github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-28 15:47:25 +00:00
Code Issues Projects Releases Wiki Activity
2,864 Commits 121 Branches 172 Tags 104 MiB
c3bcf604a5
Commit Graph

2864 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Stefano
c3bcf604a5 Changed Rule focus to be broader then just a specific CVE 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-05-12 14:42:34 +02:00
Stefano
2e2b13236b Fixed CVE number 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-05-12 14:42:34 +02:00
Stefano
24bd1abc43 Added new rule for CVE-2022-4092 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-05-12 14:42:34 +02:00
Federico Di Pierro
acbbcf7481 Update userspace/falco/app_cmdline_options.h 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2022-05-12 14:26:34 +02:00
Federico Di Pierro
3ba64d8a49 new(userspace/falco): new inotify watcher is now able to properly watch rules folders, when specified. 
This means that when starting Falco passing to it a folder for its rules, it will properly manage
changes to any file inside the folders, plus any created/deleted file inside it.

Unified list of rules parsing, instead of having it done twice inside cmdline_options and configuration.
Instead, it is done only once, inside load_rules_files.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-05-12 14:26:34 +02:00
Federico Di Pierro
293a6c2b40 update(userspace/falco): moved to a config option. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-05-12 14:26:34 +02:00
Federico Di Pierro
a9fe979071 chore(userspace/falco): small cleanup. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-05-12 14:26:34 +02:00
Federico Di Pierro
e32f5a66c5 new(userspace/falco): added an option to listen to changes on the config file and rules files, and trigger a Falco reload. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-05-12 14:26:34 +02:00
Milkshak3s
8c6cfae18f Include origin host in output json 
Signed-off-by: Milkshak3s <justchris.vantine@gmail.com>
 2022-05-09 12:16:50 +02:00
Leonardo Grasso
eae193ade0 build(userspace/engine): cleanup unused include dir 
`CURL_INCLUDE_DIR` is a leftover since now the correct include path is injected via libs.

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-05-04 16:12:30 +02:00
Sebastien Le Digabel
2bc4fec33c rule(Anonymous Request Allowed): exclude {/livez, /readyz} 
Fixes #1794.

/livez and /readyz don't require authentication and can generate a lot
of noise if the cluster is checked by an anonymous external
system.

Some k8s systems have those endpoints required to be anonymous, as per this
[link to an OpenShift
setup](http://static.open-scap.org/ssg-guides/ssg-ocp4-guide-cis.html#xccdf_org.ssgproject.content_rule_api_server_anonymous_auth).

Signed-off-by: Sebastien Le Digabel <sledigabel@gmail.com>
 2022-05-04 13:04:29 +02:00
Jason Dellaluce
dbbc93f69d fix(userspace/falco): listen to proper host in webserver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2022-04-29 20:47:19 +02:00
Jason Dellaluce
de754fb4e7 chore(falco.yaml): comment-out k8s plugin default config values 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-29 20:47:19 +02:00
Jason Dellaluce
63b7aabc81 chore: solve compilation issues and polish code 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2022-04-29 20:47:19 +02:00
Jason Dellaluce
69db6adf9d refactor(test): use SKIP_PLUGINS_TESTS to skip k8s audit regression tests 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-29 20:47:19 +02:00
Jason Dellaluce
67d2fe45a5 refactor: add k8saudit plugin and adapt config, tests, and rulesets 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-29 20:47:19 +02:00
Jason Dellaluce
b91ff34b97 refactor: drop civetweb dependency and implement healtz using cpp-httplib 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-29 20:47:19 +02:00
Jason Dellaluce
42fcc7291f refactor(userspace/falco): remove k8s audit references from falco 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-29 20:47:19 +02:00
Andrea Terzolo
21b127ef65 docs(falco_scripts): update Copyright 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-04-29 13:46:58 +02:00
Andrea Terzolo
9937565416 docs(falco_scripts): add some punctuation marks in comments 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-04-29 13:46:58 +02:00
Andrea Terzolo
b94226569f update(falco_scripts): delete all versions of the module from dkms 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-04-29 13:46:58 +02:00
Andrea Terzolo
f8b97bfbce docs(falco_scripts): update comments in falco-driver-loader. 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-04-29 13:46:58 +02:00
Andrea Terzolo
1ebdb5648f update(falco_scripts): remove only the current version 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-04-29 13:46:58 +02:00
Andrea Terzolo
a11d513bff chore(falco_scripts): Update falco-driver-loader cleaning phase 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-04-29 13:46:58 +02:00
Federico Di Pierro
7aed3b6d01 fix(test): fixed wrong test expected output. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-04-29 10:16:50 +02:00
Leonardo Grasso
98916e547d build(cmake): bump libs version to c778e452985aa7f17be781754d4ad0658fcc3254 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-04-29 10:16:50 +02:00
Federico Di Pierro
9ec05c7048 fix(test): dropped get_type() api from test_source/extract tests. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-04-29 10:16:50 +02:00
Federico Di Pierro
fd9bb83d85 update(build): updated libs version to latest master. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-04-29 10:16:50 +02:00
Federico Di Pierro
08ded97596 new(userspace/falco): use new plugin caps API. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-04-29 10:16:50 +02:00
Lorenzo Susini
9fb9215dbf new(rule): excessively capable containers 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Co-authored-by: Kaizhe Huang <khuang@aurora.tech>
 2022-04-29 07:35:50 +02:00
Leonardo Grasso
3a6274ab36 build: correct conffiles for DEB packages 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-04-28 17:01:45 +02:00
Mark Stemm
86d632d343 fix: allow empty exceptions property 
This matches prior behavior before the lua-to-c++ switch.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-04-28 14:42:24 +02:00
Mark Stemm
e909babe20 fix: add implied exception comp to item for single item variant 
When adding an implied "in" comparison to an exception using the
single value form, add it to item, not items.

