	Renaming
		| @@ -1,9 +1,9 @@ | |||||||
| cmake_minimum_required(VERSION 2.8.2) | cmake_minimum_required(VERSION 2.8.2) | ||||||
|  |  | ||||||
| project(digwatch) | project(falco) | ||||||
|  |  | ||||||
| if(NOT DEFINED DIGWATCH_VERSION) | if(NOT DEFINED FALCO_VERSION) | ||||||
| 	set(DIGWATCH_VERSION "0.1.1dev") | 	set(FALCO_VERSION "0.1.1dev") | ||||||
| endif() | endif() | ||||||
|  |  | ||||||
| if(NOT DEFINED DIR_ETC) | if(NOT DEFINED DIR_ETC) | ||||||
| @@ -31,8 +31,8 @@ else() | |||||||
| 	set(KBUILD_FLAGS "${DRAIOS_FEATURE_FLAGS}") | 	set(KBUILD_FLAGS "${DRAIOS_FEATURE_FLAGS}") | ||||||
| endif() | endif() | ||||||
|  |  | ||||||
| set(PACKAGE_NAME "digwatch") | set(PACKAGE_NAME "falco") | ||||||
| set(PROBE_VERSION "${DIGWATCH_VERSION}") | set(PROBE_VERSION "${FALCO_VERSION}") | ||||||
| set(PROBE_NAME "sysdig-probe") | set(PROBE_NAME "sysdig-probe") | ||||||
| set(PROBE_DEVICE_NAME "sysdig") | set(PROBE_DEVICE_NAME "sysdig") | ||||||
|  |  | ||||||
| @@ -152,21 +152,21 @@ ExternalProject_Add(lpeg | |||||||
| 		    CONFIGURE_COMMAND "" | 		    CONFIGURE_COMMAND "" | ||||||
|                     INSTALL_COMMAND "") |                     INSTALL_COMMAND "") | ||||||
|  |  | ||||||
| install(FILES digwatch.yaml | install(FILES falco.yaml | ||||||
| 	DESTINATION "${DIR_ETC}") | 	DESTINATION "${DIR_ETC}") | ||||||
|  |  | ||||||
| add_subdirectory(${SYSDIG_DIR}/userspace/libscap ${PROJECT_BINARY_DIR}/userspace/libscap) | add_subdirectory(${SYSDIG_DIR}/userspace/libscap ${PROJECT_BINARY_DIR}/userspace/libscap) | ||||||
| add_subdirectory(${SYSDIG_DIR}/userspace/libsinsp ${PROJECT_BINARY_DIR}/userspace/libsinsp) | add_subdirectory(${SYSDIG_DIR}/userspace/libsinsp ${PROJECT_BINARY_DIR}/userspace/libsinsp) | ||||||
|  |  | ||||||
| add_subdirectory(rules) | add_subdirectory(rules) | ||||||
| add_subdirectory(userspace/digwatch) | add_subdirectory(userspace/falco) | ||||||
|  |  | ||||||
|  |  | ||||||
| set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}") | set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}") | ||||||
| set(CPACK_PACKAGE_VENDOR "Sysdig Inc.") | set(CPACK_PACKAGE_VENDOR "Sysdig Inc.") | ||||||
| set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "digwatch, a system-level activity monitoring tool") | set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "falco, a system-level activity monitoring tool") | ||||||
| set(CPACK_PACKAGE_DESCRIPTION_FILE "${PROJECT_SOURCE_DIR}/scripts/description.txt") | set(CPACK_PACKAGE_DESCRIPTION_FILE "${PROJECT_SOURCE_DIR}/scripts/description.txt") | ||||||
| set(CPACK_PACKAGE_VERSION "${DIGWATCH_VERSION}") | set(CPACK_PACKAGE_VERSION "${FALCO_VERSION}") | ||||||
| set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}") | set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}") | ||||||
| set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/CMakeCPackOptions.cmake") | set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/CMakeCPackOptions.cmake") | ||||||
| set(CPACK_STRIP_FILES "ON") | set(CPACK_STRIP_FILES "ON") | ||||||
|   | |||||||
							
								
								
									
										28
									
								
								README.md
									
									
									
									
									
								
							| @@ -1,18 +1,18 @@ | |||||||
| # Digwatch: Host Activity Monitoring with Sysdig Filters | # Sysdig Falco: Host Activity Monitoring with Sysdig Filters | ||||||
|  |  | ||||||
| ## Overview | ## Overview | ||||||
| Brief description of what, why, how, and pointer to website. | Brief description of what, why, how, and pointer to website. | ||||||
|  |  | ||||||
| ### What kind of events can digwatch detect? | ### What kind of events can falco detect? | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| ## Installing Digwatch | ## Installing Falco | ||||||
| Installation instructions. | Installation instructions. | ||||||
|  |  | ||||||
| ## Configuring Digwatch | ## Configuring Falco | ||||||
|  |  | ||||||
| Digwatch is primarily configured via two files: a configuration file (such as the `digwatch.yaml` in this repository) and a rules file (such as the `digwatch_rules.conf` file in `rules/`). These two files are written to `/etc` after you install the Digwatch package. | Digwatch is primarily configured via two files: a configuration file (such as the `falco.yaml` in this repository) and a rules file (such as the `digwatch_rules.conf` file in `rules/`). These two files are written to `/etc` after you install the Falco package. | ||||||
|  |  | ||||||
| ### Rules file | ### Rules file | ||||||
| Explain the rules file syntax | Explain the rules file syntax | ||||||
| @@ -21,17 +21,17 @@ Explain the rules file syntax | |||||||
| Explain the config file contents and syntax | Explain the config file contents and syntax | ||||||
|  |  | ||||||
|  |  | ||||||
| ## Running Digwatch | ## Running Falco | ||||||
|  |  | ||||||
| Digwatch is intended to be run as a service. But for experimentation and designing/testing rulesets, you will likely want to run it manually from the command-line. | Digwatch is intended to be run as a service. But for experimentation and designing/testing rulesets, you will likely want to run it manually from the command-line. | ||||||
|  |  | ||||||
| ### Running Digwatch as a service | ### Running Falco as a service | ||||||
| Instructions for Centos and Ubuntu. | Instructions for Centos and Ubuntu. | ||||||
|  |  | ||||||
| ### Running Digwatch manually | ### Running Falco manually | ||||||
|  |  | ||||||
|  |  | ||||||
| ## Building Digwatch | ## Building Falco | ||||||
|  |  | ||||||
| ### Building | ### Building | ||||||
| Clone this repo in a directory that also contains the sysdig source repo. The result should be something like: | Clone this repo in a directory that also contains the sysdig source repo. The result should be something like: | ||||||
| @@ -43,7 +43,7 @@ $ pwd | |||||||
| 22:50 vagrant@vagrant-ubuntu-trusty-64:/sysdig | 22:50 vagrant@vagrant-ubuntu-trusty-64:/sysdig | ||||||
| $ ls -l | $ ls -l | ||||||
| total 20 | total 20 | ||||||
| drwxr-xr-x  1 vagrant vagrant  238 Feb 21 21:44 digwatch | drwxr-xr-x  1 vagrant vagrant  238 Feb 21 21:44 falco | ||||||
| drwxr-xr-x  1 vagrant vagrant  646 Feb 21 17:41 sysdig | drwxr-xr-x  1 vagrant vagrant  646 Feb 21 17:41 sysdig | ||||||
| ``` | ``` | ||||||
|  |  | ||||||
| @@ -56,18 +56,18 @@ $ cmake .. | |||||||
| $ make | $ make | ||||||
| ``` | ``` | ||||||
|  |  | ||||||
| as a result, you should have a digwatch executable in `build/userspace/digwatch/digwatch`. | as a result, you should have a falco executable in `build/userspace/falco/falco`. | ||||||
|  |  | ||||||
|  |  | ||||||
| ### Running locally-built sysdig | ### Running locally-built sysdig | ||||||
|  |  | ||||||
| Assuming you are in the `build` dir, you can run digwatch as: | Assuming you are in the `build` dir, you can run falco as: | ||||||
|  |  | ||||||
| `$ sudo ./userspace/digwatch/digwatch -c ../digwatch.yaml -r ../rules/digwatch_rules.conf` | `$ sudo ./userspace/falco/falco -c ../falco.yaml -r ../rules/falco_rules.conf` | ||||||
|  |  | ||||||
| Or instead you can try using some of the simpler rules files in `rules`. Or to get started, try creating a file with this: | Or instead you can try using some of the simpler rules files in `rules`. Or to get started, try creating a file with this: | ||||||
|  |  | ||||||
| Create a file with some [digwatch rules](Rule-syntax-and-design). For example: | Create a file with some [falco rules](Rule-syntax-and-design). For example: | ||||||
| ``` | ``` | ||||||
| write: (syscall.type=write and fd.typechar=f) or syscall.type=mkdir or syscall.type=creat or syscall.type=rename | write: (syscall.type=write and fd.typechar=f) or syscall.type=mkdir or syscall.type=creat or syscall.type=rename | ||||||
| interactive: proc.pname = bash or proc.pname = sshd | interactive: proc.pname = bash or proc.pname = sshd | ||||||
|   | |||||||
| @@ -1,3 +1,3 @@ | |||||||
| install(FILES digwatch_rules.conf | install(FILES falco_rules.conf | ||||||
| 	DESTINATION "${DIR_ETC}") | 	DESTINATION "${DIR_ETC}") | ||||||
|  |  | ||||||
|   | |||||||
| @@ -229,14 +229,19 @@ user.name = kafka and inbound and fd.sport != 9092 | WARNING Unexpected Kafka in | |||||||
| 
 | 
 | ||||||
| # Memcached ports | # Memcached ports | ||||||
| user.name = memcached and inbound and fd.sport != 11211 | WARNING Unexpected Memcached inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) | user.name = memcached and inbound and fd.sport != 11211 | WARNING Unexpected Memcached inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) | ||||||
|  | user.name = memcached and outbound | WARNING Unexpected Memcached outbound connection (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) | ||||||
|  | 
 | ||||||
| 
 | 
 | ||||||
| # MongoDB ports | # MongoDB ports | ||||||
| mongodb_server_port: fd.sport = 27017 | mongodb_server_port: fd.sport = 27017 | ||||||
| mongodb_shardserver_port: fd.sport = 27018 | mongodb_shardserver_port: fd.sport = 27018 | ||||||
| mongodb_configserver_port: fd.sport = 27019 | mongodb_configserver_port: fd.sport = 27019 | ||||||
| mongodb_webserver_port: fd.sport = 28017 | mongodb_webserver_port: fd.sport = 28017 | ||||||
| 
 | user.name = mongodb and inbound and not (mongodb_server_port or mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port) | WARNING Unexpected MongoDB inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) | ||||||
| user.name = mongodb and inbound and not (mongodb_server_port or mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port) | WARNING Unexpected MongoDF inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) |  | ||||||
| 
 | 
 | ||||||
| # MySQL ports | # MySQL ports | ||||||
| user.name = mysql and inbound and fd.sport != 3306 | WARNING Unexpected MySQL inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) | user.name = mysql and inbound and fd.sport != 3306 | WARNING Unexpected MySQL inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) | ||||||
|  | 
 | ||||||
|  | # HTTP server | ||||||
|  | http_server: proc.name in (nginx, httpd, lighttpd) | ||||||
|  | http_server and inbound and fd.sport != 80 and fd.sport != 443 | WARNING Unexpected HTTP server inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) | ||||||
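Review bot: The new `http_server` rule on the last two lines of this hunk keys only on `proc.name`, while every neighbouring rule in the hunk (memcached, mongodb, mysql) anchors on `user.name`; a process name is chosen by whoever starts the process, so it is a weaker indicator of which service is actually listening than the service account is. If the web servers run under a dedicated account it would be worth adding that to the condition, or at least putting a comment above the macro that records the trade-off, e.g. `# matched by process name only; a renamed server binary is not covered`. The added memcached outbound rule also fires on every outbound connection from the memcached user with no port or destination qualifier, which differs from the port-scoped inbound rule directly above it; if that is intended, a one-line comment saying that any outbound traffic from memcached is treated as unexpected would make it explicit.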
| @@ -7,7 +7,7 @@ gcc -O2 -fPIC -I$LUA_INCLUDE -c lptree.c -o lptree.o | |||||||
| gcc -O2 -fPIC -I$LUA_INCLUDE -c lpvm.c -o lpvm.o | gcc -O2 -fPIC -I$LUA_INCLUDE -c lpvm.c -o lpvm.o | ||||||
|  |  | ||||||
|  |  | ||||||
| # For building lpeg.so, which we don't need now that we're statically linking lpeg.a into digwatch | # For building lpeg.so, which we don't need now that we're statically linking lpeg.a into falco | ||||||
| #gcc -shared -o lpeg.so -L/usr/local/lib lpcap.o lpcode.o lpprint.o lptree.o lpvm.o | #gcc -shared -o lpeg.so -L/usr/local/lib lpcap.o lpcode.o lpprint.o lptree.o lpvm.o | ||||||
| #gcc -shared -o lpeg.so -L/usr/local/lib lpcap.o lpcode.o lpprint.o lptree.o lpvm.o | #gcc -shared -o lpeg.so -L/usr/local/lib lpcap.o lpcode.o lpprint.o lptree.o lpvm.o | ||||||
|  |  | ||||||
|   | |||||||
| @@ -1,3 +1,3 @@ | |||||||
| Digwatch instruments your physical and virtual machines at the OS level by installing into the Linux kernel and capturing system calls and other OS events. | Sysdig Falco instruments your physical and virtual machines at the OS level by installing into the Linux kernel and capturing system calls and other OS events. | ||||||
| Then, using a rule-based configuration, you can specify filters for events of interest that you would like to log or be notified of. | Then, using a rule-based configuration, you can specify filters for events of interest that you would like to log or be notified of. | ||||||
|  |  | ||||||
|   | |||||||
| @@ -3,16 +3,16 @@ include_directories("${LUAJIT_INCLUDE}") | |||||||
| 
 | 
 | ||||||
| include_directories(${PROJECT_SOURCE_DIR}/../sysdig/userspace/libscap) | include_directories(${PROJECT_SOURCE_DIR}/../sysdig/userspace/libscap) | ||||||
| include_directories(${PROJECT_SOURCE_DIR}/../sysdig/userspace/libsinsp) | include_directories(${PROJECT_SOURCE_DIR}/../sysdig/userspace/libsinsp) | ||||||
| include_directories("${PROJECT_BINARY_DIR}/userspace/digwatch") | include_directories("${PROJECT_BINARY_DIR}/userspace/falco") | ||||||
| include_directories("${CURL_INCLUDE_DIR}") | include_directories("${CURL_INCLUDE_DIR}") | ||||||
| include_directories("${YAMLCPP_INCLUDE_DIR}") | include_directories("${YAMLCPP_INCLUDE_DIR}") | ||||||
| include_directories("${LPEG_SRC}") | include_directories("${LPEG_SRC}") | ||||||
| include_directories(${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include) | include_directories(${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include) | ||||||
| 
 | 
 | ||||||
| add_executable(digwatch configuration.cpp formats.cpp fields.cpp rules.cpp logger.cpp digwatch.cpp) | add_executable(falco configuration.cpp formats.cpp fields.cpp rules.cpp logger.cpp falco.cpp) | ||||||
| 
 | 
 | ||||||
| target_link_libraries(digwatch sinsp) | target_link_libraries(falco sinsp) | ||||||
| target_link_libraries(digwatch | target_link_libraries(falco | ||||||
| 	"${LPEG_SRC}/lpeg.a" | 	"${LPEG_SRC}/lpeg.a" | ||||||
| 	"${YAMLCPP_LIB}") | 	"${YAMLCPP_LIB}") | ||||||
| 
 | 
 | ||||||
| @@ -20,7 +20,7 @@ target_link_libraries(digwatch | |||||||
| set(DIGWATCH_LUA_MAIN "rule_loader.lua") | set(DIGWATCH_LUA_MAIN "rule_loader.lua") | ||||||
| configure_file(config_digwatch.h.in config_digwatch.h) | configure_file(config_digwatch.h.in config_digwatch.h) | ||||||
| 
 | 
 | ||||||
| install(TARGETS digwatch DESTINATION bin) | install(TARGETS falco DESTINATION bin) | ||||||
| install(FILES lua/compiler.lua | install(FILES lua/compiler.lua | ||||||
| 	DESTINATION share/digwatch/lua) | 	DESTINATION share/digwatch/lua) | ||||||
| install(FILES lua/rule_loader.lua | install(FILES lua/rule_loader.lua | ||||||
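Review bot: `install(TARGETS falco DESTINATION bin)` installs the renamed binary, but the Lua files on the following lines are still installed to `DESTINATION share/digwatch/lua` and the generated header is still `config_digwatch.h`, so the `falco` package ships part of its files under the old name. If the install prefix is meant to follow the rename, `DESTINATION share/falco/lua` here has to change together with the `DIGWATCH_LUA_DIR` default that `config_digwatch.h.in` presumably derives from it (that file is not in this diff), because falco.cpp falls back to `DIGWATCH_LUA_DIR DIGWATCH_LUA_MAIN` when it cannot find the libraries. If keeping the old directory is deliberate for this commit, a short comment on the install line such as `# TODO(rename): lua install dir and config_digwatch.h still use the old name` would record that. The `install(FILES lua/rule_loader.lua` call continues past the end of the hunk.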
| @@ -36,13 +36,13 @@ std::vector<string> valid_output_names {"stdout", "syslog"}; | |||||||
| static void usage() | static void usage() | ||||||
| { | { | ||||||
|     printf( |     printf( | ||||||
| 	   "Usage: digwatch [options] rules_filename\n\n" | 	   "Usage: falco [options] rules_filename\n\n" | ||||||
| 	   "Options:\n" | 	   "Options:\n" | ||||||
| 	   " -h, --help         Print this page\n" | 	   " -h, --help         Print this page\n" | ||||||
| 	   " -c                 Configuration file (default " DIGWATCH_SOURCE_CONF_FILE ", " DIGWATCH_INSTALL_CONF_FILE ")\n" | 	   " -c                 Configuration file (default " DIGWATCH_SOURCE_CONF_FILE ", " DIGWATCH_INSTALL_CONF_FILE ")\n" | ||||||
| 	   " -o                 Output type (options are 'stdout', 'syslog', default is 'stdout')\n" | 	   " -o                 Output type (options are 'stdout', 'syslog', default is 'stdout')\n" | ||||||
|            " -e <events_file>   Read the events from <events_file> (in .scap format) instead of tapping into live.\n" |            " -e <events_file>   Read the events from <events_file> (in .scap format) instead of tapping into live.\n" | ||||||
|            " -r <rules_file>    Rules file (defaults to value set in configuration file, or /etc/digwatch_rules.conf).\n" |            " -r <rules_file>    Rules file (defaults to value set in configuration file, or /etc/falco_rules.conf).\n" | ||||||
| 	   "\n" | 	   "\n" | ||||||
|     ); |     ); | ||||||
| } | } | ||||||
| @@ -285,12 +285,12 @@ int digwatch_init(int argc, char **argv) | |||||||
| 		{ | 		{ | ||||||
| 			config.init(conf_filename); | 			config.init(conf_filename); | ||||||
| 			// log after config init because config determines where logs go
 | 			// log after config init because config determines where logs go
 | ||||||
| 			digwatch_logger::log(LOG_INFO, "Digwatch initialized with configuration file " + conf_filename + "\n"); | 			digwatch_logger::log(LOG_INFO, "Falco initialized with configuration file " + conf_filename + "\n"); | ||||||
| 		} | 		} | ||||||
| 		else | 		else | ||||||
| 		{ | 		{ | ||||||
| 			config.init(); | 			config.init(); | ||||||
| 			digwatch_logger::log(LOG_INFO, "Digwatch initialized. No configuration file found, proceeding with defaults\n"); | 			digwatch_logger::log(LOG_INFO, "Falco initialized. No configuration file found, proceeding with defaults\n"); | ||||||
| 		} | 		} | ||||||
| 
 | 
 | ||||||
| 		if (rules_filename.size()) | 		if (rules_filename.size()) | ||||||
| @@ -305,7 +305,7 @@ int digwatch_init(int argc, char **argv) | |||||||
| 			lua_main_filename = lua_dir + DIGWATCH_LUA_MAIN; | 			lua_main_filename = lua_dir + DIGWATCH_LUA_MAIN; | ||||||
| 			if (!std::ifstream(lua_main_filename)) | 			if (!std::ifstream(lua_main_filename)) | ||||||
| 			{ | 			{ | ||||||
| 				digwatch_logger::log(LOG_ERR, "Could not find Digwatch Lua libraries (tried " + | 				digwatch_logger::log(LOG_ERR, "Could not find Falco Lua libraries (tried " + | ||||||
| 						     string(DIGWATCH_LUA_DIR DIGWATCH_LUA_MAIN) + ", " + | 						     string(DIGWATCH_LUA_DIR DIGWATCH_LUA_MAIN) + ", " + | ||||||
| 						     lua_main_filename + "). Exiting \n"); | 						     lua_main_filename + "). Exiting \n"); | ||||||
| 				result = EXIT_FAILURE; | 				result = EXIT_FAILURE; | ||||||
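Review bot: In the `usage()` hunk of this file, the updated `-r` help line hardcodes `/etc/falco_rules.conf` as the default, whereas the `-c` line just above it takes its defaults from the `DIGWATCH_SOURCE_CONF_FILE` / `DIGWATCH_INSTALL_CONF_FILE` macros; the rules file is installed to `${DIR_ETC}` (rules/CMakeLists.txt in this same commit), which the top-level CMakeLists lets the builder override, so the help text can drift from where the file actually lands. Routing the path through a configure-time macro defined in config_digwatch.h.in, in the same way the `-c` line does, would keep the two lines consistent; no such macro appears on this page, so a name like `DIGWATCH_INSTALL_RULES_FILE` would be a new addition (name chosen here for illustration). The `digwatch_init` hunks only change log message text and need nothing further; that function starts and ends outside the hunks shown.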