github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-03-21 04:02:14 +00:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: github:0.28.0
Branches Tags
github:master github:fix/buffered_outputs github:fix/http-output-on-non-linux-platforms github:dependabot/submodules/submodules/falcosecurity-rules-048d2f8 github:feat/capture-events-filesize-limits github:update/libs github:3485_webserver_with_own_uid_gid github:release/0.43.x github:ekoops-patch-1 github:release/0.42.x github:release/0.41.x github:test/wip github:new/musl_static_aarch64 github:release/0.40.x github:release/0.39.x github:wip/test_libs_master github:release/0.38.x github:generalize-indexable-ruleset-polymorphic github:chore/test_pr1803 github:LucaGuerra-patch-1 github:release/0.37.x github:fix_CI_5 github:chore/use_actuated_helper github:fix_CI_4 github:bump_falco_latest_libs github:new/static_aarch64 github:fix/use_plugin_name github:new/mode-in-config github:release/0.36.x github:test_filterchecks github:test_release_0.36.0 github:fix/workaround_glibc_bug_timer_delete github:wip/test github:add-load-files-method github:test/ci github:update/pidfile-usage-doc github:bump_libs_andrea github:release/0.35.x github:remove-source-ruleset-overwrite-when-loading github:mstemm-works-with-latest-libs github:test/PR546 github:test/PR959 github:libs_bump github:release/0.34.x github:release/0.34.0 github:fix/kmod_cleanup github:chore/move-rules-to-their-repo github:enable_maintainers_gh_jobs github:dev_docker github:fix/dev_version github:exec-hashes github:falco_modern_probe github:release/0.33.1 github:test_modern_probe github:fix/docker_img_host_root_runtime github:release/0.33.0 github:test_falco_bump github:chore/falco_lock_file github:fix_falco_service github:test_deb_rpm github:buffer_dimension github:testing/falco-0-32-3/issue/1909 github:test/libs/pr/567 github:test/new_libs github:release/0.32.2 github:update/remove-mesos-support github:remove-fntlnz github:test/libs/pr/213 github:leogr-patch-1 github:build/fix-conffiles github:add-app-actions github:add-app-actions-prerebase-2 github:add-grpc-rules-loading github:fix-plugins-issue-56 github:field-properties-changes github:embed-lua-scripts github:new/plugin-system-api-additions-prerebase github:embeddable-falco-engine github:build/apply-libs-pr-41 github:build/upgrade-driver-version-mid2021 github:build/upgrade-driver-version-for-0-29-0 github:build/update-driver-version-wip github:hotfix/grpc-in-packages github:use-url-safe-chars-version github:rules-fp-fixes-2021-02 github:allow-unknown-sources github:libhawk-rules github:build/docs github:update/cli github:update/logo github:caniszczyk-patch-1 github:new/logger github:new/inspect-per-cpu github:new/ci-build-aarch64 github:release/0.26.2 github:temporary/test-ci-broken-tests github:libhawk github:add-exceptions-support-copy2 github:add-exceptions-support-copy github:chore/remove-time-macrodefs github:update/release-drivers github:rules-bash-history-top-only github:fix/scripts-modprobe github:perf-experiments github:fix/1272 github:fix/1272-test github:readme-update github:proposal/rules-engine-version-scope github:nova-debug github:falco-driver-loader-dockerfile github:chore/integration-grpc-with-event-generator github:feat/grpc-integration-tests github:new/profiler github:falco-arm-support github:falco-on-arm github:feature/inputs-mvp github:adding-install-script github:feat/modulecheck github:falco-release-0-17-0 github:falco-release-0-17-1 github:add-addl-pst-owners github:683-handle-sinsp-errors github:allow-regex-chars-rule-names github:backup-master github:add-context-to-rules-errors
github:0.43.0 github:0.43.0-rc4 github:0.43.0-rc3 github:0.43.0-rc2 github:0.43.0-rc1 github:0.42.1 github:0.42.0 github:0.42.0-rc4 github:0.42.0-rc3 github:0.42.0-rc2 github:0.42.0-rc1 github:0.41.3 github:0.41.2 github:0.41.1 github:0.41.1-rc1 github:0.41.0 github:0.41.0-rc2 github:0.41.0-rc1 github:0.40.0 github:0.40.0-rc1 github:0.39.2 github:0.39.1 github:0.39.1-rc1 github:0.39.0 github:0.39.0-rc3 github:0.39.0-rc2 github:0.39.0-rc1 github:0.38.2 github:0.38.2-rc2 github:0.38.2-rc1 github:0.38.1 github:0.38.1-rc1 github:0.38.0 github:0.38.0-rc5 github:0.38.0-rc4 github:0.38.0-rc3 github:0.38.0-rc2 github:0.38.0-rc1 github:0.37.1 github:0.37.1-rc1 github:0.37.0 github:0.37.0-rc3 github:0.37.0-rc2 github:0.37.0-rc1 github:0.36.2 github:0.36.2-rc1 github:0.36.1 github:0.36.1-rc1 github:0.36.0 github:0.36.0-rc3 github:0.36.0-rc2 github:0.36.0-rc1 github:0.35.1 github:0.35.0 github:0.35.0-rc2 github:0.35.0-rc1 github:0.35.0-alpha5 github:0.35.0-alpha4 github:0.35.0-alpha3 github:0.35.0-alpha2 github:0.35.0-alpha1 github:0.34.1 github:0.34.0 github:0.33.1 github:0.33.0 github:0.32.2 github:0.32.1 github:0.32.0 github:0.31.1 github:0.31.0 github:0.30.0 github:0.29.1 github:0.29.0 github:0.28.1 github:0.28.0 github:0.27.0 github:0.26.2 github:0.26.1 github:0.26.0 github:0.25.0 github:0.24.0 github:0.23.0 github:0.22.1 github:0.22.0 github:0.21.0 github:0.20.0 github:0.19.0 github:0.18.0 github:0.17.1 github:0.17.0 github:0.16.0 github:0.15.3 github:0.15.2 github:0.15.1 github:0.15.0 github:0.14.0 github:0.13.1 github:0.13.0 github:agent/0.85.1 github:0.12.1 github:0.12.0 github:agent/0.85.0 github:agent/0.84.2 github:agent/0.84.3 github:agent/0.84.1 github:agent/0.84.0 github:0.11.1 github:0.11.0 github:agent/0.83.1 github:agent/0.83.0 github:agent/0.81.0 github:agent/0.82.0 github:agent/0.80.2 github:agent/0.80.1 github:0.10.0 github:agent/0.80.0 github:agent/0.79.0 github:agent/0.79.1 github:agent/0.78.0 github:agent/0.78.1 github:agent/0.76.4 github:agent/0.77.0 github:agent/0.76.3 github:0.9.0 github:agent/0.76.0 github:agent/0.76.1 github:agent/0.76.2 github:agent/0.75.0 github:agent/0.74.0 github:agent/0.73.2 github:agent/0.73.1 github:agent/0.73.0 github:agent/0.72.4 github:agent/0.72.0 github:agent/0.72.1 github:agent/0.72.2 github:agent/0.72.3 github:agent/0.71.0 github:agent/0.70.0 github:0.8.1 github:0.8.0 github:agent/0.69.0 github:agent/0.68.0 github:agent/0.66.0 github:agent/0.67.0 github:agent/0.65.0 github:agent/0.65.1 github:agent/0.63.0 github:agent/0.63.1 github:agent/0.64.0 github:agent/0.61.0 github:agent/0.62.0 github:0.7.0 github:0.6.1 github:agent/0.60.0 github:agent/0.59.0 github:agent/0.58.0 github:agent/0.57.0 github:agent/0.56.0 github:0.6.0 github:0.6.0-test github:agent/0.55.0 github:agent/0.54.0 github:agent/0.53.0 github:agent/0.52.0 github:agent/0.51.0 github:agent/0.50.1 github:agent/0.50.0 github:0.5.0 github:agent/0.49.1 github:agent/0.49.0 github:agent/0.48.0 github:agent/0.47.0 github:agent/0.46.0 github:agent/0.45.0 github:agent/0.44.0 github:agent/0.43.0 github:0.4.0 github:agent/0.42.0 github:agent/0.40.0 github:agent/0.41.0 github:0.3.0 github:v0.2.0 github:v0.1.0
..
compare: github:build/docs
Branches Tags
github:fix/buffered_outputs github:fix/http-output-on-non-linux-platforms github:dependabot/submodules/submodules/falcosecurity-rules-048d2f8 github:master github:feat/capture-events-filesize-limits github:update/libs github:3485_webserver_with_own_uid_gid github:release/0.43.x github:ekoops-patch-1 github:release/0.42.x github:release/0.41.x github:test/wip github:new/musl_static_aarch64 github:release/0.40.x github:release/0.39.x github:wip/test_libs_master github:release/0.38.x github:generalize-indexable-ruleset-polymorphic github:chore/test_pr1803 github:LucaGuerra-patch-1 github:release/0.37.x github:fix_CI_5 github:chore/use_actuated_helper github:fix_CI_4 github:bump_falco_latest_libs github:new/static_aarch64 github:fix/use_plugin_name github:new/mode-in-config github:release/0.36.x github:test_filterchecks github:test_release_0.36.0 github:fix/workaround_glibc_bug_timer_delete github:wip/test github:add-load-files-method github:test/ci github:update/pidfile-usage-doc github:bump_libs_andrea github:release/0.35.x github:remove-source-ruleset-overwrite-when-loading github:mstemm-works-with-latest-libs github:test/PR546 github:test/PR959 github:libs_bump github:release/0.34.x github:release/0.34.0 github:fix/kmod_cleanup github:chore/move-rules-to-their-repo github:enable_maintainers_gh_jobs github:dev_docker github:fix/dev_version github:exec-hashes github:falco_modern_probe github:release/0.33.1 github:test_modern_probe github:fix/docker_img_host_root_runtime github:release/0.33.0 github:test_falco_bump github:chore/falco_lock_file github:fix_falco_service github:test_deb_rpm github:buffer_dimension github:testing/falco-0-32-3/issue/1909 github:test/libs/pr/567 github:test/new_libs github:release/0.32.2 github:update/remove-mesos-support github:remove-fntlnz github:test/libs/pr/213 github:leogr-patch-1 github:build/fix-conffiles github:add-app-actions github:add-app-actions-prerebase-2 github:add-grpc-rules-loading github:fix-plugins-issue-56 github:field-properties-changes github:embed-lua-scripts github:new/plugin-system-api-additions-prerebase github:embeddable-falco-engine github:build/apply-libs-pr-41 github:build/upgrade-driver-version-mid2021 github:build/upgrade-driver-version-for-0-29-0 github:build/update-driver-version-wip github:hotfix/grpc-in-packages github:use-url-safe-chars-version github:rules-fp-fixes-2021-02 github:allow-unknown-sources github:libhawk-rules github:build/docs github:update/cli github:update/logo github:caniszczyk-patch-1 github:new/logger github:new/inspect-per-cpu github:new/ci-build-aarch64 github:release/0.26.2 github:temporary/test-ci-broken-tests github:libhawk github:add-exceptions-support-copy2 github:add-exceptions-support-copy github:chore/remove-time-macrodefs github:update/release-drivers github:rules-bash-history-top-only github:fix/scripts-modprobe github:perf-experiments github:fix/1272 github:fix/1272-test github:readme-update github:proposal/rules-engine-version-scope github:nova-debug github:falco-driver-loader-dockerfile github:chore/integration-grpc-with-event-generator github:feat/grpc-integration-tests github:new/profiler github:falco-arm-support github:falco-on-arm github:feature/inputs-mvp github:adding-install-script github:feat/modulecheck github:falco-release-0-17-0 github:falco-release-0-17-1 github:add-addl-pst-owners github:683-handle-sinsp-errors github:allow-regex-chars-rule-names github:backup-master github:add-context-to-rules-errors
github:0.43.0 github:0.43.0-rc4 github:0.43.0-rc3 github:0.43.0-rc2 github:0.43.0-rc1 github:0.42.1 github:0.42.0 github:0.42.0-rc4 github:0.42.0-rc3 github:0.42.0-rc2 github:0.42.0-rc1 github:0.41.3 github:0.41.2 github:0.41.1 github:0.41.1-rc1 github:0.41.0 github:0.41.0-rc2 github:0.41.0-rc1 github:0.40.0 github:0.40.0-rc1 github:0.39.2 github:0.39.1 github:0.39.1-rc1 github:0.39.0 github:0.39.0-rc3 github:0.39.0-rc2 github:0.39.0-rc1 github:0.38.2 github:0.38.2-rc2 github:0.38.2-rc1 github:0.38.1 github:0.38.1-rc1 github:0.38.0 github:0.38.0-rc5 github:0.38.0-rc4 github:0.38.0-rc3 github:0.38.0-rc2 github:0.38.0-rc1 github:0.37.1 github:0.37.1-rc1 github:0.37.0 github:0.37.0-rc3 github:0.37.0-rc2 github:0.37.0-rc1 github:0.36.2 github:0.36.2-rc1 github:0.36.1 github:0.36.1-rc1 github:0.36.0 github:0.36.0-rc3 github:0.36.0-rc2 github:0.36.0-rc1 github:0.35.1 github:0.35.0 github:0.35.0-rc2 github:0.35.0-rc1 github:0.35.0-alpha5 github:0.35.0-alpha4 github:0.35.0-alpha3 github:0.35.0-alpha2 github:0.35.0-alpha1 github:0.34.1 github:0.34.0 github:0.33.1 github:0.33.0 github:0.32.2 github:0.32.1 github:0.32.0 github:0.31.1 github:0.31.0 github:0.30.0 github:0.29.1 github:0.29.0 github:0.28.1 github:0.28.0 github:0.27.0 github:0.26.2 github:0.26.1 github:0.26.0 github:0.25.0 github:0.24.0 github:0.23.0 github:0.22.1 github:0.22.0 github:0.21.0 github:0.20.0 github:0.19.0 github:0.18.0 github:0.17.1 github:0.17.0 github:0.16.0 github:0.15.3 github:0.15.2 github:0.15.1 github:0.15.0 github:0.14.0 github:0.13.1 github:0.13.0 github:agent/0.85.1 github:0.12.1 github:0.12.0 github:agent/0.85.0 github:agent/0.84.2 github:agent/0.84.3 github:agent/0.84.1 github:agent/0.84.0 github:0.11.1 github:0.11.0 github:agent/0.83.1 github:agent/0.83.0 github:agent/0.81.0 github:agent/0.82.0 github:agent/0.80.2 github:agent/0.80.1 github:0.10.0 github:agent/0.80.0 github:agent/0.79.0 github:agent/0.79.1 github:agent/0.78.0 github:agent/0.78.1 github:agent/0.76.4 github:agent/0.77.0 github:agent/0.76.3 github:0.9.0 github:agent/0.76.0 github:agent/0.76.1 github:agent/0.76.2 github:agent/0.75.0 github:agent/0.74.0 github:agent/0.73.2 github:agent/0.73.1 github:agent/0.73.0 github:agent/0.72.4 github:agent/0.72.0 github:agent/0.72.1 github:agent/0.72.2 github:agent/0.72.3 github:agent/0.71.0 github:agent/0.70.0 github:0.8.1 github:0.8.0 github:agent/0.69.0 github:agent/0.68.0 github:agent/0.66.0 github:agent/0.67.0 github:agent/0.65.0 github:agent/0.65.1 github:agent/0.63.0 github:agent/0.63.1 github:agent/0.64.0 github:agent/0.61.0 github:agent/0.62.0 github:0.7.0 github:0.6.1 github:agent/0.60.0 github:agent/0.59.0 github:agent/0.58.0 github:agent/0.57.0 github:agent/0.56.0 github:0.6.0 github:0.6.0-test github:agent/0.55.0 github:agent/0.54.0 github:agent/0.53.0 github:agent/0.52.0 github:agent/0.51.0 github:agent/0.50.1 github:agent/0.50.0 github:0.5.0 github:agent/0.49.1 github:agent/0.49.0 github:agent/0.48.0 github:agent/0.47.0 github:agent/0.46.0 github:agent/0.45.0 github:agent/0.44.0 github:agent/0.43.0 github:0.4.0 github:agent/0.42.0 github:agent/0.40.0 github:agent/0.41.0 github:0.3.0 github:v0.2.0 github:v0.1.0

6 Commits
0.28.0 ... build/docs

Author SHA1 Message Date
Leonardo Grasso
b0180de545 docs(README): correct badge link path to fix docs rendering 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-01-12 11:40:30 +01:00
Leonardo Di Donato
d76eec5f9e build(documentation): generate docs target 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-12-24 15:26:56 +00:00
Leonardo Di Donato
eabd8b677b new(documentation): navbar config 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-12-24 15:26:23 +00:00
Leonardo Di Donato
fc6d39767f new(documentation): about page skeleton (for Falco development docs) 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-12-24 15:23:31 +00:00
Leonardo Di Donato
c24f3c276b new(documentation): doxygen configuration 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-12-24 15:23:05 +00:00
Leonardo Di Donato
d9cd2f1bb7 build(cmake/modules): introduce CPM 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-12-24 15:22:16 +00:00
100 changed files with 1234 additions and 3542 deletions
Expand all files Collapse all files

4
.circleci/OWNERS
View File

@@ -1,4 +0,0 @@
approvers:
- jonahjon
reviewers:
- jonahjon

257
.circleci/config.yml
View File

@@ -368,49 +368,59 @@ jobs:
root: /
paths:
- build/release/*.rpm
# Publish the dev packages
# Publish the packages
"publish/packages-dev":
docker:
- image: docker.io/centos:7
- image: docker.bintray.io/jfrog/jfrog-cli-go:latest
steps:
- attach_workspace:
at: /
- run:
name: Setup
command: |
yum install epel-release -y
yum update -y
yum install createrepo gpg python python-pip -y
pip install awscli==1.19.47
echo $GPG_KEY | base64 -d | gpg --import
- run:
name: Publish rpm-dev
name: Create versions
command: |
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
/source/falco/scripts/publish-rpm -f /build/release/falco-${FALCO_VERSION}-x86_64.rpm -r rpm-dev
- run:
name: Publish bin-dev
command: |
FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
/source/falco/scripts/publish-bin -f /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz -r bin-dev -a x86_64
"publish/packages-deb-dev":
docker:
- image: docker.io/debian:stable
steps:
- attach_workspace:
at: /
- run:
name: Setup
command: |
apt update -y
apt-get install apt-utils bzip2 gpg python python-pip -y
pip install awscli
echo $GPG_KEY | base64 -d | gpg --import
jfrog bt vs falcosecurity/deb-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/deb-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
jfrog bt vs falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/rpm-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
jfrog bt vs falcosecurity/bin-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/bin-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
- run:
name: Publish deb-dev
command: |
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
/source/falco/scripts/publish-deb -f /build/release/falco-${FALCO_VERSION}-x86_64.deb -r deb-dev
jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb-dev/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --override
- run:
name: Publish rpm-dev
command: |
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
- run:
name: Publish bin-dev
command: |
FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
jfrog bt u /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
# Clenup the Falco development release packages
"cleanup/packages-dev":
docker:
- image: docker.bintray.io/jfrog/jfrog-cli-go:latest
steps:
- checkout:
path: /source/falco
- run:
name: Prepare env
command: |
apk add --no-cache --update
apk add curl jq
- run:
name: Only keep the 10 most recent Falco development release tarballs
command: |
/source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r bin-dev
- run:
name: Only keep the 50 most recent Falco development release RPMs
command: |
/source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r rpm-dev
- run:
name: Only keep the 50 most recent Falco development release DEBs
command: |
/source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r deb-dev
# Publish docker packages
"publish/docker-dev":
docker:
@@ -442,89 +452,35 @@ jobs:
docker build --build-arg FALCO_IMAGE_TAG=master -t falcosecurity/falco-driver-loader:master docker/driver-loader
echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
docker push falcosecurity/falco-driver-loader:master
# Publish container images to AWS ECR Public
"publish/container-images-aws-dev":
docker:
- image: docker:stable
steps:
- attach_workspace:
at: /
- checkout
- setup_remote_docker
- run:
name: Build and publish no-driver (dev) to AWS
command: |
apk update
apk add --update groff less py-pip
pip install awscli
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
docker build --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t "public.ecr.aws/falcosecurity/falco-no-driver:master" docker/no-driver
docker tag public.ecr.aws/falcosecurity/falco-no-driver:master public.ecr.aws/falcosecurity/falco:master-slim
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
docker push "public.ecr.aws/falcosecurity/falco-no-driver:master"
docker push "public.ecr.aws/falcosecurity/falco:master-slim"
- run:
name: Build and publish falco (dev) to AWS
command: |
apk update
apk add --update groff less py-pip
pip install awscli
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t "public.ecr.aws/falcosecurity/falco:master" docker/falco
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
docker push "public.ecr.aws/falcosecurity/falco:master"
- run:
name: Build and publish driver-loader (dev) to AWS
command: |
apk update
apk add --update groff less py-pip
pip install awscli
docker build --build-arg FALCO_IMAGE_TAG=master -t "public.ecr.aws/falcosecurity/falco-driver-loader:master" docker/driver-loader
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
docker push "public.ecr.aws/falcosecurity/falco-driver-loader:master"
# Publish the packages
"publish/packages":
docker:
- image: docker.io/centos:7
- image: docker.bintray.io/jfrog/jfrog-cli-go:latest
steps:
- attach_workspace:
at: /
- run:
name: Setup
command: |
yum install epel-release -y
yum update -y
yum install createrepo gpg python python-pip -y
pip install awscli==1.19.47
echo $GPG_KEY | base64 -d | gpg --import
- run:
name: Publish rpm
name: Create versions
command: |
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
/source/falco/scripts/publish-rpm -f /build/release/falco-${FALCO_VERSION}-x86_64.rpm -r rpm
- run:
name: Publish bin
command: |
FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
/source/falco/scripts/publish-bin -f /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz -r bin -a x86_64
"publish/packages-deb":
docker:
- image: docker.io/debian:stable
steps:
- attach_workspace:
at: /
- run:
name: Setup
command: |
apt update -y
apt-get install apt-utils bzip2 gpg python python-pip -y
pip install awscli
echo $GPG_KEY | base64 -d | gpg --import
jfrog bt vs falcosecurity/deb/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/deb/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
jfrog bt vs falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/rpm/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
jfrog bt vs falcosecurity/bin/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/bin/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
- run:
name: Publish deb
command: |
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
/source/falco/scripts/publish-deb -f /build/release/falco-${FALCO_VERSION}-x86_64.deb -r deb
jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --override
- run:
name: Publish rpm
command: |
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
- run:
name: Publish bin
command: |
FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
jfrog bt u /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
# Publish docker packages
"publish/docker":
docker:
@@ -562,52 +518,6 @@ jobs:
echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
docker push "falcosecurity/falco-driver-loader:${CIRCLE_TAG}"
docker push "falcosecurity/falco-driver-loader:latest"
# Publish container images to AWS ECR Public
"publish/container-images-aws":
docker:
- image: docker:stable
steps:
- attach_workspace:
at: /
- checkout
- setup_remote_docker
- run:
name: Build and publish no-driver to AWS
command: |
apk update
apk add --update groff less py-pip
pip install awscli
docker build --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" docker/no-driver
docker tag "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" public.ecr.aws/falcosecurity/falco-no-driver:latest
docker tag "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}-slim"
docker tag "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" "public.ecr.aws/falcosecurity/falco:latest-slim"
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
docker push "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}-slim"
docker push "public.ecr.aws/falcosecurity/falco:latest-slim"
docker push "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}"
docker push "public.ecr.aws/falcosecurity/falco-no-driver:latest"
- run:
name: Build and publish falco to AWS
command: |
apk update
apk add --update groff less py-pip
pip install awscli
docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}" docker/falco
docker tag "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}" public.ecr.aws/falcosecurity/falco:latest
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
docker push "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}"
docker push "public.ecr.aws/falcosecurity/falco:latest"
- run:
name: Build and publish falco-driver-loader to AWS
command: |
apk update
apk add --update groff less py-pip
pip install awscli
docker build --build-arg FALCO_IMAGE_TAG=${CIRCLE_TAG} -t "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}" docker/driver-loader
docker tag "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}" public.ecr.aws/falcosecurity/falco-driver-loader:latest
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
docker push "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}"
docker push "public.ecr.aws/falcosecurity/falco-driver-loader:latest"
workflows:
version: 2
build_and_test:
@@ -639,9 +549,7 @@ workflows:
requires:
- "tests/integration"
- "publish/packages-dev":
context:
- falco
- test-infra
context: falco
filters:
tags:
ignore: /.*/
@@ -650,17 +558,15 @@ workflows:
requires:
- "rpm/sign"
- "tests/integration-static"
- "publish/packages-deb-dev":
context:
- falco
- test-infra
- "cleanup/packages-dev":
context: falco
filters:
tags:
ignore: /.*/
branches:
only: master
requires:
- "tests/integration"
- "publish/packages-dev"
- "publish/docker-dev":
context: falco
filters:
@@ -670,18 +576,8 @@ workflows:
only: master
requires:
- "publish/packages-dev"
- "publish/packages-deb-dev"
- "tests/driver-loader/integration"
- "publish/container-images-aws-dev":
context: test-infra # contains Falco AWS credentials
filters:
tags:
ignore: /.*/
branches:
only: master
requires:
- publish/docker-dev
# - "quality/static-analysis" # This is temporarly disabled: https://github.com/falcosecurity/falco/issues/1526
- "quality/static-analysis"
release:
jobs:
- "build/musl":
@@ -706,9 +602,7 @@ workflows:
branches:
ignore: /.*/
- "publish/packages":
context:
- falco
- test-infra
context: falco
requires:
- "build/musl"
- "rpm/sign"
@@ -717,33 +611,10 @@ workflows:
only: /.*/
branches:
ignore: /.*/
- "publish/packages-deb":
context:
- falco
- test-infra
requires:
- "build/centos7"
filters:
tags:
only: /.*/
branches:
ignore: /.*/
- "publish/docker":
context:
- falco
- test-infra
context: falco
requires:
- "publish/packages"
- "publish/packages-deb"
filters:
tags:
only: /.*/
branches:
ignore: /.*/
- "publish/container-images-aws":
context: test-infra # contains Falco AWS credentials
requires:
- "publish/docker"
filters:
tags:
only: /.*/

1
.gitignore vendored
View File

@@ -2,6 +2,7 @@
*~
*.pyc
test/falco_tests.yaml
test/traces-negative
test/traces-positive
test/traces-info

