github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-14 20:33:31 +00:00
Code Issues Projects Releases Wiki Activity
4,834 Commits 117 Branches 173 Tags 105 MiB
test/wip
Commit Graph

1638 Commits

Author SHA1 Message Date
Federico Di Pierro
8843a9ec2b chore(userspace/falco,falco.yaml): enable libs_logger with info severity by default. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-03-17 13:20:09 +01:00
Federico Di Pierro
9cbfdda21f fix(userspace/falco): when counting -M timeout, make sure that time diff is > 0. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-02-26 22:08:28 +01:00
Federico Di Pierro
cfc221549a chore(userspace/engine): update engine checksum and version minor. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-02-26 13:08:26 +01:00
Federico Di Pierro
9f1bc7d518 fix(userspace/engine): expand %container.info extra format to empty string. 
Also, remove `container_id container_name` fields from `-pc` output.
These fields are now automatically appended since the `container` plugin
marks them as suggested.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-02-26 13:08:26 +01:00
Federico Di Pierro
bb13702f0f chore(userspace/falco): drop container_engines config key. 
Also, default falco.yaml will only host container plugin configuration but won't enable the plugin.
Instead, a configuration override file will be installed only on linux non-musl deployments, enabled the plugin.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-02-26 13:08:26 +01:00
Federico Di Pierro
fafeddaf35 chore(userspace,unit_tests): include thread.h where needed. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-02-26 13:08:26 +01:00
Federico Di Pierro
1fd8a85b95 fix(userspace/falco): fixed bundled deps build. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-02-26 13:08:26 +01:00
Federico Di Pierro
66cd160f1d new(cmake,userspace): port Falco to use new container plugin. 
It will be shipped by default hence it is present in default config.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-02-26 13:08:26 +01:00
Federico Di Pierro
4c34457fa3 cleanup(userspace/falco): drop deprecated in 0.40.0 CLI flags. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-02-19 14:24:43 +01:00
Federico Di Pierro
252eb5cd40 fix(userspace/falco): init cmdline options after loading all config files. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-02-13 13:21:10 +01:00
Leonardo Di Giovanna
9e2c22804c refactor(falco/app): apply early return pattern in actions code 
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
 2025-02-10 18:20:53 +01:00
Leonardo Di Giovanna
a8db99db5b feat(falco/app): move actions not using config before load_config 
Move actions not requiring config to be loaded before `load_config`
action. This avoid resource waste. Notably, `print_help` is
promoted as first execution action. Moreover, set actions lists to
constant expressions.

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
 2025-02-10 10:44:52 +01:00
Federico Di Pierro
14a8ee0b08 fix(userspace/falco): fix jemalloc enabled in minimal build. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-02-06 13:30:36 +01:00
zayaanshahm
77b83557ea fix(userspace/falco): use container_engines.cri.sockets in load_yaml 
Signed-off-by: Zayaan Moez <zayaanmoez@outlook.com>
 2025-01-17 17:07:34 +01:00
Shane Lawrence
f23e44fcab Add TODO comment for win32. 
Signed-off-by: Shane Lawrence <shane@lawrence.dev>
 2025-01-16 10:05:56 +01:00
Shane Lawrence
6bf33ffd76 Add RelWithDebInfo target to produce release binary with separate debug symbols file. 
Signed-off-by: Shane Lawrence <shane@lawrence.dev>
 2025-01-16 10:05:56 +01:00
Federico Di Pierro
aa312096d0 chore(userspace/engine): bump engine version and checksum. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-01-15 14:49:50 +01:00
Federico Aponte
ec2c2e801e chore: avoid deprecated funcs to calculate sha256 
Signed-off-by: Federico Aponte <federico.aponte@sysdig.com>
 2025-01-13 13:22:39 +01:00
Luca Guerra
1239566467 fix(falco): prevent use-after-return in webserver 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-12-19 10:31:48 +01:00
Luca Guerra
d7792acdf3 update(falco): update libs to latest master 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-12-19 10:31:48 +01:00
Federico Di Pierro
1c71777dbd new(cmake,userspace): expose jemalloc stats in stats writer and prometheus metircs. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-12-10 15:11:03 +01:00
Federico Di Pierro
d007418fd3 new(cmake,ci): added support for using jemalloc allocator instead of glibc one. 
The jemalloc allocator is enabled by default for published packages.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-12-10 15:11:03 +01:00
Federico Di Pierro
f8feea63ad fix(userspace/falco): use correct filtercheck_field_info. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-12-06 13:33:46 +01:00
Federico Di Pierro
35d8618373 chore(userspace/falco): add new suggested_output option to append_output configuration. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-12-05 15:34:40 +01:00
Federico Di Pierro
70ee5f4107 chore(userspace): update config schema. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-12-05 15:34:40 +01:00
Federico Di Pierro
114757d215 new(userspace,cmake): honor new plugins exposed suggested output formats. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-12-05 15:34:40 +01:00
Federico Di Pierro
9b35c0d5e0 update(userspace/falco): use ternary operator 
Co-authored-by: Samuel Gaist <samuel.gaist@idiap.ch>
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-12-05 10:15:39 +01:00
Federico Di Pierro
211eea6abb new(userspace/falco): allow entirely disabling plugin hostinfo support. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-12-05 10:15:39 +01:00
Mark Stemm
4a73ef8824 When overriding rules, ensure that the sources match 
In places where a second rule definition might replace, append to, or
replace items from a base rule, ensure that the source of the second
rule definiton matches the first.

