Commit Graph

1251 Commits

Author SHA1 Message Date
Leonardo Di Donato
f710edcde2 wip(userspace): checking module using event timestamps rather than an external timer
This approach does not sound good to me since events can miss
timestamps.

Furthermore logically it is wrong to check the module sends event using
the events ...

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-30 08:32:43 +00:00
Leonardo Di Donato
7a3d5c62a0 docs: configuration opts for kernel module check
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-29 10:43:37 +00:00
Leonardo Di Donato
435a3b01db fix: improvements to the gitignore for integration tests
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-29 10:43:37 +00:00
Leonardo Di Donato
acd3e7f23a fix: check module in main loop
This way it will be able to detect events (and signals etc).
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-29 10:43:37 +00:00
Leonardo Di Donato
deaae756c0 new: helper to insert module
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-29 10:43:37 +00:00
Leonardo Di Donato
5a6c7af0c5 new: make backoff maximum wait per run configurable
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-29 10:43:37 +00:00
Leonardo Di Donato
05565f3524 update: minimum frequency for module check
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-29 10:43:37 +00:00
Leonardo Di Donato
980fb2f3a9 new: read module check configs
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-29 10:43:37 +00:00
Leonardo Di Donato
ba5e59964d new: method to grab nested (3 levels) configs
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-29 10:43:37 +00:00
Leonardo Di Donato
60721d52cb new: default falco config for module checking
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-29 10:43:36 +00:00
Leonardo Di Donato
8d9f88d45a new: lively check module every x seconds
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-29 10:43:36 +00:00
Leonardo Di Donato
4c04821d48 chore: bash improvements to engine fields verifier
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-29 10:43:36 +00:00
Leonardo Di Donato
fc2c1ac6cb new: generic exponential backoff helper
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-29 10:43:36 +00:00
Leonardo Di Donato
295c7afc32 new: helper to check module is inserted and loaded
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-29 10:43:36 +00:00
Leonardo Di Donato
f10b170174 new: timer
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-29 10:43:36 +00:00
Leonardo Di Donato
9f9d0e751b fix: remove polyfill for make_unique
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-29 10:43:36 +00:00
Leonardo Di Donato
322a2cdd25 build: get SYSDIG_DIR realpath
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-29 10:43:36 +00:00
Leonardo Di Donato
5c5c2e3309 build: compile using the 2014 ISO C++ standard
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-29 10:43:36 +00:00
Leonardo Di Donato
71832bc3ad new: explicitly check module is present at startup
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-29 10:43:35 +00:00
Leonardo Di Donato
93a3d14c41 fix(userspace): re-throw exceptions coming from sinsp
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-29 10:40:54 +00:00
Leonardo Di Donato
c7e7a868ed build: set SYSDIG_DIR to its real path
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-29 10:29:41 +00:00
Leonardo Di Donato
193f33cd40 fix: office hours are bi-weekly
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-21 17:28:30 +02:00
Leonardo Di Donato
14853597d3 docs: office hours zoom link
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
Co-authored-by: Lorenzo Fontana <lo@linux.com>
2019-08-21 17:08:03 +02:00
Leonardo Di Donato
49c4ef5d8c feat(userspace): open the event source/s depending on the flags
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
Co-authored-by: Lorenzo Fontana <lo@linux.com>
2019-08-21 17:08:03 +02:00
Leonardo Di Donato
1eeb059e10 feat(userspace): can not disable both the event sources
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-21 17:08:03 +02:00
Leonardo Di Donato
870c17e31d feat: flag to disable sources (syscall, k8s_audit)
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-21 17:08:03 +02:00
Kris Nova
c713b89542 Adding OSS changes to README
Signed-off-by: Kris Nova <kris@nivenly.com>
2019-08-21 15:38:59 +02:00
Lorenzo Fontana
7d8e1dee9b fix(docker/local): fix build dependencies
Signed-off-by: Lorenzo Fontana <lo@linux.com>
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-21 14:45:37 +02:00
Lorenzo Fontana
39b51562ed fix(rules): modification of a file should trigger as if it was opened or created
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2019-08-20 09:45:08 +02:00
Lorenzo Fontana
f05d18a847 new: download all dependencies over https
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2019-08-17 17:36:43 +02:00
Guangming Wang
731e197108 cleanup: fix misspelled words in readme.md
Signed-off-by: Guangming Wang <guangming.wang@daocloud.io>
2019-08-16 18:13:42 +02:00
Lorenzo Fontana
e229cecbe1 fix(rules): make chmod rules enabled by default
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2019-08-16 10:23:28 +02:00
Lorenzo Fontana
3ea98b05dd fix(rules/Set Setuid or Setgid bit): use chmod syscalls instead of chmod command
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2019-08-16 10:23:28 +02:00
Lorenzo Fontana
7bc3fa165f new: add @kris-nova to owners
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2019-08-13 22:42:43 +02:00
Leonardo Di Donato
3a1ab88111 new: webserver unit test skeleton
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-13 15:48:06 +02:00
Leonardo Di Donato
2439e97da6 update(tests): setup unit tests for userspace/falco too
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-13 15:48:06 +02:00
Leonardo Di Donato
8c62ec5472 fix(userspace): webserver must not fail with input that exceeds the expected ranges
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-13 15:48:06 +02:00
Leonardo Di Donato
c9cd6eebf7 update(userspace): falco webserver must catch json type errors (exceptions)
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-13 15:48:06 +02:00
Leonardo Di Donato
723bc1cabf fix(userspace): accessing a (json) object can throw exceptions because of wrong types
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-13 15:48:06 +02:00
Leonardo Di Donato
330d7ef2d7 fix: ignore build files generated by the regression tests
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-08-13 15:48:06 +02:00
kaizhe
1fc509d78b rule update: fine grained sending to mining domain
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-08-12 17:37:01 +02:00
kaizhe
a7ee01103d rule update: add rules for crypto mining
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-08-12 17:37:01 +02:00
Lorenzo Fontana
03fbf432f1 fix: make sure that when deleting shell history the system call is taken into account
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2019-08-07 15:38:22 +02:00
Mark Stemm
94d89eaea2 New tests for handling multi-doc files
New automated tests for testing parsing of multiple-doc rules files:

