github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-27 07:07:23 +00:00
Code Issues Projects Releases Wiki Activity
2,363 Commits 121 Branches 172 Tags 104 MiB
535db19991
Commit Graph

2363 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Kaizhe Huang
535db19991 disable change thread namespace test 
Signed-off-by: Kaizhe Huang <khuang@aurora.tech>
 2021-06-07 12:17:21 +02:00
Kaizhe Huang
abe46a19a0 minor changes 
Signed-off-by: Kaizhe Huang <derek0405@gmail.com>
 2021-06-07 12:17:21 +02:00
Kaizhe Huang
96fc8d1a27 update test 
Signed-off-by: Kaizhe Huang <derek0405@gmail.com>
 2021-06-07 12:17:21 +02:00
Kaizhe Huang
ad82f66be3 rules update(Change thread namespace and Set Setuid or Setgid bit): disable by default 
Signed-off-by: Kaizhe Huang <derek0405@gmail.com>
 2021-06-07 12:17:21 +02:00
Leonardo Grasso
c60fac9e34 build(test): upgrade urllib3 to 1.26.5 
CVE-2021-33503 has been fixed in urllib3 v1.26.5.
See:
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33503
 - https://github.com/urllib3/urllib3/releases/tag/1.26.5

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-06-04 22:15:33 +02:00
Sverre Boschman
35dc315390 add known k8s service accounts 
Signed-off-by: Sverre Boschman
 2021-06-04 10:46:09 +02:00
maxgio92
62c995f309 revert: add notes for 0.28.2 release 
This reverts commit 3432551295.

Signed-off-by: maxgio92 <massimiliano.giovagnoli.1992@gmail.com>
 2021-06-01 15:47:37 +02:00
maxgio92
3432551295 changelog: add notes for 0.28.2 release 
Signed-off-by: maxgio92 <massimiliano.giovagnoli.1992@gmail.com>
 2021-05-27 14:51:17 +02:00
Kaizhe Huang
09e1604fe0 rule update(Debugfs Launched in Privileged Container): fix typo in description 
Signed-off-by: Kaizhe Huang <khuang@aurora.tech>
 2021-05-27 11:21:30 +02:00
Leonardo Grasso
da7279da1d build(cmake/modules): upgrade libs and drivers version to 13ec67ebd23417273275296813066e07cb85bc91 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
05f5aa2af3 chore(cmake/modules): do not build libscap examples 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
53a1be66b0 chore(docker/builder): remove never used MINIMAL_BUILD option 
The option was added but could not work since MINIMAL_BUILD is not declared in this scope (also not currently needed).
Furthermore, it never took effect since the builder image was never built and pushed. For the same reason, we have not noticed it until now.

