github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-03 18:06:44 +00:00
Code Issues Projects Releases Wiki Activity
1,131 Commits 117 Branches 173 Tags 104 MiB
bf19d8c881
Commit Graph

1131 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Lorenzo Fontana
bf19d8c881 chore: format json_evt in preparation to add fields 
Signed-off-by: Lorenzo Fontana <lo@linux.com>

Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-08 17:40:41 +02:00
Mark Stemm
7501c3cb5d Expand lists without using regsub 
To speed up list expansion, instead of using regexes to replace a list
name with its contents, do string searches followed by examining the
preceding/following characters for the proper delimiter.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2019-07-05 15:29:26 -07:00
Mark Stemm
52a44c171c Look up priorities using a table 
This is faster than iteration + string case changes.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2019-07-05 15:29:26 -07:00
Mark Stemm
0e4f2ec17c Skip unnecessary string cleanups 
We shouldn't need to clean up strings via a cleanup function and don't
need to do it via a bunch of string.gsub() functions.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2019-07-05 15:29:26 -07:00
Mark Stemm
047f12d0f6 More efficient searches for defined filters 
Instead of iterating over the entire list of filters and doing pattern
matches against each defined filter, perform table lookups.

For filters that take arguments e.g. proc.aname[3] or evt.arg.xxx, split
the filtercheck string on bracket/dot and check the values against a
table.

There are now two tables of defined filters: defined_arg_filters and
defined_noarg_filters. Each filter is put into a table depending on
whether the filter takes an argument or not.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2019-07-05 15:29:26 -07:00
Mark Stemm
c1035ce4de Make field index information public 
Json-related filtercheck fields supported indexing with brackets, but
when looking at the field descriptions you couldn't tell if a field
allowed an index, required an index, or did not allow an index.

This information was available, but it was a part of the protected
aliases map within the class.

Move this to the public field information so it can be used outside the
class.

Also add m_ prefixes for member names, now that the struct isn't
trivial.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2019-07-05 15:29:26 -07:00
Lorenzo Fontana
19c12042f4 update: sysdig dir gate in subdirectories 
Signed-off-by: Lorenzo Fontana <lo@linux.com>

Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-03 15:27:28 +02:00
Lorenzo Fontana
e688ab7d0a chore: remove find catch from cmake files 
Signed-off-by: Lorenzo Fontana <lo@linux.com>

Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-03 12:45:47 +02:00
Lorenzo Fontana
b2ef08fd30 chore: clang format following the current style 
Signed-off-by: Lorenzo Fontana <lo@linux.com>

Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-03 09:07:00 +02:00
Leonardo Di Donato
5fdf658d0e fix(userspace): correct include directories 
Co-Authored-By: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-02 17:52:29 +02:00
Leonardo Di Donato
08454dfa53 new: test token bucket declaration triggers the default init 
Co-Authored-By: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-02 17:52:29 +02:00
Lorenzo Fontana
9bc28951ad update: revert formatting 
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2019-07-02 17:52:29 +02:00
Leonardo Di Donato
583be9ce22 udpate: catch2 tests config 
Co-Authored-By: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-02 17:52:29 +02:00
Leonardo Di Donato
71b2fe6e14 update: token bucket tests 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-02 17:52:29 +02:00
Leonardo Di Donato
a09f71b457 new: dependency inject the timer for token bucket 
Co-Authored-By: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-02 17:52:29 +02:00
Leonardo Di Donato
1a0cf69b03 chore: cmakes formatting 
Co-Authored-By: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-02 17:52:29 +02:00
Leonardo Di Donato
3a1c0ea916 build: download fakeit mocking library (cmake) 
Co-Authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-02 17:52:29 +02:00
Leonardo Di Donato
fcc587e806 new: cmake format config file 
Co-Authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-02 17:52:29 +02:00
Leonardo Di Donato
815f5d8714 new: test token bucket 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-02 17:52:29 +02:00
Leonardo Di Donato
11838548df build: includes for tests 
Co-Authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-02 17:52:29 +02:00
Leonardo Di Donato
8a745b73a3 build: use sysdig directory variable for userspace engine build 
Co-Authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-02 17:52:29 +02:00
Leo Di Donato
fade424120 update(.github): PR template 
Some refinements and improvements to the GitHub PR template.

Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-07-01 19:04:56 +02:00
Leo Di Donato
48f2b1d08a fix(.github): kind/rule-* rather thant kind/rule/* 
Signed-off-by: leodidonato@gmail.com
 2019-07-01 14:42:18 +02:00
kaizhe
16bd8919ab rule update: fix syntax error 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-07-01 10:33:20 +02:00
kaizhe
6ce17d6fcb add rfc_1918_address macro 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-07-01 10:33:20 +02:00
kaizhe
c12052e03d add openshift image to whitelist 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-07-01 10:33:20 +02:00
kaizhe
8ed33a04fd rule update: add placeholder for rules write below root/etc 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-07-01 10:33:20 +02:00
Leonardo Di Donato
f4fea8441c new: initial clang format file 
This coding convention's solely goal is to approximately match the current code style.
It MUST not be intended in any other way until a real and definitive coding convention is put in.

Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-06-25 21:57:51 +02:00
Lorenzo Fontana
93537ccaea update: test files should use the naming convention 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2019-06-25 17:01:38 +02:00
Lorenzo Fontana
4174822617 fix: remove example file from cmake tests 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-06-25 17:01:38 +02:00
Lorenzo Fontana
c2ac1d3622 chore: remove typo 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
 2019-06-25 17:01:38 +02:00
Lorenzo Fontana
adabae4f63 update: build unit tests in travis 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
 2019-06-25 17:01:38 +02:00
Lorenzo Fontana
6e92988425 docs: licensing info in test files 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-06-25 17:01:38 +02:00
Lorenzo Fontana
026f6866e3 new: attach tests to main cmake and base test 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-06-25 17:01:38 +02:00
Lorenzo Fontana
18b66330ec new: tests cmake setup 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-06-25 17:01:38 +02:00
Lorenzo Fontana
acae9dd9f1 new: cmake modules for catch2 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-06-25 17:01:38 +02:00
Lorenzo Fontana
68340944b1 new: use sysdig modules to build libscap 
Signed-off-by: Lorenzo Fontana <lo@linux.com>

Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
 2019-06-24 11:28:25 +02:00
Lorenzo Fontana
02d5c167ce build: lyaml paths from vars 
Signed-off-by: Lorenzo Fontana <lo@linux.com>

Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
 2019-06-24 11:28:25 +02:00
Lorenzo Fontana
29251f2078 build: disable brotli for curl 
Signed-off-by: Lorenzo Fontana <lo@linux.com>

Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
 2019-06-24 11:28:25 +02:00
Leonardo Di Donato
e1655be243 build: refine cmake rule for grpc and curl 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-06-24 11:28:25 +02:00
Leonardo Di Donato
03310800ed update: ignore lyaml 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-06-24 11:28:25 +02:00
kaizhe
d158d99800 rule update: add exception for rule change thread namespace 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-06-20 12:12:05 -07:00
Lorenzo Fontana
1d7c6c3356 update: fields checksum 
Signed-off-by: Lorenzo Fontana <lo@linux.com>

Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
 2019-06-20 10:11:56 -07:00
Lorenzo Fontana
147ec6073c fix: SYSDIG_DIR not as an option but as a set 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-06-20 08:47:00 +02:00
Lorenzo Fontana
3f200c52b0 new: SYSDIG_DIR can be passed as cmake option 
Signed-off-by: Lorenzo Fontana <lo@linux.com>

Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2019-06-19 17:55:00 +02:00
kaizhe
88ed98ce81 update to macro 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-06-17 21:41:00 +02:00
kaizhe
18960b01b0 more comment 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-06-17 21:41:00 +02:00
kaizhe
5beddf5320 rule update: add back trusted_containers list for backport compatibility 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-06-17 21:41:00 +02:00
Naoki Oketani
2198147c35 docs: remove extra words 
Signed-off-by: Naoki Oketani <okepy.naoki@gmail.com>
 2019-06-17 08:44:00 +02:00
Kaizhe Huang
cfaa52f522 rule update: 
1. Extend macro mkdir with syscall mkdirat (#337)
2. add placeholder for whitelist in rule Clear Log Activities (#632)

Signed-off-by: kaizhe <derek0405@gmail.com>

add docker.io/ to the trusted images list

Signed-off-by: kaizhe <derek0405@gmail.com>

rule update: add container.id and image in the rule output except those rules with "not container" in condition

Signed-off-by: kaizhe <derek0405@gmail.com>

Remove empty line

Signed-off-by: Kaizhe Huang<derek0405@gmail.com>
 2019-06-13 22:27:59 +02:00