 - invalid_{overwrite,append}_{macro,rule}_multiple_docs are just like
   the previous versions, but with the multiple files combined into a
   single multi-document file.

 - multiple_docs combines the rules file from multiple_rules

They expect the same results and output as the multiple-file versions.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2019-08-02 11:01:59 -07:00
Mark Stemm
76f64f5d79 Properly parse multi-document yaml files
Properly parse multi-document yaml files e.g. blocks separated by
---. This is easily handled by lyaml itself--you just need to pass the
option all = true to yaml.load, and each document will be provided as a table.

This does break the table iteration a bit, so some more refactoring:

 - Create a load_state table that holds context like the current
   document index, the required_engine_version, etc.
 - Pull out the parts that parse a single document to load_rules_doc(),
   which is given the table for a single document + load_state.
 - Simplify get_orig_yaml_obj to just provide a single row index and
   return all rows from that point to the next blank line or line
   starting with '-'

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2019-08-02 11:01:59 -07:00
kaizhe
3dbd43749a rule update: add exception for write below rpm (#745)
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-08-01 20:07:24 +02:00
Mark Stemm
2439873a96 Prepare for 0.17.0
New changelog, bump version.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
0.17.0 0.17.1
2019-07-31 14:05:12 -07:00
Mark Stemm
204f5f219d Remove containers from empty capture file
A recent sysdig change resulted in container info embedded in capture
files being reported as events. In turn, this caused some tests that
were depending on empty.scap not having any events to fail.

So recreate empty.scap from an environment where no containers were
running. As a result they won't be included in the capture file and
there won't be any container events.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2019-07-31 12:18:47 -07:00
Mark Stemm
9b7c7ff5e4 Addl test for validation across files
Add new tests that ensure that validation across files and involving
multiple macro/rule objects display the right context. When appending,
both objects are displayed. When overwriting, the overwritten object is
displayed.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2019-07-31 11:22:38 +02:00
Mark Stemm
1f0065e4b1 Further improvements when displaying contexts
Make additional improvements to display relevant context when validating
files. This handles cases where a macro/rule overwrites a prior rule.

 - Instead of saving the index into the array of lines for each rule,
   save the rule yaml itself, as a property 'context' for each object.

 - When appending rules, the context of the base macro/rule and the
   context of the appended rule/macro are concatenated.

 - New functions get_orig_yaml_obj, build_error, and
   build_error_with_context handle building the error string.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2019-07-31 11:22:38 +02:00