github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-28 15:47:25 +00:00
Code Issues Projects Releases Wiki Activity
4,866 Commits 121 Branches 172 Tags 104 MiB
f4f7ccf777
Commit Graph

4866 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Melissa Kilby
f8398213ba update(metrics): always refresh ifinfo 
Because libs constantly refreshes them, it's fine to re-create the JSON
each time

Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-08-27 10:18:26 +02:00
Melissa Kilby
1caece2cf9 update(metrics): use new libs addr_to_string methods for host_ifinfo_json 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-08-27 10:18:26 +02:00
Melissa Kilby
23b412ea3c new(metrics): add host_ifinfo metric 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-08-27 10:18:26 +02:00
Fede Barcelona
7a684fdf13 feat(cmake): add conditional builds for falcoctl and rules 
There are systems, like Nix derivations where the build process
does not have network access in order to enforce reproducibility.
This patch allows people building Falco to optionally skip the build
of falcoctl with `-DADD_FALCOCTL_DEPENDENCY=OFF` and point to their own
self-backed, or pre-fetched rules files with
`-DFALCOSECURITY_RULES_FALCO_PATH=<some-path>` and
`-DFALCOSECURITY_RULES_LOCAL_PATH=<some-path>`.

For context, I needed to apply these patches while building the
project with Nix in https://github.com/tembleking/falco-nix but I think
that would be benefitial for the community to have also these options
open, and that would also make Falco feasible to be added to the
nixpkgs repository at https://github.com/nixos/nixpkgs

Signed-off-by: Fede Barcelona <fede_rico_94@hotmail.com>
 2024-08-27 10:15:26 +02:00
dependabot[bot]
8920701385 chore(deps): Bump submodules/falcosecurity-rules 
Bumps [submodules/falcosecurity-rules](https://github.com/falcosecurity/rules) from `baecf18` to `b6ad373`.
- [Release notes](https://github.com/falcosecurity/rules/releases)
- [Commits](baecf181ea...b6ad373719)

---
updated-dependencies:
- dependency-name: submodules/falcosecurity-rules
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-08-26 18:27:25 +02:00
Federico Di Pierro
db52442b3f fix(userspace/falco): fixed windows build by enforcing NOMINMAX compile definition. 
Also, minified config schema, since the big schema string leads to an MSVC compiler error.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-08-26 18:06:25 +02:00
Federico Di Pierro
3fff994b19 chore(userspace/falco): include numeric header for std::accumulate. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-08-26 18:06:25 +02:00
Federico Di Pierro
05bbe74d69 fix(unit_tests): skip Configuration.schema_validate_config test if Falco config is not present. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-08-26 18:06:25 +02:00
Federico Di Pierro
d1c715e7a8 chore(unit_tests,userspace): use nlhomann json instead of jsoncpp. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-08-26 18:06:25 +02:00
Federico Di Pierro
be927edfe8 new(userspace/falco,unit_tests): added new tests around schema validation feature. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-08-26 18:06:25 +02:00
Federico Di Pierro
94dc7da986 cleanup(unit_tests,userspace/falco): moved all config validation logic to be more testable. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-08-26 18:06:25 +02:00
Federico Di Pierro
6dfdfdd649 chore(unit_tests): moved config_files and env vars config tests to their own source file. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-08-26 18:06:25 +02:00
Federico Di Pierro
c807727475 chore(userspace/falco): use minProperties where needed. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-08-26 18:06:25 +02:00
Federico Di Pierro
5c551df116 new(userspace/falco): validate loaded configuration files against config schema. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-08-26 18:06:25 +02:00
Federico Di Pierro
4e45152521 fix(cmake,userspace/falco): bumped libs to latest master. 
Also, fixes some newly introduced API breaks.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-08-26 15:51:25 +02:00
Luca Guerra
1886aca8b5 update(falco): update metrics interface 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-08-26 15:51:25 +02:00
Luca Guerra
d93c51c929 update(build): update libs to latest master 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-08-26 15:51:25 +02:00
Luca Guerra
784d2d27cb update(cmake): bump libs and drivers to fix compilation issue 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-08-26 15:51:25 +02:00
Jason Dellaluce
6783cc7055 fix(unit_tests): adapt tests to new engine warning formats 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2024-08-26 15:51:25 +02:00
Jason Dellaluce
4ae942f1c6 update(cmake): bump libs and driver to latest master 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2024-08-26 15:51:25 +02:00
dependabot[bot]
d3191bdf15 chore(deps): Bump submodules/falcosecurity-rules 
Bumps [submodules/falcosecurity-rules](https://github.com/falcosecurity/rules) from `342b20d` to `baecf18`.
- [Release notes](https://github.com/falcosecurity/rules/releases)
- [Commits](342b20dc7d...baecf181ea)

