Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[UMBRELLA] Missing syscalls #1998

Open
11 of 35 tasks
Tracked by #1127
Andreagit97 opened this issue May 11, 2022 · 21 comments
Open
11 of 35 tasks
Tracked by #1127

[UMBRELLA] Missing syscalls #1998

Andreagit97 opened this issue May 11, 2022 · 21 comments

Comments

@Andreagit97
Copy link
Member

Andreagit97 commented May 11, 2022

Motivation

I think we need an issue to track all the missing syscalls that can have a security value for Falco. I detected these ones right now:

Please if you have in mind other syscalls, leave a comment under this issue and I will add them to the list.
This issue could also be a point of reference for discussing which syscalls may be more relevant and therefore have a higher priority.
I hope it could be helpful for all the Falco community 😃

@FedeDP
Copy link
Contributor

FedeDP commented May 11, 2022

Relevant blog post: https://falco.org/blog/falco-monitoring-new-syscalls/ :)

@leodido
Copy link
Member

leodido commented May 11, 2022

#676

@jasondellaluce
Copy link
Contributor

Linking this to falcosecurity/libs#269

@loresuso
Copy link
Member

loresuso commented Jul 6, 2022

Hi @Andreagit97, it seems to me that we are missing monitoring for the prctl syscall. I think it could be useful to add monitoring for it since it can be used to e.g. change a process name, paired with a subsequent fork! If you agree, let's add it to the list!
Ref: https://github.com/blackberry/Falco-bypasses/blob/main/fubers/fuber-fakeparents.c#L29

@Andreagit97
Copy link
Member Author

Hi @Andreagit97, it seems to me that we are missing monitoring for the prctl syscall. I think it could be useful to add monitoring for it since it can be used to e.g. change a process name, paired with a subsequent fork! If you agree, let's add it to the list!

Completely agree with you @loresuso we need it! I wll add it to the list, thank you!

Ref: https://github.com/blackberry/Falco-bypasses/blob/main/fubers/fuber-fakeparents.c#L29

@FedeDP
Copy link
Contributor

FedeDP commented Sep 14, 2022

See falcosecurity/libs#605.

@FedeDP
Copy link
Contributor

FedeDP commented Sep 30, 2022

As a first step, we could try to add "string name" support for all of these, so that at least we don't receive UNKNOWN events.
Then, we can later work on implementing driver fillers for them.

FedeDP added a commit to falcosecurity/libs that referenced this issue Oct 3, 2022
…ies at startup time.

We use a lazy generation, ie: first time `scap_get_syscall_info_table` is called, we fill the table.

The table is filled with correct names; the category is either fetched from the event_table, or EC_UNKNOWN
(for syscalls that have no event attached, and use the generic one).

Moreover, added generic event support for falcosecurity/falco#1998 syscalls;
they won't use any specific filler, just the automatic generic one, and there is no even mapping for them.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
@FedeDP
Copy link
Contributor

FedeDP commented Oct 3, 2022

falcosecurity/libs#649 adds support for all the listed syscalls, as generic events.

FedeDP added a commit to falcosecurity/libs that referenced this issue Oct 4, 2022
…ies at startup time.

We use a lazy generation, ie: first time `scap_get_syscall_info_table` is called, we fill the table.

The table is filled with correct names; the category is either fetched from the event_table, or EC_UNKNOWN
(for syscalls that have no event attached, and use the generic one).

Moreover, added generic event support for falcosecurity/falco#1998 syscalls;
they won't use any specific filler, just the automatic generic one, and there is no even mapping for them.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
FedeDP added a commit to FedeDP/libs that referenced this issue Oct 4, 2022
…ies at startup time.

We use a lazy generation, ie: first time `scap_get_syscall_info_table` is called, we fill the table.

The table is filled with correct names; the category is either fetched from the event_table, or EC_UNKNOWN
(for syscalls that have no event attached, and use the generic one).

Moreover, added generic event support for falcosecurity/falco#1998 syscalls;
they won't use any specific filler, just the automatic generic one, and there is no even mapping for them.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
FedeDP added a commit to falcosecurity/libs that referenced this issue Oct 17, 2022
…ies at startup time.

We use a lazy generation, ie: first time `scap_get_syscall_info_table` is called, we fill the table.

The table is filled with correct names; the category is either fetched from the event_table, or EC_UNKNOWN
(for syscalls that have no event attached, and use the generic one).

