github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-03-18 18:58:41 +00:00
Code Issues Projects Releases Wiki Activity
2,372 Commits 122 Branches 184 Tags
new/plugin-system-api-additions-prerebase
Commit Graph

140 Commits

Author SHA1 Message Date
Mark Stemm
8a9b7dfcfa Squash w/ prior commit 2021-10-06 15:27:13 -07:00
Mark Stemm
f4182707e9 Add plugins to falco build/package 
Add a cmake module "plugins" that does the following:

 - Downloads/installs the plugins repo from a known tag
 - Builds using the make target
 - Copies the resulting cloudtrail/json shared libraries to
   CMAKE_CURRENT_BINARY_DIR/plugins
 - Installs them to FALCO_SHARE_DIR/plugins

The default config will define the plugins but they will be disabled
by default.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-10-06 09:37:03 -07:00
Mark Stemm
fce2b925f0 Add initial set of Cloudtrail rules 
These rules can be used when combined with the cloudtrail plugin.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-10-01 15:49:28 -07:00
Mark Stemm
d3be537f7e Update to use latest version of falcosecurity/libs 2021-09-23 14:44:19 -07:00
Mark Stemm
849fb98bc2 Update to latest falcosecurity/libs 2021-08-17 15:25:24 -07:00
Mark Stemm
c1d1fafade Update to latest falcosecurity libs 2021-08-04 16:55:02 -05:00
Mark Stemm
8ac6ea732e Add plugin version compat w/ rules files 
When loading rules, parse a required_plugin_versions item that looks
like:

- required_plugin_versions:
  - name: cloudtrail
    version: 1.0.1

And save it in the engine.

A new method is_plugin_compatible() takes a plugin and version and
returns whether it's compatible with all required_plugin_versions
blocks in all rules files.

In falco, after loading rules and plugins, iterate over the result of
plugin_infos(), calling is_plugin_compatible(), and exiting if any are
not compatible.
 2021-07-27 13:34:03 -05:00
Mark Stemm
5d245f6569 Minimally working rule loading + eval w/ plugins 
First minimally working version with plugins + rule loading/rule
evaluation:

 - In the falco engine, hold rulesets for plugins in a map from plugin
   id to falco ruleset.
 - Add new methods "add_plugin_filter" to rules.cpp/falco_engine
   that adds a filter for a given source and compiled filter. This
   isn't strictly necessary, as the plugin filterchecks are added when
   a plugin is registered, but it more cleanly separates filters for
   syscalls and plugins.
 - When loading rules, if the source is not syscall or k8s_audit,
   assume it's a plugin filter and call add_plugin_filter.
 - In process_sinsp_event, if the event type is PLUGINEVENT_E, use the
   plugins rulesets map instead of m_sinsp_rules, looking up the
   appropriate source from the plugin.

This doesn't handle extractor plugins yet and I only tested the very
minimal happy path but I did get rules loaded and working.
 2021-07-09 11:30:21 -07:00
Mark Stemm
b1d88c509f Update to reflect new plugin api/config in proposal 2021-07-02 17:17:41 -07:00
Leonardo Grasso
8b10a35a40 build(cmake/modules): upgrade libs and drivers version to 13ec67ebd23417273275296813066e07cb85bc91 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 12:44:58 +02:00
Leonardo Grasso
da7279da1d build(cmake/modules): upgrade libs and drivers version to 13ec67ebd23417273275296813066e07cb85bc91 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
05f5aa2af3 chore(cmake/modules): do not build libscap examples 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
b41acdff1c build(cmake/modules): always use bundled jsoncpp 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
591d4e500e build: always use bundled b64 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
79bdcb030b build: correct yamlcpp dependency for falco 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
f4dba52ee2 build(cmake/modules): ncurses dependency is not required anymore 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
bfc0021cdd build: update build system to support libs cmake modules 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
e616f79bac build: switch to falcosecurity-libs external project 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
4006452b1f chore(cmake/modules): rename sysdig to falcosecurity-libs 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
JenTing Hsiao
b1801c28c7 Bump year to 2021 
Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com>
 2021-03-12 10:45:31 +01:00
JenTing Hsiao
3ba62a4031 Migrate from init to systemd in rpm package 
Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com>
 2021-03-12 10:45:31 +01:00
Leonardo Grasso
825e6caf2d build: fetch build deps from download.falco.org 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-03-10 18:00:52 +01:00
Leonardo Grasso
b2bbb265b4 chore(cmake): remove unnecessary whitespace patch 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-01-15 14:22:14 +01:00
Angelo Puglisi
f6fa18e7ec chore(cmake): mark some variables as advanced 
Have some cmake variables (e.g. *_INCLUDE and *_LIB) marked as advanced,
in order to have a cleaner ccmake menu.

