Lorenzo Susini

Results 39 comments of Lorenzo Susini

Hi @LucaGuerra, I really support introducing security events coming from Linux Security Modules. As you said, we will need to attach to these hooks via kprobes (when using the kmod),...

Yeah, I agree with you, that's why I also introduced support for the `mprotect` syscall and I suggested very similar stuff [here](https://github.com/falcosecurity/libs/pull/174) not so long ago. However, I think that...

Hey @FedeDP, thank you! I agree with you, maybe we can better document the fact those new fields (`is_exe_writable` and `is_exe_upper_layer`) can be trusted only on specific kernel versions? I...

> > I agree with you, maybe we can better document the fact those new fields (is_exe_writable and is_exe_upper_layer) can be trusted only on specific kernel versions? I thought about...

Ah I got it now, sorry! Yeah you are right

Hey @FedeDP, I think I have addressed all your comments:
- Stated that `is_exe_upper_layer` is meaningful if underlying kernel version is above 3.18
- Added a small function `get_exe_inode` to...

Hey maintainers! I have rebased this PR again, and I still think it is a good feature to add. What do you think? 🙂

/cc @FedeDP @Andreagit97 @LucaGuerra

@incertum just rebased https://github.com/falcosecurity/libs/pull/287! I've also written a proposal in the hackmd to detect fileless execution. Feedback is highly appreciated!