Moreover, added generic event support for falcosecurity/falco#1998 syscalls;
they won't use any specific filler, just the automatic generic one, and there is no even mapping for them.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
FedeDP added a commit to falcosecurity/libs that referenced this issue Oct 25, 2022
…ies at startup time.

We use a lazy generation, ie: first time `scap_get_syscall_info_table` is called, we fill the table.

The table is filled with correct names; the category is either fetched from the event_table, or EC_UNKNOWN
(for syscalls that have no event attached, and use the generic one).

Moreover, added generic event support for falcosecurity/falco#1998 syscalls;
they won't use any specific filler, just the automatic generic one, and there is no even mapping for them.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
poiana pushed a commit to falcosecurity/libs that referenced this issue Oct 26, 2022
…ies at startup time.

We use a lazy generation, ie: first time `scap_get_syscall_info_table` is called, we fill the table.

The table is filled with correct names; the category is either fetched from the event_table, or EC_UNKNOWN
(for syscalls that have no event attached, and use the generic one).

Moreover, added generic event support for falcosecurity/falco#1998 syscalls;
they won't use any specific filler, just the automatic generic one, and there is no even mapping for them.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Molter73 pushed a commit to stackrox/falcosecurity-libs that referenced this issue Nov 15, 2022
…ies at startup time.

We use a lazy generation, ie: first time `scap_get_syscall_info_table` is called, we fill the table.

The table is filled with correct names; the category is either fetched from the event_table, or EC_UNKNOWN
(for syscalls that have no event attached, and use the generic one).

Moreover, added generic event support for falcosecurity/falco#1998 syscalls;
they won't use any specific filler, just the automatic generic one, and there is no even mapping for them.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Molter73 pushed a commit to stackrox/falcosecurity-libs that referenced this issue Nov 15, 2022
…ies at startup time.

We use a lazy generation, ie: first time `scap_get_syscall_info_table` is called, we fill the table.

The table is filled with correct names; the category is either fetched from the event_table, or EC_UNKNOWN
(for syscalls that have no event attached, and use the generic one).

Moreover, added generic event support for falcosecurity/falco#1998 syscalls;
they won't use any specific filler, just the automatic generic one, and there is no even mapping for them.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Molter73 pushed a commit to stackrox/falcosecurity-libs that referenced this issue Nov 25, 2022
…ies at startup time.

We use a lazy generation, ie: first time `scap_get_syscall_info_table` is called, we fill the table.

The table is filled with correct names; the category is either fetched from the event_table, or EC_UNKNOWN
(for syscalls that have no event attached, and use the generic one).

Moreover, added generic event support for falcosecurity/falco#1998 syscalls;
they won't use any specific filler, just the automatic generic one, and there is no even mapping for them.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Molter73 pushed a commit to stackrox/falcosecurity-libs that referenced this issue Nov 30, 2022
…ies at startup time.

We use a lazy generation, ie: first time `scap_get_syscall_info_table` is called, we fill the table.

The table is filled with correct names; the category is either fetched from the event_table, or EC_UNKNOWN
(for syscalls that have no event attached, and use the generic one).

Moreover, added generic event support for falcosecurity/falco#1998 syscalls;
they won't use any specific filler, just the automatic generic one, and there is no even mapping for them.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
@poiana
Copy link
Contributor

poiana commented Jan 1, 2023

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@jasondellaluce
Copy link
Contributor

/remove-lifecycle stale

@Andreagit97 Andreagit97 self-assigned this Jan 18, 2023
@yo348
Copy link

yo348 commented Feb 16, 2023

chown family of syscalls. I plan to submit a PR for it soon.
falcosecurity/libs#892

@Andreagit97
Copy link
Member Author

chown family of syscalls. I plan to submit a PR for it soon.
falcosecurity/libs#892

see falcosecurity/libs#892 (comment)

@poiana
Copy link
Contributor

poiana commented Nov 29, 2023

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@Andreagit97
Copy link
Member Author

/remove-lifecycle stale

@poiana
Copy link
Contributor

poiana commented Feb 28, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@Andreagit97
Copy link
Member Author

/remove-lifecycle stale

@poiana
Copy link
Contributor

poiana commented May 28, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@Andreagit97
Copy link
Member Author

/remove-lifecycle stale

@poiana
Copy link
Contributor

poiana commented Aug 27, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@FedeDP
Copy link
Contributor

FedeDP commented Aug 27, 2024

/remove-lifecycle stale

@poiana
Copy link
Contributor

poiana commented Nov 25, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

7 participants