github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-25 14:22:15 +00:00
Code Issues Projects Releases Wiki Activity
2,722 Commits 121 Branches 172 Tags 104 MiB
2ee95122df
Commit Graph

2722 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Federico Di Pierro
2f82a9baa1 Update userspace/falco/falco.cpp 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2022-01-24 17:52:31 +01:00
Federico Di Pierro
dfb743838e Update userspace/engine/rules.cpp 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2022-01-24 17:52:31 +01:00
Federico Di Pierro
c7609192c7 Update userspace/engine/lua/rule_loader.lua 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2022-01-24 17:52:31 +01:00
Federico Di Pierro
4d3fc354fa update(userspace/engine): updated no evt.type specified lua warning string. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-24 17:52:31 +01:00
Federico Di Pierro
43bdfce6e5 update(userspace/falco): divide each plugin infos when dumping list of plugin with a newline. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-24 17:52:31 +01:00
Federico Di Pierro
a3976463d5 update(userspace/engine): fixed lua CMakeLists deps, to let it be gracefully rebuilt when lua files are updated. 
Moreover, added back warning about performance impact for rules without event types.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-24 17:52:31 +01:00
Federico Di Pierro
1a485c3447 update(userspace/engine,userspace/falco): improved some string warnings. 
Always print warnings while loading rules.
Print a single line when warning for ignored events.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-24 17:52:31 +01:00
Leonardo Grasso
96529300f6 fix(script/falco-driver-loader): fix typo 
Co-Authored-By: Thomas Spear <tspear@conquestcyber.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-01-24 17:49:34 +01:00
Leonardo Grasso
27922faa27 fix(scripts/falco-driver-loader): missing compression formats for .ko files 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-01-24 17:49:34 +01:00
Leonardo Grasso
8a1de131f4 update(scripts/falco-driver-loader): load the latest version first 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-01-24 17:49:34 +01:00
Federico Di Pierro
e1e8715a0f build: updated cloudtrail plugin to latest version. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-24 16:12:12 +01:00
Leonardo Grasso
9ae8d281f5 fix(test): falco_hostnetwork_images list is now in k8s_audit_rules.yaml 
Co-Authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-01-24 15:03:12 +01:00
Leonardo Di Donato
c705623f9e update(rules): move falco_hostnetwork_images list to k8s audit rules 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2022-01-24 15:03:12 +01:00
Leo Di Donato
3640871725 update(rules): remove falco_hostnetwork_images list (unused) 
The `falco_hostnetwork_images` list is unused.

This PR removes it to avoid the warning.

```console
When reading rules content: 1 warnings:
list falco_hostnetwork_images not refered to by any rule/macro/list
```

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2022-01-24 15:03:12 +01:00
Federico Di Pierro
6d507b054c update(build): update libs version for 0.31 release. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-20 14:43:49 +01:00
Federico Di Pierro
f19a1d81c6 update(build): updated plugins to latest versions adding platform name to artifact url. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-20 14:43:49 +01:00
Andrea Terzolo
18c7b6500d refactor: remove apt-config from debian_packages monitoring 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Co-authored-by: karthikc911 <ckinnovative@gmail.com>
 2022-01-20 11:07:47 +01:00
Andrea Terzolo
8239fa41f4 docs: fix priority level "info" to "informational" 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-01-18 18:49:18 +01:00
yoshi314
a9e7512936 fix setting the variable of User-Agent, it was missing the prefix. Switched to dedicated curl's method to do this 
Signed-off-by: Marcin Kowalski <marcin.kowalski@assecobs.pl>
 2022-01-18 09:49:34 +01:00
Marcin Kowalski
f67e8bdad7 fix indentation in outputs_http.cpp 
add sample config entry for user-agent variable

Signed-off-by: Marcin Kowalski <marcin.kowalski@assecobs.pl>
 2022-01-18 09:49:34 +01:00
Marcin Kowalski
a94e6de458 add useragent string to output 
Signed-off-by: Marcin Kowalski <marcin.kowalski@assecobs.pl>
 2022-01-18 09:49:34 +01:00
Leonardo Grasso
3e9f8c1ef1 chore(userpsace/engine): update fields checksum 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-01-17 18:15:43 +01:00
Mark Stemm
d20a326e09 Skip EPF_TABLE_ONLY fields with --list -N 
When listing fields with -N (names only), also skip fields with the
EPF_TABLE_ONLY flag. (Skipping fields without -N is handled in libs,
in the as_string() method).

