diff --git a/docker/builder/root/usr/bin/usage b/docker/builder/root/usr/bin/usage index 8d31a741..2c61b9ea 100755 --- a/docker/builder/root/usr/bin/usage +++ b/docker/builder/root/usr/bin/usage @@ -18,7 +18,7 @@ How to use. * docker run -ti falcosecurity/falco-builder bash To build Falco it needs: - - a bind-mount on the source directory (ie., the directory containing Falco and sysdig source as siblings) + - a bind-mount on the source directory (ie., the directory containing the Falco source as sibling) Optionally, you can also bind-mount the build directory. So, you can execute it from the Falco root directory as follows. diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 5c1e8679..d42394e2 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -220,7 +220,7 @@ ] # The truncated dpkg-preconfigu is intentional, process names are -# truncated at the sysdig level. +# truncated at the falcosecurity-libs level. - list: package_mgmt_binaries items: [rpm_binaries, deb_binaries, update-alternat, gem, pip, pip3, sane-utils.post, alternatives, chef-client, apk, snapd] @@ -1905,7 +1905,7 @@ # For now, only considering a full mount of /etc as # sensitive. Ideally, this would also consider all subdirectories -# below /etc as well, but the globbing mechanism used by sysdig +# below /etc as well, but the globbing mechanism # doesn't allow exclusions of a full pattern, only single characters. - macro: sensitive_mount condition: (container.mount.dest[/proc*] != "N/A" or 
@@ -2953,7 +2953,7 @@ # The two Container Drift rules below will fire when a new executable is created in a container. # There are two ways to create executables - file is created with execution permissions or permissions change of existing file. -# We will use a new sysdig filter, is_open_exec, to find all files creations with execution permission, and will trace all chmods in a container. +# We will use a new filter, is_open_exec, to find all files creations with execution permission, and will trace all chmods in a container. # The use case we are targeting here is an attempt to execute code that was not shipped as part of a container (drift) - # an activity that might be malicious or non-compliant. # Two things to pay attention to: diff --git a/userspace/engine/lua/parser.lua b/userspace/engine/lua/parser.lua index fcae0b01..8814cd80 100644 --- a/userspace/engine/lua/parser.lua +++ b/userspace/engine/lua/parser.lua @@ -18,7 +18,7 @@ Much of the scaffolding and helpers was derived from Andre Murbach Maidl's Lua parser (https://github.com/andremm/lua-parser). - While this is based on the sysdig filtering syntax (*), the Falco syntax is extended to support "macro" terms, which are just identifiers. + While this is based on the falcosecurity-libs filtering syntax (*), the Falco syntax is extended to support "macro" terms, which are just identifiers. (*) There is currently one known difference with the syntax implemented in libsinsp: In libsinsp, field names cannot start with 'a', 'o', or 'n'. With this parser they can. diff --git a/userspace/falco/falco.cpp b/userspace/falco/falco.cpp index 41dccd9f..6fc70e8d 100644 --- a/userspace/falco/falco.cpp +++ b/userspace/falco/falco.cpp @@ -1327,7 +1327,7 @@ int falco_init(int argc, char **argv) if(trace_filename.size()) { - // Try to open the trace file as a sysdig + // Try to open the trace file as a // capture file first. try { inspector->open(trace_filename);
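Review bot: In docker/builder/root/usr/bin/usage, the new text "the directory containing the Falco source as sibling" leaves "as sibling" with nothing to be a sibling of, now that sysdig is gone from the sentence. Either drop the phrase ("the directory containing the Falco source") or name the directory that is expected beside it. While the line is being touched, "ie.," should be "i.e.,".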
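Review bot: In the rules/falco_rules.yaml hunk above the sensitive_mount macro, removing "used by sysdig" leaves "the globbing mechanism" without an owner, so the comment no longer says which component imposes the limit that restricts the macro to a full mount of /etc. The other hunks in this patch substitute falcosecurity-libs for sysdig; doing the same here ("the globbing mechanism used by falcosecurity-libs") would keep the comment informative and consistent, and the now-short line could be re-wrapped with the one below it.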
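Review bot: In the Container Drift comment in rules/falco_rules.yaml, "a new filter, is_open_exec" no longer tells a rule author where the filter is defined, unlike the process-name comment earlier in the same file, which now points at falcosecurity-libs. Consider "a new falcosecurity-libs filter, is_open_exec" for consistency. Since the line is already being edited, "all files creations" should read "all file creations".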
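Review bot: In falco_init() in userspace/falco/falco.cpp, the edited comment now breaks as "// Try to open the trace file as a" followed by "// capture file first.", leaving a dangling fragment on the first line. Join the two into a single comment line. The word "first" together with the try block implies a fallback format, so it would also help to state which capture format inspector->open() is expected to accept here rather than only deleting the old name.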