github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-07 11:49:07 +00:00
Code Issues Projects Releases Wiki Activity
4,513 Commits 118 Branches 173 Tags 104 MiB
f18ea1e8b7
Commit Graph

4513 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Mark Stemm
d74c8d6d4d Add cxxopts command line parsing library 
We'll use this to better manage the fairly large set of command line
options in self-contained objects instead of a scattering of
individual stack variables.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-02-24 10:40:16 +01:00
Andrea Bonanno
888c15c6ee update(falco): updates usage description for -o, --option 
Signed-off-by: Andrea Bonanno <andrea@bonanno.cloud>
 2022-02-21 18:50:12 +01:00
Andrea Bonanno
eedb794fd5 fix(userspace/falco): applies FALCO_INSTALL_CONF_FILE as the default config. 
Signed-off-by: Andrea Bonanno <andrea@bonanno.cloud>
 2022-02-18 17:33:43 +01:00
Mark Stemm
83c527dd91 Use cmake function to copy files, as a single target 
Replace nearly-identical blocks of code that defined individual custom
targets/custom commands to copy files from source to build dir with
the copy_files_to_build_dir function.

This reduces the number of build targets and speeds up/cleans up the
make output.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-02-18 16:47:43 +01:00
Mark Stemm
cbcc680c77 Cmake function to copy files from source to build dir, as a target 
Define a cmake function copy_files_to_build_dir(source_files,
targetsuffix) that defines a single custom target and single custom
command to copy the set of source files to
CMAKE_CURRENT_BINARY_DIR. All of the real work is done via cmake -E
copy_if_different.

This function will replace the nearly identical cmake code in several
other directories. This function has the advantage of being a single
target for the set of source files instead of a target per-file.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-02-18 16:47:43 +01:00
Mark Stemm
ad90209177 Always skip update command for git based external projects 
I noticed that some external projects were being reconfigured/built
with every make, even though no files in the external project had been
updated.

With some debugging I noticed that git based external projects were
re-running their "update" step every time, and that in turn caused the
configure/build/install steps to re-run as well. (Generally the build
step is a no-op as the Makefile/etc. in the external project is well
formed and doesn't do anything, but the configure/install steps still
run).

It seems related to this cmake bug:
https://gitlab.kitware.com/cmake/cmake/-/issues/19703. In short, the
git update step for an external project does not create any "done"
file that denotes that the files are still up-to-date. Without that
"done" file, the update step is always run, and that in turn causes
the other steps for the external project to re-run as well.

The best way to fix this seems to be to skip the update step by
defining an empty UPDATE_COMMAND. As long as the downloaded code for a
given hash/tag/etc does not change, the update step is unnecessary.

And if we *really* wanted to ensure unchanged dependencies, we would
download our own copies anyway.

Making this change significantly cleans up the falco build to avoid
rebuilding git based external dependencies.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-02-18 16:47:43 +01:00
Leonardo Grasso
204f9ff875 fix(scripts): correct typo in falco-driver-loader help message 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-02-14 10:06:41 +01:00
pablopez
87c410e49e upgrade macro(keepalived_writing_conf) 
Signed-off-by: pablopez <pablo.lopezzaldivar@sysdig.com>
 2022-02-11 11:36:47 +01:00
schie
b9925577ef Update rules/falco_rules.yaml 
Signed-off-by: darryk10 stefano.chierici@sysdig.com

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2022-02-11 11:28:46 +01:00
Stefano
ae5342c54b Fixed rule condition 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
 2022-02-11 11:28:46 +01:00
Stefano
1324522721 Added new Rule Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) 
Co-authored-by: javery-sysdig <jason.avery@sysdig.com>

Signed-off-by: Stefano <stefano.chierici@sysdig.com>
 2022-02-11 11:28:46 +01:00
rileydakota
7999e33aea Rule Update - Adds npm support 
Adds `npm` to `package_mgmt_binaries` for detection of "living off the land" style attacks that utilize NPM pull down additional tooling

