Mark Stemm
bc570c58df
More rule error/warnings handling cleanups
2020-10-02 16:56:22 -07:00
Mark Stemm
68018d3a69
More exceptions handling cleanups.
2020-10-02 16:56:03 -07:00
Mark Stemm
ab5a39c994
Cleanups
Handle new layout for exceptions, etc.
2020-10-02 10:37:18 -07:00
Mark Stemm
c4cc1d7996
Restructure exceptions
Rule exception is an object now with fields and optional comps.
2020-10-01 17:05:27 -07:00
Mark Stemm
b9671f936d
Ensure that exception fields are valid
When parsing the exception attribute of a rule, ensure that the fields
are actually defined ones for the event source.
2020-09-23 09:23:46 -07:00
Mark Stemm
0ffd1e9c5c
WIP: most of exceptions parsing support
Support top level exception objects and exceptions field for rules:
- Save exceptions in state.exceptions_by_name along with a context.
- When parsing rules, error if a rule has append=true but also defines
  exceptions--exceptions can only be defined in the original rule.
- After loading all rules and exceptions, iterate through the exception
  values, finding the matching field names (field1, field2, ...), then
  iterating over the list of field values (val1a, val1b, ...), (val2a,
  val2b, ...), building up a string of the form:
      and not ((field1=val1a and field2=val1b and ...) or
               (field1=val2a and field2=val2b and ...)...
              )
  This string is appended to the rule's condition.
Remaining work is:
- More ad-hoc testing
- Unit tests
- Verifying that field names are valid when loading rules.
- Converting existing rules as much as possible to use exceptions.
- (Maybe) support operators other than = when defining exception fields?
2020-09-17 18:21:00 -07:00
Mark Stemm
81cdab21be
Allow unknown top level obs as warnings
When parsing a rules file, if a top level object is not one of the known
types rule, macro, list, required_engine_version, instead of failing
parsing, add a warning instead.
This adds some forwards-compatibility to rules files.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-09-17 16:18:31 -07:00
Mark Stemm
60052bffcb
Pass back warnings when loading rules
Add the notion of warnings when loading rules, which are printed if
verbose is true:
- load_rules now returns a tuple (success, required engine version,
  error array, warnings array) instead of (true, required engine
  version) or (false, error string)
- build_error/build_error_with_context now returns an array instead of
  string value.
- warnings are combined across calls to load_rules_doc
- Current warnings include:
  - a rule that contains an unknown filter
  - a macro not referred to by any rule
  - a list not referred to by any rule/macro/list
Any errors/warnings are concatenated into the exception if success was
false. Any errors/warnings will be printed if verbose is true.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-09-17 16:02:42 -07:00
Leonardo Grasso
d2dbe64723
update: bump Falco engine version to 7
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-09-13 22:54:00 +02:00
Leonardo Di Donato
9a29203a4d
build: engine fields checksum only when not building the minimal Falco
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-09-10 15:01:07 +02:00
Lorenzo Fontana
00d930199f
build: strip userspace/falco/falco in release when building with musl optimizations
Co-Authored-By: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
2020-09-10 15:01:07 +02:00
Leonardo Grasso
c46dbc7f11
build: remove gRPC, openssl, curl from minimal build
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-09-10 15:01:07 +02:00
Leonardo Grasso
b7e75095e6
build(userspace): avoid openssl dep for engine fields verification
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-09-10 15:01:07 +02:00
Leonardo Grasso
68f937f5e8
build: disallow k8s audit trace file when minimal build
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-09-10 15:01:07 +02:00
Leonardo Grasso
bdd14604d4
build: remove webserver from minimal build
Co-Authored-By: Lorenzo Fontana <fontanalorenz@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-09-10 15:01:07 +02:00
Leonardo Grasso
385d6eff6d
fix(userspace/falco): do not always rethrow the exception
Co-Authored-By: Lorenzo Fontana <fontanalorenz@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-08-25 14:27:40 +02:00
Lorenzo Fontana
feb39010bb
build: include openssl libraries in falco
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
2020-08-20 19:26:56 +02:00
Leonardo Grasso
4346e98f20
feat(userspace/falco): print version at startup
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-07-16 22:35:56 +02:00
Lorenzo Fontana
c03f563450
build: libyaml in bundled deps
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2020-07-16 19:34:39 +02:00
Lorenzo Fontana
a447b6996e
fix(userspace): rethrow inspector open exceptions
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
2020-07-15 18:33:50 +02:00
Leonardo Di Donato
596e7ee303
fix(userspace/falco): try to insert kernel module driver conditionally
Do it only when not running with userspace instrumentation enabled and
the syscall input source is enabled (!disable_syscall)
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-07-15 18:33:50 +02:00
Leo Di Donato
1343fd7e92
update(userspace/falco): userspace instrumentation help line
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-07-15 18:33:50 +02:00
Kris Nova
1954cf3af3
update(userspace/falco): edits to the falco CLI
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-07-15 18:33:50 +02:00
Kris Nova
bc8f9a5692
feat(cli): adding -u to the usage text
Signed-off-by: Kris Nova <kris@nivenly.com>
2020-07-15 18:33:50 +02:00
Loris Degioanni
c743f1eb68
feat(cli): adding -u to flip inspector method calls
udig support through the -u command line flag
Signed-off-by: Kris Nóva <kris@nivenly.com>
Co-authored-by: Kris Nóva <kris@nivenly.com>
2020-07-15 18:33:50 +02:00
Leonardo Grasso
de147447ed
update(userspace/falco): rename --stats_interval to --stats-interval
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-07-08 17:55:16 +02:00
Leonardo Di Donato
825e249294
update(userspace/falco): rename --stats_interval to --stats-interval
To match the style of other long flags of the Falco CLI.
