[UMBRELLA] Missing syscalls #1998
Comments
Relevant blog post: https://falco.org/blog/falco-monitoring-new-syscalls/ :)

Linking this to falcosecurity/libs#269

Hi @Andreagit97, it seems to me that we are missing monitoring for the

Completely agree with you @loresuso we need it! I will add it to the list, thank you!

As a first step, we could try to add "string name" support for all of these, so that at least we don't receive UNKNOWN events.
…ies at startup time. We use a lazy generation, i.e.: the first time `scap_get_syscall_info_table` is called, we fill the table. The table is filled with correct names; the category is either fetched from the event_table, or EC_UNKNOWN (for syscalls that have no event attached, and use the generic one). Moreover, added generic event support for falcosecurity/falco#1998 syscalls; they won't use any specific filler, just the automatic generic one, and there is no event mapping for them. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

falcosecurity/libs#649 adds support for all the listed syscalls, as generic events.
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale

/remove-lifecycle stale
Motivation
I think we need an issue to track all the missing syscalls that can have a security value for Falco. I detected these ones right now:

- fsconfig (new: fsconfig support libs#606)
- fsmount
- fsopen
- fspick
- open_tree
- move_mount
- mount_setattr
- memfd_create (new: Support for memfd_create syscall libs#1127)
- memfd_secret
- ioperm
- kexec_file_load
- kexec_load (it is already in our tables but there is no implementation)
- pidfd_getfd (Feat: Support for pidfd_getfd syscall libs#1145)
- pidfd_open (Support pidfd_open syscall libs#1187)
- pidfd_send_signal
- pkey_alloc
- pkey_mprotect
- pkey_free
- landlock_create_ruleset
- quotactl_fd
- landlock_restrict_self
- landlock_add_rule
- epoll_pwait2
- migrate_pages
- move_pages
- mlock2 (update(driver): add support for mlock2 syscall libs#358)
- preadv2
- pwritev2
- prctl
- arch_prctl
- umount (fix(driver): remove some inconsistencies in our event tables libs#936)
- mknod (feat(driver): support for mknod/mknodat syscall libs#1270)
- mknodat (feat(driver): support for mknod/mknodat syscall libs#1270)
- init_module (feat(driver): support for init_module, finit_module syscalls libs#1242)
- finit_module (feat(driver): support for init_module, finit_module syscalls libs#1242)

Please, if you have in mind other syscalls, leave a comment under this issue and I will add them to the list.
This issue could also be a point of reference for discussing which syscalls may be more relevant and therefore have a higher priority.
I hope it could be helpful for all the Falco community 😃