This fixes #1984.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-04-28 14:42:24 +02:00
Furkan
990a8fd6d5 update(rules): k8s: secret get detection 
Signed-off-by: Furkan <furkan.turkal@trendyol.com>
 2022-04-28 11:33:00 +02:00
Jason Dellaluce
a16eac221e refactor(userspace/engine): apply C++ best practices to newest engine classes 
This include making a coherent use of const, remove private inheritance, and adding virtual destructors.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-27 16:22:59 +02:00
Jason Dellaluce
be177795c2 refactor(userspace/engine): use supported_operators helper from libsinsp filter parser 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-27 16:22:59 +02:00
Jason Dellaluce
c36300a48c update(build): bump libs version to d6b75db133602dee81b4408902f2510275feae57 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-27 16:22:59 +02:00
Mark Stemm
120027dc2e Add constructor/destructor to stats_manager 
This ensures m_total is properly initialized.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-04-22 13:27:52 +02:00
Mark Stemm
b89b3f82ee Falco main changes for app actions 
This involves moving the code in falco_init() into individual files
below app_actions/. falco_init() simply calls app.run() now. When
app.run() returns false, print any erorr. When app.run() sets restart
to true, falco_init() is called again.

app.run() is still inside a catch block to catch any uncaught
exception.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-04-22 13:27:52 +02:00
Mark Stemm
1639e22462 Move most code from falco_init() to individual app actions 
Each file below app_actions/ defines some of the methods declared in
falco::app::application.

Any state that needs to be shared betweeen methods, or between the run
and teardown methods, resides in falco::app::application::state(), so
the moved code stays pretty much as-is, other than replacing stack
variables with member variables in app_state.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-04-22 13:27:52 +02:00
Mark Stemm
e3b82c00e1 Copying falco.cpp to process_events.cpp to preserve history (step 2, restoring falco.cpp) 
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-04-22 13:27:52 +02:00
Mark Stemm
6e10d3d884 Copying falco.cpp to process_events.cpp to preserve history (step 1, copying file) 
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-04-22 13:27:52 +02:00
Mark Stemm
0daff8f829 Copying falco.cpp to open_inspector.cpp to preserve history (step 2, restoring falco.cpp) 
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-04-22 13:27:52 +02:00
Mark Stemm
5d7bed8d74 Copying falco.cpp to open_inspector.cpp to preserve history (step 1, copying file) 
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-04-22 13:27:52 +02:00
Mark Stemm
64b7092f56 Copying falco.cpp to daemonize.cpp to preserve history (step 2, restoring falco.cpp) 
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-04-22 13:27:52 +02:00
Mark Stemm
a9417d60df Copying falco.cpp to daemonize.cpp to preserve history (step 1, copying file) 
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-04-22 13:27:52 +02:00
Mark Stemm
365b97a9db Copying falco.cpp to validate_rules_files.cpp to preserve history (step 2, restoring falco.cpp) 
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-04-22 13:27:52 +02:00
Mark Stemm
70dc7360c9 Copying falco.cpp to validate_rules_files.cpp to preserve history (step 1, copying file) 
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-04-22 13:27:52 +02:00
Mark Stemm
b845fccc72 Copying falco.cpp to start_webserver.cpp to preserve history (step 2, restoring falco.cpp) 
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-04-22 13:27:52 +02:00
Mark Stemm
d4def892be Copying falco.cpp to start_webserver.cpp to preserve history (step 1, copying file) 
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-04-22 13:27:52 +02:00