You are viewing documentation for Falco version: v0.29.1

Falco v0.29.1 documentation is no longer actively maintained. The version you are currently viewing is a static snapshot. For up-to-date documentation, see the latest version.

Supported Syscall Events

Here are the system call event types and args supported by the kernel module and BPF probe via libscap included in the Falco libs. Note that, for performance reasons, by default Falco will only consider a subset of them indicated in the table below. However, it's possible to make Falco consider all events by using the -A command line switch.

FalcoDirEvent
Yes>syscall(SYSCALLID ID, UINT16 nativeID)
Yes<syscall(SYSCALLID ID)
Yes>open()
Yes<open(FD fd, FSPATH name, FLAGS32 flags, UINT32 mode, UINT32 dev)
No>close(FD fd)
No<close(ERRNO res)
No>read(FD fd, UINT32 size)
No<read(ERRNO res, BYTEBUF data)
No>write(FD fd, UINT32 size)
No<write(ERRNO res, BYTEBUF data)
Yes>socket(FLAGS32 domain, UINT32 type, UINT32 proto)
Yes<socket(FD fd)
Yes>bind(FD fd)
Yes<bind(ERRNO res, SOCKADDR addr)
Yes>connect(FD fd)
Yes<connect(ERRNO res, SOCKTUPLE tuple)
Yes>listen(FD fd, UINT32 backlog)
Yes<listen(ERRNO res)
No>send(FD fd, UINT32 size)
No<send(ERRNO res, BYTEBUF data)
Yes>sendto(FD fd, UINT32 size, SOCKTUPLE tuple)
Yes<sendto(ERRNO res, BYTEBUF data)
No>recv(FD fd, UINT32 size)
No<recv(ERRNO res, BYTEBUF data)
Yes>recvfrom(FD fd, UINT32 size)
Yes<recvfrom(ERRNO res, BYTEBUF data, SOCKTUPLE tuple)
No>shutdown(FD fd, FLAGS8 how)
No<shutdown(ERRNO res)
No>getsockname()
No<getsockname()
No>getpeername()
No<getpeername()
Yes>socketpair(FLAGS32 domain, UINT32 type, UINT32 proto)
Yes<socketpair(ERRNO res, FD fd1, FD fd2, UINT64 source, UINT64 peer)
Yes>setsockopt()
Yes<setsockopt(ERRNO res, FD fd, FLAGS8 level, FLAGS8 optname, DYNAMIC val, UINT32 optlen)
No>getsockopt()
No<getsockopt(ERRNO res, FD fd, FLAGS8 level, FLAGS8 optname, DYNAMIC val, UINT32 optlen)
Yes>sendmsg(FD fd, UINT32 size, SOCKTUPLE tuple)
Yes<sendmsg(ERRNO res, BYTEBUF data)
No>sendmmsg()
No<sendmmsg()
Yes>recvmsg(FD fd)
Yes<recvmsg(ERRNO res, UINT32 size, BYTEBUF data, SOCKTUPLE tuple)
No>recvmmsg()
No<recvmmsg()
Yes>creat()
Yes<creat(FD fd, FSPATH name, UINT32 mode, UINT32 dev)
Yes>pipe()
Yes<pipe(ERRNO res, FD fd1, FD fd2, UINT64 ino)
No>eventfd(UINT64 initval, FLAGS32 flags)
No<eventfd(FD res)
No>futex(UINT64 addr, FLAGS16 op, UINT64 val)
No<futex(ERRNO res)
No>stat()
No<stat(ERRNO res, FSPATH path)
No>lstat()
No<lstat(ERRNO res, FSPATH path)
No>fstat(FD fd)
No<fstat(ERRNO res)
No>stat64()
No<stat64(ERRNO res, FSPATH path)
No>lstat64()
No<lstat64(ERRNO res, FSPATH path)
