github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-02 17:42:18 +00:00
Code Issues Projects Releases Wiki Activity
1,646 Commits 117 Branches 173 Tags 104 MiB
dfdd9693fc
Commit Graph

1646 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Lorenzo Fontana
3712c8a2b4 ci: enable tests on plain travis 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
7a1e351aa4 build: gRPC fixes for the bundled path 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
cd938a5aad build: build all the targets on travis 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
d4fccebcc9 build(cmake/cpack): fix cmake options script 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
34e3ad937e build: bump cmake version to 3.5.1 and modules 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
50af72c393 build(docker/builder): adapt entrypoint to the new dependencies 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
5baa4b4046 build: cURL cmake module 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
8ca687575b build: delete unused cmake modules 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
fd94e2c891 build: gRPC cmake module 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
a28f861a8f build: jq cmake module 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
b8f649a610 build: yaml-cpp cmake module 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
f99dec47e0 build: add missing grpc dependencies on travis 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
7db8b9eb73 build(CMakeLists): include external dependencies from file 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
f567172bff update(docker/builder): install build dependencies in builder 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
74ac37c10a new: allow protobuf to be compiled statically optionally 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
66f8a47cc1 build: allow yamlcpp to be compiled statically optionally 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
3ccc0656f5 build: allow jq to be compiled statically optionally 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
d908a107b1 fix: allow gRPC to take protobuf from custom pkgconfig path 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
69031a4c9e build: libyaml-cpp-dev in travis 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
8688e5abfc new: cmake format colums to 120 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
98a82dd33e build: libjq-dev in travis 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
ce568a16a6 build: allow building gRPC as an alternative to dynamic linking 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
12d76f4426 build: fix building from the falcosecurity folder 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
490ebf306b build: include Coverage and add headers 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
e75bb732fe fix: use libssl-dev instead of openssl-dev 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
fb3f47a7c3 new: reorganize cmakelists.txt 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
fb42613cf1 new: use travis as the actual build environment 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
f492992c28 new: cpack under cmake folder 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
bcd485530a new: organize cmake dependencies better 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
b96e17fe5d new: fix lyaml dependencies 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
abdd099c0a new: initial dynamic build changes 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Mark Stemm
09cdc857c1 Fix compile warnings 
Noticed these while compiling in the latest alpine image.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-01-15 09:35:28 +01:00
Mark Stemm
c3f7d15e26 Add k8s audit support to falco event generator 
Currently, the falco event generator only generates system call
activity. This adds support for k8s_audit events by adding a script +
supporting k8s object files that generate activity that matches the k8s
audit event ruleset.

The main script is k8s_event_generator.sh, which loops over the files in
the yaml subdirectory, running kubectl apply -f for each.

In the interests of keeping things self-contained, all objects are
created in a `falco-event-generator` namespace. This means that some
activity related with cluster roles/cluster role bindings is not
performed.

Each k8s object has annotations that note:

1. The specific falco rules that should trigger.
2. A user-friendly message to print when apply-ing the file.

You can provide a specific rule name to the script. If provided, only
those objects related to that rule will trigger. The default is "all",
meaning that all objects are created.

The script loops forever, deleting the falco-event-generator namespace
after each iteration.

Additionally, the docker image has been updated to also copy the script
+ supporting files, as well as fetching the latest available `kubectl`
binary. The entrypoint is now a script that allows choosing between:
 - syscall activity: run with .... "syscall"
 - k8s_audit activity: run with .... "k8s_audit"
 - spawn a shell: run with .... "bash"

The default is "syscall" to preserve existing behavior.

In most cases, you'll need to provide kube config
files/directories that allow access to your cluster. A
command like the following will work:

```
docker run -v $HOME/.kube:/root/.kube -it falcosecurity/falco-event-generator
k8s_audit
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-01-15 09:35:28 +01:00
Nacho Rasche
4a7e318833 Add Skyscanner to adopters 
Signed-off-by: Nacho Rasche <nacho.rasche@skyscanner.net>
 2020-01-14 13:41:08 +01:00
toc-me[bot]
373d2bfd89 Update ToC for proposals/20191217-rules-naming-convention.md 
Signed-off-by: kaizhe <derek0405@gmail.com>

address comments

Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-01-07 14:58:12 +01:00
Kaizhe Huang
4065af25c1 Update proposals/20191217-rules-naming-convention.md 
Co-Authored-By: Leo Di Donato <leodidonato@gmail.com>

Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-01-07 14:58:12 +01:00
kaizhe
cc1892177a falco rule naming convention 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-01-07 14:58:12 +01:00
Michael Ducy
2041932ad2 move audit doc 
Signed-off-by: Michael Ducy <michael@ducy.org>
 2019-12-17 09:15:41 +01:00
Michael Ducy
64b50978e0 Publish security audit 
Signed-off-by: Michael Ducy <michael@ducy.org>
 2019-12-17 09:15:41 +01:00
Mark Stemm
c53df3af00 Don't rethrow exceptions in parse_k8s_audit_json 
Callers aren't expected to catch execeptions and instead rely on the
bool return value to indicate whether or not the parsing was successful.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2019-12-16 17:00:50 -08:00
Mark Stemm
4c576f31f2 Also allow json arrays of k8s audit evts 
Currently, the json object POSTed to the /k8s_audit endpoint is assumed
to be an obect, with a "type" of either "Event" or "EventList". When the
K8s API Server POSTs events, it aggregates them into an EventList,
ensuring that there is always a single object.

However, we're going to add some intermediate tools that tail log files
and send them to the endpoint, and the easiest way to send a batch of
events is to pass them as a json array instead of a single object.

To properly handle this, modify parse_k8s_audit_event_json to also
handle a json array. For arrays, it iterates over the objects, calling
parse_k8s_audit_json recursively. This only iterates an initial top
level array to avoid excessive recursion/attacks involving degenerate
json objects with excessively nested arrays.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2019-12-16 17:00:50 -08:00
Hiroki Suezawa
cd94d05cd9 rule(list network_tool_binaries): delete ssh from the list 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-16 22:27:12 +01:00
Hiroki Suezawa
23a7203e50 rule(list network_tool_binaries): add network tool names 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-16 22:27:12 +01:00
Leonardo Di Donato
28fa4a72e8 docs(docker/builder): usage reports clang version too 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-12-13 13:04:23 +01:00
Leonardo Di Donato
ac4f089903 update(docker/builder): add llvm-toolset-7 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-12-13 13:04:23 +01:00
Leonardo Di Donato
cd1b23d2bc update(.github): remove unused kind/* label from PR template 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-12-13 11:17:02 +01:00
Leonardo Di Donato
de8714d2be chore(.github): delete issue templates in favor of default ones 
Default issue templates can be found in https://github.com/falcosecurity/.github repo.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-12-13 11:17:02 +01:00
Hiroki Suezawa
93fdf8ef61 rule(macro user_known_k8s_client_container): Rephrase the comment 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-11 12:53:06 +01:00
Hiroki Suezawa
bcc84c47c6 rule(macro user_known_k8s_client_container): have more strict condition to avoid false positives 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-11 12:53:06 +01:00
Chris Goller
965ead0c2a build: use consistent case for options in message 
Signed-off-by: Chris Goller <goller@gmail.com>
 2019-12-10 21:15:16 +01:00