Federico Di Pierro
ff21544186
update(build)!: replaced various PROBE with DRIVER where necessary.
...
Follow-up of https://github.com/falcosecurity/libs/pull/197.
Updated libs too to master version, as needed.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-02-08 09:50:39 +01:00
Mike Stewart
ee2f7c50e8
Potential fix for falcosecurity/falco#1884
...
Signed-off-by: Mike Stewart <mike.stewart@introhive.com>
2022-02-04 11:40:09 +01:00
Federico Di Pierro
332d828204
update(userspace/engine): properly value required_version because it is used by caller.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-01-28 15:33:22 +01:00
Federico Di Pierro
75c6cfb414
update(userspace/engine): properly implement semver check for required plugin versions.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-01-28 15:33:22 +01:00
Federico Di Pierro
70bfb2426c
fix(userspace/engine): forcefully set PPME_PLUGINEVENT_E event type for "plugin" source events.
...
This works around an issue in libs, targeting Falco 0.31.0.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-01-28 15:33:22 +01:00
Federico Di Pierro
8e6ffc6fc9
fix(userspace/engine): actually make m_filter_all_event_types useful by properly using it as fallback when no filter event types are provided.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-01-27 17:22:09 +01:00
Federico Di Pierro
8d9dd4440f
chore(userspace/engine): cleanup unused alternate-lua-dir option and remove config_falco_engine.h.in, now unused since lua scripts are embedded in Falco.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-01-26 16:19:50 +01:00
Luca Guerra
69767bb51b
fix(build): do not show plugin options in musl optimized builds
...
Signed-off-by: Luca Guerra <luca@guerra.sh>
2022-01-26 16:18:50 +01:00
Federico Di Pierro
2f82a9baa1
Update userspace/falco/falco.cpp
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
2022-01-24 17:52:31 +01:00
Federico Di Pierro
dfb743838e
Update userspace/engine/rules.cpp
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
2022-01-24 17:52:31 +01:00
Federico Di Pierro
c7609192c7
Update userspace/engine/lua/rule_loader.lua
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
2022-01-24 17:52:31 +01:00
Federico Di Pierro
4d3fc354fa
update(userspace/engine): updated no evt.type specified lua warning string.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-01-24 17:52:31 +01:00
Federico Di Pierro
43bdfce6e5
update(userspace/falco): divide each plugin's info with a newline when dumping the list of plugins.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-01-24 17:52:31 +01:00
Federico Di Pierro
a3976463d5
update(userspace/engine): fixed lua CMakeLists deps, to let it be gracefully rebuilt when lua files are updated.
...
Moreover, added back warning about performance impact for rules without event types.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-01-24 17:52:31 +01:00
Federico Di Pierro
1a485c3447
update(userspace/engine,userspace/falco): improved some string warnings.
...
Always print warnings while loading rules.
Print a single line when warning for ignored events.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-01-24 17:52:31 +01:00
yoshi314
a9e7512936
fix setting the variable of User-Agent, it was missing the prefix. Switched to curl's dedicated method to do this
...
Signed-off-by: Marcin Kowalski <marcin.kowalski@assecobs.pl>
2022-01-18 09:49:34 +01:00
Marcin Kowalski
f67e8bdad7
fix indentation in outputs_http.cpp
...
add sample config entry for user-agent variable
Signed-off-by: Marcin Kowalski <marcin.kowalski@assecobs.pl>
2022-01-18 09:49:34 +01:00
Marcin Kowalski
a94e6de458
add useragent string to output
...
Signed-off-by: Marcin Kowalski <marcin.kowalski@assecobs.pl>
2022-01-18 09:49:34 +01:00
Leonardo Grasso
3e9f8c1ef1
chore(userspace/engine): update fields checksum
...
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2022-01-17 18:15:43 +01:00
Mark Stemm
d20a326e09
Skip EPF_TABLE_ONLY fields with --list -N
...
When listing fields with -N (names only), also skip fields with the
EPF_TABLE_ONLY flag. (Skipping fields without -N is handled in libs,
in the as_string() method).
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-01-17 18:15:43 +01:00
Federico Di Pierro
ae57718bda
update(build): updated libs to latest master version. Updated plugins versions. Updated falco engine version.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-01-17 17:20:33 +01:00
Jason Dellaluce
4ab8d6db98
refactor(configuration): remove plugin config loading from file feature
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-01-17 14:55:11 +01:00
Jason Dellaluce
5e354859a9
new(configuration): allow defining plugin config as YAML maps
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-01-17 14:55:11 +01:00
Jason Dellaluce
f4b79296fc
fix: improve nested configuration field support
...
This fixes the parser introduced in https://github.com/falcosecurity/falco/pull/1792.
Now, nested fields such as `arr[1].subval` are supported, whereas the parser used
to recognize the `.` as an unexpected character.
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-01-17 14:55:11 +01:00
Jason Dellaluce
6bf8f34d9f
fix(engine): correctly format json output in json_event
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-01-14 13:29:33 +01:00
vadim.zyarko
f8f053c7fa
Add an empty line to satisfy the rules tests
...
Signed-off-by: vadim.zyarko <vadim.zyarko@sysdig.com>
2022-01-13 09:44:57 +01:00
VadimZy
b88a1cbb09
replace .. with table concat
...
Signed-off-by: vadim.zyarko <vadim.zyarko@sysdig.com>
2022-01-13 09:44:57 +01:00
Mark Stemm
c86615f68c
Embed .lua files into falco executable
...