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-07-08 17:55:16 +02:00
Leonardo Di Donato
00689a5d97
fix(userspace/falco): allow stats interval greater than 999 milliseconds
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-07-08 17:55:16 +02:00
Leonardo Di Donato
c7ac1ef61b
update(userspace/engine): const correctness for json_event class
Co-authored-by: Nathan Baker <nathan.baker@sysdig.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-07-07 21:19:08 +02:00
Leonardo Di Donato
553856ad68
chore(userspace): log the gRPC threadiness
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-07-07 13:42:09 +02:00
Leonardo Di Donato
2d52be603d
update(userspace/falco): gRPC server threadiness 0 by default (which means "auto")
The 0 ("auto") value sets the threadiness to the number of online cores
automatically.
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-07-07 13:42:09 +02:00
Leonardo Di Donato
75e62269c3
new: hardware_concurrency helper
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-07-07 13:42:09 +02:00
Leonardo Grasso
fecf1a9fea
fix(userspace/falco/lua): correct argument
This explains why `buffered_output: false` was not honored for stdout
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-07-03 11:45:00 +02:00
Lorenzo Fontana
352307431a
fix: update k8s audit endpoint to /k8s-audit everywhere
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2020-07-01 13:29:51 +02:00
Leonardo Grasso
82e0b5f217
fix(userspace/falco): honor -M also when using a trace file
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2020-06-30 13:04:03 +02:00
Lorenzo Fontana
9eb0b7fb5f
update(userspace/falco): avoid memory allocation for falco output response
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2020-06-29 20:42:50 +02:00
Lorenzo Fontana
869d883dc7
update(userspace/falco): better gRPC server logging
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2020-06-29 20:42:50 +02:00
Leonardo Di Donato
b88767f558
bc(userspace/falco): the Falco gRPC Outputs API are now "falco.outputs.service/get" and "falco.outputs.service/sub"
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-06-29 20:42:50 +02:00
Leonardo Di Donato
bdbdf7b830
update(userspace/falco): pluralize Falco output proto and service
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-06-29 20:42:50 +02:00
Lorenzo Fontana
3d9bc8f67b
update(userspace/falco): remove keepalive from output request
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2020-06-29 20:42:50 +02:00
Lorenzo Fontana
c89c11c3c4
update(userspace/falco): remove output queue size
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2020-06-29 20:42:50 +02:00
Lorenzo Fontana
5bd9ba0529
update(userspace/falco/grpc): simpler bidirectional context state transitions
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2020-06-29 20:42:50 +02:00
Lorenzo Fontana
b9e6d65e69
update(userspace/falco/grpc): bidirectional sub implementation
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2020-06-29 20:42:50 +02:00
Lorenzo Fontana
0d194f2b40
update(userspace/falco/grpc): for stream contexts use a flag to detect if it is still running or not
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2020-06-29 20:42:50 +02:00
Lorenzo Fontana
d9f2cda8cf
update(userspace/falco/grpc): dealing with multiple streaming requests
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2020-06-29 20:42:50 +02:00
Leonardo Di Donato
2ebc55f897
wip(userspace/falco): bidirectional gRPC outputs logic (initial)
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-06-29 20:42:50 +02:00
Leonardo Di Donato
01ae8701d9
new(userspace/falco): concrete initial implementation of the subscribe gRPC service
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-06-29 20:42:50 +02:00
Leonardo Di Donato
be6c4b273d
new(userspace/falco): gRPC context for bidirectional services
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-06-29 20:42:50 +02:00
Leonardo Di Donato
a72f27c028
new(userspace/falco): macro to REGISTER_BIDI gRPC services
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-06-29 20:42:50 +02:00
Leonardo Di Donato
58adc5b60c
new(userspace/falco): output gRPC service to provide a server streaming method and a bidirectional method to obtain Falco alerts
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-06-29 20:42:50 +02:00