Falco supported events #715

Closed
leogr opened this issue Sep 20, 2022 · 16 comments · Fixed by #840

@leogr
Member

leogr commented Sep 20, 2022

What to document

After discussing with @Andreagit97 about recent changes and minor breaking changes (e.g., -A will not be applied anymore when reading from .scap files), we decided to create a table, so it was clear what will be the expected outcome for Falco 0.33.0.

Ref falcosecurity/falco#2201

The documentation (and maybe other places like the help usage of the command line) may need to be updated accordingly.

/milestone 0.33.0

cc @falcosecurity/falco-maintainers @falcosecurity/libs-maintainers

Falco supported events

| Category | evt.type | Default (without -A) | With -A | .scap file |
|---|---|---|---|---|
| EC_PLUGIN | plugin | Yes | Yes | Yes |
| EC_SYSCALL | various | Only syscalls in simple_set | All | All, including EF_OLD_VERSION |
| EC_TRACEPOINT | procexit, switch, signaldeliver, page_fault | procexit | All | All, including EF_OLD_VERSION |
| EC_INTERNAL | container, useradded, userdeleted, groupadded, groupdeleted and other internal events | Only container, useradded, userdeleted, groupadded, groupdeleted | All | All, including EF_OLD_VERSION |

Notes:

  • EF_OLD_VERSION events are never generated in live mode, but they may be present in .scap files
  • Since the new Falco version won't apply any userspace pre-filtering, -A is implicit when reading from .scap
  • EC_PLUGIN is not yet present in libs, but our plan is to insert it soon

@Andreagit97
Member

> EC_PLUGIN is not yet present in libs, but our plan is to insert it soon

Added here falcosecurity/libs#622

@jasondellaluce
Contributor

@Andreagit97 @leogr I think this is solved for the scope of Falco 0.33.0, but it may be worth adding it on the Falco website (or some libs internal document) instead of closing this. What do you think?

@leogr
Member Author

leogr commented Oct 18, 2022

> it may be worth adding it on the Falco website

Definitively yes 👍

@Andreagit97
Member

makes sense but before doing that we have to update it, since the actual logic is not exactly as described here, but for sure we can update this issue until the design is ended and after that, we can move it to the documentation :)

@jasondellaluce
Contributor

For clarity, I'm gonna move this issue to falcosecurity/falco-website.

@jasondellaluce transferred this issue from falcosecurity/falco Oct 19, 2022

@leogr
Member Author

leogr commented Nov 3, 2022

Hey @Andreagit97 @jasondellaluce

I've lost track of this. Any progress?

@jasondellaluce
Contributor

This still has to be documented

@leogr
Member Author

leogr commented Nov 23, 2022

Hey @vjjmiras could you help with this?

@vjjmiras
Contributor

Is it possible to obtain this information automatically from the falco binary or any other single source of truth (like a file in the falco repo)?

Instead of updating the website whenever this changes, we should import the information automatically.

@leogr
Member Author

leogr commented Nov 23, 2022

> Is it possible to obtain this information automatically from the falco binary or any other single source of truth (like a file in the falco repo)?

I don't think it's possible now, but perhaps we can do something using our libs? cc @FedeDP @Andreagit97

> Instead of updating the website whenever this changes, we should import the information automatically.

👍

@Andreagit97
Member

Let's say we still need to work on the code side (we have to add a new flag about internal events and discuss which events Falco should receive), so let's say I will keep the issue open just to remind us to document it. But before doing that we need to complete the feature with all the details; in this way we can avoid changing the doc next month 😆

And yes @vjjmiras the unique source of truth will be in libs repo, in the source code, not exposed by a binary, but we can talk about that when the feature will be complete, so probably next Falco release :)

@poiana

poiana commented Feb 21, 2023

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@Andreagit97
Member

/remove-lifecycle stale

@leogr
Member Author

leogr commented Feb 22, 2023

cc @therealbobo

@poiana

poiana commented May 24, 2023

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@therealbobo
Contributor

/remove-lifecycle stale
