github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-03-20 19:52:08 +00:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: github:0.29.0
Branches Tags
github:master github:fix/buffered_outputs github:fix/http-output-on-non-linux-platforms github:dependabot/submodules/submodules/falcosecurity-rules-048d2f8 github:feat/capture-events-filesize-limits github:update/libs github:3485_webserver_with_own_uid_gid github:release/0.43.x github:ekoops-patch-1 github:release/0.42.x github:release/0.41.x github:test/wip github:new/musl_static_aarch64 github:release/0.40.x github:release/0.39.x github:wip/test_libs_master github:release/0.38.x github:generalize-indexable-ruleset-polymorphic github:chore/test_pr1803 github:LucaGuerra-patch-1 github:release/0.37.x github:fix_CI_5 github:chore/use_actuated_helper github:fix_CI_4 github:bump_falco_latest_libs github:new/static_aarch64 github:fix/use_plugin_name github:new/mode-in-config github:release/0.36.x github:test_filterchecks github:test_release_0.36.0 github:fix/workaround_glibc_bug_timer_delete github:wip/test github:add-load-files-method github:test/ci github:update/pidfile-usage-doc github:bump_libs_andrea github:release/0.35.x github:remove-source-ruleset-overwrite-when-loading github:mstemm-works-with-latest-libs github:test/PR546 github:test/PR959 github:libs_bump github:release/0.34.x github:release/0.34.0 github:fix/kmod_cleanup github:chore/move-rules-to-their-repo github:enable_maintainers_gh_jobs github:dev_docker github:fix/dev_version github:exec-hashes github:falco_modern_probe github:release/0.33.1 github:test_modern_probe github:fix/docker_img_host_root_runtime github:release/0.33.0 github:test_falco_bump github:chore/falco_lock_file github:fix_falco_service github:test_deb_rpm github:buffer_dimension github:testing/falco-0-32-3/issue/1909 github:test/libs/pr/567 github:test/new_libs github:release/0.32.2 github:update/remove-mesos-support github:remove-fntlnz github:test/libs/pr/213 github:leogr-patch-1 github:build/fix-conffiles github:add-app-actions github:add-app-actions-prerebase-2 github:add-grpc-rules-loading github:fix-plugins-issue-56 github:field-properties-changes github:embed-lua-scripts github:new/plugin-system-api-additions-prerebase github:embeddable-falco-engine github:build/apply-libs-pr-41 github:build/upgrade-driver-version-mid2021 github:build/upgrade-driver-version-for-0-29-0 github:build/update-driver-version-wip github:hotfix/grpc-in-packages github:use-url-safe-chars-version github:rules-fp-fixes-2021-02 github:allow-unknown-sources github:libhawk-rules github:build/docs github:update/cli github:update/logo github:caniszczyk-patch-1 github:new/logger github:new/inspect-per-cpu github:new/ci-build-aarch64 github:release/0.26.2 github:temporary/test-ci-broken-tests github:libhawk github:add-exceptions-support-copy2 github:add-exceptions-support-copy github:chore/remove-time-macrodefs github:update/release-drivers github:rules-bash-history-top-only github:fix/scripts-modprobe github:perf-experiments github:fix/1272 github:fix/1272-test github:readme-update github:proposal/rules-engine-version-scope github:nova-debug github:falco-driver-loader-dockerfile github:chore/integration-grpc-with-event-generator github:feat/grpc-integration-tests github:new/profiler github:falco-arm-support github:falco-on-arm github:feature/inputs-mvp github:adding-install-script github:feat/modulecheck github:falco-release-0-17-0 github:falco-release-0-17-1 github:add-addl-pst-owners github:683-handle-sinsp-errors github:allow-regex-chars-rule-names github:backup-master github:add-context-to-rules-errors
