github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-27 23:27:20 +00:00
Code Issues Projects Releases Wiki Activity
2,779 Commits 121 Branches 172 Tags 104 MiB
b4d9261ce2
Commit Graph

2779 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Leonardo Grasso
b4d9261ce2 build: define "falco" component 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-04-22 09:41:56 +02:00
Leonardo Grasso
3300c72db0 build(cmake/modules): explicitly set libs package and driver component names 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-04-22 09:41:56 +02:00
Jason Dellaluce
0bf53f0f88 refactor(userspace/engine): restrict unsafe-na-check warning to k8s audit fields 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-21 18:50:58 +02:00
Jason Dellaluce
37d03cf7bc chore(userspace/engine): fix typo spotted with codespell 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-21 18:50:58 +02:00
Jason Dellaluce
71274b4369 test(userspace/engine): add unit tests for filter_warning_resolver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-21 18:50:58 +02:00
Jason Dellaluce
95727b268f new(userspace/engine): add a resolver to generate warnings from a filter AST 
The first warnings we support involve the unsafe comparisons with <NA>, which were present
in the legacy regression tests for PSPs.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-21 18:50:58 +02:00
Jason Dellaluce
391ab028fc refactor!: deprecate PSP regression tests 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-21 18:50:58 +02:00
Leonardo Grasso
8dd4beac73 build(cmake): upgrade catch2 to 2.13.9 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-04-21 16:17:59 +02:00
Mateusz Gozdek
b080d20525 Add codespell GitHub Action 
Folllow up to #1961 to prevent common typos to be added to the repo.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
 2022-04-20 12:21:27 +02:00
Mateusz Gozdek
1fdfbd3a3d Fix more typos 
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
 2022-04-20 12:21:27 +02:00
Kevin Krakauer
53eb6112a6 add gVisor to ADOPTERS.md 
Signed-off-by: Kevin Krakauer <krakauer@google.com>
 2022-04-20 12:20:27 +02:00
Jason Dellaluce
13256fb7ef update(userspace/engine): bump engine version to 12 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-19 16:29:40 +02:00
Jason Dellaluce
df6dced96b update(build): bump cloudtrail and json plugin versions 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-19 16:29:40 +02:00
Jason Dellaluce
d9d23cd31d update: bump libs version to b19f87e8aee663e4987a3db54570725e071ed105 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-19 16:29:40 +02:00
Jason Dellaluce
b8a95d262f refactor(userspace/engine): polish evttype resolver and use it in rule loader 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-19 16:29:40 +02:00
Jason Dellaluce
dd3d235d7f refactor(tests): adapting test_rulesets to new method signatures 
At the same time, this also simplifies the unit test cases by using the SCENARIO construct of catch2,
which allows sharing a setup phases between different unit tests, and removes a bunch of repeated LOC in our case.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-19 16:29:40 +02:00
Jason Dellaluce
71ca58cebd test(userspace/engine): port unit tests for evttypes resolver from linsinsp 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-19 16:29:40 +02:00
Jason Dellaluce
b5870a8656 new(userspace/engine): add a resolver class to search evttypes from filters and event names 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-19 16:29:40 +02:00
Jason Dellaluce
f638706ba3 chore(userspace/engine): renamings and code polishing in rule_loader and rule_reader 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-15 10:54:58 +02:00
Jason Dellaluce
e1a5427874 update(userspace): add method to clear rule loader state 
Once all rule files have been loaded, and all the rules have been compiled into filters and inserted in the engine rulesets, the loader definitions are maintained in memory without really being used. This commit adds a convenience method to clear the loader state and free-up some memory when engine consumers do not require such information in memory anymore.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-15 10:54:58 +02:00
Jason Dellaluce
30fb58ed48 refactor(userspace/engine): update falco_engine to use new rule_reader 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-15 10:54:58 +02:00
Jason Dellaluce
2c0e6d3b88 update(userspace/engine): introduce new rule_reader class 
The rule_reader class is responsible of parsing the YAML ruleset text and of using the rule_loader
to store the new definition in the internal state. This is a first step towards separating the YAML
reading logic from the rule parsing one. Potentially, this will allow us to read rulesets from another
YAML library or from something different than YAML files too.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-15 10:54:58 +02:00
Jason Dellaluce
9ed7d57838 refactor(userspace/engine): reduce responsibilities of rule_loader 
The rule_loader is now simply responsible of collecting list/macro/rule definitions and then compiling them as falco_rules. The ruleset file reading code will be moved to another class

