Steven Brzozowski
Hi @incertum, thanks for the quick reply!

> Check out our recently added kernel testing framework proposal [here](https://github.com/falcosecurity/libs/blob/master/proposals/20230530-driver-kernel-testing-framework.md#why-does-kernel-testing-matter). It highlights that anything you do in the kernel driver happens in the...
So I tried each set of syscalls - only adding the previous set to the next instead of replacing it outright. Surprisingly no drops until the third iteration! I also...
This is all great information, thank you! I'll look into what you said about enter events.

> Add these patches into the respective "fillers", those are the tail called programs...
I've thrown together a patch that allows you to specify a set of filters in the config with each filter consisting of the syscall number, arg number for the string...
Ah sorry, I only implemented it for the `modern-ebpf` driver.
> Just acknowledging that kernel-side (where we only have the raw arg) we can have //////proc or path traversals that's what I would do as an attacker to circumvent it...
Hi @incertum, sorry for the late response. I agree it would be incredibly valuable to know the event rate Falco can support. I assume it would be pretty uniform across...
Hi, we were able to test our patch more widely, so here are some of our results: For event rate over the course of ~4 days, here's what we have...
> Is your patch publicly available?

Sure, you can find the diff for falco [here](https://github.com/falcosecurity/falco/compare/master...HubSpot:falco:master) and falcosecurity-libs [here](https://github.com/falcosecurity/libs/compare/master...HubSpot:falcosecurity-libs:master). It's pretty rough around the edges, but seems to do the trick...
Sure, I can work on opening a proposal summarizing the feature in the coming days.