Leonardo Grasso
442011d07e
build(.circleci): publish dev packages to S3
...
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2021-03-26 12:55:11 +01:00
Leonardo Grasso
70ee1093d8
build(docker): fetch packages from download.falco.org
...
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2021-03-26 12:55:11 +01:00
Leonardo Grasso
3936740390
build(scripts): add cloudfront invalidation for publishing scripts
...
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2021-03-26 12:55:11 +01:00
Leonardo Grasso
9bc04fd02d
build(scripts): publishing script for DEBs
...
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2021-03-26 12:55:11 +01:00
Leonardo Grasso
b6ac6de227
build(scripts): publishing script for RPMs
...
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2021-03-26 12:55:11 +01:00
Leonardo Grasso
5ebb653977
build(scripts): publishing script for bin packages
...
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2021-03-26 12:55:11 +01:00
stevenshuang
167c5bc691
fix: update rule description
...
Signed-off-by: stevenshuang <stevenshuang521@gmail.com>
2021-03-24 18:47:55 +01:00
Leonardo Di Donato
1ded30f173
update(test): tighten the condition to test the drops thresholds
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-03-22 19:42:30 +01:00
Leonardo Di Donato
7edd965a08
fix(test/confs): drop log messages are debug, fix the test fixture accordingly
...
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-03-22 19:42:30 +01:00
Leonardo Di Donato
920ab6982a
new(test): test cases about wrong threshold drop config value
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-03-22 19:42:30 +01:00
Leonardo Di Donato
3842e07422
update(userspace/falco): drop messages are DEBUG level
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-03-22 19:42:30 +01:00
Leonardo Di Donato
7bc5fcf047
fix(userspace/falco): validate the drop threshold config value
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-03-22 19:42:30 +01:00
Leonardo Di Donato
199a1c22c6
fix(userspace/falco): n_evts does not contain the dropped events count
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-03-22 19:42:30 +01:00
Leonardo Di Donato
5380fe5308
new(test): test case about illogical drop actions
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-03-22 19:42:30 +01:00
Leonardo Di Donato
e3f7cdab20
update(userspace/falco): pass to sdropmgr the threshold
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-03-22 19:42:30 +01:00
Leonardo Di Donato
1714926cc6
update(userspace/falco): reduce noisiness
...
The threshold governs the noisiness of the drops.
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-03-22 19:42:30 +01:00
Leonardo Di Donato
4774e92bc2
refactor(userspace/falco): refactor the enum of drop actions into an enum class
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-03-22 19:42:30 +01:00
Leonardo Di Donato
a1b58d70a7
update(userspace/falco): grab the threshold configuration value + do not allow the ignore action to work with any other except the exit one
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-03-22 19:42:30 +01:00
Leonardo Di Donato
b8b50932fe
update: reduce the max burst of event drops
...
This also introduces a threshold configurable value.
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-03-22 19:42:30 +01:00
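The drop-handling commits above (threshold validation, "ignore" only with "exit", DEBUG-level drop messages, n_evts excluding dropped events, a smaller max burst) describe behaviour without showing it. The following is an added illustrative model written for this page; it is not Falco's code (Falco is C++), and the field names, default values, limiter design and error strings are assumptions chosen to mirror what the commit messages state.

```python
# Added illustrative model of Falco's syscall_event_drops handling, not Falco's
# own code. Defaults, names and messages are assumptions.
from dataclasses import dataclass, field

VALID_ACTIONS = {"ignore", "log", "alert", "exit"}


@dataclass
class DropConfig:
    threshold: float = 0.1                 # drop ratio above which actions fire (assumed default)
    actions: set = field(default_factory=lambda: {"ignore"})
    rate: float = 1 / 30                   # limiter refill, actions per second (assumed)
    max_burst: int = 1                     # limiter capacity (assumed; "reduce the max burst")


def validate(cfg: DropConfig) -> None:
    """Reject the illogical configurations the commits above mention."""
    if not 0.0 <= cfg.threshold <= 1.0:
        raise ValueError("syscall_event_drops.threshold must be in [0, 1]")
    unknown = cfg.actions - VALID_ACTIONS
    if unknown:
        raise ValueError(f"unknown drop action(s): {sorted(unknown)}")
    # "ignore" is only allowed alone or together with "exit"
    if "ignore" in cfg.actions and cfg.actions - {"ignore", "exit"}:
        raise ValueError("'ignore' cannot be combined with any action other than 'exit'")
    if cfg.rate <= 0 or cfg.max_burst < 1:
        raise ValueError("rate must be > 0 and max_burst >= 1")


class TokenBucket:
    """Assumed token-bucket limiter: at most max_burst actions at once, then one per 1/rate seconds."""

    def __init__(self, rate: float, max_burst: int):
        self.rate, self.max_burst = rate, max_burst
        self.tokens, self.last = float(max_burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(float(self.max_burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def drop_ratio(n_evts: int, n_drops: int) -> float:
    """n_evts counts delivered events only, so the dropped ones are added back."""
    total = n_evts + n_drops
    return n_drops / total if total else 0.0


def evaluate_drops(cfg: DropConfig, samples):
    """samples: (timestamp_s, n_evts, n_drops) deltas per check interval.
    Returns [(timestamp, ratio, actions_run)] for the intervals where actions fired."""
    validate(cfg)
    to_run = sorted(cfg.actions - {"ignore"})
    bucket = TokenBucket(cfg.rate, cfg.max_burst)
    fired = []
    for ts, n_evts, n_drops in samples:
        ratio = drop_ratio(n_evts, n_drops)
        if n_drops and ratio > cfg.threshold and to_run and bucket.allow(ts):
            fired.append((ts, ratio, to_run))
    return fired


if __name__ == "__main__":
    cfg = DropConfig(threshold=0.1, actions={"log", "alert"})
    # constructed per-second stats deltas: a burst of drops, then a quieter period
    samples = [(1.0, 1000, 5), (2.0, 1000, 500), (3.0, 1000, 500), (40.0, 1000, 200)]
    for ts, ratio, acts in evaluate_drops(cfg, samples):
        print(f"t={ts:>5}s drop ratio {ratio:.1%} -> {acts}")
```

With max_burst of 1 the second consecutive over-threshold interval is silenced until the bucket refills, which is the "noisiness" the threshold and burst settings govern; the ratio only makes sense once dropped events are added back into the denominator.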
Kaizhe Huang
7ea80e39b1
rule(Set Setuid or Setgid bit) update: add k3s-agent in the whitelist
...
Signed-off-by: Kaizhe Huang <derek0405@gmail.com>
2021-03-22 11:36:59 +01:00
Kaizhe Huang
b58f76b268
rule (Debugfs Launched in Privileged Container and Mount Launched in Privileged Container): create
...
Signed-off-by: Kaizhe Huang <derek0405@gmail.com>
2021-03-22 11:36:59 +01:00
JenTing Hsiao
b1801c28c7
Bump year to 2021
...
Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com>
2021-03-12 10:45:31 +01:00
JenTing Hsiao
e1d3e68a84
Modprobe/rmmod at systemd service start/stop
...
Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com>
2021-03-12 10:45:31 +01:00
JenTing Hsiao
5661b491af
Removes the comments in systemd service files
...
Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com>
2021-03-12 10:45:31 +01:00
JenTing Hsiao
39bb5c28c7
Migrate from init to systemd in debian package
...
Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com>
2021-03-12 10:45:31 +01:00
JenTing Hsiao
3ba62a4031
Migrate from init to systemd in rpm package
...
Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com>
2021-03-12 10:45:31 +01:00
Shane Lawrence
2f0e09b549
rule (Write below monitored dir): Clean up and use glob matching.
...
Signed-off-by: Shane Lawrence <shane@lawrence.dev>
2021-03-12 10:37:16 +01:00
POCTEO
34bbe2984f
Pocteo as an adopter
...
Signed-off-by: Walid DRIDI <contact@pocteo.co>
2021-03-11 16:58:59 +01:00
Leonardo Grasso
825e6caf2d
build: fetch build deps from download.falco.org
...
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2021-03-10 18:00:52 +01:00
jonahjon
96ad761308
adding falco-slim build/push
...
Signed-off-by: jonahjon <jonahjones094@gmail.com>
2021-03-05 12:22:47 +01:00
Leo Di Donato
bb7ce37159
fix(.circleci): correctly publish the falco-driver-loader container image from master to AWS ECR gallery
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-03-05 12:22:47 +01:00
Leo Di Donato
c66d056f67
fix(.circleci): the falco-driver-loader container images requires FALCO_IMAGE_TAG build arg (release to AWS ECR gallery)
...
Signed-off-by: Leonardo Di Donato
2021-03-05 12:22:47 +01:00
Leo Di Donato
6a2759fe94
update(.circleci): tag falco-no-driver:<tag> image as falco-no-driver:latest, falco:<tag>-slim, and falco:latest-slim
...
And publish them too.
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-03-05 12:22:47 +01:00
Leo Di Donato
b91c5b613a
update(.circleci): falco-no-driver:latest from bin bucket
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-03-05 12:22:47 +01:00
Leo Di Donato
6fe9f8da0b
fix(.circleci): falco-no-driver container images grabs Falco from the bin[-dev] bucket
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-03-05 12:22:47 +01:00
jonahjon
e888a1d354
adding other alternate AWS builds to circleCI
...
Signed-off-by: jonahjon <jonahjones094@gmail.com>
2021-03-05 12:22:47 +01:00
Isaac Rivera
6e746d71ba
fixing typo
...
Signed-off-by: Isaac Rivera <irivera007@yahoo.com>
2021-03-05 12:16:33 +01:00
Isaac Rivera
2de8176c88
adding shapesecurity to adopters
...
Signed-off-by: Isaac Rivera <irivera007@yahoo.com>
2021-03-05 12:16:33 +01:00
Shane Lawrence
74164b1ef8
Use default pip version to get avocado version.
...
Signed-off-by: Shane Lawrence <shane@lawrence.dev>
2021-03-05 10:50:27 +01:00
Shane Lawrence
da8f054043
Fix broken links to docs.
...
Signed-off-by: Shane Lawrence <shane@lawrence.dev>
2021-03-05 10:48:21 +01:00
Bart van der Schans
05545f228d
Add flex and bison to docker for building bpf module on recent amazon linux2
...
Signed-off-by: Bart van der Schans <bart@vanderschans.nl>
2021-03-05 10:46:10 +01:00
Spencer Krum
b3693a0b75
chore(rules): Add ibmcloud operator lifecycle manager
...
Signed-off-by: Spencer Krum <nibz@spencerkrum.com>
2021-02-19 12:35:30 +01:00
Spencer Krum
a54f946135
chore(rules): Rule exceptions for ibm cloud
...
Whitelist ibm images for connecting to k8s api server
IBM Observability by Sysdig has a vendored sysdig/agent image.
IBM's Kubernetes Service ships with an operator manager. Example:
19:12:45.090908160: Notice Unexpected connection to K8s API Server from
container (command=catalog -namespace ibm-system
-configmapServerImage=registry.ng.bluemix.net/armada-master/configmap-operator-registry:v1.6.1
k8s.ns=ibm-system k8s.pod=catalog-operator-6495d76869-ncl2z
container=4ad7a04fa1e0
image=registry.ng.bluemix.net/armada-master/olm:0.14.1-IKS-1
connection=172.30.108.219:48200->172.21.0.1:443) k8s.ns=ibm-system
k8s.pod=catalog-operator-6495d76869-ncl2z container=4ad7a04fa1e0
IBM's Kubernetes service also ships with a metrics collecting agent
Signed-off-by: Spencer Krum <nibz@spencerkrum.com>
2021-02-19 12:35:30 +01:00
Leonardo Grasso
85db1aa997
fix(rules): correct indentation
...
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2021-02-19 09:24:55 +01:00
ismail yenigul
37a6caae12
remove commercial images to unblock PR
...
add endpoint-controller to user_known_sa_list
related event:
{
  "output": "05:19:25.557989888: Warning Service account created in kube namespace (user=system:kube-controller-manager serviceaccount=endpoint-controller ns=kube-system)",
  "priority": "Warning",
  "rule": "Service Account Created in Kube Namespace",
  "time": "2021-02-16T05:19:25.557989888Z",
  "output_fields": {
    "jevt.time": "05:19:25.557989888",
    "ka.target.name": "endpoint-controller",
    "ka.target.namespace": "kube-system",
    "ka.user.name": "system:kube-controller-manager"
  }
}
Signed-off-by: ismail yenigul <ismailyenigul@gmail.com>
2021-02-19 09:24:55 +01:00
ismail yenigul
2d962dfcb0
rebase to master
...
update user_known_sa_list with k8s internal sa in kube-system
{
  "output": "10:27:56.539783936: Warning Service account created in kube namespace (user=system:kube-controller-manager serviceaccount=replicaset-controller ns=kube-system)",
  "priority": "Warning",
  "rule": "Service Account Created in Kube Namespace",
  "time": "2021-02-15T10:27:56.539783936Z",
  "output_fields": {
    "jevt.time": "10:27:56.539783936",
    "ka.target.name": "replicaset-controller",
    "ka.target.namespace": "kube-system",
    "ka.user.name": "system:kube-controller-manager"
  }
}
{
  "output": "17:06:18.267429888: Warning Service account created in kube namespace (user=system:kube-controller-manager serviceaccount=deployment-controller ns=kube-system)",
  "priority": "Warning",
  "rule": "Service Account Created in Kube Namespace",
  "time": "2021-02-15T17:06:18.267429888Z",
  "output_fields": {
    "jevt.time": "17:06:18.267429888",
    "ka.target.name": "deployment-controller",
    "ka.target.namespace": "kube-system",
    "ka.user.name": "system:kube-controller-manager"
  }
}
and more...
Signed-off-by: ismail yenigul <ismailyenigul@gmail.com>
2021-02-19 09:24:55 +01:00
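The two commits above tune user_known_sa_list using the audit events quoted in their messages. The block below is an added example, not part of either commit and not Falco's rule code: it replays those three events plus one constructed event through an allowlist and shows the tuning caveat a detection engineer cares about. Falco's own exception keys on the target name alone; the require_controller_manager switch is an added, stricter design choice for illustration, not Falco's behaviour.

```python
# Added example, not Falco's rule code. The first three events are copied from
# the commit messages above; CONSTRUCTED_EVENT and the user name in it are made up.
PAGE_EVENTS = [
    {
        "rule": "Service Account Created in Kube Namespace",
        "time": "2021-02-16T05:19:25.557989888Z",
        "output_fields": {
            "ka.target.name": "endpoint-controller",
            "ka.target.namespace": "kube-system",
            "ka.user.name": "system:kube-controller-manager",
        },
    },
    {
        "rule": "Service Account Created in Kube Namespace",
        "time": "2021-02-15T10:27:56.539783936Z",
        "output_fields": {
            "ka.target.name": "replicaset-controller",
            "ka.target.namespace": "kube-system",
            "ka.user.name": "system:kube-controller-manager",
        },
    },
    {
        "rule": "Service Account Created in Kube Namespace",
        "time": "2021-02-15T17:06:18.267429888Z",
        "output_fields": {
            "ka.target.name": "deployment-controller",
            "ka.target.namespace": "kube-system",
            "ka.user.name": "system:kube-controller-manager",
        },
    },
]

# Constructed: a human principal creating a look-alike service account.
CONSTRUCTED_EVENT = {
    "rule": "Service Account Created in Kube Namespace",
    "time": "2021-02-16T09:00:00.000000000Z",
    "output_fields": {
        "ka.target.name": "deployment-controller",
        "ka.target.namespace": "kube-system",
        "ka.user.name": "jane@example.com",
    },
}

# The names added to user_known_sa_list by the commits above.
USER_KNOWN_SA_LIST = {"endpoint-controller", "replicaset-controller", "deployment-controller"}
CONTROLLER_MANAGER = "system:kube-controller-manager"


def should_alert(event, known_sa=USER_KNOWN_SA_LIST, require_controller_manager=True):
    """Decide whether an event that already matched the rule survives the exception.
    require_controller_manager=False reproduces a name-only allowlist."""
    fields = event["output_fields"]
    if fields["ka.target.name"] not in known_sa:
        return True
    if require_controller_manager and fields["ka.user.name"] != CONTROLLER_MANAGER:
        return True
    return False


def triage(events, **kwargs):
    """Return the target names of the events that still alert."""
    return [e["output_fields"]["ka.target.name"] for e in events if should_alert(e, **kwargs)]


if __name__ == "__main__":
    print("page events still alerting:", triage(PAGE_EVENTS))
    print("look-alike SA, name-only list:", should_alert(CONSTRUCTED_EVENT, require_controller_manager=False))
    print("look-alike SA, creator checked:", should_alert(CONSTRUCTED_EVENT))
```

A name-only list silences the controller-manager noise, but it also silences anyone who creates a service account with one of those names in kube-system; checking the creating principal as well keeps the tuning from becoming a blind spot.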
Petr Michalec
541845156f
rhsm cert updates
...
Signed-off-by: Petr Michalec <epcim@apealive.net>
Signed-off-by: Petr Michalec <pmichalec@ves.io>
2021-02-18 15:42:06 +01:00
darryk5
0879523776
update: add review suggestions for Rule Sudo Potential Privilege Escalation
...
Signed-off-by: darryk5 <stefano.chierici@sysdig.com>
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
2021-02-17 21:36:51 +01:00
darryk5
81e880b486
Added Rule Sudo Potential Privilege Escalation (CVE-2021-3156)
...
See #1540
Signed-off-by: darryk5 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Fontana <lo@linux.com>
2021-02-17 21:36:51 +01:00
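The commit above adds a rule for CVE-2021-3156 but the rule text is not on this page. As an added example, and not the Falco rule itself, the block below encodes the known trigger of that bug: an unprivileged user runs sudo or sudoedit in shell or login mode (-s / -i) with an argument ending in an unescaped backslash. The event shape, field names and scan() helper are assumptions modelled on Falco's user.uid, proc.name and proc.cmdline fields.

```python
# Added example for this page; not the project's rule. Event shape is assumed.
from dataclasses import dataclass


@dataclass
class SpawnEvent:
    uid: int        # user.uid
    proc_name: str  # proc.name
    cmdline: str    # proc.cmdline, whitespace separated


def _shell_or_login_mode(args):
    """True when -s / -i (possibly clustered, e.g. -si) or their long forms appear."""
    for a in args:
        if a in ("--login", "--shell"):
            return True
        if a.startswith("-") and not a.startswith("--") and ("s" in a[1:] or "i" in a[1:]):
            return True
    return False


def _ends_in_unescaped_backslash(arg: str) -> bool:
    # An odd number of trailing backslashes leaves the last one unescaped; that
    # is the case in which sudo's argument copy loop runs past the end of the
    # argument. "foo\\" (two) is fine, "foo\" (one) and "foo\\\" (three) are not.
    trailing = len(arg) - len(arg.rstrip("\\"))
    return trailing % 2 == 1


def is_baron_samedit_attempt(ev: SpawnEvent) -> bool:
    if ev.uid == 0 or ev.proc_name not in ("sudo", "sudoedit"):
        return False
    args = ev.cmdline.split()[1:]
    return _shell_or_login_mode(args) and any(_ends_in_unescaped_backslash(a) for a in args)


def scan(events):
    """Return the command lines of events that match."""
    return [e.cmdline for e in events if is_baron_samedit_attempt(e)]


if __name__ == "__main__":
    # constructed events, not captured data
    sample = [
        SpawnEvent(1000, "sudoedit", "sudoedit -s \\"),
        SpawnEvent(1000, "sudoedit", "sudoedit -si \\ AAAAAAAAAAAAAAAA"),
        SpawnEvent(0, "sudoedit", "sudoedit -s \\"),
        SpawnEvent(1000, "sudo", "sudo ls /"),
        SpawnEvent(1000, "sudo", "sudo -s echo foo\\\\"),
    ]
    for hit in scan(sample):
        print("CVE-2021-3156 attempt:", hit)
```

Matching only on a trailing backslash would flag legitimate doubled backslashes in shell-mode commands; counting the trailing run keeps the check aligned with the actual overflow condition. Plain `sudo -s` with such an argument is still reported here because the rule in the commit covers both process names, even though the public exploit path goes through sudoedit.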
Carlos Panato
f140cdfd68
falco: add healthz endpoint
...
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
2021-02-11 20:29:07 +01:00