Commit Graph

2615 Commits

Author SHA1 Message Date
Mark Stemm
cdd4f51db0 Better fix for falco tests after rebase 2022-01-31 11:55:11 -08:00
Mark Stemm
1b112d752a Fixing falco tests after rebase 2022-01-31 11:49:20 -08:00
Mark Stemm
eb86768dfb Fixing falco bugs after rebase 2022-01-31 11:49:04 -08:00
Mark Stemm
b55df884ef falco_engine fix typos 2022-01-31 11:15:46 -08:00
Mark Stemm
debcb1e729 Update test output matches to match new aligned code
The prior falco changes made output printing more consistent by moving
it into a standalone function instead of scattered printf()s.

Some test cases relied on the (inconsistent) print strings, so update
them to the (hopefully more consistent) outputs used now.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-01-31 11:15:43 -08:00
Mark Stemm
9f88c7cbd0 Falco cleanups. this should pass all tests 2022-01-31 11:15:03 -08:00
Mark Stemm
946a431e55 swappable falco engine cleanups. this should pass all tests 2022-01-31 11:14:07 -08:00
Mark Stemm
7e37fc8210 Rules loading cleanups. This version should pass all tests 2022-01-31 11:14:07 -08:00
Mark Stemm
1ed2bec4d7 Remove temp debug logs (falco_engine) 2022-01-31 11:14:07 -08:00
Mark Stemm
cc4332c8ce More falco_engine cleanups. this should pass all tests 2022-01-31 11:14:04 -08:00
Mark Stemm
c648f2fcfd falco cleanups. this passes most tests 2022-01-31 11:07:33 -08:00
Mark Stemm
03d826d249 swappable falco engine cleanups. this passes most tests 2022-01-31 11:07:33 -08:00
Mark Stemm
83fe8d649a Rules loading cleanups. This passes most tests 2022-01-31 11:07:33 -08:00
Mark Stemm
4356307412 falco_engine cleanups. this passes most tests 2022-01-31 11:07:33 -08:00
Mark Stemm
d338185524 Move validation to after swengine init
A bigger reorg is probably in order, but this gets validation with -v
to work, at least
2022-01-31 11:07:32 -08:00
Mark Stemm
54dea70482 This version builds 2022-01-31 11:07:30 -08:00
Mark Stemm
08a67b77d6 This version builds 2022-01-31 11:06:29 -08:00
Mark Stemm
22e6205921 Add grpc methods to reload/validate rules files
Add grpc methods to reload/validate a set of rules files. This is only
stubs at the moment, but the implementation will consist of:

- creating a new falco engine
- doing any required initialization
- loading each rules file
- enabling/disabling rules based on command line options
- (for reload) using swappable_falco_engine::replace() to update the
  falco engine.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-01-31 11:06:29 -08:00
Mark Stemm
91ee079ea6 Use swappable_falco_engine to hold falco engine
Use an instance of swappable_falco_engine obj to hold the falco
engine.

This generally involves:

 - Passing around a reference to a swappable_falco_engine instead of a
   pointer to a falco_engine
 - Using swengine.engine() to access the current falco engine instead
   of the falco_engine pointer.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-01-31 11:06:25 -08:00
Mark Stemm
4cc05d6f4a Add a notion for a swappable falco engine
New class swappable_falco_engine contains a shared_ptr to a
falco_engine object and has two main methods:

 - engine(): retrieve the current shared pointer
 - replace(): update the engine with a new one

The implementation allows for replace() and engine() to occur on
different threads, using a tbb::concurrent_queue. replace() pushes
onto the queue, and engine() pops from the queue, replacing the
current engine.

This will be used to replace the falco engine on the fly when
reloading rules on the fly via the grpc interface.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-01-31 11:03:33 -08:00
Mark Stemm
06b7427ede Move falco formats code out of engine
This isn't used by the engine itself anymore, now that it uses
factories to provide formatters.

