github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-12 21:16:33 +00:00
Code Issues Projects Releases Wiki Activity
4,161 Commits 119 Branches 173 Tags
fix/use_plugin_name
Commit Graph

1334 Commits

Author SHA1 Message Date
Jason Dellaluce
a46cbcffe8 fix(engine): index old version of events in rulesets 
Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-03 15:58:21 +02:00
Jason Dellaluce
577ba5904b update(engine): bump version to 14 and update fields checksum 
Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-03 15:58:21 +02:00
Andrea Terzolo
c8bc5758c3 new(userspace): print architecture information 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-07-31 19:57:29 +02:00
Andrea Terzolo
b759e77fda new(userspace): print if the BPF probe is enabled 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-07-28 12:25:57 +02:00
Andrea Terzolo
74b6186f7d new(userspace): print enabled sources when falco starts 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-07-28 12:25:57 +02:00
Mark Stemm
baf5540c30 Remove required_engine_version from falco engine load_rules APIs 
The only use of it was to include in --support output, which is
redundant as the support output already includes the full contents of
each rules file.

Additionally, it wasn't even being updated after the switch from lua
rules loading to c++ rules
loading (https://github.com/falcosecurity/falco/pull/1966/ or
surrounding PRs).

This will simplify follow-on changes to add a real "result" to rules
loading methods, as there will be fewer API variants to support.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-07-25 17:57:42 +02:00
Andrea Terzolo
35db0b4a24 cleanup(userspace): remove unused logic 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-07-14 09:58:50 +02:00
Andrea Terzolo
4136a27de1 new(userspace): add exception management 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-07-14 09:58:50 +02:00
Andrea Terzolo
e73dbd4b42 new(userspace): add current drop_pct 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Co-authored-by: Shane Lawrence <shane@lawrence.dev>
 2022-07-14 09:58:50 +02:00
Andrea Terzolo
b57a2d5a5f update(userspace): introduce nlohmann json library 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-07-14 09:58:50 +02:00
Andrea Terzolo
a7153f2fd8 fix(userspace): compute the drop ratio in the right way 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Co-authored-by: Shane Lawrence <shane@lawrence.dev>
 2022-07-13 09:38:22 +02:00
Aldo Lacuku
46f625c449 chore(engine): remove trailing colon from logs when loading rule files 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-07-12 10:40:43 +02:00
Jason Dellaluce
62c1e875d5 update(userspace/falco): simplify sinsp logger sev decoding 
Co-authored-by: Luca Guerra <luca@guerra.sh>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-07-07 12:46:51 +02:00
Jason Dellaluce
7dade32688 refactor(userspace/falco): make sinsp logging part of the configuration (default to false) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-07-07 12:46:51 +02:00
Jason Dellaluce
bae68b37ee new(userspace/falco): enable attaching libsinsp logger to the falco one 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-07-07 12:46:51 +02:00
Luca Guerra
3cde70eda8 fix(falco): parameter ordering in initialization 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-07-01 14:17:38 +02:00
Luca Guerra
982e8663be update(gvisor): make gvisor_enable depend on config 
Signed-off-by: Luca Guerra <luca@guerra.sh>

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-07-01 14:17:38 +02:00
Luca Guerra
993516f430 new(falco): add compile-time option to enable or disable gvisor support 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-07-01 14:17:38 +02:00
Luca Guerra
60b149709d fix(gvisor): formatting 
Signed-off-by: Luca Guerra <luca@guerra.sh>
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-07-01 14:17:38 +02:00
Luca Guerra
698eda8680 new(gvisor): add option to generate gVisor configuration 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-07-01 14:17:38 +02:00
Luca Guerra
0b75433cee update(gvisor): update to the latest sinsp interface 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-07-01 14:17:38 +02:00
Luca Guerra
0ba492c280 new(falco): do not alert on syscall frequency when gvisor is enabled 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-07-01 14:17:38 +02:00
Luca Guerra
927c1c4126 new(falco): enable gVisor event collection 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-07-01 14:17:38 +02:00
Jason Dellaluce
3c2effb498 refactor(userspace/engine): remove source field from macros in rule loader 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-06-28 11:33:08 +02:00
Leonardo Grasso
2f208b52fc fix(userspace/falco/app_actions/print_version.cpp): correct getter call for schema version 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-06-23 12:47:03 +02:00
Leonardo Grasso
f3bc178e40 fix(userspace/falco/app_actions/print_version.cpp): ensure destructor gets invoked 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-06-23 12:47:03 +02:00
Leonardo Grasso
fda9fb36de update(userspace/falco): add more info to --version output 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-06-23 12:47:03 +02:00
Leonardo Grasso
92fdbbcc52 update(userspace/falco): do not print driver version by default 
Since now each Falco version is compatible with a range of driver version and not just one.

