ROX-33614: Update Falco to 0.23.1

[Stringy]

Description

Falco PR: stackrox/falcosecurity-libs#97

The changes in this PR relate to the uplift of Falco to the latest tagged version, 0.23.1. This is a significant upgrade, jumping from 0.18.1 up to this latest version and contains the following notable changes to Collector:

• Added TOCTOU BPF programs to exclude list (we are not interested in these syscalls and they caused verifier issues)
• Moved Container ID parsing into Collector
  • Perhaps the most significant change in upstream Falco is the container plugin, which is a Go shared library that must be loaded at runtime and dynamically populates fields for each process. The complexity of such a plugin in terms of building, loading, and utilising it was deemed a little too much for the small amount of data we actually need from it. As a result, we don't use the plugin at all.
  • One side effect of this is we don't have k8s namespaces automatically populated, which means in the future if/when we want namespace-level runtime configuration we may have to revisit these changes and either implement this in Collector or resign ourselves to using the container plugin.
• The container filter has been changed from "container.id != 'host'" to "proc.pid != proc.vpid" - these are functionally identical but the former is not usable because we're not using the container plugin. Strictly speaking the new filter does not work on (very) old kernels e.g. RHEL 7, but we do not need to support them.
• Numerous API changes to interact correctly with the new Falco version.

This work was performed primarily by Claude, with oversight from me. This was something of an experiment and so I got Claude to do as much of the work as possible, with my role being that of the driver; steering Claude when it got muddled or hyper focused on the wrong fix.

The update and rebase itself was relatively straight forward, resulting in new locally-built and locally-verified builds in just a couple of hours (i.e. builds that built and ran locally, passing the integration tests on my Fedora 42 x86 machine.) The bottle neck became the CI and getting that work fed back into Claude to perform the diagnostics and fixes.

As a result, I have added two Claude skills as part of this PR which allow Claude to (1) perform Falco updates in the future and (2) inspect the state of CI and investigate test failures or BPF verifiers issues.

Checklist

• Investigated and inspected CI test results
• Updated documentation accordingly

Automated testing

• Added unit tests
• Added integration tests
• Added regression tests

If any of these don't apply, please comment below.

Testing Performed

Built and tested locally, all unit & integration tests passing. CI handles the remainder of our test matrix.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 10.76923% with 58 lines in your changes missing coverage. Please review.
✅ Project coverage is 27.37%. Comparing base (d461f49) to head (23c2967).
⚠️ Report is 6 commits behind head on master.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
collector/lib/system-inspector/Service.cpp	0.00%	2 Missing and 10 partials ⚠️
collector/lib/NetworkSignalHandler.cpp	0.00%	11 Missing ⚠️
collector/lib/ProcessSignalFormatter.cpp	15.38%	7 Missing and 4 partials ⚠️
collector/lib/Utility.cpp	35.71%	5 Missing and 4 partials ⚠️
collector/lib/ContainerMetadata.cpp	0.00%	5 Missing ⚠️
collector/lib/Process.cpp	0.00%	3 Missing ⚠️
collector/lib/system-inspector/EventExtractor.cpp	0.00%	2 Missing and 1 partial ⚠️
collector/lib/system-inspector/EventExtractor.h	0.00%	0 Missing and 2 partials ⚠️
collector/lib/CollectorService.cpp	0.00%	1 Missing ⚠️
collector/lib/ContainerInfoInspector.cpp	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2976      +/-   ##
==========================================
+ Coverage   27.34%   27.37%   +0.03%     
==========================================
  Files          95       94       -1     
  Lines        5420     5413       -7     
  Branches     2545     2547       +2     
==========================================
  Hits         1482     1482              
+ Misses       3211     3201      -10     
- Partials      727      730       +3     

Flag	Coverage Δ
collector-unit-tests	27.37% <10.76%> (+0.03%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: fd74638c-eb5b-435f-9855-d9be1d9958a8

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch giles/claude-update-falco-skill

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Molter73]

I haven't gone through the changes under .claude or AGENTS.md, I think those probably should moved to their own PR.

Even without those there are plenty of comments, the falco side looks fine though.

[Molter73]

Can we move the .claude/commands and AGENTS.md to a separate PR so we can focus the review efforts?

[Molter73]

I'm fairly certain directly doing the checks is faster than doing these string checks. If we don't want to do this check for process information, I'm fairly certain we can check the syscall number instead and that will also be faster. Is there some other reason this check would be here I'm not seeing?

[Molter73]

Fairly certain this check should just be an assert.

[Molter73]

Why are we using extract when the falco PR still has the definition of extract_single?

[Molter73]

Should this be an assert?

[Molter73]

Since ACS has no idea what to do with processes outside of a container, it might be better to just let the exception bubble up and kill collector, rather than flood sensor with events it will not process.

[Molter73]

Why can't we use GetContainerID here?

[Molter73]

Suggested change

	<< signal->name()
	<< signal->name() << "[" << container_id << "] "

[Molter73]

Fairly certain you can do something like this:

Suggested change

	os << "Name: " << t->m_comm << ", PID: " << t->m_pid << ", Args: " << t->m_exe;
	os << "Container: \"" << (t == nullptr ? "null" : GetContainerID(*t)) << "\", Name: " << t->m_comm << ", PID: " << t->m_pid << ", Args: " << t->m_exe;

Or just create an overloaded version of GetContainerID that takes a pointer, checks it, then calls the version with the reference.

[Molter73]

Why do the timeouts in this test need to be bumped from 5 to 30 seconds?