This is in preparation for other changes to make the falco engine
hot-swappable while running.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-01-31 11:03:33 -08:00
Federico Di Pierro
f86423db76 fix(build): fixed build folder path for publish bin static.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
0.31.0
2022-01-31 17:02:48 +01:00
Federico Di Pierro
5eed3a6638 fix(build): hotfix for release 0.31.0.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-01-31 17:02:48 +01:00
Leonardo Grasso
d585343483 docs(CHANGELOG.md): last update
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2022-01-31 14:01:48 +01:00
Teryl
9e57b5b4ba docs(changelog.md): update for release 0.31.0
Signed-off-by: Teryl <terylt@ibm.com>
2022-01-31 14:01:48 +01:00
Federico Di Pierro
47f38c8ae2 chore(build): dropped centos8 circleci build because it is useless and right now it is causing issues with yum.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-01-31 12:48:48 +01:00
Federico Di Pierro
332d828204 update(userspace/engine): properly value required_version because it is used by caller.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-01-28 15:33:22 +01:00
Federico Di Pierro
75c6cfb414 update(userspace/engine): properly implement semver check for required plugin versions.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-01-28 15:33:22 +01:00
Leonardo Grasso
a4199814a0 fix(tests/engine): correct unit tests
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2022-01-28 15:33:22 +01:00
Leonardo Grasso
24e7e84153 update(rules): updated aws cloudtrail rule bumping plugins version
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2022-01-28 15:33:22 +01:00
Federico Di Pierro
70bfb2426c fix(userspace/engine): forcefully set PPME_PLUGINEVENT_E event type for "plugin" source events.
This works around an issue in libs, targeting Falco 0.31.0.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-01-28 15:33:22 +01:00
Federico Di Pierro
ce3598f801 update(plugins): updated json plugin to latest v0.2.2.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-01-27 17:22:09 +01:00
Federico Di Pierro
8e6ffc6fc9 fix(userspace/engine): actually make m_filter_all_event_types useful by properly using it as fallback when no filter event types are provided.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-01-27 17:22:09 +01:00
Luca Guerra
6a42f4a133 new(build): publish both static and glibc binaries
Signed-off-by: Luca Guerra <luca@guerra.sh>
2022-01-26 17:45:50 +01:00
Federico Di Pierro
8d9dd4440f chore(userspace/engine): cleanup unused alternate-lua-dir option and remove config_falco_engine.h.in, now unused since lua scripts are embedded in Falco.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-01-26 16:19:50 +01:00
Luca Guerra
c49093005d fix(build): do not include plugins in musl builds
Signed-off-by: Luca Guerra <luca@guerra.sh>
2022-01-26 16:18:50 +01:00
Luca Guerra
69767bb51b fix(build): do not show plugin options in musl optimized builds
Signed-off-by: Luca Guerra <luca@guerra.sh>
2022-01-26 16:18:50 +01:00
Andrea Terzolo
7750b6f209 rule: update Copyright in falco rules
Signed-off-by: Andrea Terzolo <s276109@studenti.polito.it>
2022-01-25 18:58:05 +01:00
Andrea Terzolo
8c705448cc rule: add execveat as evt.type for spawned_process macro in falco rules
Signed-off-by: Andrea Terzolo <s276109@studenti.polito.it>
2022-01-25 18:58:05 +01:00
Shay Berkovich
6b9fafb75f rule update(Sudo Potential Privilege Escalation): trigger the most common CVE-2021-3156 exploit
Signed-off-by: Shay Berkovich <sberkovich@blackberry.com>
Co-authored-by: Meera Balsara <mbalsara@blackberry.com>
2022-01-25 17:54:06 +01:00
Shay Berkovich
fdcd7bffd0 rule update(Detect crypto miners using the Stratum protocol): update protocols
Signed-off-by: Shay Berkovich <Sberkovich@blackberry.com>
Co-authored-by: Meera Balsara <mbalsara@blackberry.com>
2022-01-25 17:54:06 +01:00
Shay Berkovich
d989e9c2d5 new(rules): Create Hardlink Over Sensitive Files
New rule to prevent hardlink bypass and symlink rule set to WARNING for consistency
Signed-off-by: Shay Berkovich <sberkovich@blackberry.com>
Co-authored-by: Meera Balsara <mbalsara@blackberry.com>
2022-01-25 17:54:06 +01:00
Federico Di Pierro
996ccf555c rule: updated aws_cloudtrail_rules with correct copyright year and required plugin versions.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-01-25 17:50:06 +01:00
Federico Di Pierro
2f82a9baa1 Update userspace/falco/falco.cpp
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
2022-01-24 17:52:31 +01:00
Federico Di Pierro
dfb743838e Update userspace/engine/rules.cpp
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
2022-01-24 17:52:31 +01:00
Federico Di Pierro
c7609192c7 Update userspace/engine/lua/rule_loader.lua
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
2022-01-24 17:52:31 +01:00
Federico Di Pierro
4d3fc354fa update(userspace/engine): updated no evt.type specified lua warning string.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-01-24 17:52:31 +01:00
Federico Di Pierro
43bdfce6e5 update(userspace/falco): divide each plugin's info with a newline when dumping the list of plugins.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-01-24 17:52:31 +01:00
Federico Di Pierro
a3976463d5 update(userspace/engine): fixed lua CMakeLists deps, to let it be gracefully rebuilt when lua files are updated.
Moreover, added back warning about performance impact for rules without event types.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-01-24 17:52:31 +01:00
Federico Di Pierro
1a485c3447 update(userspace/engine,userspace/falco): improved some string warnings.
Always print warnings while loading rules.
Print a single line when warning for ignored events.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-01-24 17:52:31 +01:00