kaizhe
7c33fafe89
minor changes
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-12-03 19:37:01 +00:00
kaizhe
18acea4a73
minor changes
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-12-03 19:37:01 +00:00
kaizhe
8011fe7ce7
rules update: add more sensitive host path to sensitive_host_mount macro
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-12-03 19:37:01 +00:00
Lorenzo Fontana
d328ff3fde
update(cmake/patch): include Makefile template in patch for grpc 1.25.0
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2019-12-03 17:43:57 +00:00
Lorenzo Fontana
fbcc6a0781
build: update gRPC to 1.25.0
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2019-12-03 17:43:57 +00:00
Jean-Philippe Lachance
80d69917ea
* Rename the macro to user_known_package_manager_in_container
+ Add a comment to explain how we should use this macro
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2019-12-03 00:03:35 +01:00
Jean-Philippe Lachance
3713f7a614
+ Add a simple user_known_package_manager_in_container_conditions macro
* Use the user_known_package_manager_in_container_conditions macro in the "Launch Package Management Process in Container" rule
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2019-12-03 00:03:35 +01:00
Jean-Philippe Lachance
79cb75dcd1
! Exclude exe_running_docker_save in the "Set Setuid or Setgid bit" rule
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2019-12-02 23:54:53 +01:00
Hiroki Suezawa
c736a843a0
rule update: Add kubelet to user_known_chmod_applications list
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-01 23:27:04 +01:00
Adrián Arroyo Calle
1b05f0e6a7
chore: read hostname in initialization
Signed-off-by: Adrián Arroyo Calle <adrian.arroyocalle@gmail.com>
2019-11-27 22:23:49 +01:00
Adrián Arroyo Calle
4d180cbc31
chore: use std::string to have safer copies
Signed-off-by: Adrián Arroyo Calle <adrian.arroyocalle@gmail.com>
2019-11-27 22:23:49 +01:00
Adrián Arroyo Calle
137e7fc0ec
chore: hostname can be 253 characters maximum
Signed-off-by: Adrián Arroyo Calle <adrian.arroyocalle@gmail.com>
2019-11-27 22:23:49 +01:00
Adrián Arroyo Calle
52fbcefa1d
chore: add environment variable FALCO_GRPC_HOSTNAME
Signed-off-by: Adrián Arroyo Calle <adrian.arroyocalle@gmail.com>
2019-11-27 22:23:49 +01:00
Adrián Arroyo Calle
a084f17493
feat: add hostname field in gRPC output
Signed-off-by: Adrián Arroyo Calle <adrian.arroyocalle@gmail.com>
2019-11-27 22:23:49 +01:00
Leonardo Di Donato
c96f85282d
fix: do not use wget to patch gRPC makefile
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-27 18:18:07 +01:00
Lorenzo Fontana
d2459aa0a8
update: add wget to the travis build
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2019-11-27 18:18:07 +01:00
Lorenzo Fontana
d11ac4a59d
update: cleanup the gRPC dependency and use the url from the main project
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2019-11-27 18:18:07 +01:00
Mark Stemm
4e39fee54e
Always catch json type errors when extracting
In all extraction functions, always catch json type errors alongside
json out of range errors. Both cases result in not extracting any value
from the event.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2019-11-18 16:19:58 -08:00
Leonardo Di Donato
885e131451
fix(scripts): copy falco-probe-loader during packages build
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
Leonardo Di Donato
6ede7bd422
chore: removing sysdig references
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
Leonardo Di Donato
a64a827d72
update: puppet module had been renamed to falco
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
Leonardo Di Donato
a200d17581
chore: improving naming
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
Leonardo Di Donato
a17a12c306
update(scripts): rename env variables for falco probe loader
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
Leonardo Di Donato
514d8bacc3
update(docker): introduce SKIP_MODULE_LOAD env variable
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
Leonardo Di Donato
3e9ebfb354
fix(docker): adapt dockerfiles to HOST_ROOT env var
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
Leonardo Di Donato
17bc344381
fix(scripts): rename SYSDIG_HOST_ROOT env variable into HOST_ROOT
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
Leonardo Di Donato
3ce2056dc5
fix(docker): glob rather than ls in the docker entrypoints
Plus, make them use HOST_ROOT env var, not SYSDIG_HOST_ROOT
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
Leonardo Di Donato
9e355e1a74
fix(userspace/falco): typo for consumer related methods
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
Loris Degioanni
468fa35965
chore: naming cleanup
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
Loris Degioanni
bb3c0275cc
fix(scripts): license header
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
Loris Degioanni
568f480942
new falco-probe-loader file that doesn't depend on sysdig
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
Loris Degioanni
3b45e58217
chore: remove some more unnecessary, legacy references to falco in sysdig
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
kaizhe
cf8395c7ed
minor changes
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-11-08 10:38:47 +01:00
kaizhe
f16c744779
rules update: add hyperkube to the whitelist of rule Set Setuid or Setgid bit
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-11-08 10:38:47 +01:00
kaizhe
4ed581853a
rules update: add docker-runc-cur to container_entrypoint macro
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-11-08 10:38:47 +01:00
David de Torres
ed767561ac
Added list k8s_client_binaries
Added accidentally deleted lines for the list of k8s client binaries.
