github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-03-18 18:58:41 +00:00
Code Issues Projects Releases Wiki Activity

Merge branch 'dev' into agent-master

Browse Source
This commit is contained in:
Luca Marturana
2017-03-20 15:45:29 +01:00
parent 800a3f1ea1 18900089f3
commit a25166b7ac
10 changed files with 170 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
CMakeLists.txt
View File

@@ -29,7 +29,9 @@ set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
add_definitions(-DPLATFORM_NAME="${CMAKE_SYSTEM_NAME}")
add_definitions(-DK8S_DISABLE_THREAD)
add_definitions(-DHAS_CAPTURE)
if(CMAKE_SYSTEM_NAME MATCHES "Linux")
add_definitions(-DHAS_CAPTURE)
endif()
if(CMAKE_BUILD_TYPE STREQUAL "Debug")
set(KBUILD_FLAGS "${DRAIOS_DEBUG_FLAGS} ${DRAIOS_FEATURE_FLAGS}")
@@ -46,6 +48,10 @@ set(CMAKE_INSTALL_PREFIX /usr)
set(CMD_MAKE make)
set(SYSDIG_DIR "${PROJECT_SOURCE_DIR}/../sysdig")
# make luaJIT work on OS X
if(APPLE)
set(CMAKE_EXE_LINKER_FLAGS "-pagezero_size 10000 -image_base 100000000")
endif()
include(ExternalProject)
@@ -295,14 +301,18 @@ if(NOT USE_BUNDLED_LPEG)
else()
set(LPEG_SRC "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg")
set(LPEG_LIB "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg/build/lpeg.a")
set(LPEG_DEPENDENCIES "")
if(USE_BUNDLED_LUAJIT)
list(APPEND LPEG_DEPENDENCIES "luajit")
endif()
ExternalProject_Add(lpeg
DEPENDS luajit
DEPENDS ${LPEG_DEPENDENCIES}
URL "http://s3.amazonaws.com/download.draios.com/dependencies/lpeg-1.0.0.tar.gz"
URL_MD5 "0aec64ccd13996202ad0c099e2877ece"
BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
BUILD_IN_SOURCE 1
URL_MD5 "0aec64ccd13996202ad0c099e2877ece"
BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
BUILD_IN_SOURCE 1
CONFIGURE_COMMAND ""
INSTALL_COMMAND "")
INSTALL_COMMAND "")
endif()
#
@@ -332,11 +342,11 @@ else()
set(LIBYAML_LIB "${LIBYAML_SRC}/.libs/libyaml.a")
ExternalProject_Add(libyaml
URL "http://download.draios.com/dependencies/libyaml-0.1.4.tar.gz"
URL_MD5 "4a4bced818da0b9ae7fc8ebc690792a7"
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
URL_MD5 "4a4bced818da0b9ae7fc8ebc690792a7"
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
CONFIGURE_COMMAND ./bootstrap && ./configure
INSTALL_COMMAND "")
INSTALL_COMMAND "")
endif()
#
@@ -357,8 +367,15 @@ if(NOT USE_BUNDLED_LYAML)
else()
set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
set(LYAML_LIB "${LYAML_SRC}/.libs/yaml.a")
set(LYAML_DEPENDENCIES "")
if(USE_BUNDLED_LUAJIT)
list(APPEND LYAML_DEPENDENCIES "luajit")
endif()
if(USE_BUNDLED_LIBYAML)
list(APPEND LYAML_DEPENDENCIES "libyaml")
endif()
ExternalProject_Add(lyaml
DEPENDS libyaml luajit
DEPENDS ${LYAML_DEPENDENCIES}
URL "http://download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
URL_MD5 "dc3494689a0dce7cf44e7a99c72b1f30"
BUILD_COMMAND ${CMD_MAKE}
@@ -370,7 +387,9 @@ endif()
install(FILES falco.yaml
DESTINATION "${FALCO_ETC_DIR}")
add_subdirectory("${SYSDIG_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
if(CMAKE_SYSTEM_NAME MATCHES "Linux")
add_subdirectory("${SYSDIG_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
endif()
add_subdirectory("${SYSDIG_DIR}/userspace/libscap" "${PROJECT_BINARY_DIR}/userspace/libscap")
add_subdirectory("${SYSDIG_DIR}/userspace/libsinsp" "${PROJECT_BINARY_DIR}/userspace/libsinsp")

5
examples/k8s-using-daemonset/README.md Normal file
View File

@@ -0,0 +1,5 @@
=Example K8s Services for Falco=
The yaml file in this directory installs the following:
- Open Source Falco, as a DaemonSet. Falco is configured to communicate with the K8s API server via its service account, and changes its output to be K8s-friendly. It also sends to a slack webhook for the `#demo-falco-alerts` channel on our [public slack](https://sysdig.slack.com/messages/demo-falco-alerts/).
- The [Falco Event Generator](https://github.com/draios/falco/wiki/Generating-Sample-Events), as a deployment that ensures it runs on exactly 1 node.

