github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-29 16:17:32 +00:00
Code Issues Projects Releases Wiki Activity
2,144 Commits 121 Branches 172 Tags 104 MiB
12b7ff9940
Commit Graph

2144 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Lorenzo Fontana
12b7ff9940 build: BUILD_BYPRODUCTS for civetweb 
The BUILD_BYPRODUCTS for the civetweb target
is needed so that when Falco is built using Ninja
the falco target can have a reference to
understand what target is building the civetweb lib
and do the build automatically without having to do
`ninja civetweb` first.

Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-11-16 13:23:27 -05:00
Leonardo Di Donato
648bb6294f fix(cmake/modules): patch the max_consumers parameter of the 
kernel-module Falco driver

Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-11-13 09:21:30 -05:00
Lorenzo Fontana
dada3db3f2 docs: adding the kubernetes privileged use case to use cases 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Co-Authored-By: Leonardo Grasso <me@leonardograsso.com>
Co-Authored-By: Massimiliano Giovagnoli <massimiliano.giovagnoli.1992@gmail.com>
Co-Authored-By: Jonah Jones <jonahjones094@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-11-12 14:47:22 -05:00
DingGGu
2b2856299c rule(macro user_known_k8s_client_container): separate list of k8s images 
Signed-off-by: DingGGu <ggu@dunamu.com>
 2020-11-11 10:22:45 -05:00
DingGGu
ec5b42074e rule(macro user_known_k8s_ns_kube_system_images): add new macro image name inside kube-system namespace 
Signed-off-by: DingGGu <ggu@dunamu.com>
 2020-11-11 10:22:45 -05:00
DingGGu
0b516b7d42 rule(macro user_known_k8s_ns_kube_system_images): add new macro image name inside kube-system namespace 
Signed-off-by: DingGGu <ggu@dunamu.com>
 2020-11-11 10:22:45 -05:00
DingGGu
4954593261 rule(macro user_known_k8s_client_container): add node-problem-detector pattern to avoid false positive 
Signed-off-by: DingGGu <ggu@dunamu.com>
 2020-11-11 10:22:45 -05:00
Leonardo Di Donato
0eff0f6003 docs: changelog for 0.26.2 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-11-10 14:10:15 -05:00
Leo Di Donato
8d10a60e42 build: remove duplicate item from FALCO_SOURCES 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-11-10 06:43:15 -05:00
Dominic Evans
4d6636a030 fix(scripts/falco-driver-loader): lsmod usage 
Attempting to start falco on a host that had a similarly named module
(e.g., "falcon") would cause the falco-driver-loader to loop attempting
to rmmod falco when falco was not loaded.

falco-driver-loader will now inspect only the first column of lsmod
output and require the whole search string to match

Fixes #1468

Signed-off-by: Dominic Evans <dominic.evans@uk.ibm.com>
 2020-11-10 04:11:07 -05:00
Lorenzo Fontana
55a93bce8b build: bump sinsp, scap and the drivers to 5c0b863ddade7a45568c0ac97d037422c9efb750 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-11-10 04:09:10 -05:00
Lorenzo Fontana
0f14821744 fix(userspace/falco): include directories and sources 
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-11-10 04:09:10 -05:00
Lorenzo Fontana
e0175b1e06 build: cmake modules fixes and split 
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-11-10 04:09:10 -05:00
Lorenzo Fontana
8be299939a build: update sinsp, scap and the drivers to c4f096099bf81966803d26c40c6c2cb2b8d08033 
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-11-10 04:09:10 -05:00
Lorenzo Fontana
9828c6aeb6 build: bump gRPC to 1.32.0 
Besides all the other improvements, we are really interested
in getting the Make options for other ISAs than x86_64 when it
comes to compiling abseil [0].

This is what happens on aarch64

```
make[4]: *** [Makefile:2968: /root/falco/build-musl/grpc-prefix/src/grpc/objs/opt/third_party/abseil-cpp/absl/base/internal/thread_identity.o] Error 1
c++: error: unrecognized command line option '-maes'
c++: error: unrecognized command line option '-msse4'
c++: error: unrecognized command line option '-msse4'
c++: error: unrecognized command line option '-maes'
```

[0] bf87ec9e44

Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-11-10 04:09:10 -05:00
Lorenzo Fontana
7ee0eb7e9c update: cpack specify architecture for debian packages 
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-11-10 04:09:10 -05:00
Lorenzo Fontana
0f155c3a1f build: switch Falco back to luajit 
moonjit is unmaintaned [0], and lujit recently [1] added support
for the aarch64 architecture.

[0] https://twitter.com/siddhesh_p/status/1308594269502885889?s=20
[1] e9af1abec5

Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-11-10 04:09:10 -05:00
Lorenzo Fontana
3258bdd990 update: syscall table zero definition for arm64 
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-11-10 04:09:10 -05:00
Lorenzo Fontana
9f41a390a7 update: bump sinsp and scap to fntlnz-aarch64 
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-11-10 04:09:10 -05:00
Lorenzo Fontana
7aa6fa9897 build: use fields_info from libsinsp 
Related-to: https://github.com/draios/sysdig/pull/1693
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-11-10 04:09:10 -05:00
Lorenzo Fontana
8dd9ebbdf9 build: moonjit replacement for luajit 
This is needed because Luajit does not support many architectures
such as aarch64 and ppcle64.

Note: some operating systems, such as Alpine, already use moonjit as a dropin
replacement for luajit.

Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-11-10 04:09:10 -05:00
kaizhe
0852a88a16 rule(macro chage_list): create new macro chage_list as execption in rule Usermgmt binaries 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-11-06 08:43:34 -05:00
divious1
cea9c6a377 adding lkm rule 
Signed-off-by: divious1 <josehelps@gmail.com>
 2020-11-06 04:57:55 -05:00
Nicolas Marier
c055f02dd0 rule(macro multipath_writing_conf): create and use the macro 
`multipath`, which is run by `systemd-udevd`, writes to
`/etc/multipath/wwids`, `/etc/multipath/bindings` and a few other paths
under `/etc/multipath` as part of its normal operation.

Signed-off-by: Nicolas Marier <nmarier@coveo.com>
 2020-11-06 04:56:10 -05:00
Lorenzo Fontana
f5c1e7c165 build: fix build directory for xunit tests 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-11-05 11:49:40 -05:00
Lorenzo Fontana
aaf6816821 build: make our integration tests report clear steps for circleCI UI 
inspection via collect test data [0]

[0] https://circleci.com/docs/2.0/collect-test-data/

Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-11-05 11:49:40 -05:00
Lorenzo Fontana
ee5b55c02e docs: reach out documentation 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-11-05 08:51:06 -05:00
Christian Zunker
294804daf4 rule(list falco_privileged_images): add calico/node without registry prefix 
Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud>
 2020-10-30 09:50:30 +01:00
Leonardo Di Donato
b3679f8a59 update: new DRIVERS_REPO default 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-10-28 14:11:39 +01:00
Leonardo Di Donato
a575625043 docs(proposals): new drivers storage obsolate part of existing artifacts storage proposals 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-10-28 14:11:39 +01:00
Mark Stemm
26f2aaa3eb rule(Full K8s... Access): fix users list 
Use the right list name in the rule Full K8s Administrative Access--it
was using the nonexistent list admin_k8s_users, so it was just using the
string "admin_k8s_users".

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-10-28 14:09:42 +01:00
Leonardo Grasso
c8703b88bf update(userspace/engine): handle formatters with smart pointer 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-10-27 15:12:28 +01:00
Leonardo Grasso
cebec11552 fix(userspace/engine): free formatters, if any 
Previously, formatters were freed by LUA code when re-opening outputs.
Since now, outputs are not controlling anymore the falco_formats class (see #1412), we just free formatters only if were already initialized.

That is needed when the engine restarts (see #1446).

By doing so, we also ensure that correct inspector instance is set to the formatter cache.

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-10-27 15:12:28 +01:00
Lorenzo Fontana
61bfd5a158 update(proposals): proposal for moving the drivers to S3 
Reviewed-by: Spencer Krum <nibz@spencerkrum.com>
Reviewed-by: Leonardo Grasso <me@leonardograsso.com>
Reviewed-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-10-26 14:07:31 +01:00
Leonardo Grasso
81de65eb69 fix(userspace/falco): use given priority for msg 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-10-26 14:05:25 +01:00
Leo Di Donato
bc9a2f38e1 update(falco/rules): re-use spawned_process macro inside container_started macro 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-10-26 14:03:19 +01:00
Leonardo Grasso
c188f4a731 chore(userspace/falco): output class does not need to inherit from falco_common 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-10-26 11:21:37 +01:00
Leonardo Grasso
ca04145590 chore(userspace/falco): remove unused dep from falco_outputs 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-10-26 11:21:37 +01:00
Leonardo Grasso
511a9fa97f chore: update copyright year to 2020 
On previously modified files.

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-10-26 11:21:37 +01:00
Leonardo Grasso
7b8f67fdbd chore(userspace/falco): remove leftover from outputs 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-10-26 11:21:37 +01:00
Leonardo Grasso
6e36afdba3 update(userspace/falco): move gRPC queue to proper namespace 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-10-26 11:21:37 +01:00
Lorenzo Fontana
9ea195a0b7 macro(allowed_k8s_users): exclude cloud-controller-manage to avoid false positives on k3s 
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-10-21 12:54:19 +02:00
kaizhe
47fa7d53c4 rule(Outbound Connection to C2 Servers): Add a new rule to detect outbound connections to c2 servers 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-10-13 16:43:07 -04:00
Lorenzo Fontana
0a33f555eb build: bump b64 to ce864b17ea0e24a91e77c7dd3eb2d1ac4175b3f0. 
This version includes a fix so that it does not include the headers
for size_t twice.

Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-10-13 09:30:05 -04:00
Lorenzo Fontana
38f524d1dd build: bump b64 to v2.0.0.1 
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2020-10-13 09:30:05 -04:00
Leonardo Grasso
388de27398 update(docker/tester): split version guessing of Falco version 
Needed by statically linked build of Falco.

Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-10-13 07:29:01 -04:00
Leonardo Grasso
69d2fa76ff fix(docker/tester): re-enable -e 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Co-Authored-By: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-10-13 07:29:01 -04:00
Marc-Olivier Bouchard
39e6d21449 Added new macro user_known_remote_file_copy_activities 
Signed-off-by: Marc-Olivier Bouchard <mobouchard@coveo.com>
 2020-10-13 05:13:57 -04:00
Marc-Olivier Bouchard
3418ed64aa Added new macro user_know_remote_file_copy_tools_in_container_conditions 
Signed-off-by: Marc-Olivier Bouchard <mobouchard@coveo.com>
 2020-10-13 05:13:57 -04:00
Leonardo Grasso
d07f18ad05 update(test): use to iso time 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-10-13 05:12:00 -04:00