No>fstat64(FD fd)
No<fstat64(ERRNO res)
No>epoll_wait(ERRNO maxevents)
No<epoll_wait(ERRNO res)
No>poll(FDLIST fds, INT64 timeout)
No<poll(ERRNO res, FDLIST fds)
No>select()
No<select(ERRNO res)
No>select()
No<select(ERRNO res)
No>lseek(FD fd, UINT64 offset, FLAGS8 whence)
No<lseek(ERRNO res)
No>llseek(FD fd, UINT64 offset, FLAGS8 whence)
No<llseek(ERRNO res)
No>getcwd()
No<getcwd(ERRNO res, CHARBUF path)
Yes>chdir()
Yes<chdir(ERRNO res, CHARBUF path)
Yes>fchdir(FD fd)
Yes<fchdir(ERRNO res)
Yes>mkdir(FSPATH path, UINT32 mode)
Yes<mkdir(ERRNO res)
Yes>rmdir(FSPATH path)
Yes<rmdir(ERRNO res)
No>pread(FD fd, UINT32 size, UINT64 pos)
No<pread(ERRNO res, BYTEBUF data)
No>pwrite(FD fd, UINT32 size, UINT64 pos)
No<pwrite(ERRNO res, BYTEBUF data)
No>readv(FD fd)
No<readv(ERRNO res, UINT32 size, BYTEBUF data)
No>writev(FD fd, UINT32 size)
No<writev(ERRNO res, BYTEBUF data)
No>preadv(FD fd, UINT64 pos)
No<preadv(ERRNO res, UINT32 size, BYTEBUF data)
No>pwritev(FD fd, UINT32 size, UINT64 pos)
No<pwritev(ERRNO res, BYTEBUF data)
Yes>dup(FD fd)
Yes<dup(FD res)
Yes>signalfd(FD fd, UINT32 mask, FLAGS8 flags)
Yes<signalfd(FD res)
Yes>kill(PID pid, SIGTYPE sig)
Yes<kill(ERRNO res)
Yes>tkill(PID tid, SIGTYPE sig)
Yes<tkill(ERRNO res)
Yes>tgkill(PID pid, PID tid, SIGTYPE sig)
Yes<tgkill(ERRNO res)
No>nanosleep(RELTIME interval)
No<nanosleep(ERRNO res)
No>timerfd_create(UINT8 clockid, FLAGS8 flags)
No<timerfd_create(FD res)
Yes>inotify_init(FLAGS8 flags)
Yes<inotify_init(FD res)
No>getrlimit(FLAGS8 resource)
No<getrlimit(ERRNO res, INT64 cur, INT64 max)
No>setrlimit(FLAGS8 resource)
No<setrlimit(ERRNO res, INT64 cur, INT64 max)
Yes>prlimit(PID pid, FLAGS8 resource)
Yes<prlimit(ERRNO res, INT64 newcur, INT64 newmax, INT64 oldcur, INT64 oldmax)
No>fcntl(FD fd, FLAGS8 cmd)
No<fcntl(FD res)
No>switch(PID next, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap)
No>brk(UINT64 addr)
No<brk(UINT64 res, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap)
No>mmap(UINT64 addr, UINT64 length, FLAGS32 prot, FLAGS32 flags, FD fd, UINT64 offset)
No<mmap(UINT64 res, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap)
No>mmap2(UINT64 addr, UINT64 length, FLAGS32 prot, FLAGS32 flags, FD fd, UINT64 pgoffset)
No<mmap2(UINT64 res, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap)
No>munmap(UINT64 addr, UINT64 length)
No<munmap(ERRNO res, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap)
No>splice(FD fd_in, FD fd_out, UINT64 size, FLAGS32 flags)
No<splice(ERRNO res)
Yes>ptrace(FLAGS16 request, PID pid)
Yes<ptrace(ERRNO res, DYNAMIC addr, DYNAMIC data)
Yes>ioctl(FD fd, UINT64 request, UINT64 argument)
