github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-10-21 19:44:57 +00:00
Code Issues Projects Releases Wiki Activity
1,900 Commits 123 Branches 176 Tags
2848eceb03b265aafaa2e159b6ab08dfa7149fb2
Commit Graph

454 Commits

Author SHA1 Message Date
Leonardo Di Donato
c7ac1ef61b update(userspace/engine): const correctness for json_event class 
Co-authored-by: Nathan Baker <nathan.baker@sysdig.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-07-07 21:19:08 +02:00
Leonardo Di Donato
553856ad68 chore(userspace): log the gRPC threadiness 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-07-07 13:42:09 +02:00
Leonardo Di Donato
2d52be603d update(userspace/falco): gRPC server threadiness 0 by default (which 
means "auto")

The 0 ("auto") value sets the threadiness to the number of online cores
automatically.

Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-07-07 13:42:09 +02:00
Leonardo Di Donato
75e62269c3 new: hardware_concurrency helper 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-07-07 13:42:09 +02:00
Leonardo Grasso
fecf1a9fea fix(userspace/falco/lua): correct argument 
This explain why `buffered_output: false` was not honored for stdout

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-07-03 11:45:00 +02:00
Lorenzo Fontana
352307431a fix: update k8s audit endpoint to /k8s-audit everywhere 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-07-01 13:29:51 +02:00
Leonardo Grasso
82e0b5f217 fix(userspace/falco): honor -M also when using a trace file 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-06-30 13:04:03 +02:00
Lorenzo Fontana
9eb0b7fb5f update(userspace/falco): avoid memory allocation for falco output 
response

Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-06-29 20:42:50 +02:00
Lorenzo Fontana
869d883dc7 update(userspace/falco): better gRPC server logging 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-06-29 20:42:50 +02:00
Leonardo Di Donato
b88767f558 bc(userspace/falco): the Falco gRPC Outputs API are now "falco.outputs.service/get" and "falco.outputs.service/sub" 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-06-29 20:42:50 +02:00
Leonardo Di Donato
bdbdf7b830 update(userspace/falco): pluralize Falco output proto and service 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-06-29 20:42:50 +02:00
Lorenzo Fontana
3d9bc8f67b update(userspace/falco): remove keepalive from output request 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-06-29 20:42:50 +02:00
Lorenzo Fontana
c89c11c3c4 update(userspace/falco): remove output queue size 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-06-29 20:42:50 +02:00
Lorenzo Fontana
5bd9ba0529 update(userspace/falco/grpc): simpler bidirectional context state 
transitions

Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-06-29 20:42:50 +02:00
Lorenzo Fontana
b9e6d65e69 update(userspace/falco/grpc): bidirectional sub implementation 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-06-29 20:42:50 +02:00
Lorenzo Fontana
0d194f2b40 update(userspace/falco/grpc): for stream contexts use a flag to detect 
if it is still running or not

Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-06-29 20:42:50 +02:00
Lorenzo Fontana
d9f2cda8cf update(userspace/falco/grpc): dealing with multiple streaming requests 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-06-29 20:42:50 +02:00
Leonardo Di Donato
2ebc55f897 wip(userspace/falco): bidirectional gRPC outputs logic (initial) 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-06-29 20:42:50 +02:00
Leonardo Di Donato
01ae8701d9 new(userspace/falco): concrete initial implementation of the subscribe gRPC service 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-06-29 20:42:50 +02:00
Leonardo Di Donato
be6c4b273d new(userspace/falco): gRPC context for bidirectional services 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-06-29 20:42:50 +02:00
Leonardo Di Donato
a72f27c028 new(userspace/falco): macro to REGISTER_BIDI gRPC services 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-06-29 20:42:50 +02:00
Leonardo Di Donato
58adc5b60c new(userspace/falco): output gRPC service to provide a server streaming method and a bidirectional method to obtain Falco alerts 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-06-29 20:42:50 +02:00
Leonardo Di Donato
cf31712fad update(userspace/falco): context class for bidirectional gRPC services 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-06-29 20:42:50 +02:00
Leonardo Di Donato
a568c42adb update(userspace/falco): unsafe_size() method for falco::output::queue 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-06-29 20:42:50 +02:00
Leonardo Di Donato
05dd170d70 fix(userspace/falco): virtual destructor of base grpc context 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-06-29 20:42:50 +02:00
Omer Azaria
70b9bfe1d6 rule(Container Drift Detected): detect new exec created in a container 
Signed-off-by: Omer Azaria <omer.azaria@sysdig.com>
 2020-06-22 12:24:59 +02:00
Shane Lawrence
00884ef581 Log modified copy instead of original message. 
Signed-off-by: Shane Lawrence <shane@lawrence.dev>
 2020-06-19 15:28:42 +02:00
Leonardo Di Donato
3bfd94fefd docs(test): run locally handling python deps with venv 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-05-26 15:01:48 +02:00
Leonardo Di Donato
f186e5f41f fix(userspace/falco): set gpr log verbosity accordingly to the Falco one 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-05-21 18:15:46 +02:00
Leonardo Di Donato
ade64b0ce8 update(userspace/falco): make log level a configuration member 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-05-21 18:15:46 +02:00
Leonardo Di Donato
d808c0aeaf update(tests/engine): test is_unix_scheme 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-05-21 18:15:46 +02:00
Leonardo Di Donato
65e069a020 update(userspace/engine): url_is_unix_scheme() util is now is_unix_scheme(string_view) 
Also no more custom `starts_with` utility function.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-05-21 18:15:46 +02:00
Leonardo Di Donato
75c2275dac build(userspace): falco and falco_engine depend on string-view-lite header 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-05-21 18:15:46 +02:00
Lorenzo Fontana
dc0670c718 update(userspace/falco): wrap gpr logs into falco logs 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-05-21 18:15:46 +02:00
Lorenzo Fontana
05ce5b7f0b new(tests): cases for falco::utils::starts_with 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-05-21 18:15:46 +02:00
Lorenzo Fontana
de8bade2bf update(userspace/engine): move utils inside engine 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-05-21 18:15:46 +02:00
Lorenzo Fontana
d7de45acb2 new(userspace/falco): gRPC server unix socket support 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-05-21 18:15:46 +02:00
Lorenzo Fontana
86b473e224 update(userspace/falco): utilities to detect unix socket prefix in string 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-05-21 18:15:46 +02:00
Mark Stemm
7fd350d49a Allow exact matches for rule names 
Currently, when calling enable_rule, the provided rule name pattern is a
substring match, that is if the rules file has a rule "My fantastic
rule", and you call engine->enable_rule("fantastic", true), the rule
will be enabled.

This can cause problems if one rule name is a complete subset of another
rule name e.g. rules "My rule" and "My rule is great", and calling
engine->enable_rule("My rule", true).

To allow for this case, add an alternate method enable_rule_exact() in
both default ruleset and ruleset variants. In this case, the rule name
must be an exact match.

In the underlying ruleset code, add a "match_exact" option to
falco_ruleset::enable() that denotes whether the substring is an exact
or substring match.

This doesn't change the default behavior of falco in any way, as the
existing calls still use enable_rule().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-05-11 14:15:42 +02:00
Lorenzo Fontana
0d34394817 fix: grpc compilation with splitted gpr library 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-04-30 08:31:02 -07:00
Leonardo Di Donato
d3a215a2db new(userspace/falco): return also driver version from --version flag 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-03-23 18:50:06 +01:00
Lorenzo Fontana
ea46adfbc8 new(userspace/falco): add --disable-cri-async flag 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-03-18 16:23:19 +01:00
Vaibhav
03bf027e5c feat(userspace): Add comments to explain "banned.h". 
Fixes #1035

Signed-off-by: Vaibhav <vrongmeal@gmail.com>
 2020-02-13 18:01:39 +01:00
Vaibhav
7ed3e1d927 feat(userspace): Add BAN_ALTERNATIVE macro to banned.h. 
BAN_ALTERNATIVE is same as BAN but the message also provides an alternative
function that the user could use instead of the banned function.

Fixes #1035

Signed-off-by: Vaibhav <vrongmeal@gmail.com>
 2020-02-13 18:01:39 +01:00
Vaibhav
1c80c1f458 feat(userspace): Add more functions to banned.h. 
These include:
* vsprintf()
* sprintf()
* strcat()
* strncat()
* strncpy()
* swprintf()
* vswprintf()

This also changes `userspace/falco/logger.cpp` to remove a `sprintf`
statement. The statement did not affect the codebase in any form so
it was simply removed rather than being substituted.

Fixes #1035

Signed-off-by: Vaibhav <vrongmeal@gmail.com>
 2020-02-13 18:01:39 +01:00
Leonardo Di Donato
253ff64d64 chore: stick with the error messages we have 
Because we can't easily change the integration test fixtures.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-07 11:28:57 +01:00
Leonardo Di Donato
b3171dbae1 update(userspace/falco): use mutable proto fields where applicable 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-07 11:28:57 +01:00
Leonardo Di Donato
738d757b08 docs(userspace/falco): document gRPC errors and actions 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-07 11:28:57 +01:00
Leonardo Di Donato
5663d4d02b update(userspace/falco): major, minor, patch are digits, so use integers 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-07 11:28:57 +01:00
Leonardo Di Donato
2a9c9bdc53 update(cmake/modules): module to detect Falco version from the git index 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-07 11:28:57 +01:00