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-01-17 18:15:43 +01:00
Federico Di Pierro
0c290d98f8 fix(tests): avoid hardcoding plugin version 0.1.0 in plugin tests. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-17 17:20:33 +01:00
Federico Di Pierro
1befb053d0 update(gitignore): drop 2 useless lines from gitignore that are now installed in the build folder. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-17 17:20:33 +01:00
Federico Di Pierro
ae57718bda update(build): updated libs to latest master version. Updated plugins versions. Updated falco engine version. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-17 17:20:33 +01:00
Luca Guerra
55ce38cf3a use debian 11 slim as nodriver image 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-01-17 16:26:07 +01:00
Luca Guerra
18571eb20d ci: build stripped tgz 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-01-17 16:26:07 +01:00
Luca Guerra
9c449901f3 cmake: do not strip tar gz builds 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-01-17 16:26:07 +01:00
Jason Dellaluce
4ab8d6db98 refactor(configuration): remove plugin config loading from file feature 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-01-17 14:55:11 +01:00
Jason Dellaluce
5e354859a9 new(configuration): allow defining plugin config as YAML maps 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-01-17 14:55:11 +01:00
Jason Dellaluce
f4b79296fc fix: improve nested configuration field support 
This fixes the parser introduced in https://github.com/falcosecurity/falco/pull/1792.
Now, nested fields such as `arr[1].subval` are supported, whereas the parser used
to recognize the `.` as an unexpected character.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-01-17 14:55:11 +01:00
Jason Dellaluce
6bf8f34d9f fix(engine): correctly format json output in json_event 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-01-14 13:29:33 +01:00
vadim.zyarko
f8f053c7fa Add an emty line to sattisfy the rules tests 
Signed-off-by: vadim.zyarko <vadim.zyarko@sysdig.com>
 2022-01-13 09:44:57 +01:00
VadimZy
b88a1cbb09 replace .. with table concat 
Signed-off-by: vadim.zyarko <vadim.zyarko@sysdig.com>
 2022-01-13 09:44:57 +01:00
Mark Stemm
c86615f68c Embed .lua files into falco executable 
Instead of having .lua files external to the program responsible for
loading rules, embed the contents of those files into the executable
and load them as strings instead of as files:

Add a cmake custom command below userspace/engine/lua that calls a
bash script lua-to-cpp.sh to generate falco_engine_lua_files.{cpp,hh}
that are compiled into the falco engine library.

The script creates a .cpp file that has const char * symbols for each
file, as well as lists of files that should be loaded when the falco
engine is loaded. There are actually two lists:

- lua_module_strings: these are loaded and also added to the lua
  runtime package.preload table, so they are available when lua code
  require()s them.

- lua_code_strings: these are loaded *and* evaluated, so the functions
  in them are availble to be called from C++.

This simplifies some of the falco_common methods, as there's no need
to keep track of a "main" lua file to load or paths from which the lua
loader should find files for modules, and there's no need to keep
track of an "alternate" lua directory that occurs for debug builds.

Also, there's no need to include any .lua files in the installed
packages, as they're built into the falco binary.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-01-13 09:26:35 +01:00
Mark Stemm
08df1c63cf Clean up lyaml build a bit 
change LYAML_SRC to LYAML_ROOT, which points to the top source
directory now.

LYAML_LIB and (new) LYAML_LUA_DIR are based relative to that
directory.

There's no install step at all now--the static library and the .lua
files are now used directly from the source tree.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-01-13 09:26:35 +01:00
Mark Stemm
10512b9ef9 Move compiler/parser lua files to a "modules" subdir 
This will distinguish it from rule_loader.lua, which is *not* a module
but lua code with functions that can be called directly.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-01-13 09:26:35 +01:00
Jason Dellaluce
0e52ef9971 fix(grpc): ignore protobuf deprecation warning 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-01-12 00:16:49 +01:00
Jason Dellaluce
a371a995b4 update(outputs): adapt grpc output to new protobuf definitions 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-01-12 00:16:49 +01:00
Jason Dellaluce
0f984c4dbe update(grpc): substitute and deprecate enum source field from protobuf 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-01-12 00:16:49 +01:00
Federico Di Pierro
48a23121df new(userspace/falco): add support for kernel side simple consumer. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-10 10:58:44 +01:00
Federico Di Pierro
475ed0dbeb fix(userspace/engine,userspace/falco): set http output contenttype to text/plain when json output is disabled 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2022-01-10 10:57:44 +01:00
Zach Stone
eaccfbe82d Pick some lint 
Signed-off-by: Zach Stone <zach@giantswarm.io>
 2022-01-10 10:56:44 +01:00
Zach Stone
e496c91562 Add Giant Swarm to Adopters list 
Signed-off-by: Zach Stone <zach@giantswarm.io>
 2022-01-10 10:56:44 +01:00
Lorenzo Susini
cef2c2d5c1 chore: improve --list output using is_source_valid 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-01-10 10:53:44 +01:00
Jason Dellaluce
2ee0645f25 update(tests): remove token_bucket unit tests 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-01-04 16:41:18 +01:00
Mark Stemm
42f8b1cd83 Update to version of libs with better output formatting 
This has required changes to print info on fields.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-12-23 17:05:39 +01:00
Mark Stemm
455be15b0b Fill in new shortdesc/data_type/tags for json fields 
Update json_event_filter_factory::get_fields() to add the new
info (shortdesc, data_type, tags) to field descriptions.

This allows for richer outputs when printing info on the fields.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-12-23 17:05:39 +01:00
Mark Stemm
64e8feb200 Update fields checksum (no changes, order only) 
With the new implementation of list_fields(), the order of fields
changed slightly. So update the checksum.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-12-23 17:05:39 +01:00