Henri DF
2016-04-28 02:57:50 +00:00
parent 8b5fcf866a
commit abe6220651
28 changed files with 43 additions and 38 deletions


@@ -1,9 +1,9 @@
cmake_minimum_required(VERSION 2.8.2) cmake_minimum_required(VERSION 2.8.2)
project(digwatch) project(falco)
if(NOT DEFINED DIGWATCH_VERSION) if(NOT DEFINED FALCO_VERSION)
set(DIGWATCH_VERSION "0.1.1dev") set(FALCO_VERSION "0.1.1dev")
endif() endif()
if(NOT DEFINED DIR_ETC) if(NOT DEFINED DIR_ETC)
@@ -31,8 +31,8 @@ else()
set(KBUILD_FLAGS "${DRAIOS_FEATURE_FLAGS}") set(KBUILD_FLAGS "${DRAIOS_FEATURE_FLAGS}")
endif() endif()
set(PACKAGE_NAME "digwatch") set(PACKAGE_NAME "falco")
set(PROBE_VERSION "${DIGWATCH_VERSION}") set(PROBE_VERSION "${FALCO_VERSION}")
set(PROBE_NAME "sysdig-probe") set(PROBE_NAME "sysdig-probe")
set(PROBE_DEVICE_NAME "sysdig") set(PROBE_DEVICE_NAME "sysdig")
@@ -152,21 +152,21 @@ ExternalProject_Add(lpeg
CONFIGURE_COMMAND "" CONFIGURE_COMMAND ""
INSTALL_COMMAND "") INSTALL_COMMAND "")
install(FILES digwatch.yaml install(FILES falco.yaml
DESTINATION "${DIR_ETC}") DESTINATION "${DIR_ETC}")
add_subdirectory(${SYSDIG_DIR}/userspace/libscap ${PROJECT_BINARY_DIR}/userspace/libscap) add_subdirectory(${SYSDIG_DIR}/userspace/libscap ${PROJECT_BINARY_DIR}/userspace/libscap)
add_subdirectory(${SYSDIG_DIR}/userspace/libsinsp ${PROJECT_BINARY_DIR}/userspace/libsinsp) add_subdirectory(${SYSDIG_DIR}/userspace/libsinsp ${PROJECT_BINARY_DIR}/userspace/libsinsp)
add_subdirectory(rules) add_subdirectory(rules)
add_subdirectory(userspace/digwatch) add_subdirectory(userspace/falco)
set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}") set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}")
set(CPACK_PACKAGE_VENDOR "Sysdig Inc.") set(CPACK_PACKAGE_VENDOR "Sysdig Inc.")
set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "digwatch, a system-level activity monitoring tool") set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "falco, a system-level activity monitoring tool")
set(CPACK_PACKAGE_DESCRIPTION_FILE "${PROJECT_SOURCE_DIR}/scripts/description.txt") set(CPACK_PACKAGE_DESCRIPTION_FILE "${PROJECT_SOURCE_DIR}/scripts/description.txt")
set(CPACK_PACKAGE_VERSION "${DIGWATCH_VERSION}") set(CPACK_PACKAGE_VERSION "${FALCO_VERSION}")
set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}") set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}")
set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/CMakeCPackOptions.cmake") set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/CMakeCPackOptions.cmake")
set(CPACK_STRIP_FILES "ON") set(CPACK_STRIP_FILES "ON")


@@ -1,18 +1,18 @@
# Digwatch: Host Activity Monitoring with Sysdig Filters # Sysdig Falco: Host Activity Monitoring with Sysdig Filters
## Overview ## Overview
Brief description of what, why, how, and pointer to website. Brief description of what, why, how, and pointer to website.
### What kind of events can digwatch detect? ### What kind of events can falco detect?
## Installing Digwatch ## Installing Falco
Installation instructions. Installation instructions.
## Configuring Digwatch ## Configuring Falco
Digwatch is primarily configured via two files: a configuration file (such as the `digwatch.yaml` in this repository) and a rules file (such as the `digwatch_rules.conf` file in `rules/`). These two files are written to `/etc` after you install the Digwatch package. Digwatch is primarily configured via two files: a configuration file (such as the `falco.yaml` in this repository) and a rules file (such as the `digwatch_rules.conf` file in `rules/`). These two files are written to `/etc` after you install the Falco package.
### Rules file ### Rules file
Explain the rules file syntax Explain the rules file syntax
@@ -21,17 +21,17 @@ Explain the rules file syntax
Explain the config file contents and syntax Explain the config file contents and syntax
## Running Digwatch ## Running Falco
Digwatch is intended to be run as a service. But for experimentation and designing/testing rulesets, you will likely want to run it manually from the command-line. Digwatch is intended to be run as a service. But for experimentation and designing/testing rulesets, you will likely want to run it manually from the command-line.
### Running Digwatch as a service ### Running Falco as a service
Instructions for Centos and Ubuntu. Instructions for Centos and Ubuntu.
### Running Digwatch manually ### Running Falco manually
## Building Digwatch ## Building Falco
### Building ### Building
Clone this repo in a directory that also contains the sysdig source repo. The result should be something like: Clone this repo in a directory that also contains the sysdig source repo. The result should be something like:
@@ -43,7 +43,7 @@ $ pwd
22:50 vagrant@vagrant-ubuntu-trusty-64:/sysdig 22:50 vagrant@vagrant-ubuntu-trusty-64:/sysdig
$ ls -l $ ls -l
total 20 total 20
drwxr-xr-x 1 vagrant vagrant 238 Feb 21 21:44 digwatch drwxr-xr-x 1 vagrant vagrant 238 Feb 21 21:44 falco
drwxr-xr-x 1 vagrant vagrant 646 Feb 21 17:41 sysdig drwxr-xr-x 1 vagrant vagrant 646 Feb 21 17:41 sysdig
``` ```
@@ -56,18 +56,18 @@ $ cmake ..
$ make $ make
``` ```
as a result, you should have a digwatch executable in `build/userspace/digwatch/digwatch`. as a result, you should have a falco executable in `build/userspace/falco/falco`.
### Running locally-built sysdig ### Running locally-built sysdig
Assuming you are in the `build` dir, you can run digwatch as: Assuming you are in the `build` dir, you can run falco as:
`$ sudo ./userspace/digwatch/digwatch -c ../digwatch.yaml -r ../rules/digwatch_rules.conf` `$ sudo ./userspace/falco/falco -c ../falco.yaml -r ../rules/falco_rules.conf`
Or instead you can try using some of the simpler rules files in `rules`. Or to get started, try creating a file with this: Or instead you can try using some of the simpler rules files in `rules`. Or to get started, try creating a file with this:
Create a file with some [digwatch rules](Rule-syntax-and-design). For example: Create a file with some [falco rules](Rule-syntax-and-design). For example:
``` ```
write: (syscall.type=write and fd.typechar=f) or syscall.type=mkdir or syscall.type=creat or syscall.type=rename write: (syscall.type=write and fd.typechar=f) or syscall.type=mkdir or syscall.type=creat or syscall.type=rename
interactive: proc.pname = bash or proc.pname = sshd interactive: proc.pname = bash or proc.pname = sshd


@@ -1,3 +1,3 @@
install(FILES digwatch_rules.conf install(FILES falco_rules.conf
DESTINATION "${DIR_ETC}") DESTINATION "${DIR_ETC}")


@@ -229,14 +229,19 @@ user.name = kafka and inbound and fd.sport != 9092 | WARNING Unexpected Kafka in
# Memcached ports # Memcached ports
user.name = memcached and inbound and fd.sport != 11211 | WARNING Unexpected Memcached inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) user.name = memcached and inbound and fd.sport != 11211 | WARNING Unexpected Memcached inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = memcached and outbound | WARNING Unexpected Memcached outbound connection (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# MongoDB ports # MongoDB ports
mongodb_server_port: fd.sport = 27017 mongodb_server_port: fd.sport = 27017
mongodb_shardserver_port: fd.sport = 27018 mongodb_shardserver_port: fd.sport = 27018
mongodb_configserver_port: fd.sport = 27019 mongodb_configserver_port: fd.sport = 27019
mongodb_webserver_port: fd.sport = 28017 mongodb_webserver_port: fd.sport = 28017
user.name = mongodb and inbound and not (mongodb_server_port or mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port) | WARNING Unexpected MongoDB inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = mongodb and inbound and not (mongodb_server_port or mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port) | WARNING Unexpected MongoDF inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# MySQL ports # MySQL ports
user.name = mysql and inbound and fd.sport != 3306 | WARNING Unexpected MySQL inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) user.name = mysql and inbound and fd.sport != 3306 | WARNING Unexpected MySQL inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# HTTP server
http_server: proc.name in (nginx, httpd, lighttpd)
http_server and inbound and fd.sport != 80 and fd.sport != 443 | WARNING Unexpected HTTP server inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
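Review bot: The rewritten MongoDB rule's alert text now reads `Unexpected MongoDF inbound port` while the line it replaces says `MongoDB`; this looks like an accidental keystroke while touching the line, and since these strings are what operators grep for in syslog, the typo will silently break any alerting keyed on the old message — it should stay `| WARNING Unexpected MongoDB inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)`. The new http_server rule fires for any nginx/httpd/lighttpd inbound port other than 80 or 443, which will alert continuously on hosts that deliberately serve on 8080 or the like, so a comment such as `# Adjust the expected ports below to match your deployment` would help whoever installs this file as-is into /etc. The memcached outbound line appears only once in this rendering, so I cannot tell from here whether it is being added or removed.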


@@ -7,7 +7,7 @@ gcc -O2 -fPIC -I$LUA_INCLUDE -c lptree.c -o lptree.o
gcc -O2 -fPIC -I$LUA_INCLUDE -c lpvm.c -o lpvm.o gcc -O2 -fPIC -I$LUA_INCLUDE -c lpvm.c -o lpvm.o
# For building lpeg.so, which we don't need now that we're statically linking lpeg.a into digwatch # For building lpeg.so, which we don't need now that we're statically linking lpeg.a into falco
#gcc -shared -o lpeg.so -L/usr/local/lib lpcap.o lpcode.o lpprint.o lptree.o lpvm.o #gcc -shared -o lpeg.so -L/usr/local/lib lpcap.o lpcode.o lpprint.o lptree.o lpvm.o
#gcc -shared -o lpeg.so -L/usr/local/lib lpcap.o lpcode.o lpprint.o lptree.o lpvm.o #gcc -shared -o lpeg.so -L/usr/local/lib lpcap.o lpcode.o lpprint.o lptree.o lpvm.o


@@ -1,3 +1,3 @@
Digwatch instruments your physical and virtual machines at the OS level by installing into the Linux kernel and capturing system calls and other OS events. Sysdig Falco instruments your physical and virtual machines at the OS level by installing into the Linux kernel and capturing system calls and other OS events.
Then, using a rule-based configuration, you can specify filters for events of interest that you would like to log or be notified of. Then, using a rule-based configuration, you can specify filters for events of interest that you would like to log or be notified of.


@@ -3,16 +3,16 @@ include_directories("${LUAJIT_INCLUDE}")
include_directories(${PROJECT_SOURCE_DIR}/../sysdig/userspace/libscap) include_directories(${PROJECT_SOURCE_DIR}/../sysdig/userspace/libscap)
include_directories(${PROJECT_SOURCE_DIR}/../sysdig/userspace/libsinsp) include_directories(${PROJECT_SOURCE_DIR}/../sysdig/userspace/libsinsp)
include_directories("${PROJECT_BINARY_DIR}/userspace/digwatch") include_directories("${PROJECT_BINARY_DIR}/userspace/falco")
include_directories("${CURL_INCLUDE_DIR}") include_directories("${CURL_INCLUDE_DIR}")
include_directories("${YAMLCPP_INCLUDE_DIR}") include_directories("${YAMLCPP_INCLUDE_DIR}")
include_directories("${LPEG_SRC}") include_directories("${LPEG_SRC}")
include_directories(${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include) include_directories(${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include)
add_executable(digwatch configuration.cpp formats.cpp fields.cpp rules.cpp logger.cpp digwatch.cpp) add_executable(falco configuration.cpp formats.cpp fields.cpp rules.cpp logger.cpp falco.cpp)
target_link_libraries(digwatch sinsp) target_link_libraries(falco sinsp)
target_link_libraries(digwatch target_link_libraries(falco
"${LPEG_SRC}/lpeg.a" "${LPEG_SRC}/lpeg.a"
"${YAMLCPP_LIB}") "${YAMLCPP_LIB}")
@@ -20,7 +20,7 @@ target_link_libraries(digwatch
set(DIGWATCH_LUA_MAIN "rule_loader.lua") set(DIGWATCH_LUA_MAIN "rule_loader.lua")
configure_file(config_digwatch.h.in config_digwatch.h) configure_file(config_digwatch.h.in config_digwatch.h)
install(TARGETS digwatch DESTINATION bin) install(TARGETS falco DESTINATION bin)
install(FILES lua/compiler.lua install(FILES lua/compiler.lua
DESTINATION share/digwatch/lua) DESTINATION share/digwatch/lua)
install(FILES lua/rule_loader.lua install(FILES lua/rule_loader.lua


@@ -36,13 +36,13 @@ std::vector<string> valid_output_names {"stdout", "syslog"};
static void usage() static void usage()
{ {
printf( printf(
"Usage: digwatch [options] rules_filename\n\n" "Usage: falco [options] rules_filename\n\n"
"Options:\n" "Options:\n"
" -h, --help Print this page\n" " -h, --help Print this page\n"
" -c Configuration file (default " DIGWATCH_SOURCE_CONF_FILE ", " DIGWATCH_INSTALL_CONF_FILE ")\n" " -c Configuration file (default " DIGWATCH_SOURCE_CONF_FILE ", " DIGWATCH_INSTALL_CONF_FILE ")\n"
" -o Output type (options are 'stdout', 'syslog', default is 'stdout')\n" " -o Output type (options are 'stdout', 'syslog', default is 'stdout')\n"
" -e <events_file> Read the events from <events_file> (in .scap format) instead of tapping into live.\n" " -e <events_file> Read the events from <events_file> (in .scap format) instead of tapping into live.\n"
" -r <rules_file> Rules file (defaults to value set in configuration file, or /etc/digwatch_rules.conf).\n" " -r <rules_file> Rules file (defaults to value set in configuration file, or /etc/falco_rules.conf).\n"
"\n" "\n"
); );
} }
@@ -285,12 +285,12 @@ int digwatch_init(int argc, char **argv)
{ {
config.init(conf_filename); config.init(conf_filename);
// log after config init because config determines where logs go // log after config init because config determines where logs go
digwatch_logger::log(LOG_INFO, "Digwatch initialized with configuration file " + conf_filename + "\n"); digwatch_logger::log(LOG_INFO, "Falco initialized with configuration file " + conf_filename + "\n");
} }
else else
{ {
config.init(); config.init();
digwatch_logger::log(LOG_INFO, "Digwatch initialized. No configuration file found, proceeding with defaults\n"); digwatch_logger::log(LOG_INFO, "Falco initialized. No configuration file found, proceeding with defaults\n");
} }
if (rules_filename.size()) if (rules_filename.size())
@@ -305,7 +305,7 @@ int digwatch_init(int argc, char **argv)
lua_main_filename = lua_dir + DIGWATCH_LUA_MAIN; lua_main_filename = lua_dir + DIGWATCH_LUA_MAIN;
if (!std::ifstream(lua_main_filename)) if (!std::ifstream(lua_main_filename))
{ {
digwatch_logger::log(LOG_ERR, "Could not find Digwatch Lua libraries (tried " + digwatch_logger::log(LOG_ERR, "Could not find Falco Lua libraries (tried " +
string(DIGWATCH_LUA_DIR DIGWATCH_LUA_MAIN) + ", " + string(DIGWATCH_LUA_DIR DIGWATCH_LUA_MAIN) + ", " +
lua_main_filename + "). Exiting \n"); lua_main_filename + "). Exiting \n");
result = EXIT_FAILURE; result = EXIT_FAILURE;