github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-01 00:52:16 +00:00
Code Issues Projects Releases Wiki Activity
3,607 Commits 119 Branches 172 Tags 104 MiB
dad382edd6
Commit Graph

3607 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Alessandro Brucato
409ca4382e Update rules/falco_rules.yaml 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>

Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
 2022-07-13 11:54:23 +02:00
Alessandro Brucato
a71a635b7e Update rules/falco_rules.yaml 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>

Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
 2022-07-13 11:54:23 +02:00
Alessandro Brucato
07024a2e0f Update rules/falco_rules.yaml 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>

Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
 2022-07-13 11:54:23 +02:00
Brucedh
6feeaee0cd Added exception to Launch Privileged Container 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
 2022-07-13 11:54:23 +02:00
Andrea Terzolo
a7153f2fd8 fix(userspace): compute the drop ratio in the right way 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Co-authored-by: Shane Lawrence <shane@lawrence.dev>
 2022-07-13 09:38:22 +02:00
Ravi Ranjan
c078f7c21d Falco Rules/Conditions Updates 
Signed-off-by: Ravi Ranjan <ravi.ranjan@elastisys.com>
 2022-07-12 12:08:38 +02:00
Aldo Lacuku
46f625c449 chore(engine): remove trailing colon from logs when loading rule files 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-07-12 10:40:43 +02:00
Luca Guerra
4c4ed56c19 update(docs): changelog for version 0.32.1 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-07-11 11:19:44 +02:00
Luca Guerra
773156de04 update(falco): update libs to 0.7.0 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-07-11 10:16:43 +02:00
Jason Dellaluce
62c1e875d5 update(userspace/falco): simplify sinsp logger sev decoding 
Co-authored-by: Luca Guerra <luca@guerra.sh>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-07-07 12:46:51 +02:00
Jason Dellaluce
7dade32688 refactor(userspace/falco): make sinsp logging part of the configuration (default to false) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-07-07 12:46:51 +02:00
Jason Dellaluce
bae68b37ee new(userspace/falco): enable attaching libsinsp logger to the falco one 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-07-07 12:46:51 +02:00
Federico Di Pierro
3ddabc3b95 docs(readme): added arm64 mention + packages + badge. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-07-05 17:46:00 +02:00
Federico Di Pierro
a8b9ec18b0 fix(circleci): properly set BUILD_DIR and SOURCE_DIR to /build and /source respectively. 
Inside job "build-arm64" these are the locations used inside the container.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-07-05 17:45:01 +02:00
Federico Di Pierro
34404141e4 fix(circleci): share docker socket with docker container. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-07-05 17:45:01 +02:00
Federico Di Pierro
315b44dc17 new(circleci): enable integration tests for arm64. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-07-05 17:45:01 +02:00
Luca Guerra
161fe6fb3c update(falco): upgrade drivers to 2.0.0, libs to latest rc 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-07-05 11:02:38 +02:00
Luca Guerra
3cde70eda8 fix(falco): parameter ordering in initialization 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-07-01 14:17:38 +02:00
Luca Guerra
982e8663be update(gvisor): make gvisor_enable depend on config 
Signed-off-by: Luca Guerra <luca@guerra.sh>

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-07-01 14:17:38 +02:00
Luca Guerra
993516f430 new(falco): add compile-time option to enable or disable gvisor support 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-07-01 14:17:38 +02:00
Luca Guerra
60b149709d fix(gvisor): formatting 
Signed-off-by: Luca Guerra <luca@guerra.sh>
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-07-01 14:17:38 +02:00
Luca Guerra
698eda8680 new(gvisor): add option to generate gVisor configuration 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-07-01 14:17:38 +02:00
Luca Guerra
0b75433cee update(gvisor): update to the latest sinsp interface 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-07-01 14:17:38 +02:00
Luca Guerra
0ba492c280 new(falco): do not alert on syscall frequency when gvisor is enabled 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-07-01 14:17:38 +02:00
Luca Guerra
927c1c4126 new(falco): enable gVisor event collection 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-07-01 14:17:38 +02:00
Luca Guerra
1966fa1f91 update(falco): update libs to 0.7.0-rc2, 2.0.0-rc1+driver 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-07-01 12:53:23 +02:00
Andrea Terzolo
e4fe6a3353 chore(cmake): bump plugins versions 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-06-29 16:41:29 +02:00
Federico Di Pierro
610b67838b fix(docker): fixed deb tester sub image. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-06-29 11:52:31 +02:00
Jason Dellaluce
effabf533d test(plugins): drop macro source warning test 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-06-28 11:33:08 +02:00
Jason Dellaluce
3c2effb498 refactor(userspace/engine): remove source field from macros in rule loader 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-06-28 11:33:08 +02:00
Jason Dellaluce
555bf9971c fix(test): update expected test result for docker-compose scap file 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Luca Guerra <luca@guerra.sh>
 2022-06-23 18:12:24 +02:00
Leonardo Grasso
c309107949 fix(test): correct "incompat_plugin_api" expectation 
See https://github.com/falcosecurity/libs/pull/389

