github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-03-18 18:58:41 +00:00
Code Issues Projects Releases Wiki Activity
3,001 Commits 122 Branches 184 Tags
remove-fntlnz
Commit Graph

822 Commits

Author SHA1 Message Date
Jason Dellaluce
62c1e875d5 update(userspace/falco): simplify sinsp logger sev decoding 
Co-authored-by: Luca Guerra <luca@guerra.sh>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-07-07 12:46:51 +02:00
Jason Dellaluce
7dade32688 refactor(userspace/falco): make sinsp logging part of the configuration (default to false) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-07-07 12:46:51 +02:00
Jason Dellaluce
bae68b37ee new(userspace/falco): enable attaching libsinsp logger to the falco one 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-07-07 12:46:51 +02:00
Luca Guerra
3cde70eda8 fix(falco): parameter ordering in initialization 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-07-01 14:17:38 +02:00
Luca Guerra
982e8663be update(gvisor): make gvisor_enable depend on config 
Signed-off-by: Luca Guerra <luca@guerra.sh>

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-07-01 14:17:38 +02:00
Luca Guerra
993516f430 new(falco): add compile-time option to enable or disable gvisor support 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-07-01 14:17:38 +02:00
Luca Guerra
60b149709d fix(gvisor): formatting 
Signed-off-by: Luca Guerra <luca@guerra.sh>
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-07-01 14:17:38 +02:00
Luca Guerra
698eda8680 new(gvisor): add option to generate gVisor configuration 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-07-01 14:17:38 +02:00
Luca Guerra
0b75433cee update(gvisor): update to the latest sinsp interface 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-07-01 14:17:38 +02:00
Luca Guerra
0ba492c280 new(falco): do not alert on syscall frequency when gvisor is enabled 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-07-01 14:17:38 +02:00
Luca Guerra
927c1c4126 new(falco): enable gVisor event collection 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-07-01 14:17:38 +02:00
Jason Dellaluce
3c2effb498 refactor(userspace/engine): remove source field from macros in rule loader 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-06-28 11:33:08 +02:00
Leonardo Grasso
2f208b52fc fix(userspace/falco/app_actions/print_version.cpp): correct getter call for schema version 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-06-23 12:47:03 +02:00
Leonardo Grasso
f3bc178e40 fix(userspace/falco/app_actions/print_version.cpp): ensure destructor gets invoked 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-06-23 12:47:03 +02:00
Leonardo Grasso
fda9fb36de update(userspace/falco): add more info to --version output 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-06-23 12:47:03 +02:00
Leonardo Grasso
92fdbbcc52 update(userspace/falco): do not print driver version by default 
Since now each Falco version is compatible with a range of driver version and not just one.

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-06-23 12:47:03 +02:00
Mark Stemm
85ca1eb3dd fix(app_actions): perform validate_rules before load_rules action 
Perform the validate_rules action before the load_rules action. This
ensures that *only* the rules files named with -V arguments are
validated.

