Mark Stemm
bc570c58df
More rule error/warnings handling cleanups
2020-10-02 16:56:22 -07:00
Mark Stemm
68018d3a69
More exceptions handling cleanups.
2020-10-02 16:56:03 -07:00
Mark Stemm
defde05c90
Update tests to add error counts
When validating, the output has a summary of error/warning counts, so
update tests appropriately.
2020-10-02 16:54:55 -07:00
Mark Stemm
21ed93aa53
Don't look for event counts with -V/validate
When running falco with -V/validate <rules file>, you won't get any
event counts. All prior tests didn't get this far as they also resulted
in rules parsing errors.
However, validating can now result in warnings only. This won't exit but
won't print event counts either.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-10-02 16:52:44 -07:00
Mark Stemm
2eb286fd02
Automated tests for exceptions
Handle various positive and negative cases. Should handle every error
and warning path when reading exceptions objects or rule exception
fields, and various positive cases of using exceptions to prevent
alerts.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-10-02 16:51:43 -07:00
Mark Stemm
ab5a39c994
Cleanups
Handle new layout for exceptions, etc.
2020-10-02 10:37:18 -07:00
Mark Stemm
c4cc1d7996
Restructure exceptions
Rule exception is an object now with fields and optional comps.
2020-10-01 17:05:27 -07:00
Mark Stemm
b9671f936d
Ensure that exception fields are valid
When parsing the exception attribute of a rule, ensure that the fields
are actually defined ones for the event source.
2020-09-23 09:23:46 -07:00
Mark Stemm
0ffd1e9c5c
WIP: most of exceptions parsing support
Support top level exception objects and exceptions field for rules:
- Save exceptions in state.exceptions_by_name along with a context.
- When parsing rules, error if a rule has append=true but also defines
exceptions--exceptions can only be defined in the original rule.
- After loading all rules and exceptions, iterate through the exception
values, finding the matching field names (field1, field2, ...), then
iterating over the list of field values (val1a, val1b, ...), (val2a,
val2b, ...), building up a string of the form:
and not ((field1=val1a and field2=val1b and ...) or
(field1=val2a and field2=val2b and ...)...
)"
This string is appended to the rule's condition.
Remaining work is:
- More ad-hoc testing
- Unit tests
- Verifying that field names are valid when loading rules.
- Converting existing rules as much as possible to use exceptions.
- (Maybe) support operators other than = when defining exception fields?
2020-09-17 18:21:00 -07:00
Mark Stemm
81cdab21be
Allow unknown top level objects as warnings
When parsing a rules file, if a top level object is not one of the known
types rule, macro, list, required_engine_version, instead of failing
parsing, add a warning instead.
This adds some forwards-compatibility to rules files.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-09-17 16:18:31 -07:00
Mark Stemm
60052bffcb
Pass back warnings when loading rules
Add the notion of warnings when loading rules, which are printed if
verbose is true:
- load_rules now returns a tuple (success, required engine version,
error array, warnings array) instead of (true, required engine
version) or (false, error string)
- build_error/build_error_with_context now returns an array instead of
string value.
- warnings are combined across calls to load_rules_doc
- Current warnings include:
- a rule that contains an unknown filter
- a macro not referred to by any rule
- a list not referred to by any rule/macro/list
Any errors/warnings are concatenated into the exception if success was
false. Any errors/warnings will be printed if verbose is true.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-09-17 16:02:42 -07:00
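The two exception commits above (expanding each exception's fields/values into an `and not (...)` clause, refusing exceptions on `append: true` rules, checking exception fields against the event source) and the two warnings commits (unknown top-level objects, unknown filters, unused macros and lists, the `(success, required engine version, errors, warnings)` tuple) describe one loader. The following is an added example that models that behaviour in Python; it is not Falco's rule loader (which is Lua), and it assumes a constructed `KNOWN_FIELDS` set in place of the real field list, constructed sample rule documents, a default comparison of `=` when `comps` is omitted, a fifth tuple element carrying the expanded conditions so they can be inspected, and it also counts macro bodies when deciding whether a macro is unused (the commit says "any rule"):

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed stand-in for the event source's real field list (assumption).
KNOWN_FIELDS = {"evt.type", "proc.name", "proc.cmdline", "fd.name", "container.id", "user.name"}
_FIELD_RE = re.compile(r"\b[a-z_]+\.[a-z_.]+\b")   # proc.name, fd.name, ...
_WORD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")    # macro / list names


def build_exception_condition(fields: List[str], comps: Optional[List[str]],
                              values: List[List[str]]) -> str:
    """Render one exception as: and not ((f1=v1a and f2=v1b ...) or (f1=v2a and ...) ...).
    'comps' is optional and assumed to default to '=' for every field."""
    comps = comps or ["="] * len(fields)
    clauses = []
    for row in values:
        terms = [f"{f}={v}" if c == "=" else f"{f} {c} {v}" for f, c, v in zip(fields, comps, row)]
        clauses.append("(" + " and ".join(terms) + ")")
    return "and not (" + " or ".join(clauses) + ")"


def load_rules(objs: List[Dict[str, Any]]) -> Tuple[bool, Any, List[str], List[str], Dict[str, str]]:
    """Return (success, required_engine_version, errors, warnings, conditions); the
    first four mirror the commit's tuple, the fifth is added here for inspection."""
    errors, warnings, engine_version = [], [], None
    rules: Dict[str, Dict[str, Any]] = {}
    macros: Dict[str, str] = {}
    lists: Dict[str, List[str]] = {}
    for idx, obj in enumerate(objs):
        ctx = f"object {idx}"
        if "required_engine_version" in obj:
            engine_version = obj["required_engine_version"]
        elif "rule" in obj:
            name = obj["rule"]
            if obj.get("append"):
                if "exceptions" in obj:   # exceptions live only in the original rule
                    errors.append(f"{ctx}: rule {name} has append=true but also defines exceptions")
                elif name not in rules:
                    errors.append(f"{ctx}: rule {name} has append=true but no such rule exists")
                else:
                    rules[name]["condition"] += " " + obj["condition"]
            else:
                rules[name] = {"condition": obj["condition"], "exceptions": obj.get("exceptions", []), "ctx": ctx}
        elif "macro" in obj:
            macros[obj["macro"]] = obj["condition"]
        elif "list" in obj:
            lists[obj["list"]] = list(obj["items"])
        else:   # unknown top-level object type: a warning, not a parse failure
            warnings.append(f"{ctx}: unknown top level object {sorted(obj)}, skipping")

    # Exception fields must be defined for the event source; the generated clause is
    # appended after any 'append: true' text so it wraps the whole rule.
    for name, rule in rules.items():
        for exc in rule["exceptions"]:
            unknown = [f for f in exc["fields"] if f not in KNOWN_FIELDS]
            if unknown:
                errors.append(f"{rule['ctx']}: rule {name} exception {exc['name']} uses unknown fields {unknown}")
                continue
            rule["condition"] += " " + build_exception_condition(exc["fields"], exc.get("comps"), exc["values"])

    # Warnings: unknown filters in rules, macros/lists nothing refers to.
    rule_words, macro_words = set(), set()
    for name, rule in rules.items():
        for field in sorted(set(_FIELD_RE.findall(rule["condition"])) - KNOWN_FIELDS):
            warnings.append(f"rule {name} contains unknown filter {field}")
        rule_words.update(_WORD_RE.findall(rule["condition"]))
    for cond in macros.values():
        macro_words.update(_WORD_RE.findall(cond))
    for mname in macros:   # macro bodies count too, so a macro used only by another macro is not flagged
        if mname not in rule_words | macro_words:
            warnings.append(f"macro {mname} not referred to by any rule")
    for lname in lists:
        in_other_list = any(lname in items for n, items in lists.items() if n != lname)
        if lname not in rule_words | macro_words and not in_other_list:
            warnings.append(f"list {lname} not referred to by any rule, macro, or list")
    return (not errors, engine_version, errors, warnings, {n: r["condition"] for n, r in rules.items()})


# Constructed sample rule documents, as the YAML would parse (not from Falco's rule set).
SAMPLE_OK = [
    {"required_engine_version": 7},
    {"list": "shell_binaries", "items": ["bash", "sh", "zsh"]},
    {"list": "unused_list", "items": ["nothing"]},
    {"macro": "spawned_process", "condition": "evt.type=execve"},
    {"macro": "unused_macro", "condition": "proc.name=nobody"},
    {"rule": "Shell in container",
     "condition": "spawned_process and container.id!=host and proc.name in (shell_binaries)",
     "exceptions": [
         {"name": "known_shells", "fields": ["proc.name", "container.id"],
          "values": [["bash", "abc123"], ["sh", "def456"]]},
         {"name": "debug_cmd", "fields": ["proc.cmdline"], "comps": ["startswith"], "values": [["debug-"]]}]},
    {"rule": "Shell in container", "append": True, "condition": "and not user.name=root"},
    {"rule": "Typo field", "condition": "proc.pname=cron"},
    {"rulez": "not a known object type"},
]
SAMPLE_BAD = [
    {"rule": "Base", "condition": "evt.type=open"},
    {"rule": "Base", "append": True, "condition": "and fd.name=/etc/shadow",
     "exceptions": [{"name": "x", "fields": ["fd.name"], "values": [["/etc/passwd"]]}]},
    {"rule": "Bad fields", "condition": "evt.type=execve",
     "exceptions": [{"name": "y", "fields": ["proc.nosuchfield"], "values": [["a"]]}]},
]
```

`load_rules(SAMPLE_OK)` succeeds with four warnings (unknown top-level object, unknown filter, unused macro, unused list), which is the "warnings only" case the validate commit describes, while `load_rules(SAMPLE_BAD)` fails with two errors (exceptions on an appended rule, undefined exception field). Note that the exception clause is appended after the `append: true` text, so an appended `or ...` would not escape it; the parenthesisation of the original condition is the rule author's responsibility, as in Falco.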
Lorenzo Fontana
1efa4d3af0
update(scripts): driver loader cycle available gcc versions
The falco-driver-loader script calls dkms to compile the kernel
module using the default gcc.
In some systems, and in the falcosecurity/falco container image,
the default gcc is not the right one to compile it.
The script will try to compile the module by cycling through all the available GCCs
starting from the default one until the module is compiled the first
time.
The default gcc is the highest priority while trying.
Newer GCCs have the priority over older GCCs.
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
2020-09-16 18:09:09 +02:00
Leonardo Di Donato
8611af4373
chore(.circleci): re-enable cleanup of falco development packages only when on the master branch
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-09-14 11:09:09 +02:00
Leonardo Di Donato
b6fd43f4db
update(.circleci): update CI references to cleanup script
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-09-14 11:09:09 +02:00
Leonardo Di Donato
2971d0de7f
fix(scripts): move cleanup (falco development packages) into scripts dir
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-09-14 11:09:09 +02:00
Leonardo Grasso
d2dbe64723
update: bump Falco engine version to 7
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-09-13 22:54:00 +02:00
Leonardo Grasso
66309e3a1f
build(.circleci): fix static build path
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-09-11 14:52:30 +02:00
bgeesaman
cb2439d757
Append Slash to Sensitive Mount Path startswith
Make L#1932 equivalent to L#1898
Signed-off-by: Brad Geesaman <bradgeesaman+github@gmail.com>
2020-09-11 14:50:28 +02:00
Leonardo Di Donato
f02a998526
build: update the driver version to 73554b9
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-09-10 15:01:07 +02:00
Leonardo Di Donato
d1ee7d3d79
chore(.circleci): re-enable the usual falco-tester docker image for CI
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-09-10 15:01:07 +02:00
Leonardo Di Donato
0586a7d33c
update(docker/no-driver): use the statically linked falco tarball
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-09-10 15:01:07 +02:00
Leonardo Di Donato
e0f0db96d3
build(rules): fix rules etc dir
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-09-10 15:01:07 +02:00
Leonardo Di Donato
045cb4a45d
build(.circleci): specify falco etc directory for musl build
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-09-10 15:01:07 +02:00
Leonardo Di Donato
4319f16fa6
build: publish musl artifacts
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-09-10 15:01:07 +02:00
Leonardo Di Donato
c2603c0130
new(.circleci): test the minimal build
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-09-10 15:01:07 +02:00
Leonardo Di Donato
5316e39379
chore(cmake/modules): correct logging for string-view-lite (always) bundled header dependency
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-09-10 15:01:07 +02:00
Leonardo Di Donato
9a29203a4d
build: engine fields checksum only when not building the minimal Falco
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-09-10 15:01:07 +02:00
Leonardo Di Donato
7e28e305a6
deps: update driver version
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-09-10 15:01:07 +02:00
Leonardo Grasso
ec2ccf4d1c
build: fix cares include
Co-Authored-By: Lorenzo Fontana <fontanalorenz@gmail.com>
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-09-10 15:01:07 +02:00
Leonardo Grasso
d2ecc52253
build(.circleci): fix build/musl when releasing
Co-Authored-By: Lorenzo Fontana <fontanalorenz@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-09-10 15:01:07 +02:00
Leonardo Grasso
be7ba9fea4
build: fix cares include path
Co-Authored-By: Lorenzo Fontana <fontanalorenz@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-09-10 15:01:07 +02:00
Leonardo Grasso
2141580a10
update(userspace/engine): bump driver version to 9c7755ae7aaa221a3d17c1d98911c4c2cbdbd21317559d744e53bf63a2677a4b
Co-Authored-By: Lorenzo Fontana <fontanalorenz@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-09-10 15:01:07 +02:00
Leonardo Grasso
1e64f0a5c9
build(.circleci): publish static tgz on release
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-09-10 15:01:07 +02:00
Lorenzo Fontana
7e9ca5c540
build: run_regression_tests.sh skip packages tests if asked
Co-Authored-By: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
2020-09-10 15:01:07 +02:00
Lorenzo Fontana
98a5813bd7
build: allow the tester command to retrieve the source and build env variables
Co-Authored-By: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
2020-09-10 15:01:07 +02:00
Lorenzo Fontana
492fe0c372
build: circleci musl build
Co-Authored-By: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
2020-09-10 15:01:07 +02:00
Lorenzo Fontana
00d930199f
build: strip userspace/falco/falco in release when building with musl optimizations
Co-Authored-By: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
2020-09-10 15:01:07 +02:00
Lorenzo Fontana
f2bc92ac58
build: allow configurable cpack targets
Co-Authored-By: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
2020-09-10 15:01:07 +02:00
Leonardo Grasso
d5f752de7a
build: add MUSL_OPTIMIZED_BUILD option
This option is now decoupled from `MINIMAL_BUILD`
Co-Authored-By: Lorenzo Fontana <fontanalorenz@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-09-10 15:01:07 +02:00
Leonardo Grasso
109efc2799
chore(cmake/modules): refine sysdig cmake for minimal build
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-09-10 15:01:07 +02:00
Leonardo Grasso
c46dbc7f11
build: remove gRPC, openssl, curl from minimal build
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-09-10 15:01:07 +02:00
Leonardo Grasso
b7e75095e6
build(userspace): avoid openssl dep for engine fields verification
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-09-10 15:01:07 +02:00
Leonardo Grasso
68f937f5e8
build: disallow k8s audit trace file when minimal build
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-09-10 15:01:07 +02:00
Leonardo Grasso
0c1ed551ca
build: remove civetweb when minimal build
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-09-10 15:01:07 +02:00
Leonardo Grasso
bdd14604d4
build: remove webserver from minimal build
Co-Authored-By: Lorenzo Fontana <fontanalorenz@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-09-10 15:01:07 +02:00
Leonardo Grasso
9d88bfd0d4
build: add MINIMAL_BUILD option
Co-Authored-By: Lorenzo Fontana <fontanalorenz@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-09-10 15:01:07 +02:00
Leo Di Donato
361fec452e
chore(.circleci): typos
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-09-08 11:07:48 +02:00
Leonardo Di Donato
cd449cb89b
update(.circleci): cleanup/packages-dev job
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-09-08 11:07:48 +02:00
Leonardo Di Donato
2880bb1f23
build(.circleci): script for automatic cleanup of Falco development releases
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-09-08 11:07:48 +02:00
Leo Di Donato
d25e07381e
update(proposals): clarify that prebuilding drivers is on a best-effort basis
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
2020-09-07 11:39:54 +02:00