github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-05 10:56:47 +00:00
Code Issues Projects Releases Wiki Activity
1,860 Commits 117 Branches 173 Tags 104 MiB
a72f27c028
Commit Graph

1860 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
kaizhe
cc1892177a falco rule naming convention 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-01-07 14:58:12 +01:00
Michael Ducy
2041932ad2 move audit doc 
Signed-off-by: Michael Ducy <michael@ducy.org>
 2019-12-17 09:15:41 +01:00
Michael Ducy
64b50978e0 Publish security audit 
Signed-off-by: Michael Ducy <michael@ducy.org>
 2019-12-17 09:15:41 +01:00
Mark Stemm
c53df3af00 Don't rethrow exceptions in parse_k8s_audit_json 
Callers aren't expected to catch execeptions and instead rely on the
bool return value to indicate whether or not the parsing was successful.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2019-12-16 17:00:50 -08:00
Mark Stemm
4c576f31f2 Also allow json arrays of k8s audit evts 
Currently, the json object POSTed to the /k8s_audit endpoint is assumed
to be an obect, with a "type" of either "Event" or "EventList". When the
K8s API Server POSTs events, it aggregates them into an EventList,
ensuring that there is always a single object.

However, we're going to add some intermediate tools that tail log files
and send them to the endpoint, and the easiest way to send a batch of
events is to pass them as a json array instead of a single object.

To properly handle this, modify parse_k8s_audit_event_json to also
handle a json array. For arrays, it iterates over the objects, calling
parse_k8s_audit_json recursively. This only iterates an initial top
level array to avoid excessive recursion/attacks involving degenerate
json objects with excessively nested arrays.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2019-12-16 17:00:50 -08:00
Hiroki Suezawa
cd94d05cd9 rule(list network_tool_binaries): delete ssh from the list 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-16 22:27:12 +01:00
Hiroki Suezawa
23a7203e50 rule(list network_tool_binaries): add network tool names 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-16 22:27:12 +01:00
Leonardo Di Donato
28fa4a72e8 docs(docker/builder): usage reports clang version too 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-12-13 13:04:23 +01:00
Leonardo Di Donato
ac4f089903 update(docker/builder): add llvm-toolset-7 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-12-13 13:04:23 +01:00
Leonardo Di Donato
cd1b23d2bc update(.github): remove unused kind/* label from PR template 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-12-13 11:17:02 +01:00
Leonardo Di Donato
de8714d2be chore(.github): delete issue templates in favor of default ones 
Default issue templates can be found in https://github.com/falcosecurity/.github repo.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-12-13 11:17:02 +01:00
Hiroki Suezawa
93fdf8ef61 rule(macro user_known_k8s_client_container): Rephrase the comment 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-11 12:53:06 +01:00
Hiroki Suezawa
bcc84c47c6 rule(macro user_known_k8s_client_container): have more strict condition to avoid false positives 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-11 12:53:06 +01:00
Chris Goller
965ead0c2a build: use consistent case for options in message 
Signed-off-by: Chris Goller <goller@gmail.com>
 2019-12-10 21:15:16 +01:00
Chris Goller
d66125278a build: use consistent case for falco options 
Signed-off-by: Chris Goller <goller@gmail.com>
 2019-12-10 21:15:16 +01:00
Chris Goller
e31bfeb8b2 build: add FALCO_Coverage CMake option 
With cmake FALCO_Coverage=on the --coverage option
is passed to both clang and gcc to help analyze untested
portions of the code base.  It produces gcov files.

These files can be analyzed by many tools such as lcov,
gcovr, etc.

Here is an example of one such tool, lcov:

 lcov --directory . --capture --output-file coverage.info
 lcov --extract coverage.info '/source/*' --output-file coverage.info
 genhtml coverage.info

Signed-off-by: Chris Goller <goller@gmail.com>
 2019-12-10 21:15:16 +01:00
Leonardo Di Donato
7159b43f68 update(proposals): goals, non-goals and use cases of the Falco API 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-12-09 16:46:16 +01:00
Leonardo Di Donato
b684aee817 update(proposals): better summary for Falco API 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-12-09 16:46:16 +01:00
Leonardo Di Donato
ae52dc4d3b proposals: complete the Falco API proposal 
Co-Authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-12-09 16:46:16 +01:00
Leo Di Donato
a64f7faa3c fix(proposals): typos and language 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>

Co-Authored-By: Lorenzo Fontana <lo@linux.com>
 2019-12-09 16:46:16 +01:00
Leonardo Di Donato
ced04a4d89 update: goals and (initial) architecture for API services 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-12-09 16:46:16 +01:00
Leonardo Di Donato
2b75ca9024 new: setup Falco API proposal 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-12-09 16:46:16 +01:00
Lorenzo Fontana
8069eacc94 build: use secure grpc when it is not bundled 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2019-12-06 13:36:16 +01:00
Nicolas Marier
13931ab5d7 rule(Write below etc): whitelist automount writing under /etc 
This commit allows automount to write under /etc/mtab without flagging
it as an error.

