github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-28 15:47:25 +00:00
Code Issues Projects Releases Wiki Activity
4,773 Commits 121 Branches 172 Tags 104 MiB
1e455f30a6
Commit Graph

4773 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Luca Guerra
e4107c05a4 update(ci): replace aarch64 actuated runners with oracle 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-11-05 10:59:09 +01:00
Federico Di Pierro
729bf9562b update(cmake): bump yaml-cpp to latest master. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-11-05 09:29:09 +01:00
dependabot[bot]
b50903e498 chore(deps): Bump submodules/falcosecurity-rules 
Bumps [submodules/falcosecurity-rules](https://github.com/falcosecurity/rules) from `407e997` to `283a62f`.
- [Release notes](https://github.com/falcosecurity/rules/releases)
- [Commits](407e99721f...283a62f464)

---
updated-dependencies:
- dependency-name: submodules/falcosecurity-rules
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-10-24 10:11:12 +02:00
Mark Stemm
09a9fd4c26 Add tests for mismatched sources and append 
Add additional unit tests to verify that rule loading fails when a
second rules object has a different source but the name of an existing
rules object.

Also add tests for additional rules having an empty source.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-10-24 08:45:12 +02:00
Mark Stemm
4a73ef8824 When overriding rules, ensure that the sources match 
In places where a second rule definition might replace, append to, or
replace items from a base rule, ensure that the source of the second
rule definiton matches the first.

This already existed for defines, but for other changes. There was a
bug where a second definition might exist for a different source, but
the additional rule was used anyway.

This now returns the same error for these other changes e.g. "Rule has
been re-defined..." as define.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-10-24 08:45:12 +02:00
Mark Stemm
a44b311333 Add a source to rule_update_info 
It's possible that someone might want to override a property for a
non-syscall rule source. To assist in this, decode any source property
for rules with append/override and save it in the rule_update_info
object. For the source property only, the value for source can be
empty e.g. 'source: ' or an empty string e.g. 'source: ""'. Both of
those are considered valid but result in an empty source.

A later change will ensure that the sources match up when
appending/redefining/overriding/enabling.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-10-24 08:45:12 +02:00
Federico Di Pierro
24f824dfb5 update(cmake): bump libs to latest master. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-10-22 14:59:04 +02:00
Federico Di Pierro
e4cbffc35b update(userpsace/engine): update engine checksum and version. 
See https://github.com/falcosecurity/libs/pull/2047.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-10-21 16:01:59 +02:00
poiana
5749517c4e update(cmake): update libs and driver to latest master. 
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
 2024-10-21 16:01:59 +02:00
Mark Stemm
e99b11e793 Make enable()/disable() virtual so they can be overridden 
Subclasses might want to also see when rules are enabled/disabled.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-10-16 12:01:37 +02:00
Federico Di Pierro
c19b637e36 fix(ci): fixed shasum computation for bump-libs CI. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-10-15 16:16:37 +02:00
Luca Guerra
fb01b6d927 cleanup(falco): deprecate -b --print-base64 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-10-10 17:37:18 +02:00
Luca Guerra
4501b64b9d new(falco): add buffer_format_base64 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-10-10 17:37:18 +02:00
dependabot[bot]
e04deeabe5 chore(deps): Bump submodules/falcosecurity-rules 
Bumps [submodules/falcosecurity-rules](https://github.com/falcosecurity/rules) from `e38fb3f` to `407e997`.
- [Release notes](https://github.com/falcosecurity/rules/releases)
- [Commits](e38fb3f6a7...407e99721f)

---
updated-dependencies:
- dependency-name: submodules/falcosecurity-rules
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-10-10 10:35:17 +02:00
Luca Guerra
dfa6b9b88e chore(falco): deprecated -A 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-10-10 10:26:16 +02:00
Luca Guerra
3b28450171 new(falco): add base_syscalls.all option to falco.yaml 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-10-10 10:26:16 +02:00
Federico Di Pierro
b242f90510 chore(ci): use redhat advised method to check rpmsign success. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-10-10 10:17:17 +02:00
Mark Stemm
80b7de6d90 Add a test for compile_output::clone() for derived type 
Add a test for checking that compile_output::clone() returns equal
values, specifically in the case of derived values.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-10-10 09:20:17 +02:00
Mark Stemm
5f13a9be08 Add equality operators for indexed_vector/falco_{list,macro,rule} 
Add an equality operator for indexed_vector.

