github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-04-11 06:23:50 +00:00
Code Issues Projects Releases Wiki Activity
1,642 Commits 129 Branches 185 Tags
fd7731cf09ebb8e5535d24094fe60992e1788e5b
Commit Graph

1642 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Leonardo Di Donato
fd7731cf09 new(userspace/falco): initial inputs service implementation 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-17 15:58:52 +00:00
Leonardo Di Donato
b1d33ddf08 new(userspace/falco): initial inputs.input RPC endpoint (unary) 
Initial implementation of the start, process, end methods for the unary
version of the Inputs API.

Infact, in some use cases we do not want a streaming API but an unary
one.
Also, having a unary API that accepts repeated events can prove to be
more performant than a streaming one. But this needs to be proven by
numbers.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-17 15:56:34 +00:00
Leonardo Di Donato
f7c66cbbdc wip(userspace/falco): initial input and event proto files 
Atm, these protos try to mimic sinps_event structure. It's very likely,
for performances reasons, decoding reasons, copying reasons, we do not
want them to be so big.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-17 15:53:58 +00:00
toc-me[bot]
d30df38e4b update(proposals): toc for 20190826-grpc-outputs.md 
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-11 12:57:23 +00:00
Leonardo Di Donato
74d1a1f18f update(userspace/falco): use falco::outputs 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-11 12:54:54 +00:00
Leonardo Di Donato
cc847f53bb build: using newer outputs.proto 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-11 12:51:20 +00:00
Leonardo Di Donato
051a1a6f74 chore(userspace/falco): renaming output.proto, packages, and RPC name to plural 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-11 12:50:51 +00:00
Leonardo Di Donato
9c112890d4 update(proposals): naming of Outputs API 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-11 12:49:29 +00:00
Leonardo Di Donato
8ecf208901 update(userspace/falco): use internal protobuf API for gRPC stream contexts and request contexts 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-11 01:59:45 +00:00
Leonardo Di Donato
bd3c2ce8e8 build: compile internal protobuf API for gRPC 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-11 01:56:25 +00:00
Leonardo Di Donato
f49014bbe4 new(userspace/falco): introducing internal protobuf API for gRPC 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-11 01:55:43 +00:00
Leonardo Di Donato
e4fe9104f3 update(userspace/falco): reuse falco protobuf schema for grpc logging level, too 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-11 00:45:00 +00:00
Leonardo Di Donato
03df81af23 update(userspace/falco): set gRPC logging severity using Falco logging level (config) 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-11 00:27:02 +00:00
Leonardo Di Donato
fcb33d32cf fix(userspace/falco): fixing logs without new line 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-11 00:23:15 +00:00
Leonardo Di Donato
cb1cb5b12c fix(userspace/falco): make log level a project-wide config 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-11 00:22:36 +00:00
Leonardo Di Donato
467f33c5ff update(userspace/falco): log (debug + error) info about gRPC events per thread 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-10 19:51:12 +00:00
Leonardo Di Donato
4e916a7a58 chore(userspace/falco): print debug info for gRPC service implementations 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-10 19:50:10 +00:00
Leonardo Di Donato
325357c465 update(userspace/falco): store a representation of grpc meta into the context 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-10 19:48:59 +00:00
Leonardo Di Donato
0f81e9b95a chore(userspace/falco): log request's context info like tag, state, stream (grpc) 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-10 18:30:18 +00:00
Leonardo Di Donato
8b167bb1d9 chore(userspace/falco): log grpc debug info like session_id, request_id, context status, ... 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-10 18:29:16 +00:00
Leonardo Di Donato
8dba2485e2 update(userspace/falco): make grpc context accessible 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-10 18:28:29 +00:00
Leonardo Di Donato
85cd219682 chore(userspace/falco): enable grpc debug logging verbosity 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-10 18:27:33 +00:00
Jean-Philippe Lachance
488e667f46 Add Coveo to the list of Falco adopters 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
 2020-02-07 11:47:06 +01:00
Leonardo Di Donato
253ff64d64 chore: stick with the error messages we have 
Because we can't easily change the integration test fixtures.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-07 11:28:57 +01:00
Leonardo Di Donato
b3171dbae1 update(userspace/falco): use mutable proto fields where applicable 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-07 11:28:57 +01:00
Leonardo Di Donato
738d757b08 docs(userspace/falco): document gRPC errors and actions 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-07 11:28:57 +01:00
Leonardo Di Donato
5663d4d02b update(userspace/falco): major, minor, patch are digits, so use integers 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-07 11:28:57 +01:00
Leonardo Di Donato
2a9c9bdc53 update(cmake/modules): module to detect Falco version from the git index 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-07 11:28:57 +01:00
Leonardo Di Donato
ae2eb8de8e fix(userspace): ensure threadiness is gt 0 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-07 11:28:57 +01:00
Leonardo Di Donato
c7aff2d4cb new(userspace/falco): register version gRPC service 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-07 11:28:57 +01:00
Leonardo Di Donato
bc297bdc8f build: better way to extract falco commit hash (also extract ref) 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-07 11:28:57 +01:00
Leonardo Di Donato
2a91289ee4 update(userspace/falco): request context and request stream context templatize the service too now 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-07 11:28:57 +01:00
Leonardo Di Donato
c224633454 new(userspace/falco): initial work for version gRPC svc registration 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-07 11:28:57 +01:00
Leonardo Di Donato
714a6619ad new(userspace/falco): gRPC unary version service impl 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-07 11:28:57 +01:00
Leonardo Di Donato
550ee0d8fc build: compile version proto 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-07 11:28:57 +01:00
Leonardo Di Donato
8d49e45d44 docs(userspace/falco): document version protobuf 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-07 11:28:57 +01:00
Leonardo Di Donato
5e8f98ea92 new(userspace/falco): protobuf for gRPC version service 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-07 11:28:57 +01:00
Leonardo Di Donato
e560056b92 update(userspace/falco): define version part variables 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-07 11:28:57 +01:00
Leonardo Di Donato
84261d2071 build: extract version pieces 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-07 11:28:57 +01:00
Leonardo Di Donato
c374264384 docs(tests/falco): license for webserver unit tests 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-07 11:28:57 +01:00
Lorenzo Fontana
af3d89b706 fix(userspace/engine): formatting and auto declarations 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-02-06 19:16:21 +01:00
Lorenzo Fontana
5b9001d1d5 fix(userspace/engine): make sure that m_uses_paths is always false by default 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-02-06 19:16:21 +01:00
Lorenzo Fontana
240f7e2057 fix(userspace/engine): base64 format fix 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-04 21:00:00 +01:00
Vaibhav
22a95796c1 feat(userspace): Add banned.h which includes banned functions. 
This defines certain functions as invalid tokens, i.e., when
compiled, the compiler throws an error.