github:0.43.0 github:0.43.0-rc4 github:0.43.0-rc3 github:0.43.0-rc2 github:0.43.0-rc1 github:0.42.1 github:0.42.0 github:0.42.0-rc4 github:0.42.0-rc3 github:0.42.0-rc2 github:0.42.0-rc1 github:0.41.3 github:0.41.2 github:0.41.1 github:0.41.1-rc1 github:0.41.0 github:0.41.0-rc2 github:0.41.0-rc1 github:0.40.0 github:0.40.0-rc1 github:0.39.2 github:0.39.1 github:0.39.1-rc1 github:0.39.0 github:0.39.0-rc3 github:0.39.0-rc2 github:0.39.0-rc1 github:0.38.2 github:0.38.2-rc2 github:0.38.2-rc1 github:0.38.1 github:0.38.1-rc1 github:0.38.0 github:0.38.0-rc5 github:0.38.0-rc4 github:0.38.0-rc3 github:0.38.0-rc2 github:0.38.0-rc1 github:0.37.1 github:0.37.1-rc1 github:0.37.0 github:0.37.0-rc3 github:0.37.0-rc2 github:0.37.0-rc1 github:0.36.2 github:0.36.2-rc1 github:0.36.1 github:0.36.1-rc1 github:0.36.0 github:0.36.0-rc3 github:0.36.0-rc2 github:0.36.0-rc1 github:0.35.1 github:0.35.0 github:0.35.0-rc2 github:0.35.0-rc1 github:0.35.0-alpha5 github:0.35.0-alpha4 github:0.35.0-alpha3 github:0.35.0-alpha2 github:0.35.0-alpha1 github:0.34.1 github:0.34.0 github:0.33.1 github:0.33.0 github:0.32.2 github:0.32.1 github:0.32.0 github:0.31.1 github:0.31.0 github:0.30.0 github:0.29.1 github:0.29.0 github:0.28.1 github:0.28.0 github:0.27.0 github:0.26.2 github:0.26.1 github:0.26.0 github:0.25.0 github:0.24.0 github:0.23.0 github:0.22.1 github:0.22.0 github:0.21.0 github:0.20.0 github:0.19.0 github:0.18.0 github:0.17.1 github:0.17.0 github:0.16.0 github:0.15.3 github:0.15.2 github:0.15.1 github:0.15.0 github:0.14.0 github:0.13.1 github:0.13.0 github:agent/0.85.1 github:0.12.1 github:0.12.0 github:agent/0.85.0 github:agent/0.84.2 github:agent/0.84.3 github:agent/0.84.1 github:agent/0.84.0 github:0.11.1 github:0.11.0 github:agent/0.83.1 github:agent/0.83.0 github:agent/0.81.0 github:agent/0.82.0 github:agent/0.80.2 github:agent/0.80.1 github:0.10.0 github:agent/0.80.0 github:agent/0.79.0 github:agent/0.79.1 github:agent/0.78.0 github:agent/0.78.1 github:agent/0.76.4 github:agent/0.77.0 github:agent/0.76.3 github:0.9.0 github:agent/0.76.0 github:agent/0.76.1 github:agent/0.76.2 github:agent/0.75.0 github:agent/0.74.0 github:agent/0.73.2 github:agent/0.73.1 github:agent/0.73.0 github:agent/0.72.4 github:agent/0.72.0 github:agent/0.72.1 github:agent/0.72.2 github:agent/0.72.3 github:agent/0.71.0 github:agent/0.70.0 github:0.8.1 github:0.8.0 github:agent/0.69.0 github:agent/0.68.0 github:agent/0.66.0 github:agent/0.67.0 github:agent/0.65.0 github:agent/0.65.1 github:agent/0.63.0 github:agent/0.63.1 github:agent/0.64.0 github:agent/0.61.0 github:agent/0.62.0 github:0.7.0 github:0.6.1 github:agent/0.60.0 github:agent/0.59.0 github:agent/0.58.0 github:agent/0.57.0 github:agent/0.56.0 github:0.6.0 github:0.6.0-test github:agent/0.55.0 github:agent/0.54.0 github:agent/0.53.0 github:agent/0.52.0 github:agent/0.51.0 github:agent/0.50.1 github:agent/0.50.0 github:0.5.0 github:agent/0.49.1 github:agent/0.49.0 github:agent/0.48.0 github:agent/0.47.0 github:agent/0.46.0 github:agent/0.45.0 github:agent/0.44.0 github:agent/0.43.0 github:0.4.0 github:agent/0.42.0 github:agent/0.40.0 github:agent/0.41.0 github:0.3.0 github:v0.2.0 github:v0.1.0
..
