github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-31 22:28:22 +00:00
Code Issues Projects Releases Wiki Activity
2,752 Commits 119 Branches 173 Tags
06b6565fa6b14dfdb3c75409f61c03f9e7056acc
Commit Graph

2752 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Marcin Kowalski
a94e6de458 add useragent string to output 
Signed-off-by: Marcin Kowalski <marcin.kowalski@assecobs.pl>
 2022-01-18 09:49:34 +01:00
Leonardo Grasso
3e9f8c1ef1 chore(userpsace/engine): update fields checksum 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-01-17 18:15:43 +01:00
Mark Stemm
d20a326e09 Skip EPF_TABLE_ONLY fields with --list -N 
When listing fields with -N (names only), also skip fields with the
EPF_TABLE_ONLY flag. (Skipping fields without -N is handled in libs,
in the as_string() method).

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-01-17 18:15:43 +01:00
Federico Di Pierro
0c290d98f8 fix(tests): avoid hardcoding plugin version 0.1.0 in plugin tests. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-17 17:20:33 +01:00
Federico Di Pierro
1befb053d0 update(gitignore): drop 2 useless lines from gitignore that are now installed in the build folder. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-17 17:20:33 +01:00
Federico Di Pierro
ae57718bda update(build): updated libs to latest master version. Updated plugins versions. Updated falco engine version. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-17 17:20:33 +01:00
Luca Guerra
55ce38cf3a use debian 11 slim as nodriver image 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-01-17 16:26:07 +01:00
Luca Guerra
18571eb20d ci: build stripped tgz 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-01-17 16:26:07 +01:00
Luca Guerra
9c449901f3 cmake: do not strip tar gz builds 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-01-17 16:26:07 +01:00
Jason Dellaluce
4ab8d6db98 refactor(configuration): remove plugin config loading from file feature 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-01-17 14:55:11 +01:00
Jason Dellaluce
5e354859a9 new(configuration): allow defining plugin config as YAML maps 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-01-17 14:55:11 +01:00
Jason Dellaluce
f4b79296fc fix: improve nested configuration field support 
This fixes the parser introduced in https://github.com/falcosecurity/falco/pull/1792.
Now, nested fields such as `arr[1].subval` are supported, whereas the parser used
to recognize the `.` as an unexpected character.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-01-17 14:55:11 +01:00
Jason Dellaluce
6bf8f34d9f fix(engine): correctly format json output in json_event 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-01-14 13:29:33 +01:00
vadim.zyarko
f8f053c7fa Add an emty line to sattisfy the rules tests 
Signed-off-by: vadim.zyarko <vadim.zyarko@sysdig.com>
 2022-01-13 09:44:57 +01:00
VadimZy
b88a1cbb09 replace .. with table concat 
Signed-off-by: vadim.zyarko <vadim.zyarko@sysdig.com>
 2022-01-13 09:44:57 +01:00
Mark Stemm
c86615f68c Embed .lua files into falco executable 
Instead of having .lua files external to the program responsible for
loading rules, embed the contents of those files into the executable
and load them as strings instead of as files:

Add a cmake custom command below userspace/engine/lua that calls a
bash script lua-to-cpp.sh to generate falco_engine_lua_files.{cpp,hh}
that are compiled into the falco engine library.

The script creates a .cpp file that has const char * symbols for each
file, as well as lists of files that should be loaded when the falco
engine is loaded. There are actually two lists:

- lua_module_strings: these are loaded and also added to the lua
  runtime package.preload table, so they are available when lua code
  require()s them.

- lua_code_strings: these are loaded *and* evaluated, so the functions
  in them are availble to be called from C++.

This simplifies some of the falco_common methods, as there's no need
to keep track of a "main" lua file to load or paths from which the lua
loader should find files for modules, and there's no need to keep
track of an "alternate" lua directory that occurs for debug builds.

Also, there's no need to include any .lua files in the installed
packages, as they're built into the falco binary.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-01-13 09:26:35 +01:00
Mark Stemm
08df1c63cf Clean up lyaml build a bit 
change LYAML_SRC to LYAML_ROOT, which points to the top source
directory now.

LYAML_LIB and (new) LYAML_LUA_DIR are based relative to that
directory.

