
Deleting all Keys from the syscall_exit_ta Map Causes the Agent to No Longer Detect #2915

Closed
agadient opened this issue Nov 17, 2023 · 5 comments

Comments

@agadient

Describe the bug

A privileged user that attempts to delete all keys from the syscall_exit_ta map causes the agent to no longer detect future actions on the system.

How to reproduce it

Compile and run the program located here: https://github.com/Vali-Cyber/ebpf-attacks/tree/main/delete_keys

Expected behaviour

Run the delete_keys program as a privileged user with the -falco flag. Then, try to access the /etc/pam.conf file. Alerts are no longer triggered after the delete_keys program runs.

Environment

  • Falco version: 0.36.2 (x86_64)
  • System info:
    • Cloud provider or hardware configuration: Local VMWare VM
    • OS:

PRETTY_NAME="Ubuntu 22.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.1 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

@Andreagit97 (Member)

Hey @agadient, this is true. If you use Falco with eBPF and you have enough privileges to delete entries from a map, Falco will stop collecting syscalls. The point here is that Falco should notify you that an unprivileged user gained extra permissions so you can stop him before malevolent actions... once the system is compromised Falco's behavior can be altered of course, but probably your system is already gone...

TL;DR: probably Falco should help you prevent these possible attacks; once the attacker has already gained privileges I'm not sure you can do something with Falco...
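The maintainer's point above is that the sensor's own eBPF maps are part of the attack surface once an attacker is privileged, so a defender at least wants to notice when a populated map is suddenly emptied. The script below is an added example written for this thread; it is not Falco code and not the delete_keys program from the issue. It snapshots the entry count of a named map through bpftool and raises an alert when a map that had keys now has none. Assumptions of mine, not stated on the page: that `bpftool -j map show` prints a JSON list of objects carrying "id" and "name", that `bpftool -j map dump id N` prints a JSON list with one object per live entry, and that the map is visible to bpftool under the name syscall_exit_ta given in the issue title. The `fake_bpftool` stand-in and the `SAMPLE_*` values are constructed so the logic runs offline.

```python
"""Added example (not Falco's code): watch an eBPF sensor's own map for being emptied.

Assumptions (mine, not from the issue):
  * `bpftool -j map show` emits a JSON list of objects with "id" and "name".
  * `bpftool -j map dump id <N>` emits a JSON list with one object per entry.
  * The watched map is visible to bpftool under the name used in the issue.
"""
import json
import subprocess
from typing import Callable, Dict, Optional

WATCHED_MAP = "syscall_exit_ta"  # name taken from the issue title; assumed bpftool-visible


def run_bpftool(args: list) -> str:
    """Run bpftool with JSON output and return stdout. Needs root or CAP_BPF."""
    return subprocess.run(
        ["bpftool", "-j", *args], check=True, capture_output=True, text=True
    ).stdout


def parse_map_list(show_json: str) -> Dict[str, int]:
    """Map name -> map id from `bpftool -j map show` output (assumed format)."""
    ids: Dict[str, int] = {}
    for entry in json.loads(show_json):
        name = entry.get("name")
        if name:  # anonymous maps have no name and cannot be watched by name
            ids[name] = int(entry["id"])
    return ids


def count_entries(dump_json: str) -> int:
    """Number of live keys in a `bpftool -j map dump` listing (assumed format)."""
    return len(json.loads(dump_json))


def detect_wipe(previous: int, current: int, name: str = WATCHED_MAP) -> Optional[str]:
    """Alert text when a previously populated map now holds no keys at all.

    Partial churn is normal for per-thread tables, so only the all-keys-gone
    case described in the issue is flagged; tune the rule for your own maps.
    """
    if previous > 0 and current == 0:
        return f"ALERT: map {name} went from {previous} entries to 0; sensor may be blinded"
    return None


def snapshot(name: str = WATCHED_MAP, run: Callable[[list], str] = run_bpftool) -> int:
    """Current entry count of the named map; raises if the map is not loaded."""
    ids = parse_map_list(run(["map", "show"]))
    if name not in ids:
        raise RuntimeError(f"map {name} not found; is the probe loaded?")
    return count_entries(run(["map", "dump", "id", str(ids[name])]))


# Constructed sample output standing in for bpftool so the logic runs offline.
SAMPLE_SHOW = json.dumps([
    {"id": 42, "type": "hash", "name": WATCHED_MAP, "max_entries": 131072},
    {"id": 7, "type": "array", "name": "other_map", "max_entries": 1},
])
SAMPLE_DUMP_BEFORE = json.dumps([
    {"key": [0x01, 0x00, 0x00, 0x00], "value": [0x10, 0x00, 0x00, 0x00]},
    {"key": [0x02, 0x00, 0x00, 0x00], "value": [0x20, 0x00, 0x00, 0x00]},
    {"key": [0x03, 0x00, 0x00, 0x00], "value": [0x30, 0x00, 0x00, 0x00]},
])
SAMPLE_DUMP_AFTER = "[]"  # what a wiped map looks like


def fake_bpftool(dump: str) -> Callable[[list], str]:
    """Stand-in for run_bpftool that serves the constructed samples (testing only)."""
    def run(args: list) -> str:
        return SAMPLE_SHOW if args[:2] == ["map", "show"] else dump
    return run


def demo() -> Optional[str]:
    """Two snapshots around a simulated wipe; returns the alert text."""
    before = snapshot(run=fake_bpftool(SAMPLE_DUMP_BEFORE))
    after = snapshot(run=fake_bpftool(SAMPLE_DUMP_AFTER))
    return detect_wipe(before, after)


if __name__ == "__main__":
    print(demo())
```

On a live host, call `snapshot()` without the `run` argument from a periodic job and keep the previous count; because the checker itself relies on bpftool and the kernel's view of the map, run it from a separate, more tightly confined context than the sensor so that the same privilege that wipes the map is not the one reporting on it.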

@Andreagit97 Andreagit97 added this to the TBD milestone Nov 20, 2023
@poiana

poiana commented Feb 18, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@poiana

poiana commented Mar 19, 2024

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

@poiana

poiana commented Apr 18, 2024

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

@poiana poiana closed this as completed Apr 18, 2024
@poiana

poiana commented Apr 18, 2024

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
