github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-12 13:07:49 +00:00
Code Issues Projects Releases Wiki Activity
4,161 Commits 119 Branches 173 Tags
fix/use_plugin_name
Commit Graph

1334 Commits

Author SHA1 Message Date
Jason Dellaluce
ea48ec70be refactor(userspace/falco): use new utility for printing versions and support 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-16 17:24:54 +01:00
Jason Dellaluce
7724ad940a new(userspace/falco): standaline utility for retrieving internal version numbers 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-16 17:24:54 +01:00
Jason Dellaluce
c69b198777 chore(userspace/falco): cleanup error message when no output is configured 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-15 18:30:15 +01:00
Jason Dellaluce
db2f5d5e9c fix(userspace/falco): solve tests issues 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-15 18:30:15 +01:00
Jason Dellaluce
4aefb7fd7d fix(userspace/falco): require config file only when needed 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-15 18:30:15 +01:00
Jason Dellaluce
149c95c3fb fix(userspace/falco): load config before every other action 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-15 18:30:15 +01:00
Jason Dellaluce
78312c8c15 update(userspace/falco): clean up configuration and allow re-initialization 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-15 18:30:15 +01:00
Jason Dellaluce
d6bbf5d442 refactor(userspace/falco): isolate yaml helpers (2) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-15 18:30:15 +01:00
Jason Dellaluce
2eac8f88cb refactor(userspace/falco): isolate yaml helpers (1) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-15 18:30:15 +01:00
Jason Dellaluce
bc3ec30f3e chore(userspace/falco) remove unused var 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-15 18:30:15 +01:00
Jason Dellaluce
42ef8db26f refactor(userspace/falco): deprecate version-json option and rely on json_output 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-15 18:30:15 +01:00
Jason Dellaluce
09d9ae135b update(userspace/falco): load default config at app initialization 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-15 18:30:15 +01:00
Jason Dellaluce
57cafcb65a refator(userspace/falco): allow loading default config with no file 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-15 18:30:15 +01:00
Jason Dellaluce
c1985a7c99 fix(userspace/engine): absolute rule condition position in validation context 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-10 12:55:43 +01:00
Jason Dellaluce
d79d7112a0 fix(userspace/engine): catch YAML parsing and validation errors with right context 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-10 12:55:43 +01:00
Luca Guerra
1b2c7ef7d9 new(falco): add --version-json to print version information in json format 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-01-10 12:35:43 +01:00
Leonardo Grasso
280fcfe5d3 update: deprecate Mesos support, --mesos-api, and -pm command-line flags 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2023-01-09 14:04:55 +01:00
Andrea Terzolo
609171fe14 doc: reword 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
 2022-12-21 14:56:02 +01:00
Andrea Terzolo
de6292ce09 doc(userspace): fix a warning message 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-21 14:56:02 +01:00
Luca Guerra
6ea233dd75 new(falco): add engine version to --version 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-12-16 12:09:24 +01:00
Luca Guerra
dde2fdd67c new(falco): add driver_api_version, driver_schema_version, default_driver_version, libs_version to support 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-12-16 12:09:24 +01:00
Jason Dellaluce
5552bcab76 chore: fix typo 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-12-13 15:06:10 +01:00
Jason Dellaluce
25ddc3c6a2 update(userspace/engine): broader err catching support in macro resolver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-12-13 15:06:10 +01:00
Jason Dellaluce
35dd0fc153 fix(userspace/engine): implement loop detection in macro resolver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-12-13 15:06:10 +01:00
Federico Di Pierro
4696948754 fix(cmake): properly fetch dev version by appending latest Falco tag, delta between master and tag, and hash. 
`describe` can no more be used as tags are now made on release branches.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-12-12 11:11:44 +01:00
Andrea Terzolo
52ee61b800 chore(userspace): add njson lib as a dependency for falco_engine 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-10 17:07:06 +01:00
Andrea Terzolo
94ed56df95 chore: bump libs 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-06 12:59:50 +01:00
Andrea Terzolo
6a972272c0 update: the capture will be stopped in the inspector destructor 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-06 12:59:50 +01:00
Andrea Terzolo
55deb452d8 update: start/stop capture inside do_inspect 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-06 12:59:50 +01:00
Federico Di Pierro
87371492c5 update(userspace/engine): updated checksum. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-12-06 12:59:50 +01:00
Federico Di Pierro
17dfe4f55d fix(userspace/falco): properly start/stop capture. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-12-06 12:59:50 +01:00
Mark Stemm
356a4a0749 Also copy ruleset when copying falco source 
In the copy constructor and assignment operator for falco_source, also
copy the ruleset along with factories/name.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-12-01 17:07:52 +01:00
Mark Stemm
910b8ff858 Fix(engine) Save parse positions when finding unresolved macros 
Now that ASTs contain parse positions, use them when reporting errors
about unknown macros.

