Leonardo Di Donato
a72f27c028
new(userspace/falco): macro to REGISTER_BIDI gRPC services
...
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-06-29 20:42:50 +02:00
Leonardo Di Donato
58adc5b60c
new(userspace/falco): output gRPC service to provide a server streaming method and a bidirectional method to obtain Falco alerts
...
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-06-29 20:42:50 +02:00
Leonardo Di Donato
cf31712fad
update(userspace/falco): context class for bidirectional gRPC services
...
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-06-29 20:42:50 +02:00
Leonardo Di Donato
a568c42adb
update(userspace/falco): unsafe_size() method for falco::output::queue
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-06-29 20:42:50 +02:00
Leonardo Di Donato
05dd170d70
fix(userspace/falco): virtual destructor of base grpc context
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-06-29 20:42:50 +02:00
Omer Azaria
70b9bfe1d6
rule(Container Drift Detected): detect new exec created in a container
...
Signed-off-by: Omer Azaria <omer.azaria@sysdig.com>
2020-06-22 12:24:59 +02:00
Shane Lawrence
00884ef581
Log modified copy instead of original message.
...
Signed-off-by: Shane Lawrence <shane@lawrence.dev>
2020-06-19 15:28:42 +02:00
Leonardo Di Donato
3bfd94fefd
docs(test): run locally handling python deps with venv
...
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-05-26 15:01:48 +02:00
Leonardo Di Donato
f186e5f41f
fix(userspace/falco): set gpr log verbosity accordingly to the Falco one
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-05-21 18:15:46 +02:00
Leonardo Di Donato
ade64b0ce8
update(userspace/falco): make log level a configuration member
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-05-21 18:15:46 +02:00
Leonardo Di Donato
d808c0aeaf
update(tests/engine): test is_unix_scheme
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-05-21 18:15:46 +02:00
Leonardo Di Donato
65e069a020
update(userspace/engine): url_is_unix_scheme() util is now is_unix_scheme(string_view)
...
Also no more custom `starts_with` utility function.
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-05-21 18:15:46 +02:00
Leonardo Di Donato
75c2275dac
build(userspace): falco and falco_engine depend on string-view-lite header
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-05-21 18:15:46 +02:00
Lorenzo Fontana
dc0670c718
update(userspace/falco): wrap gpr logs into falco logs
...
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2020-05-21 18:15:46 +02:00
Lorenzo Fontana
05ce5b7f0b
new(tests): cases for falco::utils::starts_with
...
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2020-05-21 18:15:46 +02:00
Lorenzo Fontana
de8bade2bf
update(userspace/engine): move utils inside engine
...
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2020-05-21 18:15:46 +02:00
Lorenzo Fontana
d7de45acb2
new(userspace/falco): gRPC server unix socket support
...
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2020-05-21 18:15:46 +02:00
Lorenzo Fontana
86b473e224
update(userspace/falco): utilities to detect unix socket prefix in string
...
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2020-05-21 18:15:46 +02:00
Mark Stemm
7fd350d49a
Allow exact matches for rule names
...
Currently, when calling enable_rule, the provided rule name pattern is a
substring match, that is if the rules file has a rule "My fantastic
rule", and you call engine->enable_rule("fantastic", true), the rule
will be enabled.
This can cause problems if one rule name is a complete subset of another
rule name e.g. rules "My rule" and "My rule is great", and calling
engine->enable_rule("My rule", true).
To allow for this case, add an alternate method enable_rule_exact() in
both default ruleset and ruleset variants. In this case, the rule name
must be an exact match.
In the underlying ruleset code, add a "match_exact" option to
falco_ruleset::enable() that denotes whether the substring is an exact
or substring match.
This doesn't change the default behavior of falco in any way, as the
existing calls still use enable_rule().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-05-11 14:15:42 +02:00
Lorenzo Fontana
0d34394817
fix: grpc compilation with splitted gpr library
...
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2020-04-30 08:31:02 -07:00
Leonardo Di Donato
d3a215a2db
new(userspace/falco): return also driver version from --version flag
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-03-23 18:50:06 +01:00
Lorenzo Fontana
ea46adfbc8
new(userspace/falco): add --disable-cri-async flag
...
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2020-03-18 16:23:19 +01:00
Vaibhav
03bf027e5c
feat(userspace): Add comments to explain "banned.h".
...
Fixes #1035
Signed-off-by: Vaibhav <vrongmeal@gmail.com>
2020-02-13 18:01:39 +01:00
Vaibhav
7ed3e1d927
feat(userspace): Add BAN_ALTERNATIVE macro to banned.h.
...
BAN_ALTERNATIVE is same as BAN but the message also provides an alternative
function that the user could use instead of the banned function.