59
examples/k8s-using-daemonset/falco-daemonset.yaml Normal file
View File

@@ -0,0 +1,59 @@
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: falco
labels:
name: falco-daemonset
app: demo
spec:
template:
metadata:
labels:
name: falco
app: demo
role: security
spec:
containers:
- name: falco
image: sysdig/falco:latest
securityContext:
privileged: true
command: [ "/usr/bin/falco", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes", "-pk", "-o", "json_output=true", "-o", "program_output.enabled=true", "-o", "program_output.program=jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/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"]
volumeMounts:
- mountPath: /host/var/run/docker.sock
name: docker-socket
readOnly: true
- mountPath: /host/dev
name: dev-fs
readOnly: true
- mountPath: /host/proc
name: proc-fs
readOnly: true
- mountPath: /host/boot
name: boot-fs
readOnly: true
- mountPath: /host/lib/modules
name: lib-modules
readOnly: true
- mountPath: /host/usr
name: usr-fs
readOnly: true
volumes:
- name: docker-socket
hostPath:
path: /var/run/docker.sock
- name: dev-fs
hostPath:
path: /dev
- name: proc-fs
hostPath:
path: /proc
- name: boot-fs
hostPath:
path: /boot
- name: lib-modules
hostPath:
path: /lib/modules
- name: usr-fs
hostPath:
path: /usr

17
examples/k8s-using-daemonset/falco-event-generator-deployment.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: falco-event-generator-deployment
labels:
name: falco-event-generator-deployment
app: demo
spec:
replicas: 1
template:
metadata:
labels:
app: falco-event-generator
spec:
containers:
- name: falco-event-generator
image: sysdig/falco-event-generator:latest

14
rules/falco_rules.yaml
View File

@@ -76,7 +76,7 @@
# dpkg -L login | grep bin | xargs ls -ld | grep -v '^d' | awk '{print $9}' | xargs -L 1 basename | tr "\\n" ","
- list: login_binaries
items: [login, systemd, systemd-logind, su, nologin, faillog, lastlog, newgrp, sg]
items: [login, systemd, '"(systemd)"', systemd-logind, su, nologin, faillog, lastlog, newgrp, sg]
# dpkg -L passwd | grep bin | xargs ls -ld | grep -v '^d' | awk '{print $9}' | xargs -L 1 basename | tr "\\n" ","
- list: passwd_binaries
@@ -113,6 +113,9 @@
- list: db_server_binaries
items: [mysqld]
- list: gitlab_binaries
items: [gitlab-shell, git]
- macro: server_procs
condition: proc.name in (http_server_binaries, db_server_binaries, docker_binaries, sshd)
@@ -256,7 +259,7 @@
package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries,
ldconfig.real, ldconfig, confd, gpg, insserv,
apparmor_parser, update-mime, tzdata.config, tzdata.postinst,
systemd-machine, debconf-show, rollerd, bind9.postinst)
systemd-machine, debconf-show, rollerd, bind9.postinst, sv)
and not proc.pname in (sysdigcloud_binaries)
and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java)
and not ansible_running_python
@@ -365,7 +368,7 @@
logrotate, ansible, less, adduser, pycompile, py3compile,
pyclean, py3clean, pip, pip2, ansible-playboo, man-db,
init, pluto, mkinitramfs, unattended-upgr, watch, sysdig,
landscape-sysin, nessusd, PM2, syslog-summary
landscape-sysin, nessusd, PM2, syslog-summary, erl_child_setup
]
- rule: Run shell untrusted
@@ -430,7 +433,7 @@
and shell_procs
and proc.pname exists
and not proc.pname in (shell_binaries, docker_binaries, k8s_binaries, lxd_binaries, aide_wrapper_binaries, nids_binaries,
monitoring_binaries, initdb, pg_ctl, awk, apache2, falco, cron)
monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, apache2, falco, cron, erl_child_setup)
and not trusted_containers
output: "Shell spawned in a container other than entrypoint (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
priority: WARNING
@@ -469,7 +472,7 @@
tags: [host, users]
- list: allowed_dev_files
items: [/dev/null, /dev/stdin, /dev/stdout, /dev/stderr, /dev/tty, /dev/random, /dev/urandom, /dev/console]
items: [/dev/null, /dev/stdin, /dev/stdout, /dev/stderr, /dev/random, /dev/urandom, /dev/console]
# (we may need to add additional checks against false positives, see: https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153)
- rule: Create files below dev
@@ -479,6 +482,7 @@
(evt.type = creat or (evt.type = open and evt.arg.flags contains O_CREAT))
and not proc.name in (dev_creation_binaries)
and not fd.name in (allowed_dev_files)
and not fd.name startswith /dev/tty
output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name)"
priority: WARNING
tags: [filesystem]

4
userspace/engine/falco_common.cpp
View File

@@ -24,6 +24,10 @@ along with falco. If not, see <http://www.gnu.org/licenses/>.
falco_common::falco_common()
{
m_ls = lua_open();
if(!m_ls)
{
throw falco_exception("Cannot open lua");
}
luaL_openlibs(m_ls);
}

