Skip to content

Commit

Permalink
update(rule): update description
Browse files Browse the repository at this point in the history 
Signed-off-by: Luca Guerra <[email protected]>
  • Loading branch information
@LucaGuerra @poiana
LucaGuerra authored and poiana committed Aug 2, 2024
1 parent 1d3cd24 commit 342b20d
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion rules/falco-incubating_rules.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1296,7 +1296,7 @@
BPF is a kernel technology that can be misused for malicious purposes, like "Linux Kernel Module Injection". This
rule should be considered an auditing rule to notify you of any unprofiled BPF tools running in your environment.
However, it requires customization after profiling your environment. BPF-powered agents make bpf syscalls all the
time, so this rule only sends logs for BPF_PROG_LOAD calls (bpf cmd=BPF_PROG_LOAD) in the enter event. If you also want to log
time, so this rule only sends logs for BPF_PROG_LOAD calls (bpf cmd=5) in the enter event. If you also want to log
whether the syscall failed or succeeded, remove the direction filter and add the evt.arg.res_or_fd output field.
condition: >
evt.type=bpf and evt.dir=>
Expand Down

0 comments on commit 342b20d

Please sign in to comment.