Melissa Kilby

Results 192 comments of Melissa Kilby

Kernel side solution for robustness reasons: Add pid namespace init task start ts to generically approx container or host start ts and compute time deltas useful for detections, such as...

Another kernel side signal that would like to look into and possibly add to this PR would be: `"Interpreter scripts"` aka text files with execute permissions (see https://man7.org/linux/man-pages/man2/execve.2.html) For example...

@LucaGuerra and @loresuso in addition to VM tests, deployed these changes and @loresuso changes from https://github.com/falcosecurity/libs/pull/287 `is_exe_upper_layer` to production (eBPF only). Has been running for 2 weeks now and seems...

Related to thinking in https://github.com/falcosecurity/libs/issues/252 @LucaGuerra @loresuso.

Would favor staying open-minded and explore all options. Furthermore, shall we follow a data-driven approach? Meaning we measure perf overhead on actual production servers instead of making decisions based...

Thanks @Kaizhe. Absolutely can add the additional filter statement in and concur this rule is only relevant for web applications that have an Arbitrary File Read bug.

One liner to simulate if rule triggers `python -c 'import subprocess; subprocess.Popen("cat ../../../////etc/passwd", shell=True)'`.

@darryk10 indeed, this seems more economic to just create one more complete rule, good call :) New suggestion below. Would you have additional or other ideas? ``` - rule: Directory...

Tweaked it a bit, proposing that it could be even simpler - just look for `/etc` any file. Also suspecting `glob` is a more expensive filter, `fd.nameraw contains "../" and...
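Added example, not from the thread or the Falco project: a small Python evaluator that applies the condition proposed above (`fd.nameraw contains "../"` together with a `/etc` substring check) to constructed sample `open()` arguments, and resolves each raw argument against an assumed process cwd the way the kernel would. It shows why the rule has to be written against the raw argument rather than a normalized path, and what the plain substring match catches. The event list, the cwd and the function names are assumptions; Falco's `contains` operator is modelled as a plain substring test.

```python
import posixpath

# Falco's `contains` operator is a plain substring test; this mirrors the
# condition proposed in the thread: fd.nameraw contains "../" and "/etc".
def rule_matches(nameraw: str) -> bool:
    return "../" in nameraw and "/etc" in nameraw

def resolve(nameraw: str, cwd: str) -> str:
    """Return the path the kernel actually opens: the raw argument joined to
    the process cwd and normalized. This is what a normalized, post-resolution
    file name would show, with every "../" already collapsed away."""
    return posixpath.normpath(posixpath.join(cwd, nameraw))

def evaluate(events):
    """events: iterable of (cwd, nameraw) pairs.
    Returns one dict per event with the raw name, the resolved target and
    whether the proposed rule condition fires on the raw name."""
    results = []
    for cwd, nameraw in events:
        results.append({
            "nameraw": nameraw,
            "resolved": resolve(nameraw, cwd),
            "match": rule_matches(nameraw),
        })
    return results

# Constructed sample open() arguments (hypothetical, not captured data).
SAMPLE_EVENTS = [
    ("/var/www/app", "../../../////etc/passwd"),          # the one-liner from the thread
    ("/var/www/app", "/etc/passwd"),                      # direct absolute read, no traversal
    ("/var/www/app", "/var/www/app/../../../etc/shadow"), # traversal inside an absolute path
    ("/var/www/app", "../../../etcd/config.yaml"),        # "/etc" substring also hits "/etcd"
    ("/var/www/app", "templates/index.html"),             # benign relative read
]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_EVENTS):
        flag = "ALERT" if r["match"] else "     "
        print(f"{flag} {r['nameraw']!r:40} -> {r['resolved']}")
```

The resolved column is the point of the exercise: once the path is normalized, the `../` segments are gone, so a rule keyed on the resolved name would never fire on the first or third event; only the raw argument still carries the traversal. The fourth event shows the cost of the broad `/etc` substring match, which also fires on names such as `/etcd/...`; whether that is acceptable noise or needs an exception list is the trade-off the thread is weighing.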