When doing the first pass to find all macro references, save macros as
a map<macro name,parse position> instead of a set<macro name>. While
making that change, change the visitor struct to use references
instead of pointers.

In the second pass, when reporting any unresolved macro references,
also report the parse position.

The unit tests also check that the positions of macros are properly
returned in the resolved/unresolved maps.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-12-01 17:03:52 +01:00
Mark Stemm
83b12bab1d Fix(engine): include parse positions in compile errors 
Now that ASTs have parse positions and the compiler will return the
position of the last error, use that in falco rules to return errors
within condition strings instead of reporting the position as the
beginning of the condition.

This led to a change in the filter_ruleset interface--now, an ast is
compiled to a filter before being passed to the filter_ruleset
object. That avoids polluting the interface with a lot of details
about rule_loader contexts, errors, etc. The ast is still provided in
case the filter_ruleset wants to do indexing/analysis of the filter.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-12-01 17:03:52 +01:00
Jason Dellaluce
ba61706557 update(userspace/falco): enable using zlib with webserver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-11-30 19:24:47 +01:00
Jason Dellaluce
15b57bd972 fix: remove minor string view dependencies 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-11-29 16:27:42 +01:00
Leonardo Grasso
68f4d5bb59 fix(userspace/engine): no need to use external deps 
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-11-29 16:27:42 +01:00
Leonardo Grasso
47fd90bb7f chore: remove not used dependency - string-view-lite 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-11-29 16:27:42 +01:00
Luca Guerra
f08a5b4067 update(cli): also add cg / kg container-gvisor / kubernetes-gvisor 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-11-23 13:03:57 +01:00
Luca Guerra
dea02f82e8 update(falco): add container-gvisor and kubernetes-gvisor print options 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-11-23 13:03:57 +01:00
Luca Guerra
e3dbae3259 fix(engine): fix warning about redundant std::move 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-11-11 16:19:11 +01:00
Aldo Lacuku
161246fe1a fix(output): do not print syscall_buffer_size when gvisor is enabled 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-11-10 10:32:05 +01:00
Jason Dellaluce
240c0b870d fix(userspace/falco): verify engine fields only for syscalls 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-11-07 15:37:25 +01:00
Mark Stemm
acf5c4ce5f fix(engine): save syscall source only when processing events 
The optimization in https://github.com/falcosecurity/falco/pull/2210
had a bug when the engine uses multiple sources at the same
time--m_syscall_source is a pointer to an entry in the indexed vector
m_sources, but if add_source is called multiple times, the vector is
resized, which copies the structs but invalidates any pointer to the
vector entries.

So instead of caching m_syscall_source in add_source(), cache it in
process_events(). m_sources won't change once processing events starts.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-10-27 18:23:25 +02:00
Yarden Shoham
4a4fa2592b fix(plugins): trim whitespace in open_params 
`open_params` is read from the falco YAML configuration file and parsed using Go's URL.

For example:
c349be6e84/plugins/k8saudit/pkg/k8saudit/source.go (L41-L42)

Go's URL parser does not handle whitespace, so if a user defines the `open_params` in the falco configuration file as follows

```yaml
open_params: >
/file/path
```

the parser returns an error. To avoid this, we now trim this parameter so no whitespace will be left for Go's URL parser to error out on.

For reference see #2262.

Signed-off-by: Yarden Shoham <hrsi88@gmail.com>
 2022-10-21 19:12:58 +02:00
Jason Dellaluce
10fe9fd84b fix(userspace/falco): avoid using CPU when main thread waits for parallel event sources 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-14 13:12:22 +02:00
Jason Dellaluce
3d7677ce5b update(userspace/falco): create struct for sync parallel event sources parallelization 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-14 13:12:22 +02:00
Jason Dellaluce
0fd765f7c3 new(userspace/falco): add simple semaphre implementation 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-14 13:12:22 +02:00
Jason Dellaluce
cca90b2f80 update(userspace/falco): move on from deprecated libs API for printing event list 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-13 17:00:18 +02:00
Jason Dellaluce
6c873418ce chore(userspace/falco): improve the CLI options helper 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-13 15:39:18 +02:00