This already existed for defines, but for other changes. There was a
bug where a second definition might exist for a different source, but
the additional rule was used anyway.

This now returns the same error for these other changes e.g. "Rule has
been re-defined..." as define.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-10-24 08:45:12 +02:00
Mark Stemm
a44b311333 Add a source to rule_update_info 
It's possible that someone might want to override a property for a
non-syscall rule source. To assist in this, decode any source property
for rules with append/override and save it in the rule_update_info
object. For the source property only, the value for source can be
empty e.g. 'source: ' or an empty string e.g. 'source: ""'. Both of
those are considered valid but result in an empty source.

A later change will ensure that the sources match up when
appending/redefining/overriding/enabling.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-10-24 08:45:12 +02:00
Federico Di Pierro
e4cbffc35b update(userpsace/engine): update engine checksum and version. 
See https://github.com/falcosecurity/libs/pull/2047.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-10-21 16:01:59 +02:00
Mark Stemm
e99b11e793 Make enable()/disable() virtual so they can be overridden 
Subclasses might want to also see when rules are enabled/disabled.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-10-16 12:01:37 +02:00
Luca Guerra
fb01b6d927 cleanup(falco): deprecate -b --print-base64 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-10-10 17:37:18 +02:00
Luca Guerra
4501b64b9d new(falco): add buffer_format_base64 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-10-10 17:37:18 +02:00
Luca Guerra
dfa6b9b88e chore(falco): deprecated -A 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-10-10 10:26:16 +02:00
Luca Guerra
3b28450171 new(falco): add base_syscalls.all option to falco.yaml 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-10-10 10:26:16 +02:00
Mark Stemm
5f13a9be08 Add equality operators for indexed_vector/falco_{list,macro,rule} 
Add an equality operator for indexed_vector.

As indexed_vectors commonly hold falco lists/macros/rules, also add
equality operators for those structs. For condition/sinsp_filter
shared_ptrs, the operator checks that the shared_ptrs point to the
same underlying memory.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-10-10 09:20:17 +02:00
Mark Stemm
093d9234a5 Add a compile_output::clone() method that can be overridden 
Add a clone() method that can be overridden by subclasses. This allows
copying compile state when needed in a way that preserves
polymorphism.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-10-10 09:20:17 +02:00
Federico Di Pierro
c55adf38b4 chore(userspace/engine): fix build warning. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-10-09 16:26:14 +02:00
Federico Di Pierro
3e24606c11 new(ci): use zig compiler instead of relying on centos7. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-10-09 16:26:14 +02:00
Luca Guerra
6721a6b9cf fix(engine): allow null init_config for plugin info 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-10-08 12:06:08 +02:00
Luca Guerra
c7c0246ca8 fix(engine): disable comma separated vectors in cxxopts 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-10-07 13:24:04 +02:00
Luca Guerra
478514940f update(falco): deprecated -S --snaplen option 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-10-07 11:33:03 +02:00
Luca Guerra
ef79648037 new(falco): add falco_libs.snaplen option 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-10-07 11:33:03 +02:00
Federico Di Pierro
f72e6a59ad fix(userspace/falco): fix event set selection for plugin with parsing capability. 
In live mode we need to use the source_info inspectors instead of the offline inspector.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-10-07 09:56:02 +02:00
Federico Di Pierro
41f20fd07a cleanup(userspac/falco): drop deprecated options. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-10-02 14:49:40 +02:00
Luca Guerra
17e61450db cleanup(falco): reformat options::define 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-09-30 17:50:32 +02:00
Luca Guerra
683df327ac fix(falco): allow disable_cri_async from both CLI and config 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-09-30 15:33:32 +02:00
Poiana
50b98b30e5 chore(falco): apply code formatting 
Signed-off-by: Poiana <poiana.bot@gmail.com>
 2024-09-30 13:25:31 +02:00
Leonardo Di Giovanna
3a6d1c8c5d feat(stats): add host_netinfo networking information stats family 
Introduce host_netinfo stats family to hold information regarding host
networking. At the moment, it only provides ipv4 and ipv6 addresses
list for each interface available on the host. The naming schema for
the introduced stats is
falco.host_netinfo.interfaces.<ifname>.protocols.<ipv4|ipv6>.addresses.

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
 2024-09-26 15:50:16 +02:00