github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-30 08:32:12 +00:00
Code Issues Projects Releases Wiki Activity
3,607 Commits 121 Branches 172 Tags 104 MiB
dad382edd6
Commit Graph

3607 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Jason Dellaluce
5f2267f716 update(userspace/engine): add new loader files to CMakeLists 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
b65157af5e refactor(userspace/engine): split rule loader git history (5) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
b2b1feb1f2 refactor(userspace/engine): split rule loader git history (4) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
b900e46dfe refactor(userspace/engine): split rule loader git history (3) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
a98c9cdd20 refactor(userspace/engine): split rule loader git history (2) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
2a427925a0 refactor(userspace/engine): split rule loader git history (1) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Andrea Terzolo
c0c37d87f5 fix(process_events): check the return value of open_live_inspector 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-20 18:07:30 +02:00
Andrea Terzolo
f57c67cc96 docs(falco.yaml): fix a typo 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2022-09-20 11:35:28 +02:00
Andrea Terzolo
7686c03a36 update(app_actions): add a depraction comment for BPF 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-20 11:35:28 +02:00
Andrea Terzolo
aa0abb4288 tests: fix traces-positive/run-shell-untrusted.scap test 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-20 11:35:28 +02:00
Andrea Terzolo
8b927fb010 chore: bump libs version 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-20 11:35:28 +02:00
Andrea Terzolo
a325086363 test(falco): fix broken tests 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-20 11:35:28 +02:00
Andrea Terzolo
1930ec56c7 test(plugin): bump plugin API in test 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-20 11:35:28 +02:00
Andrea Terzolo
3902779409 chore(plugins.cmake): bump plugin versions 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-20 11:35:28 +02:00
Andrea Terzolo
7e37c72431 update: falco works with the latest libs commit 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-20 11:35:28 +02:00
Federico Di Pierro
e068df514c chore(userspace/engine,userspace/falco): upgraded to latest libs. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-09-20 11:35:28 +02:00
Federico Di Pierro
9048d84ed4 chore(cmake): bumped libs to latest master. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-09-20 11:35:28 +02:00
Federico Di Pierro
00459f3447 chore(cmake): dropped SCAP_BPF_PROBE_ENV_VAR_NAME variable; unused. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-20 11:35:28 +02:00
Federico Di Pierro
0274959981 update(userspace/falco, cmake): updated libs to latest master. 
Adapted API to sinsp::open API break, and simple consumer API break.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-20 11:35:28 +02:00
Hi120ki
30b56d2960 revert and create new known macro 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:24:40 +02:00
Hi120ki
d6b5789b7a add user_known_mount_in_privileged_containers 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:24:40 +02:00
Hi120ki
af4524491d put open_read in the beginning of the rule 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:22:39 +02:00
Hi120ki
36a08aee13 Update rules/falco_rules.yaml to delete enabled field 
Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:22:39 +02:00
Hi120ki
39de011751 Update rules/falco_rules.yaml to add argoexec into allowlist 
Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:22:39 +02:00
Hi120ki
a83d38c6d7 add allowlist 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:22:39 +02:00
Hi120ki
86c3a9cd69 revert to container 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:22:39 +02:00
Hi120ki
8473706526 add systemd-sysctl to allowlist 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:22:39 +02:00
Hi120ki
4e622fc033 add host to target 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:22:39 +02:00
Hi120ki
16dca8f905 add rule Read environment variable from /proc files 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:22:39 +02:00
Mark Stemm
2d5fc0b647 Use the same falco_rule struct for every call to filter_ruleset 
Instead of using a falco_rule struct on the stack, use a single value
inside the falco_source struct. It's mutable as find_source returns a
const struct.

At very high event volumes (> 1M syscalls/second), even the tiny time
it takes to create/destroy the struct starts to add up, and this
switch has some small cpu savings.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-09-16 12:50:39 +02:00
Mark Stemm
e5cd5eacf5 Save syscall source separately and check explicitly in process_event 
When doing some testing of falco on very high event volumes (> 1.5M
events/second), I found that the time taken to look up a falco_source
struct had a non-negligible contribution to cpu usage.

So instead of looking up the source from the source_idx every time,
separately save the source for syscalls in the falco_engine object
directly. The separately saved copy is only used once someone calls
add_source with source="syscall".

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-09-16 12:50:39 +02:00
Stefano
366bcfd7a3 Added disable by default option to reduce noise 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
 2022-09-16 12:44:38 +02:00
Stefano
c844eb9ef3 Added rule to detect CVE-2019-5736 
Co-authored-by: wcc526 <wcc526@gmail.com>
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
 2022-09-16 12:44:38 +02:00
Leonardo Grasso
b71eb7e6ed chore(OWNERS): cleanup inactive reviewer 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-09-14 15:31:25 +02:00
Leonardo Grasso
c732e5d800 update: gRPC server sock defaults to /run/falco/falco.sock 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-09-14 10:27:24 +02:00
Leonardo Grasso
c0ea753262 update(userspace/falco): gVisor sock now defaults to /run/falco/gvisor.sock 
Co-authored-by: Vicente J. Jiménez Miras <vjjmiras@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-09-14 10:27:24 +02:00
Vicente JJ. Miras
e4008217b9 Replacing /tmp/gvisor.sock with /run/gvisor.sock 
According to the FHS 3.0 (https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s15.html), transient UNIX-domain sockets should be placed under the directory /run, so this commit updates the implicit value generated by the application.

Signed-off-by: Vicente J. Jiménez Miras <vjjmiras@gmail.com>
 2022-09-14 10:27:24 +02:00
Jason Dellaluce
9c184af2a1 fix(userspace/falco): adopt stricter memory order semantics 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
d11aec28d5 fix(userspace/falco): move stats collection in event success path 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
d17e173e35 chore(userspace/falco): rename sources app state list for more clarity 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
25e9bd1c91 chore(userspace/falco): fix codespell typo 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
4bc9fc74c8 update(userspace/falco)!: adapt stats writer for multiple parallel event sources 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
b65cc49221 update(userspace/falco): rename init_inspector action into init_inspectors 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
ce769b1fbe fix(test): adapt plugin tests to new error msgs and features 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
65993ad1ed refactor(userspace/falco): support multiple parallel event processing loops 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
f4c6a81ed8 update(userspace/falco): fix plugin list access in rule file loading action 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
f9a152b24c refactor(userspace/falco): generalize responsibilities of init_inspector action 
Now, the action takes care of inizializing all app inspectors
(just one in capture mode, one for each evt source in live mode), and of
registering and initializing all loaded plugins in the right inspector as needed.
The plugin initialization logic, which also involves the filtercheck list
population and checks, was moved and refactored from the previous
implementation of the load_plugins action.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
ed025f1a86 refactor(userspace/falco): init all event sources in falco engine and in the right order 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
8ba779de8c refactor(userspace/falco): restrict load_plugins action responsibilities 
Now, the action is in charge of loading all plugins and initializing:
- the offline inspector
- the list of loaded event sources
- the list of loaded plugins and their config

After this action runs, plugins are loaded but not yet initialized.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
cf8b85ad86 refactor(userspace/falco): turn open inspector action into convenience private methods 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00