compare: github:libhawk-rules
Branches Tags
github:fix/buffered_outputs github:fix/http-output-on-non-linux-platforms github:dependabot/submodules/submodules/falcosecurity-rules-048d2f8 github:master github:feat/capture-events-filesize-limits github:update/libs github:3485_webserver_with_own_uid_gid github:release/0.43.x github:ekoops-patch-1 github:release/0.42.x github:release/0.41.x github:test/wip github:new/musl_static_aarch64 github:release/0.40.x github:release/0.39.x github:wip/test_libs_master github:release/0.38.x github:generalize-indexable-ruleset-polymorphic github:chore/test_pr1803 github:LucaGuerra-patch-1 github:release/0.37.x github:fix_CI_5 github:chore/use_actuated_helper github:fix_CI_4 github:bump_falco_latest_libs github:new/static_aarch64 github:fix/use_plugin_name github:new/mode-in-config github:release/0.36.x github:test_filterchecks github:test_release_0.36.0 github:fix/workaround_glibc_bug_timer_delete github:wip/test github:add-load-files-method github:test/ci github:update/pidfile-usage-doc github:bump_libs_andrea github:release/0.35.x github:remove-source-ruleset-overwrite-when-loading github:mstemm-works-with-latest-libs github:test/PR546 github:test/PR959 github:libs_bump github:release/0.34.x github:release/0.34.0 github:fix/kmod_cleanup github:chore/move-rules-to-their-repo github:enable_maintainers_gh_jobs github:dev_docker github:fix/dev_version github:exec-hashes github:falco_modern_probe github:release/0.33.1 github:test_modern_probe github:fix/docker_img_host_root_runtime github:release/0.33.0 github:test_falco_bump github:chore/falco_lock_file github:fix_falco_service github:test_deb_rpm github:buffer_dimension github:testing/falco-0-32-3/issue/1909 github:test/libs/pr/567 github:test/new_libs github:release/0.32.2 github:update/remove-mesos-support github:remove-fntlnz github:test/libs/pr/213 github:leogr-patch-1 github:build/fix-conffiles github:add-app-actions github:add-app-actions-prerebase-2 github:add-grpc-rules-loading github:fix-plugins-issue-56 github:field-properties-changes github:embed-lua-scripts github:new/plugin-system-api-additions-prerebase github:embeddable-falco-engine github:build/apply-libs-pr-41 github:build/upgrade-driver-version-mid2021 github:build/upgrade-driver-version-for-0-29-0 github:build/update-driver-version-wip github:hotfix/grpc-in-packages github:use-url-safe-chars-version github:rules-fp-fixes-2021-02 github:allow-unknown-sources github:libhawk-rules github:build/docs github:update/cli github:update/logo github:caniszczyk-patch-1 github:new/logger github:new/inspect-per-cpu github:new/ci-build-aarch64 github:release/0.26.2 github:temporary/test-ci-broken-tests github:libhawk github:add-exceptions-support-copy2 github:add-exceptions-support-copy github:chore/remove-time-macrodefs github:update/release-drivers github:rules-bash-history-top-only github:fix/scripts-modprobe github:perf-experiments github:fix/1272 github:fix/1272-test github:readme-update github:proposal/rules-engine-version-scope github:nova-debug github:falco-driver-loader-dockerfile github:chore/integration-grpc-with-event-generator github:feat/grpc-integration-tests github:new/profiler github:falco-arm-support github:falco-on-arm github:feature/inputs-mvp github:adding-install-script github:feat/modulecheck github:falco-release-0-17-0 github:falco-release-0-17-1 github:add-addl-pst-owners github:683-handle-sinsp-errors github:allow-regex-chars-rule-names github:backup-master github:add-context-to-rules-errors
github:0.43.0 github:0.43.0-rc4 github:0.43.0-rc3 github:0.43.0-rc2 github:0.43.0-rc1 github:0.42.1 github:0.42.0 github:0.42.0-rc4 github:0.42.0-rc3 github:0.42.0-rc2 github:0.42.0-rc1 github:0.41.3 github:0.41.2 github:0.41.1 github:0.41.1-rc1 github:0.41.0 github:0.41.0-rc2 github:0.41.0-rc1 github:0.40.0 github:0.40.0-rc1 github:0.39.2 github:0.39.1 github:0.39.1-rc1 github:0.39.0 github:0.39.0-rc3 github:0.39.0-rc2 github:0.39.0-rc1 github:0.38.2 github:0.38.2-rc2 github:0.38.2-rc1 github:0.38.1 github:0.38.1-rc1 github:0.38.0 github:0.38.0-rc5 github:0.38.0-rc4 github:0.38.0-rc3 github:0.38.0-rc2 github:0.38.0-rc1 github:0.37.1 github:0.37.1-rc1 github:0.37.0 github:0.37.0-rc3 github:0.37.0-rc2 github:0.37.0-rc1 github:0.36.2 github:0.36.2-rc1 github:0.36.1 github:0.36.1-rc1 github:0.36.0 github:0.36.0-rc3 github:0.36.0-rc2 github:0.36.0-rc1 github:0.35.1 github:0.35.0 github:0.35.0-rc2 github:0.35.0-rc1 github:0.35.0-alpha5 github:0.35.0-alpha4 github:0.35.0-alpha3 github:0.35.0-alpha2 github:0.35.0-alpha1 github:0.34.1 github:0.34.0 github:0.33.1 github:0.33.0 github:0.32.2 github:0.32.1 github:0.32.0 github:0.31.1 github:0.31.0 github:0.30.0 github:0.29.1 github:0.29.0 github:0.28.1 github:0.28.0 github:0.27.0 github:0.26.2 github:0.26.1 github:0.26.0 github:0.25.0 github:0.24.0 github:0.23.0 github:0.22.1 github:0.22.0 github:0.21.0 github:0.20.0 github:0.19.0 github:0.18.0 github:0.17.1 github:0.17.0 github:0.16.0 github:0.15.3 github:0.15.2 github:0.15.1 github:0.15.0 github:0.14.0 github:0.13.1 github:0.13.0 github:agent/0.85.1 github:0.12.1 github:0.12.0 github:agent/0.85.0 github:agent/0.84.2 github:agent/0.84.3 github:agent/0.84.1 github:agent/0.84.0 github:0.11.1 github:0.11.0 github:agent/0.83.1 github:agent/0.83.0 