falco: [UMBRELLA] Missing syscalls
Motivation
I think we need an issue to track all the missing syscalls that can have a security value for Falco. I detected these ones right now:
- fsconfig https://github.com/falcosecurity/libs/pull/606
- fsmount
- fsopen
- fspick
- open_tree
- move_mount
- mount_setattr
- memfd_create https://github.com/falcosecurity/libs/pull/1127
- memfd_secret
- ioperm
- kexec_file_load
- kexec_load (it is already in our tables but there is no implementation)
- pidfd_getfd https://github.com/falcosecurity/libs/pull/1145
- pidfd_open https://github.com/falcosecurity/libs/pull/1187
- pidfd_send_signal
- pkey_alloc
- pkey_mprotect
- pkey_free
- landlock_create_ruleset
- quotactl_fd
- landlock_restrict_self
- landlock_add_rule
- epoll_pwait2
- migrate_pages
- move_pages
- mlock2 https://github.com/falcosecurity/libs/pull/358
- preadv2
- pwritev2
- prctl
- arch_prctl
- umount https://github.com/falcosecurity/libs/pull/936
- mknod https://github.com/falcosecurity/libs/pull/1270
- mknodat https://github.com/falcosecurity/libs/pull/1270
- init_module https://github.com/falcosecurity/libs/pull/1242
- finit_module https://github.com/falcosecurity/libs/pull/1242
Please if you have in mind other syscalls, leave a comment under this issue and I will add them to the list.
This issue could also be a point of reference for discussing which syscalls may be more relevant and therefore have a higher priority.
I hope it could be helpful for all the Falco community
About this issue
- State: open
- Created 2 years ago
- Reactions: 5
- Comments: 16 (12 by maintainers)
Commits related to this issue
- new(driver,userspace): automatically generate syscall_info_table entries at startup time. We use a lazy generation, ie: first time `scap_get_syscall_info_table` is called, we fill the table. The tab... — committed to falcosecurity/libs by FedeDP 2 years ago
- new(driver,userspace): automatically generate syscall_info_table entries at startup time. We use a lazy generation, ie: first time `scap_get_syscall_info_table` is called, we fill the table. The tab... — committed to FedeDP/libs by FedeDP 2 years ago
- new(driver,userspace): automatically generate syscall_info_table entries at startup time. We use a lazy generation, ie: first time `scap_get_syscall_info_table` is called, we fill the table. The tab... — committed to stackrox/falcosecurity-libs by FedeDP 2 years ago
Relevant blog post: https://falco.org/blog/falco-monitoring-new-syscalls/
falcosecurity/libs#649 adds support for all the listed syscalls, as generic events.
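As an added illustration (not part of the issue or of the falcosecurity/libs project) of what "generic events" means for rule authors: once the listed syscalls are delivered as generic events, `evt.type` resolves to the syscall name but no arguments are decoded, so a rule can alert on the call itself but cannot print, for example, the module path. The list names, rule names and thresholds below are my own choices.

```yaml
# Added example rules, not from the issue or from falcosecurity/libs.
# Assumption: the syscalls below arrive as generic events, so only
# evt.type (the syscall name) and process/container context are usable.
- list: kernel_load_syscalls
  items: [init_module, finit_module, kexec_load, kexec_file_load]

- list: new_mount_api_syscalls
  items: [fsopen, fsconfig, fsmount, fspick, open_tree, move_mount, mount_setattr]

- rule: Kernel Code Loading Syscall From Container
  desc: >
    A kernel module or kexec image load was attempted from inside a container.
    Generic events carry no decoded arguments, so the module identity is not in
    the output; correlate with kernel logs (e.g. module taint messages) to name it.
  condition: >
    evt.type in (kernel_load_syscalls) and evt.dir = < and container.id != host
  output: >
    Kernel loading syscall in container (syscall=%evt.type user=%user.name
    proc=%proc.name cmdline=%proc.cmdline container=%container.id
    image=%container.image.repository)
  priority: WARNING
  tags: [container, kernel]

- rule: New Mount API Syscall From Container
  desc: >
    Use of the fsopen/fsmount/move_mount family from a container. These calls
    do not go through mount(), so rules that only match mount events miss them.
  condition: >
    evt.type in (new_mount_api_syscalls) and evt.dir = < and container.id != host
  output: >
    New mount API syscall in container (syscall=%evt.type user=%user.name
    proc=%proc.name cmdline=%proc.cmdline container=%container.id)
  priority: NOTICE
  tags: [container, filesystem, mount]
```

Matching on the exit direction (`evt.dir = <`) fires once per call rather than twice; neither rule can distinguish a failed call from a successful one, since the return value is not decoded for generic events.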
Completely agree with you @loresuso we need it! I will add it to the list, thank you!