Federico Di Pierro
Relevant blog post: https://falco.org/blog/falco-monitoring-new-syscalls/ :)
See https://github.com/falcosecurity/libs/issues/605.
As a first step, we could try to add "string name" support for all of these, so that at least we don't receive UNKNOWN events. Then, we can later work...
falcosecurity/libs#649 adds support for all the listed syscalls, as generic events.
In theory, user.uid `-1` means that there is no thread information associated with the event; basically (see here: https://github.com/falcosecurity/libs/blob/master/userspace/libsinsp/filterchecks.cpp#L4781): `evt->get_thread_info()` is NULL. In fact, uid is obtained from the event...
So, we got a valid and actually correct thread id. Nice! I will try to reproduce the issue! ;)
Hi! This is expected since we are not able to extract users and groups list from containers. @loresuso and I are working on a solution involving accessing the overlayfs of...
I'll keep you posted :)
Hi! Yes, you won't believe it but we are working on another approach to solve the issue: https://github.com/falcosecurity/libs/pull/677 Hopefully this will be the best solution. @deepskyblue86
Hi! Falco 0.34 will surely have this feature. I am not sure if we will make a 0.33.1 patch release for this one (and perhaps some more fixes). Let's say...