github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-06 11:26:44 +00:00
Code Issues Projects Releases Wiki Activity
2,616 Commits 117 Branches 173 Tags 104 MiB
83b036bc0e
Commit Graph

2616 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Leonardo Di Donato
44f0633f47 update: falco builder image has FALCO_VERSION build arg and env var again 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-26 03:23:01 +02:00
Leonardo Di Donato
9d4ed8e33e build: falco version from git when cmake variable exists but empty 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-26 03:23:01 +02:00
Leonardo Di Donato
0d4fc4bdad update: falco version from cmake variable 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-26 03:23:01 +02:00
Leonardo Di Donato
85a94d67d3 build: falco version from git index when not defined 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-26 03:23:01 +02:00
Leonardo Di Donato
f3c3cda879 new: cmake modules for git revision description 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-26 03:23:01 +02:00
Leonardo Di Donato
e02318db7c update: centos 7 falco builder 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-26 03:23:01 +02:00
Leonardo Di Donato
9f7e3bdfcd update: usage examples for falco builder 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-26 03:23:01 +02:00
Leonardo Di Donato
2cda10caeb new: default (usage) command for falco builder image 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-26 03:23:01 +02:00
Leonardo Di Donato
7efec602e8 new: script to enable toolset 7 in falco builder containers 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-26 03:23:01 +02:00
Leonardo Di Donato
8fb4c7f2f6 update: entrypoint checks for sysdig and falco dirs 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-26 03:23:01 +02:00
Leonardo Di Donato
6e313742e7 build: attempt to be consistent when downloading things 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-26 03:23:01 +02:00
Leonardo Di Donato
e92a721521 build: install cmake at docker build phase rather than at runtime 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-26 03:23:01 +02:00
Leonardo Di Donato
d5aae4aff5 update: make travis use the hack script 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-26 03:23:01 +02:00
Leonardo Di Donato
2aff2d00a3 update: move build and test commands into a separate script 
Co-authored-By: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-26 03:23:01 +02:00
ntimo
d7956a2a09 add docker.io/prom/node-exporter to falco_sensitive_mount_images 
Signed-off-by: Timo Nowitzki <git@nowitzki.me>
 2019-07-24 16:25:47 +02:00
ntimo
9308c1ee55 add docker.io/google/cadvisor to falco_sensitive_mount_images 
Signed-off-by: Timo Nowitzki <git@nowitzki.me>
 2019-07-24 16:25:47 +02:00
Mark Stemm
40e3e21391 Allow all lowercase priorities 
Just being tolerant given that the comparison used to be entirely
case-insensitive.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2019-07-24 13:05:17 +02:00
kaizhe
d6c089c917 add netdata/netdata to falco_sensitive_mount_images 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-07-23 18:50:23 +02:00
kaizhe
9ab718c100 rules update: 
Add trusted_logging_images macro for rule Clear Log Hisotry as exception

Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-07-23 18:50:23 +02:00
Lorenzo Fontana
4b2ea32eac fix: do the inspector after forking for daemon mode 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2019-07-23 01:13:05 +02:00
Spencer Krum
5acdb16e89 Fix shell_procs macro 
Extra parentheses broke the Terminal check

Co-Authored-By: Michael Ducy <michael@ducy.org>
Signed-off-by: Spencer Krum <skrum@us.ibm.com>
 2019-07-22 04:43:26 -07:00
Mark Stemm
a084f8c4ed CHANGELOG/README changes for 0.16.0 
Bumping version, noting changes since last release.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2019-07-12 12:18:42 -07:00
Mark Stemm
01f65e3bae Add new tests for validating rules files 
Add a bunch of additional test cases for validating rules files. Each
has a specific kind of parse failure and checks for the appropriate
error info on stdout.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2019-07-11 11:24:22 -07:00
Mark Stemm
1711ed0a2e Pass back explicit errors in load_rules() 
Instead of relying on lua errors to pass back parse errors, pass back an
explicit true + required engine version or false + error message.

Also clean up the error message to display info + context on the
error. When the error related to yaml parsing, use the row number passed
back in lyaml's error string to print the specific line with the error.

When parsing rules/macros/lists, print the object being parsed alongside
the error.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2019-07-11 11:24:22 -07:00
Mark Stemm
839d76a760 Send validate output to stdout 
When parsing rules files with -V (validate), print info on the result of
loading the rules file to stdout. That way a caller can capture stdout
to pass along any rules parsing error.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2019-07-11 11:24:22 -07:00
Mark Stemm
dc7bff127f New flags to compare stdout/stderr, validate rules 
New test options stdout_is/stderr_is do a direct comparison between
stdout/stderr and the provided value.

