
Improve visibility on the `ioctl` events

Open Biagio-Dipalma opened this issue 2 years ago • 12 comments

Motivation

This syscall can be handy to detect suspicious/malicious operations with network interfaces. To achieve this we need more details about the interface provided in the entry event: at the moment we see the memory address of the object (in the argument field).

For example, here is some C code that puts a network interface into promiscuous mode:

    /* ifr.ifr_name was filled in and SIOCGIFFLAGS fetched the current flags above */
    ifr.ifr_flags |= IFF_PROMISC;

    if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1) {
        perror("Failed to set promiscuous mode");
        close(sock);
        exit(1);
    }

This is what we see in Falco:

14:19:29.179213999: Warning IOCTL event (evt.args=fd=3(<4>) request=8913 argument=7FFE4A0E97B0  fd.type=ipv4 fd.name= fd.sockfamily=ip proc.name=set-promiscous)
14:19:29.179219373: Warning IOCTL event (evt.args=fd=3(<4>) request=8914 argument=7FFE4A0E97B0  fd.type=ipv4 fd.name= fd.sockfamily=ip proc.name=set-promiscous)

Feature

In this case we might need to update the arguments to show the flags applied to the network interface, so that we can get only the malicious/suspicious ones.

Alternatives

Additional context

Biagio-Dipalma avatar Sep 05 '23 15:09 Biagio-Dipalma

Hey @Biagio-Dipalma! The request makes sense! We will try to schedule some time for this in the next release. For the moment I will put the milestone:

/milestone TBD

Andreagit97 avatar Sep 06 '23 09:09 Andreagit97

Here I think we can only get socket-related ioctl cmds. Handling all possible ioctl commands for all possible devices would be a huge task.

I think we can reproduce in some way what sock_do_ioctl does: check whether the cmd is related to sockets (is_socket_ioctl_cmd) and then convert the types to a PPM notation, WDYT?

Andreagit97 avatar Sep 26 '23 09:09 Andreagit97
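As an added example (not code from falcosecurity/libs or from the Linux kernel), here is a user-space model in C of the decoding Andreagit97 describes: apply the same test as the kernel's is_socket_ioctl_cmd() (the ioctl "type" byte is 0x89, which is why every socket request in the Falco output above starts with 89), then, for SIOCGIFFLAGS/SIOCSIFFLAGS, reinterpret the bytes behind the `argument` pointer as a struct ifreq and expose the interface name, the flags and a single "is this a request to enable promiscuous mode" verdict. The names ppm_ifreq, decode_ifflags_ioctl, requests_promisc and make_sample_ifreq, the interface name eth0 and the replayed events are assumptions made up for this example; is_socket_ioctl_cmd is re-implemented locally, and the request numbers assume Linux.

```c
/*
 * Added example, not code from falcosecurity/libs or the kernel: a user-space
 * model of decoding the ioctl argument for socket ioctls. All names below
 * (ppm_ifreq, decode_ifflags_ioctl, requests_promisc, make_sample_ifreq)
 * are hypothetical; the sample events are constructed to match the issue.
 */
#define _DEFAULT_SOURCE 1 /* glibc: expose struct ifreq and IFF_* from <net/if.h> */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <net/if.h>       /* struct ifreq, IFNAMSIZ, IFF_PROMISC, ... */
#include <sys/ioctl.h>    /* SIOCGIFFLAGS (0x8913) and SIOCSIFFLAGS (0x8914) on Linux */

#define SOCK_IOC_TYPE 0x89  /* Linux: the ioctl type byte shared by all SIOC* requests */

/* Same check the kernel's is_socket_ioctl_cmd() performs, re-implemented here:
 * bits 8..15 of the request number are the ioctl type (what _IOC_TYPE() extracts). */
static bool is_socket_ioctl_cmd(unsigned int cmd)
{
    return ((cmd >> 8) & 0xff) == SOCK_IOC_TYPE;
}

/* Hypothetical PPM-style decoded argument for interface-flag ioctls. */
struct ppm_ifreq {
    char     name[IFNAMSIZ];
    uint16_t flags;
    bool     promisc;       /* IFF_PROMISC present in flags */
};

enum {
    DECODE_OK           = 0,
    DECODE_NOT_SOCKET   = -1, /* type byte is not 0x89: tty, block device, ... */
    DECODE_UNSUPPORTED  = -2, /* socket ioctl this model does not decode (e.g. SIOCGIFADDR) */
    DECODE_SHORT_BUFFER = -3, /* fewer than sizeof(struct ifreq) bytes captured */
};

/* Decode `len` bytes read from the ioctl argument pointer into *out.
 * For SIOCSIFFLAGS the flags are what the caller asks the kernel to apply, so they
 * are meaningful on the entry event; for SIOCGIFFLAGS the kernel fills them in, so
 * only the exit event carries real values. */
static int decode_ifflags_ioctl(unsigned int cmd, const void *arg, size_t len,
                                struct ppm_ifreq *out)
{
    struct ifreq ifr;

    if (!is_socket_ioctl_cmd(cmd))
        return DECODE_NOT_SOCKET;
    if (cmd != SIOCGIFFLAGS && cmd != SIOCSIFFLAGS)
        return DECODE_UNSUPPORTED;
    if (arg == NULL || len < sizeof ifr)
        return DECODE_SHORT_BUFFER;

    memcpy(&ifr, arg, sizeof ifr);          /* captured bytes may not be aligned */
    memcpy(out->name, ifr.ifr_name, IFNAMSIZ);
    out->name[IFNAMSIZ - 1] = '\0';         /* ifr_name need not be NUL-terminated */
    out->flags   = (uint16_t)ifr.ifr_flags;
    out->promisc = (ifr.ifr_flags & IFF_PROMISC) != 0;
    return DECODE_OK;
}

/* The detection the issue asks for: a *set* of interface flags that includes IFF_PROMISC. */
static bool requests_promisc(unsigned int cmd, const void *arg, size_t len)
{
    struct ppm_ifreq d;
    return cmd == SIOCSIFFLAGS &&
           decode_ifflags_ioctl(cmd, arg, len, &d) == DECODE_OK &&
           d.promisc;
}

/* Constructed sample argument: what the program in the issue passes to ioctl(). */
static struct ifreq make_sample_ifreq(const char *name, short flags)
{
    struct ifreq ifr;
    memset(&ifr, 0, sizeof ifr);
    strncpy(ifr.ifr_name, name, IFNAMSIZ - 1);
    ifr.ifr_flags = flags;
    return ifr;
}

int main(void)
{
    /* Replay the two events from the Falco output in the issue (8913, then 8914),
     * plus a non-socket ioctl to show the type-byte filter rejecting it. */
    struct ifreq get = make_sample_ifreq("eth0", 0);
    struct ifreq set = make_sample_ifreq("eth0", IFF_UP | IFF_BROADCAST | IFF_MULTICAST | IFF_PROMISC);
    const struct { unsigned int cmd; const struct ifreq *arg; } events[] = {
        { SIOCGIFFLAGS, &get },
        { SIOCSIFFLAGS, &set },
        { 0x5413,       &set },   /* TIOCGWINSZ on Linux: not a socket ioctl */
    };

    for (size_t i = 0; i < sizeof events / sizeof events[0]; i++) {
        struct ppm_ifreq d;
        int rc = decode_ifflags_ioctl(events[i].cmd, events[i].arg, sizeof(struct ifreq), &d);
        if (rc != DECODE_OK) {
            printf("request=%X: not decoded (rc=%d)\n", events[i].cmd, rc);
            continue;
        }
        printf("request=%X ifname=%s ifflags=0x%04x promisc=%s suspicious=%s\n",
               events[i].cmd, d.name, d.flags, d.promisc ? "true" : "false",
               requests_promisc(events[i].cmd, events[i].arg, sizeof(struct ifreq)) ? "true" : "false");
    }
    return 0;
}
```

Two caveats carry over to a real driver. The argument buffer has to be read from user memory at the right moment: for SIOCSIFFLAGS at entry (the flags the process wants), for SIOCGIFFLAGS only at exit (the flags the kernel wrote back), otherwise the decoded flags are whatever garbage the process had in the struct. And a set that includes IFF_PROMISC is a strong hint rather than proof of malice: the same request is issued by tcpdump, bridges and some CNI plugins, so a rule built on the decoded field should still combine it with process and container context.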

Moving to 0.17.0. /milestone 0.17.0

FedeDP avatar Apr 16 '24 15:04 FedeDP

/milestone 0.18.0

We had no time to work on this during the 0.17.0 release cycle.

FedeDP avatar May 21 '24 14:05 FedeDP

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Aug 19 '24 16:08 poiana

/remove-lifecycle stale

Andreagit97 avatar Aug 20 '24 08:08 Andreagit97

Moving to next milestone, no bandwidth during this release cycle for this one. /milestone 0.19.0

FedeDP avatar Aug 27 '24 13:08 FedeDP

/milestone 0.20.0

FedeDP avatar Nov 13 '24 09:11 FedeDP

/milestone 0.21.0 No luck again for the current release cycle :/

FedeDP avatar Jan 08 '25 09:01 FedeDP

As above :( we haven't got much developer "spare" time lately... /milestone 0.22.0

FedeDP avatar Apr 02 '25 10:04 FedeDP

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Jul 01 '25 16:07 poiana

/remove-lifecycle stale

FedeDP avatar Jul 21 '25 08:07 FedeDP