diff --git a/CMakeLists.txt b/CMakeLists.txt
index 196b124e..e373966f 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,9 +1,9 @@
 cmake_minimum_required(VERSION 2.8.2)
-project(digwatch)
+project(falco)
-if(NOT DEFINED DIGWATCH_VERSION)
- set(DIGWATCH_VERSION "0.1.1dev")
+if(NOT DEFINED FALCO_VERSION)
+ set(FALCO_VERSION "0.1.1dev")
 endif()
 if(NOT DEFINED DIR_ETC)
@@ -31,8 +31,8 @@ else()
 set(KBUILD_FLAGS "${DRAIOS_FEATURE_FLAGS}")
 endif()
-set(PACKAGE_NAME "digwatch")
-set(PROBE_VERSION "${DIGWATCH_VERSION}")
+set(PACKAGE_NAME "falco")
+set(PROBE_VERSION "${FALCO_VERSION}")
 set(PROBE_NAME "sysdig-probe")
 set(PROBE_DEVICE_NAME "sysdig")
@@ -152,21 +152,21 @@ ExternalProject_Add(lpeg
 CONFIGURE_COMMAND ""
 INSTALL_COMMAND "")
-install(FILES digwatch.yaml
+install(FILES falco.yaml
 DESTINATION "${DIR_ETC}")
 add_subdirectory(${SYSDIG_DIR}/userspace/libscap ${PROJECT_BINARY_DIR}/userspace/libscap)
 add_subdirectory(${SYSDIG_DIR}/userspace/libsinsp ${PROJECT_BINARY_DIR}/userspace/libsinsp)
 add_subdirectory(rules)
-add_subdirectory(userspace/digwatch)
+add_subdirectory(userspace/falco)
 set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}")
 set(CPACK_PACKAGE_VENDOR "Sysdig Inc.")
-set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "digwatch, a system-level activity monitoring tool")
+set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "falco, a system-level activity monitoring tool")
 set(CPACK_PACKAGE_DESCRIPTION_FILE "${PROJECT_SOURCE_DIR}/scripts/description.txt")
-set(CPACK_PACKAGE_VERSION "${DIGWATCH_VERSION}")
+set(CPACK_PACKAGE_VERSION "${FALCO_VERSION}")
 set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}")
 set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/CMakeCPackOptions.cmake")
 set(CPACK_STRIP_FILES "ON")
diff --git a/README.md b/README.md
index 6cde51fd..9356082c 100644
--- a/README.md
+++ b/README.md
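Review bot: A build that still passes `-DDIGWATCH_VERSION=...` now silently gets the `0.1.1dev` default, because the guard at the top of the first hunk only checks `if(NOT DEFINED FALCO_VERSION)` and nothing reports the stale name. A short transitional fallback keeps existing packaging scripts from producing a mis-versioned artifact: `if(DEFINED DIGWATCH_VERSION AND NOT DEFINED FALCO_VERSION)` / `message(WARNING "DIGWATCH_VERSION is deprecated; use FALCO_VERSION")` / `set(FALCO_VERSION "${DIGWATCH_VERSION}")`. The `CPACK_PACKAGE_VERSION` line in the third hunk reads the same variable, so without the fallback the wrong version would also end up in `CPACK_PACKAGE_FILE_NAME`.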
@@ -1,18 +1,18 @@
-# Digwatch: Host Activity Monitoring with Sysdig Filters
+# Sysdig Falco: Host Activity Monitoring with Sysdig Filters
 ## Overview
 Brief description of what, why, how, and pointer to website.
-### What kind of events can digwatch detect?
+### What kind of events can falco detect?
-## Installing Digwatch
+## Installing Falco
 Installation instructions.
-## Configuring Digwatch
+## Configuring Falco
-Digwatch is primarily configured via two files: a configuration file (such as the `digwatch.yaml` in this repository) and a rules file (such as the `digwatch_rules.conf` file in `rules/`). These two files are written to `/etc` after you install the Digwatch package.
+Digwatch is primarily configured via two files: a configuration file (such as the `falco.yaml` in this repository) and a rules file (such as the `digwatch_rules.conf` file in `rules/`). These two files are written to `/etc` after you install the Falco package.
 ### Rules file
 Explain the rules file syntax
@@ -21,17 +21,17 @@ Explain the rules file syntax
 Explain the config file contents and syntax
-## Running Digwatch
+## Running Falco
 Digwatch is intended to be run as a service. But for experimentation and designing/testing rulesets, you will likely want to run it manually from the command-line.
-### Running Digwatch as a service
+### Running Falco as a service
 Instructions for Centos and Ubuntu.
-### Running Digwatch manually
+### Running Falco manually
-## Building Digwatch
+## Building Falco
 ### Building
 Clone this repo in a directory that also contains the sysdig source repo. The result should be something like:
@@ -43,7 +43,7 @@ $ pwd
 22:50 vagrant@vagrant-ubuntu-trusty-64:/sysdig
 $ ls -l
 total 20
-drwxr-xr-x 1 vagrant vagrant 238 Feb 21 21:44 digwatch
+drwxr-xr-x 1 vagrant vagrant 238 Feb 21 21:44 falco
 drwxr-xr-x 1 vagrant vagrant 646 Feb 21 17:41 sysdig
 ```
@@ -56,18 +56,18 @@ $ cmake ..
 $ make
 ```
-as a result, you should have a digwatch executable in `build/userspace/digwatch/digwatch`.
+as a result, you should have a falco executable in `build/userspace/falco/falco`.
 ### Running locally-built sysdig
-Assuming you are in the `build` dir, you can run digwatch as:
+Assuming you are in the `build` dir, you can run falco as:
-`$ sudo ./userspace/digwatch/digwatch -c ../digwatch.yaml -r ../rules/digwatch_rules.conf`
+`$ sudo ./userspace/falco/falco -c ../falco.yaml -r ../rules/falco_rules.conf`
 Or instead you can try using some of the simpler rules files in `rules`. Or to get started, try creating a file with this:
-Create a file with some [digwatch rules](Rule-syntax-and-design). For example:
+Create a file with some [falco rules](Rule-syntax-and-design). For example:
 ```
 write: (syscall.type=write and fd.typechar=f) or syscall.type=mkdir or syscall.type=creat or syscall.type=rename
 interactive: proc.pname = bash or proc.pname = sshd
diff --git a/digwatch.yaml b/falco.yaml
similarity index 100%
rename from digwatch.yaml
rename to falco.yaml
diff --git a/rules/CMakeLists.txt b/rules/CMakeLists.txt
index dff2d608..e77dff73 100644
--- a/rules/CMakeLists.txt
+++ b/rules/CMakeLists.txt
@@ -1,3 +1,3 @@
-install(FILES digwatch_rules.conf
+install(FILES falco_rules.conf
 DESTINATION "${DIR_ETC}")
diff --git a/rules/digwatch_rules.conf b/rules/falco_rules.conf
similarity index 96%
rename from rules/digwatch_rules.conf
rename to rules/falco_rules.conf
index a4cbde0c..6ee407a6 100644
--- a/rules/digwatch_rules.conf
+++ b/rules/falco_rules.conf
@@ -229,14 +229,19 @@ user.name = kafka and inbound and fd.sport != 9092 | WARNING Unexpected Kafka in
 # Memcached ports
 user.name = memcached and inbound and fd.sport != 11211 | WARNING Unexpected Memcached inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+user.name = memcached and outbound | WARNING Unexpected Memcached outbound connection (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+
 # MongoDB ports
 mongodb_server_port: fd.sport = 27017
 mongodb_shardserver_port: fd.sport = 27018
 mongodb_configserver_port: fd.sport = 27019
 mongodb_webserver_port: fd.sport = 28017
-
-user.name = mongodb and inbound and not (mongodb_server_port or mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port) | WARNING Unexpected MongoDF inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+user.name = mongodb and inbound and not (mongodb_server_port or mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port) | WARNING Unexpected MongoDB inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
 # MySQL ports
 user.name = mysql and inbound and fd.sport != 3306 | WARNING Unexpected MySQL inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+
+ # HTTP server
+http_server: proc.name in (nginx, httpd, lighttpd)
+http_server and inbound and fd.sport != 80 and fd.sport != 443 | WARNING Unexpected HTTP server inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
diff --git a/scripts/build-lpeg.sh b/scripts/build-lpeg.sh
index b0c990c0..6a8db3fd 100755
--- a/scripts/build-lpeg.sh
+++ b/scripts/build-lpeg.sh
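Review bot: The new `http_server` macro at the end of the hunk identifies the service by `proc.name in (nginx, httpd, lighttpd)`, while every neighbouring rule keys on `user.name`; a process name is chosen by whoever launches the binary, so an unrelated program named `nginx` trips the rule and a web server started under another name is never checked. If the intent is parity with the Memcached, MongoDB and MySQL rules, anchor the macro on the service account as well, and state the choice in a comment above it, e.g. `# Matches on process name only; pair with user.name when the web server runs under a dedicated account`. The port test `fd.sport != 80 and fd.sport != 443` could also reuse the port-macro style the MongoDB rule uses, along the lines of `not (http_port or https_port)` (constructed macro names), so that adding a port means editing one definition. The new Memcached outbound rule just above treats every outbound connection from the `memcached` user as anomalous; that is probably intended, but a one-line comment saying so would spare the next reader a guess.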
@@ -7,7 +7,7 @@ gcc -O2 -fPIC -I$LUA_INCLUDE -c lptree.c -o lptree.o
 gcc -O2 -fPIC -I$LUA_INCLUDE -c lpvm.c -o lpvm.o
-# For building lpeg.so, which we don't need now that we're statically linking lpeg.a into digwatch
+# For building lpeg.so, which we don't need now that we're statically linking lpeg.a into falco
 #gcc -shared -o lpeg.so -L/usr/local/lib lpcap.o lpcode.o lpprint.o lptree.o lpvm.o
 #gcc -shared -o lpeg.so -L/usr/local/lib lpcap.o lpcode.o lpprint.o lptree.o lpvm.o
diff --git a/scripts/description.txt b/scripts/description.txt
index c4fc004c..6c562ee1 100644
--- a/scripts/description.txt
+++ b/scripts/description.txt
@@ -1,3 +1,3 @@
-Digwatch instruments your physical and virtual machines at the OS level by installing into the Linux kernel and capturing system calls and other OS events.
+Sysdig Falco instruments your physical and virtual machines at the OS level by installing into the Linux kernel and capturing system calls and other OS events.
 Then, using a rule-based configuration, you can specify filters for events of interest that you would like to log or be notified of.
diff --git a/scripts/install-digwatch.in b/scripts/install-falco.in
similarity index 100%
rename from scripts/install-digwatch.in
rename to scripts/install-falco.in
diff --git a/userspace/digwatch/CMakeLists.txt b/userspace/falco/CMakeLists.txt
similarity index 75%
rename from userspace/digwatch/CMakeLists.txt
rename to userspace/falco/CMakeLists.txt
index 3a94017d..b05c9b09 100644
--- a/userspace/digwatch/CMakeLists.txt
+++ b/userspace/falco/CMakeLists.txt
@@ -3,16 +3,16 @@ include_directories("${LUAJIT_INCLUDE}")
 include_directories(${PROJECT_SOURCE_DIR}/../sysdig/userspace/libscap)
 include_directories(${PROJECT_SOURCE_DIR}/../sysdig/userspace/libsinsp)
-include_directories("${PROJECT_BINARY_DIR}/userspace/digwatch")
+include_directories("${PROJECT_BINARY_DIR}/userspace/falco")
 include_directories("${CURL_INCLUDE_DIR}")
 include_directories("${YAMLCPP_INCLUDE_DIR}")
 include_directories("${LPEG_SRC}")
 include_directories(${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include)
-add_executable(digwatch configuration.cpp formats.cpp fields.cpp rules.cpp logger.cpp digwatch.cpp)
+add_executable(falco configuration.cpp formats.cpp fields.cpp rules.cpp logger.cpp falco.cpp)
-target_link_libraries(digwatch sinsp)
-target_link_libraries(digwatch
+target_link_libraries(falco sinsp)
+target_link_libraries(falco
 "${LPEG_SRC}/lpeg.a"
 "${YAMLCPP_LIB}")
@@ -20,7 +20,7 @@ target_link_libraries(digwatch
 set(DIGWATCH_LUA_MAIN "rule_loader.lua")
 configure_file(config_digwatch.h.in config_digwatch.h)
-install(TARGETS digwatch DESTINATION bin)
+install(TARGETS falco DESTINATION bin)
 install(FILES lua/compiler.lua DESTINATION share/digwatch/lua)
 install(FILES lua/rule_loader.lua
diff --git a/userspace/digwatch/config_digwatch.h.in b/userspace/falco/config_digwatch.h.in
similarity index 100%
rename from userspace/digwatch/config_digwatch.h.in
rename to userspace/falco/config_digwatch.h.in
diff --git a/userspace/digwatch/configuration.cpp b/userspace/falco/configuration.cpp
similarity index 100%
rename from userspace/digwatch/configuration.cpp
rename to userspace/falco/configuration.cpp
diff --git a/userspace/digwatch/configuration.h b/userspace/falco/configuration.h
similarity index 100%
rename from userspace/digwatch/configuration.h
rename to userspace/falco/configuration.h
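Review bot: The rename is only partial in the second hunk: the executable now installs as `falco`, but the Lua support files on the following lines still go to `share/digwatch/lua`, and `DIGWATCH_LUA_MAIN` and `config_digwatch.h.in` keep the old name, so the installed tree carries both names. Since the top-level CMakeLists.txt in this commit sets `PACKAGE_NAME` to `falco`, the destination could follow it, `install(FILES lua/compiler.lua DESTINATION share/${PACKAGE_NAME}/lua)`, provided the `DIGWATCH_LUA_DIR` value generated from `config_digwatch.h.in` moves in step — that template is not in the hunk, so I cannot confirm what it emits, and the `install(FILES lua/rule_loader.lua` statement at the end of the hunk continues outside it. In the first hunk the new `target_link_libraries(falco sinsp)` and `target_link_libraries(falco` lines keep the keyword-less signature; while they are being rewritten anyway, `target_link_libraries(falco PRIVATE sinsp)` pins the link scope and avoids mixing signatures on the target later.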
diff --git a/userspace/digwatch/digwatch.cpp b/userspace/falco/falco.cpp
similarity index 95%
rename from userspace/digwatch/digwatch.cpp
rename to userspace/falco/falco.cpp
index 4163843b..98614073 100644
--- a/userspace/digwatch/digwatch.cpp
+++ b/userspace/falco/falco.cpp
@@ -36,13 +36,13 @@ std::vector valid_output_names {"stdout", "syslog"};
 static void usage()
 {
 printf(
- "Usage: digwatch [options] rules_filename\n\n"
+ "Usage: falco [options] rules_filename\n\n"
 "Options:\n"
 " -h, --help Print this page\n"
 " -c Configuration file (default " DIGWATCH_SOURCE_CONF_FILE ", " DIGWATCH_INSTALL_CONF_FILE ")\n"
 " -o Output type (options are 'stdout', 'syslog', default is 'stdout')\n"
 " -e Read the events from (in .scap format) instead of tapping into live.\n"
- " -r Rules file (defaults to value set in configuration file, or /etc/digwatch_rules.conf).\n"
+ " -r Rules file (defaults to value set in configuration file, or /etc/falco_rules.conf).\n"
 "\n"
 );
 }
@@ -285,12 +285,12 @@ int digwatch_init(int argc, char **argv)
 {
 config.init(conf_filename);
 // log after config init because config determines where logs go
- digwatch_logger::log(LOG_INFO, "Digwatch initialized with configuration file " + conf_filename + "\n");
+ digwatch_logger::log(LOG_INFO, "Falco initialized with configuration file " + conf_filename + "\n");
 }
 else
 {
 config.init();
- digwatch_logger::log(LOG_INFO, "Digwatch initialized. No configuration file found, proceeding with defaults\n");
+ digwatch_logger::log(LOG_INFO, "Falco initialized. No configuration file found, proceeding with defaults\n");
 }
 if (rules_filename.size())
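Review bot: The `-r` help line in the usage() hunk hard-codes `/etc/falco_rules.conf` as the fallback rules path, while the `-c` line two rows above derives its defaults from the `DIGWATCH_SOURCE_CONF_FILE` and `DIGWATCH_INSTALL_CONF_FILE` macros; the rules file is installed to `${DIR_ETC}` by rules/CMakeLists.txt in this commit, and `DIR_ETC` is overridable, so the literal is wrong whenever a packager changes it and nothing in this hunk ties it to the path the code actually opens. Either build the help text from the same build-time macro that defines the real default, declared next to `DIGWATCH_INSTALL_CONF_FILE` in `config_digwatch.h.in`, or add a comment stating why the path is spelled out here. The README hunk in this commit still tells users the rules file is `digwatch_rules.conf`, which contradicts both this help text and the renamed `rules/falco_rules.conf`.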
@@ -305,7 +305,7 @@ int digwatch_init(int argc, char **argv)
 lua_main_filename = lua_dir + DIGWATCH_LUA_MAIN;
 if (!std::ifstream(lua_main_filename))
 {
- digwatch_logger::log(LOG_ERR, "Could not find Digwatch Lua libraries (tried " +
+ digwatch_logger::log(LOG_ERR, "Could not find Falco Lua libraries (tried " +
 string(DIGWATCH_LUA_DIR DIGWATCH_LUA_MAIN) + ", " +
 lua_main_filename + "). Exiting \n");
 result = EXIT_FAILURE;
diff --git a/userspace/digwatch/fields.cpp b/userspace/falco/fields.cpp
similarity index 100%
rename from userspace/digwatch/fields.cpp
rename to userspace/falco/fields.cpp
diff --git a/userspace/digwatch/fields.h b/userspace/falco/fields.h
similarity index 100%
rename from userspace/digwatch/fields.h
rename to userspace/falco/fields.h
diff --git a/userspace/digwatch/formats.cpp b/userspace/falco/formats.cpp
similarity index 100%
rename from userspace/digwatch/formats.cpp
rename to userspace/falco/formats.cpp
diff --git a/userspace/digwatch/formats.h b/userspace/falco/formats.h
similarity index 100%
rename from userspace/digwatch/formats.h
rename to userspace/falco/formats.h
diff --git a/userspace/digwatch/logger.cpp b/userspace/falco/logger.cpp
similarity index 100%
rename from userspace/digwatch/logger.cpp
rename to userspace/falco/logger.cpp
diff --git a/userspace/digwatch/logger.h b/userspace/falco/logger.h
similarity index 100%
rename from userspace/digwatch/logger.h
rename to userspace/falco/logger.h
diff --git a/userspace/digwatch/lpeg.h b/userspace/falco/lpeg.h
similarity index 100%
rename from userspace/digwatch/lpeg.h
rename to userspace/falco/lpeg.h
diff --git a/userspace/digwatch/lua/README.md b/userspace/falco/lua/README.md
similarity index 100%
rename from userspace/digwatch/lua/README.md
rename to userspace/falco/lua/README.md
diff --git a/userspace/digwatch/lua/compiler.lua b/userspace/falco/lua/compiler.lua
similarity index 100%
rename from userspace/digwatch/lua/compiler.lua
rename to userspace/falco/lua/compiler.lua
diff --git a/userspace/digwatch/lua/output.lua b/userspace/falco/lua/output.lua
similarity index 100%
rename from userspace/digwatch/lua/output.lua
rename to userspace/falco/lua/output.lua
diff --git a/userspace/digwatch/lua/rule_loader.lua b/userspace/falco/lua/rule_loader.lua
similarity index 100%
rename from userspace/digwatch/lua/rule_loader.lua
rename to userspace/falco/lua/rule_loader.lua
diff --git a/userspace/digwatch/lua/smoke.sh b/userspace/falco/lua/smoke.sh
similarity index 100%
rename from userspace/digwatch/lua/smoke.sh
rename to userspace/falco/lua/smoke.sh
diff --git a/userspace/digwatch/lua/test.lua b/userspace/falco/lua/test.lua
similarity index 100%
rename from userspace/digwatch/lua/test.lua
rename to userspace/falco/lua/test.lua
diff --git a/userspace/digwatch/rules.cpp b/userspace/falco/rules.cpp
similarity index 100%
rename from userspace/digwatch/rules.cpp
rename to userspace/falco/rules.cpp
diff --git a/userspace/digwatch/rules.h b/userspace/falco/rules.h
similarity index 100%
rename from userspace/digwatch/rules.h
rename to userspace/falco/rules.h