Yes<ioctl(ERRNO res)
Yes>rename()
Yes<rename(ERRNO res, FSPATH oldpath, FSPATH newpath)
Yes>renameat()
Yes<renameat(ERRNO res, FD olddirfd, FSRELPATH oldpath, FD newdirfd, FSRELPATH newpath)
Yes>symlink()
Yes<symlink(ERRNO res, CHARBUF target, FSPATH linkpath)
Yes>symlinkat()
Yes<symlinkat(ERRNO res, CHARBUF target, FD linkdirfd, FSRELPATH linkpath)
Yes>procexit(ERRNO status)
No>sendfile(FD out_fd, FD in_fd, UINT64 offset, UINT64 size)
No<sendfile(ERRNO res, UINT64 offset)
Yes>quotactl(FLAGS16 cmd, FLAGS8 type, UINT32 id, FLAGS8 quota_fmt)
Yes<quotactl(ERRNO res, CHARBUF special, CHARBUF quotafilepath, UINT64 dqb_bhardlimit, UINT64 dqb_bsoftlimit, UINT64 dqb_curspace, UINT64 dqb_ihardlimit, UINT64 dqb_isoftlimit, RELTIME dqb_btime, RELTIME dqb_itime, RELTIME dqi_bgrace, RELTIME dqi_igrace, FLAGS8 dqi_flags, FLAGS8 quota_fmt_out)
Yes>setresuid(UID ruid, UID euid, UID suid)
Yes<setresuid(ERRNO res)
Yes>setresgid(GID rgid, GID egid, GID sgid)
Yes<setresgid(ERRNO res)
Yes>setuid(UID uid)
Yes<setuid(ERRNO res)
Yes>setgid(GID gid)
Yes<setgid(ERRNO res)
No>getuid()
No<getuid(UID uid)
No>geteuid()
No<geteuid(UID euid)
No>getgid()
No<getgid(GID gid)
No>getegid()
No<getegid(GID egid)
No>getresuid()
No<getresuid(ERRNO res, UID ruid, UID euid, UID suid)
No>getresgid()
No<getresgid(ERRNO res, GID rgid, GID egid, GID sgid)
Yes>clone()
Yes<clone(PID res, CHARBUF exe, BYTEBUF args, PID tid, PID pid, PID ptid, CHARBUF cwd, INT64 fdlimit, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap, CHARBUF comm, BYTEBUF cgroups, FLAGS32 flags, UINT32 uid, UINT32 gid, PID vtid, PID vpid)
Yes>fork()
Yes<fork(PID res, CHARBUF exe, BYTEBUF args, PID tid, PID pid, PID ptid, CHARBUF cwd, INT64 fdlimit, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap, CHARBUF comm, BYTEBUF cgroups, FLAGS32 flags, UINT32 uid, UINT32 gid, PID vtid, PID vpid)
Yes>vfork()
Yes<vfork(PID res, CHARBUF exe, BYTEBUF args, PID tid, PID pid, PID ptid, CHARBUF cwd, INT64 fdlimit, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap, CHARBUF comm, BYTEBUF cgroups, FLAGS32 flags, UINT32 uid, UINT32 gid, PID vtid, PID vpid)
Yes>execve()
Yes<execve(ERRNO res, CHARBUF exe, BYTEBUF args, PID tid, PID pid, PID ptid, CHARBUF cwd, UINT64 fdlimit, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap, CHARBUF comm, BYTEBUF cgroups, BYTEBUF env)
No>signaldeliver(PID spid, PID dpid, SIGTYPE sig)
No>getdents(FD fd)
No<getdents(ERRNO res)
No>getdents64(FD fd)
No<getdents64(ERRNO res)
Yes>setns(FD fd, FLAGS32 nstype)
Yes<setns(ERRNO res)
Yes>flock(FD fd, FLAGS32 operation)
Yes<flock(ERRNO res)
No>cpu_hotplug(UINT32 cpu, UINT32 action)
Yes>accept()