11
ADOPTERS.md
View File

@@ -2,8 +2,6 @@
This is a list of production adopters of Falco (in alphabetical order):
* [ASAPP](https://www.asapp.com/) - ASAPP is a pushing the boundaries of fundamental artificial intelligence research. We apply our research into AI-Native® products that make organizations, in the customer experience industry, highly productive, efficient, and effective—by augmenting human activity and automating workflows. We constantly monitor our workloads against different hazards and FALCO helps us extend our threat monitoring boundaries.
* [Booz Allen Hamilton](https://www.boozallen.com/) - BAH leverages Falco as part of their Kubernetes environment to verify that work loads behave as they did in their CD DevSecOps pipelines. BAH offers a solution to internal developers to easily build DevSecOps pipelines for projects. This makes it easy for developers to incorporate Security principles early on in the development cycle. In production, Falco is used to verify that the code the developer ships does not violate any of the production security requirements. BAH [are speaking at Kubecon NA 2019](https://kccncna19.sched.com/event/UaWr/building-reusable-devsecops-pipelines-on-a-secure-kubernetes-platform-steven-terrana-booz-allen-hamilton-michael-ducy-sysdig) on their use of Falco.
* [Coveo](https://www.coveo.com/) - Coveo stitches together content and data, learning from every interaction, to tailor every experience using AI to drive growth, satisfy customers and develop employee proficiency. All Falco events are centralized in our SIEM for analysis. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions with containers and orchestration systems. Falco is giving us a good visibility inside containers and complement other Host and Network Intrusion Detection Systems. In a near future, we expect to deploy serverless functions to take action when Falco identifies patterns worth taking action for.
@@ -12,13 +10,11 @@ This is a list of production adopters of Falco (in alphabetical order):
* [GitLab](https://about.gitlab.com/direction/defend/container_host_security/) - GitLab is a complete DevOps platform, delivered as a single application, fundamentally changing the way Development, Security, and Ops teams collaborate. GitLab Ultimate provides the single tool teams need to find, triage, and fix vulnerabilities in applications, services, and cloud-native environments enabling them to manage their risk. This provides them with repeatable, defensible processes that automate security and compliance policies. GitLab includes a tight integration with Falco, allowing users to defend their containerized applications from attacks while running in production.
* [League](https://league.com/ca/) - League provides health benefits management services to help employees understand and get the most from their benefits, and employers to provide effective, efficient plans. Falco is used to monitor our deployed services on Kubernetes, protecting against malicious access to containers which could lead to leaks of PHI or other sensitive data. The Falco alerts are logged in Stackdriver for grouping and further analysis. In the future, we're hoping for integrations with Prometheus and AlertManager as well.
* [League](https://league.com/ca/) - League provides health benefits management services to help employees understand and get the most from their benefits, and employers to provide effective, efficient plans. Falco is used to monitor our deployed services on Kubernetes, protecting against malicious access to containerswhich could lead to leaks of PHI or other sensitive data. The Falco alerts are logged in Stackdriver for grouping and further analysis. In the future, we're hoping for integrations with Prometheus and AlertManager as well.
* [Logz.io](https://logz.io/) - Logz.io is a cloud observability platform for modern engineering teams. The Logz.io platform consists of three products — Log Management, Infrastructure Monitoring, and Cloud SIEM — that work together to unify the jobs of monitoring, troubleshooting, and security. We empower engineers to deliver better software by offering the world's most popular open source observability tools — the ELK Stack, Grafana, and Jaeger — in a single, easy to use, and powerful platform purpose-built for monitoring distributed cloud environments. Cloud SIEM supports data from multiple sources, including Falco's alerts, and offers useful rules and dashboards content to visualize and manage incidents across your systems in a unified UI.
* https://logz.io/blog/k8s-security-with-falco-and-cloud-siem/
* [Pocteo](https://pocteo.co) - Pocteo helps with Kubernetes adoption in enterprises by providing a variety of services such as training, consulting, auditing and mentoring. We build CI/CD pipelines the GitOps way, as well as design and run k8s clusters. Pocteo uses Falco as a runtime monitoring system to secure clients' workloads against suspicious behavior and ensure k8s pods immutability. We also use Falco to collect, process and act on security events through a response engine and serverless functions.
* [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPPA compliance requirements.
* https://hipaa.preferral.com/01-preferral_hipaa_compliance/
@@ -30,8 +26,5 @@ This is a list of production adopters of Falco (in alphabetical order):
* [Sumo Logic](https://www.sumologic.com/) - Sumo Logic provides a SaaS based log aggregation service that provides dashboards and applications to easily identify and analyze problems in your application and infrastructure. Sumo Logic provides native integrations for many CNCF projects, such as Falco, that allows end users to easily collect Falco events and analyze Falco events on DecSecOps focused dashboards.
* [Swissblock Technologies](https://swissblock.net/) At Swissblock we connect the dots by combining cutting-edge algorithmic trading strategies with in-depth market analysis. We route all Falco events to our control systems, both monitoring and logging. Being able to deeply analyse alerts, we can understand what is running on our Kubernetes clusters and check against security policies, specifically defined for each workload. A set of alarms notifies us in case of critical events, letting us react fast. In the near future we plan to build a little application to route Kubernetes internal events directly to Falco, fully leveraging Falco PodSecurityPolicies analyses.
* [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-define infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
* [Shapesecurity/F5] (https://www.shapesecurity.com/) Shapesecurity defends against application fraud attacks like Account Take Over, Credential Stuffing, Fake Accounts, etc. Required by FedRamp certification, we needed to find a FIM solution to help monitor and protect our Kubernetes clusters. Traditional FIM solutions were not scalable and not working for our environment, but with Falco we found the solution we needed. Falco's detection capabilities have helped us identify anomalous behaviour within our clusters. We leverage Sidekick (https://github.com/falcosecurity/charts/tree/master/falcosidekick) to send Falco alerts to a PubSub which in turn publishes those alerts to our SIEM (SumoLogic)
* [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.

164
CHANGELOG.md
View File

@@ -1,169 +1,5 @@
# Change Log
## v0.28.0
Released on 2021-04-12
### Major Changes
* BREAKING CHANGE: Bintray is deprecated, no new packages will be published at https://dl.bintray.com/falcosecurity/ [[#1577](https://github.com/falcosecurity/falco/pull/1577)] - [@leogr](https://github.com/leogr)
* BREAKING CHANGE: SKIP_MODULE_LOAD env variable no more disables the driver loading (use SKIP_DRIVER_LOADER env variable introduced in Falco 0.24) [[#1599](https://github.com/falcosecurity/falco/pull/1599)] - [@leodido](https://github.com/leodido)
* BREAKING CHANGE: the init.d service unit is not shipped anymore in deb/rpm packages in favor of a systemd service file [[#1448](https://github.com/falcosecurity/falco/pull/1448)] - [@jenting](https://github.com/jenting)
* new: add support for exceptions as rule attributes to provide a compact way to add exceptions to Falco rules [[#1427](https://github.com/falcosecurity/falco/pull/1427)] - [@mstemm](https://github.com/mstemm)
* new: falco-no-driver container images on AWS ECR gallery (https://gallery.ecr.aws/falcosecurity/falco-no-driver) [[#1519](https://github.com/falcosecurity/falco/pull/1519)] - [@jonahjon](https://github.com/jonahjon)
* new: falco-driver-loader container images on AWS ECR gallery (https://gallery.ecr.aws/falcosecurity/falco-driver-loader) [[#1519](https://github.com/falcosecurity/falco/pull/1519)] - [@jonahjon](https://github.com/jonahjon)
* new: add healthz endpoint to the webserver [[#1546](https://github.com/falcosecurity/falco/pull/1546)] - [@cpanato](https://github.com/cpanato)
* new: introduce a new configuration field `syscall_event_drops.threshold` to tune the drop noisiness [[#1586](https://github.com/falcosecurity/falco/pull/1586)] - [@leodido](https://github.com/leodido)
* new: falco-driver-loader script can get a custom driver name from DRIVER_NAME env variable [[#1488](https://github.com/falcosecurity/falco/pull/1488)] - [@leodido](https://github.com/leodido)
* new: falco-driver-loader know the Falco version [[#1488](https://github.com/falcosecurity/falco/pull/1488)] - [@leodido](https://github.com/leodido)
### Minor Changes
* docs(proposals): libraries and drivers donation [[#1530](https://github.com/falcosecurity/falco/pull/1530)] - [@leodido](https://github.com/leodido)
* docs(docker): update links to the new Falco website URLs [[#1545](https://github.com/falcosecurity/falco/pull/1545)] - [@cpanato](https://github.com/cpanato)
* docs(test): update links to new Falco website URLs [[#1563](https://github.com/falcosecurity/falco/pull/1563)] - [@shane-lawrence](https://github.com/shane-lawrence)
* build: now Falco packages are published at https://download.falco.org [[#1577](https://github.com/falcosecurity/falco/pull/1577)] - [@leogr](https://github.com/leogr)
* update: lower the `syscall_event_drops.max_burst` default value to 1 [[#1586](https://github.com/falcosecurity/falco/pull/1586)] - [@leodido](https://github.com/leodido)
* update: falco-driver-loader tries to download a Falco driver before then compiling it on the fly for the host [[#1599](https://github.com/falcosecurity/falco/pull/1599)] - [@leodido](https://github.com/leodido)
* docs(test): document the prerequisites for running the integration test suite locally [[#1609](https://github.com/falcosecurity/falco/pull/1609)] - [@fntlnz](https://github.com/fntlnz)
* update: Debian/RPM package migrated from init to systemd [[#1448](https://github.com/falcosecurity/falco/pull/1448)] - [@jenting](https://github.com/jenting)
### Bug Fixes
* fix(userspace/engine): properly handle field extraction over lists of containers when not all containers match the specified sub-properties [[#1601](https://github.com/falcosecurity/falco/pull/1601)] - [@mstemm](https://github.com/mstemm)
* fix(docker/falco): add flex and bison dependency to container image [[#1562](https://github.com/falcosecurity/falco/pull/1562)] - [@schans](https://github.com/schans)
* fix: ignore action can not be used with log and alert ones (`syscall_event_drops` config) [[#1586](https://github.com/falcosecurity/falco/pull/1586)] - [@leodido](https://github.com/leodido)
* fix(userspace/engine): allows fields starting with numbers to be parsed properly [[#1598](https://github.com/falcosecurity/falco/pull/1598)] - [@mstemm](https://github.com/mstemm)
### Rule Changes
* rule(Write below monitored dir): improve rule description [[#1588](https://github.com/falcosecurity/falco/pull/1588)] - [@stevenshuang](https://github.com/stevenshuang)
* rule(macro allowed_aws_eks_registry_root): macro to match the official eks registry [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(macro aws_eks_image): match aws image repository for eks [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(macro aws_eks_image_sensitive_mount): match aws cni images [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(macro k8s_containers): include fluent/fluentd-kubernetes-daemonset and prom/prometheus [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(Launch Privileged Container): exclude aws_eks_image [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(Launch Sensitive Mount Container): exclude aws_eks_image_sensitive_mount [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(Debugfs Launched in Privileged Container): new rule [[#1583](https://github.com/falcosecurity/falco/pull/1583)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(Mount Launched in Privileged Container): new rule [[#1583](https://github.com/falcosecurity/falco/pull/1583)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(Set Setuid or Setgid bit): add k3s-agent in the whitelist [[#1583](https://github.com/falcosecurity/falco/pull/1583)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(macro user_ssh_directory): using glob operator [[#1560](https://github.com/falcosecurity/falco/pull/1560)] - [@shane-lawrence](https://github.com/shane-lawrence)
* rule(list falco_sensitive_mount_containers): added image exceptions for IBM cloud [[#1337](https://github.com/falcosecurity/falco/pull/1337)] - [@nibalizer](https://github.com/nibalizer)
* rule(list rpm_binaries): add rhsmcertd [[#1385](https://github.com/falcosecurity/falco/pull/1385)] - [@epcim](https://github.com/epcim)
* rule(list deb_binaries): add apt.systemd.daily [[#1385](https://github.com/falcosecurity/falco/pull/1385)] - [@epcim](https://github.com/epcim)
* rule(Sudo Potential Privilege Escalation): new rule created to detect CVE-2021-3156 [[#1543](https://github.com/falcosecurity/falco/pull/1543)] - [@darryk10](https://github.com/darryk10)
* rule(list allowed_k8s_users): add `eks:node-manager` [[#1536](https://github.com/falcosecurity/falco/pull/1536)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(list mysql_mgmt_binaries): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(list db_mgmt_binaries): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_ansible_running_python): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_bro_running_python): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_python_running_denyhosts): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_linux_image_upgrade_script): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_java_running_echo): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_scripting_running_builds): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_Xvfb_running_xkbcomp): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_nginx_running_serf): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_node_running_npm): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_java_running_sbt): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(list known_container_shell_spawn_cmdlines): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(list known_shell_spawn_binaries): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro run_by_puppet): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro user_privileged_containers): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(list rancher_images): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(list images_allow_network_outside_subnet): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_python_running_sdchecks): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro trusted_containers): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(list authorized_server_binaries): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
### Non user-facing changes
* chore(test): replace bucket url with official distribution url [[#1608](https://github.com/falcosecurity/falco/pull/1608)] - [@fntlnz](https://github.com/fntlnz)
* adding asapp as an adopter [[#1611](https://github.com/falcosecurity/falco/pull/1611)] - [@Stuxend](https://github.com/Stuxend)
* update: fixtures URLs [[#1603](https://github.com/falcosecurity/falco/pull/1603)] - [@leogr](https://github.com/leogr)
* cleanup publishing jobs [[#1596](https://github.com/falcosecurity/falco/pull/1596)] - [@leogr](https://github.com/leogr)
* fix(falco/test): bump pyyaml from 5.3.1 to 5.4 [[#1595](https://github.com/falcosecurity/falco/pull/1595)] - [@leodido](https://github.com/leodido)
* fix(.circleci): tar must be present in the image [[#1594](https://github.com/falcosecurity/falco/pull/1594)] - [@leogr](https://github.com/leogr)
* fix: publishing jobs [[#1591](https://github.com/falcosecurity/falco/pull/1591)] - [@leogr](https://github.com/leogr)
* Pocteo as an adopter [[#1574](https://github.com/falcosecurity/falco/pull/1574)] - [@pocteo-labs](https://github.com/pocteo-labs)
* build: fetch build deps from download.falco.org [[#1572](https://github.com/falcosecurity/falco/pull/1572)] - [@leogr](https://github.com/leogr)
* adding shapesecurity to adopters [[#1566](https://github.com/falcosecurity/falco/pull/1566)] - [@irivera007](https://github.com/irivera007)
* Use default pip version to get avocado version [[#1565](https://github.com/falcosecurity/falco/pull/1565)] - [@shane-lawrence](https://github.com/shane-lawrence)
* Added Swissblock to list of adopters [[#1551](https://github.com/falcosecurity/falco/pull/1551)] - [@bygui86](https://github.com/bygui86)
* Fix various typos in markdown files. [[#1514](https://github.com/falcosecurity/falco/pull/1514)] - [@didier-durand](https://github.com/didier-durand)
* docs: move governance to falcosecurity/.github [[#1524](https://github.com/falcosecurity/falco/pull/1524)] - [@leogr](https://github.com/leogr)
* ci: fix missing infra context to publish stable Falco packages [[#1615](https://github.com/falcosecurity/falco/pull/1615)] - [@leodido](https://github.com/leodido)
## v0.27.0
Released on 2021-01-18
### Major Changes
* new: Added falco engine version to grpc version service [[#1507](https://github.com/falcosecurity/falco/pull/1507)] - [@nibalizer](https://github.com/nibalizer)
* BREAKING CHANGE: Users who run Falco without a config file will be unable to do that any more, Falco now expects a configuration file to be passed all the times. Developers may need to adjust their processes. [[#1494](https://github.com/falcosecurity/falco/pull/1494)] - [@nibalizer](https://github.com/nibalizer)
* new: asynchronous outputs implementation, outputs channels will not block event processing anymore [[#1451](https://github.com/falcosecurity/falco/pull/1451)] - [@leogr](https://github.com/leogr)
* new: slow outputs detection [[#1451](https://github.com/falcosecurity/falco/pull/1451)] - [@leogr](https://github.com/leogr)
* new: `output_timeout` config option for slow outputs detection [[#1451](https://github.com/falcosecurity/falco/pull/1451)] - [@leogr](https://github.com/leogr)
### Minor Changes
* build: bump b64 to v2.0.0.1 [[#1441](https://github.com/falcosecurity/falco/pull/1441)] - [@fntlnz](https://github.com/fntlnz)
* rules(macro container_started): re-use `spawned_process` macro inside `container_started` macro [[#1449](https://github.com/falcosecurity/falco/pull/1449)] - [@leodido](https://github.com/leodido)
* docs: reach out documentation [[#1472](https://github.com/falcosecurity/falco/pull/1472)] - [@fntlnz](https://github.com/fntlnz)
* docs: Broken outputs.proto link [[#1493](https://github.com/falcosecurity/falco/pull/1493)] - [@deepskyblue86](https://github.com/deepskyblue86)
* docs(README.md): correct broken links [[#1506](https://github.com/falcosecurity/falco/pull/1506)] - [@leogr](https://github.com/leogr)
* docs(proposals): Exceptions handling proposal [[#1376](https://github.com/falcosecurity/falco/pull/1376)] - [@mstemm](https://github.com/mstemm)
* docs: fix a broken link of README [[#1516](https://github.com/falcosecurity/falco/pull/1516)] - [@oke-py](https://github.com/oke-py)
* docs: adding the kubernetes privileged use case to use cases [[#1484](https://github.com/falcosecurity/falco/pull/1484)] - [@fntlnz](https://github.com/fntlnz)
* rules(Mkdir binary dirs): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [[#1386](https://github.com/falcosecurity/falco/pull/1386)] - [@jhwbarlow](https://github.com/jhwbarlow)
* rules(Create Hidden Files): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [[#1386](https://github.com/falcosecurity/falco/pull/1386)] - [@jhwbarlow](https://github.com/jhwbarlow)
* docs(.circleci): welcome Jonah (Amazon) as a new Falco CI maintainer [[#1518](https://github.com/falcosecurity/falco/pull/1518)] - [@leodido](https://github.com/leodido)
* build: falcosecurity/falco:master also available on the AWS ECR Public registry [[#1512](https://github.com/falcosecurity/falco/pull/1512)] - [@leodido](https://github.com/leodido)
* build: falcosecurity/falco:latest also available on the AWS ECR Public registry [[#1512](https://github.com/falcosecurity/falco/pull/1512)] - [@leodido](https://github.com/leodido)
* update: gRPC clients can now subscribe to drop alerts via gRCP API [[#1451](https://github.com/falcosecurity/falco/pull/1451)] - [@leogr](https://github.com/leogr)
* macro(allowed_k8s_users): exclude cloud-controller-manage to avoid false positives on k3s [[#1444](https://github.com/falcosecurity/falco/pull/1444)] - [@fntlnz](https://github.com/fntlnz)
### Bug Fixes
* fix(userspace/falco): use given priority in falco_outputs::handle_msg() [[#1450](https://github.com/falcosecurity/falco/pull/1450)] - [@leogr](https://github.com/leogr)
* fix(userspace/engine): free formatters, if any [[#1447](https://github.com/falcosecurity/falco/pull/1447)] - [@leogr](https://github.com/leogr)
* fix(scripts/falco-driver-loader): lsmod usage [[#1474](https://github.com/falcosecurity/falco/pull/1474)] - [@dnwe](https://github.com/dnwe)
* fix: a bug that prevents Falco driver to be consumed by many Falco instances in some circumstances [[#1485](https://github.com/falcosecurity/falco/pull/1485)] - [@leodido](https://github.com/leodido)
* fix: set `HOST_ROOT=/host` environment variable for the `falcosecurity/falco-no-driver` container image by default [[#1492](https://github.com/falcosecurity/falco/pull/1492)] - [@leogr](https://github.com/leogr)
### Rule Changes
* rule(list user_known_change_thread_namespace_binaries): add crio and multus to the list [[#1501](https://github.com/falcosecurity/falco/pull/1501)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(Container Run as Root User): new rule created [[#1500](https://github.com/falcosecurity/falco/pull/1500)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(Linux Kernel Module injection detected): adds a new rule that detects when an LKM module is injected using `insmod` from a container (typically used by rootkits looking to obfuscate their behavior via kernel hooking). [[#1478](https://github.com/falcosecurity/falco/pull/1478)] - [@d1vious](https://github.com/d1vious)
* rule(macro multipath_writing_conf): create and use the macro [[#1475](https://github.com/falcosecurity/falco/pull/1475)] - [@nmarier-coveo](https://github.com/nmarier-coveo)
* rule(list falco_privileged_images): add calico/node without registry prefix to prevent false positive alerts [[#1457](https://github.com/falcosecurity/falco/pull/1457)] - [@czunker](https://github.com/czunker)
* rule(Full K8s Administrative Access): use the right list of admin users (fix) [[#1454](https://github.com/falcosecurity/falco/pull/1454)] - [@mstemm](https://github.com/mstemm)
### Non user-facing changes
* chore(cmake): remove unnecessary whitespace patch [[#1522](https://github.com/falcosecurity/falco/pull/1522)] - [@leogr](https://github.com/leogr)
* remove stale bot in favor of the new lifecycle bot [[#1490](https://github.com/falcosecurity/falco/pull/1490)] - [@leodido](https://github.com/leodido)
* chore(cmake): mark some variables as advanced [[#1496](https://github.com/falcosecurity/falco/pull/1496)] - [@deepskyblue86](https://github.com/deepskyblue86)
* chore(cmake/modules): avoid useless rebuild [[#1495](https://github.com/falcosecurity/falco/pull/1495)] - [@deepskyblue86](https://github.com/deepskyblue86)
* build: BUILD_BYPRODUCTS for civetweb [[#1489](https://github.com/falcosecurity/falco/pull/1489)] - [@fntlnz](https://github.com/fntlnz)
* build: remove duplicate item from FALCO_SOURCES [[#1480](https://github.com/falcosecurity/falco/pull/1480)] - [@leodido](https://github.com/leodido)
* build: make our integration tests report clear steps for CircleCI UI [[#1473](https://github.com/falcosecurity/falco/pull/1473)] - [@fntlnz](https://github.com/fntlnz)
* further improvements outputs impl. [[#1443](https://github.com/falcosecurity/falco/pull/1443)] - [@leogr](https://github.com/leogr)
* fix(test): make integration tests properly fail [[#1439](https://github.com/falcosecurity/falco/pull/1439)] - [@leogr](https://github.com/leogr)
* Falco outputs refactoring [[#1412](https://github.com/falcosecurity/falco/pull/1412)] - [@leogr](https://github.com/leogr)
## v0.26.2
Released on 2020-11-10

55
GOVERNANCE.md Normal file
View File

@@ -0,0 +1,55 @@
# Process for becoming a maintainer
* Express interest to the existing maintainers that you or your organization is interested in becoming a
maintainer. Becoming a maintainer generally means that you are going to be spending substantial
time (>25%) on Falco for the foreseeable future. You should have domain expertise and be extremely
proficient in C++. Ultimately your goal is to become a maintainer that will represent your
organization.
* We will expect you to start contributing increasingly complicated PRs, under the guidance
of the existing maintainers.
* We may ask you to do some PRs from our backlog.
* As you gain experience with the code base and our standards, we will ask you to do code reviews
for incoming PRs (i.e., all maintainers are expected to shoulder a proportional share of
community reviews).
* After a period of approximately 2-3 months of working together and making sure we see eye to eye,
the existing maintainers will confer and decide whether to grant maintainer status or not.
We make no guarantees on the length of time this will take, but 2-3 months is the approximate
goal.
## Maintainer responsibilities
* Monitor Slack (delayed response is perfectly acceptable).
* Triage GitHub issues and perform pull request reviews for other maintainers and the community.
* During GitHub issue triage, apply all applicable [labels](https://github.com/falcosecurity/falco/labels)
to each new issue. Labels are extremely useful for future issue follow up. Which labels to apply
is somewhat subjective so just use your best judgment.
* Make sure that ongoing PRs are moving forward at the right pace or closing them.
* Participate when called upon in the security releases. Note that although this should be a rare
occurrence, if a serious vulnerability is found, the process may take up to several full days of
work to implement. This reality should be taken into account when discussing time commitment
obligations with employers.
* In general continue to be willing to spend at least 25% of ones time working on Falco (~1.25
business days per week).
## When does a maintainer lose maintainer status
If a maintainer is no longer interested or cannot perform the maintainer duties listed above, they
should volunteer to be moved to emeritus status. In extreme cases this can also occur by a vote of
the maintainers per the voting process below.
# Conflict resolution and voting
In general, we prefer that technical issues and maintainer membership are amicably worked out
between the persons involved. If a dispute cannot be decided independently, the maintainers can be
called in to decide an issue. If the maintainers themselves cannot decide an issue, the issue will
be resolved by voting. The voting process is a simple majority in which each senior maintainer
receives two votes and each normal maintainer receives one vote.
# Adding new projects to the falcosecurity GitHub organization
New projects will be added to the falcosecurity organization via GitHub issue discussion in one of the
existing projects in the organization. Once sufficient discussion has taken place (~3-5 business
days but depending on the volume of conversation), the maintainers of *the project where the issue
was opened* (since different projects in the organization may have different maintainers) will
decide whether the new project should be added. See the section above on voting if the maintainers
cannot easily decide.

