diff --git a/.travis.yml b/.travis.yml
index 8056a87f..d78fd141 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -26,8 +26,11 @@ services:
 before_install:
 - sudo apt-get update
 install:
+ - export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
 - sudo apt-get install rpm linux-headers-$(uname -r) libelf-dev
 - git clone https://github.com/draios/sysdig.git ../sysdig
+ # if available, use the branch with the same name in sysdig
+ - pushd ../sysdig && (git checkout "${BRANCH}" || exit 0) && echo "Using sysdig branch:" $(git rev-parse --abbrev-ref HEAD) && popd
 - sudo apt-get install -y python-pip libvirt-dev jq dkms
 - cd ..
 - curl -Lo avocado-36.0-tar.gz https://github.com/avocado-framework/avocado/archive/36.0lts.tar.gz
diff --git a/CMakeLists.txt b/CMakeLists.txt
index c4413797..05bc5ac3 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -449,10 +449,10 @@ endif()
 option(USE_BUNDLED_TBB "Enable building of the bundled tbb" ${USE_BUNDLED_DEPS})
 if(NOT USE_BUNDLED_TBB)
- find_path(TBB_INCLUDE tbb.h PATH_SUFFIXES tbb)
+ find_path(TBB_INCLUDE_DIR tbb.h PATH_SUFFIXES tbb)
 find_library(TBB_LIB NAMES tbb)
- if(TBB_INCLUDE AND TBB_LIB)
- message(STATUS "Found tbb: include: ${TBB_INCLUDE}, lib: ${TBB_LIB}")
+ if(TBB_INCLUDE_DIR AND TBB_LIB)
+ message(STATUS "Found tbb: include: ${TBB_INCLUDE_DIR}, lib: ${TBB_LIB}")
 else()
 message(FATAL_ERROR "Couldn't find system tbb")
 endif()
@@ -461,7 +461,7 @@ else()
 message(STATUS "Using bundled tbb in '${TBB_SRC}'")
- set(TBB_INCLUDE "${TBB_SRC}/include/")
+ set(TBB_INCLUDE_DIR "${TBB_SRC}/include/")
 set(TBB_LIB "${TBB_SRC}/build/lib_release/libtbb.a")
 ExternalProject_Add(tbb
 URL "http://s3.amazonaws.com/download.draios.com/dependencies/tbb-2018_U5.tar.gz"
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 947228a8..4d906fa5 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
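Review bot: `(git checkout "${BRANCH}" || exit 0)` on the new pushd line uses `exit 0` inside a subshell, so it only ends the subshell and silently keeps whatever branch the clone left checked out, which reads like an abort but is really a fallback; `git checkout "${BRANCH}" || true` expresses that directly and drops the parentheses. On the same line `$(git rev-parse --abbrev-ref HEAD)` is unquoted, as is `echo $TRAVIS_BRANCH` in the new export; quoting both keeps the log line and `BRANCH` intact if either value ever contains whitespace. A comment on the export such as `# build against the sysdig branch with the same name as this push/PR branch; fall back to sysdig's default branch otherwise` would record the intent in one place. The `install:` list appears to continue outside the hunk.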
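Review bot: `ExternalProject_Add(tbb` just below the renamed `set(TBB_INCLUDE_DIR ...)` fetches `tbb-2018_U5.tar.gz` over plain `http://` and no `URL_HASH` appears in the hunk, so the bundled build's input is neither pinned nor tamper-evident unless the call, which continues outside the hunk, sets one further down. If it does not, adding `URL_HASH SHA256=<sha256-of-tbb-2018_U5.tar.gz>` (placeholder; compute it from the archive) and switching the URL to `https://` would make the download verifiable. Separately, `TBB_INCLUDE_DIR` in the system branch is a cache entry written by `find_path`, so `mark_as_advanced(TBB_INCLUDE_DIR TBB_LIB)` after the two lookups keeps the renamed variables out of the default cache view.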
@@ -337,6 +337,9 @@
 - macro: container
 condition: container.id != host
+- macro: container_started
+ condition: (evt.type = container or (evt.type=execve and evt.dir=< and proc.vpid=1))
+
 - macro: interactive
 condition: >
 ((proc.aname=sshd and proc.name != sshd) or
@@ -1406,7 +1409,7 @@
 - rule: Launch Privileged Container
 desc: Detect the initial process started in a privileged container. Exceptions are made for known trusted images.
 condition: >
- evt.type=execve and proc.vpid=1 and container
+ container_started and container
 and container.privileged=true
 and not trusted_containers
 and not user_trusted_containers
@@ -1446,7 +1449,7 @@
 Detect the initial process started by a container that has a mount from a sensitive host directory (i.e. /proc). Exceptions are made for known trusted images.
 condition: >
- evt.type=execve and proc.vpid=1 and container
+ container_started and container
 and sensitive_mount
 and not trusted_containers
 and not user_sensitive_mount_containers
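Review bot: The new `container_started` macro carries no comment explaining why it matches both the `container` event and the exit side of an execve by vpid 1, and its spacing mixes `evt.type = container` with `evt.type=execve` in the same condition. A comment above it along the lines of `# Either the container metadata event arrives, or the first process (vpid 1) in the container completes its execve` would document the two paths, and `evt.type=container` matches the `evt.type=execve` and `proc.vpid=1` spelling used elsewhere in the file. Because the three rules in this file that switch to the macro now also fire on the `container` event path, it is worth confirming that `%proc.cmdline` and the `container.*` fields their outputs and conditions read are populated for that event type; if they are not, alerts raised on that path would describe an unrelated process.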
@@ -1458,19 +1461,18 @@
 # explicitly enumerate the container images that you want to run in
 # your environment. In this main falco rules file, there isn't any way
 # to know all the containers that can run, so any container is
-# alllowed, by using a filter that is guaranteed to evaluate to true
-# (the same proc.vpid=1 that's in the Launch Disallowed Container
-# rule). In the overridden macro, the condition would look something
-# like (container.image.repository = vendor/container-1 or
+# allowed, by using a filter that is guaranteed to evaluate to true.
+# In the overridden macro, the condition would look something like
+# (container.image.repository = vendor/container-1 or
 # container.image.repository = vendor/container-2 or ...)
 - macro: allowed_containers
- condition: (proc.vpid=1)
+ condition: (container.id exists)
 - rule: Launch Disallowed Container
 desc: >
 Detect the initial process started by a container that is not in a list of allowed containers.
- condition: evt.type=execve and proc.vpid=1 and container and not allowed_containers
+ condition: container_started and container and not allowed_containers
 output: Container started and not in allowed list (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
 priority: WARNING
 tags: [container]
diff --git a/userspace/engine/CMakeLists.txt b/userspace/engine/CMakeLists.txt
index f91cac43..820643ce 100644
--- a/userspace/engine/CMakeLists.txt
+++ b/userspace/engine/CMakeLists.txt
@@ -22,6 +22,7 @@ include_directories("${PROJECT_BINARY_DIR}/userspace/engine")
 include_directories("${LUAJIT_INCLUDE}")
 include_directories("${NJSON_INCLUDE}")
 include_directories("${CURL_INCLUDE_DIR}")
+include_directories("${TBB_INCLUDE_DIR}")
 add_library(falco_engine STATIC
 rules.cpp
diff --git a/userspace/falco/CMakeLists.txt b/userspace/falco/CMakeLists.txt
index 1713f94b..8d225b05 100644
--- a/userspace/falco/CMakeLists.txt
+++ b/userspace/falco/CMakeLists.txt
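Review bot: `include_directories("${TBB_INCLUDE_DIR}")` hands `falco_engine` a directory that, in the bundled configuration, is `${TBB_SRC}/include/` and only exists after the `tbb` external project has run, yet no `add_dependencies(falco_engine tbb)` is visible in the hunk; if that ordering is not established elsewhere, a clean bundled build can compile `rules.cpp` before the headers are present. The same applies to the `userspace/falco/CMakeLists.txt` hunk. The directory-scoped form matches the surrounding lines, but since the consuming target is declared two lines later, `target_include_directories(falco_engine PRIVATE "${TBB_INCLUDE_DIR}")` after `add_library` would limit the path to the target that needs it. `add_library(falco_engine STATIC` continues outside the hunk.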
@@ -24,6 +24,7 @@ include_directories("${PROJECT_SOURCE_DIR}/../sysdig/userspace/sysdig")
 include_directories("${PROJECT_SOURCE_DIR}/userspace/engine")
 include_directories("${PROJECT_BINARY_DIR}/userspace/falco")
 include_directories("${CURL_INCLUDE_DIR}")
+include_directories("${TBB_INCLUDE_DIR}")
 include_directories("${NJSON_INCLUDE}")
 include_directories("${YAMLCPP_INCLUDE_DIR}")
 include_directories("${CIVETWEB_INCLUDE_DIR}")