This fixes https://github.com/falcosecurity/falco/issues/2087.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-06-23 12:24:03 +02:00
Jason Dellaluce
1e5ef912de chore: improve falco.yaml comments 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-06-14 22:13:37 +02:00
Jason Dellaluce
50039316ce update(userspace/falco): make plugin configuration more robust 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-06-14 22:13:37 +02:00
Jason Dellaluce
eb365f1a3e new(userspace/falco): add action and option to print detailed plugin info 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-06-14 22:13:37 +02:00
Aldo Lacuku
e6f99a61c9 chore(falco): fix indentation 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-06-09 12:50:39 +02:00
Aldo Lacuku
7b83943059 fix(falco): compilation issues with new libs version 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-06-09 12:50:39 +02:00
Aldo Lacuku
2111699a96 chore(engine): bump falco engine version number to 13 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-06-09 12:50:39 +02:00
Aldo Lacuku
7a774f6b2e chore(userpace/falco): do not print error code in process_events.cpp 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-06-01 13:35:38 +02:00
Aldo Lacuku
765ef5daaf chore(userspace/falco): fix punctuation typo in output message when loading plugins 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-05-30 10:46:40 +02:00
Jason Dellaluce
3b462af58e fix(userspace/falco): enable k8s and mesos clients only when syscall source is enabled 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-05-25 19:23:26 +02:00
Jason Dellaluce
09eae35f3a refactor(userspace/falco): create action for initializing k8s and mesos clients (step 2) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-05-25 19:23:26 +02:00
Jason Dellaluce
383b8f9660 refactor(userspace/falco): create action for initializing k8s and mesos clients 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-05-25 19:23:26 +02:00
Jason Dellaluce
13d70b65ae update(userspace/engine): rename ruleset.h in filter_ruleset.h 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2022-05-25 09:16:45 +02:00
Jason Dellaluce
9fd10220a5 update(userspace/falco): sync falco with new engine definitions 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-05-25 09:16:45 +02:00
Jason Dellaluce
0abd7eaa28 refactor(userspace/engine): refactor engine interface and internals 
This updates the engine to comply and work properly with the newly-introduced
interface design.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-05-25 09:16:45 +02:00
Jason Dellaluce
a1bdf95a0f refactor(userspace/engine): improve ruleset interface definitions 
The filter_ruleset interface its implementation evt_type_index_ruleset
have been modified as follows:
- Only keep track of ruleset ids and not names. The falco engine will take
care of mapping easy-to-remember ruleset names to ruleset ids.
To emphasize this, use ruleset_id everywhere and not ruleset.
Also, make it non-optional.
- Have explicit separate functions to enable/disable rules, instead of a single enable() method combined with a boolean flag.
This does *not* change the falco_engine interface, which has
similar methods, to avoid breaking API changes.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Mark Stemm <mark.stemm@gmail.com>
 2022-05-25 09:16:45 +02:00
Jason Dellaluce
833fec8537 refactor(userspace/engine): leverage falco_rule def in stats manager 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-05-25 09:16:45 +02:00
Jason Dellaluce
50c2aa9c81 refactor(userspace/engine): update rule loader to use new filter_ruleset interface 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-05-25 09:16:45 +02:00
Jason Dellaluce
f41f51f736 refactor(userspace/engine): update falco engine to use new ruleset interface and have one ruleset for each source 
This also fixes a couple of bugs. With the current implementation, the multi-ruleset feature is broken with multiple sources.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-05-25 09:16:45 +02:00
Jason Dellaluce
3af8d1c0d2 refactor(userspace/engine): adapt existing ruleset implementation to new filter_ruleset interface 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-05-25 09:16:45 +02:00
Jason Dellaluce
bbbdb311e0 refactor(userspace/engine): introduce interface for rulesets and their factory 
This interface will allow us to use different ruleset implementations inside the same engine.
The goal is to define API boundaries that will allow swapping the current evttype-index
ruleset implementation more easily. Key benefits include: smaller component with less responsibilities,
easier substituibility, more testable design, opportunity to adopt different index strategies
depending on the ruleset implementation.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-05-25 09:16:45 +02:00
Andrea Terzolo
d860472987 update(userspace/falco): improve falco termination 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-05-24 18:35:18 +02:00
Andrea Terzolo
3a3d5dfdcd Update userspace/falco/app_actions/load_rules_files.cpp 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-05-24 15:55:17 +02:00
Andrea Terzolo
46159b8de9 update(userspace/engine): introduce new check_plugin_requirements API 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-05-24 15:55:17 +02:00
Andrea Terzolo
e751bf79c3 fix(userspace/engine): improve rule loader source checks for macros and lists 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-05-24 15:54:17 +02:00
Federico Di Pierro
39f55f4b5c update(userspace): split filterchecks list for each source idx. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-05-21 16:33:38 +02:00
Federico Di Pierro
5f00cea3c9 fix(userspace/falco): do not start webserver in capture mode. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-05-21 16:33:38 +02:00
Federico Di Pierro
acbbcf7481 Update userspace/falco/app_cmdline_options.h 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2022-05-12 14:26:34 +02:00
Federico Di Pierro
3ba64d8a49 new(userspace/falco): new inotify watcher is now able to properly watch rules folders, when specified. 
This means that when starting Falco passing to it a folder for its rules, it will properly manage
changes to any file inside the folders, plus any created/deleted file inside it.

Unified list of rules parsing, instead of having it done twice inside cmdline_options and configuration.
Instead, it is done only once, inside load_rules_files.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-05-12 14:26:34 +02:00
Federico Di Pierro
293a6c2b40 update(userspace/falco): moved to a config option. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-05-12 14:26:34 +02:00
Federico Di Pierro
a9fe979071 chore(userspace/falco): small cleanup. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-05-12 14:26:34 +02:00
Federico Di Pierro
e32f5a66c5 new(userspace/falco): added an option to listen to changes on the config file and rules files, and trigger a Falco reload. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-05-12 14:26:34 +02:00
Milkshak3s
8c6cfae18f Include origin host in output json 
Signed-off-by: Milkshak3s <justchris.vantine@gmail.com>
 2022-05-09 12:16:50 +02:00
Leonardo Grasso
eae193ade0 build(userspace/engine): cleanup unused include dir 
`CURL_INCLUDE_DIR` is a leftover since now the correct include path is injected via libs.

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-05-04 16:12:30 +02:00