62
README.md
View File

@@ -3,7 +3,7 @@
<hr>
[![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)
[![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](./COPYING)
Want to talk? Join us on the [#falco](https://kubernetes.slack.com/archives/CMWH3EH32) channel in the [Kubernetes Slack](https://slack.k8s.io).
@@ -11,60 +11,22 @@ Want to talk? Join us on the [#falco](https://kubernetes.slack.com/archives/CMWH
Read the [change log](CHANGELOG.md).
<!--
Badges in the following table are constructed by using the
https://img.shields.io/badge/dynamic/xml endpoint.
Parameters are configured for fetching packages from S3 before
(filtered by prefix, sorted in ascending order) and for picking
the latest package by using an XPath selector after.
- Common query parameters:
color=#300aec7
style=flat-square
label=Falco
- DEB packages parameters:
url=https://falco-distribution.s3-eu-west-1.amazonaws.com/?prefix=packages/deb/stable/falco-
query=substring-before(substring-after((/*[name()='ListBucketResult']/*[name()='Contents'])[last()]/*[name()='Key'],"falco-"),".asc")
- RPM packages parameters:
url=https://falco-distribution.s3-eu-west-1.amazonaws.com/?prefix=packages/rpm/falco-
query=substring-before(substring-after((/*[name()='ListBucketResult']/*[name()='Contents'])[last()]/*[name()='Key'],"falco-"),".asc")
- BIN packages parameters:
url=https://falco-distribution.s3-eu-west-1.amazonaws.com/?prefix=packages/bin/x86_64/falco-
query=substring-after((/*[name()='ListBucketResult']/*[name()='Contents'])[last()]/*[name()='Key'], "falco-")
Notes:
- if more than 1000 items are present under as S3 prefix,
the actual latest package will be not picked;
see https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html
- for `-dev` packages, the S3 prefix is modified accordingly
- finally, all parameters are URL encoded and appended to the badge endpoint
-->
| | development | stable |
|--------|-----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|
| rpm | [![rpm-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm-dev%2Ffalco-)][1] | [![rpm](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm%2Ffalco-)][2] |
| deb | [![deb-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb-dev%2Fstable%2Ffalco-)][3] | [![deb](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb%2Fstable%2Ffalco-)][4] |
| binary | [![bin-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin-dev%2Fx86_64%2Ffalco-)][5] | [![bin](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin%2Fx86_64%2Ffalco-)][6] |
| rpm | [![rpm-dev](https://img.shields.io/bintray/v/falcosecurity/rpm-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][1] | [![rpm](https://img.shields.io/bintray/v/falcosecurity/rpm/falco?label=Falco&color=%23005763&style=flat-square)][2] |
| deb | [![deb-dev](https://img.shields.io/bintray/v/falcosecurity/deb-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][3] | [![deb](https://img.shields.io/bintray/v/falcosecurity/deb/falco?label=Falco&color=%23005763&style=flat-square)][4] |
| binary | [![bin-dev](https://img.shields.io/bintray/v/falcosecurity/bin-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][5] | [![bin](https://img.shields.io/bintray/v/falcosecurity/bin/falco?label=Falco&color=%23005763&style=flat-square)][6] |
---
The Falco Project, originally created by [Sysdig](https://sysdig.com), is an incubating [CNCF](https://cncf.io) open source cloud native runtime security tool.
Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack.
Falco has a rich set of security rules specifically built for Kubernetes, Linux, and cloud-native.
Falco has a rich rule set of security rules specifically built for Kubernetes, Linux, and cloud-native.
If a rule is violated in a system, Falco will send an alert notifying the user of the violation and its severity.
### Installing Falco
If you would like to run Falco in **production** please adhere to the [official installation guide](https://falco.org/docs/getting-started/installation/).
If you would like to run Falco in **production** please adhere to the [official installation guide](https://falco.org/docs/installation/).
##### Kubernetes
@@ -137,9 +99,9 @@ Please report security vulnerabilities following the community process documente
Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
[1]: https://download.falco.org/?prefix=packages/rpm-dev/
[2]: https://download.falco.org/?prefix=packages/rpm/
[3]: https://download.falco.org/?prefix=packages/deb-dev/stable/
[4]: https://download.falco.org/?prefix=packages/deb/stable/
[5]: https://download.falco.org/?prefix=packages/bin-dev/x86_64/
[6]: https://download.falco.org/?prefix=packages/bin/x86_64/
[1]: https://dl.bintray.com/falcosecurity/rpm-dev
[2]: https://dl.bintray.com/falcosecurity/rpm
[3]: https://dl.bintray.com/falcosecurity/deb-dev/stable
[4]: https://dl.bintray.com/falcosecurity/deb/stable
[5]: https://dl.bintray.com/falcosecurity/bin-dev/x86_64
[6]: https://dl.bintray.com/falcosecurity/bin/x86_64

28
RELEASE.md
View File

@@ -13,7 +13,7 @@ Finally, on the proposed due date the assignees for the upcoming release proceed
Before cutting a release we need to do some homework in the Falco repository. This should take 5 minutes using the GitHub UI.
### 1. Release notes
- Find the previous release date (`YYYY-MM-DD`) by looking at the [Falco releases](https://github.com/falcosecurity/falco/releases)
- Find the LAST release (-1) and use `YYYY-MM-DD` as the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
- Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
- Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/falco/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
- If the PR has no milestone, assign it to the milestone currently undergoing release
@@ -28,10 +28,9 @@ Before cutting a release we need to do some homework in the Falco repository. Th
- Double-check if any hard-coded version number is present in the code, it should be not present anywhere:
- If any, manually correct it then open an issue to automate version number bumping later
- Versions table in the `README.md` updates itself automatically
- Generate the change log using [rn2md](https://github.com/leodido/rn2md):
- Execute `rn2md -o falcosecurity -m <version> -r falco`
- In case `rn2md` emits error try to generate an GitHub OAuth access token and provide it with the `-t` flag
- Versions table in the `README.md` update itself automatically
- Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes)
- If you review timeout errors with `rn2md` try to generate an GitHub Oauth access token and use `-t`
- Add the latest changes on top the previous `CHANGELOG.md`
- Submit a PR with the above modifications
- Await PR approval
@@ -66,16 +65,17 @@ Now assume `x.y.z` is the new version.
| Packages | Download |
| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| rpm | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-x.y.z-x86_64.rpm) |
| deb | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-x.y.z-x86_64.deb) |
| tgz | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/x86_64/falco-x.y.z-x86_64.tar.gz) |
| rpm | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/rpm/falco-x.y.z-x86_64.rpm) |
| deb | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/deb/stable/falco-x.y.z-x86_64.deb) |
| tgz | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/bin/x86_64/falco-x.y.z-x86_64.deb) |
| Images |
| --------------------------------------------------------------------------- |
| `docker pull docker.io/falcosecurity/falco:x.y.z` |
| `docker pull public.ecr.aws/falcosecurity/falco:x.y.z` |
| `docker pull docker.io/falcosecurity/falco-driver-loader:x.y.z` |
| `docker pull docker.io/falcosecurity/falco-no-driver:x.y.z` |
| Images |
| --------------------------------------------------------------- |
| `docker pull docker.io/falcosecurity/falco:_tag_` |
| `docker pull docker.io/falcosecurity/falco-driver-loader:_tag_` |
| `docker pull docker.io/falcosecurity/falco-no-driver:_tag_` |
<!-- Copy the relevant part of the changelog here -->
### Statistics

8
cmake/cpack/CMakeCPackOptions.cmake
View File

@@ -1,11 +1,11 @@
if(CPACK_GENERATOR MATCHES "DEB")
list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/init.d/")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/init.d")
endif()
if(CPACK_GENERATOR MATCHES "RPM")
list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/rc.d/init.d/")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/rc.d/init.d")
endif()
if(CPACK_GENERATOR MATCHES "TGZ")

19
cmake/modules/CPM.cmake Normal file
View File

@@ -0,0 +1,19 @@
set(CPM_DOWNLOAD_VERSION 0.27.2)
if(CPM_SOURCE_CACHE)
set(CPM_DOWNLOAD_LOCATION "${CPM_SOURCE_CACHE}/cpm/CPM_${CPM_DOWNLOAD_VERSION}.cmake")
elseif(DEFINED ENV{CPM_SOURCE_CACHE})
set(CPM_DOWNLOAD_LOCATION "$ENV{CPM_SOURCE_CACHE}/cpm/CPM_${CPM_DOWNLOAD_VERSION}.cmake")
else()
set(CPM_DOWNLOAD_LOCATION "${CMAKE_BINARY_DIR}/cmake/CPM_${CPM_DOWNLOAD_VERSION}.cmake")
endif()
if(NOT (EXISTS ${CPM_DOWNLOAD_LOCATION}))
message(STATUS "Downloading CPM.cmake to ${CPM_DOWNLOAD_LOCATION}")
file(DOWNLOAD
https://github.com/TheLartians/CPM.cmake/releases/download/v${CPM_DOWNLOAD_VERSION}/CPM.cmake
${CPM_DOWNLOAD_LOCATION}
)
endif()
include(${CPM_DOWNLOAD_LOCATION})

9
cmake/modules/CPackConfig.cmake
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2021 The Falco Authors.
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
@@ -46,9 +46,8 @@ set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
)
set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
set(CPACK_RPM_PACKAGE_ARCHITECTURE, "amd64")
set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, ncurses, systemd")
set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, ncurses")
set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")
@@ -60,7 +59,9 @@ set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION
/etc
/usr
/usr/bin
/usr/share)
/usr/share
/etc/rc.d
/etc/rc.d/init.d)
set(CPACK_RPM_PACKAGE_RELOCATABLE "OFF")
include(CPack)

2
cmake/modules/jq.cmake
View File

@@ -45,7 +45,7 @@ else ()
# https://github.com/stedolan/jq/issues/2061#issuecomment-593445920
ExternalProject_Add(
jq
URL "https://download.falco.org/dependencies/jq-1.6.tar.gz"
URL "https://dl.bintray.com/falcosecurity/dependencies/jq-1.6.tar.gz"
URL_HASH "SHA256=787518068c35e244334cc79b8e56b60dbab352dff175b7f04a94f662b540bfd9"
CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking --with-oniguruma=builtin --prefix=${JQ_INSTALL_DIR}
BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static

11
cmake/modules/sysdig-repo/patch/libscap.patch
View File

@@ -38,6 +38,17 @@ index 6f51588e..5f9ea84e 100644
}
else
{
@@ -579,8 +579,8 @@ scap_t* scap_open_udig_int(char *error, int32_t *rc,
//
// Map the ppm_ring_buffer_info that contains the buffer pointers
//
- if(udig_alloc_ring_descriptors(&(handle->m_devs[0].m_bufinfo_fd),
- &handle->m_devs[0].m_bufinfo,
+ if(udig_alloc_ring_descriptors(&(handle->m_devs[0].m_bufinfo_fd),
+ &handle->m_devs[0].m_bufinfo,
&handle->m_devs[0].m_bufstatus,
error) != SCAP_SUCCESS)
{
@@ -2175,7 +2175,7 @@ int32_t scap_disable_dynamic_snaplen(scap_t* handle)
const char* scap_get_host_root()

13
docker/README.md
View File

@@ -1,16 +1,17 @@
# Falco Dockerfiles
This directory contains various ways to package Falco as a container and related tools.
This directory contains various ways to package Falco as a container and related tools.
## Currently Supported Images
| Name | Directory | Description |
|---|---|---|
| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. |
| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
| [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. |
| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/getting-started/source/) for more details on building from source. Used to build Falco (CI). |
| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). |
| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. |
| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
| [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. |
| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). |
| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). |
| _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. |
> Note: `falco-builder`, `falco-tester` (and the `docker/local` image that it's built on the fly) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.

44
docker/falco/Dockerfile
View File

@@ -18,12 +18,10 @@ RUN apt-get update \
&& apt-get install -y --no-install-recommends \
bash-completion \
bc \
bison \
clang-7 \
ca-certificates \
curl \
dkms \
flex \
gnupg2 \
gcc \
jq \
@@ -41,15 +39,15 @@ RUN apt-get update \
# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
# or so.
RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_amd64.deb \
&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_amd64.deb \
&& curl -L -o libasan3_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_amd64.deb \
&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_amd64.deb \
&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_amd64.deb \
&& curl -L -o libisl15_0.18-1_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-1_amd64.deb \
RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
@@ -58,13 +56,13 @@ RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/
# version 3, 4, or 5 compiler. So grab copies we've saved from debian
# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_amd64.deb \
&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_amd64.deb \
&& curl -L -o libasan2_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libasan2_5.5.0-12_amd64.deb \
&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
&& curl -L -o libisl15_0.18-4_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-4_amd64.deb \
&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_amd64.deb \
RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
&& curl -L -o libasan2_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
@@ -78,7 +76,7 @@ RUN rm -rf /usr/bin/clang \
&& ln -s /usr/bin/llc-7 /usr/bin/llc
RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \
&& echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
&& echo "deb https://dl.bintray.com/falcosecurity/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
&& apt-get update -y \
&& if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
&& apt-get clean \
@@ -98,10 +96,10 @@ RUN rm -df /lib/modules \
# debian:stable head contains binutils 2.31, which generates
# binaries that are incompatible with kernels < 4.16. So manually
# forcibly install binutils 2.30-22 instead.
RUN curl -L -o binutils_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils_2.30-22_amd64.deb \
&& curl -L -o libbinutils_2.30-22_amd64.deb https://download.falco.org/dependencies/libbinutils_2.30-22_amd64.deb \
&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
&& curl -L -o binutils-common_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-common_2.30-22_amd64.deb \
RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
&& dpkg -i *binutils*.deb \
&& rm -f *binutils*.deb

7
docker/falco/docker-entrypoint.sh
View File

@@ -16,9 +16,14 @@
# limitations under the License.
#
# todo(leogr): remove deprecation notice within a couple of releases
if [[ ! -z "${SKIP_MODULE_LOAD}" ]]; then
echo "* SKIP_MODULE_LOAD is deprecated and will be removed soon, use SKIP_DRIVER_LOADER instead"
fi
# Set the SKIP_DRIVER_LOADER variable to skip loading the driver
if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
if [[ -z "${SKIP_DRIVER_LOADER}" ]] && [[ -z "${SKIP_MODULE_LOAD}" ]]; then
echo "* Setting up /usr/src links from host"
for i in "$HOST_ROOT/usr/src"/*

42
docker/local/Dockerfile
View File

@@ -48,15 +48,15 @@ RUN apt-get update \
# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
# or so.
RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_amd64.deb \
&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_amd64.deb \
&& curl -L -o libasan3_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_amd64.deb \
&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_amd64.deb \
&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_amd64.deb \
&& curl -L -o libisl15_0.18-1_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-1_amd64.deb \
RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
@@ -65,13 +65,13 @@ RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/
# version 3, 4, or 5 compiler. So grab copies we've saved from debian
# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_amd64.deb \
&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_amd64.deb \
&& curl -L -o libasan2_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libasan2_5.5.0-12_amd64.deb \
&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
&& curl -L -o libisl15_0.18-4_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-4_amd64.deb \
&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_amd64.deb \
RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
&& curl -L -o libasan2_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
@@ -96,15 +96,15 @@ RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
# Change the falco config within the container to enable ISO 8601
# output.
RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
# debian:stable head contains binutils 2.31, which generates
# binaries that are incompatible with kernels < 4.16. So manually
# forcibly install binutils 2.30-22 instead.
RUN curl -L -o binutils_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils_2.30-22_amd64.deb \
&& curl -L -o libbinutils_2.30-22_amd64.deb https://download.falco.org/dependencies/libbinutils_2.30-22_amd64.deb \
&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
&& curl -L -o binutils-common_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-common_2.30-22_amd64.deb \
RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
&& dpkg -i *binutils*.deb \
&& rm -f *binutils*.deb

12
docker/no-driver/Dockerfile
View File

@@ -6,16 +6,14 @@ ARG VERSION_BUCKET=bin
ENV FALCO_VERSION=${FALCO_VERSION}
ENV VERSION_BUCKET=${VERSION_BUCKET}
RUN apt-get -y update && apt-get -y install gridsite-clients curl
WORKDIR /
RUN curl -L -o falco.tar.gz \
https://download.falco.org/packages/${VERSION_BUCKET}/x86_64/falco-$(urlencode ${FALCO_VERSION})-x86_64.tar.gz && \
tar -xvf falco.tar.gz && \
rm -f falco.tar.gz && \
ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
RUN tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
mv falco-${FALCO_VERSION}-x86_64 falco && \
rm -rf /falco/usr/src/falco-* /falco/usr/bin/falco-driver-loader
rm -rf falco/usr/src/falco-* falco/usr/bin/falco-driver-loader
RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
&& mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml

2
docker/tester/root/usr/bin/usage
View File

@@ -3,7 +3,7 @@
pythonversion=$(python -c 'import sys; version=sys.version_info[:3]; print("{0}.{1}.{2}".format(*version))')
pipversion=$(pip --version | cut -d' ' -f 1,2,5,6)
dockerversion=$(docker --version)
avocadoversion=$(pip show avocado-framework | grep Version)
avocadoversion=$(pip2 show avocado-framework | grep Version)
avocadoversion=${avocadoversion#"Version: "}
cat <<EOF

35
documentation/CMakeLists.txt Normal file
View File

@@ -0,0 +1,35 @@
cmake_minimum_required(VERSION 3.14 FATAL_ERROR)
project(FalcoDocs)
# Dependencies
include(../cmake/modules/CPM.cmake)
CPMAddPackage(NAME Falco SOURCE_DIR ${CMAKE_CURRENT_LIST_DIR}/..)
CPMAddPackage(
NAME MCSS
DOWNLOAD_ONLY YES
GITHUB_REPOSITORY mosra/m.css
GIT_TAG 42d4a9a48f31f5df6e246c948403b54b50574a2a
)
# Doxygen variables
set(DOXYGEN_PROJECT_NAME Falco)
set(DOXYGEN_PROJECT_VERSION ${FALCO_VERSION})
set(DOXYGEN_PROJECT_ROOT "${CMAKE_CURRENT_LIST_DIR}/..")
set(DOXYGEN_OUTPUT_DIRECTORY "${CMAKE_CURRENT_BINARY_DIR}/doxygen")
configure_file(${CMAKE_CURRENT_LIST_DIR}/Doxyfile ${CMAKE_CURRENT_BINARY_DIR}/Doxyfile)
configure_file(${CMAKE_CURRENT_LIST_DIR}/conf.py ${CMAKE_CURRENT_BINARY_DIR}/conf.py)
add_custom_target(
GenerateDocs
${CMAKE_COMMAND} -E make_directory "${DOXYGEN_OUTPUT_DIRECTORY}"
COMMAND "${MCSS_SOURCE_DIR}/documentation/doxygen.py" "${CMAKE_CURRENT_BINARY_DIR}/conf.py"
COMMAND echo "Docs written to: ${DOXYGEN_OUTPUT_DIRECTORY}"
WORKING_DIRECTORY "${CMAKE_CURRENT_BINARY_DIR}"
)

31
documentation/Doxyfile Normal file
View File

@@ -0,0 +1,31 @@
# Configuration for Doxygen for use with CMake
# Only options that deviate from the default are included
# To create a new Doxyfile containing all available options, call `doxygen -g`
# Get Project name and version from CMake
PROJECT_NAME = @DOXYGEN_PROJECT_NAME@
PROJECT_NUMBER = @DOXYGEN_PROJECT_VERSION@
# Add sources
INPUT = @DOXYGEN_PROJECT_ROOT@/README.md @DOXYGEN_PROJECT_ROOT@/userspace @DOXYGEN_PROJECT_ROOT@/documentation/pages
EXTRACT_ALL = YES
RECURSIVE = YES
OUTPUT_DIRECTORY = @DOXYGEN_OUTPUT_DIRECTORY@
# Use the README as a main page
USE_MDFILE_AS_MAINPAGE = @DOXYGEN_PROJECT_ROOT@/README.md
# Set relative include paths
FULL_PATH_NAMES = YES
STRIP_FROM_PATH = @DOXYGEN_PROJECT_ROOT@/userspace @DOXYGEN_PROJECT_ROOT@
# We only need XML output because use m.css to generate the html documentation
GENERATE_XML = YES
GENERATE_HTML = NO
GENERATE_LATEX = NO
XML_PROGRAMLISTING = NO
CREATE_SUBDIRS = NO
# Include all directories, files and namespaces in the documentation
# Disable to include only explicitly documented objects
M_SHOW_UNDOCUMENTED = YES

19
documentation/conf.py Normal file
View File

@@ -0,0 +1,19 @@
DOXYFILE = 'Doxyfile'
LINKS_NAVBAR1 = [
(None, 'pages', [(None, 'about')]),
(None, 'namespaces', []),
]
# Add your own navbar links using the code below.
# To find the valid link names, you can inspect the URL of a generated documentation site.
# LINKS_NAVBAR1 = [
# (None, 'pages', [(None, 'about')]),
# (None, 'namespaces', [(None, 'namespacexyz')]),
# ]
#
# LINKS_NAVBAR2 = [
# (None, 'annotated', [(None, 'classxyz_1_1_xyz')]),
# (None, 'files', [(None, 'xyz_8h')]),
# ]

4
documentation/pages/about.dox Normal file
View File

@@ -0,0 +1,4 @@
/** @page about About
@section doc Falco Documentation
This is the documentation for the Falco project.
*/

31
falco.yaml
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2021 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -68,34 +68,24 @@ priority: debug
buffered_outputs: false
# Falco uses a shared buffer between the kernel and userspace to pass
# system call information. When Falco detects that this buffer is
# system call information. When falco detects that this buffer is
# full and system calls have been dropped, it can take one or more of
# the following actions:
# - ignore: do nothing (default when list of actions is empty)
# - log: log a DEBUG message noting that the buffer was full
# - alert: emit a Falco alert noting that the buffer was full
# - exit: exit Falco with a non-zero rc
#
# Notice it is not possible to ignore and log/alert messages at the same time.
# - "ignore": do nothing. If an empty list is provided, ignore is assumed.
# - "log": log a CRITICAL message noting that the buffer was full.
# - "alert": emit a falco alert noting that the buffer was full.
# - "exit": exit falco with a non-zero rc.
#
# The rate at which log/alert messages are emitted is governed by a
# token bucket. The rate corresponds to one message every 30 seconds
# with a burst of one message (by default).
#
# The messages are emitted when the percentage of dropped system calls
# with respect the number of events in the last second
# is greater than the given threshold (a double in the range [0, 1]).
#
# For debugging/testing it is possible to simulate the drops using
# the `simulate_drops: true`. In this case the threshold does not apply.
# with a burst of 10 messages.
syscall_event_drops:
threshold: .1
actions:
- log
- alert
rate: .03333
max_burst: 1
max_burst: 10
# Falco continuously monitors outputs performance. When an output channel does not allow
# to deliver an alert within a given deadline, an error is reported indicating
@@ -162,14 +152,11 @@ stdout_output:
# $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
# $ cat certificate.pem key.pem > falco.pem
# $ sudo cp falco.pem /etc/falco/falco.pem
#
# It also exposes a healthy endpoint that can be used to check if Falco is up and running
# By default the endpoint is /healthz
webserver:
enabled: true
listen_port: 8765
k8s_audit_endpoint: /k8s-audit
k8s_healthz_endpoint: /healthz
ssl_enabled: false
ssl_certificate: /etc/falco/falco.pem

240
proposals/20200828-structured-exception-handling.md
View File

@@ -1,240 +0,0 @@
# Proposal for First Class Structured Exceptions in Falco Rules
## Summary
## Motivation
Almost all Falco Rules have cases where the behavior detected by the
rule should be allowed. For example, The rule Write Below Binary Dir
has exceptions for specific programs that are known to write below
these directories as a part of software installation/management:
```yaml
- rule: Write below binary dir
desc: an attempt to write to any file below a set of binary directories
condition: >
bin_dir and evt.dir = < and open_write
and not package_mgmt_procs
and not exe_running_docker_save
and not python_running_get_pip
and not python_running_ms_oms
and not user_known_write_below_binary_dir_activities
...
```
In most cases, these exceptions are expressed as concatenations to the original rule's condition. For example, looking at the macro package_mgmt_procs:
```yaml
- macro: package_mgmt_procs
condition: proc.name in (package_mgmt_binaries)
```
The result is appending `and not proc.name in (package_mgmt_binaries)` to the condition of the rule.
A more extreme case of this is the write_below_etc macro used by Write below etc rule. It has tens of exceptions:
```
...
and not sed_temporary_file
and not exe_running_docker_save
and not ansible_running_python
and not python_running_denyhosts
and not fluentd_writing_conf_files
and not user_known_write_etc_conditions
and not run_by_centrify
and not run_by_adclient
and not qualys_writing_conf_files
and not git_writing_nssdb
...
```
The exceptions all generally follow the same structure--naming a program and a directory prefix below /etc where that program is allowed to write files.
### Using Appends/Overwrites to Customize Rules
An important way to customize rules and macros is to use `append: true` to add to them, or `append: false` to define a new rule/macro, overwriting the original rule/macro. Here's an example from Update Package Repository:
```yaml
- list: package_mgmt_binaries
items: [rpm_binaries, deb_binaries, update-alternat, gem, pip, pip3, sane-utils.post, alternatives, chef-client, apk, snapd]
- macro: package_mgmt_procs
condition: proc.name in (package_mgmt_binaries)
- macro: user_known_update_package_registry
condition: (never_true)
- rule: Update Package Repository
desc: Detect package repositories get updated
condition: >
((open_write and access_repositories) or (modify and modify_repositories))
and not package_mgmt_procs
and not exe_running_docker_save
and not user_known_update_package_registry
```
If someone wanted to add additional exceptions to this rule, they could add the following to the user_rules file:
```yaml
- list: package_mgmt_binaries
items: [puppet]
append: true
- macro: package_mgmt_procs
condition: and not proc.pname=chef
append: true
- macro: user_known_update_package_registry
condition: (proc.name in (npm))
append: false
```
This adds an 3 different exceptions:
* an additional binary to package_mgmt_binaries (because append is true),
* adds to package_mgmt_procs, adding an exception for programs spawned by chef (because append is true)
* overrides the macro user_known_update_package_registry to add an exception for npm (because append is false).
### Problems with Appends/Overrides to Define Exceptions
Although the concepts of macros and lists in condition fields, combined with appending to lists/conditions in macros/rules, is very general purpose, it can be unwieldy:
* Appending to conditions can result in incorrect behavior, unless the original condition has its logical operators set up properly with parentheses. For example:
```yaml
rule: my_rule
condition: (evt.type=open and (fd.name=/tmp/foo or fd.name=/tmp/bar))
rule: my_rule
condition: or fd.name=/tmp/baz
append: true
```
Results in unintended behavior. It will match any fd related event where the name is /tmp/baz, when the intent was probably to add /tmp/baz as an additional opened file.
* A good convention many rules use is to have a clause "and not user_known_xxxx" built into the condition field. However, it's not in all rules and its use is a bit haphazard.
* Appends and overrides can get confusing if you try to apply them multiple times. For example:
```yaml
macro: allowed_files
condition: fd.name=/tmp/foo
...
macro: allowed_files
condition: and fd.name=/tmp/bar
append: true
```
If someone wanted to override the original behavior of allowed_files, they would have to use `append: false` in a third definition of allowed_files, but this would result in losing the append: true override.
## Solution: Exceptions as first class objects
To address some of these problems, we will add the notion of Exceptions as top level objects alongside Rules, Macros, and Lists. A rule that supports exceptions must define a new key `exceptions` in the rule. The exceptions key is a list of identifier plus list of tuples of filtercheck fields. Here's an example:
```yaml
- rule: Write below binary dir
desc: an attempt to write to any file below a set of binary directories
condition: >
bin_dir and evt.dir = < and open_write
and not package_mgmt_procs
and not exe_running_docker_save
and not python_running_get_pip
and not python_running_ms_oms
and not user_known_write_below_binary_dir_activities
exceptions:
- name: proc_writer
fields: [proc.name, fd.directory]
- name: container_writer
fields: [container.image.repository, fd.directory]
comps: [=, startswith]
- name: proc_filenames
fields: [proc.name, fd.name]
comps: [=, in]
- name: filenames
fields: fd.filename
comps: in
```
This rule defines four kinds of exceptions:
* proc_writer: uses a combination of proc.name and fd.directory
* container_writer: uses a combination of container.image.repository and fd.directory
* proc_filenames: uses a combination of process and list of filenames.
* filenames: uses a list of filenames
The specific strings "proc_writer"/"container_writer"/"proc_filenames"/"filenames" are arbitrary strings and don't have a special meaning to the rules file parser. They're only used to link together the list of field names with the list of field values that exist in the exception object.
proc_writer does not have any comps property, so the fields are directly compared to values using the = operator. container_writer does have a comps property, so each field will be compared to the corresponding exception items using the corresponding comparison operator.
proc_filenames uses the in comparison operator, so the corresponding values entry should be a list of filenames.
filenames differs from the others in that it names a single field and single comp operator. This changes how the exception condition snippet is constructed (see below).
Notice that exceptions are defined as a part of the rule. This is important because the author of the rule defines what construes a valid exception to the rule. In this case, an exception can consist of a process and file directory (actor and target), but not a process name only (too broad).
Exception values will most commonly be defined in rules with append: true. Here's an example:
```yaml
- list: apt_files
items: [/bin/ls, /bin/rm]
- rule: Write below binary dir
exceptions:
- name: proc_writer
values:
- [apk, /usr/lib/alpine]
- [npm, /usr/node/bin]
- name: container_writer
values:
- [docker.io/alpine, /usr/libexec/alpine]
- name: proc_filenames
values:
- [apt, apt_files]
- [rpm, [/bin/cp, /bin/pwd]]
- name: filenames
values: [python, go]
```
A rule exception applies if for a given event, the fields in a rule.exception match all of the values in some exception.item. For example, if a program `apk` writes to a file below `/usr/lib/alpine`, the rule will not trigger, even if the condition is met.
Notice that an item in a values list can be a list. This allows building exceptions with operators like "in", "pmatch", etc. that work on a list of items. The item can also be a name of an existing list. If not present surrounding parantheses will be added.
Finally, note that the structure of the values property differs between the items where fields is a list of fields (proc_writer/container_writer/proc_filenames) and when it is a single field (procs_only). This changes how the condition snippet is constructed.
### Implementation
For exception items where the fields property is a list of field names, each exception can be thought of as an implicit "and not (field1 cmp1 val1 and field2 cmp2 val2 and...)" appended to the rule's condition. For exception items where the fields property is a single field name, the exception can be thought of as an implict "and not field cmp (val1, val2, ...)". In practice, that's how exceptions will be implemented.
When a rule is parsed, the original condition will be wrapped in an extra layer of parentheses and all exception values will be appended to the condition. For example, using the example above, the resulting condition will be:
```
(<Write below binary dir condition>) and not (
(proc.name = apk and fd.directory = /usr/lib/alpine) or (proc.name = npm and fd.directory = /usr/node/bin) or
(container.image.repository = docker.io/alpine and fd.directory startswith /usr/libexec/alpine) or
(proc.name=apt and fd.name in (apt_files))) or
(fd.filename in (python, go))))
```
The exceptions are effectively syntatic sugar that allows expressing sets of exceptions in a concise way.
### Advantages
Adding Exception objects as described here has several advantages:
* All rules will implicitly support exceptions. A rule writer doesn't need to define a user_known_xxx macro and add it to the condition.
* The rule writer has some controls on what defines a valid exception. The rule author knows best what is a good exception, and can define the fields that make up the exception.
* With this approach, it's much easier to add and manage multiple sets of exceptions from multiple sources. You're just combining lists of tuples of filtercheck field values.
## Backwards compatibility
To take advantage of these new features, users will need to upgrade Falco to a version that supports exception objects and exception keys in rules. For the most part, however, the rules file structure is unchanged.
This approach does not remove the ability to append to exceptions nor the existing use of user_xxx macros to define exceptions to rules. It only provides an additional way to express exceptions. Hopefully, we can migrate existing exceptions to use this approach, but there isn't any plan to make wholesale rules changes as a part of this.
This approach is for the most part backwards compatible with older Falco releases. To implement exceptions, we'll add a preprocessing element to rule parsing. The main Falco engine is unchanged.
However, there are a few changes we'll have to make to Falco rules file parsing:
* Currently, Falco will reject files containing anything other than rule/macro/list top-level objects. As a result, `exception` objects would be rejected. We'll probably want to make a one-time change to Falco to allow arbitrary top level objects.
* Similarly, Falco will reject rule objects with exception keys. We'll also probably want to change Falco to allow unknown keys inside rule/macro/list/exception objects.

