github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-28 15:47:25 +00:00
Code Issues Projects Releases Wiki Activity
3,333 Commits 121 Branches 172 Tags 104 MiB
f43e6c445a
Commit Graph

3333 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Oscar Utbult
f43e6c445a rules: add OpenSSH private key to macro private_key_or_password 
Signed-off-by: Oscar Utbult <oscar.utbult@gmail.com>
 2022-12-15 13:36:18 +01:00
Nicolas-Peiffer
1f15af1e4f feat: Support for detecting outbound connection to c2 servers with FQDN domains and IP addresses. 
Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

feat: Support for detecting outbound connection to c2 servers with FQDN domains and IP addresses.

doc: add comment

Fixing DCO append amend

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

Revert to original C2 rule name

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

modify comments on C2 rule

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

comment

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

clean comments

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

clean comments

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

modify stdout

Signed-off-by: thedetective <nicolas@lrasc.fr>
 2022-12-15 13:27:18 +01:00
Andrea Terzolo
39753b6130 update(ci): remove 2 usages of falco-builder 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-15 12:31:19 +01:00
Andrea Terzolo
b758206cf1 cleanup(ci): remove some no more useful jobs 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-15 12:31:19 +01:00
Leonardo Grasso
9c04622bd6 chore(proposals): fix typo found by FedeDP 
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-12-14 17:32:14 +01:00
Leonardo Grasso
0200ec288e chore(proposals): fix typo found by codespell 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-12-14 17:32:14 +01:00
Leonardo Grasso
50c169987e docs(proposal): new artifacts distribution proposal 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-12-14 17:32:14 +01:00
Jason Dellaluce
5552bcab76 chore: fix typo 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-12-13 15:06:10 +01:00
Jason Dellaluce
cb58ea9c57 test: add regression tests for ref loops in lists and macros 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-12-13 15:06:10 +01:00
Jason Dellaluce
0a6db28783 fix(test/engine): solve compilation issues with macro resolver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-12-13 15:06:10 +01:00
Jason Dellaluce
25ddc3c6a2 update(userspace/engine): broader err catching support in macro resolver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-12-13 15:06:10 +01:00
Jason Dellaluce
35dd0fc153 fix(userspace/engine): implement loop detection in macro resolver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-12-13 15:06:10 +01:00
Federico Di Pierro
0c39776557 chore(ci): properly checkout pull request HEAD instead of merge commit in gh actions. 
See https://github.com/actions/checkout#checkout-pull-request-head-commit-instead-of-merge-commit.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-12-12 11:11:44 +01:00
Federico Di Pierro
4696948754 fix(cmake): properly fetch dev version by appending latest Falco tag, delta between master and tag, and hash. 
`describe` can no more be used as tags are now made on release branches.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-12-12 11:11:44 +01:00
dependabot[bot]
ec04b758e6 chore(deps): Bump certifi from 2020.4.5.1 to 2022.12.7 in /test 
Bumps [certifi](https://github.com/certifi/python-certifi) from 2020.4.5.1 to 2022.12.7.
- [Release notes](https://github.com/certifi/python-certifi/releases)
- [Commits](https://github.com/certifi/python-certifi/compare/2020.04.05.1...2022.12.07)

---
updated-dependencies:
- dependency-name: certifi
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-12-12 11:01:44 +01:00
Andrea Terzolo
52ee61b800 chore(userspace): add njson lib as a dependency for falco_engine 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-10 17:07:06 +01:00
gentooise
70dfdb2e75 support older rhel distros in falco-driver-loader 
Tested on RHEL 6

Signed-off-by: gentooise <andrea.genuise@ibm.com>
 2022-12-09 12:03:13 +01:00
Federico Di Pierro
1b227cf90b update(cmake): bumped libs and driver to latest RC. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-12-06 12:59:50 +01:00
Andrea Terzolo
ff3a38415d fix: remove conflicting helper methods 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-06 12:59:50 +01:00
Andrea Terzolo
94ed56df95 chore: bump libs 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-06 12:59:50 +01:00
Andrea Terzolo
6a972272c0 update: the capture will be stopped in the inspector destructor 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-06 12:59:50 +01:00
Andrea Terzolo
55deb452d8 update: start/stop capture inside do_inspect 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-06 12:59:50 +01:00
Federico Di Pierro
87371492c5 update(userspace/engine): updated checksum. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-12-06 12:59:50 +01:00
Federico Di Pierro
17dfe4f55d fix(userspace/falco): properly start/stop capture. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-12-06 12:59:50 +01:00
Federico Di Pierro
928ad6625b update(cmake): update libs to 8eef2e445364d892dba12564d20f9651232eba7c 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-12-06 12:59:50 +01:00
Mark Stemm
356a4a0749 Also copy ruleset when copying falco source 
In the copy constructor and assignment operator for falco_source, also
copy the ruleset along with factories/name.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-12-01 17:07:52 +01:00
Mark Stemm
910b8ff858 Fix(engine) Save parse positions when finding unresolved macros 
Now that ASTs contain parse positions, use them when reporting errors
about unknown macros.