Signed-off-by: Nicolas Marier <nmarier@coveo.com>
 2019-12-05 19:27:18 +01:00
Hiroki Suezawa
559b7e1bb1 rule(The docker client is executed in a container): modify condition to reduce false positive 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-05 14:32:22 +01:00
Hiroki Suezawa
fc58ac7356 rule update: modify rule to detect connection to K8S API Server from a container 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-05 10:59:05 +01:00
Leonardo Di Donato
e893e048a1 docs(README): community call + repo planning + correct mailing list URL 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-12-04 18:41:28 +01:00
Leo Di Donato
0c9787624b docs(CONTRIBUTING): rule type subsection title 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-12-04 18:09:14 +01:00
Lorenzo Fontana
daca750cd9 docs(CONTRIBUTING): commit convention details 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2019-12-04 18:09:14 +01:00
Jean-Philippe Lachance
418bcf2177 Apply Kaizhe's code review 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
 2019-12-04 03:36:04 +01:00
Jean-Philippe Lachance
f97a33d40a Exclude exe_running_docker_save in the "Update Package Repository" rule 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
 2019-12-04 03:36:04 +01:00
Jean-Philippe Lachance
df7a356e1d Apply Kaizhe's code review 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
 2019-12-04 03:35:11 +01:00
Jean-Philippe Lachance
03e8b7f53d Exclude exe_running_docker_save in the "Modify Shell Configuration File" rule 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
 2019-12-04 03:35:11 +01:00
Jean-Philippe Lachance
146343e5f0 Update the exe_running_docker_save macro to support docker in docker 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
 2019-12-04 02:20:21 +01:00
Hiroki Suezawa
7da245e902 rule update: Modify rule to detect raw packets creation 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-04 00:19:26 +00:00
Hiroki Suezawa
d0e6279bb2 rule update: Modify condition for raw packets creation 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-04 00:19:26 +00:00
Hiroki Suezawa
8b2d4e1fe6 rule update: Fix condition for raw packets creation and renamed 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-04 00:19:26 +00:00
Hiroki Suezawa
ebec520ebc rule update: Add rules to detect raw packets creation 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-04 00:19:26 +00:00
kaizhe
2f8caf99cd rule update: align sensitive mount macro between k8s_audit rules and syscall rules 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-12-03 12:58:21 -08:00
Hiroki Suezawa
0b402e2326 rule update: Rename rule for Cloud Metadata access again 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-03 20:15:33 +00:00
Hiroki Suezawa
54329a64cd rule update: Rename rule for Cloud Metadata access 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-03 20:15:33 +00:00
rung
89d8259860 rule update: Add consider_gce_metadata_access macro for rule to detect GCE Metadata access 
Signed-off-by: rung <suezawa@gmail.com>
 2019-12-03 20:15:33 +00:00
Hiroki Suezawa
e70febc8db rule update: Add rules for GCE Metadata detection 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-03 20:15:33 +00:00
kaizhe
722ab4f2f9 minor changes 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-12-03 19:37:01 +00:00
kaizhe
6c9bce6f73 update k8s audit rule 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-12-03 19:37:01 +00:00
kaizhe
7c33fafe89 minor changes 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-12-03 19:37:01 +00:00
kaizhe
18acea4a73 minor changes 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-12-03 19:37:01 +00:00
kaizhe
8011fe7ce7 rules update: add more sensitive host path to sensitive_host_mount macro 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-12-03 19:37:01 +00:00
Lorenzo Fontana
d328ff3fde update(cmake/patch): include Makefile template in patch for grpc 1.25.0 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2019-12-03 17:43:57 +00:00
Lorenzo Fontana
fbcc6a0781 build: update gRPC to 1.25.0 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2019-12-03 17:43:57 +00:00