github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-05 10:56:47 +00:00
Code Issues Projects Releases Wiki Activity
1,597 Commits 117 Branches 173 Tags 104 MiB
3693b16c91
Commit Graph

1597 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Mark Stemm
3693b16c91 Let puma reactor spawn shells 
Sample Falco alert:

```
Shell spawned by untrusted binary (user=git shell=sh parent=puma reactor
cmdline=sh -c pgrep -fl "unicorn.* worker\[.*?\]" pcmdline=puma reactor
gparent=puma ggparent=runsv aname[4]=ru...
```

https://github.com/puma/puma says it is "A Ruby/Rack web server built
for concurrency".

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
48a0f512fb Let cilium-cni change namespaces 
Sample Falco alert:

```
Namespace change (setns) by unexpected program (user=root
command=cilium-cni parent=cilium-cni host CID2 CID1 image=<NA>)
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
01c9d8ba31 Let runc write to /exec.fifo 
Sample Falco alert:

```
File below / or /root opened for writing (user=<NA>
command=runc:[1:CHILD] init parent=docker-runc-cur file=/exec.fifo
program=runc:[1:CHILD] CID1 image=<NA>)
```

This github issue provides some context:
https://github.com/opencontainers/runc/pull/1698

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
7794e468ba Alow writes to /etc/pki from openshift secrets dir 
Sample falco alert:

```
File below /etc opened for writing (user=root command=cp
/run/secrets/kubernetes.io/serviceaccount/ca.crt
/etc/pki/ca-trust/source/anchors/openshift-ca.crt parent=bash
pcmdline=bash -c #!/bin/bash\nset -euo pipefail\n\n# set by the node
image\nunset KUB...
```

The exception is conditioned on containers.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
0d74f3938d Let avinetworks supervisor write some ssh cfg 
Sample Falco alert:

```
File below /etc opened for writing (user=root command=se_supervisor.p
/opt/avi/scripts/se_supervisor.py -d parent=systemd pcmdline=systemd
file=/etc/ssh/ssh_monitor_config_10.24.249.200 program=se_supervisor.p
gparent=docker-containe ggparent=docker-con...
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
e5f06e399f Let mcafee write to /etc/cma.d 
Sample Falco alert:

```
File below /etc opened for writing (user=root command=macompatsvc
self_start parent=macompatsvc pcmdline=macompatsvc self_start
file=/etc/cma.d/lpc.conf program=macompatsvc gparent=macompatsvc
ggparent=systemd gggparent=<NA> CID1 image=<NA>)
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
fa3e48ca1a Add "dsc_host" as a MS OMS program 
Sample Falco alert:

```
File below /etc opened for writing (user=<NA> command=dsc_host
/opt/dsc/output PerformRequiredConfigurationChecks 1 parent=python
pcmdline=python
/opt/microsoft/omsconfig/Scripts/PerformRequiredConfigurationChecks.py
file=/etc/opt/omi/conf/omsconfig/con...
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Kris Nova
bf0cdb7c38 Updating community section of README.md 
Pointing to the community repo as the source of truth

Signed-off-by: Kris Nova <kris@nivenly.com>
 2020-01-28 14:23:56 +01:00
Kris Nova
be67c4adaf Updating logo and slogan to match branding guidelines 
Signed-off-by: Kris Nova <kris@nivenly.com>
 2020-01-28 14:21:21 +01:00
Kris Nova
b088a57dd0 Adding Glossary 
- Adding section to define language used in the project

Signed-off-by: Kris Nova <kris@nivenly.com>
 2020-01-28 12:35:15 +01:00
Kris Nova
40fbc96736 Updating with comments from Bencer 
Signed-off-by: Kris Nova <kris@nivenly.com>
 2020-01-28 12:35:15 +01:00
Kris Nova
c350876456 Updating README.md from Janet's review 
- Updating language around contributed/created/donated
 - Adding 3 key benefits

