Support container event to denote container starts (#550)

* Add support for container metaevent to detect container spawning

Create a new macro "container_started" that covers both the old check
and the new one.
Also, only look for execve exit events with vpid=1.

* Use TBB_INCLUDE_DIR for consistency w sysdig,agent

Previously it was a mix of TBB_INCLUDE and TBB_INCLUDE_DIR.

* Build using matching sysdig branch, if exists
This commit is contained in:
Mark Stemm
2019-03-08 13:23:10 -08:00
committed by GitHub
parent 3edd39e625
commit 5740186280
5 changed files with 19 additions and 12 deletions


@@ -26,8 +26,11 @@ services:
before_install:
- sudo apt-get update
install:
- export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
- sudo apt-get install rpm linux-headers-$(uname -r) libelf-dev
- git clone https://github.com/draios/sysdig.git ../sysdig
# if available, use the branch with the same name in sysdig
- pushd ../sysdig && (git checkout "${BRANCH}" || exit 0) && echo "Using sysdig branch:" $(git rev-parse --abbrev-ref HEAD) && popd
- sudo apt-get install -y python-pip libvirt-dev jq dkms
- cd ..
- curl -Lo avocado-36.0-tar.gz https://github.com/avocado-framework/avocado/archive/36.0lts.tar.gz
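Review bot: The `pushd ../sysdig && (git checkout "${BRANCH}" || exit 0)` line hands a name derived from `TRAVIS_PULL_REQUEST_BRANCH`, i.e. chosen by whoever opened the PR, to `git checkout` inside the sysdig clone, so a fork can select any existing sysdig ref (branch, tag, or likely an abbreviated commit) just by naming its branch after it; the quoting and git's refusal of leading-dash branch names keep this from becoming option injection, but it does decide which sysdig revision the build and tests run against. Restricting the match to remote branches makes the intent explicit and avoids accidental hits on tags or commits: `- pushd ../sysdig && { git show-ref --verify --quiet "refs/remotes/origin/${BRANCH}" && git checkout "${BRANCH}" || echo "No sysdig branch ${BRANCH}, using default"; } && echo "Using sysdig branch:" $(git rev-parse --abbrev-ref HEAD) && popd`. As written, the `|| exit 0` inside the subshell only neutralises the exit status, so a failed checkout is silent apart from the following `git rev-parse` echo. The `git clone` on the line above is unpinned, which predates this change, so the sysdig revision will also drift between runs even when no branch matches.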


@@ -449,10 +449,10 @@ endif()
option(USE_BUNDLED_TBB "Enable building of the bundled tbb" ${USE_BUNDLED_DEPS})
if(NOT USE_BUNDLED_TBB)
find_path(TBB_INCLUDE tbb.h PATH_SUFFIXES tbb)
find_path(TBB_INCLUDE_DIR tbb.h PATH_SUFFIXES tbb)
find_library(TBB_LIB NAMES tbb)
if(TBB_INCLUDE AND TBB_LIB)
message(STATUS "Found tbb: include: ${TBB_INCLUDE}, lib: ${TBB_LIB}")
if(TBB_INCLUDE_DIR AND TBB_LIB)
message(STATUS "Found tbb: include: ${TBB_INCLUDE_DIR}, lib: ${TBB_LIB}")
else()
message(FATAL_ERROR "Couldn't find system tbb")
endif()
@@ -461,7 +461,7 @@ else()
message(STATUS "Using bundled tbb in '${TBB_SRC}'")
set(TBB_INCLUDE "${TBB_SRC}/include/")
set(TBB_INCLUDE_DIR "${TBB_SRC}/include/")
set(TBB_LIB "${TBB_SRC}/build/lib_release/libtbb.a")
ExternalProject_Add(tbb
URL "http://s3.amazonaws.com/download.draios.com/dependencies/tbb-2018_U5.tar.gz"
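Review bot: The bundled-tbb branch that the second hunk renames still fetches its tarball from `http://s3.amazonaws.com/download.draios.com/dependencies/tbb-2018_U5.tar.gz` over plain HTTP, and no `URL_HASH` is visible in the hunk, so unless the `ExternalProject_Add(tbb ...)` call sets one further down (the call continues past the end of the hunk) the build compiles and statically links whatever that URL happens to serve. Adding `URL_HASH SHA256=<digest of tbb-2018_U5.tar.gz>` directly under the `URL` line, and preferably an https URL, makes the dependency tamper-evident; this predates the commit, but the rename touches exactly this block. On the rename itself, `TBB_INCLUDE` disappears from both the system and bundled branches, so any other CMake file still expanding `${TBB_INCLUDE}` will now silently pass an empty include directory instead of failing at configure time — worth a grep before merging. Minor: the `find_path`/`find_library` results in the first hunk could be hidden from the cache UI with `mark_as_advanced(TBB_INCLUDE_DIR TBB_LIB)`.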


@@ -337,6 +337,9 @@
- macro: container
condition: container.id != host
- macro: container_started
condition: (evt.type = container or (evt.type=execve and evt.dir=< and proc.vpid=1))
- macro: interactive
condition: >
((proc.aname=sshd and proc.name != sshd) or
@@ -1406,7 +1409,7 @@
- rule: Launch Privileged Container
desc: Detect the initial process started in a privileged container. Exceptions are made for known trusted images.
condition: >
evt.type=execve and proc.vpid=1 and container
container_started and container
and container.privileged=true
and not trusted_containers
and not user_trusted_containers
@@ -1446,7 +1449,7 @@
Detect the initial process started by a container that has a mount from a sensitive host directory
(i.e. /proc). Exceptions are made for known trusted images.
condition: >
evt.type=execve and proc.vpid=1 and container
container_started and container
and sensitive_mount
and not trusted_containers
and not user_sensitive_mount_containers
@@ -1458,19 +1461,18 @@
# explicitly enumerate the container images that you want to run in
# your environment. In this main falco rules file, there isn't any way
# to know all the containers that can run, so any container is
# alllowed, by using a filter that is guaranteed to evaluate to true
# (the same proc.vpid=1 that's in the Launch Disallowed Container
# rule). In the overridden macro, the condition would look something
# like (container.image.repository = vendor/container-1 or
# allowed, by using a filter that is guaranteed to evaluate to true.
# In the overridden macro, the condition would look something like
# (container.image.repository = vendor/container-1 or
# container.image.repository = vendor/container-2 or ...)
- macro: allowed_containers
condition: (proc.vpid=1)
condition: (container.id exists)
- rule: Launch Disallowed Container
desc: >
Detect the initial process started by a container that is not in a list of allowed containers.
condition: evt.type=execve and proc.vpid=1 and container and not allowed_containers
condition: container_started and container and not allowed_containers
output: Container started and not in allowed list (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
priority: WARNING
tags: [container]
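Review bot: The new `container_started` macro in the first hunk is undocumented, and its two arms can both match a single container start — the `container` metaevent and, later, the execve exit of the vpid 1 process — so the rules rebuilt on it (`Launch Privileged Container`, the sensitive-mount rule and `Launch Disallowed Container`) can presumably fire twice for one container, once per arm; if that is intended as belt-and-braces it should be stated, otherwise the execve arm needs a guard. When the `container` event arm matches, `%proc.cmdline` and `%user.name` in the outputs may describe the thread on which the metaevent was generated rather than the container entrypoint, so the two arms can produce different-looking alerts — worth confirming against the sysdig branch this commit builds against. A comment above the macro such as `# A container start is seen either as the container metaevent (emitted when container metadata is first known) or as the execve exit of the container's vpid 1 process; both are kept so sysdig builds without the metaevent still match.` would record the intent from the commit message. The execve arm also still matches a failed exec of vpid 1 (no `evt.res` check), as the previous condition did.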


@@ -22,6 +22,7 @@ include_directories("${PROJECT_BINARY_DIR}/userspace/engine")
include_directories("${LUAJIT_INCLUDE}")
include_directories("${NJSON_INCLUDE}")
include_directories("${CURL_INCLUDE_DIR}")
include_directories("${TBB_INCLUDE_DIR}")
add_library(falco_engine STATIC
rules.cpp
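Review bot: The new `include_directories("${TBB_INCLUDE_DIR}")` follows the file's directory-scoped pattern, but since `add_library(falco_engine ...)` is right below it the include could be attached to the target instead — `target_include_directories(falco_engine PRIVATE "${TBB_INCLUDE_DIR}")` after the `add_library` call — which keeps tbb's headers from leaking into every target configured after this directory; it is consistent with the surrounding lines as written, so this is only a style point. If tbb headers are used in the engine's public headers the visibility would need to be `PUBLIC` rather than `PRIVATE`, which cannot be told from here. The `add_library` call continues past the end of the hunk.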


@@ -24,6 +24,7 @@ include_directories("${PROJECT_SOURCE_DIR}/../sysdig/userspace/sysdig")
include_directories("${PROJECT_SOURCE_DIR}/userspace/engine")
include_directories("${PROJECT_BINARY_DIR}/userspace/falco")
include_directories("${CURL_INCLUDE_DIR}")
include_directories("${TBB_INCLUDE_DIR}")
include_directories("${NJSON_INCLUDE}")
include_directories("${YAMLCPP_INCLUDE_DIR}")
include_directories("${CIVETWEB_INCLUDE_DIR}")