github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-02 17:42:18 +00:00
Code Issues Projects Releases Wiki Activity
2,199 Commits 117 Branches 173 Tags 104 MiB
7691dba3ff
Commit Graph

2199 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Lorenzo Fontana
7691dba3ff fix(userspace/falco): output needs to be initialized after fork 
Co-Authored-By: Leonardo Grasso <me@leonardograsso.com>
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-01-18 16:56:13 +01:00
Lorenzo Fontana
c736689f6f docs(RELEASE.md): link the ecr images in releases 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-01-18 16:52:02 +01:00
Lorenzo Fontana
3bcd2ca70d update(.circleci): fix tag definition for ECR image push on releases 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-01-18 15:45:52 +01:00
Lorenzo Fontana
2e443e7660 build(.circleci): temporarly disable static analysis 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-01-18 13:15:25 +01:00
Lorenzo Fontana
bec5121fa4 docs(CHANGELOG.md): release notes for 0.27.0 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-01-18 13:15:25 +01:00
Lorenzo Fontana
ee0b7daba0 docs(RELEASE.md): remove url, it does not work anymore 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-01-18 13:15:25 +01:00
Leonardo Grasso
b2bbb265b4 chore(cmake): remove unnecessary whitespace patch 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-01-15 14:22:14 +01:00
Leo Di Donato
0d7068b048 docs(.circleci): adding Jonah to Falco CI maintainers 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-01-13 17:22:41 +01:00
James Barlow
7f33b08634 rule(Create Hidden Files or Directories): Exclude exe_running_docker_save 
Signed-off-by: James Barlow <james.barlow@finbourne.com>
 2021-01-08 19:21:42 +01:00
James Barlow
c2a05b3e64 rule(Mkdir binary dirs): Exclude exe_running_docker_save 
Signed-off-by: James Barlow <james.barlow@finbourne.com>
 2021-01-08 19:21:42 +01:00
Leonardo Grasso
581d67fa08 docs(proposals/20200828-structured-exception-handling): indentation 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-01-08 17:53:08 +01:00
Leonardo Grasso
b7bda6d892 docs(proposals/20200828-structured-exception-handling): highlight syntax 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-01-08 17:53:08 +01:00
Mark Stemm
5eec26976d Add notes on single-field exceptions 
If an exception item has a single value for fields, all the values are
combined together into a single set to build an expression field
cmp (val1, val2, ...)

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-01-08 17:53:08 +01:00
Mark Stemm
1916314583 Use well-defined object keys 
Instead of oveloading the exception item name as the key of the object,
just have a flat array of object with a name property.

A bit more verbose, but makes it easier to understand what the schema is.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-01-08 17:53:08 +01:00
Mark Stemm
8831c7f3c7 Add notion of exception operators 
A rule exception can now have a comps property that allows fields to be
matched against items using an operator of =. If not defined, equality
is implied.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-01-08 17:53:08 +01:00
Mark Stemm
2cebe052a1 Address feedback 
- Clean up npm examples so they are valid.
- Small punctuation changes.
- Emphasize that the strings related to field values are arbitrary.
- Emphasize that exceptions only use equality matching.
- Emphasize that you'll need to upgrade falco to use these new features.
- Capitalize Falco everywhere.
- Change language related to backwards compatibility.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-01-08 17:53:08 +01:00
Mark Stemm
05282f3976 Proposal on better exception handling 
This proposes adding exceptions as a first class object to falco rules
files.

It adds a new key "exceptions" to rule objects that allows a rule
writer to define tuples of field names that comprise an exception, and a
new top level object "exception" that contains lists of tuples of field
values that define exceptions to rules.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-01-08 17:53:08 +01:00
Leo Di Donato
da4a5b1456 chore(.circleci): typos 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-01-08 15:50:26 +01:00
Leo Di Donato
36e9c2ba17 chore(.circleci): switch to falcosecurity slug for AWS ECR registry 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-01-08 15:50:26 +01:00
Leonardo Di Donato
0c8b4a2127 chore(.circleci): test out container image publish for a specific Falco development version 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-01-08 15:50:26 +01:00
Leonardo Di Donato
356b3e1451 new(.circleci): publish Falco development container images (from master) to AWS ECR Public 
Co-authored-by: jonahjon <jonahjones094@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-01-08 15:50:26 +01:00
Leonardo Di Donato
9eb60f04ff chore: refinements 
Co-authored-by: jonahjon <jonahjones094@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-01-08 15:50:26 +01:00
Leonardo Di Donato
ff29188cb2 ci: add job to publish container images to AWS ECR registry 
Co-authored-by: jonahjon <jonahjones094@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-01-08 15:50:26 +01:00
Naoki Oketani
4fb7e99c68 docs: fix a broken link of README 
Signed-off-by: Naoki Oketani <okepy.naoki@gmail.com>
 2021-01-07 14:58:14 +01:00
Spencer Krum
d03a1f4a9b feature(grpc): Add engine version to version svc 
Fixes #1269

Add two new fields in the version service for falco's engine version and
the checksum of all of the fields it understands.