github:agent/0.81.0 github:agent/0.82.0 github:agent/0.80.2 github:agent/0.80.1 github:0.10.0 github:agent/0.80.0 github:agent/0.79.0 github:agent/0.79.1 github:agent/0.78.0 github:agent/0.78.1 github:agent/0.76.4 github:agent/0.77.0 github:agent/0.76.3 github:0.9.0 github:agent/0.76.0 github:agent/0.76.1 github:agent/0.76.2 github:agent/0.75.0 github:agent/0.74.0 github:agent/0.73.2 github:agent/0.73.1 github:agent/0.73.0 github:agent/0.72.4 github:agent/0.72.0 github:agent/0.72.1 github:agent/0.72.2 github:agent/0.72.3 github:agent/0.71.0 github:agent/0.70.0 github:0.8.1 github:0.8.0 github:agent/0.69.0 github:agent/0.68.0 github:agent/0.66.0 github:agent/0.67.0 github:agent/0.65.0 github:agent/0.65.1 github:agent/0.63.0 github:agent/0.63.1 github:agent/0.64.0 github:agent/0.61.0 github:agent/0.62.0 github:0.7.0 github:0.6.1 github:agent/0.60.0 github:agent/0.59.0 github:agent/0.58.0 github:agent/0.57.0 github:agent/0.56.0 github:0.6.0 github:0.6.0-test github:agent/0.55.0 github:agent/0.54.0 github:agent/0.53.0 github:agent/0.52.0 github:agent/0.51.0 github:agent/0.50.1 github:agent/0.50.0 github:0.5.0 github:agent/0.49.1 github:agent/0.49.0 github:agent/0.48.0 github:agent/0.47.0 github:agent/0.46.0 github:agent/0.45.0 github:agent/0.44.0 github:agent/0.43.0 github:0.4.0 github:agent/0.42.0 github:agent/0.40.0 github:agent/0.41.0 github:0.3.0 github:v0.2.0 github:v0.1.0

19 Commits
0.29.0 ... libhawk-ru

Author SHA1 Message Date
Lorenzo Fontana
38dbf28057 chore: comment out again rules validation for now 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-01-21 10:50:47 +01:00
Lorenzo Fontana
3239c16391 update(userspace/libhawk): further explaination for rules provider 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-01-21 10:49:52 +01:00
Lorenzo Fontana
549a4c3041 update(userspace/libhawk): watch rules transactional pattern documentation 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-01-21 10:49:52 +01:00
Lorenzo Fontana
6e7256569c update(userspace): transactional interface for engine updates 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-01-21 10:49:52 +01:00
Lorenzo Fontana
c1805281ac update: rules provider configuration 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-01-21 10:49:52 +01:00
Lorenzo Fontana
90c890bc2a update: extension loading mechanism 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-01-21 10:49:51 +01:00
Lorenzo Fontana
24e2d175f0 update: library management code 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-01-21 10:49:51 +01:00
Lorenzo Fontana
4ccbd9d194 update: initial library loader 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-01-21 10:49:51 +01:00
Lorenzo Fontana
1957bc75b7 update(userspace/engine): copy constructor for falco_engine 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-01-21 10:49:51 +01:00
Lorenzo Fontana
f8c10f6c27 update(userspace): atomic falco engine delete previous instance 
Co-Authored-By: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-01-21 10:49:51 +01:00
Lorenzo Fontana
b90164bac1 update(userspace): engine atomic and express lifecycle with a namespace 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-01-21 10:49:49 +01:00
Lorenzo Fontana
538e7286bc new(userspace): libhawk lifecycle destruction management 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-01-21 10:49:32 +01:00
Lorenzo Fontana
344b8c002c new(userspace): initial lifecycle implementation 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-01-21 10:49:32 +01:00
Lorenzo Fontana
f87e6f1871 chore: restore the classic flags for a future refactor for the new 
functionalities

Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-01-21 10:49:31 +01:00
Lorenzo Fontana
cd71f62f04 update(userspace): pointer to pointer in hawk_engine rules_cb 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-01-21 10:48:29 +01:00
Leonardo Di Donato
458f7ccd3b new(userspace): use conditional_variable to signal when we have a 
ready-to-use (with rules) falco engine

Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-01-21 10:47:35 +01:00
Leonardo Di Donato
305cb62162 new(userspace/falco): destroy rules watcher when needed 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-01-21 10:45:59 +01:00
Leonardo Di Donato
1a5a55a002 new(userspace): make hawk_watch_rules aware of the engine 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-01-21 10:45:57 +01:00
Lorenzo Fontana
387908d075 new(userspace): initial draft for libhawk 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
 2021-01-21 10:38:58 +01:00
88 changed files with 2997 additions and 2459 deletions
Expand all files Collapse all files

200
.circleci/config.yml
View File

@@ -368,49 +368,59 @@ jobs:
root: /
paths:
- build/release/*.rpm
# Publish the dev packages
# Publish the packages
"publish/packages-dev":
docker:
- image: docker.io/centos:7
- image: docker.bintray.io/jfrog/jfrog-cli-go:latest
steps:
- attach_workspace:
at: /
- run:
name: Setup
command: |
yum install epel-release -y
yum update -y
yum install createrepo gpg python python-pip -y
pip install awscli==1.19.47
echo $GPG_KEY | base64 -d | gpg --import
- run:
name: Publish rpm-dev
name: Create versions
command: |
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