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-06-23 18:12:24 +02:00
Leonardo Grasso
b6245d77c7 update(rules): lower priority to noisy rule (after the dup improvement) 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-06-23 18:12:24 +02:00
Leonardo Grasso
2f208b52fc fix(userspace/falco/app_actions/print_version.cpp): correct getter call for schema version 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-06-23 12:47:03 +02:00
Leonardo Grasso
f3bc178e40 fix(userspace/falco/app_actions/print_version.cpp): ensure destructor gets invoked 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-06-23 12:47:03 +02:00
Leonardo Grasso
308f001b87 chore(cmake/modules): remove leftover 
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-06-23 12:47:03 +02:00
Leonardo Grasso
fda9fb36de update(userspace/falco): add more info to --version output 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-06-23 12:47:03 +02:00
Leonardo Grasso
92fdbbcc52 update(userspace/falco): do not print driver version by default 
Since now each Falco version is compatible with a range of driver version and not just one.

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-06-23 12:47:03 +02:00
Leonardo Grasso
4b694896a4 build: temporarily bump libs and driver 
Note that another bump is required before releasing Falco, since this commit uses alpha versions.

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-06-23 12:47:03 +02:00
Leonardo Grasso
d589ec2144 build(cmake/modules): dedicated cmake module for the driver 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-06-23 12:47:03 +02:00
Leonardo Grasso
6c08fa2a20 build(cmake/modules): divorce driver from falcosecurity-libs module 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-06-23 12:47:03 +02:00
Leonardo Grasso
9af20a000d chore(cmake/modules): duplicate git history (part 2) 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-06-23 12:47:03 +02:00
Leonardo Grasso
7e1e7c2e42 chore(cmake/modules): duplicate git history (part 1) 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-06-23 12:47:03 +02:00
Leonardo Grasso
1f2e6d4629 chore(cmake/modules): indentation 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-06-23 12:47:03 +02:00
Mark Stemm
85ca1eb3dd fix(app_actions): perform validate_rules before load_rules action 
Perform the validate_rules action before the load_rules action. This
ensures that *only* the rules files named with -V arguments are
validated.

This fixes https://github.com/falcosecurity/falco/issues/2087.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-06-23 12:24:03 +02:00
Luca Guerra
5dce4d2025 fix(tests): make tests run locally (take 2) 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-06-23 12:22:03 +02:00
Aldo Lacuku
d90421387f update(rules): add macro for dup syscalls 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-06-23 10:06:13 +02:00
Aldo Lacuku
07b4d5a47a fix(rules): use exit event in reverse shell detection rule 
In some cases the rule is not triggered when a reverse shell is spawned.
That's because in the rule we are checking that the file descriptor passed
as argument to the dup functions is of type socket and its fd number is "0, 1, or 2"
and the event direction is "enter".
The following event does not trigger the rule: dup2(socket_fd, STDIN_FILENO);
But using the exit event the rule is triggered.

Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-06-23 10:06:13 +02:00
Kaizhe Huang
8a1f43f284 remove kaizhe from falco rule owner 
Signed-off-by: Kaizhe Huang <khuang@aurora.tech>
 2022-06-22 22:16:21 -05:00
Federico Di Pierro
fcac635780 update(OWNERS): add Federico Di Pierro to owners. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-06-22 19:06:20 +02:00