
[FEATURE] Adding support for prctl Syscall #1013

Closed
therealbobo opened this issue Mar 29, 2023 · 4 comments · Fixed by #1015

Comments

@therealbobo
Contributor

Motivation

The prctl syscall can be used to manipulate the information about a process. In particular, it can be used to change the process name in an attempt to hide a malicious behaviour behind a "false identity" (e.g. renaming itself to ssh). It would be nice if Falco could detect such a behaviour.

Feature

Implement the prctl syscall in the 3 drivers.

@therealbobo therealbobo added the kind/feature New feature or request label Mar 29, 2023
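The rename the issue describes is `prctl(PR_SET_NAME, ...)`, which rewrites only the kernel's 16-byte task name (`comm`) and leaves `/proc/<pid>/exe` untouched. A detector can therefore flag a process whose `comm` no longer agrees with the basename of its executable. The following program is an added example written for this issue, not code from Falco or its drivers; it performs that comparison on itself, first unchanged (names agree) and then after a `PR_SET_NAME` call (names disagree). The helper names `read_comm`, `read_exe_basename`, `comm_matches_exe` and `self_check` are assumptions made for the example, and it assumes a Linux host with `/proc` mounted.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

/* The kernel stores the task name in a 16-byte buffer (TASK_COMM_LEN),
 * so at most 15 characters are ever visible in comm. */
#define COMM_MAX 15

/* Ask the kernel for this process's current task name (hypothetical helper
 * name). buf must hold at least 16 bytes. Returns 0 on success, -1 on error. */
int read_comm(char *buf, size_t len) {
    if (len < COMM_MAX + 1)
        return -1;
    return prctl(PR_GET_NAME, buf, 0, 0, 0);
}

/* Resolve /proc/self/exe and copy its basename into out (hypothetical helper
 * name). PR_SET_NAME never changes this link, which is why it is a useful
 * reference point. Returns 0 on success, -1 on error. */
int read_exe_basename(char *out, size_t len) {
    char path[PATH_MAX];
    ssize_t n = readlink("/proc/self/exe", path, sizeof(path) - 1);
    if (n < 0)
        return -1;
    path[n] = '\0';
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    snprintf(out, len, "%s", base);
    return 0;
}

/* Detection heuristic: comm is the exe basename truncated to 15 bytes right
 * after execve, so compare only that prefix. Returns 1 when they agree,
 * 0 when they differ (a candidate "false identity"). */
int comm_matches_exe(const char *comm, const char *exe_base) {
    return strncmp(comm, exe_base, COMM_MAX) == 0;
}

/* Apply the heuristic to the calling process. Returns 1 when the task name
 * has drifted from the executable, 0 when it still matches, -1 on error. */
int self_check(void) {
    char comm[COMM_MAX + 1];
    char exe[PATH_MAX];
    if (read_comm(comm, sizeof(comm)) != 0 || read_exe_basename(exe, sizeof(exe)) != 0)
        return -1;
    return comm_matches_exe(comm, exe) ? 0 : 1;
}

int main(void) {
    char comm[COMM_MAX + 1], exe[PATH_MAX];

    /* Fresh process: comm and exe basename agree. */
    read_comm(comm, sizeof(comm));
    read_exe_basename(exe, sizeof(exe));
    printf("before rename: comm=%s exe=%s mismatch=%d\n", comm, exe, self_check());

    /* The behaviour the issue wants Falco to see: the task name changes,
     * the backing executable does not. */
    prctl(PR_SET_NAME, "ssh", 0, 0, 0);
    read_comm(comm, sizeof(comm));
    printf("after rename:  comm=%s exe=%s mismatch=%d\n", comm, exe, self_check());
    return 0;
}
```

Compile with `cc prctl_check.c -o prctl_check && ./prctl_check`. The same comparison can be made from outside the process by reading `/proc/<pid>/comm` and `readlink("/proc/<pid>/exe")`, which is the vantage point a monitoring tool has; the prctl event itself is what the requested driver support would expose, so the rename becomes visible at the moment it happens rather than only by polling `/proc`.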
@Andreagit97
Member

Hey @therealbobo, thank you for that! This syscall should already be tracked in this issue: falcosecurity/falco#1998

@therealbobo
Contributor Author

Hey @Andreagit97, I didn't notice that! I'd like to keep this open because the prctl could hide a malicious behaviour and I think that its implementation could be very useful for the community! If you want I could try to work on it! 😄

@jasondellaluce
Contributor

Thanks @therealbobo! I agree with you: this syscall can have high priority due to the good security-related info it carries. Looking forward to seeing what you come up with!

@jasondellaluce
Contributor

/milestone next-driver
