Merge pull request #32 from draios/rename-falco

Name change!

CMakeLists.txt

@@ -1,9 +1,9 @@
 cmake_minimum_required(VERSION 2.8.2)
 
-project(digwatch)
+project(falco)
 
-if(NOT DEFINED DIGWATCH_VERSION)
-	set(DIGWATCH_VERSION "0.1.1dev")
+if(NOT DEFINED FALCO_VERSION)
+	set(FALCO_VERSION "0.1.1dev")
 endif()
 
 if(NOT DEFINED DIR_ETC)
@@ -31,8 +31,8 @@ else()
 	set(KBUILD_FLAGS "${DRAIOS_FEATURE_FLAGS}")
 endif()
 
-set(PACKAGE_NAME "digwatch")
-set(PROBE_VERSION "${DIGWATCH_VERSION}")
+set(PACKAGE_NAME "falco")
+set(PROBE_VERSION "${FALCO_VERSION}")
 set(PROBE_NAME "sysdig-probe")
 set(PROBE_DEVICE_NAME "sysdig")
 
@@ -152,21 +152,21 @@ ExternalProject_Add(lpeg
 		    CONFIGURE_COMMAND ""
                     INSTALL_COMMAND "")
 
-install(FILES digwatch.yaml
+install(FILES falco.yaml
 	DESTINATION "${DIR_ETC}")
 
 add_subdirectory(${SYSDIG_DIR}/userspace/libscap ${PROJECT_BINARY_DIR}/userspace/libscap)
 add_subdirectory(${SYSDIG_DIR}/userspace/libsinsp ${PROJECT_BINARY_DIR}/userspace/libsinsp)
 
 add_subdirectory(rules)
-add_subdirectory(userspace/digwatch)
+add_subdirectory(userspace/falco)
 
 
 set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}")
 set(CPACK_PACKAGE_VENDOR "Sysdig Inc.")
-set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "digwatch, a system-level activity monitoring tool")
+set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "falco, a system-level activity monitoring tool")
 set(CPACK_PACKAGE_DESCRIPTION_FILE "${PROJECT_SOURCE_DIR}/scripts/description.txt")
-set(CPACK_PACKAGE_VERSION "${DIGWATCH_VERSION}")
+set(CPACK_PACKAGE_VERSION "${FALCO_VERSION}")
 set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}")
 set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/CMakeCPackOptions.cmake")
 set(CPACK_STRIP_FILES "ON")

README.md

@@ -1,18 +1,18 @@
-# Digwatch: Host Activity Monitoring with Sysdig Filters
+# Sysdig Falco: Host Activity Monitoring with Sysdig Filters
 
 ## Overview
 Brief description of what, why, how, and pointer to website.
 
-### What kind of events can digwatch detect?
+### What kind of events can falco detect?
 
 
 
-## Installing Digwatch
+## Installing Falco
 Installation instructions.
 
-## Configuring Digwatch
+## Configuring Falco
 
-Digwatch is primarily configured via two files: a configuration file (such as the `digwatch.yaml` in this repository) and a rules file (such as the `digwatch_rules.conf` file in `rules/`). These two files are written to `/etc` after you install the Digwatch package.
+Digwatch is primarily configured via two files: a configuration file (such as the `falco.yaml` in this repository) and a rules file (such as the `digwatch_rules.conf` file in `rules/`). These two files are written to `/etc` after you install the Falco package.
 
 ### Rules file
 Explain the rules file syntax
@@ -21,17 +21,17 @@ Explain the rules file syntax
 Explain the config file contents and syntax
 
 
-## Running Digwatch
+## Running Falco
 
 Digwatch is intended to be run as a service. But for experimentation and designing/testing rulesets, you will likely want to run it manually from the command-line.
 
-### Running Digwatch as a service
+### Running Falco as a service
 Instructions for Centos and Ubuntu.
 