Yes<accept(FD fd, SOCKTUPLE tuple, UINT8 queuepct, UINT32 queuelen, UINT32 queuemax)
Yes>accept(INT32 flags)
Yes<accept(FD fd, SOCKTUPLE tuple, UINT8 queuepct, UINT32 queuelen, UINT32 queuemax)
No>semop(INT32 semid)
No<semop(ERRNO res, UINT32 nsops, UINT16 sem_num_0, INT16 sem_op_0, FLAGS16 sem_flg_0, UINT16 sem_num_1, INT16 sem_op_1, FLAGS16 sem_flg_1)
No>semctl(INT32 semid, INT32 semnum, FLAGS16 cmd, INT32 val)
No<semctl(ERRNO res)
No>ppoll(FDLIST fds, RELTIME timeout, SIGSET sigmask)
No<ppoll(ERRNO res, FDLIST fds)
Yes>mount(FLAGS32 flags)
Yes<mount(ERRNO res, CHARBUF dev, FSPATH dir, CHARBUF type)
Yes>umount(FLAGS32 flags)
Yes<umount(ERRNO res, FSPATH name)
No>semget(INT32 key, INT32 nsems, FLAGS32 semflg)
No<semget(ERRNO res)
No>access(FLAGS32 mode)
No<access(ERRNO res, FSPATH name)
Yes>chroot()
Yes<chroot(ERRNO res, FSPATH path)
Yes>tracer(INT64 id, CHARBUFARRAY tags, CHARBUF_PAIR_ARRAY args)
Yes<tracer(INT64 id, CHARBUFARRAY tags, CHARBUF_PAIR_ARRAY args)
Yes>container(CHARBUF json)
Yes>setsid()
Yes<setsid(PID res)
Yes>mkdir(UINT32 mode)
Yes<mkdir(ERRNO res, FSPATH path)
Yes>rmdir()
Yes<rmdir(ERRNO res, FSPATH path)
No>notification(CHARBUF id, CHARBUF desc)
Yes>unshare(FLAGS32 flags)
Yes<unshare(ERRNO res)
No>page_fault(UINT64 addr, UINT64 ip, FLAGS32 error)
Yes>execve(FSPATH filename)
Yes<execve(ERRNO res, CHARBUF exe, BYTEBUF args, PID tid, PID pid, PID ptid, CHARBUF cwd, UINT64 fdlimit, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap, CHARBUF comm, BYTEBUF cgroups, BYTEBUF env, INT32 tty, PID pgid, INT32 loginuid)
Yes>setpgid(PID pid, PID pgid)
Yes<setpgid(PID res)
Yes>bpf(INT64 cmd)
Yes<bpf(DYNAMIC res_or_fd)
Yes>seccomp(UINT64 op)
Yes<seccomp(ERRNO res)
Yes>unlink()
Yes<unlink(ERRNO res, FSPATH path)
Yes>unlinkat()
Yes<unlinkat(ERRNO res, FD dirfd, FSRELPATH name, FLAGS32 flags)
Yes>mkdirat()
Yes<mkdirat(ERRNO res, FD dirfd, FSRELPATH path, UINT32 mode)
Yes>openat()
Yes<openat(FD fd, FD dirfd, FSRELPATH name, FLAGS32 flags, UINT32 mode, UINT32 dev)
Yes>link()
Yes<link(ERRNO res, FSPATH oldpath, FSPATH newpath)
Yes>linkat()
Yes<linkat(ERRNO res, FD olddir, FSRELPATH oldpath, FD newdir, FSRELPATH newpath, FLAGS32 flags)
Yes>fchmodat()
Yes<fchmodat(ERRNO res, FD dirfd, FSRELPATH filename, MODE mode)
Yes>chmod()
Yes<chmod(ERRNO res, FSPATH filename, MODE mode)
Yes>fchmod()
Yes<fchmod(ERRNO res, FD fd, MODE mode)
Yes>renameat2()
Yes<renameat2(ERRNO res, FD olddirfd, FSRELPATH oldpath, FD newdirfd, FSRELPATH newpath, FLAGS32 flags)
Yes>userfaultfd()
Yes<userfaultfd(ERRNO res, FLAGS32 flags)

Last modified August 25, 2021: docs: add page for supported events (ba9f66f)