Signed-off-by: rileydakota <dakotariley2@gmail.com>
 2022-02-11 11:27:46 +01:00
m4wh6k
f49a95f334 rule(macro modify_shell_history): Fix missing s on endswith 
Signed-off-by: m4wh6k m4wh6k@users.noreply.github.com
 2022-02-11 11:26:46 +01:00
m4wh6k
9e8687401d fix(macro truncate_shell_history): avoid false positives from .zsh_history.new and .LOCK files 
Signed-off-by: m4wh6k m4wh6k@users.noreply.github.com
 2022-02-11 11:26:46 +01:00
m4wh6k
6ead925f51 fix(macro modify_shell_history): avoid false positives from .zsh_history.new and .LOCK files 
Signed-off-by: m4wh6k <m4wh6k@users.noreply.github.com>
 2022-02-11 11:26:46 +01:00
Mac Chaffee
8a3a4c4d57 rule(maco write_etc_common): Fix false-positive of sssd updating /etc/krb5.keytab 
Signed-off-by: Mac Chaffee <me@macchaffee.com>
 2022-02-11 11:25:47 +01:00
Federico Di Pierro
ff21544186 update(build)!: replaced various PROBE with DRIVER where necessary. 
Follow-up of https://github.com/falcosecurity/libs/pull/197.
Updated libs too to master version, as needed.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-02-08 09:50:39 +01:00
Mike Stewart
ee2f7c50e8 Potential fix for falcosecurity/falco#1884 
Signed-off-by: Mike Stewart <mike.stewart@introhive.com>
 2022-02-04 11:40:09 +01:00
pablopez
5da10a3b89 rule_output(Delete Bucket Public Access Block) typo 
Signed-off-by: pablopez <pablo.lopezzaldivar@sysdig.com>
 2022-02-03 18:23:08 +01:00
Federico Di Pierro
f86423db76 fix(build): fixed build folder path for publish bin static. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-31 17:02:48 +01:00
Federico Di Pierro
5eed3a6638 fix(build): hotfix for release 0.31.0. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-31 17:02:48 +01:00
Leonardo Grasso
d585343483 docs(CHANGELOG.md): last update 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-01-31 14:01:48 +01:00
Teryl
9e57b5b4ba docs(changelog.md): update for release 0.31.0 
Signed-off-by: Teryl <terylt@ibm.com>
 2022-01-31 14:01:48 +01:00
Federico Di Pierro
47f38c8ae2 chore(build): dropped centos8 circleci build because it is useless and right now it is causing issues with yum. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-31 12:48:48 +01:00
Federico Di Pierro
332d828204 update(userspace/engine): properly value required_version because it is used by caller. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-28 15:33:22 +01:00
Federico Di Pierro
75c6cfb414 update(userpace/engine): properly implement semver check for required plugin versions. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-28 15:33:22 +01:00
Leonardo Grasso
a4199814a0 fix(tests/engine): correct unit tests 
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-01-28 15:33:22 +01:00
Leonardo Grasso
24e7e84153 update(rules): updated aws cloudtrail rule bumping plugins version 
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-01-28 15:33:22 +01:00
Federico Di Pierro
70bfb2426c fix(userspace/engine): forcefully set PPME_PLUGINEVENT_E event type for "plugin" source events. 
This workaround an issue in libs, targeting Falco 0.31.0.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-01-28 15:33:22 +01:00
Federico Di Pierro
ce3598f801 update(plugins): updated json plugin to latest v0.2.2. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-27 17:22:09 +01:00
Federico Di Pierro
8e6ffc6fc9 fix(userspace/engine): actually make m_filter_all_event_types useful by properly using it as fallback when no filter event types is provided. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-27 17:22:09 +01:00
Luca Guerra
6a42f4a133 new(build): publish both static and glibc binaries 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-01-26 17:45:50 +01:00
Federico Di Pierro
8d9dd4440f chore(userspace/engine): cleanup unused alternate-lua-dir option and remove config_falco_engine.h.in, now unused since lua scripts are embedded in Falco. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-26 16:19:50 +01:00
Luca Guerra
c49093005d fix(build): do not include plugins in musl builds 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-01-26 16:18:50 +01:00
Luca Guerra
69767bb51b fix(build): do not show plugin options in musl optimized builds 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-01-26 16:18:50 +01:00
Andrea Terzolo
7750b6f209 rule: update Copyright in falco rules 
Signed-off-by: Andrea Terzolo <s276109@studenti.polito.it>
 2022-01-25 18:58:05 +01:00
Andrea Terzolo
8c705448cc rule: add execveat as evt.type for spawned_process macro in falco rules 
Signed-off-by: Andrea Terzolo <s276109@studenti.polito.it>
 2022-01-25 18:58:05 +01:00
Shay Berkovich
6b9fafb75f rule update(Sudo Potential Privilege Escalation): trigger the most common CVE-2021-3156 exploit 
Signed-off-by: Shay Berkovich <sberkovich@blackberry.com>
Co-authored-by: Meera Balsara <mbalsara@blackberry.com>
 2022-01-25 17:54:06 +01:00
Shay Berkovich
fdcd7bffd0 rule update(Detect crypto miners using the Stratum protocol): update protocols 
Signed-off-by: Shay Berkovich <Sberkovich@blackberry.com>
Co-authored-by: Meera Balsara <mbalsara@blackberry.com>
 2022-01-25 17:54:06 +01:00
Shay Berkovich
d989e9c2d5 new(rules): Create Hardlink Over Sensitive Files 
New rule to prevent hardlink bypass and symlink rule set to WARNING for consistency
Signed-off-by: Shay Berkovich <sberkovich@blackberry.com>
Co-authored-by: Meera Balsara <mbalsara@blackberry.com>
 2022-01-25 17:54:06 +01:00
Federico Di Pierro
996ccf555c rule: updated aws_cloudtrail_rules with correct copyright year and required plugin versions. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-25 17:50:06 +01:00
Federico Di Pierro
2f82a9baa1 Update userspace/falco/falco.cpp 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2022-01-24 17:52:31 +01:00
Federico Di Pierro
dfb743838e Update userspace/engine/rules.cpp 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2022-01-24 17:52:31 +01:00
Federico Di Pierro
c7609192c7 Update userspace/engine/lua/rule_loader.lua 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2022-01-24 17:52:31 +01:00
Federico Di Pierro
4d3fc354fa update(userspace/engine): updated no evt.type specified lua warning string. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-24 17:52:31 +01:00
Federico Di Pierro
43bdfce6e5 update(userspace/falco): divide each plugin infos when dumping list of plugin with a newline. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-24 17:52:31 +01:00
Federico Di Pierro
a3976463d5 update(userspace/engine): fixed lua CMakeLists deps, to let it be gracefully rebuilt when lua files are updated. 
Moreover, added back warning about performance impact for rules without event types.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-24 17:52:31 +01:00
Federico Di Pierro
1a485c3447 update(userspace/engine,userspace/falco): improved some string warnings. 
Always print warnings while loading rules.
Print a single line when warning for ignored events.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-24 17:52:31 +01:00
Leonardo Grasso
96529300f6 fix(script/falco-driver-loader): fix typo 
Co-Authored-By: Thomas Spear <tspear@conquestcyber.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-01-24 17:49:34 +01:00
Leonardo Grasso
27922faa27 fix(scripts/falco-driver-loader): missing compression formats for .ko files 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-01-24 17:49:34 +01:00