167
proposals/2021019-libraries-donation.md
View File

@@ -1,167 +0,0 @@
# OSS Libraries Donation Plan
## Summary
Sysdig Inc. intends to donate **libsinsp**, **libscap**, the **kernel module driver** and the **eBPF driver sources** by moving them to the Falco project.
This means that some parts of the [draios/sysdig](https://github.com/draios/sysdig) repository will be moved to a new GitHub repository called [falcosecurity/libs](https://github.com/falcosecurity/libs).
This plan aims to describe and clarify the terms and goals to get the donation done.
## Motivation
There are two main OSS projects using the libraries and drivers that we are aware of:
- [sysdig](https://github.com/draios/sysdig) the command line tool
- [Falco](https:/github.com/falcosecurity/falco), the CNCF project.
Since the Falco project is a heavy user of the libraries, a lot more than the sysdig cli tool, Sysdig (the company) decided to donate the libraries and the driver to the Falco community.
Sysdig (the command line tool) will continue to use the libraries now provided by the Falco community underneath.
This change is win-win for both parties because of the following reasons:
- The Falco community owns the source code of the three most important parts of the software it distributes.
- Right now it is "only" an engine on top of the libraries. This **donation** helps in making the scope of the Falco project broader. Having the majority of the source code under an **open governance** in the same organization gives the Falco project more contribution opportunities, helps it in **evolving independently** and makes the whole Falco community a strong owner of the processes and decision making regarding those crucial parts.
- Given the previous point, Sysdig (the command line tool) will benefit from the now **extended contributors base**
- Sysdig (the company) can now focus on the user experience and user space features
- **Contributions** to the libraries and drivers will be **easier** to spread across the Falco community
- By being donated, with their own **release process**, **release artifacts**, and **documentation**, the libraries can now live on their own and possibly be used directly in other projects by becoming fundamental pieces for their success.
## Goals
There are many sub-projects and each of them interacts in a different way in this donation.
Let's see the goals per sub-project.
### libsinsp
1. Extract libsinsp from `draios/sysdig/userspace/libsinsp` (keeping the commit history) into [falcosecurity/libs](https://github.com/falcosecurity/libs)
2. The migration comes first, then we can do additional PRs for the points below so that we do only one thing at a time and keep the history linear
3. Keep the same code, refactorings will need to be done in subsequent PRs and approved separately
4. Adapt the CMake and build files
5. Install [poiana](https://github.com/poiana) and its workflows on it
6. Define the `OWNERS`
- Owners are chosen from the current major contributors (considering the past two years) to this project, given their availability, commitment is key
7. When possible, migrate issues and PRs to the new repository
8. Distribute the `libsinsp.so` library and headers as an artifact (rpm, deb, tar.gz) following the falcosecurity current process
9. Distribute the `libsinsp.a` library and headers as an artifact (rpm, deb, tar.gz) following the falcosecurity current process
10. Creation of the CI scripts using the Falco CI and Falco Infra
11. The CI scripts will need to publish the artifacts in the current falcosecurity artifacts repository
12. Artifacts will be pushed for every tag (release) and for every master merge (development release)
13. Falco follows a [multi-stage model for adopting new projects](https://github.com/falcosecurity/evolution#falco-project-evolution), in this case we will do an exception since the library is foundational for Falco and it has a very good track record already
14. This project will go already "Official support" once the donation is completed
15. Contributing, Code of Conduct, Governance, Security, and Support will be the same as the rest of the organization, find them [here](https://github.com/falcosecurity/.github)
16. Every other additional change will need to have its own process with a proposal
17. Implement the release process as described above
18. Propose a change to Falco repository to use the artifacts produced by the libsinsp release process for the build
19. Document the API
### libscap
1. Extract libscap from `draios/sysdig/userspace/libscap` (keeping the commit history) into [falcosecurity/libs](https://github.com/falcosecurity/libs)
2. The migration comes first, then we can do additional PRs for the points below so that we do only one thing at a time and keep the history linear
3. Keep the same code, refactorings will need to be done in subsequent PRs and approved separately
4. Adapt the CMake and build files
5. Install [poiana](https://github.com/poiana) and its workflows on it
6. Define the `OWNERS`
- Owners are chosen from the current major contributors (considering the past two years) to this project, given their availability, commitment is key
7. When possible, migrate issues and PRs to the new repository
8. Distribute the `libscap.so` library and headers as an artifact (rpm, deb, tar.gz) following the falcosecurity current process
9. Distribute the `libscap.a` library and headers as an artifact (rpm, deb, tar.gz) following the falcosecurity current process
10. Creation of the CI scripts using the Falco CI and Falco Infra
11. The CI scripts will need to publish the artifacts in the current falcosecurity artifacts repository
12. Artifacts will be pushed for every tag (release) and for every master merge (development release)
13. Falco follows a [multi-stage model for adopting new projects](https://github.com/falcosecurity/evolution#falco-project-evolution), in this case we will do an exception since the library is foundational for Falco and it has a very good track record already
14. This project will go already "Official support" once the donation is completed
15. Contributing, Code of Conduct, Governance, Security, and Support will be the same as the rest of the organization, find them [here](https://github.com/falcosecurity/.github)
16. Every other additional change will need to have its own process with a proposal
17. Implement the release process as described above
18. Propose a change to Falco repository to use the artifacts produced by the libscap release process for the build
19. Document the API
### Drivers: Kernel module and eBPF probe
1. Extract them from `draios/sysdig/driver` (keeping the commit history) into [falcosecurity/libs](https://github.com/falcosecurity/libs)
2. The migration comes first, then we can do additional PRs for the point below so that we do only one thing at a time and keep the history linear
3. Keep the same code, refactorings will need to be done in subsequent PRs and approved separately
4. Adapt the Makefiles and build files
5. Install [poiana](https://github.com/poiana) and its workflows on it
6. Define the `OWNERS`
- Owners are chosen from the current major contributors (considering the past two years) to this project, given their availability, commitment is key
7. When possible, migrate issues and PRs to the new repository
8. Falco follows a [multi-stage model for adopting new projects](https://github.com/falcosecurity/evolution#falco-project-evolution), in this case we will do an exception since the library is foundational for Falco and it has a very good track record already. We are just changing maintenance ownership
9. Contributing, Code of Conduct, Governance, Security, and Support will be the same as the rest of the organization, find them [here](https://github.com/falcosecurity/.github)
10. Every other additional change will need to have its own process with a proposal
11. The Falco community already ships driver artifacts using [driverkit](https://github.com/falcosecurity/driverkit) and the [test-infra repository](https://github.com/falcosecurity/test-infra)
- Adapt the place from which [driverkit](https://github.com/falcosecurity/driverkit) grabs the drivers source
12. This project will go already "Official support" once the migration is completed.
### Falco
1. Adapt the CMake files to point to the new homes for libscap, libsinsp and the drivers
2. When distributing the deb and rpm, libscap and libsinsp will need to be install dependencies and not anymore compiled into Falco
### Driverkit
1. Change the source location for the drivers to point to the new driver repository
### pdig
1. The project will need to be adapted to use libscap and libsinsp and the fillers from their new location

193
rules/falco_rules.yaml
View File

@@ -15,9 +15,14 @@
# limitations under the License.
#
# The latest Falco Engine version is 8 if you want to
# use exceptions. However the default rules file does not
# use them so we stick with 7 for compatibility.
# See xxx for details on falco engine and rules versioning. Currently,
# this specific rules file is compatible with engine version 0
# (e.g. falco releases <= 0.13.1), so we'll keep the
# required_engine_version lines commented out, so maintain
# compatibility with older falco releases. With the first incompatible
# change to this rules file, we'll uncomment this line and set it to
# the falco engine version in use at the time.
#
- required_engine_version: 7
# Currently disabled as read/write are ignored syscalls. The nearly
@@ -181,9 +186,15 @@
- list: db_server_binaries
items: [mysqld, postgres, sqlplus]
- list: mysql_mgmt_binaries
items: [mysql_install_d, mysql_ssl_rsa_s]
- list: postgres_mgmt_binaries
items: [pg_dumpall, pg_ctl, pg_lsclusters, pg_ctlcluster]
- list: db_mgmt_binaries
items: [mysql_mgmt_binaries, postgres_mgmt_binaries]
- list: nosql_server_binaries
items: [couchdb, memcached, redis-server, rabbitmq-server, mongod]
@@ -203,7 +214,7 @@
# The explicit quotes are needed to avoid the - characters being
# interpreted by the filter expression.
- list: rpm_binaries
items: [dnf, rpm, rpmkey, yum, '"75-system-updat"', rhsmcertd-worke, rhsmcertd, subscription-ma,
items: [dnf, rpm, rpmkey, yum, '"75-system-updat"', rhsmcertd-worke, subscription-ma,
repoquery, rpmkeys, rpmq, yum-cron, yum-config-mana, yum-debug-dump,
abrt-action-sav, rpmdb_stat, microdnf, rhn_check, yumdb]
@@ -216,7 +227,7 @@
- list: deb_binaries
items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, apt-get, aptitude,
frontend, preinst, add-apt-reposit, apt-auto-remova, apt-key,
apt-listchanges, unattended-upgr, apt-add-reposit, apt-config, apt-cache, apt.systemd.dai
apt-listchanges, unattended-upgr, apt-add-reposit, apt-config, apt-cache
]
# The truncated dpkg-preconfigu is intentional, process names are
@@ -538,11 +549,60 @@
- macro: system_users
condition: user.name in (bin, daemon, games, lp, mail, nobody, sshd, sync, uucp, www-data)
# These macros will be removed soon. Only keeping them to maintain
# compatiblity with some widely used rules files.
# Begin Deprecated
- macro: parent_ansible_running_python
condition: (proc.pname in (python, pypy, python3) and proc.pcmdline contains ansible)
- macro: parent_bro_running_python
condition: (proc.pname=python and proc.cmdline contains /usr/share/broctl)
- macro: parent_python_running_denyhosts
condition: >
(proc.cmdline startswith "denyhosts.py /usr/bin/denyhosts.py" or
(proc.pname=python and
(proc.pcmdline contains /usr/sbin/denyhosts or
proc.pcmdline contains /usr/local/bin/denyhosts.py)))
- macro: parent_python_running_sdchecks
condition: >
(proc.pname in (python, python2.7) and
(proc.pcmdline contains /opt/draios/bin/sdchecks))
- macro: python_running_sdchecks
condition: >
(proc.name in (python, python2.7) and
(proc.cmdline contains /opt/draios/bin/sdchecks))
- macro: parent_linux_image_upgrade_script
condition: proc.pname startswith linux-image-
- macro: parent_java_running_echo
condition: (proc.pname=java and proc.cmdline startswith "sh -c echo")
- macro: parent_scripting_running_builds
condition: >
(proc.pname in (php,php5-fpm,php-fpm7.1,python,ruby,ruby2.3,ruby2.1,node,conda) and (
proc.cmdline startswith "sh -c git" or
proc.cmdline startswith "sh -c date" or
proc.cmdline startswith "sh -c /usr/bin/g++" or
proc.cmdline startswith "sh -c /usr/bin/gcc" or
proc.cmdline startswith "sh -c gcc" or
proc.cmdline startswith "sh -c if type gcc" or
proc.cmdline startswith "sh -c cd '/var/www/edi/';LC_ALL=en_US.UTF-8 git" or
proc.cmdline startswith "sh -c /var/www/edi/bin/sftp.sh" or
proc.cmdline startswith "sh -c /usr/src/app/crxlsx/bin/linux/crxlsx" or
proc.cmdline startswith "sh -c make parent" or
proc.cmdline startswith "node /jenkins/tools" or
proc.cmdline startswith "sh -c '/usr/bin/node'" or
proc.cmdline startswith "sh -c stty -a |" or
proc.pcmdline startswith "node /opt/nodejs/bin/yarn" or
proc.pcmdline startswith "node /usr/local/bin/yarn" or
proc.pcmdline startswith "node /root/.config/yarn" or
proc.pcmdline startswith "node /opt/yarn/bin/yarn.js"))
- macro: httpd_writing_ssl_conf
condition: >
(proc.pname=run-httpd and
@@ -552,6 +612,28 @@
- macro: userhelper_writing_etc_security
condition: (proc.name=userhelper and fd.name startswith /etc/security)
- macro: parent_Xvfb_running_xkbcomp
condition: (proc.pname=Xvfb and proc.cmdline startswith 'sh -c "/usr/bin/xkbcomp"')
- macro: parent_nginx_running_serf
condition: (proc.pname=nginx and proc.cmdline startswith "sh -c serf")
- macro: parent_node_running_npm
condition: (proc.pcmdline startswith "node /usr/local/bin/npm" or
proc.pcmdline startswith "node /usr/local/nodejs/bin/npm" or
proc.pcmdline startswith "node /opt/rh/rh-nodejs6/root/usr/bin/npm")
- macro: parent_java_running_sbt
condition: (proc.pname=java and proc.pcmdline contains sbt-launch.jar)
- list: known_container_shell_spawn_cmdlines
items: []
- list: known_shell_spawn_binaries
items: []
## End Deprecated
- macro: ansible_running_python
condition: (proc.name in (python, pypy, python3) and proc.cmdline contains ansible)
@@ -607,6 +689,9 @@
- macro: run_by_centrify
condition: (proc.aname[2]=centrify or proc.aname[3]=centrify or proc.aname[4]=centrify)
- macro: run_by_puppet
condition: (proc.aname[2]=puppet or proc.aname[3]=puppet)
# Also handles running semi-indirectly via scl
- macro: run_by_foreman
condition: >
@@ -792,7 +877,7 @@
or proc.cmdline contains "/var/run/docker")
and proc.pname in (dockerd, docker, dockerd-current, docker-current)
# Ideally we'd have a length check here as well but
# Ideally we'd have a length check here as well but sysdig
# filterchecks don't have operators like len()
- macro: sed_temporary_file
condition: (proc.name=sed and fd.name startswith "/etc/sed")
@@ -903,10 +988,15 @@
# the following rule and lists.
- list: monitored_directories
items: [/boot, /lib, /lib64, /usr/lib, /usr/local/lib, /usr/local/sbin, /usr/local/bin, /root/.ssh]
items: [/boot, /lib, /lib64, /usr/lib, /usr/local/lib, /usr/local/sbin, /usr/local/bin, /root/.ssh, /etc/cardserver]
# Until https://github.com/draios/sysdig/pull/1153, which fixes
# https://github.com/draios/sysdig/issues/1152, is widely available,
# we can't use glob operators to match pathnames. Until then, we do a
# looser check to match ssh directories.
# When fixed, we will use "fd.name glob '/home/*/.ssh/*'"
- macro: user_ssh_directory
condition: (fd.name glob '/home/*/.ssh/*')
condition: (fd.name startswith '/home' and fd.name contains '.ssh')
# google_accounts_(daemon)
- macro: google_accounts_daemon_writing_ssh
@@ -934,7 +1024,7 @@
condition: (never_true)
- rule: Write below monitored dir
desc: an attempt to write to any file below a set of monitored directories
desc: an attempt to write to any file below a set of binary directories
condition: >
evt.dir = < and open_write and monitored_dir
and not package_mgmt_procs
@@ -1511,12 +1601,7 @@
- rule: Mkdir binary dirs
desc: an attempt to create a directory below a set of binary directories.
condition: >
mkdir
and bin_dir_mkdir
and not package_mgmt_procs
and not user_known_mkdir_bin_dir_activities
and not exe_running_docker_save
condition: mkdir and bin_dir_mkdir and not package_mgmt_procs and not user_known_mkdir_bin_dir_activities
output: >
Directory below known binary directory created (user=%user.name user_loginuid=%user.loginuid
command=%proc.cmdline directory=%evt.arg.path container_id=%container.id image=%container.image.repository)
@@ -1754,6 +1839,13 @@
- list: trusted_images
items: []
# NOTE: This macro is only provided for backwards compatibility with
# older local falco rules files that may have been appending to
# trusted_images. To make customizations, it's better to add containers to
# user_trusted_containers, user_privileged_containers or user_sensitive_mount_containers.
- macro: trusted_containers
condition: (container.image.repository in (trusted_images))
# Add conditions to this macro (probably in a separate file,
# overwriting this macro) to specify additional containers that are
# trusted and therefore allowed to run privileged *and* with sensitive
@@ -1820,6 +1912,12 @@
- macro: user_privileged_containers
condition: (never_true)
- list: rancher_images
items: [
rancher/network-manager, rancher/dns, rancher/agent,
rancher/lb-service-haproxy, rancher/metadata, rancher/healthcheck
]
# These container images are allowed to mount sensitive paths from the
# host filesystem.
- list: falco_sensitive_mount_images
@@ -1831,7 +1929,7 @@
docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul,
docker.io/datadog/docker-dd-agent, docker.io/datadog/agent, docker.io/docker/ucp-agent, docker.io/gliderlabs/logspout,
docker.io/netdata/netdata, docker.io/google/cadvisor, docker.io/prom/node-exporter,
amazon/amazon-ecs-agent, prom/node-exporter, amazon/cloudwatch-agent
amazon/amazon-ecs-agent
]
- macro: falco_sensitive_mount_containers
@@ -2315,12 +2413,6 @@
priority: NOTICE
tags: [network, container, mitre_discovery]
# Containers from IBM Cloud
- list: ibm_cloud_containers
items:
- icr.io/ext/sysdig/agent
- registry.ng.bluemix.net/armada-master/metrics-server-amd64
- registry.ng.bluemix.net/armada-master/olm
# In a local/user rules file, list the namespace or container images that are
# allowed to contact the K8s API Server from within a container. This
@@ -2331,10 +2423,7 @@
(container.image.repository in (gcr.io/google_containers/hyperkube-amd64,
gcr.io/google_containers/kube2sky, docker.io/sysdig/falco,
docker.io/sysdig/sysdig, docker.io/falcosecurity/falco,
sysdig/falco, sysdig/sysdig, falcosecurity/falco,
fluent/fluentd-kubernetes-daemonset, prom/prometheus,
ibm_cloud_containers)
or (k8s.ns.name = "kube-system"))
sysdig/falco, sysdig/sysdig, falcosecurity/falco) or (k8s.ns.name = "kube-system"))
- macro: k8s_api_server
condition: (fd.sip.name="kubernetes.default.svc.cluster.local")
@@ -2345,9 +2434,9 @@
- rule: Contact K8S API Server From Container
desc: Detect attempts to contact the K8S API Server from a container
condition: >
evt.type=connect and evt.dir=< and
evt.type=connect and evt.dir=< and
(fd.typechar=4 or fd.typechar=6) and
container and
container and
not k8s_containers and
k8s_api_server and
not user_known_contact_k8s_api_server_activities
@@ -2593,7 +2682,7 @@
condition: (always_true)
- list: user_known_chmod_applications
items: [hyperkube, kubelet, k3s-agent]
items: [hyperkube, kubelet]
# This macro should be overridden in user rules as needed. This is useful if a given application
# should not be ignored alltogether with the user_known_chmod_applications list, but only in
@@ -2636,7 +2725,6 @@
(open_write and evt.arg.flags contains "O_CREAT" and fd.name contains "/." and not fd.name pmatch (exclude_hidden_directories))) and
consider_hidden_file_creation and
not user_known_create_hidden_file_activities
and not exe_running_docker_save
output: >
Hidden file or directory created (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
@@ -2812,7 +2900,7 @@
tags: [container, mitre_execution]
# This rule is enabled by default.
# This rule is enabled by default.
# If you want to disable it, modify the following macro.
- macro: consider_packet_socket_communication
condition: (always_true)
@@ -2831,6 +2919,10 @@
- macro: enabled_rule_network_only_subnet
condition: (never_true)
# Images that are allowed to have outbound traffic
- list: images_allow_network_outside_subnet
items: []
# Namespaces where the rule is enforce
- list: namespace_scope_network_only_subnet
items: []
@@ -2870,6 +2962,9 @@
- list: allowed_image
items: [] # add image to monitor, i.e.: bitnami/nginx
- list: authorized_server_binaries
items: [] # add binary to allow, i.e.: nginx
- list: authorized_server_port
items: [] # add port to allow, i.e.: 80
@@ -2967,7 +3062,7 @@
- list: white_listed_modules
items: []
- rule: Linux Kernel Module Injection Detected
desc: Detect kernel module was injected (from container).
condition: spawned_process and container and proc.name=insmod and not proc.args in (white_listed_modules)
@@ -2991,40 +3086,6 @@
priority: INFO
tags: [container, process]
# This rule helps detect CVE-2021-3156:
# A privilege escalation to root through heap-based buffer overflow
- rule: Sudo Potential Privilege Escalation
desc: Privilege escalation vulnerability affecting sudo (<= 1.9.5p2). Executing sudo using sudoedit -s or sudoedit -i command with command-line argument that ends with a single backslash character from an unprivileged user it's possible to elevate the user privileges to root.
condition: spawned_process and user.uid!= 0 and proc.name=sudoedit and (proc.args contains -s or proc.args contains -i) and (proc.args contains "\ " or proc.args endswith \)
output: "Detect Sudo Privilege Escalation Exploit (CVE-2021-3156) (user=%user.name parent=%proc.pname cmdline=%proc.cmdline %container.info)"
priority: CRITICAL
tags: [filesystem, mitre_privilege_escalation]
- rule: Debugfs Launched in Privileged Container
desc: Detect file system debugger debugfs launched inside a privilegd container which might lead to container escape.
condition: >
spawned_process and container
and container.privileged=true
and proc.name=debugfs
output: Debugfs launched started in a privileged container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
priority: WARNING
tags: [container, cis, mitre_lateral_movement]
- macro: mount_info
condition: (proc.args="" or proc.args intersects ("-V", "-l", "-h"))
- rule: Mount Launched in Privileged Container
desc: Detect file system mount happened inside a privilegd container which might lead to container escape.
condition: >
spawned_process and container
and container.privileged=true
and proc.name=mount
and not mount_info
output: Mount was executed inside a privileged container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
priority: WARNING
tags: [container, cis, mitre_lateral_movement]
# Application rules have moved to application_rules.yaml. Please look
# there if you want to enable them by adding to
# falco_rules.local.yaml.