---
updated-dependencies:
- dependency-name: submodules/falcosecurity-rules
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-08-20 10:46:43 +02:00
Luca Guerra
6824bdb660 update(docs): update changelog for 0.38.2 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-08-19 16:34:41 +02:00
Bill Vandenberk
1755527ad7 Add Tulip Retail to adopters list 
Signed-off-by: Bill Vandenberk <bill@vandenberk.me>
 2024-08-08 15:00:54 +02:00
Melissa Kilby
33a0d9c6ab fix(metrics/prometheus): adopt best prometheus practices for rules counters and sha256 file metrics 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-08-05 11:39:40 +02:00
dependabot[bot]
7a9048125f chore(deps): Bump submodules/falcosecurity-rules 
Bumps [submodules/falcosecurity-rules](https://github.com/falcosecurity/rules) from `068f0f2` to `342b20d`.
- [Release notes](https://github.com/falcosecurity/rules/releases)
- [Commits](068f0f2dc9...342b20dc7d)

---
updated-dependencies:
- dependency-name: submodules/falcosecurity-rules
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-08-02 19:55:30 +02:00
dependabot[bot]
d12b0ce290 chore(deps): Bump submodules/falcosecurity-rules 
Bumps [submodules/falcosecurity-rules](https://github.com/falcosecurity/rules) from `28b98b6` to `068f0f2`.
- [Release notes](https://github.com/falcosecurity/rules/releases)
- [Commits](28b98b6f5f...068f0f2dc9)

---
updated-dependencies:
- dependency-name: submodules/falcosecurity-rules
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-07-23 14:03:45 +02:00
Samuel Gaist
0e0428c5f7 vote: request to join maintainers 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2024-07-08 16:45:35 +02:00
Federico Di Pierro
1f2943da1e chore(ci): add ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION:true env to enforce the usage of node16. 
Centos:7 does not support node20 (glibc required mismatch).

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-07-08 07:03:33 +02:00
Federico Di Pierro
a9f3d98a00 chore(ci): use correct vault repo path for arm64. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-07-08 07:03:33 +02:00
Federico Di Pierro
aa42e380e0 fix(ci): use vault.centos.org for centos:7 CI build. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-07-08 07:03:33 +02:00
dependabot[bot]
5283dca335 chore(deps): Bump submodules/falcosecurity-rules 
Bumps [submodules/falcosecurity-rules](https://github.com/falcosecurity/rules) from `c0a9bf1` to `28b98b6`.
- [Release notes](https://github.com/falcosecurity/rules/releases)
- [Commits](c0a9bf17d5...28b98b6f5f)

---
updated-dependencies:
- dependency-name: submodules/falcosecurity-rules
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-07-03 11:27:18 +02:00
harshitasao
c25ded8f39 made some required changes 
Signed-off-by: harshitasao <harshitasao@gmail.com>
 2024-07-02 11:16:12 +02:00
harshitasao
a9ef7f9f97 added the openssf scorecard badge 
Signed-off-by: harshitasao <harshitasao@gmail.com>
 2024-07-02 11:16:12 +02:00
dependabot[bot]
62a448f805 chore(deps): Bump submodules/falcosecurity-rules 
Bumps [submodules/falcosecurity-rules](https://github.com/falcosecurity/rules) from `ea57e78` to `c0a9bf1`.
- [Release notes](https://github.com/falcosecurity/rules/releases)
- [Commits](ea57e78ea1...c0a9bf17d5)