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-15 10:54:58 +02:00
Clemence Saussez
af96a930eb rules(allowed_kube_namespace_image_list): add container threat detection image 
Signed-off-by: Clemence Saussez <clemence@zen.ly>
 2022-04-15 10:52:58 +02:00
Clemence Saussez
5d65671d3a rules(falco_privileged_images): add container threat detection image 
Signed-off-by: Clemence Saussez <clemence@zen.ly>
 2022-04-15 10:52:58 +02:00
Stefano
d3383b4b23 Fixed ouput Rules K8s Serviceaccount Created/Deleted 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: AlbertoPellitteri <alberto.pellitteri@sysdig.com>
 2022-04-15 10:49:58 +02:00
Stefano
65435d4418 Removed use cases not triggering 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Brucedh <alessandro.brucato@sysdig.com>
Co-authored-by: AlbertoPellitteri <alberto.pellitteri@sysdig.com>
 2022-04-13 10:03:25 +02:00
Jason Dellaluce
06b6565fa6 refactor(userspace): sync falco codebase to new falco_common definitions 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-11 22:21:20 +02:00
Jason Dellaluce
55ec8c0e1b refactor(userspace/engine): polish falco_common and improve priority parsing/formatting 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-11 22:21:20 +02:00
Lorenzo Susini
4343fe8a8b new(rules/k8s_audit): add rules to detect pods sharing host pid and IPC namespaces 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-04-11 18:29:19 +02:00
Jason Dellaluce
2934ef29b9 chore(userspace/engine): fix indentations and use improve indexed_vector 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-11 12:22:18 +02:00
Jason Dellaluce
47426fbe0d update(userspace/engine): minor improvements and bug fixes on engine and rule loader 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-11 12:22:18 +02:00
Jason Dellaluce
e50d22f013 fix(userspace/engine): solve integration test errors 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-11 12:22:18 +02:00
Jason Dellaluce
c0f8171d89 test: adapt integration tests to new rule loader error messages 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-11 12:22:18 +02:00
Jason Dellaluce
43020d8a7d refactor(userspace/engine): re-implement the rule loader in C++ 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-11 12:22:18 +02:00
Jason Dellaluce
d483b897e7 new(userspace/engine): create stats_manager inside falco engine 
This is a porting of what we had inside the Lua codebase. This now handles the single responsibility
of gathering stats about rule-event matching, and of formatting them to print them to the user.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-11 12:22:18 +02:00
Jason Dellaluce
9e93b7cd52 new(userspace/engine): add falco_rule struct to represent rule definitions 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-11 12:22:18 +02:00
Jason Dellaluce
6c9e6c5918 new(userspace/engine): add new indexed_vector class to achieve string-based O(1) access in vectors 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-11 12:22:18 +02:00
Jason Dellaluce
c2cac5af92 refactor(userspace/engine): add run() overload in filter_macro_resolver to support shared_ptrs 
This change allows working with safety with AST nodes wrapped into shared pointers.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-11 12:22:18 +02:00
Jason Dellaluce
cf83a91d4e refactor(userspace/engine): re-implement wrap_text() function in falco_utils 
The function implementation was removed, however it was still defined in the .h header. Moreover,
this will now be required in order to replace its lua equivalent.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-11 12:22:18 +02:00
Jason Dellaluce
3201479392 refactor(userspace/engine): turn falco_common into a namespace containing common static utilities 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-11 12:22:18 +02:00
Jason Dellaluce
b74dcbd851 cleanup(userspace/engine): remove lua files and lua-related code sections 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-11 12:22:18 +02:00
Jason Dellaluce
7db9dd66ff refactor(build): drop dependencies to chisels, luajit, lyaml, and libyaml 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-11 12:22:18 +02:00
Angelo Puglisi
e8cb96a57b perf: change falco_engine::process_event to lookup sources by index 
falco_engine::process_event gets called for every inspector event.
Profiling showed that std::map::find takes about 10% of
falco_engine::process_event, and that can easily improved by accessing
the source by index.

Signed-off-by: Angelo Puglisi <angelopuglisi86@gmail.com>
 2022-04-06 14:46:31 +02:00
Mateusz Gozdek
cb4cec6f57 Fix typos 
Found by running the following command:
codespell -f -H -L aks,creat,chage -S .git

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
 2022-04-06 14:40:31 +02:00
Stefano
36bd07d82d Fix spaces 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
 2022-04-01 19:38:40 +02:00
Stefano
bcff88922a Added eks_allowed_k8s_users list to whitelist EKS users 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Alberto Pellitteri <alberto.pellitteri@sysdig.com>
 2022-04-01 19:38:40 +02:00
Stefano
1988f3b0be Disabled by default noisy rules 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
 2022-03-29 17:39:25 +02:00
schie
64f0cefab0 Update rules/okta_rules.yaml 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Thomas Labarussias <issif+github@gadz.org>
 2022-03-29 17:39:25 +02:00
schie
48041a517b Update rules/okta_rules.yaml 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Thomas Labarussias <issif+github@gadz.org>
 2022-03-29 17:39:25 +02:00