Adjusted falco to stop collecting certain types of syscalls
Hi there,
To improve performance based on my needs, I'm trying to adjust the driver so that the Falco driver only collects execve logs from the system. I only found documentation that supports monitoring new syscalls with Falco, but no documentation about removing those syscalls. I wonder how I can remove other syscalls from the driver so the Falco agent only collects execve logs. Hope someone can help.
Thanks, Huy
Hi @kooriboh, this is a good point. Right now Falco cannot collect only one syscall. We tried to reduce the number of captured syscalls with the simple_consumer mode, enabled by default since Falco 0.31.0. The next step will be to allow users to collect only specific syscalls like in your case. We had a discussion about that here: https://github.com/falcosecurity/libs/issues/267. There the focus is the eBPF probe, but the same idea can be applied to the kernel module. We will update you when we have news about it :)
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
Hi! I just wanted to share that PR https://github.com/falcosecurity/libs/pull/521 aims at allowing that, at least in a programmatic way. There is currently no plan to support any config in Falco to switch off syscalls/tracepoints because it is way too easy to completely break Falco doing that (e.g. causing memleaks and other sorts of issues). At least, it will be much easier to patch Falco to switch off some syscalls :)
/remove-lifecycle stale
/remove-lifecycle stale
@kooriboh, this feature will be available in Falco 0.35; see for example this comment: https://github.com/falcosecurity/falco/issues/2433#issuecomment-1447620920
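As an added illustration (not part of this thread, and not from the Falco maintainers), this is how the Falco 0.35 `base_syscalls` option in falco.yaml can be used to narrow the driver's syscall set to execve for the case asked about above; it assumes a rules file whose conditions only reference execve events, because Falco still enables every syscall a loaded rule needs on top of this set.

```yaml
# Added example for Falco >= 0.35 (falco.yaml fragment), not code from this thread.
# Assumption: the loaded ruleset only uses execve-based events (evt.type=execve),
# otherwise the syscalls those rules need are activated in addition to custom_set.
base_syscalls:
  # Replace Falco's default base syscall set with only the ones we want traced.
  custom_set: [execve, execveat]
  # Let Falco add back the syscalls it needs to keep process/thread state
  # consistent (process creation and exit). Disabling this shrinks the set
  # further but leaves Falco's process table stale, so rule fields such as
  # proc.pname or container.id may be empty or wrong.
  repair: true
```

Check the effect by starting Falco with the fragment in place and comparing its startup log of enabled syscalls against the default before rolling the change into production.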
/remove-lifecycle stale
/milestone 0.35.0
/close
This will be fixed by 0.35.0.
@FedeDP: Closing this issue.