Currently only `strcpy` is included as a banned function.

Fixes #788

Signed-off-by: Vaibhav <vrongmeal@gmail.com>
 2020-02-04 17:47:56 +01:00
Leonardo Di Donato
f98da284d0 docs: update references to branches into README 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-03 17:15:45 +01:00
Mark Stemm
3693b16c91 Let puma reactor spawn shells 
Sample Falco alert:

```
Shell spawned by untrusted binary (user=git shell=sh parent=puma reactor
cmdline=sh -c pgrep -fl "unicorn.* worker\[.*?\]" pcmdline=puma reactor
gparent=puma ggparent=runsv aname[4]=ru...
```

https://github.com/puma/puma says it is "A Ruby/Rack web server built
for concurrency".

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
48a0f512fb Let cilium-cni change namespaces 
Sample Falco alert:

```
Namespace change (setns) by unexpected program (user=root
command=cilium-cni parent=cilium-cni host CID2 CID1 image=<NA>)
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
01c9d8ba31 Let runc write to /exec.fifo 
Sample Falco alert:

```
File below / or /root opened for writing (user=<NA>
command=runc:[1:CHILD] init parent=docker-runc-cur file=/exec.fifo
program=runc:[1:CHILD] CID1 image=<NA>)
```

This github issue provides some context:
https://github.com/opencontainers/runc/pull/1698

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
7794e468ba Alow writes to /etc/pki from openshift secrets dir 
Sample falco alert:

```
File below /etc opened for writing (user=root command=cp
/run/secrets/kubernetes.io/serviceaccount/ca.crt
/etc/pki/ca-trust/source/anchors/openshift-ca.crt parent=bash
pcmdline=bash -c #!/bin/bash\nset -euo pipefail\n\n# set by the node
image\nunset KUB...
```

The exception is conditioned on containers.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
0d74f3938d Let avinetworks supervisor write some ssh cfg 
Sample Falco alert:

```
File below /etc opened for writing (user=root command=se_supervisor.p
/opt/avi/scripts/se_supervisor.py -d parent=systemd pcmdline=systemd
file=/etc/ssh/ssh_monitor_config_10.24.249.200 program=se_supervisor.p
gparent=docker-containe ggparent=docker-con...
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00