github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-21 12:29:19 +00:00
Code Issues Projects Releases Wiki Activity
4,285 Commits 119 Branches 172 Tags 104 MiB
eed5b906a8
Commit Graph

4285 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Mark Stemm
eed5b906a8 Provide the entire compile output to ruleset vs individual add()s 
In order to support external rules loaders that may extend the falco
rules format with new top level objects, move away from providing
individual filter objects to the filter_ruleset via calls to add().

Instead, pass the entire compile output returned by the compiler to
the ruleset using a new method add_compile_output(). Custom users can
then cast back the compile output to the appropriate derived class for
use in the ruleset.

Move the declaration of the compile output to a standalone class so it
can be used by rulesets without including the entire rules loader
header files, and add a new factory method new_compile_output() to the
compiler so it can create a derived class if necessary.

This change is
backwards-compatible with existing rulesets, as the default
implementation of add_compile_output() simply iterates over rules and
calls add() for each rule.

This change also speeds up rule loading. Previously, each rule
condition was compiled twice:

1. First, in the compiler, to see if it was valid.
2. Second, in the falco engine before providing each rule to the
ruleset.

Add the compiled filter to the falco_rule object instead of throwing
it away in the compiler.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-01-30 20:24:33 +01:00
Mark Stemm
2d0159ae05 Add ability to provide external rules reader/collector/compiler 
In some cases, a user of the falco engine may want to extend the falco
rules format to provide additional objects to the rules file.

To support that, add a new method set_rule_loader() that allows a user
to provide classes that derive from
rule_loader::{reader,collector,compiler} and read those additional
objects from the rules file.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-01-30 20:24:33 +01:00
Federico Di Pierro
f66780eb81 fix(ci): fixed release body driver version. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-01-30 13:26:32 +01:00
dependabot[bot]
67a7685c29 build(deps): Bump submodules/falcosecurity-rules 
Bumps [submodules/falcosecurity-rules](https://github.com/falcosecurity/rules) from `c39d31a` to `3f668d0`.
- [Release notes](https://github.com/falcosecurity/rules/releases)
- [Commits](c39d31a0bc...3f668d0568)

---
updated-dependencies:
- dependency-name: submodules/falcosecurity-rules
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-01-30 12:59:32 +01:00
Andrea Terzolo
135ce35ac2 new(docs): add changelog for 0.37.0 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-30 11:57:31 +01:00
Leonardo Grasso
2e19960522 update(cmake/modules): bump Falco rules to 3.0 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2024-01-25 17:03:15 +01:00
Melissa Kilby
bb4a643385 update(config): soft deprecation of old stats 
add CHANGE NOTICE wrt syscall_event_drops

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-01-25 10:33:15 +01:00
Melissa Kilby
3675587aad cleanup(configs): adjust old stats deprecation notice 
Co-authored-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-01-25 10:33:15 +01:00
Melissa Kilby
8a697502b9 update!(config): add deprecation notice for syscall_event_drops 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-01-25 10:33:15 +01:00
Melissa Kilby
2dc8d452ae fix(userspace/metric): minor fixes in new libsinsp state metrics handling 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-01-24 11:04:13 +01:00
Federico Aponte
8143a194d2 fix: nlohmann_json lib include path 
Signed-off-by: Federico Aponte <federico.aponte@sysdig.com>
 2024-01-24 09:38:13 +01:00
Jason Dellaluce
acba90d97a test(engine): assess proper list escaping in engine collector 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2024-01-23 11:58:09 +01:00
Jason Dellaluce
ccf62a3745 fix(userspace/engine): avoid storing escaped strings in engine defs 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2024-01-23 11:58:09 +01:00
Federico Di Pierro
10eaf31881 update(cmake): bumped falcoctl to v0.7.1. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-01-23 11:57:09 +01:00
Andrea Terzolo
f4aef006fe chore: bump falco rules 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-17 16:20:55 +01:00
Andrea Terzolo
e1c07568b4 chore: bump Falco to libs 0.14.1 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-17 15:12:55 +01:00
dependabot[bot]
ded4bdde96 build(deps): Bump submodules/falcosecurity-rules 
Bumps [submodules/falcosecurity-rules](https://github.com/falcosecurity/rules) from `2ac430b` to `c39d31a`.
- [Release notes](https://github.com/falcosecurity/rules/releases)
- [Commits](2ac430be13...c39d31a0bc)