-### Running Digwatch manually
+### Running Falco manually
 
 
-## Building Digwatch
+## Building Falco
 
 ### Building
 Clone this repo in a directory that also contains the sysdig source repo. The result should be something like:
@@ -43,7 +43,7 @@ $ pwd
 22:50 vagrant@vagrant-ubuntu-trusty-64:/sysdig
 $ ls -l
 total 20
-drwxr-xr-x  1 vagrant vagrant  238 Feb 21 21:44 digwatch
+drwxr-xr-x  1 vagrant vagrant  238 Feb 21 21:44 falco
 drwxr-xr-x  1 vagrant vagrant  646 Feb 21 17:41 sysdig
 ```
 
@@ -56,18 +56,18 @@ $ cmake ..
 $ make
 ```
 
-as a result, you should have a digwatch executable in `build/userspace/digwatch/digwatch`.
+as a result, you should have a falco executable in `build/userspace/falco/falco`.
 
 
 ### Running locally-built sysdig
 
-Assuming you are in the `build` dir, you can run digwatch as:
+Assuming you are in the `build` dir, you can run falco as:
 
-`$ sudo ./userspace/digwatch/digwatch -c ../digwatch.yaml -r ../rules/digwatch_rules.conf`
+`$ sudo ./userspace/falco/falco -c ../falco.yaml -r ../rules/falco_rules.conf`
 
 Or instead you can try using some of the simpler rules files in `rules`. Or to get started, try creating a file with this:
 