---
updated-dependencies:
- dependency-name: submodules/falcosecurity-rules
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-06-27 14:45:50 +02:00
Federico Di Pierro
4a4ed1e118 update(userspace/engine): bump engine version and checksum. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-06-26 10:32:44 +02:00
Federico Di Pierro
c602be596b update(docs): update CHANGELOG for 0.38.1 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-06-26 10:32:44 +02:00
Federico Di Pierro
24eec1e92a update(cmake,userspace): bump libs and driver to latest master. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-06-26 10:32:44 +02:00
Mark Stemm
a3bf8b472b If rule compilation fails, return immediately 
There's no need to populate rulesets with the output if compilation
failed.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-06-25 18:27:39 +02:00
Mark Stemm
adeca79d1c Modify evttype_index_ruleset to derive from indexable_ruleset 
Modify evttype_index_ruleset to derive from indexable_ruleset instead
of having its own implementation of segregating filters by ruleset
id/event type.

An evttype_index_wrapper contains a falco rule and filter, and
implements the methods required by the template. run_wrappers()
evaluate the filter as before, without the segregation by ruleset
id/event type.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-06-20 11:23:12 +02:00
Mark Stemm
bbcfa61d82 Add an indexable ruleset that can split filters by ruleset/evttype 
Now that custom rules loading implementations (and related, custom
rulesets) can be swapped into falco in a customizable way, there is
some functionality in evttype_index_ruleset that could be used by
other rulesets, specifically the part that segregates filters by
ruleset and enables/disables filters based on name substring + tags.

To allow for this, create a new template indexable_ruleset<class
filter_wrapper> which derives from filter_ruleset and segregates the
filter_wrappers by ruleset. It also optionally segregates
filter_wrappers by event type.

The filter_wrapper class is an object that can return a name, tags,
and sc/event codes.

The main interfaces for classes that derive from indexable_ruleset are:

- add_wrapper(), which provides a filter_wrapper to the
  indexable_ruleset. This is generally called from
  add()/add_compile_output(), which must be implemented by the derived class.
- run_wrappers(), which must be implemented by the derived class and
  is called for event processing.

Most of the methods required by filter_ruleset are implemented by
indexable_ruleset and do not need to be implemented by the derived
class.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-06-20 11:23:12 +02:00
Gianmatteo Palmieri
3e91a27538 new(metrics): enable plugins metrics 
Signed-off-by: Gianmatteo Palmieri <mail@gian.im>
Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-06-13 16:32:48 +02:00
Federico Di Pierro
0e754aec14 chore(userspace): bump engine version and checksum. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-06-13 13:40:48 +02:00
Federico Di Pierro
0e4c580c1e update(cmake): bump libs to master. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-06-13 13:40:48 +02:00
Luca Guerra
b8e5e2e8dd update(engine): allow using -p to pass a format to plugin events 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-06-11 09:19:39 +02:00
dependabot[bot]
1c31390c56 chore(deps): Bump submodules/falcosecurity-rules 
Bumps [submodules/falcosecurity-rules](https://github.com/falcosecurity/rules) from `df963b6` to `ea57e78`.
- [Release notes](https://github.com/falcosecurity/rules/releases)
- [Commits](df963b6bcd...ea57e78ea1)

---
updated-dependencies:
- dependency-name: submodules/falcosecurity-rules
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-06-11 09:18:40 +02:00
Luca Guerra
8a59cee355 cleanup(falco): clarify that --print variants only affect syscalls 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-06-06 09:46:22 +02:00
Gianmatteo Palmieri
1c66b640f2 Revert "fix(engine): apply output substitutions for all sources" 
This reverts commit 4ef7c9553a.

Signed-off-by: Gianmatteo Palmieri <mail@gian.im>
 2024-06-05 12:43:19 +02:00
Federico Di Pierro
35395728cc chore(ci): enable dummy tests on the testing framework. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-06-04 10:15:13 +02:00
Melissa Kilby
5777a44ca1 fix(metrics): fix sha256 metric names for prometheus 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-06-04 09:52:13 +02:00
Melissa Kilby
97207d309a fix(metrics): allow each metric output channel to be selected independently 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-06-04 09:52:13 +02:00