Signed-off-by: Angelo Puglisi <angelopuglisi86@gmail.com>
 2020-12-15 10:56:20 -05:00
Leonardo Di Donato
648bb6294f fix(cmake/modules): patch the max_consumers parameter of the 
kernel-module Falco driver

Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-11-13 09:21:30 -05:00
Lorenzo Fontana
55a93bce8b build: bump sinsp, scap and the drivers to 5c0b863ddade7a45568c0ac97d037422c9efb750 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-11-10 04:09:10 -05:00
Lorenzo Fontana
e0175b1e06 build: cmake modules fixes and split 
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-11-10 04:09:10 -05:00
Lorenzo Fontana
8be299939a build: update sinsp, scap and the drivers to c4f096099bf81966803d26c40c6c2cb2b8d08033 
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-11-10 04:09:10 -05:00
Lorenzo Fontana
9828c6aeb6 build: bump gRPC to 1.32.0 
Besides all the other improvements, we are really interested
in getting the Make options for other ISAs than x86_64 when it
comes to compiling abseil [0].

This is what happens on aarch64

```
make[4]: *** [Makefile:2968: /root/falco/build-musl/grpc-prefix/src/grpc/objs/opt/third_party/abseil-cpp/absl/base/internal/thread_identity.o] Error 1
c++: error: unrecognized command line option '-maes'
c++: error: unrecognized command line option '-msse4'
c++: error: unrecognized command line option '-msse4'
c++: error: unrecognized command line option '-maes'
```

[0] bf87ec9e44

Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-11-10 04:09:10 -05:00
Lorenzo Fontana
7ee0eb7e9c update: cpack specify architecture for debian packages 
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-11-10 04:09:10 -05:00
Lorenzo Fontana
0f155c3a1f build: switch Falco back to luajit 
moonjit is unmaintaned [0], and lujit recently [1] added support
for the aarch64 architecture.

[0] https://twitter.com/siddhesh_p/status/1308594269502885889?s=20
[1] e9af1abec5

Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-11-10 04:09:10 -05:00
Lorenzo Fontana
3258bdd990 update: syscall table zero definition for arm64 
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-11-10 04:09:10 -05:00
Lorenzo Fontana
9f41a390a7 update: bump sinsp and scap to fntlnz-aarch64 
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-11-10 04:09:10 -05:00
Lorenzo Fontana
7aa6fa9897 build: use fields_info from libsinsp 
Related-to: https://github.com/draios/sysdig/pull/1693
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-11-10 04:09:10 -05:00
Lorenzo Fontana
8dd9ebbdf9 build: moonjit replacement for luajit 
This is needed because Luajit does not support many architectures
such as aarch64 and ppcle64.

Note: some operating systems, such as Alpine, already use moonjit as a dropin
replacement for luajit.

Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-11-10 04:09:10 -05:00
Lorenzo Fontana
a51c4fc903 build: static code analysis structure and cppcheck 
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-09-29 14:44:28 +02:00
Leonardo Grasso
558b18ea67 build: update the driver version to 2aa88dc 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-09-18 17:27:45 +02:00
Leonardo Grasso
bbfb27777b build: remove macrodefs about time (musl build) 
See https://github.com/draios/sysdig/pull/1684

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-09-18 17:27:45 +02:00
Leonardo Di Donato
f02a998526 build: update the driver version to 73554b9 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-09-10 15:01:07 +02:00
Leonardo Di Donato
5316e39379 chore(cmake/modules): correct logging for string-view-lite (always) bundled header dependency 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-09-10 15:01:07 +02:00
Leonardo Di Donato
7e28e305a6 deps: update driver version 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-09-10 15:01:07 +02:00
Leonardo Grasso
ec2ccf4d1c build: fix cares include 
Co-Authored-By: Lorenzo Fontana <fontanalorenz@gmail.com>
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-09-10 15:01:07 +02:00
Leonardo Grasso
be7ba9fea4 build: fix cares include path 
Co-Authored-By: Lorenzo Fontana <fontanalorenz@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-09-10 15:01:07 +02:00
Leonardo Grasso
2141580a10 update(userspace/engine): bump driver version to 9c7755ae7aaa221a3d17c1d98911c4c2cbdbd21317559d744e53bf63a2677a4b 
Co-Authored-By: Lorenzo Fontana <fontanalorenz@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-09-10 15:01:07 +02:00
Lorenzo Fontana
f2bc92ac58 build: allow configurable cpack targets 
Co-Authored-By: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-09-10 15:01:07 +02:00
Leonardo Grasso
d5f752de7a build: add MUSL_OPTIMIZED_BUILD option 
This option is now decoupled from `MINIMAL_BUILD`

Co-Authored-By: Lorenzo Fontana <fontanalorenz@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-09-10 15:01:07 +02:00
Leonardo Grasso
109efc2799 chore(cmake/modules): refine sysdig cmake for minimal build 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-09-10 15:01:07 +02:00
Leonardo Grasso
c46dbc7f11 build: remove gRPC, openssl, curl from minimal build 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-09-10 15:01:07 +02:00
Leonardo Grasso
a87913c822 build: update sysdig version to ae104eb20ff0198a5dcb0c91cc36c86e7c3f25c7 
Co-Authored-By: Lorenzo Fontana <fontanalorenz@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-08-24 20:32:24 +02:00
Leonardo Di Donato
fbac5b77ff build(cmake/modules): change driver version to 37aab8 
This driver version brings into the following features:
- fix for https://github.com/draios/sysdig/issues/1659 (correct handling
  of the pathnames args for *at syscalls)
- update JQ + builtin oniguruma

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-08-20 19:26:56 +02:00