There's no install step at all now--the static library and the .lua
files are now used directly from the source tree.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-01-13 09:26:35 +01:00
Mark Stemm
10512b9ef9 Move compiler/parser lua files to a "modules" subdir 
This will distinguish it from rule_loader.lua, which is *not* a module
but lua code with functions that can be called directly.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-01-13 09:26:35 +01:00
Jason Dellaluce
0e52ef9971 fix(grpc): ignore protobuf deprecation warning 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-01-12 00:16:49 +01:00
Jason Dellaluce
a371a995b4 update(outputs): adapt grpc output to new protobuf definitions 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-01-12 00:16:49 +01:00
Jason Dellaluce
0f984c4dbe update(grpc): substitute and deprecate enum source field from protobuf 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-01-12 00:16:49 +01:00
Federico Di Pierro
48a23121df new(userspace/falco): add support for kernel side simple consumer. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-10 10:58:44 +01:00
Federico Di Pierro
475ed0dbeb fix(userspace/engine,userspace/falco): set http output contenttype to text/plain when json output is disabled 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2022-01-10 10:57:44 +01:00
Zach Stone
eaccfbe82d Pick some lint 
Signed-off-by: Zach Stone <zach@giantswarm.io>
 2022-01-10 10:56:44 +01:00
Zach Stone
e496c91562 Add Giant Swarm to Adopters list 
Signed-off-by: Zach Stone <zach@giantswarm.io>
 2022-01-10 10:56:44 +01:00
Lorenzo Susini
cef2c2d5c1 chore: improve --list output using is_source_valid 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-01-10 10:53:44 +01:00
Jason Dellaluce
2ee0645f25 update(tests): remove token_bucket unit tests 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-01-04 16:41:18 +01:00
Mark Stemm
42f8b1cd83 Update to version of libs with better output formatting 
This has required changes to print info on fields.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-12-23 17:05:39 +01:00
Mark Stemm
455be15b0b Fill in new shortdesc/data_type/tags for json fields 
Update json_event_filter_factory::get_fields() to add the new
info (shortdesc, data_type, tags) to field descriptions.

This allows for richer outputs when printing info on the fields.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-12-23 17:05:39 +01:00
Mark Stemm
64e8feb200 Update fields checksum (no changes, order only) 
With the new implementation of list_fields(), the order of fields
changed slightly. So update the checksum.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-12-23 17:05:39 +01:00
Mark Stemm
eded1062cd Use filter_fieldclass_info::as_string to print field info 
Instead of having a falco-specific function to print field info, use
the built-in filter_fieldclass_info::as_string() instead. This is a
better implementation (displays addl info, has better wrapping, wider
output) and having a single implementation allows for consistent
outputs between falco and other potential programs that could use the libs.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-12-23 17:05:39 +01:00
Luca Guerra
473b94b386 fix(build): use consistent 7-character build abbrev sha 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2021-12-23 16:23:39 +01:00
Jason Dellaluce
226d1fb728 update(OWNERS): add jasondellaluce 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2021-12-22 18:15:40 +01:00
Lorenzo Susini
6319be8146 update(rules): Add containerd socket to sensitive_mount macro 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2021-12-21 16:53:57 +01:00
Akos Kaldy
cf4672675c add Phoenix to adopters list 
Signed-off-by: Akos Kaldy <kaldyka@gmail.com>
 2021-12-20 17:44:12 +01:00
Angelo Puglisi
f035829ca2 fix(rules): typo in Create Symlink Over Sensitive Files rule output 
Signed-off-by: Angelo Puglisi <angelopuglisi86@gmail.com>
 2021-12-13 20:05:33 +01:00
Calvin Bui
cd471a78db re-add double empty newline 
Signed-off-by: Calvin Bui <3604363+calvinbui@users.noreply.github.com>
 2021-12-10 10:27:33 +01:00
Calvin Bui
65969c30f9 Add ECR repository to rules 
Signed-off-by: Calvin Bui <3604363+calvinbui@users.noreply.github.com>
 2021-12-10 10:27:33 +01:00
Federico Di Pierro
bb8b75a2cd update(userspace/falco): enforce check that content-type actually starts with "application/json" string. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2021-12-09 21:04:47 +01:00
Federico Di Pierro
b359f71511 fix(userspace/falco): accept 'Content-Type' header that contains "application/json", but it is not strictly equal to it. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2021-12-09 21:04:47 +01:00
Federico Di Pierro
9dcd8bccac fix(userspace/falco): in case output_file cannot be opened, throw a falco exception. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2021-12-09 21:02:48 +01:00
Jason Dellaluce
b5667cab99 chore(test): remove unused files in test directory 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2021-12-09 10:36:45 +01:00
Jason Dellaluce
2a00a4d853 rules: adding support to openat2 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2021-12-06 19:12:14 +01:00
Jason Dellaluce
697d4427a7 chore(scripts): refine removal output messages 
Signed-off-by: Jason Dellaluce jasondellaluce@gmail.com
Co-authored-by: Leonardo Grasso me@leonardograsso.com
 2021-12-06 19:09:14 +01:00
Jason Dellaluce
bf04fed71c fix(scripts): correctly remove loaded drivers 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2021-12-06 19:09:14 +01:00
Jason Dellaluce
c005af22cc fix: set config value and create node if not existing 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2021-12-06 19:04:15 +01:00
Jason Dellaluce
c93029ce74 fix(build): use correct libyaml variable in tests cmake 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2021-12-06 19:04:15 +01:00
Jason Dellaluce
076aabcea6 test(falco): adding unit tests for yaml_configuration 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2021-12-06 19:04:15 +01:00
Jason Dellaluce
d8c588becf update: add yaml-cpp to unit tests 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2021-12-06 19:04:15 +01:00
Jason Dellaluce
1a7611a761 chore(engine): using is_defined config method instead of private get_node 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2021-12-06 19:04:15 +01:00