falco

mirror of https://github.com/falcosecurity/falco.git synced 2026-04-04 11:02:16 +00:00

Author	SHA1	Message	Date
Leonardo Di Donato	3bfd94fefd	docs(test): run locally handling python deps with venv Co-authored-by: Lorenzo Fontana <lo@linux.com> Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-05-26 15:01:48 +02:00
Leonardo Di Donato	f186e5f41f	fix(userspace/falco): set gpr log verbosity accordingly to the Falco one Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-05-21 18:15:46 +02:00
Leonardo Di Donato	ade64b0ce8	update(userspace/falco): make log level a configuration member Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-05-21 18:15:46 +02:00
Leonardo Di Donato	d808c0aeaf	update(tests/engine): test is_unix_scheme Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-05-21 18:15:46 +02:00
Leonardo Di Donato	65e069a020	update(userspace/engine): url_is_unix_scheme() util is now is_unix_scheme(string_view) Also no more custom `starts_with` utility function. Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-05-21 18:15:46 +02:00
Leonardo Di Donato	75c2275dac	build(userspace): falco and falco_engine depend on string-view-lite header Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-05-21 18:15:46 +02:00
Lorenzo Fontana	dc0670c718	update(userspace/falco): wrap gpr logs into falco logs Signed-off-by: Lorenzo Fontana <lo@linux.com>	2020-05-21 18:15:46 +02:00
Lorenzo Fontana	05ce5b7f0b	new(tests): cases for falco::utils::starts_with Signed-off-by: Lorenzo Fontana <lo@linux.com>	2020-05-21 18:15:46 +02:00
Lorenzo Fontana	de8bade2bf	update(userspace/engine): move utils inside engine Signed-off-by: Lorenzo Fontana <lo@linux.com>	2020-05-21 18:15:46 +02:00
Lorenzo Fontana	d7de45acb2	new(userspace/falco): gRPC server unix socket support Signed-off-by: Lorenzo Fontana <lo@linux.com>	2020-05-21 18:15:46 +02:00
Lorenzo Fontana	86b473e224	update(userspace/falco): utilities to detect unix socket prefix in string Signed-off-by: Lorenzo Fontana <lo@linux.com>	2020-05-21 18:15:46 +02:00
Mark Stemm	7fd350d49a	Allow exact matches for rule names Currently, when calling enable_rule, the provided rule name pattern is a substring match, that is if the rules file has a rule "My fantastic rule", and you call engine->enable_rule("fantastic", true), the rule will be enabled. This can cause problems if one rule name is a complete subset of another rule name e.g. rules "My rule" and "My rule is great", and calling engine->enable_rule("My rule", true). To allow for this case, add an alternate method enable_rule_exact() in both default ruleset and ruleset variants. In this case, the rule name must be an exact match. In the underlying ruleset code, add a "match_exact" option to falco_ruleset::enable() that denotes whether the substring is an exact or substring match. This doesn't change the default behavior of falco in any way, as the existing calls still use enable_rule(). Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2020-05-11 14:15:42 +02:00
Lorenzo Fontana	0d34394817	fix: grpc compilation with splitted gpr library Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com> Signed-off-by: Lorenzo Fontana <lo@linux.com>	2020-04-30 08:31:02 -07:00
Leonardo Di Donato	d3a215a2db	new(userspace/falco): return also driver version from --version flag Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-03-23 18:50:06 +01:00
Lorenzo Fontana	ea46adfbc8	new(userspace/falco): add --disable-cri-async flag Signed-off-by: Lorenzo Fontana <lo@linux.com>	2020-03-18 16:23:19 +01:00
Vaibhav	03bf027e5c	feat(userspace): Add comments to explain "banned.h". Fixes #1035 Signed-off-by: Vaibhav <vrongmeal@gmail.com>	2020-02-13 18:01:39 +01:00
Vaibhav	7ed3e1d927	feat(userspace): Add `BAN_ALTERNATIVE` macro to `banned.h`. BAN_ALTERNATIVE is same as BAN but the message also provides an alternative function that the user could use instead of the banned function. Fixes #1035 Signed-off-by: Vaibhav <vrongmeal@gmail.com>	2020-02-13 18:01:39 +01:00
Vaibhav	1c80c1f458	feat(userspace): Add more functions to `banned.h`. These include: * vsprintf() * sprintf() * strcat() * strncat() * strncpy() * swprintf() * vswprintf() This also changes `userspace/falco/logger.cpp` to remove a `sprintf` statement. The statement did not affect the codebase in any form so it was simply removed rather than being substituted. Fixes #1035 Signed-off-by: Vaibhav <vrongmeal@gmail.com>	2020-02-13 18:01:39 +01:00
Leonardo Di Donato	253ff64d64	chore: stick with the error messages we have Because we can't easily change the integration test fixtures. Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-02-07 11:28:57 +01:00
Leonardo Di Donato	b3171dbae1	update(userspace/falco): use mutable proto fields where applicable Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-02-07 11:28:57 +01:00
Leonardo Di Donato	738d757b08	docs(userspace/falco): document gRPC errors and actions Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-02-07 11:28:57 +01:00
Leonardo Di Donato	5663d4d02b	update(userspace/falco): major, minor, patch are digits, so use integers Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-02-07 11:28:57 +01:00
Leonardo Di Donato	2a9c9bdc53	update(cmake/modules): module to detect Falco version from the git index Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-02-07 11:28:57 +01:00
Leonardo Di Donato	ae2eb8de8e	fix(userspace): ensure threadiness is gt 0 Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-02-07 11:28:57 +01:00