37
userspace/engine/formats.cpp
View File

@@ -24,12 +24,14 @@ along with falco. If not, see <http://www.gnu.org/licenses/>.
sinsp* falco_formats::s_inspector = NULL;
bool s_json_output = false;
bool falco_formats::s_json_output = false;
sinsp_evt_formatter_cache *falco_formats::s_formatters = NULL;
const static struct luaL_reg ll_falco [] =
{
{"formatter", &falco_formats::formatter},
{"free_formatter", &falco_formats::free_formatter},
{"free_formatters", &falco_formats::free_formatters},
{"format_event", &falco_formats::format_event},
{NULL,NULL}
};
@@ -38,6 +40,10 @@ void falco_formats::init(sinsp* inspector, lua_State *ls, bool json_output)
{
s_inspector = inspector;
s_json_output = json_output;
if(!s_formatters)
{
s_formatters = new sinsp_evt_formatter_cache(s_inspector);
}
luaL_openlib(ls, "formats", ll_falco, 0);
}
@@ -73,22 +79,43 @@ int falco_formats::free_formatter(lua_State *ls)
return 0;
}
int falco_formats::free_formatters(lua_State *ls)
{
if(s_formatters)
{
delete(s_formatters);
s_formatters = NULL;
}
return 0;
}
int falco_formats::format_event (lua_State *ls)
{
string line;
if (!lua_islightuserdata(ls, -1) ||
if (!lua_isstring(ls, -1) ||
!lua_isstring(ls, -2) ||
!lua_isstring(ls, -3) ||
!lua_islightuserdata(ls, -4)) {
throw falco_exception("Invalid arguments passed to format_event()\n");
lua_pushstring(ls, "Invalid arguments passed to format_event()");
lua_error(ls);
}
sinsp_evt* evt = (sinsp_evt*)lua_topointer(ls, 1);
const char *rule = (char *) lua_tostring(ls, 2);
const char *level = (char *) lua_tostring(ls, 3);
sinsp_evt_formatter* formatter = (sinsp_evt_formatter*)lua_topointer(ls, 4);
const char *format = (char *) lua_tostring(ls, 4);
formatter->tostring(evt, &line);
string sformat = format;
try {
s_formatters->tostring(evt, sformat, &line);
}
catch (sinsp_exception& e)
{
string err = "Invalid output format '" + sformat + "': '" + string(e.what()) + "'";
lua_pushstring(ls, err.c_str());
lua_error(ls);
}
// For JSON output, the formatter returned just the output
// string containing the format text and values. Use this to

5
userspace/engine/formats.h
View File

@@ -39,8 +39,13 @@ class falco_formats
// falco.free_formatter(formatter)
static int free_formatter(lua_State *ls);
// falco.free_formatters()
static int free_formatters(lua_State *ls);
// formatted_string = falco.format_event(evt, formatter)
static int format_event(lua_State *ls);
static sinsp* s_inspector;
static sinsp_evt_formatter_cache *s_formatters;
static bool s_json_output;
};

9
userspace/engine/rules.cpp
View File

@@ -49,7 +49,8 @@ int falco_rules::clear_filters(lua_State *ls)
{
if (! lua_islightuserdata(ls, -1))
{
throw falco_exception("Invalid arguments passed to clear_filters()\n");
lua_pushstring(ls, "Invalid arguments passed to clear_filters()");
lua_error(ls);
}
falco_rules *rules = (falco_rules *) lua_topointer(ls, -1);
@@ -70,7 +71,8 @@ int falco_rules::add_filter(lua_State *ls)
! lua_istable(ls, -2) ||
! lua_istable(ls, -1))
{
throw falco_exception("Invalid arguments passed to add_filter()\n");
lua_pushstring(ls, "Invalid arguments passed to add_filter()");
lua_error(ls);
}
falco_rules *rules = (falco_rules *) lua_topointer(ls, -4);
@@ -122,7 +124,8 @@ int falco_rules::enable_rule(lua_State *ls)
! lua_isstring(ls, -2) ||
! lua_isnumber(ls, -1))
{
throw falco_exception("Invalid arguments passed to enable_rule()\n");
lua_pushstring(ls, "Invalid arguments passed to enable_rule()");
lua_error(ls);
}
falco_rules *rules = (falco_rules *) lua_topointer(ls, -3);

16
userspace/falco/lua/output.lua
View File

@@ -24,8 +24,6 @@ mod.levels = levels
local outputs = {}
local formatters = {}
function mod.stdout(level, msg)
print (msg)
end
@@ -84,14 +82,8 @@ function output_event(event, rule, priority, format)
end
format = "*%evt.time: "..levels[level+1].." "..format
if formatters[rule] == nil then
formatter = formats.formatter(format)
formatters[rule] = formatter
else
formatter = formatters[rule]
end
msg = formats.format_event(event, rule, levels[level+1], formatter)
msg = formats.format_event(event, rule, levels[level+1], format)
for index,o in ipairs(outputs) do
o.output(level, msg, o.config)
@@ -99,11 +91,7 @@ function output_event(event, rule, priority, format)
end
function output_cleanup()
for rule, formatter in pairs(formatters) do
formats.free_formatter(formatter)
end
formatters = {}
formats.free_formatters()
end
function add_output(output_name, config)