---
updated-dependencies:
- dependency-name: submodules/falcosecurity-rules
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-01-17 09:42:54 +01:00
Andrea Terzolo
ae9ffe414f cleanup: rename none into nodriver 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2024-01-17 09:41:55 +01:00
Melissa Kilby
d8c368b5ce update(config): graduate outputs_queue to stable 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-01-16 12:54:51 +01:00
Federico Di Pierro
b718083fe7 update(cmake): bump falcoctl to v0.7.0. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-01-12 11:50:39 +01:00
dependabot[bot]
3f4ed4ca4b build(deps): Bump submodules/falcosecurity-rules 
Bumps [submodules/falcosecurity-rules](https://github.com/falcosecurity/rules) from `1221b9e` to `2ac430b`.
- [Release notes](https://github.com/falcosecurity/rules/releases)
- [Commits](1221b9e817...2ac430be13)

---
updated-dependencies:
- dependency-name: submodules/falcosecurity-rules
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-01-12 00:55:38 +01:00
Andrea Terzolo
a6a1a9769f cleanup: restore the name of a variable 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Co-authored-by: Luca Guerra <luca.guerra@sysdig.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
e601ec2eab chore: bump testing submodule manually to fix e2e tests 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
64bbffe5ef fix codespell 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
5ee05abc08 cleanup: adopt a new helper method in tests 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
c308f5c7e2 cleanup: rename some error messages 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
ee78c862ad tests: add some new tests on override replace 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
8ebdbe3e6f cleanup: use macros for default error messages 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
91d1511285 tests: add test on the order for macro and rules 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
3f9ede86bb tests: add some new tests about list order 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
5192921732 doc: typo in the exception 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
56de6e6786 update(rule_loader): remove the warning on the required_engine_version 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
f5dea33b5e update(falco): always enable rules warnings 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
b318c165da cleanup(falco_engine): remove unused methods 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
5ac005bd4d update(rule_loader): deprecate all non-SemVer compatible values 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
2367d36867 cleanup(tests): use new check_error_message helper 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
95e4c58e7f update(rule_loader): deprecate enabled usage 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
4aebee684a update(rule_loader): deprecate append key and add a warning 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
63736563a2 cleanup(rule_loader): remove useless include 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
7cac2833b2 cleanup(rule_loader): add a common log message 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Federico Di Pierro
447a251e16 chore(ci): bumped rn2md to latest master. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-01-11 09:52:38 +01:00
Federico Di Pierro
b5e64c52f3 fix(ci): manually invoke falcoctl to install cloudtrail and k8saudit plugin before running tests. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-01-11 09:08:38 +01:00
Federico Di Pierro
bbef26aad0 cleanup(cmake): dropped bundled plugins since falcoctl takes care of everything. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-01-11 09:08:38 +01:00
Andrea Terzolo
6bb68c0c43 chore: bump Falco to latest libs 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 05:32:38 +01:00
dependabot[bot]
a25b5c1045 build(deps): Bump submodules/falcosecurity-rules 
Bumps [submodules/falcosecurity-rules](https://github.com/falcosecurity/rules) from `424b258` to `1221b9e`.
- [Release notes](https://github.com/falcosecurity/rules/releases)
- [Commits](424b258789...1221b9e817)

---
updated-dependencies:
- dependency-name: submodules/falcosecurity-rules
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-01-09 19:01:34 +01:00
Andrea Terzolo
f6ab7f2501 chore: bump driver version 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-08 20:20:31 +01:00
Mark Stemm
66df3dc417 Add unit tests for add_source() + related lookup methods 
Add unit tests for add_source() and its related find_*_for_source()
methods. The test just verifies that the values provided to
add_source() are the same as the values returned by the find methods.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-01-08 12:00:27 +01:00
Mark Stemm
14d1ca3c97 Add methods to look up the factories provided in add_source() 
Add methods that allow looking up the factories provided to
add_source(). This allows not having to keep track of the factories
outside of the engine.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-01-08 12:00:27 +01:00
Mark Stemm
07d7b9a57a Inline find_source() as it can be called in the event path 
Inline find_source as it can be called in the event processing path.

Also take the cached variant that assigns/uses m_syscall_source_idx
and put it in find_source() instead of process_event().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-01-08 12:00:27 +01:00
dependabot[bot]
70ce7b936b build(deps): Bump submodules/falcosecurity-rules 
Bumps [submodules/falcosecurity-rules](https://github.com/falcosecurity/rules) from `cd33bc3` to `424b258`.
- [Release notes](https://github.com/falcosecurity/rules/releases)
- [Commits](cd33bc34af...424b258789)

---
updated-dependencies:
- dependency-name: submodules/falcosecurity-rules
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-01-05 14:46:18 +01:00