47
rules/k8s_audit_rules.yaml
View File

@@ -50,9 +50,7 @@
vertical_pod_autoscaler_users,
cluster-autoscaler,
"system:addon-manager",
"cloud-controller-manager",
"eks:node-manager",
"system:kube-controller-manager"
"cloud-controller-manager"
]
- rule: Disallowed K8s User
@@ -209,10 +207,6 @@
# events to be stateful, so it could know if a container named in an
# attach request was created privileged or not. For now, we have a
# less severe rule that detects attaches/execs to any pod.
#
# For the same reason, you can't use things like image names/prefixes,
# as the event that creates the pod (which has the images) is a
# separate event than the actual exec/attach to the pod.
- macro: user_known_exec_pod_activities
condition: (k8s_audit_never_true)
@@ -301,13 +295,8 @@
- list: user_known_sa_list
items: []
- list: known_sa_list
items: ["pod-garbage-collector","resourcequota-controller","cronjob-controller","generic-garbage-collector",
"daemon-set-controller","endpointslice-controller","deployment-controller", "replicaset-controller",
"endpoint-controller"]
- macro: trusted_sa
condition: (ka.target.name in (known_sa_list, user_known_sa_list))
condition: (ka.target.name in (user_known_sa_list))
# Detect creating a service account in the kube-system/kube-public namespace
- rule: Service Account Created in Kube Namespace
@@ -532,11 +521,11 @@
- list: full_admin_k8s_users
items: ["admin", "kubernetes-admin", "kubernetes-admin@kubernetes", "kubernetes-admin@cluster.local", "minikube-user"]
# This rules detect an operation triggered by an user name that is
# included in the list of those that are default administrators upon
# cluster creation. This may signify a permission setting too broader.
# As we can't check for role of the user on a general ka.* event, this
# may or may not be an administrator. Customize the full_admin_k8s_users
# This rules detect an operation triggered by an user name that is
# included in the list of those that are default administrators upon
# cluster creation. This may signify a permission setting too broader.
# As we can't check for role of the user on a general ka.* event, this
# may or may not be an administrator. Customize the full_admin_k8s_users
# list to your needs, and activate at your discrection.
# # How to test:
@@ -546,8 +535,8 @@
- rule: Full K8s Administrative Access
desc: Detect any k8s operation by a user name that may be an administrator with full access.
condition: >
kevt
and non_system_user
kevt
and non_system_user
and ka.user.name in (full_admin_k8s_users)
and not allowed_full_admin_users
output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
@@ -586,7 +575,7 @@
output: >
K8s Ingress Without TLS Cert Created (user=%ka.user.name ingress=%ka.target.name
namespace=%ka.target.namespace)
source: k8s_audit
source: k8s_audit
priority: WARNING
tags: [k8s, network]
@@ -609,10 +598,10 @@
desc: >
Detect a node successfully joined the cluster outside of the list of allowed nodes.
condition: >
kevt and node
and kcreate
and response_successful
and not allow_all_k8s_nodes
kevt and node
and kcreate
and response_successful
and not allow_all_k8s_nodes
and not ka.target.name in (allowed_k8s_nodes)
output: Node not in allowed list successfully joined the cluster (user=%ka.user.name node=%ka.target.name)
priority: ERROR
@@ -623,10 +612,10 @@
desc: >
Detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes.
condition: >
kevt and node
and kcreate
and not response_successful
and not allow_all_k8s_nodes
kevt and node
and kcreate
and not response_successful
and not allow_all_k8s_nodes
and not ka.target.name in (allowed_k8s_nodes)
output: Node not in allowed list tried unsuccessfully to join the cluster (user=%ka.user.name node=%ka.target.name reason=%ka.response.reason)
priority: WARNING

6
scripts/CMakeLists.txt
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2021 The Falco Authors.
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -19,14 +19,14 @@ configure_file(debian/postinst.in debian/postinst)
configure_file(debian/postrm.in debian/postrm)
configure_file(debian/prerm.in debian/prerm)
file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco.service"
file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco"
DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
configure_file(rpm/postinstall.in rpm/postinstall)
configure_file(rpm/postuninstall.in rpm/postuninstall)
configure_file(rpm/preuninstall.in rpm/preuninstall)
file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco.service"
file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco"
DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
configure_file(falco-driver-loader falco-driver-loader @ONLY)

61
scripts/cleanup Executable file
View File

@@ -0,0 +1,61 @@
#!/usr/bin/env bash
usage() {
echo "usage: $0 -p 0987654321 -r <deb-dev|rpm-dev|bin-dev>"
exit 1
}
user=poiana
# Get the versions to delete.
#
# $1: repository to lookup
# $2: number of versions to skip.
get_versions() {
# The API endpoint returns the Falco package versions sort by most recent.
IFS=$'\n' read -r -d '' -a all < <(curl -s --header "Content-Type: application/json" "https://api.bintray.com/packages/falcosecurity/$1/falco" | jq -r '.versions | .[]' | tail -n "+$2")
}
# Remove all the versions (${all[@]} array).
#
# $1: repository containing the versions.
rem_versions() {
for i in "${!all[@]}";
do
JFROG_CLI_LOG_LEVEL=DEBUG jfrog bt vd --quiet --user "${user}" --key "${pass}" "falcosecurity/$1/falco/${all[$i]}"
done
}
while getopts ":p::r:" opt; do
case "${opt}" in
p )
pass=${OPTARG}
;;
r )
repo="${OPTARG}"
[[ "${repo}" == "deb-dev" || "${repo}" == "rpm-dev" || "${repo}" == "bin-dev" ]] || usage
;;
: )
echo "invalid option: ${OPTARG} requires an argument" 1>&2
exit 1
;;
\?)
echo "invalid option: ${OPTARG}" 1>&2
exit 1
;;
esac
done
shift $((OPTIND-1))
if [ -z "${pass}" ] || [ -z "${repo}" ]; then
usage
fi
skip=51
if [[ "${repo}" == "bin-dev" ]]; then
skip=11
fi
get_versions "${repo}" ${skip}
echo "number of versions to delete: ${#all[@]}"
rem_versions "${repo}"

176
scripts/debian/falco Executable file
View File

@@ -0,0 +1,176 @@
#! /bin/sh
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
### BEGIN INIT INFO
# Provides: falco
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Falco syscall activity monitoring agent
# Description: Falco is a system activity monitoring agent
# driven by system calls with support for containers.
### END INIT INFO
# Author: The Falco Authors <cncf-falco-dev@lists.cncf.io>
# Do NOT "set -e"
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="Falco"
NAME=falco
DAEMON=/usr/bin/$NAME
PIDFILE=/var/run/$NAME.pid
DAEMON_ARGS="--daemon --pidfile=$PIDFILE"
SCRIPTNAME=/etc/init.d/$NAME
# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working.
. /lib/lsb/init-functions
#
# Function that starts the daemon/service
#
do_start()
{
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
|| return 1
if [ ! -d /sys/module/falco ]; then
/sbin/modprobe falco || exit 1
fi
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
$DAEMON_ARGS \
|| return 2
# Add code here, if necessary, that waits for the process to be ready
# to handle requests from services started subsequently which depend
# on this one. As a last resort, sleep for some time.
}
#
# Function that stops the daemon/service
#
do_stop()
{
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
# Wait for children to finish too if this is a daemon that forks
# and if the daemon is only ever run from this initscript.
# If the above conditions are not satisfied then add some other code
# that waits for the process to drop all resources that could be
# needed by services started subsequently. A last resort is to
# sleep for some time.
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
[ "$?" = 2 ] && return 2
/sbin/rmmod falco
# Many daemons don't delete their pidfiles when they exit.
rm -f $PIDFILE
return "$RETVAL"
}
#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
#
# If the daemon can reload its configuration without
# restarting (for example, when it is sent a SIGHUP),
# then implement that here.
#
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
return 0
}
case "$1" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
do_start
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
status)
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
;;
#reload|force-reload)
#
# If do_reload() is not implemented then leave this commented out
# and leave 'force-reload' as an alias for 'restart'.
#
#log_daemon_msg "Reloading $DESC" "$NAME"
#do_reload
#log_end_msg $?
#;;
restart|force-reload)
#
# If the "reload" option is implemented then remove the
# 'force-reload' alias
#
log_daemon_msg "Restarting $DESC" "$NAME"
do_stop
case "$?" in
0|1)
do_start
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;; # Old process is still running
*) log_end_msg 1 ;; # Failed to start
esac
;;
*)
# Failed to stop
log_end_msg 1
;;
esac
;;
*)
#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
exit 3
;;
esac
:

24
scripts/debian/falco.service
View File

@@ -1,24 +0,0 @@
[Unit]
Description=Falco: Container Native Runtime Security
Documentation=https://falco.org/docs/
[Service]
Type=simple
User=root
ExecStartPre=/sbin/modprobe falco
ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
ExecStopPost=/sbin/rmmod falco
UMask=0077
TimeoutSec=30
RestartSec=15s
Restart=on-failure
PrivateTmp=true
NoNewPrivileges=yes
ProtectHome=read-only
ProtectSystem=full
ProtectKernelTunables=true
RestrictRealtime=true
RestrictAddressFamilies=~AF_PACKET
[Install]
WantedBy=multi-user.target

7
scripts/debian/postinst.in
View File

@@ -1,6 +1,6 @@
#!/bin/sh
#
# Copyright (C) 2021 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -41,3 +41,8 @@ case "$1" in
fi
;;
esac
if [ -x "/etc/init.d/$NAME" ]; then
update-rc.d $NAME defaults >/dev/null
fi

9
scripts/debian/postrm.in
View File

@@ -1,6 +1,6 @@
#!/bin/sh
#
# Copyright (C) 2021 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,3 +15,10 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
set -e
NAME=falco
if [ "$1" = "purge" ] ; then
update-rc.d $NAME remove >/dev/null
fi

12
scripts/debian/prerm.in
View File

@@ -1,6 +1,6 @@
#!/bin/sh
#
# Copyright (C) 2021 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -17,6 +17,16 @@
#
set -e
NAME="@PACKAGE_NAME@"
if [ -x "/etc/init.d/$NAME" ]; then
if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
invoke-rc.d $NAME stop || exit $?
else
/etc/init.d/$NAME stop || exit $?
fi
fi
DKMS_PACKAGE_NAME="@PACKAGE_NAME@"
DKMS_VERSION="@PROBE_VERSION@"

236
scripts/falco-driver-loader
View File

@@ -1,6 +1,6 @@
#!/usr/bin/env bash
#
# Copyright (C) 2021 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,7 +16,7 @@
# limitations under the License.
#
# Simple script that desperately tries to load the kernel instrumentation by
# looking for it in a bunch of ways. Convenient when running Falco inside
# looking for it in a bunch of ways. Convenient when running falco inside
# a container or in other weird environments.
#
@@ -82,7 +82,7 @@ get_kernel_config() {
echo "* Found kernel config at ${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
KERNEL_CONFIG_PATH="${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
elif [ -f "/lib/modules/${KERNEL_RELEASE}/config" ]; then
# This code works both for native host and containers assuming that
# this code works both for native host and agent container assuming that
# Dockerfile sets up the desired symlink /lib/modules -> $HOST_ROOT/lib/modules
echo "* Found kernel config at /lib/modules/${KERNEL_RELEASE}/config"
KERNEL_CONFIG_PATH="/lib/modules/${KERNEL_RELEASE}/config"
@@ -107,14 +107,12 @@ get_target_id() {
source "${HOST_ROOT}/etc/os-release"
OS_ID=$ID
elif [ -f "${HOST_ROOT}/etc/debian_version" ]; then
# Older debian distros
# fixme > Can this happen on older Ubuntu?
# Older Debian
# fixme > can this happen on older Ubuntu?
OS_ID=debian
elif [ -f "${HOST_ROOT}/etc/centos-release" ]; then
# Older CentOS distros
# Older CentOS
OS_ID=centos
elif [ -f "${HOST_ROOT}/etc/VERSION" ]; then
OS_ID=minikube
else
>&2 echo "Detected an unsupported target system, please get in touch with the Falco community"
exit 1
@@ -142,25 +140,25 @@ get_target_id() {
}
load_kernel_module_compile() {
# Skip dkms on UEK hosts because it will always fail
# skip dkms on UEK hosts because it will always fail
if [[ $(uname -r) == *uek* ]]; then
>&2 echo "Skipping because the dkms install always fail (on UEK hosts)"
echo "* Skipping dkms install for UEK host"
return
fi
if ! hash dkms >/dev/null 2>&1; then
>&2 echo "This program requires dkms"
if ! hash dkms &>/dev/null; then
echo "* Skipping dkms install (dkms not found)"
return
fi
# Try to compile using all the available gcc versions
# try to compile using all the available gcc versions
for CURRENT_GCC in $(which gcc) $(ls "$(dirname "$(which gcc)")"/gcc-* | grep 'gcc-[0-9]\+' | sort -r); do
echo "* Trying to dkms install ${DRIVER_NAME} module with GCC ${CURRENT_GCC}"
echo "#!/usr/bin/env bash" > /tmp/falco-dkms-make
echo "make CC=${CURRENT_GCC} \$@" >> /tmp/falco-dkms-make
chmod +x /tmp/falco-dkms-make
if dkms install --directive="MAKE='/tmp/falco-dkms-make'" -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"
echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"
if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then
echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
exit 0
@@ -183,6 +181,7 @@ load_kernel_module_compile() {
}
load_kernel_module_download() {
get_target_id
local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
@@ -190,14 +189,14 @@ load_kernel_module_download() {
local URL
URL=$(echo "${DRIVERS_REPO}/${DRIVER_VERSION}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g)
echo "* Trying to download a prebuilt ${DRIVER_NAME} module from ${URL}"
echo "* Trying to download prebuilt module from ${URL}"
if curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
echo "* Download succeeded"
insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module found and inserted"
insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module loaded"
exit $?
else
>&2 echo "Unable to find a prebuilt ${DRIVER_NAME} module"
return
>&2 echo "Download failed, consider compiling your own ${DRIVER_NAME} module and loading it or getting in touch with the Falco community"
exit 1
fi
}
@@ -221,7 +220,7 @@ load_kernel_module() {
rmmod "${DRIVER_NAME}" 2>/dev/null
WAIT_TIME=0
KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
while lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do
while lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do
if rmmod "${DRIVER_NAME}" 2>/dev/null; then
echo "* Unloading ${DRIVER_NAME} module succeeded after ${WAIT_TIME}s"
break
@@ -238,77 +237,33 @@ load_kernel_module() {
exit 0
fi
echo "* Trying to load a system ${DRIVER_NAME} module, if present"
if [ -n "$ENABLE_COMPILE" ]; then
load_kernel_module_compile
fi
echo "* Trying to load a system ${DRIVER_NAME} driver, if present"
if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
echo "* Success: ${DRIVER_NAME} module found and loaded with modprobe"
exit 0
fi
fi
echo "* Looking for a ${DRIVER_NAME} module locally (kernel ${KERNEL_RELEASE})"
echo "* Trying to find locally a prebuilt ${DRIVER_NAME} module for kernel ${KERNEL_RELEASE}, if present"
get_target_id
local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
if [ -f "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" ]; then
echo "* Found a prebuilt ${DRIVER_NAME} module at ${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module found and inserted"
echo "* Found a prebuilt module at ${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module loaded"
exit $?
fi
if [ -n "$ENABLE_DOWNLOAD" ]; then
load_kernel_module_download
fi
if [ -n "$ENABLE_COMPILE" ]; then
load_kernel_module_compile
fi
# Not able to download a prebuilt module nor to compile one on-the-fly
>&2 echo "Consider compiling your own ${DRIVER_NAME} driver and loading it or getting in touch with the Falco community"
exit 1
}
clean_kernel_module() {
if ! hash lsmod > /dev/null 2>&1; then
>&2 echo "This program requires lsmod"
exit 1
fi
if ! hash rmmod > /dev/null 2>&1; then
>&2 echo "This program requires rmmod"
exit 1
fi
KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
if lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}"; then
if rmmod "${DRIVER_NAME}" 2>/dev/null; then
echo "* Unloading ${DRIVER_NAME} module succeeded"
else
echo "* Unloading ${DRIVER_NAME} module failed"
fi
else
echo "* There is no ${DRIVER_NAME} module loaded"
fi
if ! hash dkms >/dev/null 2>&1; then
echo "* Skipping dkms remove (dkms not found)"
return
fi
DRIVER_VERSIONS=$(dkms status -m "${DRIVER_NAME}" | cut -d',' -f2 | sed -e 's/^[[:space:]]*//')
if [ -z "${DRIVER_VERSIONS}" ]; then
echo "* There is no ${DRIVER_NAME} module in dkms"
return
fi
for CURRENT_VER in ${DRIVER_VERSIONS}; do
if dkms remove -m "${DRIVER_NAME}" -v "${CURRENT_VER}" --all 2>/dev/null; then
echo "* Removing ${DRIVER_NAME}/${CURRENT_VER} succeeded"
else
echo "* Removing ${DRIVER_NAME}/${CURRENT_VER} failed"
exit 1
fi
done
}
load_bpf_probe_compile() {
@@ -317,14 +272,14 @@ load_bpf_probe_compile() {
customize_kernel_build() {
if [ -n "${KERNEL_EXTRA_VERSION}" ]; then
sed -i "s/LOCALVERSION=\"\"/LOCALVERSION=\"${KERNEL_EXTRA_VERSION}\"/" .config
sed -i "s/LOCALVERSION=\"\"/LOCALVERSION=\"${KERNEL_EXTRA_VERSION}\"/" .config
fi
make olddefconfig > /dev/null
make modules_prepare > /dev/null
}
if [ "${TARGET_ID}" == "cos" ]; then
echo "* COS detected (build ${BUILD_ID}), using COS kernel headers"
if [ -n "${COS}" ]; then
echo "* COS detected (build ${BUILD_ID}), using cos kernel headers"
BPF_KERNEL_SOURCES_URL="https://storage.googleapis.com/cos-tools/${BUILD_ID}/kernel-headers.tgz"
KERNEL_EXTRA_VERSION="+"
@@ -355,8 +310,7 @@ load_bpf_probe_compile() {
}
fi
if [ "${TARGET_ID}" == "minikube" ]; then
MINIKUBE_VERSION="$(cat "${HOST_ROOT}/etc/VERSION")"
if [ -n "${MINIKUBE}" ]; then
echo "* Minikube detected (${MINIKUBE_VERSION}), using linux kernel sources for minikube kernel"
local kernel_version
kernel_version=$(uname -r)
@@ -382,16 +336,14 @@ load_bpf_probe_compile() {
fi
if [ -n "${BPF_KERNEL_SOURCES_URL}" ]; then
get_kernel_config
echo "* Downloading ${BPF_KERNEL_SOURCES_URL}"
mkdir -p /tmp/kernel
cd /tmp/kernel || exit
cd "$(mktemp -d -p /tmp/kernel)" || exit
if ! curl -L -o kernel-sources.tgz --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" "${BPF_KERNEL_SOURCES_URL}"; then
>&2 echo "Unable to download the kernel sources"
return
>&2 echo "Download failed"
exit 1;
fi
echo "* Extracting kernel sources"
@@ -432,22 +384,47 @@ load_bpf_probe_download() {
echo "* Trying to download a prebuilt eBPF probe from ${URL}"
if ! curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${URL}"; then
>&2 echo "Unable to find a prebuilt ${DRIVER_NAME} eBPF probe"
return
>&2 echo "Download failed"
exit 1;
fi
}
load_bpf_probe() {
echo "* Mounting debugfs"
if [ ! -d /sys/kernel/debug/tracing ]; then
mount -t debugfs nodev /sys/kernel/debug
fi
get_kernel_config
if [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/os-release" ]; then
# shellcheck source=/dev/null
source "${HOST_ROOT}/etc/os-release"
if [ "${ID}" == "cos" ]; then
COS=1
fi
fi
if [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/VERSION" ]; then
MINIKUBE=1
MINIKUBE_VERSION="$(cat "${HOST_ROOT}/etc/VERSION")"
fi
get_target_id
BPF_PROBE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.o"
if [ -n "$ENABLE_COMPILE" ]; then
if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
echo "* Skipping compile, eBPF probe is already present in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
else
load_bpf_probe_compile
fi
fi
if [ -n "$ENABLE_DOWNLOAD" ]; then
if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
echo "* Skipping download, eBPF probe is already present in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
@@ -456,22 +433,21 @@ load_bpf_probe() {
fi
fi
if [ -n "$ENABLE_COMPILE" ]; then
if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
echo "* Skipping compilation, eBPF probe is already present in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
else
load_bpf_probe_compile
fi
fi
if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
echo "* eBPF probe located in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
if [ ! -f /proc/sys/net/core/bpf_jit_enable ]; then
echo "******************************************************************"
echo "** BPF doesn't have JIT enabled, performance might be degraded. **"
echo "** Please ensure to run on a kernel with CONFIG_BPF_JIT on. **"
echo "******************************************************************"
fi
ln -sf "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${HOME}/.falco/${DRIVER_NAME}-bpf.o" \
&& echo "* Success: eBPF probe symlinked to ${HOME}/.falco/${DRIVER_NAME}-bpf.o"
exit $?
else
>&2 echo "Unable to load the ${DRIVER_NAME} eBPF probe"
>&2 echo "Failure to find an eBPF probe"
exit 1
fi
}
@@ -487,32 +463,15 @@ print_usage() {
echo ""
echo "Options:"
echo " --help show brief help"
echo " --clean try to remove an already present driver installation"
echo " --compile try to compile the driver locally (default true)"
echo " --download try to download a prebuilt driver (default true)"
echo " --compile try to compile the driver locally"
echo " --download try to download a prebuilt driver"
echo " --source-only skip execution and allow sourcing in another script"
echo ""
echo "Environment variables:"
echo " DRIVER_REPO specify a different URL where to look for prebuilt Falco drivers"
echo " DRIVER_NAME specify a different name for the driver"
echo " DRIVER_INSECURE_DOWNLOAD whether you want to allow insecure downloads or not"
echo ""
echo "Versions:"
echo " Falco version ${FALCO_VERSION}"
echo " Driver version ${DRIVER_VERSION}"
echo ""
}
ARCH=$(uname -m)
KERNEL_RELEASE=$(uname -r)
if ! hash sed > /dev/null 2>&1; then
>&2 echo "This program requires sed"
exit 1
fi
KERNEL_VERSION=$(uname -v | sed 's/#\([[:digit:]]\+\).*/\1/')
DRIVERS_REPO=${DRIVERS_REPO:-"@DRIVERS_REPO@"}
if [ -n "$DRIVER_INSECURE_DOWNLOAD" ]
@@ -527,8 +486,7 @@ if [[ -z "$MAX_RMMOD_WAIT" ]]; then
fi
DRIVER_VERSION="@PROBE_VERSION@"
DRIVER_NAME=${DRIVER_NAME:-"@PROBE_NAME@"}
FALCO_VERSION="@FALCO_VERSION@"
DRIVER_NAME="@PROBE_NAME@"
DRIVER="module"
if [ -v FALCO_BPF_PROBE ]; then
@@ -538,7 +496,6 @@ fi
ENABLE_COMPILE=
ENABLE_DOWNLOAD=
clean=
has_args=
has_opts=
source_only=
@@ -546,7 +503,7 @@ while test $# -gt 0; do
case "$1" in
module|bpf)
if [ -n "$has_args" ]; then
>&2 echo "Only one driver per invocation"
>&2 echo "Only one driver can be passed"
print_usage
exit 1
else
@@ -559,10 +516,6 @@ while test $# -gt 0; do
print_usage
exit 0
;;
--clean)
clean="true"
shift
;;
--compile)
ENABLE_COMPILE="yes"
has_opts="true"
@@ -596,42 +549,23 @@ if [ -z "$has_opts" ]; then
fi
if [ -z "$source_only" ]; then
echo "* Running falco-driver-loader for: falco version=${FALCO_VERSION}, driver version=${DRIVER_VERSION}"
if [ "$(id -u)" != 0 ]; then
>&2 echo "This program must be run as root (or with sudo)"
exit 1
fi
if [ -n "$clean" ]; then
if [ -n "$has_opts" ]; then
>&2 echo "Cannot use --clean with other options"
exit 1
fi
if ! hash curl > /dev/null 2>&1; then
>&2 echo "This program requires curl"
exit 1
fi
echo "* Running falco-driver-loader with: driver=$DRIVER, clean=yes"
case $DRIVER in
echo "* Running falco-driver-loader with: driver=$DRIVER, compile=${ENABLE_COMPILE:-"no"}, download=${ENABLE_DOWNLOAD:-"no"}"
case $DRIVER in
module)
clean_kernel_module
load_kernel_module
;;
bpf)
>&2 echo "--clean not supported for driver=bpf"
exit 1
esac
else
if ! hash curl > /dev/null 2>&1; then
>&2 echo "This program requires curl"
exit 1
fi
echo "* Running falco-driver-loader with: driver=$DRIVER, compile=${ENABLE_COMPILE:-"no"}, download=${ENABLE_DOWNLOAD:-"no"}"
case $DRIVER in
module)
load_kernel_module
;;
bpf)
load_bpf_probe
;;
esac
fi
fi
load_bpf_probe
;;
esac
fi

47
scripts/publish-bin
View File

@@ -1,47 +0,0 @@
#!/usr/bin/env bash
set -e
usage() {
echo "usage: $0 -f <package.tar.gz> -r <bin|bin-dev> -a <arch>"
exit 1
}
# parse options
while getopts ":f::r::a:" opt; do
case "${opt}" in
f )
file=${OPTARG}
;;
r )
repo="${OPTARG}"
[[ "${repo}" == "bin" || "${repo}" == "bin-dev" ]] || usage
;;
a )
arch=${OPTARG}
;;
: )
echo "invalid option: ${OPTARG} requires an argument" 1>&2
exit 1
;;
\?)
echo "invalid option: ${OPTARG}" 1>&2
exit 1
;;
esac
done
shift $((OPTIND-1))
if [ -z "${file}" ] || [ -z "${repo}" ] || [ -z "${arch}" ]; then
usage
fi
# settings
s3_bucket_repo="s3://falco-distribution/packages/${repo}/${arch}"
cloudfront_path="/packages/${repo}/${arch}"
# publish
package=$(basename -- ${file})
echo "Publishing ${package} to ${s3_bucket_repo}..."
aws s3 cp ${file} ${s3_bucket_repo}/${package} --acl public-read
aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}

132
scripts/publish-deb
View File

@@ -1,132 +0,0 @@
#!/usr/bin/env bash
set -e
usage() {
echo "usage: $0 -f <package.deb> -r <deb|deb-dev>"
exit 1
}
check_program() {
if ! command -v $1 &> /dev/null
then
echo "$1 is required and could not be found"
exit
fi
}
# Add a package to the local DEB repository
#
# $1: path of the repository.
# $2: suite (eg. "stable")
# $3: path of the DEB file.
add_deb() {
cp -f $3 $1/$2
pushd $1/$2 > /dev/null
rm -f $(basename -- $3).asc
gpg --detach-sign --armor $(basename -- $3)
popd > /dev/null
}
# Update the local DEB repository
#
# $1: path of the repository
# $2: suite (eg. "stable")
update_repo() {
# fixme(leogr): we cannot use apt-ftparchive --arch packages ...
# since our .deb files ends with "_x86_64" instead of "amd64".
# See https://manpages.debian.org/jessie/apt-utils/apt-ftparchive.1.en.html
#
# As a workaround, we temporarily stick here with "amd64"
# (the only supported arch at the moment)
local arch=amd64
local component=main
local debs_dir=$2
local release_dir=dists/$2
local packages_dir=${release_dir}/${component}/binary-${arch}
pushd $1 > /dev/null
# packages metadata
apt-ftparchive packages ${debs_dir} > ${packages_dir}/Packages
gzip -c ${packages_dir}/Packages > ${packages_dir}/Packages.gz
bzip2 -z -c ${packages_dir}/Packages > ${packages_dir}/Packages.bz2
# release metadata
apt-ftparchive release \
-o APT::FTPArchive::Release::Origin=Falco \
-o APT::FTPArchive::Release::Label=Falco \
-o APT::FTPArchive::Release::Suite=$2 \
-o APT::FTPArchive::Release::Codename=$2 \
-o APT::FTPArchive::Release::Components=${component} \
-o APT::FTPArchive::Release::Architectures=${arch} \
${release_dir} > ${release_dir}/Release
# release signature
gpg --detach-sign --armor ${release_dir}/Release
rm -f ${release_dir}/Release.gpg
mv ${release_dir}/Release.asc ${release_dir}/Release.gpg
popd > /dev/null
}
# parse options
while getopts ":f::r:" opt; do
case "${opt}" in
f )
file=${OPTARG}
;;
r )
repo="${OPTARG}"
[[ "${repo}" == "deb" || "${repo}" == "deb-dev" ]] || usage
;;
: )
echo "invalid option: ${OPTARG} requires an argument" 1>&2
exit 1
;;
\?)
echo "invalid option: ${OPTARG}" 1>&2
exit 1
;;
esac
done
shift $((OPTIND-1))
# check options
if [ -z "${file}" ] || [ -z "${repo}" ]; then
usage
fi
# check prerequisites
check_program apt-ftparchive
check_program gzip
check_program bzip2
check_program gpg
check_program aws
# settings
debSuite=stable
s3_bucket_repo="s3://falco-distribution/packages/${repo}"
cloudfront_path="/packages/${repo}"
tmp_repo_path=/tmp/falco-$repo
# prepare repository local copy
echo "Fetching ${s3_bucket_repo}..."
mkdir -p ${tmp_repo_path}
aws s3 cp ${s3_bucket_repo} ${tmp_repo_path} --recursive
# update the repo
echo "Adding ${file}..."
add_deb ${tmp_repo_path} ${debSuite} ${file}
update_repo ${tmp_repo_path} ${debSuite}
# publish
package=$(basename -- ${file})
echo "Publishing ${package} to ${s3_bucket_repo}..."
aws s3 cp ${tmp_repo_path}/${debSuite}/${package} ${s3_bucket_repo}/${debSuite}/${package} --acl public-read
aws s3 cp ${tmp_repo_path}/${debSuite}/${package}.asc ${s3_bucket_repo}/${debSuite}/${package}.asc --acl public-read
aws s3 sync ${tmp_repo_path}/dists ${s3_bucket_repo}/dists --delete --acl public-read
aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${debSuite}/${package}
aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${debSuite}/${package}.asc
aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/dists/*

96
scripts/publish-rpm
View File

@@ -1,96 +0,0 @@
#!/usr/bin/env bash
set -e
usage() {
echo "usage: $0 -f <package.rpm> -r <rpm|rpm-dev>"
exit 1
}
check_program() {
if ! command -v $1 &> /dev/null
then
echo "$1 is required and could not be found"
exit
fi
}
# Add a package to the local RPM repository
#
# $1: path of the repository.
# $2: path of the RPM file.
add_rpm() {
cp -f $2 $1
pushd $1 > /dev/null
rm -f $(basename -- $2).asc
gpg --detach-sign --armor $(basename -- $2)
popd > /dev/null
}
# Update the local RPM repository
#
# $1: path of the repository.
update_repo() {
pushd $1 > /dev/null
createrepo --update --no-database .
rm -f repodata/repomd.xml.asc
gpg --detach-sign --armor repodata/repomd.xml
popd > /dev/null
}
# parse options
while getopts ":f::r:" opt; do
case "${opt}" in
f )
file=${OPTARG}
;;
r )
repo="${OPTARG}"
[[ "${repo}" == "rpm" || "${repo}" == "rpm-dev" ]] || usage
;;
: )
echo "invalid option: ${OPTARG} requires an argument" 1>&2
exit 1
;;
\?)
echo "invalid option: ${OPTARG}" 1>&2
exit 1
;;
esac
done
shift $((OPTIND-1))
if [ -z "${file}" ] || [ -z "${repo}" ]; then
usage
fi
# check prerequisites
check_program createrepo
check_program gpg
check_program aws
# settings
s3_bucket_repo="s3://falco-distribution/packages/${repo}"
cloudfront_path="/packages/${repo}"
tmp_repo_path=/tmp/falco-$repo
# prepare repository local copy
echo "Fetching ${s3_bucket_repo}..."
mkdir -p ${tmp_repo_path}
aws s3 cp ${s3_bucket_repo} ${tmp_repo_path} --recursive
# update the repo
echo "Adding ${file}..."
add_rpm ${tmp_repo_path} ${file}
update_repo ${tmp_repo_path}
# publish
package=$(basename -- ${file})
echo "Publishing ${package} to ${s3_bucket_repo}..."
aws s3 cp ${tmp_repo_path}/${package} ${s3_bucket_repo}/${package} --acl public-read
aws s3 cp ${tmp_repo_path}/${package}.asc ${s3_bucket_repo}/${package}.asc --acl public-read
aws s3 sync ${tmp_repo_path}/repodata ${s3_bucket_repo}/repodata --delete --acl public-read
aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}
aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}.asc
aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/repodata/*

127
scripts/rpm/falco Executable file
View File

@@ -0,0 +1,127 @@
#!/bin/sh
#
# Copyright (C) 2019 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
#
# falco syscall monitoring agent
#
# chkconfig: 2345 55 45
# description: Falco syscall monitoring agent
#
### BEGIN INIT INFO
# Provides:
# Required-Start:
# Required-Stop:
# Should-Start:
# Should-Stop:
# Default-Start:
# Default-Stop:
# Short-Description:
# Description:
### END INIT INFO
# Source function library.
. /etc/rc.d/init.d/functions
exec="/usr/bin/falco"
prog="falco"
# config="<path to major config file>"
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
lockfile=/var/lock/subsys/$prog
pidfile="/var/run/falco.pid"
start() {
[ -x $exec ] || exit 5
# [ -f $config ] || exit 6
echo -n $"Starting $prog: "
daemon $exec --daemon --pidfile=$pidfile
if [ ! -d /sys/module/falco ]; then
/sbin/modprobe falco || return $?
fi
retval=$?
echo
[ $retval -eq 0 ] && touch $lockfile
return $retval
}
stop() {
echo -n $"Stopping $prog: "
killproc -p $pidfile
retval=$?
echo
/sbin/rmmod falco
[ $retval -eq 0 ] && rm -f $lockfile
return $retval
}
restart() {
stop
start
}
reload() {
restart
}
force_reload() {
restart
}
rh_status() {
status -p $pidfile $prog
}
rh_status_q() {
rh_status >/dev/null 2>&1
}
case "$1" in
start)
rh_status_q && exit 0
$1
;;
stop)
rh_status_q || exit 0
$1
;;
restart)
$1
;;
reload)
rh_status_q || exit 7
$1
;;
force-reload)
force_reload
;;
status)
rh_status
;;
condrestart|try-restart)
rh_status_q || exit 0
restart
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
exit 2
esac
exit $?