This will require rebuilding/re-releasing all the clients.

Signed-off-by: Spencer Krum <nibz@spencerkrum.com>
 2020-12-15 11:00:18 -05:00
Leonardo Grasso
574e7f433b docs(README.md): correct broken links 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-12-15 10:58:21 -05:00
Angelo Puglisi
f6fa18e7ec chore(cmake): mark some variables as advanced 
Have some cmake variables (e.g. *_INCLUDE and *_LIB) marked as advanced,
in order to have a cleaner ccmake menu.

Signed-off-by: Angelo Puglisi <angelopuglisi86@gmail.com>
 2020-12-15 10:56:20 -05:00
kaizhe
6beb9838d6 rule(list user_known_change_thread_namespace_binaries): add crio and multus to the list 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-12-14 04:16:15 -05:00
Angelo Puglisi
9a175cb1db chore(cmake/modules): avoid useless rebuild 
Because of https://gitlab.kitware.com/cmake/cmake/-/issues/16419, every
time one compiles, some external projects gets updated causing rebuild.

Have EP_UPDATE_DISCONNECTED option (default OFF) to be able to control
that behaviour.

Signed-off-by: Angelo Puglisi <angelopuglisi86@gmail.com>
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-12-10 13:28:01 -05:00
Spencer Krum
32daac3e4d fix(config): Error out when no config file supplied 
Fixes: #1406

Signed-off-by: Spencer Krum <nibz@spencerkrum.com>
 2020-12-10 13:26:04 -05:00
kaizhe
0a901e4f52 add exception macro 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-12-04 06:21:34 -05:00
kaizhe
22732e9edb rule(Container Run as Root User): new rule created 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-12-04 06:21:34 -05:00
Leonardo Grasso
6a352338e3 update(userspace/falco): output worker should not throw exceptions 
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-12-01 04:18:04 -05:00
Leonardo Grasso
f8b66d051b fix(userspace/falco) class naming convention 
Co-authored-by: Lorenzo Fontana <fontanalorenz@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-12-01 04:18:04 -05:00
Leonardo Grasso
c237ddc738 chore(userspace/falco): apply suggestions from review 
Co-authored-by: deepskyblue86 <angelopuglisi86@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-12-01 04:18:04 -05:00
Leonardo Grasso
9d31164a71 update(userspace/falco): clear output queue if still blocked during the shutdown 
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-12-01 04:18:04 -05:00
Leonardo Grasso
f433b449d9 chore(userspace/falco): add_output init check 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-12-01 04:18:04 -05:00
Leonardo Grasso
44955004e3 chore(userspace/falco): handle freeing of output objects 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-12-01 04:18:04 -05:00
Leonardo Grasso
a9dac551b8 docs(falco.yaml): better explanation on "output_timeout" 
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-12-01 04:18:04 -05:00
Leonardo Grasso
df8e4e0545 new: Falco config for output timeout 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-12-01 04:18:04 -05:00
Leonardo Grasso
321da3e5bf chore(userspace/falco): configurable outputs timeout 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-12-01 04:18:04 -05:00
Leonardo Grasso
4b34b83739 new(userspace/falco): add "output_timeout" config node 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-12-01 04:18:04 -05:00
Leonardo Grasso
5b558cd600 update(userspace/falco): watchdog for outputs 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-12-01 04:18:04 -05:00
Leonardo Grasso
3b7401c2e5 new(userspace/falco): Watchdog timer utility 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-12-01 04:18:04 -05:00
Leonardo Grasso
aea12f4f3b update(userspace/falco): outputs error handling 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-12-01 04:18:04 -05:00
Leonardo Grasso
f2637c8600 update(userspace/falco): add accessor method for output's name 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-12-01 04:18:04 -05:00
Leonardo Grasso
0a14d34e16 chore(userspace/falco): correct exception message 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-12-01 04:18:04 -05:00
Leonardo Grasso
a1bdf3ed61 update(userspace/falco): add "internal" source to outputs and proto 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-12-01 04:18:04 -05:00
Leonardo Grasso
d3c41c2d97 chore(userspace/falco): avoid multiple outputs init 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-12-01 04:18:04 -05:00
Leonardo Grasso
90d71a8e92 feat(userspace/falco): non-blocking outputs 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-12-01 04:18:04 -05:00