Test option validate_rules_file maps to -V arguments, which validate
rules and exits.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2019-07-11 11:24:22 -07:00
Leonardo Di Donato
e80ff6296a new: luacheck basic config 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-10 18:49:02 +02:00
Leonardo Di Donato
231f881c5a update: ignore luacheck cache 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-10 18:49:02 +02:00
Leonardo Di Donato
cb5a3a14e6 new: k8s.gcr.io/kube-proxy addition to falco trusted images 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-10 16:43:41 +02:00
Leonardo Di Donato
4c68da0dcc new: YAML lint configuration 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-10 13:00:03 +02:00
Mattia Pagnozzi
a32870ae1d Add runc to the list of possible container entrypoint parents 
Docker versions >= 18.09 removed the "docker-" prefix, so include runc
in the list.

Signed-off-by: Mattia Pagnozzi <mattia.pagnozzi@gmail.com>
 2019-07-09 14:31:49 +02:00
Leonardo Di Donato
fdbd520cce fix: bump falco engine version 
Co-Authored-By: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-09 11:45:38 +02:00
Leonardo Di Donato
f20a5a04bf new: cmake format file 
Co-Authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-08 19:05:06 +02:00
Lorenzo Fontana
affb1086a3 update: fields checksum while adding ka.useragent 
Signed-off-by: Lorenzo Fontana <lo@linux.com>

Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-08 17:40:41 +02:00
Lorenzo Fontana
8155d467ab update: ka.useragent in k8s audit fields 
Signed-off-by: Lorenzo Fontana <lo@linux.com>

Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-08 17:40:41 +02:00
Lorenzo Fontana
bf19d8c881 chore: format json_evt in preparation to add fields 
Signed-off-by: Lorenzo Fontana <lo@linux.com>

Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-08 17:40:41 +02:00
Mark Stemm
7501c3cb5d Expand lists without using regsub 
To speed up list expansion, instead of using regexes to replace a list
name with its contents, do string searches followed by examining the
preceding/following characters for the proper delimiter.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2019-07-05 15:29:26 -07:00
Mark Stemm
52a44c171c Look up priorities using a table 
This is faster than iteration + string case changes.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2019-07-05 15:29:26 -07:00
Mark Stemm
0e4f2ec17c Skip unnecessary string cleanups 
We shouldn't need to clean up strings via a cleanup function and don't
need to do it via a bunch of string.gsub() functions.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2019-07-05 15:29:26 -07:00
Mark Stemm
047f12d0f6 More efficient searches for defined filters 
Instead of iterating over the entire list of filters and doing pattern
matches against each defined filter, perform table lookups.

For filters that take arguments e.g. proc.aname[3] or evt.arg.xxx, split
the filtercheck string on bracket/dot and check the values against a
table.

There are now two tables of defined filters: defined_arg_filters and
defined_noarg_filters. Each filter is put into a table depending on
whether the filter takes an argument or not.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2019-07-05 15:29:26 -07:00
Mark Stemm
c1035ce4de Make field index information public 
Json-related filtercheck fields supported indexing with brackets, but
when looking at the field descriptions you couldn't tell if a field
allowed an index, required an index, or did not allow an index.

This information was available, but it was a part of the protected
aliases map within the class.

Move this to the public field information so it can be used outside the
class.

Also add m_ prefixes for member names, now that the struct isn't
trivial.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2019-07-05 15:29:26 -07:00
Lorenzo Fontana
19c12042f4 update: sysdig dir gate in subdirectories 
Signed-off-by: Lorenzo Fontana <lo@linux.com>

Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-03 15:27:28 +02:00
Lorenzo Fontana
e688ab7d0a chore: remove find catch from cmake files 
Signed-off-by: Lorenzo Fontana <lo@linux.com>

Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-03 12:45:47 +02:00
Lorenzo Fontana
b2ef08fd30 chore: clang format following the current style 
Signed-off-by: Lorenzo Fontana <lo@linux.com>

Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-03 09:07:00 +02:00
Leonardo Di Donato
5fdf658d0e fix(userspace): correct include directories 
Co-Authored-By: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-02 17:52:29 +02:00
Leonardo Di Donato
08454dfa53 new: test token bucket declaration triggers the default init 
Co-Authored-By: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-02 17:52:29 +02:00
Lorenzo Fontana
9bc28951ad update: revert formatting 
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2019-07-02 17:52:29 +02:00
Leonardo Di Donato
583be9ce22 udpate: catch2 tests config 
Co-Authored-By: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-02 17:52:29 +02:00
Leonardo Di Donato
71b2fe6e14 update: token bucket tests 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-02 17:52:29 +02:00
Leonardo Di Donato
a09f71b457 new: dependency inject the timer for token bucket 
Co-Authored-By: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-02 17:52:29 +02:00