24
scripts/rpm/falco.service
View File

@@ -1,24 +0,0 @@
[Unit]
Description=Falco: Container Native Runtime Security
Documentation=https://falco.org/docs/
[Service]
Type=simple
User=root
ExecStartPre=/sbin/modprobe falco
ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
ExecStopPost=/sbin/rmmod falco
UMask=0077
TimeoutSec=30
RestartSec=15s
Restart=on-failure
PrivateTmp=true
NoNewPrivileges=yes
ProtectHome=read-only
ProtectSystem=full
ProtectKernelTunables=true
RestrictRealtime=true
RestrictAddressFamilies=~AF_PACKET
[Install]
WantedBy=multi-user.target

4
scripts/rpm/postinstall.in
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2021 The Falco Authors.
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -29,3 +29,5 @@ else
echo -e "Module build for the currently running kernel was skipped since the"
echo -e "kernel source for this kernel does not seem to be installed."
fi
/sbin/chkconfig --add falco

6
scripts/rpm/postuninstall.in
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2021 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,3 +14,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
if [ "$1" -ge "1" ]; then
/sbin/service falco condrestart > /dev/null 2>&1
fi

7
scripts/rpm/preuninstall.in
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2021 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,5 +15,10 @@
# limitations under the License.
#
if [ $1 = 0 ]; then
/sbin/service falco stop > /dev/null 2>&1
/sbin/chkconfig --del falco
fi
mod_version="@PROBE_VERSION@"
dkms remove -m falco -v $mod_version --all --rpm_safe_upgrade