/source/falco/scripts/publish-rpm -f /build/release/falco-${FALCO_VERSION}-x86_64.rpm -r rpm-dev
- run:
name: Publish bin-dev
command: |
FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
/source/falco/scripts/publish-bin -f /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz -r bin-dev -a x86_64
"publish/packages-deb-dev":
docker:
- image: docker.io/debian:stable
steps:
- attach_workspace:
at: /
- run:
name: Setup
command: |
apt update -y
apt-get install apt-utils bzip2 gpg python python-pip -y
pip install awscli
echo $GPG_KEY | base64 -d | gpg --import
jfrog bt vs falcosecurity/deb-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/deb-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
jfrog bt vs falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/rpm-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
jfrog bt vs falcosecurity/bin-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/bin-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
- run:
name: Publish deb-dev
command: |
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
/source/falco/scripts/publish-deb -f /build/release/falco-${FALCO_VERSION}-x86_64.deb -r deb-dev
jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb-dev/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --override
- run:
name: Publish rpm-dev
command: |
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
- run:
name: Publish bin-dev
command: |
FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
jfrog bt u /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
# Clenup the Falco development release packages
"cleanup/packages-dev":
docker:
- image: docker.bintray.io/jfrog/jfrog-cli-go:latest
steps:
- checkout:
path: /source/falco
- run:
name: Prepare env
command: |
apk add --no-cache --update
apk add curl jq
- run:
name: Only keep the 10 most recent Falco development release tarballs
command: |
/source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r bin-dev
- run:
name: Only keep the 50 most recent Falco development release RPMs
command: |
/source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r rpm-dev
- run:
name: Only keep the 50 most recent Falco development release DEBs
command: |
/source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r deb-dev
# Publish docker packages
"publish/docker-dev":
docker:
@@ -452,19 +462,7 @@ jobs:
- checkout
- setup_remote_docker
- run:
name: Build and publish no-driver (dev) to AWS
command: |
apk update
apk add --update groff less py-pip
pip install awscli
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
docker build --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t "public.ecr.aws/falcosecurity/falco-no-driver:master" docker/no-driver
docker tag public.ecr.aws/falcosecurity/falco-no-driver:master public.ecr.aws/falcosecurity/falco:master-slim
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
docker push "public.ecr.aws/falcosecurity/falco-no-driver:master"
docker push "public.ecr.aws/falcosecurity/falco:master-slim"
- run:
name: Build and publish falco (dev) to AWS
name: Build and publish falco to AWS
command: |
apk update
apk add --update groff less py-pip
@@ -473,58 +471,35 @@ jobs:
docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t "public.ecr.aws/falcosecurity/falco:master" docker/falco
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
docker push "public.ecr.aws/falcosecurity/falco:master"
- run:
name: Build and publish driver-loader (dev) to AWS
command: |
apk update
apk add --update groff less py-pip
pip install awscli
docker build --build-arg FALCO_IMAGE_TAG=master -t "public.ecr.aws/falcosecurity/falco-driver-loader:master" docker/driver-loader
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
docker push "public.ecr.aws/falcosecurity/falco-driver-loader:master"
# Publish the packages
"publish/packages":
docker:
- image: docker.io/centos:7
- image: docker.bintray.io/jfrog/jfrog-cli-go:latest
steps:
- attach_workspace:
at: /
- run:
name: Setup
command: |
yum install epel-release -y
yum update -y
yum install createrepo gpg python python-pip -y
pip install awscli==1.19.47
echo $GPG_KEY | base64 -d | gpg --import
- run:
name: Publish rpm
name: Create versions
command: |
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
/source/falco/scripts/publish-rpm -f /build/release/falco-${FALCO_VERSION}-x86_64.rpm -r rpm
- run:
name: Publish bin
command: |
FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
/source/falco/scripts/publish-bin -f /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz -r bin -a x86_64
"publish/packages-deb":
docker:
- image: docker.io/debian:stable
steps:
- attach_workspace:
at: /
- run:
name: Setup
command: |
apt update -y
apt-get install apt-utils bzip2 gpg python python-pip -y
pip install awscli
echo $GPG_KEY | base64 -d | gpg --import
jfrog bt vs falcosecurity/deb/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/deb/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
jfrog bt vs falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/rpm/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
jfrog bt vs falcosecurity/bin/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/bin/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
- run:
name: Publish deb
command: |
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
