
Feature request: apply priority to specific syscalls and guarantee them for processing (i.e. will never be dropped)

Open happy-dude opened this issue 1 year ago • 17 comments

Motivation

In a sync with my detection and response peers, I was discussing how tools like Falco can drop events during periods of high syscall activity and the built-in features (like the syscall buffer) that help alleviate aspects of this.

My peers then asked if Falco had

  • prioritization of certain syscalls, and
  • buffers that contain these higher-priority events

such that this set of events would never be dropped, essentially guaranteeing that they will be processed.

This was requested with the understanding that Falco cannot monitor everything and there will be syscall drops.

This would be highly valuable for Detection and Response teams; while specific rules may require a combination of syscalls or be alerted at different priorities, there are some syscall events that are high-priority enough that favoring them for processing over others makes sense.

Feature

  • Marking a subset of syscalls as higher priority
  • Having separate buffers for high-priority events
  • Ensuring that high-priority events will be processed / will not be dropped (in other words, lower-priority or unprioritized events will be dropped instead)

Additional Context

  • For example, we never want to miss an exec* (i.e. execve) syscall

cc @incertum @FedeDP @adduali1310

happy-dude avatar Feb 02 '23 19:02 happy-dude
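To make the requested semantics concrete, here is an added illustrative model of the "separate buffer, drop the unprioritized events instead" policy from the Feature list above. It is example code written for this page, not Falco or libs code, and it does not describe how Falco's kernel-side buffer actually works: the event struct, the `PriorityEventBuffer` class, the `run_burst_scenario` helper and the burst inputs are all constructed assumptions. A fixed capacity is shared by two lanes; an arriving high-priority event (here `execve`/`execveat`) evicts the oldest low-priority event when the buffer is full, while an arriving low-priority event is simply dropped. The model also shows the caveat a practitioner should expect: the "never dropped" guarantee only holds while the high-priority event rate itself fits in the buffer, so a buffer saturated with protected events still drops them.

```cpp
#include <cstddef>
#include <cstdint>
#include <deque>
#include <iostream>
#include <set>
#include <string>
#include <utility>

// Constructed stand-in for a captured syscall event (not a real libs event).
struct Event {
    uint64_t ts;           // sequence number standing in for a timestamp
    std::string syscall;   // syscall name, e.g. "execve" or "read"
    bool high_priority;    // true if the syscall is in the protected set
};

struct DropStats {
    std::size_t dropped_low = 0;   // low-priority events discarded
    std::size_t dropped_high = 0;  // high-priority events discarded (ideally 0)
};

// Hypothetical two-lane buffer sharing one capacity budget. Admission policy:
//   space available            -> enqueue in the lane matching the priority
//   full, low-priority arrives -> drop the arriving event
//   full, high-priority arrives-> evict the oldest low-priority event
//   full of high-priority only -> the high-priority event must be dropped
class PriorityEventBuffer {
public:
    PriorityEventBuffer(std::size_t capacity, std::set<std::string> high_prio_syscalls)
        : cap_(capacity), high_set_(std::move(high_prio_syscalls)) {}

    // Returns true if the event was buffered, false if it was dropped.
    bool push(uint64_t ts, const std::string& syscall) {
        const bool high = high_set_.count(syscall) > 0;
        Event ev{ts, syscall, high};
        if (size() < cap_) {
            (high ? high_ : low_).push_back(ev);
            return true;
        }
        if (!high) {
            ++stats_.dropped_low;
            return false;
        }
        if (!low_.empty()) {
            low_.pop_front();          // sacrifice the oldest low-priority event
            ++stats_.dropped_low;
            high_.push_back(ev);
            return true;
        }
        ++stats_.dropped_high;         // saturated with protected events
        return false;
    }

    // Consumer side: the high-priority lane drains first. This reorders events
    // across lanes; a consumer needing global time order must merge on ts.
    bool pop(Event& out) {
        if (!high_.empty()) { out = high_.front(); high_.pop_front(); return true; }
        if (!low_.empty())  { out = low_.front();  low_.pop_front();  return true; }
        return false;
    }

    std::size_t size() const { return high_.size() + low_.size(); }
    std::size_t high_queued() const { return high_.size(); }
    std::size_t low_queued() const { return low_.size(); }
    const DropStats& stats() const { return stats_; }

private:
    std::size_t cap_;
    std::set<std::string> high_set_;
    std::deque<Event> high_;
    std::deque<Event> low_;
    DropStats stats_;
};

struct ScenarioResult {
    std::size_t dropped_low;
    std::size_t dropped_high;
    std::size_t execs_buffered;
};

// Constructed burst: n_reads "read" events arrive first and fill the buffer,
// then n_execs "execve" events arrive while it is still full.
ScenarioResult run_burst_scenario(std::size_t cap, std::size_t n_reads, std::size_t n_execs) {
    PriorityEventBuffer buf(cap, {"execve", "execveat"});
    uint64_t ts = 0;
    for (std::size_t i = 0; i < n_reads; ++i) buf.push(ts++, "read");
    for (std::size_t i = 0; i < n_execs; ++i) buf.push(ts++, "execve");
    return {buf.stats().dropped_low, buf.stats().dropped_high, buf.high_queued()};
}

int main() {
    ScenarioResult r = run_burst_scenario(4, 10, 3);
    std::cout << "dropped_low=" << r.dropped_low << " dropped_high=" << r.dropped_high
              << " execs_buffered=" << r.execs_buffered << '\n';
    ScenarioResult s = run_burst_scenario(4, 0, 6);
    std::cout << "saturated: dropped_high=" << s.dropped_high << '\n';
    return 0;
}
```

With capacity 4, ten reads followed by three execve events drops nine reads and zero execs; six execve events into an empty capacity-4 buffer still drops two of them, which is the limit any priority scheme has to document.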