Signed-off-by: David de Torres <detorres.david@gmail.com>
2019-11-08 09:49:09 +01:00
David de Torres
98becedebb
Added rule to detect k8s client tool in container
The rule detects the execution of the k8s client tool in a container and
logs it with WARNING priority.
Signed-off-by: David de Torres <detorres.david@gmail.com>
2019-11-08 09:49:09 +01:00
Kris Nova
ae7924cc41
Cleaning up some nomenclature
First of a handful of PRs to start clarifying the independence of Falco
I don't see any breaking changes here, just cosmetic changes.
Signed-off-by: Kris Nova <kris@nivenly.com>
2019-11-05 16:40:56 +01:00
Kris Nova
4f53c85f97
Removing Sysdig inc
Signed-off-by: Kris Nova <kris@nivenly.com>
2019-11-05 16:40:56 +01:00
Yash Bhutwala
8c2a36ca00
fix the image name and tag for the linuxkit Dockerfile
Signed-off-by: Yash Bhutwala <ymb002@bucknell.edu>
2019-11-05 15:46:33 +01:00
Leonardo Di Donato
1ede1fc0f1
docs: add frame.io and sightmachine to ADOPTERS file
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-10-31 19:55:12 +01:00
Lorenzo Fontana
6c5554ca8b
docs: add PR 906 to changelog for 0.18.0
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2019-10-31 12:32:39 +01:00
Lorenzo Fontana
d5e505165a
docs: update changelog to 0.18.0
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2019-10-31 12:32:39 +01:00
Lorenzo Fontana
76b263269f
docs(integrations): bump version to 0.18.0
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2019-10-31 12:32:39 +01:00
Lorenzo Fontana
eae65475e0
docs(docker): version bump to 0.18.0
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2019-10-31 12:32:39 +01:00
Mark Stemm
023f510a75
Don't pop excess values from stack
The call to rule_loader.load_rules only returns 2 values, so only pop
two values from the stack. This fixes #906 .
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2019-10-30 08:52:46 +01:00
kaizhe
b38db99449
rules update: add calico/node to trusted privileged container list; add calico_node_write_envvars macro to exception list of write below etc
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-10-25 15:18:32 +02:00
Mark Stemm
daec9cb30d
Use falcoctl 0.0.4+ tests for space/dash psp names
Use falcoctl, which properly handles psp names containing
spaces/dashes. Also add tests that verify that the resulting rules are
valid.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2019-10-25 01:57:00 +02:00
kaizhe
5c61276695
rules update: expand list allowed_k8s_users
Signed-off-by: kaizhe <derek0405@gmail.com>
add comments
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-10-24 13:46:23 +02:00
Mark Stemm
d21e69cf9a
Use falcoctl 0.0.3 w/ unique names
Use the changes in https://github.com/falcosecurity/falcoctl/pull/25
that make sure rules, macros, lists, and rule names all have a unique
prefix. In this case the prefix is based on the psp name, so make sure
the psp name actually reflects what it does--there were a few
cut-and-paste carryovers.
This test assumes that falcoctl will be tagged/released as 0.0.3--the
tests won't pass until the falcoctl PR is merged and there's a release.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2019-10-23 10:45:03 -07:00