14
test/README.md
View File

@@ -2,7 +2,7 @@
This folder contains the Regression tests suite for Falco.
You can find instructions on how to run this test suite on the Falco website [here](https://falco.org/docs/getting-started/source/#run-regression-tests).
You can find instructions on how to run this test suite on the Falco website [here](https://falco.org/docs/source/#run-regression-tests).
## Test suites
@@ -16,7 +16,7 @@ You can find instructions on how to run this test suite on the Falco website [he
This step assumes you already built Falco.
Note that the tests are intended to be run against a [release build](https://falco.org/docs/getting-started/source/#specify-the-build-type) of Falco, at the moment.
Note that the tests are intended to be run against a [release build](https://falco.org/docs/source/#specify-the-build-type) of Falco, at the moment.
Also, it assumes you prepared [falco_traces](#falco_traces) (see the section below) and you already run the following command from the build directory:
@@ -26,15 +26,7 @@ make test-trace-files
It prepares the fixtures (`json` and `scap` files) needed by the integration tests.
**Requirements**
- Python 3.x
- [Virtualenv](https://virtualenv.pypa.io/en/latest/)
- [grpcurl](https://github.com/fullstorydev/grpcurl)
**Setup and execution**
Using `virtualenv` the steps to locally run a specific test suite are the following ones (**from this directory**):
Using `virtualenv` the steps to locally run a specific test suite are the following ones (from this directory):
```console
virtualenv venv

12
test/confs/drops_ignore_log.yaml
View File

@@ -1,12 +0,0 @@
syscall_event_drops:
actions:
- ignore
- log
rate: .03333
max_burst: 10
simulate_drops: true
stdout_output:
enabled: true
log_stderr: true

2
test/confs/drops_log.yaml
View File

@@ -9,5 +9,3 @@ stdout_output:
enabled: true
log_stderr: true
log_level: debug

12
test/confs/drops_threshold_neg.yaml
View File

@@ -1,12 +0,0 @@
syscall_event_drops:
threshold: -1
actions:
- ignore
rate: .03333
max_burst: 10
simulate_drops: true
stdout_output:
enabled: true
log_stderr: true

12
test/confs/drops_threshold_oor.yaml
View File

@@ -1,12 +0,0 @@
syscall_event_drops:
threshold: 1.1
actions:
- ignore
rate: .03333
max_burst: 10
simulate_drops: true
stdout_output:
enabled: true
log_stderr: true

10
test/falco_k8s_audit_tests.yaml
View File

@@ -128,16 +128,6 @@ trace_files: !mux
- Create Privileged Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
create_privileged_no_secctx_1st_container_2nd_container_pod:
detect: True
detect_level: WARNING
rules_file:
- ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml
detect_counts:
- Create Privileged Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json
create_privileged_2nd_container_pod:
detect: True
detect_level: WARNING

3
test/falco_test.py
View File

@@ -675,8 +675,7 @@ class FalcoTest(Test):
self.check_rules_warnings(res)
if len(self.rules_events) > 0:
self.check_rules_events(res)
if len(self.validate_rules_file) == 0:
self.check_detections(res)
self.check_detections(res)
if len(self.detect_counts) > 0:
self.check_detections_by_rule(res)
self.check_json_output(res)

126
test/falco_tests.yaml
View File

@@ -262,7 +262,6 @@ trace_files: !mux
invalid_not_yaml:
exit_status: 1
stdout_is: |+
1 errors:
Rules content is not yaml
---
This is not yaml
@@ -274,7 +273,6 @@ trace_files: !mux
invalid_not_array:
exit_status: 1
stdout_is: |+
1 errors:
Rules content is not yaml array of objects
---
foo: bar
@@ -286,7 +284,6 @@ trace_files: !mux
invalid_array_item_not_object:
exit_status: 1
stdout_is: |+
1 errors:
Unexpected element of type string. Each element should be a yaml associative array.
---
- foo
@@ -295,10 +292,20 @@ trace_files: !mux
- rules/invalid_array_item_not_object.yaml
trace_file: trace_files/cat_write.scap
invalid_unexpected object:
exit_status: 1
stdout_is: |+
Unknown rule object: {foo="bar"}
---
- foo: bar
---
validate_rules_file:
- rules/invalid_unexpected_object.yaml
trace_file: trace_files/cat_write.scap
invalid_engine_version_not_number:
exit_status: 1
stdout_is: |+
1 errors:
Value of required_engine_version must be a number
---
- required_engine_version: not-a-number
@@ -310,7 +317,6 @@ trace_files: !mux
invalid_yaml_parse_error:
exit_status: 1
stdout_is: |+
1 errors:
mapping values are not allowed in this context
---
this : is : not : yaml
@@ -322,7 +328,6 @@ trace_files: !mux
invalid_list_without_items:
exit_status: 1
stdout_is: |+
1 errors:
List must have property items
---
- list: bad_list
@@ -335,7 +340,6 @@ trace_files: !mux
invalid_macro_without_condition:
exit_status: 1
stdout_is: |+
1 errors:
Macro must have property condition
---
- macro: bad_macro
@@ -348,7 +352,6 @@ trace_files: !mux
invalid_rule_without_output:
exit_status: 1
stdout_is: |+
1 errors:
Rule must have property output
---
- rule: no output rule
@@ -363,8 +366,7 @@ trace_files: !mux
invalid_append_rule_without_condition:
exit_status: 1
stdout_is: |+
1 errors:
Rule must have exceptions or condition property
Rule must have property condition
---
- rule: no condition rule
append: true
@@ -376,7 +378,6 @@ trace_files: !mux
invalid_append_macro_dangling:
exit_status: 1
stdout_is: |+
1 errors:
Macro dangling append has 'append' key but no macro by that name already exists
---
- macro: dangling append
@@ -390,7 +391,6 @@ trace_files: !mux
invalid_list_append_dangling:
exit_status: 1
stdout_is: |+
1 errors:
List my_list has 'append' key but no list by that name already exists
---
- list: my_list
@@ -404,7 +404,6 @@ trace_files: !mux
invalid_rule_append_dangling:
exit_status: 1
stdout_is: |+
1 errors:
Rule my_rule has 'append' key but no rule by that name already exists
---
- rule: my_rule
@@ -419,8 +418,7 @@ trace_files: !mux
exit_status: 1
stdout_contains: |+
.*invalid_base_macro.yaml: Ok
.*invalid_overwrite_macro.yaml: 1 errors:
Compilation error when compiling "foo": Undefined macro 'foo' used in filter.
.*invalid_overwrite_macro.yaml: Compilation error when compiling "foo": Undefined macro 'foo' used in filter.
---
- macro: some macro
condition: foo
@@ -435,8 +433,7 @@ trace_files: !mux
exit_status: 1
stdout_contains: |+
.*invalid_base_macro.yaml: Ok
.*invalid_append_macro.yaml: 1 errors:
Compilation error when compiling "evt.type=execve foo": 17: syntax error, unexpected 'foo', expecting 'or', 'and'
.*invalid_append_macro.yaml: Compilation error when compiling "evt.type=execve foo": 17: syntax error, unexpected 'foo', expecting 'or', 'and'
---
- macro: some macro
condition: evt.type=execve
@@ -453,7 +450,6 @@ trace_files: !mux
invalid_overwrite_macro_multiple_docs:
exit_status: 1
stdout_is: |+
1 errors:
Compilation error when compiling "foo": Undefined macro 'foo' used in filter.
---
- macro: some macro
@@ -467,7 +463,6 @@ trace_files: !mux
invalid_append_macro_multiple_docs:
exit_status: 1
stdout_is: |+
1 errors:
Compilation error when compiling "evt.type=execve foo": 17: syntax error, unexpected 'foo', expecting 'or', 'and'
---
- macro: some macro
@@ -485,8 +480,7 @@ trace_files: !mux
exit_status: 1
stdout_contains: |+
.*invalid_base_rule.yaml: Ok
.*invalid_overwrite_rule.yaml: 1 errors:
Undefined macro 'bar' used in filter.
.*invalid_overwrite_rule.yaml: Undefined macro 'bar' used in filter.
---
- rule: some rule
desc: some desc
@@ -504,8 +498,7 @@ trace_files: !mux
exit_status: 1
stdout_contains: |+
.*invalid_base_rule.yaml: Ok
.*invalid_append_rule.yaml: 1 errors:
Compilation error when compiling "evt.type=open bar": 15: syntax error, unexpected 'bar', expecting 'or', 'and'
.*invalid_append_rule.yaml: Compilation error when compiling "evt.type=open bar": 15: syntax error, unexpected 'bar', expecting 'or', 'and'
---
- rule: some rule
desc: some desc
@@ -528,7 +521,6 @@ trace_files: !mux
invalid_overwrite_rule_multiple_docs:
exit_status: 1
stdout_is: |+
1 errors:
Undefined macro 'bar' used in filter.
---
- rule: some rule
@@ -567,7 +559,6 @@ trace_files: !mux
invalid_missing_rule_name:
exit_status: 1
stdout_is: |+
1 errors:
Rule name is empty
---
- rule:
@@ -582,7 +573,6 @@ trace_files: !mux
invalid_missing_list_name:
exit_status: 1
stdout_is: |+
1 errors:
List name is empty
---
- list:
@@ -595,7 +585,6 @@ trace_files: !mux
invalid_missing_macro_name:
exit_status: 1
stdout_is: |+
1 errors:
Macro name is empty
---
- macro:
@@ -607,17 +596,8 @@ trace_files: !mux
invalid_rule_output:
exit_status: 1
stdout_is: |+
1 errors:
Invalid output format 'An open was seen %not_a_real_field': 'invalid formatting token not_a_real_field'
---
- rule: rule_with_invalid_output
desc: A rule with an invalid output field
condition: evt.type=open
output: "An open was seen %not_a_real_field"
priority: WARNING
---
validate_rules_file:
stderr_contains: "Runtime error: Error loading rules:.* Invalid output format 'An open was seen %not_a_real_field': 'invalid formatting token not_a_real_field'. Exiting."
rules_file:
- rules/invalid_rule_output.yaml
trace_file: trace_files/cat_write.scap
@@ -1137,7 +1117,7 @@ trace_files: !mux
skip_unknown_noevt:
detect: False
stdout_contains: Skipping rule "Contains Unknown Event And Skipping". contains unknown filter proc.nobody
stdout_contains: Skipping rule "Contains Unknown Event And Skipping" that contains unknown filter proc.nobody
rules_file:
- rules/skip_unknown_evt.yaml
trace_file: trace_files/cat_write.scap
@@ -1150,33 +1130,14 @@ trace_files: !mux
skip_unknown_error:
exit_status: 1
stderr_contains: |+
Could not load rules file.*skip_unknown_error.yaml: 1 errors:
rule "Contains Unknown Event And Not Skipping". contains unknown filter proc.nobody
---
- rule: Contains Unknown Event And Not Skipping
desc: Contains an unknown event
condition: proc.nobody=cat
output: Never
skip-if-unknown-filter: false
priority: INFO
---
stderr_contains: Rule "Contains Unknown Event And Not Skipping" contains unknown filter proc.nobody. Exiting.
rules_file:
- rules/skip_unknown_error.yaml
trace_file: trace_files/cat_write.scap
skip_unknown_unspec_error:
exit_status: 1
stderr_contains: |+
Could not load rules file .*skip_unknown_unspec.yaml: 1 errors:
rule "Contains Unknown Event And Unspecified". contains unknown filter proc.nobody
---
- rule: Contains Unknown Event And Unspecified
desc: Contains an unknown event
condition: proc.nobody=cat
output: Never
priority: INFO
---
stderr_contains: Rule "Contains Unknown Event And Unspecified" contains unknown filter proc.nobody. Exiting.
rules_file:
- rules/skip_unknown_unspec.yaml
trace_file: trace_files/cat_write.scap
@@ -1215,51 +1176,6 @@ trace_files: !mux
stdout_not_contains:
- "Falco internal: syscall event drop"
monitor_syscall_drops_ignore_and_log:
exit_status: 1
rules_file:
- rules/single_rule.yaml
conf_file: confs/drops_ignore_log.yaml
trace_file: trace_files/ping_sendto.scap
stderr_not_contains:
- "event drop detected: 9 occurrences"
- "num times actions taken: 9"
- "Falco internal: syscall event drop"
stdout_not_contains:
- "Falco internal: syscall event drop"
stderr_contains:
- "syscall event drop action \"log\" does not make sense with the \"ignore\" action"
monitor_syscall_drops_threshold_oor:
exit_status: 1
rules_file:
- rules/single_rule.yaml
conf_file: confs/drops_threshold_oor.yaml
trace_file: trace_files/ping_sendto.scap
stderr_not_contains:
- "event drop detected: 9 occurrences"
- "num times actions taken: 9"
- "Falco internal: syscall event drop"
stdout_not_contains:
- "Falco internal: syscall event drop"
stderr_contains:
- "syscall event drops threshold must be a double in the range"
monitor_syscall_drops_threshold_neg:
exit_status: 1
rules_file:
- rules/single_rule.yaml
conf_file: confs/drops_threshold_neg.yaml
trace_file: trace_files/ping_sendto.scap
stderr_not_contains:
- "event drop detected: 9 occurrences"
- "num times actions taken: 9"
- "Falco internal: syscall event drop"
stdout_not_contains:
- "Falco internal: syscall event drop"
stderr_contains:
- "syscall event drops threshold must be a double in the range"
monitor_syscall_drops_log:
exit_status: 0
rules_file:

314
test/falco_tests_exceptions.yaml
View File

@@ -1,314 +0,0 @@
#
# Copyright (C) 2016-2020 The Falco Authors..
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
trace_files: !mux
rule_exception_no_fields:
exit_status: 1
stdout_is: |+
1 errors:
Rule exception item ex1: must have fields property with a list of fields
---
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
priority: error
---
validate_rules_file:
- rules/exceptions/item_no_fields.yaml
trace_file: trace_files/cat_write.scap
rule_exception_no_name:
exit_status: 1
stdout_is: |+
1 errors:
Rule exception item must have name property
---
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- fields: [proc.name, fd.filename]
priority: error
---
validate_rules_file:
- rules/exceptions/item_no_name.yaml
trace_file: trace_files/cat_write.scap
rule_exception_append_no_name:
exit_status: 1
stdout_is: |+
1 errors:
Rule exception item must have name property
---
- rule: My Rule
exceptions:
- values:
- [nginx, /tmp/foo]
append: true
---
validate_rules_file:
- rules/exceptions/append_item_no_name.yaml
trace_file: trace_files/cat_write.scap
rule_exception_unknown_fields:
exit_status: 1
stdout_is: |+
1 errors:
Rule exception item ex1: field name not.exist is not a supported filter field
---
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
fields: [not.exist]
priority: error
---
validate_rules_file:
- rules/exceptions/item_unknown_fields.yaml
trace_file: trace_files/cat_write.scap
rule_exception_comps_fields_len_mismatch:
exit_status: 1
stdout_is: |+
1 errors:
Rule exception item ex1: fields and comps lists must have equal length
---
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
fields: [proc.name, fd.filename]
comps: [=]
priority: error
---
validate_rules_file:
- rules/exceptions/item_comps_fields_len_mismatch.yaml
trace_file: trace_files/cat_write.scap
rule_exception_unknown_comp:
exit_status: 1
stdout_is: |+
1 errors:
Rule exception item ex1: comparison operator no-comp is not a supported comparison operator
---
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
fields: [proc.name, fd.filename]
comps: [=, no-comp]
priority: error
---
validate_rules_file:
- rules/exceptions/item_unknown_comp.yaml
trace_file: trace_files/cat_write.scap
rule_exception_fields_values_len_mismatch:
exit_status: 1
stdout_is: |+
1 errors:
Exception item ex1: fields and values lists must have equal length
---
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
fields: [proc.name, fd.filename]
values:
- [nginx]
priority: error
---
validate_rules_file:
- rules/exceptions/item_fields_values_len_mismatch.yaml
trace_file: trace_files/cat_write.scap
rule_exception_append_fields_values_len_mismatch:
exit_status: 1
stdout_is: |+
1 errors:
Exception item ex1: fields and values lists must have equal length
---
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
fields: [proc.name, fd.filename]
priority: error
- rule: My Rule
exceptions:
- name: ex1
values:
- [nginx]
append: true
---
validate_rules_file:
- rules/exceptions/append_item_fields_values_len_mismatch.yaml
trace_file: trace_files/cat_write.scap
rule_exception_append_item_not_in_rule:
exit_status: 0
stderr_contains: |+
1 warnings:
Rule My Rule with append=true: no set of fields matching name ex2
validate_rules_file:
- rules/exceptions/append_item_not_in_rule.yaml
trace_file: trace_files/cat_write.scap
rule_exception_no_values:
detect: True
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_no_values.yaml
trace_file: trace_files/cat_write.scap
rule_exception_one_value:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_one_value.yaml
trace_file: trace_files/cat_write.scap
rule_exception_append_one_value:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_append_one_value.yaml
trace_file: trace_files/cat_write.scap
rule_exception_second_value:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_second_value.yaml
trace_file: trace_files/cat_write.scap
rule_exception_append_second_value:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_append_second_value.yaml
trace_file: trace_files/cat_write.scap
rule_exception_second_item:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_second_item.yaml
trace_file: trace_files/cat_write.scap
rule_exception_append_second_item:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_append_second_item.yaml
trace_file: trace_files/cat_write.scap
rule_exception_third_item:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_third_item.yaml
trace_file: trace_files/cat_write.scap
rule_exception_append_third_item:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_append_third_item.yaml
trace_file: trace_files/cat_write.scap
rule_exception_quoted:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_quoted.yaml
trace_file: trace_files/cat_write.scap
rule_exception_append_multiple_values:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_append_multiple.yaml
trace_file: trace_files/cat_write.scap
rule_exception_comp:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_comp.yaml
trace_file: trace_files/cat_write.scap
rule_exception_append_comp:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_append_comp.yaml
trace_file: trace_files/cat_write.scap
rule_exception_values_listref:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_values_listref.yaml
trace_file: trace_files/cat_write.scap
rule_exception_values_listref_noparens:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_values_listref_noparens.yaml
trace_file: trace_files/cat_write.scap
rule_exception_values_list:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_values_list.yaml
trace_file: trace_files/cat_write.scap
rule_exception_single_field:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_single_field.yaml
trace_file: trace_files/cat_write.scap
rule_exception_single_field_append:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_single_field_append.yaml
trace_file: trace_files/cat_write.scap

4
test/requirements.txt
View File

@@ -5,9 +5,9 @@ chardet==3.0.4
idna==2.9
pathtools==0.1.2
pbr==5.4.5
PyYAML==5.4
PyYAML==5.3.1
requests==2.23.0
six==1.14.0
stevedore==1.32.0
urllib3==1.25.9
watchdog==0.10.2
watchdog==0.10.2

31
test/rules/exceptions/append_item_fields_values_len_mismatch.yaml
View File

@@ -1,31 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
fields: [proc.name, fd.filename]
priority: error
- rule: My Rule
exceptions:
- name: ex1
values:
- [nginx]
append: true

30
test/rules/exceptions/append_item_no_name.yaml
View File

@@ -1,30 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
fields: [proc.name, fd.filename]
priority: error
- rule: My Rule
exceptions:
- values:
- [nginx, /tmp/foo]
append: true

31
test/rules/exceptions/append_item_not_in_rule.yaml
View File

@@ -1,31 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
fields: [proc.name, fd.filename]
priority: error
- rule: My Rule
exceptions:
- name: ex2
values:
- [apache, /tmp]
append: true

25
test/rules/exceptions/item_comps_fields_len_mismatch.yaml
View File

@@ -1,25 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
fields: [proc.name, fd.filename]
comps: [=]
priority: error

26
test/rules/exceptions/item_fields_values_len_mismatch.yaml
View File

@@ -1,26 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
fields: [proc.name, fd.filename]
values:
- [nginx]
priority: error

23
test/rules/exceptions/item_no_fields.yaml
View File

@@ -1,23 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
priority: error

23
test/rules/exceptions/item_no_name.yaml
View File

@@ -1,23 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- fields: [proc.name, fd.filename]
priority: error

25
test/rules/exceptions/item_unknown_comp.yaml
View File

@@ -1,25 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
fields: [proc.name, fd.filename]
comps: [=, no-comp]
priority: error

24
test/rules/exceptions/item_unknown_fields.yaml
View File

@@ -1,24 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
fields: [not.exist]
priority: error

38
test/rules/exceptions/rule_exception_append_comp.yaml
View File

@@ -1,38 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
- name: proc_name_contains
fields: [proc.name]
comps: [contains]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
priority: WARNING
- rule: Open From Cat
exceptions:
- name: proc_name_contains
values:
- [cat]
append: true

42
test/rules/exceptions/rule_exception_append_multiple.yaml
View File

@@ -1,42 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
priority: WARNING
- rule: Open From Cat
exceptions:
- name: proc_name
values:
- [not-cat]
append: true
- rule: Open From Cat
exceptions:
- name: proc_name
values:
- [cat]
append: true

37
test/rules/exceptions/rule_exception_append_one_value.yaml
View File

@@ -1,37 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
values:
- [cat]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
priority: WARNING
- rule: Open From Cat
exceptions:
- name: proc_name
values:
- [cat]
append: true

41
test/rules/exceptions/rule_exception_append_second_item.yaml
View File

@@ -1,41 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
priority: WARNING
- rule: Open From Cat
exceptions:
- name: proc_name
values:
- [not-cat]
- name: proc_name_cmdline
values:
- [cat, "cat /dev/null"]
- name: proc_name_cmdline_pname
values:
- [not-cat, "cat /dev/null", bash]
append: true

36
test/rules/exceptions/rule_exception_append_second_value.yaml
View File

@@ -1,36 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
priority: WARNING
- rule: Open From Cat
exceptions:
- name: proc_name_cmdline
values:
- [not-cat, not-cat]
- [cat, "cat /dev/null"]
append: true

41
test/rules/exceptions/rule_exception_append_third_item.yaml
View File

@@ -1,41 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
priority: WARNING
- rule: Open From Cat
exceptions:
- name: proc_name
values:
- [not-cat]
- name: proc_name_cmdline
values:
- [not-cat, "cat /dev/null"]
- name: proc_name_cmdline_pname
values:
- [cat, "cat /dev/null", bash]
append: true

34
test/rules/exceptions/rule_exception_comp.yaml
View File

@@ -1,34 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
- name: proc_name_contains
fields: [proc.name]
comps: [contains]
values:
- [cat]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
priority: WARNING

28
test/rules/exceptions/rule_exception_no_values.yaml
View File

@@ -1,28 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
priority: WARNING

30
test/rules/exceptions/rule_exception_one_value.yaml
View File

@@ -1,30 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
values:
- [cat]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
priority: WARNING

36
test/rules/exceptions/rule_exception_quoted.yaml
View File

@@ -1,36 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
priority: WARNING
- rule: Open From Cat
exceptions:
- name: proc_name_cmdline
values:
- [not-cat, not-cat]
- [cat, '"cat /dev/null"']
append: true

34
test/rules/exceptions/rule_exception_second_item.yaml
View File

@@ -1,34 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
values:
- [not-cat]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
values:
- [cat, "cat /dev/null"]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
values:
- [not-cat, "cat /dev/null", bash]
priority: WARNING

32
test/rules/exceptions/rule_exception_second_value.yaml
View File

@@ -1,32 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
values:
- [not-cat, not-cat]
- [cat, "cat /dev/null"]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
priority: WARNING

30
test/rules/exceptions/rule_exception_single_field.yaml
View File

@@ -1,30 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_cmdline
fields: proc.cmdline
comps: in
values:
- cat /dev/zero
- "cat /dev/null"
priority: WARNING

37
test/rules/exceptions/rule_exception_single_field_append.yaml
View File

@@ -1,37 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_cmdline
fields: proc.cmdline
comps: in
values:
- cat /dev/zero
priority: WARNING
- rule: Open From Cat
exceptions:
- name: proc_cmdline
values:
- "cat /dev/null"
append: true

34
test/rules/exceptions/rule_exception_third_item.yaml
View File

@@ -1,34 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
values:
- [not-cat]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
values:
- [not-cat, "cat /dev/null"]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
values:
- [cat, "cat /dev/null", bash]
priority: WARNING

29
test/rules/exceptions/rule_exception_values_list.yaml
View File

@@ -1,29 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
comps: [=, in]
values:
- [cat, [cat /dev/zero, "cat /dev/null"]]
priority: WARNING

32
test/rules/exceptions/rule_exception_values_listref.yaml
View File

@@ -1,32 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- list: cat_cmdlines
items: [cat /dev/zero, "cat /dev/null"]
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
comps: [=, in]
values:
- [cat, (cat_cmdlines)]
priority: WARNING

32
test/rules/exceptions/rule_exception_values_listref_noparens.yaml
View File

@@ -1,32 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- list: cat_cmdlines
items: [cat /dev/zero, "cat /dev/null"]
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
comps: [=, in]
values:
- [cat, cat_cmdlines]
priority: WARNING

1
test/rules/invalid_unexpected_object.yaml Normal file
View File

@@ -0,0 +1 @@
- foo: bar

4
test/run_performance_tests.sh Executable file → Normal file
View File

@@ -20,11 +20,9 @@
trap "cleanup; exit" SIGHUP SIGINT SIGTERM
TRACE_FILES_BASE_URL=${TRACE_FILES_BASE_URL:-"https://download.falco.org/fixtures/trace-files/"}
function download_trace_files() {
(mkdir -p $TRACEDIR && rm -rf $TRACEDIR/traces-perf && curl -fo $TRACEDIR/traces-perf.zip "${TRACE_FILES_BASE_URL}traces-perf.zip" && unzip -d $TRACEDIR $TRACEDIR/traces-perf.zip && rm -f $TRACEDIR/traces-perf.zip) || exit 1
(mkdir -p $TRACEDIR && rm -rf $TRACEDIR/traces-perf && curl -fo $TRACEDIR/traces-perf.zip https://s3.amazonaws.com/download.draios.com/falco-tests/traces-perf.zip && unzip -d $TRACEDIR $TRACEDIR/traces-perf.zip && rm -f $TRACEDIR/traces-perf.zip) || exit 1
}

7
test/run_regression_tests.sh
View File

@@ -20,7 +20,6 @@ set -euo pipefail
SCRIPT=$(readlink -f $0)
SCRIPTDIR=$(dirname "$SCRIPT")
SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false}
TRACE_FILES_BASE_URL=${TRACE_FILES_BASE_URL:-"https://download.falco.org/fixtures/trace-files/"}
# Trace file tarballs are now versioned. Any time a substantial change
# is made that affects the interaction of rules+engine and the trace
@@ -32,9 +31,9 @@ function download_trace_files() {
for TRACE in traces-positive traces-negative traces-info ; do
if [ ! -e "$TRACE_DIR/$TRACE" ]; then
if [ "$OPT_BRANCH" != "none" ]; then
curl -fso "$TRACE_DIR/$TRACE.zip" "$TRACE_FILES_BASE_URL$TRACE-$OPT_BRANCH.zip"
curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$OPT_BRANCH.zip
else
curl -fso "$TRACE_DIR/$TRACE.zip" "$TRACE_FILES_BASE_URL$TRACE-$TRACE_FILES_VERSION.zip"
curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$TRACE_FILES_VERSION.zip
fi
unzip -d "$TRACE_DIR" "$TRACE_DIR/$TRACE.zip"
rm -rf "$TRACE_DIR/$TRACE.zip"
@@ -99,7 +98,7 @@ function run_tests() {
# as we're watching the return status when running avocado.
set +e
TEST_RC=0
suites=($SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml $SCRIPTDIR/falco_tests_exceptions.yaml)
suites=($SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml)
if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
suites+=($SCRIPTDIR/falco_tests_package.yaml)

1
test/trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json
View File

@@ -1 +0,0 @@
{"annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""},"auditID":"f83ecd50-5bf4-4fe7-a419-dea22852ca49","kind":"Event","level":"RequestResponse","metadata":{"creationTimestamp":"2018-10-25T17:53:07Z"},"objectRef":{"apiVersion":"v1","namespace":"default","resource":"pods"},"requestObject":{"apiVersion":"v1","kind":"Pod","metadata":{"creationTimestamp":null,"generateName":"nginx-deployment-544b59f8b8-","labels":{"app":"nginx","pod-template-hash":"1006159464"},"ownerReferences":[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"ReplicaSet","name":"nginx-deployment-544b59f8b8","uid":"d40b40e1-d87e-11e8-a473-080027728ac4"}]},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"Always","name":"nginx1","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"},{"image":"mysql:latest","imagePullPolicy":"Always","name":"mysql","resources":{},"securityContext":{"privileged":true},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30},"status":{}},"requestReceivedTimestamp":"2018-10-25T17:53:06.995407Z","requestURI":"/api/v1/namespaces/default/pods","responseObject":{"apiVersion":"v1","kind":"Pod","metadata":{"creationTimestamp":"2018-10-25T17:53:06Z","generateName":"nginx-deployment-544b59f8b8-","labels":{"app":"nginx","pod-template-hash":"1006159464"},"name":"nginx-deployment-544b59f8b8-ffkxm","namespace":"default","ownerReferences":[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"ReplicaSet","name":"nginx-deployment-544b59f8b8","uid":"d40b40e1-d87e-11e8-a473-080027728ac4"}],"resourceVersion":"246302","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-544b59f8b8-ffkxm","uid":"d40dfcd7-d87e-11e8-a473-080027728ac4"},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"Always","name":"nginx1","resources":{},"securityContext":{"privileged":false},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount","name":"default-token-g2sp7","readOnly":true}]},{"image":"mysql:latest","imagePullPolicy":"Always","name":"mysql","resources":{},"securityContext":{"privileged":true},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount","name":"default-token-g2sp7","readOnly":true}]}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"serviceAccount":"default","serviceAccountName":"default","terminationGracePeriodSeconds":30,"tolerations":[{"effect":"NoExecute","key":"node.kubernetes.io/not-ready","operator":"Exists","tolerationSeconds":300},{"effect":"NoExecute","key":"node.kubernetes.io/unreachable","operator":"Exists","tolerationSeconds":300}],"volumes":[{"name":"default-token-g2sp7","secret":{"defaultMode":420,"secretName":"default-token-g2sp7"}}]},"status":{"phase":"Pending","qosClass":"BestEffort"}},"responseStatus":{"code":201,"metadata":{}},"sourceIPs":["::1"],"stage":"ResponseComplete","stageTimestamp":"2018-10-25T17:53:07.006845Z","timestamp":"2018-10-25T17:53:06Z","user":{"groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"uid":"8d5e1349-d30f-11e8-96d9-080027728ac4","username":"system:serviceaccount:kube-system:replicaset-controller"},"verb":"create"}

61
userspace/engine/falco_engine.cpp
View File

@@ -302,9 +302,31 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_sinsp_event(sinsp_ev
}
unique_ptr<struct rule_result> res(new rule_result());
res->source = "syscall";
populate_rule_result(res, ev);
std::lock_guard<std::mutex> guard(m_ls_semaphore);
lua_getglobal(m_ls, lua_on_event.c_str());
if(lua_isfunction(m_ls, -1))
{
lua_pushnumber(m_ls, ev->get_check_id());
if(lua_pcall(m_ls, 1, 3, 0) != 0)
{
const char* lerr = lua_tostring(m_ls, -1);
string err = "Error invoking function output: " + string(lerr);
throw falco_exception(err);
}
res->evt = ev;
const char *p = lua_tostring(m_ls, -3);
res->rule = p;
res->source = "syscall";
res->priority_num = (falco_common::priority_type) lua_tonumber(m_ls, -2);
res->format = lua_tostring(m_ls, -1);
lua_pop(m_ls, 3);
}
else
{
throw falco_exception("No function " + lua_on_event + " found in lua compiler module");
}
return res;
}
@@ -328,50 +350,33 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_k8s_audit_event(json
}
unique_ptr<struct rule_result> res(new rule_result());
res->source = "k8s_audit";
populate_rule_result(res, ev);
return res;
}
void falco_engine::populate_rule_result(unique_ptr<struct rule_result> &res, gen_event *ev)
{
std::lock_guard<std::mutex> guard(m_ls_semaphore);
lua_getglobal(m_ls, lua_on_event.c_str());
if(lua_isfunction(m_ls, -1))
{
lua_pushnumber(m_ls, ev->get_check_id());
if(lua_pcall(m_ls, 1, 4, 0) != 0)
if(lua_pcall(m_ls, 1, 3, 0) != 0)
{
const char* lerr = lua_tostring(m_ls, -1);
string err = "Error invoking function output: " + string(lerr);
throw falco_exception(err);
}
const char *p = lua_tostring(m_ls, -4);
res->rule = p;
res->evt = ev;
res->priority_num = (falco_common::priority_type) lua_tonumber(m_ls, -3);
res->format = lua_tostring(m_ls, -2);
// Exception fields are passed back as a table
lua_pushnil(m_ls); /* first key */
while (lua_next(m_ls, -2) != 0) {
// key is at index -2, value is at index
// -1. We want the keys.
res->exception_fields.insert(luaL_checkstring(m_ls, -2));
// Remove value, keep key for next iteration
lua_pop(m_ls, 1);
}
lua_pop(m_ls, 4);
const char *p = lua_tostring(m_ls, -3);
res->rule = p;
res->source = "k8s_audit";
res->priority_num = (falco_common::priority_type) lua_tonumber(m_ls, -2);
res->format = lua_tostring(m_ls, -1);
lua_pop(m_ls, 3);
}
else
{
throw falco_exception("No function " + lua_on_event + " found in lua compiler module");
}
return res;
}
bool falco_engine::parse_k8s_audit_json(nlohmann::json &j, std::list<json_event> &evts, bool top)

3
userspace/engine/falco_engine.h
View File

@@ -160,7 +160,6 @@ public:
std::string source;
falco_common::priority_type priority_num;
std::string format;
std::set<std::string> exception_fields;
};
//
@@ -263,8 +262,6 @@ private:
std::unique_ptr<falco_sinsp_ruleset> m_sinsp_rules;
std::unique_ptr<falco_ruleset> m_k8s_audit_rules;
void populate_rule_result(unique_ptr<struct rule_result> &res, gen_event *ev);
//
// Here's how the sampling ratio and multiplier influence
// whether or not an event is dropped in

2
userspace/engine/falco_engine_version.h
View File

@@ -16,7 +16,7 @@ limitations under the License.
// The version of rules/filter fields/etc supported by this falco
// engine.
#define FALCO_ENGINE_VERSION (8)
#define FALCO_ENGINE_VERSION (7)
// This is the result of running "falco --list -N | sha256sum" and
// represents the fields supported by this version of falco. It's used

21
userspace/engine/formats.cpp
View File

@@ -60,32 +60,25 @@ int falco_formats::lua_formatter(lua_State *ls)
{
sinsp_evt_formatter *formatter;
formatter = new sinsp_evt_formatter(s_inspector, format);
lua_pushnil(ls);
lua_pushlightuserdata(ls, formatter);
}
else
{
json_event_formatter *formatter;
formatter = new json_event_formatter(s_engine->json_factory(), format);
lua_pushnil(ls);
lua_pushlightuserdata(ls, formatter);
}
}
catch(exception &e)
catch(sinsp_exception &e)
{
std::ostringstream os;
os << "Invalid output format '"
<< format
<< "': '"
<< e.what()
<< "'";
lua_pushstring(ls, os.str().c_str());
lua_pushnil(ls);
luaL_error(ls, "Invalid output format '%s': '%s'", format.c_str(), e.what());
}
catch(falco_exception &e)
{
luaL_error(ls, "Invalid output format '%s': '%s'", format.c_str(), e.what());
}
return 2;
return 1;
}
int falco_formats::lua_free_formatter(lua_State *ls)

2
userspace/engine/json_evt.cpp
View File

@@ -312,7 +312,7 @@ bool json_event_filter_check::def_extract(const nlohmann::json &root,
{
if(!def_extract(item, ptrs, std::next(it, 1)))
{
add_extracted_value(no_value);
return false;
}
}
}

2
userspace/engine/lua/parser.lua
View File

@@ -204,7 +204,7 @@ local G = {
Hex = (P("0x") + P("0X")) * xdigit ^ 1,
Expo = S("eE") * S("+-") ^ -1 * digit ^ 1,
Float = (((digit ^ 1 * P(".") * digit ^ 0) + (P(".") * digit ^ 1)) * V "Expo" ^ -1) + (digit ^ 1 * V "Expo"),
Number = C(V "Hex" + V "Float" + V "Int") * - V "idStart" / function(n)
Number = C(V "Hex" + V "Float" + V "Int") / function(n)
return tonumber(n)
end,
String = (P '"' * C(((P "\\" * P(1)) + (P(1) - P '"')) ^ 0) * P '"' +

511
userspace/engine/lua/rule_loader.lua
View File

@@ -126,31 +126,6 @@ function set_output(output_format, state)
end
end
-- This should be keep in sync with parser.lua
defined_comp_operators = {
["="]=1,
["=="] = 1,
["!="] = 1,
["<="] = 1,
[">="] = 1,
["<"] = 1,
[">"] = 1,
["contains"] = 1,
["icontains"] = 1,
["glob"] = 1,
["startswith"] = 1,
["endswith"] = 1,
["in"] = 1,
["intersects"] = 1,
["pmatch"] = 1
}
defined_list_comp_operators = {
["in"] = 1,
["intersects"] = 1,
["pmatch"] = 1
}
-- Note that the rules_by_name and rules_by_idx refer to the same rule
-- object. The by_name index is used for things like describing rules,
-- and the by_idx index is used to map the relational node index back
@@ -278,126 +253,19 @@ function get_lines(rules_lines, row, num_lines)
return ret
end
function quote_item(item)
-- Add quotes if the string contains spaces and doesn't start/end
-- w/ quotes
if string.find(item, " ") then
if string.sub(item, 1, 1) ~= "'" and string.sub(item, 1, 1) ~= '"' then
item = "\""..item.."\""
end
end
return item
end
function paren_item(item)
if string.sub(item, 1, 1) ~= "(" then
item = "("..item..")"
end
return item
end
function build_error(rules_lines, row, num_lines, err)
local ret = err.."\n---\n"..get_lines(rules_lines, row, num_lines).."---"
return {ret}
return ret
end
function build_error_with_context(ctx, err)
local ret = err.."\n---\n"..ctx.."---"
return {ret}
return ret
end
function validate_exception_item_multi_fields(eitem, context)
local name = eitem['name']
local fields = eitem['fields']
local values = eitem['values']
local comps = eitem['comps']
if comps == nil then
comps = {}
for c=1,#fields do
table.insert(comps, "=")
end
eitem['comps'] = comps
else
if #fields ~= #comps then
return false, build_error_with_context(context, "Rule exception item "..name..": fields and comps lists must have equal length"), warnings
