Rule: PTRACE anti-debug attempt #40
Conversation
Signed-off-by: Brucedh <[email protected]>
|
@Brucedh: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Welcome @Brucedh! It looks like this is your first PR to falcosecurity/rules 🎉 |
|
LGTM label has been added. Git tree hash: 24545f38a8a3978e69cce257b11bbda0aa2d529b
|
|
/kind rule-create |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Brucedh, leogr, loresuso The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: Alessandro Brucato [email protected]
What type of PR is this?
/kind rule-create
Any specific area of the project related to this PR?
/area rules
What this PR does / why we need it:
The ptrace system call is used by debuggers, such as GDB, to examine a target process. Malicious programs will often try to prevent this by using the ptrace system call first, preventing other programs from using it on them. This rule detects that behavior. Legitimate processes may also do this for DRM or diagnostic purposes.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
This PR has been ported from falcosecurity/falco#2227