Hiroki Suezawa
fc58ac7356
rule update: modify rule to detect connection to K8S API Server from a container
...
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-05 10:59:05 +01:00
Leonardo Di Donato
e893e048a1
docs(README): community call + repo planning + correct mailing list URL
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-12-04 18:41:28 +01:00
Leo Di Donato
0c9787624b
docs(CONTRIBUTING): rule type subsection title
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-12-04 18:09:14 +01:00
Lorenzo Fontana
daca750cd9
docs(CONTRIBUTING): commit convention details
...
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2019-12-04 18:09:14 +01:00
Jean-Philippe Lachance
418bcf2177
Apply Kaizhe's code review
...
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2019-12-04 03:36:04 +01:00
Jean-Philippe Lachance
f97a33d40a
Exclude exe_running_docker_save in the "Update Package Repository" rule
...
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2019-12-04 03:36:04 +01:00
Jean-Philippe Lachance
df7a356e1d
Apply Kaizhe's code review
...
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2019-12-04 03:35:11 +01:00
Jean-Philippe Lachance
03e8b7f53d
Exclude exe_running_docker_save in the "Modify Shell Configuration File" rule
...
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2019-12-04 03:35:11 +01:00
Jean-Philippe Lachance
146343e5f0
Update the exe_running_docker_save macro to support docker in docker
...
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2019-12-04 02:20:21 +01:00
Hiroki Suezawa
7da245e902
rule update: Modify rule to detect raw packets creation
...
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-04 00:19:26 +00:00
Hiroki Suezawa
d0e6279bb2
rule update: Modify condition for raw packets creation
...
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-04 00:19:26 +00:00
Hiroki Suezawa
8b2d4e1fe6
rule update: Fix condition for raw packets creation and renamed
...
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-04 00:19:26 +00:00
Hiroki Suezawa
ebec520ebc
rule update: Add rules to detect raw packets creation
...
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-04 00:19:26 +00:00
kaizhe
2f8caf99cd
rule update: align sensitive mount macro between k8s_audit rules and syscall rules
...
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-12-03 12:58:21 -08:00
Hiroki Suezawa
0b402e2326
rule update: Rename rule for Cloud Metadata access again
...
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-03 20:15:33 +00:00
Hiroki Suezawa
54329a64cd
rule update: Rename rule for Cloud Metadata access
...
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-03 20:15:33 +00:00
rung
89d8259860
rule update: Add consider_gce_metadata_access macro for rule to detect GCE Metadata access
...
Signed-off-by: rung <suezawa@gmail.com>
2019-12-03 20:15:33 +00:00
Hiroki Suezawa
e70febc8db
rule update: Add rules for GCE Metadata detection
...
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-03 20:15:33 +00:00
kaizhe
722ab4f2f9
minor changes
...
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-12-03 19:37:01 +00:00
kaizhe
6c9bce6f73
update k8s audit rule
...
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-12-03 19:37:01 +00:00
kaizhe
7c33fafe89
minor changes
...
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-12-03 19:37:01 +00:00
kaizhe
18acea4a73
minor changes
...
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-12-03 19:37:01 +00:00
kaizhe
8011fe7ce7
rules update: add more sensitive host path to sensitive_host_mount macro
...
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-12-03 19:37:01 +00:00
Lorenzo Fontana
d328ff3fde
update(cmake/patch): include Makefile template in patch for grpc 1.25.0
...
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2019-12-03 17:43:57 +00:00
Lorenzo Fontana
fbcc6a0781
build: update gRPC to 1.25.0
...
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2019-12-03 17:43:57 +00:00
Jean-Philippe Lachance
80d69917ea
* Rename the macro to user_known_package_manager_in_container
...
+ Add a comment to explain how we should use this macro
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2019-12-03 00:03:35 +01:00
Jean-Philippe Lachance
3713f7a614
+ Add a simple user_known_package_manager_in_container_conditions macro
...
* Use the user_known_package_manager_in_container_conditions macro in the "Launch Package Management Process in Container" rule
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2019-12-03 00:03:35 +01:00
Jean-Philippe Lachance
79cb75dcd1
! Exclude exe_running_docker_save in the "Set Setuid or Setgid bit" rule
...
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2019-12-02 23:54:53 +01:00
Hiroki Suezawa
c736a843a0
rule update: Add kubelet to user_known_chmod_applications list
...
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-01 23:27:04 +01:00
Adrián Arroyo Calle
1b05f0e6a7
chore: read hostname in initialization
...
Signed-off-by: Adrián Arroyo Calle <adrian.arroyocalle@gmail.com>
2019-11-27 22:23:49 +01:00
Adrián Arroyo Calle
4d180cbc31
chore: use std::string to have safer copies
...
Signed-off-by: Adrián Arroyo Calle <adrian.arroyocalle@gmail.com>
2019-11-27 22:23:49 +01:00
Adrián Arroyo Calle
137e7fc0ec
chore: hostname can be 253 characters maximum
...
Signed-off-by: Adrián Arroyo Calle <adrian.arroyocalle@gmail.com>
2019-11-27 22:23:49 +01:00
Adrián Arroyo Calle
52fbcefa1d
chore: add environment variable FALCO_GRPC_HOSTNAME
...
Signed-off-by: Adrián Arroyo Calle <adrian.arroyocalle@gmail.com>
2019-11-27 22:23:49 +01:00
Adrián Arroyo Calle
a084f17493
feat: add hostname field in gRPC output
...
Signed-off-by: Adrián Arroyo Calle <adrian.arroyocalle@gmail.com>
2019-11-27 22:23:49 +01:00
Leonardo Di Donato
c96f85282d
fix: do not use wget to patch gRPC makefile
...
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-27 18:18:07 +01:00
Lorenzo Fontana
d2459aa0a8
update: add wget to the travis build
...
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2019-11-27 18:18:07 +01:00
Lorenzo Fontana
d11ac4a59d
update: cleanup the gRPC dependency and use the url from the main project
...
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2019-11-27 18:18:07 +01:00
Mark Stemm
4e39fee54e
Always catch json type errors when extracting
...
In all extraction functions, always catch json type errors alongside
json out of range errors. Both cases result in not extracting any value
from the event.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2019-11-18 16:19:58 -08:00
Leonardo Di Donato
885e131451
fix(scripts): copy falco-probe-loader during packages build
...
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
Leonardo Di Donato
6ede7bd422
chore: removing sysdig references
...
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
Leonardo Di Donato
a64a827d72
update: puppet module had been renamed to falco
...
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
Leonardo Di Donato
a200d17581
chore: improving naming
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
Leonardo Di Donato
a17a12c306
update(scripts): rename env variables for falco probe loader
...
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
Leonardo Di Donato
514d8bacc3
update(docker): introduce SKIP_MODULE_LOAD env variable
...
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
Leonardo Di Donato
3e9ebfb354
fix(docker): adapt dockerfiles to HOST_ROOT env var
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
Leonardo Di Donato
17bc344381
fix(scripts): rename SYSDIG_HOST_ROOT env variable into HOST_ROOT
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
Leonardo Di Donato
3ce2056dc5
fix(docker): glob rather than ls in the docker entrypoints
...
Plus, make them use HOST_ROOT env var, not SYSDIG_HOST_ROOT
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
Leonardo Di Donato
9e355e1a74
fix(userspace/falco): typo for consumer related methods
...
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
Loris Degioanni
468fa35965
chore: naming cleanup
...
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00
Loris Degioanni
bb3c0275cc
fix(scripts): license header
...
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-11-14 10:00:36 -08:00