Fixes #1035
Signed-off-by: Vaibhav <vrongmeal@gmail.com>
2020-02-13 18:01:39 +01:00
Vaibhav
1c80c1f458
feat(userspace): Add more functions to banned.h.
...
These include:
* vsprintf()
* sprintf()
* strcat()
* strncat()
* strncpy()
* swprintf()
* vswprintf()
This also changes `userspace/falco/logger.cpp` to remove a `sprintf`
statement. The statement did not affect the codebase in any form so
it was simply removed rather than being substituted.
Fixes #1035
Signed-off-by: Vaibhav <vrongmeal@gmail.com>
2020-02-13 18:01:39 +01:00
Leonardo Di Donato
253ff64d64
chore: stick with the error messages we have
...
Because we can't easily change the integration test fixtures.
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-02-07 11:28:57 +01:00
Leonardo Di Donato
b3171dbae1
update(userspace/falco): use mutable proto fields where applicable
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-02-07 11:28:57 +01:00
Leonardo Di Donato
738d757b08
docs(userspace/falco): document gRPC errors and actions
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-02-07 11:28:57 +01:00
Leonardo Di Donato
5663d4d02b
update(userspace/falco): major, minor, patch are digits, so use integers
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-02-07 11:28:57 +01:00
Leonardo Di Donato
2a9c9bdc53
update(cmake/modules): module to detect Falco version from the git index
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-02-07 11:28:57 +01:00
Leonardo Di Donato
ae2eb8de8e
fix(userspace): ensure threadiness is gt 0
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-02-07 11:28:57 +01:00
Leonardo Di Donato
c7aff2d4cb
new(userspace/falco): register version gRPC service
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-02-07 11:28:57 +01:00
Leonardo Di Donato
bc297bdc8f
build: better way to extract falco commit hash (also extract ref)
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-02-07 11:28:57 +01:00
Leonardo Di Donato
2a91289ee4
update(userspace/falco): request context and request stream context templatize the service too now
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-02-07 11:28:57 +01:00
Leonardo Di Donato
c224633454
new(userspace/falco): initial work for version gRPC svc registration
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-02-07 11:28:57 +01:00
Leonardo Di Donato
714a6619ad
new(userspace/falco): gRPC unary version service impl
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-02-07 11:28:57 +01:00
Leonardo Di Donato
550ee0d8fc
build: compile version proto
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-02-07 11:28:57 +01:00
Leonardo Di Donato
8d49e45d44
docs(userspace/falco): document version protobuf
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-02-07 11:28:57 +01:00
Leonardo Di Donato
5e8f98ea92
new(userspace/falco): protobuf for gRPC version service
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-02-07 11:28:57 +01:00
Leonardo Di Donato
e560056b92
update(userspace/falco): define version part variables
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-02-07 11:28:57 +01:00
Leonardo Di Donato
84261d2071
build: extract version pieces
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-02-07 11:28:57 +01:00
Lorenzo Fontana
af3d89b706
fix(userspace/engine): formatting and auto declarations
...
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2020-02-06 19:16:21 +01:00
Lorenzo Fontana
5b9001d1d5
fix(userspace/engine): make sure that m_uses_paths is always false by default
...
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2020-02-06 19:16:21 +01:00
Lorenzo Fontana
240f7e2057
fix(userspace/engine): base64 format fix
...
Signed-off-by: Lorenzo Fontana <lo@linux.com>
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
2020-02-04 21:00:00 +01:00
Vaibhav
22a95796c1
feat(userspace): Add banned.h which includes banned functions.
...
This defines certain functions as invalid tokens, i.e., when
compiled, the compiler throws an error.
Currently only `strcpy` is included as a banned function.
Fixes #788
Signed-off-by: Vaibhav <vrongmeal@gmail.com>
2020-02-04 17:47:56 +01:00
Leonardo Di Donato
739d79a1eb
chore: double-quoting verify fields variables
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-01-21 12:51:50 +01:00
Leonardo Di Donato
76fbecf907
build: cmake falco target deps
...
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-01-17 19:09:31 +01:00
Leonardo Di Donato
d6e246a26a
build: use SYSDIG_SOURCE_DIR into falco CMakeLists.txt files
...
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-01-17 19:09:31 +01:00
Lorenzo Fontana
b96e17fe5d
new: fix lyaml dependencies
...
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2020-01-17 19:09:31 +01:00
Mark Stemm
c53df3af00
Don't rethrow exceptions in parse_k8s_audit_json
...
Callers aren't expected to catch exceptions and instead rely on the
bool return value to indicate whether or not the parsing was successful.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2019-12-16 17:00:50 -08:00