As indexed_vectors commonly hold falco lists/macros/rules, also add
equality operators for those structs. For condition/sinsp_filter
shared_ptrs, the operator checks that the shared_ptrs point to the
same underlying memory.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-10-10 09:20:17 +02:00
Mark Stemm
093d9234a5 Add a compile_output::clone() method that can be overridden 
Add a clone() method that can be overridden by subclasses. This allows
copying compile state when needed in a way that preserves
polymorphism.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-10-10 09:20:17 +02:00
Federico Di Pierro
c55adf38b4 chore(userspace/engine): fix build warning. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-10-09 16:26:14 +02:00
Federico Di Pierro
3e24606c11 new(ci): use zig compiler instead of relying on centos7. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-10-09 16:26:14 +02:00
Federico Di Pierro
93e5292f2f update(changelog): updated changelog for 0.39.1. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-10-09 10:54:14 +02:00
Luca Guerra
a754601cb6 update(tests): add tests for plugin init_config 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-10-08 12:06:08 +02:00
Luca Guerra
6721a6b9cf fix(engine): allow null init_config for plugin info 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-10-08 12:06:08 +02:00
Federico Di Pierro
7b2feb1f73 fix(ci): fixed bump-libs workflow syntax. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-10-07 17:49:04 +02:00
Luca Guerra
c7c0246ca8 fix(engine): disable comma separated vectors in cxxopts 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-10-07 13:24:04 +02:00
Federico Di Pierro
5141bddedd new(ci): add a workflow to automatically bump libs on each monday. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-10-07 11:35:03 +02:00
Luca Guerra
478514940f update(falco): deprecated -S --snaplen option 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-10-07 11:33:03 +02:00
Luca Guerra
ef79648037 new(falco): add falco_libs.snaplen option 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-10-07 11:33:03 +02:00
Federico Di Pierro
f72e6a59ad fix(userspace/falco): fix event set selection for plugin with parsing capability. 
In live mode we need to use the source_info inspectors instead of the offline inspector.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-10-07 09:56:02 +02:00
dependabot[bot]
257938291d chore(deps): Bump submodules/falcosecurity-rules 
Bumps [submodules/falcosecurity-rules](https://github.com/falcosecurity/rules) from `b6ad373` to `e38fb3f`.
- [Release notes](https://github.com/falcosecurity/rules/releases)
- [Commits](b6ad373719...e38fb3f6a7)

---
updated-dependencies:
- dependency-name: submodules/falcosecurity-rules
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-10-03 10:22:43 +02:00
Federico Di Pierro
41f20fd07a cleanup(userspac/falco): drop deprecated options. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-10-02 14:49:40 +02:00
Aldo Lacuku
6997c96306 update(changelog): add changelog for falco 0.39.0 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2024-10-01 12:00:35 +02:00
Luca Guerra
17e61450db cleanup(falco): reformat options::define 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-09-30 17:50:32 +02:00
Luca Guerra
683df327ac fix(falco): allow disable_cri_async from both CLI and config 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-09-30 15:33:32 +02:00
Luca Guerra
262aa9a003 cleanup(falco): ignore lint commit 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-09-30 13:59:32 +02:00
Poiana
50b98b30e5 chore(falco): apply code formatting 
Signed-off-by: Poiana <poiana.bot@gmail.com>
 2024-09-30 13:25:31 +02:00
Andrea Terzolo
11bac9dbd2 update: ignore_some_files 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-09-30 11:10:32 +02:00
Luca Guerra
c235f5b576 chore(build): update libs to 0.18.1 (master branch) 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-09-27 12:25:21 +02:00
Leonardo Di Giovanna
3a6d1c8c5d feat(stats): add host_netinfo networking information stats family 
Introduce host_netinfo stats family to hold information regarding host
networking. At the moment, it only provides ipv4 and ipv6 addresses
list for each interface available on the host. The naming schema for
the introduced stats is
falco.host_netinfo.interfaces.<ifname>.protocols.<ipv4|ipv6>.addresses.

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
 2024-09-26 15:50:16 +02:00
Luca Guerra
70c10ee7e0 fix(engine): sync outputs before printing stats at shutdown 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-09-23 16:58:01 +02:00
Leonardo Di Giovanna
d3a67c10bd cleanup(falco_metrics): remove unused falco_utils import 
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
 2024-09-23 15:38:01 +02:00
Leonardo Di Giovanna
5ba94a36bd fix(falco_metrics): remove ifinfo_json stat/metric 
Using JSON as value prevents any meaningful aggregation for the stats.
Splitting these information into multiple labels can drastically
increase the number of dimensions, as the number of interfaces and
addresses can be high in some environment. Moreover, these information
are not currently refreshed, even if they can frequently change. Given
these reasons, remove ifinfo_json from stats and metrics.

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
 2024-09-23 15:38:01 +02:00
Leonardo Di Giovanna
00b35cfd81 fix(falco_metrics)!: use full name for configs and rules files 
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
 2024-09-23 15:38:01 +02:00
Leonardo Di Giovanna
d77f768692 fix(falco_metrics)!: split tags label into multiple tag_ labels 
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
 2024-09-23 15:38:01 +02:00
Luca Guerra
50f4bc172d update(tests): add test for plugin init_config map 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-09-20 09:55:49 +02:00
Luca Guerra
1a4a29348f fix(falco): allow plugin init_config map in json schema 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-09-20 09:55:49 +02:00
Federico Di Pierro
78f56190b4 fix(userspace/falco): properly account for plugin with CAP_PARSING when computing interesting sc set. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-09-19 17:40:48 +02:00
Leonardo Di Giovanna
d66c4ceb23 update(systemd): add falco.service alias to all systemd units 
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
 2024-09-18 15:44:53 +02:00