falco

mirror of https://github.com/falcosecurity/falco.git synced 2025-07-02 01:22:16 +00:00

Author	SHA1	Message	Date
Andrea Terzolo	3aa9267b48	fix(syscall_buffer): set dimension if page size not available Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>	2022-09-27 10:47:59 +02:00
Andrea Terzolo	725714726d	update(configuration): define `m_syscall_buf_size_preset` as `uint16_t` improve also some logs for `m_syscall_buf_size_preset` configuration errors Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>	2022-09-27 10:47:59 +02:00
Andrea Terzolo	c9fa585801	update: address some review comments Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>	2022-09-27 10:47:59 +02:00
Andrea Terzolo	90e4634a79	update(syscall_buffer_size): don't crash in case of `getpagesize` error Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> Co-authored-by: Federico Di Pierro <nierro92@gmail.com>	2022-09-27 10:47:59 +02:00
Andrea Terzolo	b0b2f05eb5	new: configure syscall buffer dimension from Falco Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>	2022-09-27 10:47:59 +02:00
Jason Dellaluce	8aea0935c9	chore(userspace/engine): remove unused var Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2022-09-27 10:42:59 +02:00
Jason Dellaluce	9c240198a0	refactor(userspace/engine): refactor falco_engine with new loader defs Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2022-09-27 10:42:59 +02:00
Jason Dellaluce	f6f763fe84	refactor(userspace/engine): clean up rule collector Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2022-09-27 10:42:59 +02:00
Jason Dellaluce	9b5f3ee99e	refactor(userspace/engine): clean up rule compiler Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2022-09-27 10:42:59 +02:00
Jason Dellaluce	89e8f70de0	refactor(userspace/engine): clean up and rename rule reader Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2022-09-27 10:42:59 +02:00
Jason Dellaluce	b0f0105116	refactor(userspace/engine): clean up rule loader Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2022-09-27 10:42:59 +02:00
Jason Dellaluce	5f2267f716	update(userspace/engine): add new loader files to CMakeLists Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2022-09-27 10:42:59 +02:00
Jason Dellaluce	b65157af5e	refactor(userspace/engine): split rule loader git history (5) Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2022-09-27 10:42:59 +02:00
Jason Dellaluce	b2b1feb1f2	refactor(userspace/engine): split rule loader git history (4) Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2022-09-27 10:42:59 +02:00
Jason Dellaluce	b900e46dfe	refactor(userspace/engine): split rule loader git history (3) Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2022-09-27 10:42:59 +02:00
Jason Dellaluce	a98c9cdd20	refactor(userspace/engine): split rule loader git history (2) Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2022-09-27 10:42:59 +02:00
Jason Dellaluce	2a427925a0	refactor(userspace/engine): split rule loader git history (1) Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2022-09-27 10:42:59 +02:00
Andrea Terzolo	c0c37d87f5	fix(process_events): check the return value of `open_live_inspector` Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>	2022-09-20 18:07:30 +02:00
Andrea Terzolo	f57c67cc96	docs(falco.yaml): fix a typo Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> Co-authored-by: Leonardo Grasso <me@leonardograsso.com>	2022-09-20 11:35:28 +02:00
Andrea Terzolo	7686c03a36	update(app_actions): add a depraction comment for BPF Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>	2022-09-20 11:35:28 +02:00
Andrea Terzolo	aa0abb4288	tests: fix `traces-positive/run-shell-untrusted.scap` test Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>	2022-09-20 11:35:28 +02:00
Andrea Terzolo	8b927fb010	chore: bump libs version Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>	2022-09-20 11:35:28 +02:00
Andrea Terzolo	a325086363	test(falco): fix broken tests Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>	2022-09-20 11:35:28 +02:00
Andrea Terzolo	1930ec56c7	test(plugin): bump plugin API in test Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>	2022-09-20 11:35:28 +02:00
Andrea Terzolo	3902779409	chore(plugins.cmake): bump plugin versions Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>	2022-09-20 11:35:28 +02:00
Andrea Terzolo	7e37c72431	update: falco works with the latest libs commit Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>	2022-09-20 11:35:28 +02:00
Federico Di Pierro	e068df514c	chore(userspace/engine,userspace/falco): upgraded to latest libs. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2022-09-20 11:35:28 +02:00
Federico Di Pierro	9048d84ed4	chore(cmake): bumped libs to latest master. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2022-09-20 11:35:28 +02:00