/source/falco/scripts/publish-deb -f /build/release/falco-${FALCO_VERSION}-x86_64.deb -r deb
jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --override
- run:
name: Publish rpm
command: |
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
- run:
name: Publish bin
command: |
FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
jfrog bt u /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
# Publish docker packages
"publish/docker":
docker:
@@ -571,21 +546,6 @@ jobs:
at: /
- checkout
- setup_remote_docker
- run:
name: Build and publish no-driver to AWS
command: |
apk update
apk add --update groff less py-pip
pip install awscli
docker build --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" docker/no-driver
docker tag "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" public.ecr.aws/falcosecurity/falco-no-driver:latest
docker tag "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}-slim"
docker tag "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" "public.ecr.aws/falcosecurity/falco:latest-slim"
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
docker push "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}-slim"
docker push "public.ecr.aws/falcosecurity/falco:latest-slim"
docker push "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}"
docker push "public.ecr.aws/falcosecurity/falco-no-driver:latest"
- run:
name: Build and publish falco to AWS
command: |
@@ -597,17 +557,6 @@ jobs:
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
docker push "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}"
docker push "public.ecr.aws/falcosecurity/falco:latest"
- run:
name: Build and publish falco-driver-loader to AWS
command: |
apk update
apk add --update groff less py-pip
pip install awscli
docker build --build-arg FALCO_IMAGE_TAG=${CIRCLE_TAG} -t "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}" docker/driver-loader
docker tag "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}" public.ecr.aws/falcosecurity/falco-driver-loader:latest
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
docker push "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}"
docker push "public.ecr.aws/falcosecurity/falco-driver-loader:latest"
workflows:
version: 2
build_and_test:
@@ -639,9 +588,7 @@ workflows:
requires:
- "tests/integration"
- "publish/packages-dev":
context:
- falco
- test-infra
context: falco
filters:
tags:
ignore: /.*/
@@ -650,17 +597,15 @@ workflows:
requires:
- "rpm/sign"
- "tests/integration-static"
- "publish/packages-deb-dev":
context:
- falco
- test-infra
- "cleanup/packages-dev":
context: falco
filters:
tags:
ignore: /.*/
branches:
only: master
requires:
- "tests/integration"
- "publish/packages-dev"
- "publish/docker-dev":
context: falco
filters:
@@ -670,7 +615,6 @@ workflows:
only: master
requires:
- "publish/packages-dev"
- "publish/packages-deb-dev"
- "tests/driver-loader/integration"
- "publish/container-images-aws-dev":
context: test-infra # contains Falco AWS credentials
@@ -706,9 +650,7 @@ workflows:
branches:
ignore: /.*/
- "publish/packages":
context:
- falco
- test-infra
context: falco
requires:
- "build/musl"
- "rpm/sign"
@@ -717,24 +659,10 @@ workflows:
only: /.*/
branches:
ignore: /.*/
- "publish/packages-deb":
context:
- falco
- test-infra
requires:
- "build/centos7"
filters:
tags:
only: /.*/
branches:
ignore: /.*/
- "publish/docker":
context:
- falco
- test-infra
context: falco
requires:
- "publish/packages"
- "publish/packages-deb"
filters:
tags:
only: /.*/

2
.github/PULL_REQUEST_TEMPLATE.md vendored
View File

@@ -1,6 +1,6 @@
<!-- Thanks for sending a pull request! Here are some tips for you:
1. If this is your first time, please read our contributor guidelines in the [CONTRIBUTING.md](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md) file and learn how to compile Falco from source [here](https://falco.org/docs/source).
1. If this is your first time, please read our contributor guidelines in the [CONTRIBUTING.md](CONTRIBUTING.md) file and learn how to compile Falco from source [here](https://falco.org/docs/source).
2. Please label this pull request according to what type of issue you are addressing.
3. . Please add a release note!
4. If the PR is unfinished while opening it specify a wip in the title before the actual title, for example, "wip: my awesome feature"

37
ADOPTERS.md
View File

@@ -1,25 +1,7 @@
# Adopters
Known end users with notable contributions to the project include:
* AWS
* IBM
* Red Hat
Falco is being used by numerous other companies, both large and small, to build higher layer products and services. The list includes but is not limited to:
* Equinix Metal
* IEEE
* Lowes
* Reckrut
* Yellow Pepper
* CTx
* Utikal
* Discrete Events
* Agritech Infra
This is a list of production adopters of Falco (in alphabetical order):
* [ASAPP](https://www.asapp.com/) - ASAPP is a pushing the boundaries of fundamental artificial intelligence research. We apply our research into AI-Native® products that make organizations, in the customer experience industry, highly productive, efficient, and effective—by augmenting human activity and automating workflows. We constantly monitor our workloads against different hazards and FALCO helps us extend our threat monitoring boundaries.