Instead of having .lua files external to the program responsible for
loading rules, embed the contents of those files into the executable
and load them as strings instead of as files:
Add a cmake custom command below userspace/engine/lua that calls a
bash script lua-to-cpp.sh to generate falco_engine_lua_files.{cpp,hh}
that are compiled into the falco engine library.
The script creates a .cpp file that has const char * symbols for each
file, as well as lists of files that should be loaded when the falco
engine is loaded. There are actually two lists:
- lua_module_strings: these are loaded and also added to the lua
runtime package.preload table, so they are available when lua code
require()s them.
- lua_code_strings: these are loaded *and* evaluated, so the functions
in them are available to be called from C++.
This simplifies some of the falco_common methods, as there's no need
to keep track of a "main" lua file to load or paths from which the lua
loader should find files for modules, and there's no need to keep
track of an "alternate" lua directory that occurs for debug builds.
Also, there's no need to include any .lua files in the installed
packages, as they're built into the falco binary.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-01-13 09:26:35 +01:00
Mark Stemm
10512b9ef9
Move compiler/parser lua files to a "modules" subdir
...
This will distinguish it from rule_loader.lua, which is *not* a module
but lua code with functions that can be called directly.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-01-13 09:26:35 +01:00
Jason Dellaluce
0e52ef9971
fix(grpc): ignore protobuf deprecation warning
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-01-12 00:16:49 +01:00
Jason Dellaluce
a371a995b4
update(outputs): adapt grpc output to new protobuf definitions
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-01-12 00:16:49 +01:00
Jason Dellaluce
0f984c4dbe
update(grpc): substitute and deprecate enum source field from protobuf
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-01-12 00:16:49 +01:00
Federico Di Pierro
48a23121df
new(userspace/falco): add support for kernel side simple consumer.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-01-10 10:58:44 +01:00
Federico Di Pierro
475ed0dbeb
fix(userspace/engine,userspace/falco): set http output contenttype to text/plain when json output is disabled
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
2022-01-10 10:57:44 +01:00
Lorenzo Susini
cef2c2d5c1
chore: improve --list output using is_source_valid
...
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
2022-01-10 10:53:44 +01:00
Mark Stemm
455be15b0b
Fill in new shortdesc/data_type/tags for json fields
...
Update json_event_filter_factory::get_fields() to add the new
info (shortdesc, data_type, tags) to field descriptions.
This allows for richer outputs when printing info on the fields.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2021-12-23 17:05:39 +01:00
Mark Stemm
64e8feb200
Update fields checksum (no changes, order only)
...
With the new implementation of list_fields(), the order of fields
changed slightly. So update the checksum.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2021-12-23 17:05:39 +01:00
Mark Stemm
eded1062cd
Use filter_fieldclass_info::as_string to print field info
...
Instead of having a falco-specific function to print field info, use
the built-in filter_fieldclass_info::as_string() instead. This is a
better implementation (displays addl info, has better wrapping, wider
output) and having a single implementation allows for consistent
outputs between falco and other potential programs that could use the libs.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2021-12-23 17:05:39 +01:00
Federico Di Pierro
bb8b75a2cd
update(userspace/falco): enforce check that content-type actually starts with "application/json" string.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
2021-12-09 21:04:47 +01:00
Federico Di Pierro
b359f71511
fix(userspace/falco): accept 'Content-Type' header that contains "application/json", but it is not strictly equal to it.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2021-12-09 21:04:47 +01:00
Federico Di Pierro
9dcd8bccac
fix(userspace/falco): in case output_file cannot be opened, throw a falco exception.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2021-12-09 21:02:48 +01:00
Jason Dellaluce
c005af22cc
fix: set config value and create node if not existing
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2021-12-06 19:04:15 +01:00
Jason Dellaluce
1a7611a761
chore(engine): using is_defined config method instead of private get_node
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2021-12-06 19:04:15 +01:00
Jason Dellaluce
7fb61ba4a3
refactor(engine): access config fields with new key syntax
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2021-12-06 19:04:15 +01:00
Jason Dellaluce
9ab810f431
update(engine): support accessing nested config fields
...
Until now, the maximum depth supported to access config fields was two.
This adds support for accessing fields of arbitrary nesting depth.
A formal grammar has been made explicit for the regular language representing
the field keys. The accessor methods have been updated accordingly.
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2021-12-06 19:04:15 +01:00
Jason Dellaluce
7781385769
refactor(engine): support string config loading and add ad-hoc methods
...
This is a change of direction from the current design, that imposes loading
the configuration from file only, and in the object constructor. Instead,
yaml_configuration objects can now be reused and can load the YAML config
from either file or string. This also makes it easier to unit test this class.
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2021-12-06 19:04:15 +01:00
Jason Dellaluce
85db078dc4
chore: renaming comment references
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
2021-11-18 16:26:18 +01:00
sai-arigeli
23706da75e
Allow append of new exceptions to rules
...
Signed-off-by: Sai Arigeli <saiharisharigeli@gmail.com>
Return warnings after validation of rule exceptions
Signed-off-by: Sai Arigeli <saiharisharigeli@gmail.com>
Update FALCO_ENGINE_VERSION
Signed-off-by: Sai Arigeli <saiharisharigeli@gmail.com>
2021-11-18 09:11:20 +01:00
Federico Di Pierro
8a603c3c5d
update(build): latest libs correctly set OPENSSL_LIBRARIES for us.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2021-11-17 16:18:23 +01:00
Federico Di Pierro
5f1d04ec82
fix(build): build civetweb using cmake and linking to static openssl built by us.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2021-11-17 16:18:23 +01:00