Federico Di Pierro	00459f3447	chore(cmake): dropped SCAP_BPF_PROBE_ENV_VAR_NAME variable; unused. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it>	2022-09-20 11:35:28 +02:00
Federico Di Pierro	0274959981	update(userspace/falco, cmake): updated libs to latest master. Adapted API to sinsp::open API break, and simple consumer API break. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it>	2022-09-20 11:35:28 +02:00
Hi120ki	30b56d2960	revert and create new known macro Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>	2022-09-16 14:24:40 +02:00
Hi120ki	d6b5789b7a	add user_known_mount_in_privileged_containers Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>	2022-09-16 14:24:40 +02:00
Hi120ki	af4524491d	put open_read in the beginning of the rule Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>	2022-09-16 14:22:39 +02:00
Hi120ki	36a08aee13	Update rules/falco_rules.yaml to delete enabled field Co-authored-by: schie <77834235+darryk10@users.noreply.github.com> Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>	2022-09-16 14:22:39 +02:00
Hi120ki	39de011751	Update rules/falco_rules.yaml to add argoexec into allowlist Co-authored-by: schie <77834235+darryk10@users.noreply.github.com> Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>	2022-09-16 14:22:39 +02:00
Hi120ki	a83d38c6d7	add allowlist Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>	2022-09-16 14:22:39 +02:00
Hi120ki	86c3a9cd69	revert to container Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>	2022-09-16 14:22:39 +02:00
Hi120ki	8473706526	add systemd-sysctl to allowlist Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>	2022-09-16 14:22:39 +02:00
Hi120ki	4e622fc033	add host to target Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>	2022-09-16 14:22:39 +02:00
Hi120ki	16dca8f905	add rule Read environment variable from /proc files Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>	2022-09-16 14:22:39 +02:00
Mark Stemm	2d5fc0b647	Use the same falco_rule struct for every call to filter_ruleset Instead of using a falco_rule struct on the stack, use a single value inside the falco_source struct. It's mutable as find_source returns a const struct. At very high event volumes (> 1M syscalls/second), even the tiny time it takes to create/destroy the struct starts to add up, and this switch has some small cpu savings. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2022-09-16 12:50:39 +02:00
Mark Stemm	e5cd5eacf5	Save syscall source separately and check explicitly in process_event When doing some testing of falco on very high event volumes (> 1.5M events/second), I found that the time taken to look up a falco_source struct had a non-negligible contribution to cpu usage. So instead of looking up the source from the source_idx every time, separately save the source for syscalls in the falco_engine object directly. The separately saved copy is only used once someone calls add_source with source="syscall". Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2022-09-16 12:50:39 +02:00
Stefano	366bcfd7a3	Added disable by default option to reduce noise Signed-off-by: darryk10 <stefano.chierici@sysdig.com>	2022-09-16 12:44:38 +02:00
Stefano	c844eb9ef3	Added rule to detect CVE-2019-5736 Co-authored-by: wcc526 <wcc526@gmail.com> Signed-off-by: darryk10 <stefano.chierici@sysdig.com>	2022-09-16 12:44:38 +02:00
Leonardo Grasso	b71eb7e6ed	chore(OWNERS): cleanup inactive reviewer Signed-off-by: Leonardo Grasso <me@leonardograsso.com>	2022-09-14 15:31:25 +02:00
Leonardo Grasso	c732e5d800	update: gRPC server sock defaults to `/run/falco/falco.sock` Signed-off-by: Leonardo Grasso <me@leonardograsso.com>	2022-09-14 10:27:24 +02:00
Leonardo Grasso	c0ea753262	update(userspace/falco): gVisor sock now defaults to `/run/falco/gvisor.sock` Co-authored-by: Vicente J. Jiménez Miras <vjjmiras@gmail.com> Signed-off-by: Leonardo Grasso <me@leonardograsso.com>	2022-09-14 10:27:24 +02:00
Vicente JJ. Miras	e4008217b9	Replacing /tmp/gvisor.sock with /run/gvisor.sock According to the FHS 3.0 (https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s15.html), transient UNIX-domain sockets should be placed under the directory /run, so this commit updates the implicit value generated by the application. Signed-off-by: Vicente J. Jiménez Miras <vjjmiras@gmail.com>	2022-09-14 10:27:24 +02:00
Jason Dellaluce	9c184af2a1	fix(userspace/falco): adopt stricter memory order semantics Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2022-09-12 16:14:15 +02:00
Jason Dellaluce	d11aec28d5	fix(userspace/falco): move stats collection in event success path Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2022-09-12 16:14:15 +02:00

... 3 4 5 6 7 ...

3418 Commits