* [Booz Allen Hamilton](https://www.boozallen.com/) - BAH leverages Falco as part of their Kubernetes environment to verify that work loads behave as they did in their CD DevSecOps pipelines. BAH offers a solution to internal developers to easily build DevSecOps pipelines for projects. This makes it easy for developers to incorporate Security principles early on in the development cycle. In production, Falco is used to verify that the code the developer ships does not violate any of the production security requirements. BAH [are speaking at Kubecon NA 2019](https://kccncna19.sched.com/event/UaWr/building-reusable-devsecops-pipelines-on-a-secure-kubernetes-platform-steven-terrana-booz-allen-hamilton-michael-ducy-sysdig) on their use of Falco.
* [Coveo](https://www.coveo.com/) - Coveo stitches together content and data, learning from every interaction, to tailor every experience using AI to drive growth, satisfy customers and develop employee proficiency. All Falco events are centralized in our SIEM for analysis. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions with containers and orchestration systems. Falco is giving us a good visibility inside containers and complement other Host and Network Intrusion Detection Systems. In a near future, we expect to deploy serverless functions to take action when Falco identifies patterns worth taking action for.
@@ -33,17 +15,9 @@ This is a list of production adopters of Falco (in alphabetical order):
* [Logz.io](https://logz.io/) - Logz.io is a cloud observability platform for modern engineering teams. The Logz.io platform consists of three products — Log Management, Infrastructure Monitoring, and Cloud SIEM — that work together to unify the jobs of monitoring, troubleshooting, and security. We empower engineers to deliver better software by offering the world's most popular open source observability tools — the ELK Stack, Grafana, and Jaeger — in a single, easy to use, and powerful platform purpose-built for monitoring distributed cloud environments. Cloud SIEM supports data from multiple sources, including Falco's alerts, and offers useful rules and dashboards content to visualize and manage incidents across your systems in a unified UI.
* https://logz.io/blog/k8s-security-with-falco-and-cloud-siem/
* [MathWorks](https://mathworks.com) - MathWorks develops mathematical computing software for engineers and scientists. MathWorks uses Falco for Kubernetes threat detection, unexpected application behavior, and maps Falco rules to their cloud infrastructure's security kill chain model. MathWorks presented their Falco use case at [KubeCon + CloudNativeCon North America 2020](https://www.youtube.com/watch?v=L-5RYBTV010).
* [Pocteo](https://pocteo.co) - Pocteo helps with Kubernetes adoption in enterprises by providing a variety of services such as training, consulting, auditing and mentoring. We build CI/CD pipelines the GitOps way, as well as design and run k8s clusters. Pocteo uses Falco as a runtime monitoring system to secure clients' workloads against suspicious behavior and ensure k8s pods immutability. We also use Falco to collect, process and act on security events through a response engine and serverless functions.
* [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPPA compliance requirements.
* https://hipaa.preferral.com/01-preferral_hipaa_compliance/
* [Replicated](https://www.replicated.com/) - Replicated is the modern way to ship on-prem software. Replicated gives software vendors a container-based platform for easily deploying cloud native applications inside customers' environments to provide greater security and control. Replicated uses Falco as runtime security to detect threats in the Kubernetes clusters which host our critical SaaS services.
* [Secureworks](https://www.secureworks.com/) - Secureworks is a leading worldwide cybersecurity company with a cloud-native security product that combines the power of human intellect with security analytics to unify detection and response across cloud, network, and endpoint environments for improved security operations and outcomes. Our Taegis XDR platform and detection system processes petabytes of security relevant data to expose active threats amongst the billions of daily events from our customers. We are proud to protect our platforms Kubernetes deployments, as well as help our customers protect their own Linux and container environments, using Falco.
* [Shopify](https://www.shopify.com) - Shopify is the leading multi-channel commerce platform. Merchants use Shopify to design, set up, and manage their stores across multiple sales channels, including mobile, web, social media, marketplaces, brick-and-mortar locations, and pop-up shops. The platform also provides merchants with a powerful back-office and a single view of their business, from payments to shipping. The Shopify platform was engineered for reliability and scale, making enterprise-level technology available to businesses of all sizes. Shopify uses Falco to complement its Host and Network Intrusion Detection Systems.
* [Sight Machine](https://www.sightmachine.com) - Sight Machine is the category leader for manufacturing analytics and used by Global 500 companies to make better, faster decisions about their operations. Sight Machine uses Falco to help enforce SOC2 compliance as well as a tool for real time security monitoring and alerting in Kubernetes.
@@ -52,14 +26,5 @@ This is a list of production adopters of Falco (in alphabetical order):
* [Sumo Logic](https://www.sumologic.com/) - Sumo Logic provides a SaaS based log aggregation service that provides dashboards and applications to easily identify and analyze problems in your application and infrastructure. Sumo Logic provides native integrations for many CNCF projects, such as Falco, that allows end users to easily collect Falco events and analyze Falco events on DecSecOps focused dashboards.