-Create a file with some [digwatch rules](Rule-syntax-and-design). For example:
+Create a file with some [falco rules](Rule-syntax-and-design). For example:
 ```
 write: (syscall.type=write and fd.typechar=f) or syscall.type=mkdir or syscall.type=creat or syscall.type=rename
 interactive: proc.pname = bash or proc.pname = sshd

rules/CMakeLists.txt

@@ -1,3 +1,3 @@
-install(FILES digwatch_rules.conf
+install(FILES falco_rules.conf
 	DESTINATION "${DIR_ETC}")
 

rules/falco_rules.conf

@@ -229,14 +229,19 @@ user.name = kafka and inbound and fd.sport != 9092 | WARNING Unexpected Kafka in
 
 # Memcached ports
 user.name = memcached and inbound and fd.sport != 11211 | WARNING Unexpected Memcached inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+user.name = memcached and outbound | WARNING Unexpected Memcached outbound connection (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+
 
 # MongoDB ports
 mongodb_server_port: fd.sport = 27017
 mongodb_shardserver_port: fd.sport = 27018
 mongodb_configserver_port: fd.sport = 27019
 mongodb_webserver_port: fd.sport = 28017
-
-user.name = mongodb and inbound and not (mongodb_server_port or mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port) | WARNING Unexpected MongoDF inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+user.name = mongodb and inbound and not (mongodb_server_port or mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port) | WARNING Unexpected MongoDB inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
 
 # MySQL ports
 user.name = mysql and inbound and fd.sport != 3306 | WARNING Unexpected MySQL inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+
+# HTTP server
+http_server: proc.name in (nginx, httpd, lighttpd)
+http_server and inbound and fd.sport != 80 and fd.sport != 443 | WARNING Unexpected HTTP server inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)

scripts/build-lpeg.sh

@@ -7,7 +7,7 @@ gcc -O2 -fPIC -I$LUA_INCLUDE -c lptree.c -o lptree.o
 gcc -O2 -fPIC -I$LUA_INCLUDE -c lpvm.c -o lpvm.o
 
 
-# For building lpeg.so, which we don't need now that we're statically linking lpeg.a into digwatch
+# For building lpeg.so, which we don't need now that we're statically linking lpeg.a into falco
 #gcc -shared -o lpeg.so -L/usr/local/lib lpcap.o lpcode.o lpprint.o lptree.o lpvm.o
 #gcc -shared -o lpeg.so -L/usr/local/lib lpcap.o lpcode.o lpprint.o lptree.o lpvm.o
 

scripts/description.txt

@@ -1,3 +1,3 @@
-Digwatch instruments your physical and virtual machines at the OS level by installing into the Linux kernel and capturing system calls and other OS events.
+Sysdig Falco instruments your physical and virtual machines at the OS level by installing into the Linux kernel and capturing system calls and other OS events.
 Then, using a rule-based configuration, you can specify filters for events of interest that you would like to log or be notified of.
 

userspace/falco/CMakeLists.txt

@@ -3,16 +3,16 @@ include_directories("${LUAJIT_INCLUDE}")
 
 include_directories(${PROJECT_SOURCE_DIR}/../sysdig/userspace/libscap)
 include_directories(${PROJECT_SOURCE_DIR}/../sysdig/userspace/libsinsp)
-include_directories("${PROJECT_BINARY_DIR}/userspace/digwatch")
+include_directories("${PROJECT_BINARY_DIR}/userspace/falco")
 include_directories("${CURL_INCLUDE_DIR}")
 include_directories("${YAMLCPP_INCLUDE_DIR}")
 include_directories("${LPEG_SRC}")
 include_directories(${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include)
 
-add_executable(digwatch configuration.cpp formats.cpp fields.cpp rules.cpp logger.cpp digwatch.cpp)
+add_executable(falco configuration.cpp formats.cpp fields.cpp rules.cpp logger.cpp falco.cpp)
 
-target_link_libraries(digwatch sinsp)
-target_link_libraries(digwatch
+target_link_libraries(falco sinsp)
+target_link_libraries(falco
 	"${LPEG_SRC}/lpeg.a"
 	"${YAMLCPP_LIB}")
 
@@ -20,7 +20,7 @@ target_link_libraries(digwatch
 set(DIGWATCH_LUA_MAIN "rule_loader.lua")
 configure_file(config_digwatch.h.in config_digwatch.h)
 
-install(TARGETS digwatch DESTINATION bin)
+install(TARGETS falco DESTINATION bin)
 install(FILES lua/compiler.lua
 	DESTINATION share/digwatch/lua)
 install(FILES lua/rule_loader.lua

userspace/falco/falco.cpp

@@ -36,13 +36,13 @@ std::vector<string> valid_output_names {"stdout", "syslog"};
 static void usage()
 {
     printf(
-	   "Usage: digwatch [options] rules_filename\n\n"
+	   "Usage: falco [options] rules_filename\n\n"
 	   "Options:\n"
 	   " -h, --help         Print this page\n"
 	   " -c                 Configuration file (default " DIGWATCH_SOURCE_CONF_FILE ", " DIGWATCH_INSTALL_CONF_FILE ")\n"
 	   " -o                 Output type (options are 'stdout', 'syslog', default is 'stdout')\n"
            " -e <events_file>   Read the events from <events_file> (in .scap format) instead of tapping into live.\n"
-           " -r <rules_file>    Rules file (defaults to value set in configuration file, or /etc/digwatch_rules.conf).\n"
+           " -r <rules_file>    Rules file (defaults to value set in configuration file, or /etc/falco_rules.conf).\n"
 	   "\n"
     );
 }
@@ -285,12 +285,12 @@ int digwatch_init(int argc, char **argv)
 		{
 			config.init(conf_filename);
 			// log after config init because config determines where logs go
-			digwatch_logger::log(LOG_INFO, "Digwatch initialized with configuration file " + conf_filename + "\n");
+			digwatch_logger::log(LOG_INFO, "Falco initialized with configuration file " + conf_filename + "\n");
 		}
 		else
 		{
 			config.init();
-			digwatch_logger::log(LOG_INFO, "Digwatch initialized. No configuration file found, proceeding with defaults\n");
+			digwatch_logger::log(LOG_INFO, "Falco initialized. No configuration file found, proceeding with defaults\n");
 		}
 
 		if (rules_filename.size())
@@ -305,7 +305,7 @@ int digwatch_init(int argc, char **argv)
 			lua_main_filename = lua_dir + DIGWATCH_LUA_MAIN;
 			if (!std::ifstream(lua_main_filename))
 			{
-				digwatch_logger::log(LOG_ERR, "Could not find Digwatch Lua libraries (tried " +
+				digwatch_logger::log(LOG_ERR, "Could not find Falco Lua libraries (tried " +
 						     string(DIGWATCH_LUA_DIR DIGWATCH_LUA_MAIN) + ", " +
 						     lua_main_filename + "). Exiting \n");
 				result = EXIT_FAILURE;