add new syscalls collecting support #2543

Closed
MagpieRYL opened this issue May 12, 2023 · 4 comments

Comments

@MagpieRYL

Motivation

Some intrusion methods:

  • inserting a kernel module for persistence
  • making a device node on disk using mknod, to gain a larger attack surface

Examples in container escape:

  • container starts with CAP_SYS_MODULE: inserting a kernel module
  • container starts with CAP_SYS_ADMIN: mknod can make a device node on disk, giving debugfs a chance to overwrite the host's filesystem, with the ability from the dangerous CAP_SYS_ADMIN config: mknod syscall

Feature

@Andreagit97 (Member)

Hey @MagpieRYL, thank you for that, I added these syscalls to our umbrella issue #1998!
You are right! These syscalls are not supported in Falco, or at least they are supported only in "generic" mode (i.e. you can see when these syscalls are called but not what their parameters are).
Here you can find a more detailed report: https://github.com/falcosecurity/libs/blob/master/driver/report.md

  • the green ones are the "fully" supported
  • the yellow ones are supported only in "generic" mode

Btw, since these syscalls can have a relevant syscall impact, maybe a generic implementation is not enough; we will work on that ASAP :)

@Andreagit97 Andreagit97 added this to the 0.36.0 milestone May 12, 2023
@incertum (Contributor)

Since Falco 0.35.0 all generic syscalls are exposed to Falco; simply write a Falco rule including init_module, finit_module, mknod and many more. Please note Andrea's comment about them being generic, hence we do not log specific args, but for Falco you can still access all of the proc.* fields from the process that issued these system calls.

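As an added example (my own, not a rule from the Falco project's ruleset or from this thread), the rule file below matches the generic syscalls named in the comment above by event type, scopes them to containers, and reports only process and container context, since the generic events carry no parsed arguments. It assumes Falco 0.35.0 or later, where a generic syscall's name is available through evt.type as the comment states; the rule names, the list names, the file name container_escape_syscalls.yaml and the inclusion of mknodat alongside mknod are my choices and not taken from the thread.

```yaml
# Added example, not part of the Falco project's ruleset.
# Assumes Falco >= 0.35.0, where generic syscalls are matched by name via evt.type.
# Generic events expose no parsed arguments, so the rules report only process and
# container fields; the module path or the device major/minor is not available here.

- list: kernel_module_syscalls
  items: [init_module, finit_module]

- list: device_node_syscalls
  # mknodat is included by assumption; the thread names only mknod.
  items: [mknod, mknodat]

- rule: Kernel Module Load Attempt in Container
  desc: >
    A process inside a container issued init_module or finit_module. Loading a
    kernel module from a container requires CAP_SYS_MODULE and is a typical
    escape or persistence step.
  condition: >
    evt.type in (kernel_module_syscalls) and evt.dir = <
    and container.id != host
  output: >
    Kernel module syscall from container
    (syscall=%evt.type user=%user.name proc=%proc.name cmdline=%proc.cmdline
    parent=%proc.pname container_id=%container.id container_name=%container.name
    image=%container.image.repository)
  priority: CRITICAL
  tags: [container, escape, persistence]

- rule: Device Node Creation in Container
  desc: >
    A process inside a container issued mknod or mknodat. With CAP_SYS_ADMIN this
    can create a device node for a host block device and mount it, exposing the
    host filesystem.
  condition: >
    evt.type in (device_node_syscalls) and evt.dir = <
    and container.id != host
  output: >
    Device node syscall from container
    (syscall=%evt.type user=%user.name proc=%proc.name cmdline=%proc.cmdline
    parent=%proc.pname container_id=%container.id container_name=%container.name
    image=%container.image.repository)
  priority: WARNING
  tags: [container, escape]
```

Load it alongside the default ruleset with `falco -r /etc/falco/falco_rules.yaml -r container_escape_syscalls.yaml`. The `evt.dir = <` clause keeps each call to a single alert (the exit event) rather than one for enter and one for exit, and `container.id != host` limits matching to containerized processes, since modprobe and mknod are routine on the host. Because the arguments are not parsed in generic mode, tuning has to rely on proc.*, user.* and container.* fields rather than on which module or device was involved.
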
@incertum (Contributor)

@MagpieRYL would you be interested in contributing Falco rules (https://github.com/falcosecurity/rules)? We need more robust rules for container escapes in general.

@Andreagit97 Andreagit97 self-assigned this Aug 1, 2023
@Andreagit97 (Member)

We should address this issue with:

(Thanks @therealbobo !)