Leonardo Di Donato	c7aff2d4cb	new(userspace/falco): register version gRPC service Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-02-07 11:28:57 +01:00
Leonardo Di Donato	bc297bdc8f	build: better way to extract falco commit hash (also extract ref) Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-02-07 11:28:57 +01:00
Leonardo Di Donato	2a91289ee4	update(userspace/falco): request context and request stream context templatize the service too now Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-02-07 11:28:57 +01:00
Leonardo Di Donato	c224633454	new(userspace/falco): initial work for version gRPC svc registration Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-02-07 11:28:57 +01:00
Leonardo Di Donato	714a6619ad	new(userspace/falco): gRPC unary version service impl Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-02-07 11:28:57 +01:00
Leonardo Di Donato	550ee0d8fc	build: compile version proto Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-02-07 11:28:57 +01:00
Leonardo Di Donato	8d49e45d44	docs(userspace/falco): document version protobuf Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-02-07 11:28:57 +01:00
Leonardo Di Donato	5e8f98ea92	new(userspace/falco): protobuf for gRPC version service Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-02-07 11:28:57 +01:00
Leonardo Di Donato	e560056b92	update(userspace/falco): define version part variables Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-02-07 11:28:57 +01:00
Leonardo Di Donato	84261d2071	build: extract version pieces Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-02-07 11:28:57 +01:00
Lorenzo Fontana	af3d89b706	fix(userspace/engine): formatting and auto declarations Signed-off-by: Lorenzo Fontana <lo@linux.com>	2020-02-06 19:16:21 +01:00
Lorenzo Fontana	5b9001d1d5	fix(userspace/engine): make sure that m_uses_paths is always false by default Signed-off-by: Lorenzo Fontana <lo@linux.com>	2020-02-06 19:16:21 +01:00
Lorenzo Fontana	240f7e2057	fix(userspace/engine): base64 format fix Signed-off-by: Lorenzo Fontana <lo@linux.com> Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>	2020-02-04 21:00:00 +01:00
Vaibhav	22a95796c1	feat(userspace): Add `banned.h` which includes banned functions. This defines certain functions as invalid tokens, i.e., when compiled, the compiler throws an error. Currently only `strcpy` is included as a banned function. Fixes #788 Signed-off-by: Vaibhav <vrongmeal@gmail.com>	2020-02-04 17:47:56 +01:00
Leonardo Di Donato	739d79a1eb	chore: double-quoting verify fields variables Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-01-21 12:51:50 +01:00
Leonardo Di Donato	76fbecf907	build: cmake falco target deps Co-authored-by: Lorenzo Fontana <lo@linux.com> Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-01-17 19:09:31 +01:00
Leonardo Di Donato	d6e246a26a	build: use SYSDIG_SOURCE_DIR into falco CMakeLists.txt files Co-authored-by: Lorenzo Fontana <lo@linux.com> Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-01-17 19:09:31 +01:00
Lorenzo Fontana	b96e17fe5d	new: fix lyaml dependencies Signed-off-by: Lorenzo Fontana <lo@linux.com>	2020-01-17 19:09:31 +01:00
Mark Stemm	c53df3af00	Don't rethrow exceptions in parse_k8s_audit_json Callers aren't expected to catch execeptions and instead rely on the bool return value to indicate whether or not the parsing was successful. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2019-12-16 17:00:50 -08:00
Mark Stemm	4c576f31f2	Also allow json arrays of k8s audit evts Currently, the json object POSTed to the /k8s_audit endpoint is assumed to be an obect, with a "type" of either "Event" or "EventList". When the K8s API Server POSTs events, it aggregates them into an EventList, ensuring that there is always a single object. However, we're going to add some intermediate tools that tail log files and send them to the endpoint, and the easiest way to send a batch of events is to pass them as a json array instead of a single object. To properly handle this, modify parse_k8s_audit_event_json to also handle a json array. For arrays, it iterates over the objects, calling parse_k8s_audit_json recursively. This only iterates an initial top level array to avoid excessive recursion/attacks involving degenerate json objects with excessively nested arrays. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2019-12-16 17:00:50 -08:00
Adrián Arroyo Calle	1b05f0e6a7	chore: read hostname in initialization Signed-off-by: Adrián Arroyo Calle <adrian.arroyocalle@gmail.com>	2019-11-27 22:23:49 +01:00
Adrián Arroyo Calle	4d180cbc31	chore: use std::string to have safer copies Signed-off-by: Adrián Arroyo Calle <adrian.arroyocalle@gmail.com>	2019-11-27 22:23:49 +01:00
Adrián Arroyo Calle	137e7fc0ec	chore: hostname can be 253 characters maximum Signed-off-by: Adrián Arroyo Calle <adrian.arroyocalle@gmail.com>	2019-11-27 22:23:49 +01:00
Adrián Arroyo Calle	52fbcefa1d	chore: add environment variable FALCO_GRPC_HOSTNAME Signed-off-by: Adrián Arroyo Calle <adrian.arroyocalle@gmail.com>	2019-11-27 22:23:49 +01:00
Adrián Arroyo Calle	a084f17493	feat: add hostname field in gRPC output Signed-off-by: Adrián Arroyo Calle <adrian.arroyocalle@gmail.com>	2019-11-27 22:23:49 +01:00
Mark Stemm	4e39fee54e	Always catch json type errors when extracting In all extraction functions, always catch json type errors alongside json out of range errors. Both cases result in not extracting any value from the event. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2019-11-18 16:19:58 -08:00

1 2 3 4 5 ...

427 Commits