Signed-off-by: Kris Nova <kris@nivenly.com>
 2020-01-28 12:35:15 +01:00
Kris Nova
bf8367b280 Updating Falco Logo Path 
Signed-off-by: Kris Nova <kris@nivenly.com>
 2020-01-28 12:35:15 +01:00
Kris Nova
c510808299 Adding branding guidelines to GitHub 
Signed-off-by: Kris Nova <kris@nivenly.com>
 2020-01-28 12:35:15 +01:00
Leonardo Di Donato
a1d6a4762e fix(docker/minimal): libyaml 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-24 11:53:02 +01:00
Leonardo Di Donato
32b373aa9a build: fix dep version 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-23 16:35:33 +01:00
Leonardo Di Donato
3132174459 docs: update CHANGELOG with last major change for 0.19.0 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-23 15:32:47 +01:00
Leonardo Di Donato
a3845b43fc update(integrations): switch to 0.19.0 
Co-authored-by: Lorenzo Fontana <fontanalorenzo@me.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-23 15:32:47 +01:00
Leonardo Di Donato
24549e163a update(docker): switch to 0.19.0 
Co-authored-by: Lorenzo Fontana <fontanalorenzo@me.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-23 15:32:47 +01:00
Leonardo Di Donato
dab9835712 update: changelog for 0.19.0 
Co-authored-by: Lorenzo Fontana <fontanalorenzo@me.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-23 15:32:47 +01:00
Leonardo Di Donato
725f16b71c chore: use latest falco-tester again 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-23 15:04:39 +01:00
Leonardo Di Donato
f3dcacea5b fix(docker/tester): share rules and trace files with docker test runners 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-23 15:04:39 +01:00
Leonardo Di Donato
cf803759ef fix(docker/tester): falco-tester does not have to check for docker/local anymore 
Co-Authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-23 15:04:39 +01:00
Leonardo Di Donato
347b581d95 chore: cleanup docker test runners 
Co-Authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-23 15:04:39 +01:00
Lorenzo Fontana
c96248e4fc chore(integration): libyaml in tester docker file for deb packages 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-23 15:04:39 +01:00
Lorenzo Fontana
c7b8d6123a chore(integration): add dkms to docker test deb runner 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-23 15:04:39 +01:00
Lorenzo Fontana
a8a3caee95 chore(circleci): temporary config for falco tester image 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-23 15:04:39 +01:00
Lorenzo Fontana
46181a7336 update(integration): rpm tester docker image 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-23 15:04:39 +01:00
Lorenzo Fontana
6b3adca132 update(integration): mount rules and traces paths in falco_test.py 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-23 15:04:39 +01:00
Lorenzo Fontana
6bd4c3a041 update(integration): falco tester entrypoint 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-23 15:04:39 +01:00
Lorenzo Fontana
6d737c1def new(integration): docker deb runner 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-23 15:04:39 +01:00
Lorenzo Fontana
ecfd22563f update(integration): switch to docker runners for packages 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-23 15:04:39 +01:00
Leonardo Di Donato
12a86d33ef fix(docker/builder): add llvm toolset back to falco-builder 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-21 12:51:50 +01:00
Leonardo Di Donato
29847df168 fix(scripts/rpm): substitute underscores with dashes for RPM version 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-21 12:51:50 +01:00
Leonardo Di Donato
a44ae907fe build: RPM package deps 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-21 12:51:50 +01:00
Leonardo Di Donato
bdb4cd94a1 chore: rename centos step into circleci 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-21 12:51:50 +01:00
Leonardo Di Donato
6ab27683fa fix(cmake/modules): no need of LDFLAGS=-static for gRPC cmake 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-21 12:51:50 +01:00
Leonardo Di Donato
55364405aa chore(docker/builder): remove unneded layer 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-21 12:51:50 +01:00
Leonardo Di Donato
0fe1d7d81d fix(cmake/modules): enforce bundled openssl for sinsp when USE_BUNDLED_DEPS is true 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-21 12:51:50 +01:00
Leonardo Di Donato
8a605e31df fix(cmake/modules): provide built openssl binary when using bundled deps 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-21 12:51:50 +01:00
Leonardo Di Donato
739d79a1eb chore: double-quoting verify fields variables 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-21 12:51:50 +01:00
Leonardo Di Donato
a160fba6c9 update: tell sinsp to use bundled openssl 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-21 12:51:50 +01:00
Leonardo Di Donato
ff44239833 build: gRPC patch for static LDFLAGS 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-21 12:51:50 +01:00
Leonardo Di Donato
077fbea0a7 update(docker/builder): back to centos:7 as base image 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-21 12:51:50 +01:00
Leonardo Di Donato
4f94fde7e8 build: grpc needs openssl and pkg-config now 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-21 12:51:50 +01:00
Leonardo Di Donato
5b33cbe2aa build: curl depends on openssl 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-21 12:51:50 +01:00
Leonardo Di Donato
dd0a0d90db build: openssl cmake module (and inclusion) 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-21 12:51:50 +01:00
Leonardo Di Donato
3f06ed0ab0 build: disable the tests of sinsp/scap deps 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-20 21:44:42 +01:00
Leonardo Di Donato
a793de1793 build: use latest falco-builder and falco-tester into CI 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-20 13:59:24 +01:00
Leonardo Di Donato
182c07a31f update: force deps to always use the system openssl 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-20 13:59:24 +01:00