When doing the first pass to find all macro references, save macros as
a map<macro name,parse position> instead of a set<macro name>. While
making that change, change the visitor struct to use references
instead of pointers.

In the second pass, when reporting any unresolved macro references,
also report the parse position.

The unit tests also check that the positions of macros are properly
returned in the resolved/unresolved maps.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-12-01 17:03:52 +01:00
Mark Stemm
83b12bab1d Fix(engine): include parse positions in compile errors 
Now that ASTs have parse positions and the compiler will return the
position of the last error, use that in falco rules to return errors
within condition strings instead of reporting the position as the
beginning of the condition.

This led to a change in the filter_ruleset interface--now, an ast is
compiled to a filter before being passed to the filter_ruleset
object. That avoids polluting the interface with a lot of details
about rule_loader contexts, errors, etc. The ast is still provided in
case the filter_ruleset wants to do indexing/analysis of the filter.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-12-01 17:03:52 +01:00
Lorenzo Susini
ecc1853d60 update(rule): improve insmod detection within container using CAP_SYS_MODULE 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-12-01 11:17:50 +01:00
Andrea Terzolo
fbd6628693 new(config): add the simulate_drops config explicitly 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-11-30 19:26:47 +01:00
Jason Dellaluce
ba61706557 update(userspace/falco): enable using zlib with webserver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-11-30 19:24:47 +01:00
vin01
234026e14b rule(macro rpm_procs): let salt-call write to rpm database 
Signed-off-by: vin01 <vinc.i@protonmail.ch>
 2022-11-30 19:20:47 +01:00
vin01
d03826379b rule(Read sensitive file untrusted): let salt-call read sensitive files 
Signed-off-by: vin01 <vinc.i@protonmail.ch>
 2022-11-30 19:20:47 +01:00
Alessandro Brucato
3697d1fae2 Fixed typo 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
 2022-11-30 19:12:47 +01:00
Alessandro Brucato
e76c31b493 Added PTRACE_SEIZE, PTRACE_POKETEXT, PTRACE_POKEDATA, PTRACE_SETREGS and whitelist macro 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
 2022-11-30 19:12:47 +01:00
Alessandro Brucato
d95e36b526 Rule: PTRACE attached to process 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
 2022-11-30 19:12:47 +01:00
Jason Dellaluce
15b57bd972 fix: remove minor string view dependencies 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-11-29 16:27:42 +01:00
Leonardo Grasso
68f4d5bb59 fix(userspace/engine): no need to use external deps 
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-11-29 16:27:42 +01:00
Leonardo Grasso
138e373ace chore(cmake/modlule): cleanup DownloadStringViewLite 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-11-29 16:27:42 +01:00
Leonardo Grasso
47fd90bb7f chore: remove not used dependency - string-view-lite 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-11-29 16:27:42 +01:00
Luca Guerra
3a56804cff new(CHANGELOG): add entry for 0.33.1 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-11-29 10:29:41 +01:00
Melissa Kilby
8f188ebe06 update(docs): polish release.md based on community feedback 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-11-28 10:45:35 +01:00
Melissa Kilby
7ead21daac update(docs): polish overview and versioning sections of release.md 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-11-28 10:45:35 +01:00
Melissa Kilby
d3badeb77e update(docs): add overview and versioning to release.md 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-11-28 10:45:35 +01:00
Edvin Norling
588ab01bfd Add Xenit AB to adopters 
Signed-off-by: Edvin Norling <edvin.norling@xenit.se>
 2022-11-23 13:12:57 +01:00
Luca Guerra
f08a5b4067 update(cli): also add cg / kg container-gvisor / kubernetes-gvisor 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-11-23 13:03:57 +01:00
Luca Guerra
dea02f82e8 update(falco): add container-gvisor and kubernetes-gvisor print options 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-11-23 13:03:57 +01:00
Luca Guerra
e3dbae3259 fix(engine): fix warning about redundant std::move 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-11-11 16:19:11 +01:00
Federico Di Pierro
d0ceba83b4 update(cmake, docker, circleci): updated libs and driver to latest master. 
Docker builder image was updated to remove the libelf and libz deps as they are now properly bundled, in BUNDLED_DEPS mode.
Finally, circleci musl job was updated to enforce the use of alpine-provided libelf package, since it is already static,
and building libelf on musl is pretty cumbersome.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-11-11 14:56:10 +01:00
Aldo Lacuku
161246fe1a fix(output): do not print syscall_buffer_size when gvisor is enabled 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-11-10 10:32:05 +01:00