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
f7b572bea5 build(docker/builder): upgrade cmake version 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
ed59f33f3f build(userspace/falco): add GRPC_LIBRARIES when gRPC is bundled 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
b41acdff1c build(cmake/modules): always use bundled jsoncpp 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
4acc089b1f build(userspace/falco): add_depenedency for gRPC when bundled 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
591d4e500e build: always use bundled b64 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
79bdcb030b build: correct yamlcpp dependency for falco 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
f4dba52ee2 build(cmake/modules): ncurses dependency is not required anymore 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
bfc0021cdd build: update build system to support libs cmake modules 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
e616f79bac build: switch to falcosecurity-libs external project 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
4006452b1f chore(cmake/modules): rename sysdig to falcosecurity-libs 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
maxgio92
59831b077e docs(release.md): update github release template mentioning the release manager 
Signed-off-by: maxgio92 <massimiliano.giovagnoli.1992@gmail.com>
 2021-05-18 15:34:07 +02:00
maxgio92
0d95beb1e3 docs(release.md): update post-release tasks order 
Signed-off-by: maxgio92 <massimiliano.giovagnoli.1992@gmail.com>
 2021-05-18 15:34:07 +02:00
maxgio92
2e27d5dded docs(release.md): add blog announcement to post-release tasks 
Signed-off-by: maxgio92 <massimiliano.giovagnoli.1992@gmail.com>
 2021-05-18 15:34:07 +02:00
Leonardo Di Donato
24f64cab33 docs(proposals): fix libs contribution name 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-05-17 16:24:53 +02:00
Yu Kitazume
0f36ff030e add Yahoo!Japan as an adopter 
Signed-off-by: Yu Kitazume <u.kitazume@gmail.com>
 2021-05-12 11:37:34 +02:00
diamonwiggins
601ec5cf85 add Replicated to adopters 
Signed-off-by: diamonwiggins <diamonw757@gmail.com>
 2021-05-11 11:59:54 +02:00
Carlos Panato
f237f277e7 changelog: add notes for 0.28.1 release 
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
 2021-05-07 14:55:02 +02:00
ismail yenigul
2226a1508c exception to privileged container for EKS images 
Signed-off-by: ismail yenigul <ismailyenigul@gmail.com>
 2021-05-06 02:36:48 +02:00
Carlos Panato
6f64c21ad9 urelease/docs: fix link and small refactor in the text 
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
 2021-04-30 14:27:26 +02:00
maxgio92
fd6a1d0d05 clean(rules/falco_rules.yaml): remove deprecated oci image repositories 
Signed-off-by: maxgio92 <massimiliano.giovagnoli.1992@gmail.com>
 2021-04-29 11:51:35 +02:00
David Windsor
87438ec723 Add Secureworks to adopters 
Signed-off-by: David Windsor <dwindsor@secureworks.com>
 2021-04-26 10:34:00 +02:00
Leonardo Grasso
d0be6d96d0 build: enable ASLR for statically linked build 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-04-22 18:12:05 +02:00
Leonardo Grasso
aefd67eb8a build: hardening flags 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-04-22 18:12:05 +02:00
Leonardo Di Donato
6e94c37399 new(test): regression test for FAL-01-003 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-21 15:11:17 +02:00
Leonardo Di Donato
d3c22d3d0c new(test/trace_files): test fixture for FAL-01-003 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-21 15:11:17 +02:00
natchaphon-r
366975bc3b Adding MathWorks to Falco's adopter list 
Signed-off-by: natchaphon-r <natchaphon.r@gmail.com>
 2021-04-20 09:30:11 +02:00
natchaphon-r
f9692fcb82 Adding MathWorks to Falco's adopter list 
Signed-off-by: natchaphon-r <natchaphon.r@gmail.com>
 2021-04-20 09:30:11 +02:00
Leonardo Grasso
e95ab26f33 update(rules): stricter detection of man-db postinst exception 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-04-19 17:01:10 +02:00
Leonardo Grasso
23a611b343 chore(rules): remove too week macro python_running_sdchecks 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-04-19 17:01:10 +02:00
Dan POP
2658d65373 adding known users /and how to add your name 
added list from the survey that allowed mentions of their name publically in the adopters file. 

@jonahjon     --  please approve or change any verbiage to adding AWS as contributors with all you and the teams work on PROW and all the contributions thus far.

Signed-off-by: Dan Papandrea <dan.papandrea@sysdig.com>
 2021-04-19 16:58:59 +02:00
Leonardo Di Donato
600501e141 update(userspace/falco): handle the case there wasn't been any previously processed event 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-19 16:56:53 +02:00
Leonardo Di Donato
0df18fd786 update(userspace/falco): print out current time when a timeouts notification gets emitted 
Also, print out the time of the last processed event in the output
fields of the notification.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-19 16:56:53 +02:00
Leonardo Di Donato
c1da6d21b9 new: syscall_event_timeouts configuration block 
Falco uses a shared buffer between the kernel and userspace to receive
the events (eg., system call information) in userspace.
Anyways, the underlying libraries can also timeout for various reasons.
For example, there could have been issues while reading an event.
Or the particular event needs to be skipped.
Normally, it's very unlikely that Falco does not receive events consecutively.
Falco is able to detect such uncommon situation.
Here you can configure the maximum number of consecutive timeouts without an event
after which you want Falco to alert.
By default this value is set to 1000 consecutive timeouts without an event at all.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-19 16:56:53 +02:00
Leonardo Di Donato
c4a73bdd8e update(userspace/falco): a null event when there's a timeout is unlikely 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-19 16:56:53 +02:00
Leonardo Di Donato
28a339e4bc new(userspace/engine): likely/unlikely macros in utils 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-19 16:56:53 +02:00
Leonardo Di Donato
65a168ab5a new(userspace/falco): output msg when the number of consecutive timeouts without an event is greater than a given threshold 
The rationale is that in case Falco obtains a consistent number of
consecutive timeouts (in a row) without a valid event, something is
going wrong.

This because, normally, the libs send timeouts to Falco (also) to signal events to discard.
In such cases, which are the majority of cases, `ev` exists and is not
`null`.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-19 16:56:53 +02:00
Lorenzo Fontana
46425b392c fix(userspace): handle exceptions for process_k8s_audit_event 
This fix has two major points in it:

- when `std::stoll` is used in parse_as_int64 handle all the exceptions it
can throw (https://en.cppreference.com/w/cpp/string/basic_string/stol)
- when `process_k8s_audit_event` an eventual exception in it does not
stop the webserver process. This is done by doing a catch all handle
outside it and by logging an error message to the caller as well as in
stderr

Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-04-19 12:32:22 +02:00
Leo Di Donato
8b0d22dee9 docs: update link for HackMD community call notes 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-13 15:26:53 +02:00