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-06-23 12:47:03 +02:00
Mark Stemm
85ca1eb3dd fix(app_actions): perform validate_rules before load_rules action 
Perform the validate_rules action before the load_rules action. This
ensures that *only* the rules files named with -V arguments are
validated.

This fixes https://github.com/falcosecurity/falco/issues/2087.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-06-23 12:24:03 +02:00
Jason Dellaluce
1e5ef912de chore: improve falco.yaml comments 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-06-14 22:13:37 +02:00
Jason Dellaluce
50039316ce update(userspace/falco): make plugin configuration more robust 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-06-14 22:13:37 +02:00
Jason Dellaluce
eb365f1a3e new(userspace/falco): add action and option to print detailed plugin info 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-06-14 22:13:37 +02:00
Aldo Lacuku
e6f99a61c9 chore(falco): fix indentation 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-06-09 12:50:39 +02:00
Aldo Lacuku
7b83943059 fix(falco): compilation issues with new libs version 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-06-09 12:50:39 +02:00
Aldo Lacuku
2111699a96 chore(engine): bump falco engine version number to 13 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-06-09 12:50:39 +02:00
Aldo Lacuku
7a774f6b2e chore(userpace/falco): do not print error code in process_events.cpp 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-06-01 13:35:38 +02:00
Aldo Lacuku
765ef5daaf chore(userspace/falco): fix punctuation typo in output message when loading plugins 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-05-30 10:46:40 +02:00
Jason Dellaluce
3b462af58e fix(userspace/falco): enable k8s and mesos clients only when syscall source is enabled 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-05-25 19:23:26 +02:00
Jason Dellaluce
09eae35f3a refactor(userspace/falco): create action for initializing k8s and mesos clients (step 2) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-05-25 19:23:26 +02:00
Jason Dellaluce
383b8f9660 refactor(userspace/falco): create action for initializing k8s and mesos clients 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-05-25 19:23:26 +02:00
Jason Dellaluce
13d70b65ae update(userspace/engine): rename ruleset.h in filter_ruleset.h 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2022-05-25 09:16:45 +02:00
Jason Dellaluce
9fd10220a5 update(userspace/falco): sync falco with new engine definitions 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-05-25 09:16:45 +02:00
Jason Dellaluce
0abd7eaa28 refactor(userspace/engine): refactor engine interface and internals 
This updates the engine to comply and work properly with the newly-introduced
interface design.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-05-25 09:16:45 +02:00
Jason Dellaluce
a1bdf95a0f refactor(userspace/engine): improve ruleset interface definitions 
The filter_ruleset interface its implementation evt_type_index_ruleset
have been modified as follows:
- Only keep track of ruleset ids and not names. The falco engine will take
care of mapping easy-to-remember ruleset names to ruleset ids.
To emphasize this, use ruleset_id everywhere and not ruleset.
Also, make it non-optional.
- Have explicit separate functions to enable/disable rules, instead of a single enable() method combined with a boolean flag.
This does *not* change the falco_engine interface, which has
similar methods, to avoid breaking API changes.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Mark Stemm <mark.stemm@gmail.com>
 2022-05-25 09:16:45 +02:00
Jason Dellaluce
833fec8537 refactor(userspace/engine): leverage falco_rule def in stats manager 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-05-25 09:16:45 +02:00
Jason Dellaluce
50c2aa9c81 refactor(userspace/engine): update rule loader to use new filter_ruleset interface 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-05-25 09:16:45 +02:00
Jason Dellaluce
f41f51f736 refactor(userspace/engine): update falco engine to use new ruleset interface and have one ruleset for each source 
This also fixes a couple of bugs. With the current implementation, the multi-ruleset feature is broken with multiple sources.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-05-25 09:16:45 +02:00
Jason Dellaluce
3af8d1c0d2 refactor(userspace/engine): adapt existing ruleset implementation to new filter_ruleset interface 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-05-25 09:16:45 +02:00
Jason Dellaluce
bbbdb311e0 refactor(userspace/engine): introduce interface for rulesets and their factory 
This interface will allow us to use different ruleset implementations inside the same engine.
The goal is to define API boundaries that will allow swapping the current evttype-index
ruleset implementation more easily. Key benefits include: smaller component with less responsibilities,
easier substituibility, more testable design, opportunity to adopt different index strategies
depending on the ruleset implementation.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-05-25 09:16:45 +02:00
Andrea Terzolo
d860472987 update(userspace/falco): improve falco termination 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-05-24 18:35:18 +02:00