[Feature] Improve args in bpf exit event

[incertum]

Based on a discussion between @Andreagit97 @darryk10 and myself a few ideas shared by Andrea to improve bpf syscall based alerting in falco rules:

• add the possibility to check the return value, possibly expose evt.arg.cmd also in the exit event to have all fields of interest in one event
• introduce the BPF commands name, so use evt.arg.cmd == BPF_PROG_LOAD instead of evt.arg.cmd == 5 -> Update(driver): Introduce the BPF commands name #1545
• expose also the name of the BPF prog injected (not easy at all) -> comment @incertum not sure how valuable it would be for detections, maybe not really needed at the moment.

[Andreagit97]

this is a duplicate of #1342 but it is more detailed, I will close mine :)

[incertum]

oh 🤦‍♀️ I should have maybe checked before opening this issue.

[Rohith-Raju]

@Andreagit97 @incertum Would love to work on this!!

[incertum]

Awesome, you have any additional questions? Else please feel free to go ahead :) Thanks!

[Rohith-Raju]

I'm going to solve them one by one and will reach out if I get stuck 😄.

[incertum]

Great! Suggesting to focus on the first 2 items in one PR -> easy wins, add direct value to Falco rules in the next release.

The last one may need to be queued depending on prioritization, not a top priority feature.

[incertum]

/milestone TBD

[incertum]

/milestone 0.15.0

[incertum]

Changed milestone to TBD since 2 items are still open and to be discussed. @Rohith-Raju are you still interested in exploring the other 2 items in the future? No immediate urgency.

[Rohith-Raju]

@incertum Yes, I'd love to!!

[incertum]

Awesome @Rohith-Raju likely these items would be for the summer after Falco 0.38.0, but dev and PR review can happen any time before of course!

[Rohith-Raju]

Sure!! I'll reach out to you if I need more info!!

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[Andreagit97]

/remove-lifecycle stale

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[Andreagit97]

/remove-lifecycle stale

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[Andreagit97]

add the possibility to check the return value, possibly expose evt.arg.cmd also in the exit event to have all fields of interest in one event

This could be solved with #2068

[Andreagit97]

/remove-lifecycle stale

[poiana]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

[Andreagit97]

could be partially solved by #1867, at least the first point

add the possibility to check the return value, possibly expose evt.arg.cmd also in the exit event to have all fields of interest in one event

[Andreagit97]

/remove-lifecycle rotten