end
end
for k, fname in ipairs(fields) do
if not is_defined_filter(fname) then
return false, build_error_with_context(context, "Rule exception item "..name..": field name "..fname.." is not a supported filter field"), warnings
end
end
for k, comp in ipairs(comps) do
if defined_comp_operators[comp] == nil then
return false, build_error_with_context(context, "Rule exception item "..name..": comparison operator "..comp.." is not a supported comparison operator"), warnings
end
end
end
function validate_exception_item_single_field(eitem, context)
local name = eitem['name']
local fields = eitem['fields']
local values = eitem['values']
local comps = eitem['comps']
if comps == nil then
eitem['comps'] = "in"
comps = eitem['comps']
else
if type(fields) ~= "string" or type(comps) ~= "string" then
return false, build_error_with_context(context, "Rule exception item "..name..": fields and comps must both be strings"), warnings
end
end
if not is_defined_filter(fields) then
return false, build_error_with_context(context, "Rule exception item "..name..": field name "..fields.." is not a supported filter field"), warnings
end
if defined_comp_operators[comps] == nil then
return false, build_error_with_context(context, "Rule exception item "..name..": comparison operator "..comps.." is not a supported comparison operator"), warnings
end
end
function is_defined_filter(filter)
if defined_noarg_filters[filter] ~= nil then
return true
else
bracket_idx = string.find(filter, "[", 1, true)
if bracket_idx ~= nil then
subfilter = string.sub(filter, 1, bracket_idx-1)
if defined_arg_filters[subfilter] ~= nil then
return true
end
end
dot_idx = string.find(filter, ".", 1, true)
while dot_idx ~= nil do
subfilter = string.sub(filter, 1, dot_idx-1)
if defined_arg_filters[subfilter] ~= nil then
return true
end
dot_idx = string.find(filter, ".", dot_idx+1, true)
end
end
return false
end
function load_rules_doc(rules_mgr, doc, load_state)
local warnings = {}
-- Iterate over yaml list. In this pass, all we're doing is
-- populating the set of rules, macros, and lists. We're not
-- expanding/compiling anything yet. All that will happen in a
@@ -411,7 +279,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
load_state.indices[load_state.cur_item_idx])
if (not (type(v) == "table")) then
return false, build_error_with_context(context, "Unexpected element of type " ..type(v)..". Each element should be a yaml associative array."), warnings
return false, build_error_with_context(context, "Unexpected element of type " ..type(v)..". Each element should be a yaml associative array.")
end
v['context'] = context
@@ -423,13 +291,13 @@ function load_rules_doc(rules_mgr, doc, load_state)
end
if falco_rules.engine_version(rules_mgr) < v['required_engine_version'] then
return false, build_error_with_context(v['context'], "Rules require engine version "..v['required_engine_version']..", but engine version is "..falco_rules.engine_version(rules_mgr)), warnings
return false, build_error_with_context(v['context'], "Rules require engine version "..v['required_engine_version']..", but engine version is "..falco_rules.engine_version(rules_mgr))
end
elseif (v['macro']) then
if (v['macro'] == nil or type(v['macro']) == "table") then
return false, build_error_with_context(v['context'], "Macro name is empty"), warnings
return false, build_error_with_context(v['context'], "Macro name is empty")
end
if v['source'] == nil then
@@ -442,7 +310,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
for j, field in ipairs({'condition'}) do
if (v[field] == nil) then
return false, build_error_with_context(v['context'], "Macro must have property "..field), warnings
return false, build_error_with_context(v['context'], "Macro must have property "..field)
end
end
@@ -455,7 +323,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
if append then
if state.macros_by_name[v['macro']] == nil then
return false, build_error_with_context(v['context'], "Macro " ..v['macro'].. " has 'append' key but no macro by that name already exists"), warnings
return false, build_error_with_context(v['context'], "Macro " ..v['macro'].. " has 'append' key but no macro by that name already exists")
end
state.macros_by_name[v['macro']]['condition'] = state.macros_by_name[v['macro']]['condition'] .. " " .. v['condition']
@@ -470,7 +338,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
elseif (v['list']) then
if (v['list'] == nil or type(v['list']) == "table") then
return false, build_error_with_context(v['context'], "List name is empty"), warnings
return false, build_error_with_context(v['context'], "List name is empty")
end
if state.lists_by_name[v['list']] == nil then
@@ -479,7 +347,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
for j, field in ipairs({'items'}) do
if (v[field] == nil) then
return false, build_error_with_context(v['context'], "List must have property "..field), warnings
return false, build_error_with_context(v['context'], "List must have property "..field)
end
end
@@ -492,7 +360,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
if append then
if state.lists_by_name[v['list']] == nil then
return false, build_error_with_context(v['context'], "List " ..v['list'].. " has 'append' key but no list by that name already exists"), warnings
return false, build_error_with_context(v['context'], "List " ..v['list'].. " has 'append' key but no list by that name already exists")
end
for j, elem in ipairs(v['items']) do
@@ -505,11 +373,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
elseif (v['rule']) then
if (v['rule'] == nil or type(v['rule']) == "table") then
return false, build_error_with_context(v['context'], "Rule name is empty"), warnings
end
if (v['condition'] == nil and v['exceptions'] == nil) then
return false, build_error_with_context(v['context'], "Rule must have exceptions or condition property"), warnings
return false, build_error_with_context(v['context'], "Rule name is empty")
end
-- By default, if a rule's condition refers to an unknown
@@ -522,11 +386,6 @@ function load_rules_doc(rules_mgr, doc, load_state)
v['source'] = "syscall"
end
-- Add an empty exceptions property to the rule if not defined
if v['exceptions'] == nil then
v['exceptions'] = {}
end
-- Possibly append to the condition field of an existing rule
append = false
@@ -534,95 +393,21 @@ function load_rules_doc(rules_mgr, doc, load_state)
append = v['append']
end
-- Validate the contents of the rule exception
if next(v['exceptions']) ~= nil then
if append then
-- This validation only applies if append=false. append=true validation is handled below
if append == false then
for _, eitem in ipairs(v['exceptions']) do
if eitem['name'] == nil then
return false, build_error_with_context(v['context'], "Rule exception item must have name property"), warnings
end
if eitem['fields'] == nil then
return false, build_error_with_context(v['context'], "Rule exception item "..eitem['name']..": must have fields property with a list of fields"), warnings
end
if eitem['values'] == nil then
-- An empty values array is okay
eitem['values'] = {}
end
-- Different handling if the fields property is a single item vs a list
local valid, err
if type(eitem['fields']) == "table" then
valid, err = validate_exception_item_multi_fields(eitem, v['context'])
else
valid, err = validate_exception_item_single_field(eitem, v['context'])
end
if valid == false then
return valid, err
end
-- For append rules, all you need is the condition
for j, field in ipairs({'condition'}) do
if (v[field] == nil) then
return false, build_error_with_context(v['context'], "Rule must have property "..field)
end
end
end
if append then
if state.rules_by_name[v['rule']] == nil then
if state.skipped_rules_by_name[v['rule']] == nil then
return false, build_error_with_context(v['context'], "Rule " ..v['rule'].. " has 'append' key but no rule by that name already exists"), warnings
return false, build_error_with_context(v['context'], "Rule " ..v['rule'].. " has 'append' key but no rule by that name already exists")
end
else
if next(v['exceptions']) ~= nil then
for _, eitem in ipairs(v['exceptions']) do
local name = eitem['name']
local fields = eitem['fields']
local comps = eitem['comps']
if name == nil then
return false, build_error_with_context(v['context'], "Rule exception item must have name property"), warnings
end
-- You can't append exception fields or comps to a rule
if fields ~= nil then
return false, build_error_with_context(v['context'], "Can not append exception fields to existing rule, only values"), warnings
end
if comps ~= nil then
return false, build_error_with_context(v['context'], "Can not append exception comps to existing rule, only values"), warnings
end
-- You can append values. They are added to the
-- corresponding name, if it exists. If no
-- exception with that name exists, add a
-- warning.
if eitem['values'] ~= nil then
local found=false
for _, reitem in ipairs(state.rules_by_name[v['rule']]['exceptions']) do
if reitem['name'] == eitem['name'] then
found=true
for _, values in ipairs(eitem['values']) do
reitem['values'][#reitem['values'] + 1] = values
end
end
end
if found == false then
warnings[#warnings + 1] = "Rule "..v['rule'].." with append=true: no set of fields matching name "..eitem['name']
end
end
end
end
if v['condition'] ~= nil then
state.rules_by_name[v['rule']]['condition'] = state.rules_by_name[v['rule']]['condition'] .. " " .. v['condition']
end
state.rules_by_name[v['rule']]['condition'] = state.rules_by_name[v['rule']]['condition'] .. " " .. v['condition']
-- Add the current object to the context of the base rule
state.rules_by_name[v['rule']]['context'] = state.rules_by_name[v['rule']]['context'].."\n"..v['context']
@@ -632,7 +417,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
for j, field in ipairs({'condition', 'output', 'desc', 'priority'}) do
if (v[field] == nil) then
return false, build_error_with_context(v['context'], "Rule must have property "..field), warnings
return false, build_error_with_context(v['context'], "Rule must have property "..field)
end
end
@@ -661,116 +446,16 @@ function load_rules_doc(rules_mgr, doc, load_state)
end
end
else
-- Remove the context from the table, so the table is exactly what was parsed
local context = v['context']
arr = build_error_with_context(context, "Unknown top level object: "..table.tostring(v))
warnings[#warnings + 1] = arr[1]
v['context'] = nil
return false, build_error_with_context(context, "Unknown rule object: "..table.tostring(v))
end
end
return true, {}, warnings
return true, ""
end
-- cond and not ((proc.name=apk and fd.directory=/usr/lib/alpine) or (proc.name=npm and fd.directory=/usr/node/bin) or ...)
-- Populates exfields with all fields used
function build_exception_condition_string_multi_fields(eitem, exfields)
local fields = eitem['fields']
local comps = eitem['comps']
local icond = "("
for i, values in ipairs(eitem['values']) do
if #fields ~= #values then
return nil, "Exception item "..eitem['name']..": fields and values lists must have equal length"
end
if icond ~= "(" then
icond=icond.." or "
end
icond=icond.."("
for k=1,#fields do
if k > 1 then
icond=icond.." and "
end
local ival = values[k]
local istr = ""
-- If ival is a table, express it as (titem1, titem2, etc)
if type(ival) == "table" then
istr = "("
for _, item in ipairs(ival) do
if istr ~= "(" then
istr = istr..", "
end
istr = istr..quote_item(item)
end
istr = istr..")"
else
-- If the corresponding operator is one that works on lists, possibly add surrounding parentheses.
if defined_list_comp_operators[comps[k]] then
istr = paren_item(ival)
else
-- Quote the value if not already quoted
istr = quote_item(ival)
end
end
icond = icond..fields[k].." "..comps[k].." "..istr
exfields[fields[k]] = true
end
icond=icond..")"
end
icond = icond..")"
-- Don't return a trivially empty condition string
if icond == "()" then
icond = ""
end
return icond, nil
end
function build_exception_condition_string_single_field(eitem, exfields)
local icond = ""
for i, value in ipairs(eitem['values']) do
if type(value) ~= "string" then
return "", "Expected values array for item "..eitem['name'].." to contain a list of strings"
end
if icond == "" then
icond = "("..eitem['fields'].." "..eitem['comps'].." ("
else
icond = icond..", "
end
exfields[eitem['fields']] = true
icond = icond..quote_item(value)
end
if icond ~= "" then
icond = icond.."))"
end
return icond, nil
end
-- Returns:
-- - Load Result: bool
-- - required engine version. will be nil when load result is false
-- - List of Errors
-- - List of Warnings
function load_rules(sinsp_lua_parser,
json_lua_parser,
rules_content,
@@ -781,8 +466,6 @@ function load_rules(sinsp_lua_parser,
replace_container_info,
min_priority)
local warnings = {}
local load_state = {lines={}, indices={}, cur_item_idx=0, min_priority=min_priority, required_engine_version=0}
load_state.lines, load_state.indices = split_lines(rules_content)
@@ -804,42 +487,36 @@ function load_rules(sinsp_lua_parser,
row = tonumber(row)
col = tonumber(col)
return false, nil, build_error(load_state.lines, row, 3, docs), warnings
return false, build_error(load_state.lines, row, 3, docs)
end
if docs == nil then
-- An empty rules file is acceptable
return true, load_state.required_engine_version, {}, warnings
return true, load_state.required_engine_version
end
if type(docs) ~= "table" then
return false, nil, build_error(load_state.lines, 1, 1, "Rules content is not yaml"), warnings
return false, build_error(load_state.lines, 1, 1, "Rules content is not yaml")
end
for docidx, doc in ipairs(docs) do
if type(doc) ~= "table" then
return false, nil, build_error(load_state.lines, 1, 1, "Rules content is not yaml"), warnings
return false, build_error(load_state.lines, 1, 1, "Rules content is not yaml")
end
-- Look for non-numeric indices--implies that document is not array
-- of objects.
for key, val in pairs(doc) do
if type(key) ~= "number" then
return false, nil, build_error(load_state.lines, 1, 1, "Rules content is not yaml array of objects"), warnings
return false, build_error(load_state.lines, 1, 1, "Rules content is not yaml array of objects")
end
end
res, errors, doc_warnings = load_rules_doc(rules_mgr, doc, load_state)
if (doc_warnings ~= nil) then
for idx, warning in pairs(doc_warnings) do
table.insert(warnings, warning)
end
end
res, errstr = load_rules_doc(rules_mgr, doc, load_state)
if not res then
return res, nil, errors, warnings
return res, errstr
end
end
@@ -861,9 +538,8 @@ function load_rules(sinsp_lua_parser,
-- the items and expand any references to the items in the list
for i, item in ipairs(v['items']) do
if (state.lists[item] == nil) then
items[#items+1] = quote_item(item)
items[#items+1] = item
else
state.lists[item].used = true
for i, exp_item in ipairs(state.lists[item].items) do
items[#items+1] = exp_item
end
@@ -880,7 +556,7 @@ function load_rules(sinsp_lua_parser,
local status, ast = compiler.compile_macro(v['condition'], state.macros, state.lists)
if status == false then
return false, nil, build_error_with_context(v['context'], ast), warnings
return false, build_error_with_context(v['context'], ast)
end
if v['source'] == "syscall" then
@@ -896,48 +572,16 @@ function load_rules(sinsp_lua_parser,
local v = state.rules_by_name[name]
local econd = ""
local exfields = {}
-- Turn exceptions into condition strings and add them to each
-- rule's condition
for _, eitem in ipairs(v['exceptions']) do
local icond, err
if type(eitem['fields']) == "table" then
icond, err = build_exception_condition_string_multi_fields(eitem, exfields)
else
icond, err = build_exception_condition_string_single_field(eitem, exfields)
end
if err ~= nil then
return false, nil, build_error_with_context(v['context'], err), warnings
end
if icond ~= "" then
econd = econd.." and not "..icond
end
end
state.rules_by_name[name]['exception_fields'] = exfields
if econd ~= "" then
state.rules_by_name[name]['compile_condition'] = "("..state.rules_by_name[name]['condition']..") "..econd
else
state.rules_by_name[name]['compile_condition'] = state.rules_by_name[name]['condition']
end
warn_evttypes = true
if v['warn_evttypes'] ~= nil then
warn_evttypes = v['warn_evttypes']
end
local status, filter_ast, filters = compiler.compile_filter(v['rule'], v['compile_condition'],
local status, filter_ast, filters = compiler.compile_filter(v['rule'], v['condition'],
state.macros, state.lists)
if status == false then
return false, nil, build_error_with_context(v['context'], filter_ast), warnings
return false, build_error_with_context(v['context'], filter_ast)
end
local evtttypes = {}
@@ -948,22 +592,52 @@ function load_rules(sinsp_lua_parser,
sinsp_rule_utils.check_for_ignored_syscalls_events(filter_ast, 'rule', v['rule'])
end
evttypes, syscallnums = sinsp_rule_utils.get_evttypes_syscalls(name, filter_ast, v['compile_condition'], warn_evttypes, verbose)
evttypes, syscallnums = sinsp_rule_utils.get_evttypes_syscalls(name, filter_ast, v['condition'], warn_evttypes, verbose)
end
-- If a filter in the rule doesn't exist, either skip the rule
-- or raise an error, depending on the value of
-- skip-if-unknown-filter.
for filter, _ in pairs(filters) do
if not is_defined_filter(filter) then
msg = "rule \""..v['rule'].."\": contains unknown filter "..filter
warnings[#warnings + 1] = msg
found = false
if not v['skip-if-unknown-filter'] then
return false, nil, build_error_with_context(v['context'], msg), warnings
else
print("Skipping "..msg)
if defined_noarg_filters[filter] ~= nil then
found = true
else
bracket_idx = string.find(filter, "[", 1, true)
if bracket_idx ~= nil then
subfilter = string.sub(filter, 1, bracket_idx-1)
if defined_arg_filters[subfilter] ~= nil then
found = true
end
end
if not found then
dot_idx = string.find(filter, ".", 1, true)
while dot_idx ~= nil do
subfilter = string.sub(filter, 1, dot_idx-1)
if defined_arg_filters[subfilter] ~= nil then
found = true
break
end
dot_idx = string.find(filter, ".", dot_idx+1, true)
end
end
end
if not found then
if v['skip-if-unknown-filter'] then
if verbose then
print("Skipping rule \""..v['rule'].."\" that contains unknown filter "..filter)
end
goto next_rule
else
error("Rule \""..v['rule'].."\" contains unknown filter "..filter)
end
end
end
@@ -1042,37 +716,33 @@ function load_rules(sinsp_lua_parser,
-- Ensure that the output field is properly formatted by
-- creating a formatter from it. Any error will be thrown
-- up to the top level.
local err, formatter = formats.formatter(v['source'], v['output'])
if err == nil then
formats.free_formatter(v['source'], formatter)
else
return false, nil, build_error_with_context(v['context'], err), warnings
end
formatter = formats.formatter(v['source'], v['output'])
formats.free_formatter(v['source'], formatter)
else
return false, nil, build_error_with_context(v['context'], "Unexpected type in load_rule: "..filter_ast.type), warnings
return false, build_error_with_context(v['context'], "Unexpected type in load_rule: "..filter_ast.type)
end
::next_rule::
end
-- Print info on any dangling lists or macros that were not used anywhere
for name, macro in pairs(state.macros) do
if macro.used == false then
msg = "macro "..name.." not refered to by any rule/macro"
warnings[#warnings + 1] = msg
if verbose then
-- Print info on any dangling lists or macros that were not used anywhere
for name, macro in pairs(state.macros) do
if macro.used == false then
print("Warning: macro "..name.." not refered to by any rule/macro")
end
end
end
for name, list in pairs(state.lists) do
if list.used == false then
msg = "list "..name.." not refered to by any rule/macro/list"
warnings[#warnings + 1] = msg
for name, list in pairs(state.lists) do
if list.used == false then
print("Warning: list "..name.." not refered to by any rule/macro/list")
end
end
end
io.flush()
return true, load_state.required_engine_version, {}, warnings
return true, load_state.required_engine_version
end
local rule_fmt = "%-50s %s"
@@ -1149,14 +819,7 @@ function on_event(rule_id)
-- Prefix output with '*' so formatting is permissive
output = "*"..rule.output
-- Also return all fields from all exceptions
combined_rule = state.rules_by_name[rule.rule]
if combined_rule == nil then
error ("rule_loader.on_event(): could not find rule by name: ", rule.rule)
end
return rule.rule, rule.priority_num, output, combined_rule.exception_fields
return rule.rule, rule.priority_num, output
end
function print_stats()

75
userspace/engine/rules.cpp
View File

@@ -14,9 +14,8 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
#include <sstream>
#include "rules.h"
#include "logger.h"
extern "C" {
#include "lua.h"
@@ -219,31 +218,6 @@ int falco_rules::engine_version(lua_State *ls)
return 1;
}
static std::list<std::string> get_lua_table_values(lua_State *ls, int idx)
{
std::list<std::string> ret;
if (lua_isnil(ls, idx)) {
return ret;
}
lua_pushnil(ls); /* first key */
while (lua_next(ls, idx-1) != 0) {
// key is at index -2, value is at index
// -1. We want the values.
if (! lua_isstring(ls, -1)) {
std::string err = "Non-string value in table of strings";
throw falco_exception(err);
}
ret.push_back(string(lua_tostring(ls, -1)));
// Remove value, keep key for next iteration
lua_pop(ls, 1);
}
return ret;
}
void falco_rules::load_rules(const string &rules_content,
bool verbose, bool all_events,
string &extra, bool replace_container_info,
@@ -449,7 +423,7 @@ void falco_rules::load_rules(const string &rules_content,
lua_pushstring(m_ls, extra.c_str());
lua_pushboolean(m_ls, (replace_container_info ? 1 : 0));
lua_pushnumber(m_ls, min_priority);
if(lua_pcall(m_ls, 9, 4, 0) != 0)
if(lua_pcall(m_ls, 9, 2, 0) != 0)
{
const char* lerr = lua_tostring(m_ls, -1);
@@ -458,49 +432,20 @@ void falco_rules::load_rules(const string &rules_content,
throw falco_exception(err);
}
// Returns:
// Load result: bool
// required engine version: will be nil when load result is false
// array of errors
// array of warnings
bool successful = lua_toboolean(m_ls, -4);
required_engine_version = lua_tonumber(m_ls, -3);
std::list<std::string> errors = get_lua_table_values(m_ls, -2);
std::list<std::string> warnings = get_lua_table_values(m_ls, -1);
// Either returns (true, required_engine_version), or (false, error string)
bool successful = lua_toboolean(m_ls, -2);
// Concatenate errors/warnings
std::ostringstream os;
if (errors.size() > 0)
if(successful)
{
os << errors.size() << " errors:" << std::endl;
for(auto err : errors)
{
os << err << std::endl;
}
required_engine_version = lua_tonumber(m_ls, -1);
}
if (warnings.size() > 0)
else
{
os << warnings.size() << " warnings:" << std::endl;
for(auto warn : warnings)
{
os << warn << std::endl;
}
std::string err = lua_tostring(m_ls, -1);
throw falco_exception(err);
}
if(!successful)
{
throw falco_exception(os.str());
}
if (verbose && os.str() != "") {
// We don't really have a logging callback
// from the falco engine, but this would be a
// good place to use it.
fprintf(stderr, "When reading rules content: %s", os.str().c_str());
}
lua_pop(m_ls, 4);
lua_pop(m_ls, 2);
} else {
throw falco_exception("No function " + m_lua_load_rules + " found in lua rule module");

34
userspace/falco/configuration.cpp
View File

@@ -1,5 +1,5 @@
/*
Copyright (C) 2021 The Falco Authors.
Copyright (C) 2020 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -34,7 +34,6 @@ falco_configuration::falco_configuration():
m_webserver_enabled(false),
m_webserver_listen_port(8765),
m_webserver_k8s_audit_endpoint("/k8s-audit"),
m_webserver_k8s_healthz_endpoint("/healthz"),
m_webserver_ssl_enabled(false),
m_config(NULL)
{
@@ -194,7 +193,6 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
m_webserver_enabled = m_config->get_scalar<bool>("webserver", "enabled", false);
m_webserver_listen_port = m_config->get_scalar<uint32_t>("webserver", "listen_port", 8765);
m_webserver_k8s_audit_endpoint = m_config->get_scalar<string>("webserver", "k8s_audit_endpoint", "/k8s-audit");
m_webserver_k8s_healthz_endpoint = m_config->get_scalar<string>("webserver", "k8s_healthz_endpoint", "/healthz");
m_webserver_ssl_enabled = m_config->get_scalar<bool>("webserver", "ssl_enabled", false);
m_webserver_ssl_certificate = m_config->get_scalar<string>("webserver", "ssl_certificate", "/etc/falco/falco.pem");
@@ -205,46 +203,34 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
{
if(act == "ignore")
{
m_syscall_evt_drop_actions.insert(syscall_evt_drop_action::IGNORE);
m_syscall_evt_drop_actions.insert(syscall_evt_drop_mgr::ACT_IGNORE);
}
else if(act == "log")
{
if(m_syscall_evt_drop_actions.count(syscall_evt_drop_action::IGNORE))
{
throw logic_error("Error reading config file (" + m_config_file + "): syscall event drop action \"" + act + "\" does not make sense with the \"ignore\" action");
}
m_syscall_evt_drop_actions.insert(syscall_evt_drop_action::LOG);
m_syscall_evt_drop_actions.insert(syscall_evt_drop_mgr::ACT_LOG);
}
else if(act == "alert")
{
if(m_syscall_evt_drop_actions.count(syscall_evt_drop_action::IGNORE))
{
throw logic_error("Error reading config file (" + m_config_file + "): syscall event drop action \"" + act + "\" does not make sense with the \"ignore\" action");
}
m_syscall_evt_drop_actions.insert(syscall_evt_drop_action::ALERT);
m_syscall_evt_drop_actions.insert(syscall_evt_drop_mgr::ACT_ALERT);
}
else if(act == "exit")
{
m_syscall_evt_drop_actions.insert(syscall_evt_drop_action::EXIT);
m_syscall_evt_drop_actions.insert(syscall_evt_drop_mgr::ACT_EXIT);
}
else
{
throw logic_error("Error reading config file (" + m_config_file + "): available actions for syscall event drops are \"ignore\", \"log\", \"alert\", and \"exit\"");
throw logic_error("Error reading config file (" + m_config_file + "): syscall event drop action " + act + " must be one of \"ignore\", \"log\", \"alert\", or \"exit\"");
}
}
if(m_syscall_evt_drop_actions.empty())
{
m_syscall_evt_drop_actions.insert(syscall_evt_drop_action::IGNORE);
m_syscall_evt_drop_actions.insert(syscall_evt_drop_mgr::ACT_IGNORE);
}
m_syscall_evt_drop_threshold = m_config->get_scalar<double>("syscall_event_drops", "threshold", .1);
if(m_syscall_evt_drop_threshold < 0 || m_syscall_evt_drop_threshold > 1)
{
throw logic_error("Error reading config file (" + m_config_file + "): syscall event drops threshold must be a double in the range [0, 1]");
}
m_syscall_evt_drop_rate = m_config->get_scalar<double>("syscall_event_drops", "rate", .03333);
m_syscall_evt_drop_max_burst = m_config->get_scalar<double>("syscall_event_drops", "max_burst", 1);
m_syscall_evt_drop_rate = m_config->get_scalar<double>("syscall_event_drops", "rate", 0.3333);
m_syscall_evt_drop_max_burst = m_config->get_scalar<double>("syscall_event_drops", "max_burst", 10);
m_syscall_evt_simulate_drops = m_config->get_scalar<bool>("syscall_event_drops", "simulate_drops", false);
}

10
userspace/falco/configuration.h
View File

@@ -1,5 +1,5 @@
/*
Copyright (C) 2021 The Falco Authors.
Copyright (C) 2019 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -111,7 +111,7 @@ public:
}
catch(const YAML::BadConversion& ex)
{
std::cerr << "Cannot read config file (" + m_path + "): wrong type at key " + key + "." + subkey + "\n";
std::cerr << "Cannot read config file (" + m_path + "): wrong type at key " + key + "\n";
throw;
}
@@ -172,7 +172,7 @@ public:
}
catch(const YAML::BadConversion& ex)
{
std::cerr << "Cannot read config file (" + m_path + "): wrong type at key " + key + "." + subkey +"\n";
std::cerr << "Cannot read config file (" + m_path + "): wrong type at key " + key + "\n";
throw;
}
}
@@ -216,11 +216,9 @@ public:
bool m_webserver_enabled;
uint32_t m_webserver_listen_port;
std::string m_webserver_k8s_audit_endpoint;
std::string m_webserver_k8s_healthz_endpoint;
bool m_webserver_ssl_enabled;
std::string m_webserver_ssl_certificate;
syscall_evt_drop_actions m_syscall_evt_drop_actions;
double m_syscall_evt_drop_threshold;
std::set<syscall_evt_drop_mgr::action> m_syscall_evt_drop_actions;
double m_syscall_evt_drop_rate;
double m_syscall_evt_drop_max_burst;

72
userspace/falco/event_drops.cpp
View File

@@ -1,5 +1,5 @@
/*
Copyright (C) 2021 The Falco Authors.
Copyright (C) 2020 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -34,8 +34,7 @@ syscall_evt_drop_mgr::~syscall_evt_drop_mgr()
void syscall_evt_drop_mgr::init(sinsp *inspector,
falco_outputs *outputs,
syscall_evt_drop_actions &actions,
double threshold,
std::set<action> &actions,
double rate,
double max_tokens,
bool simulate_drops)
@@ -44,15 +43,10 @@ void syscall_evt_drop_mgr::init(sinsp *inspector,
m_outputs = outputs;
m_actions = actions;
m_bucket.init(rate, max_tokens);
m_threshold = threshold;
m_inspector->get_capture_stats(&m_last_stats);
m_simulate_drops = simulate_drops;
if(m_simulate_drops)
{
m_threshold = 0;
}
}
bool syscall_evt_drop_mgr::process_event(sinsp *inspector, sinsp_evt *evt)
@@ -89,27 +83,19 @@ bool syscall_evt_drop_mgr::process_event(sinsp *inspector, sinsp_evt *evt)
if(delta.n_drops > 0)
{
double ratio = delta.n_drops;
// Assuming the number of event does not contains the dropped ones
ratio /= delta.n_drops + delta.n_evts;
m_num_syscall_evt_drops++;
// When simulating drops the threshold is always zero
if(ratio > m_threshold)
// There were new drops in the last second. If
// the token bucket allows, perform actions.
if(m_bucket.claim(1, evt->get_ts()))
{
m_num_syscall_evt_drops++;
m_num_actions++;
// There were new drops in the last second.
// If the token bucket allows, perform actions.
if(m_bucket.claim(1, evt->get_ts()))
{
m_num_actions++;
return perform_actions(evt->get_ts(), delta, inspector->is_bpf_enabled());
}
else
{
falco_logger::log(LOG_DEBUG, "Syscall event drop but token bucket depleted, skipping actions");
}
return perform_actions(evt->get_ts(), delta, inspector->is_bpf_enabled());
}
else
{
falco_logger::log(LOG_DEBUG, "Syscall event drop but token bucket depleted, skipping actions");
}
}
}
@@ -129,32 +115,36 @@ bool syscall_evt_drop_mgr::perform_actions(uint64_t now, scap_stats &delta, bool
std::string rule = "Falco internal: syscall event drop";
std::string msg = rule + ". " + std::to_string(delta.n_drops) + " system calls dropped in last second.";
std::map<std::string, std::string> output_fields;
output_fields["n_evts"] = std::to_string(delta.n_evts);
output_fields["n_drops"] = std::to_string(delta.n_drops);
output_fields["n_drops_buffer"] = std::to_string(delta.n_drops_buffer);
output_fields["n_drops_pf"] = std::to_string(delta.n_drops_pf);
output_fields["n_drops_bug"] = std::to_string(delta.n_drops_bug);
output_fields["ebpf_enabled"] = std::to_string(bpf_enabled);
bool should_exit = false;
for(auto &act : m_actions)
{
switch(act)
{
case syscall_evt_drop_action::IGNORE:
case ACT_IGNORE:
break;
case syscall_evt_drop_action::LOG:
falco_logger::log(LOG_DEBUG, msg);
case ACT_LOG:
falco_logger::log(LOG_ERR, msg);
break;
case syscall_evt_drop_action::ALERT:
{
std::map<std::string, std::string> output_fields;
output_fields["n_evts"] = std::to_string(delta.n_evts);
output_fields["n_drops"] = std::to_string(delta.n_drops);
output_fields["n_drops_buffer"] = std::to_string(delta.n_drops_buffer);
output_fields["n_drops_pf"] = std::to_string(delta.n_drops_pf);
output_fields["n_drops_bug"] = std::to_string(delta.n_drops_bug);
output_fields["ebpf_enabled"] = std::to_string(bpf_enabled);
m_outputs->handle_msg(now, falco_common::PRIORITY_DEBUG, msg, rule, output_fields);
case ACT_ALERT:
m_outputs->handle_msg(now,
falco_common::PRIORITY_CRITICAL,
msg,
rule,
output_fields);
break;
}
case syscall_evt_drop_action::EXIT:
case ACT_EXIT:
should_exit = true;
break;

30
userspace/falco/event_drops.h
View File

@@ -1,5 +1,5 @@
/*
Copyright (C) 2021 The Falco Authors.
Copyright (C) 2019 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -23,28 +23,25 @@ limitations under the License.
#include "logger.h"
#include "falco_outputs.h"
// The possible actions that this class can take upon
// detecting a syscall event drop.
enum class syscall_evt_drop_action : uint8_t
{
IGNORE = 0,
LOG,
ALERT,
EXIT
};
using syscall_evt_drop_actions = std::set<syscall_evt_drop_action>;
class syscall_evt_drop_mgr
{
public:
// The possible actions that this class can take upon
// detecting a syscall event drop.
enum action
{
ACT_IGNORE = 0,
ACT_LOG,
ACT_ALERT,
ACT_EXIT,
};
syscall_evt_drop_mgr();
virtual ~syscall_evt_drop_mgr();
void init(sinsp *inspector,
falco_outputs *outputs,
syscall_evt_drop_actions &actions,
double threshold,
std::set<action> &actions,
double rate,
double max_tokens,
bool simulate_drops);
@@ -66,10 +63,9 @@ protected:
uint64_t m_num_actions;
sinsp *m_inspector;
falco_outputs *m_outputs;
syscall_evt_drop_actions m_actions;
std::set<action> m_actions;
token_bucket m_bucket;
uint64_t m_next_check_ts;
scap_stats m_last_stats;
bool m_simulate_drops;
double m_threshold;
};

49
userspace/falco/falco.cpp
View File

@@ -255,7 +255,6 @@ uint64_t do_inspect(falco_engine *engine,
sdropmgr.init(inspector,
outputs,
config.m_syscall_evt_drop_actions,
config.m_syscall_evt_drop_threshold,
config.m_syscall_evt_drop_rate,
config.m_syscall_evt_drop_max_burst,
config.m_syscall_evt_simulate_drops);
@@ -763,6 +762,8 @@ int falco_init(int argc, char **argv)
}
}
outputs = new falco_outputs();
// Some combinations of arguments are not allowed.
if (daemon && pidfilename == "") {
throw std::invalid_argument("If -d is provided, a pid file must also be provided");
@@ -814,7 +815,7 @@ int falco_init(int argc, char **argv)
}
catch(falco_exception &e)
{
printf("%s%s", prefix.c_str(), e.what());
printf("%s%s\n", prefix.c_str(), e.what());
throw;
}
printf("%sOk\n", prefix.c_str());
@@ -866,15 +867,7 @@ int falco_init(int argc, char **argv)
falco_logger::log(LOG_INFO, "Loading rules from file " + filename + ":\n");
uint64_t required_engine_version;
try {
engine->load_rules_file(filename, verbose, all_events, required_engine_version);
}
catch(falco_exception &e)
{
std::string prefix = "Could not load rules file " + filename + ": ";
throw falco_exception(prefix + e.what());
}
engine->load_rules_file(filename, verbose, all_events, required_engine_version);
required_engine_versions[filename] = required_engine_version;
}
@@ -972,6 +965,14 @@ int falco_init(int argc, char **argv)
hostname = c_hostname;
}
outputs->init(config.m_json_output,
config.m_json_include_output_property,
config.m_output_timeout,
config.m_notifications_rate, config.m_notifications_max_burst,
config.m_buffered_outputs,
config.m_time_format_iso_8601,
hostname);
if(!all_events)
{
inspector->set_drop_event_flags(EF_DROP_SIMPLE_CONS);
@@ -991,6 +992,11 @@ int falco_init(int argc, char **argv)
inspector->set_hostname_and_port_resolution_mode(false);
for(auto output : config.m_outputs)
{
outputs->add_output(output);
}
if(signal(SIGINT, signal_callback) == SIG_ERR)
{
fprintf(stderr, "An error occurred while setting SIGINT signal handler.\n");
@@ -1076,21 +1082,6 @@ int falco_init(int argc, char **argv)
g_daemonized = true;
}
outputs = new falco_outputs();
outputs->init(config.m_json_output,
config.m_json_include_output_property,
config.m_output_timeout,
config.m_notifications_rate, config.m_notifications_max_burst,
config.m_buffered_outputs,
config.m_time_format_iso_8601,
hostname);
for(auto output : config.m_outputs)
{
outputs->add_output(output);
}
if(trace_filename.size())
{
// Try to open the trace file as a sysdig
@@ -1186,8 +1177,8 @@ int falco_init(int argc, char **argv)
falco_logger::log(LOG_ERR, "Unable to load the driver.\n");
}
open_f(inspector);
}
else
}
else
{
rethrow_exception(current_exception());
}
@@ -1296,7 +1287,7 @@ int falco_init(int argc, char **argv)
if(!trace_filename.empty() && !trace_is_scap)
{
#ifndef MINIMAL_BUILD
#ifndef MINIMAL_BUILD
read_k8s_audit_trace_file(engine,
outputs,
trace_filename);

14
userspace/falco/webserver.cpp
View File

@@ -34,15 +34,6 @@ k8s_audit_handler::~k8s_audit_handler()
{
}
bool k8s_healthz_handler::handleGet(CivetServer *server, struct mg_connection *conn)
{
const std::string status_body = "{\"status\": \"ok\"}";
mg_send_http_ok(conn, "application/json", status_body.size());
mg_printf(conn, "%s", status_body.c_str());
return true;
}
bool k8s_audit_handler::accept_data(falco_engine *engine,
falco_outputs *outputs,
std::string &data,
@@ -157,7 +148,7 @@ bool k8s_audit_handler::handlePost(CivetServer *server, struct mg_connection *co
return true;
}
const std::string ok_body = "<html><body>Ok</body></html>";
std::string ok_body = "<html><body>Ok</body></html>";
mg_send_http_ok(conn, "text/html", ok_body.size());
mg_printf(conn, "%s", ok_body.c_str());
@@ -242,8 +233,6 @@ void falco_webserver::start()
m_k8s_audit_handler = make_unique<k8s_audit_handler>(m_engine, m_outputs);
m_server->addHandler(m_config->m_webserver_k8s_audit_endpoint, *m_k8s_audit_handler);
m_k8s_healthz_handler = make_unique<k8s_healthz_handler>();
m_server->addHandler(m_config->m_webserver_k8s_healthz_endpoint, *m_k8s_healthz_handler);
}
void falco_webserver::stop()
@@ -252,6 +241,5 @@ void falco_webserver::stop()
{
m_server = NULL;
m_k8s_audit_handler = NULL;
m_k8s_healthz_handler = NULL;
}
}

15
userspace/falco/webserver.h
View File

@@ -41,20 +41,6 @@ private:
bool accept_uploaded_data(std::string &post_data, std::string &errstr);
};
class k8s_healthz_handler : public CivetHandler
{
public:
k8s_healthz_handler()
{
}
virtual ~k8s_healthz_handler()
{
}
bool handleGet(CivetServer *server, struct mg_connection *conn);
};
class falco_webserver
{
public:
@@ -74,5 +60,4 @@ private:
falco_outputs *m_outputs;
unique_ptr<CivetServer> m_server;
unique_ptr<k8s_audit_handler> m_k8s_audit_handler;
unique_ptr<k8s_healthz_handler> m_k8s_healthz_handler;
};