[Feature] Improve args in `bpf` exit event

[incertum]

Based on a discussion between @Andreagit97 @darryk10 and myself a few ideas shared by Andrea to improve bpf syscall based alerting in falco rules:

• add the possibility to check the return value, possibly expose evt.arg.cmd also in the exit event to have all fields of interest in one event
• introduce the BPF commands name, so use evt.arg.cmd == BPF_PROG_LOAD instead of evt.arg.cmd == 5 -> Update(driver): Introduce the BPF commands name #1545
• expose also the name of the BPF prog injected (not easy at all) -> comment @incertum not sure how valuable it would be for detections, maybe not really needed at the moment.

[Andreagit97]

this is a duplicate of #1342 but it is more detailed, I will close mine :)

[incertum]

oh 🤦‍♀️ I should have maybe checked before opening this issue.

[Rohith-Raju]

@Andreagit97 @incertum Would love to work on this!!

[incertum]

Awesome, you have any additional questions? Else please feel free to go ahead :) Thanks!

[Rohith-Raju]

I'm going to solve them one by one and will reach out if I get stuck 😄.

[incertum]

Great! Suggesting to focus on the first 2 items in one PR -> easy wins, add direct value to Falco rules in the next release.

The last one may need to be queued depending on prioritization, not a top priority feature.

[incertum]

/milestone TBD