* [Swissblock Technologies](https://swissblock.net/) At Swissblock we connect the dots by combining cutting-edge algorithmic trading strategies with in-depth market analysis. We route all Falco events to our control systems, both monitoring and logging. Being able to deeply analyse alerts, we can understand what is running on our Kubernetes clusters and check against security policies, specifically defined for each workload. A set of alarms notifies us in case of critical events, letting us react fast. In the near future we plan to build a little application to route Kubernetes internal events directly to Falco, fully leveraging Falco PodSecurityPolicies analyses.
* [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
* [Shapesecurity/F5] (https://www.shapesecurity.com/) Shapesecurity defends against application fraud attacks like Account Take Over, Credential Stuffing, Fake Accounts, etc. Required by FedRamp certification, we needed to find a FIM solution to help monitor and protect our Kubernetes clusters. Traditional FIM solutions were not scalable and not working for our environment, but with Falco we found the solution we needed. Falco's detection capabilities have helped us identify anomalous behaviour within our clusters. We leverage Sidekick (https://github.com/falcosecurity/charts/tree/master/falcosidekick) to send Falco alerts to a PubSub which in turn publishes those alerts to our SIEM (SumoLogic)
* [Yahoo! JAPAN](https://www.yahoo.co.jp/) Yahoo! JAPAN is a leading company of internet in Japan. We build an AI Platform in our private cloud and provide it to scientists in our company. AI Platform is a multi-tenant Kubernetes environment and more flexible, faster, more efficient Machine Learning environment. Falco is used to detect unauthorized commands and malicious access and our AI Platform is monitored and alerted by Falco.
* [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
## Adding a name
If you would like to add your name to this file, submit a pull request with your change.

166
CHANGELOG.md
View File

@@ -1,171 +1,5 @@
# Change Log
## v0.29.0
Released on 2021-06-21
### Minor Changes
* update: driver version is 17f5df52a7d9ed6bb12d3b1768460def8439936d now [[#1669](https://github.com/falcosecurity/falco/pull/1669)] - [@leogr](https://github.com/leogr)
### Rule Changes
* rule(list miner_domains): add rx.unmineable.com for anti-miner detection [[#1676](https://github.com/falcosecurity/falco/pull/1676)] - [@fntlnz](https://github.com/fntlnz)
* rule(Change thread namespace and Set Setuid or Setgid bit): disable by default [[#1632](https://github.com/falcosecurity/falco/pull/1632)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(list known_sa_list): add namespace-controller, statefulset-controller, disruption-controller, job-controller, horizontal-pod-autoscaler and persistent-volume-binder as allowed service accounts in the kube-system namespace [[#1659](https://github.com/falcosecurity/falco/pull/1659)] - [@sboschman](https://github.com/sboschman)
* rule(Non sudo setuid): check user id as well in case user name info is not available [[#1665](https://github.com/falcosecurity/falco/pull/1665)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(Debugfs Launched in Privileged Container): fix typo in description [[#1657](https://github.com/falcosecurity/falco/pull/1657)] - [@Kaizhe](https://github.com/Kaizhe)
### Non user-facing changes
* Fix link to CONTRIBUTING.md in the Pull Request Template [[#1679](https://github.com/falcosecurity/falco/pull/1679)] - [@tspearconquest](https://github.com/tspearconquest)
* fetch libs and drivers from the new repo [[#1552](https://github.com/falcosecurity/falco/pull/1552)] - [@leogr](https://github.com/leogr)
* build(test): upgrade urllib3 to 1.26.5 [[#1666](https://github.com/falcosecurity/falco/pull/1666)] - [@leogr](https://github.com/leogr)
* revert: add notes for 0.28.2 release [[#1663](https://github.com/falcosecurity/falco/pull/1663)] - [@maxgio92](https://github.com/maxgio92)
* changelog: add notes for 0.28.2 release [[#1661](https://github.com/falcosecurity/falco/pull/1661)] - [@maxgio92](https://github.com/maxgio92)
* docs(release.md): add blog announcement to post-release tasks [[#1652](https://github.com/falcosecurity/falco/pull/1652)] - [@maxgio92](https://github.com/maxgio92)
* add Yahoo!Japan as an adopter [[#1651](https://github.com/falcosecurity/falco/pull/1651)] - [@ukitazume](https://github.com/ukitazume)
* Add Replicated to adopters [[#1649](https://github.com/falcosecurity/falco/pull/1649)] - [@diamonwiggins](https://github.com/diamonwiggins)
* docs(proposals): fix libs contribution name [[#1641](https://github.com/falcosecurity/falco/pull/1641)] - [@leodido](https://github.com/leodido)
## v0.28.1
Released on 2021-05-07
### Major Changes
* new: `--support` output now includes info about the Falco engine version [[#1581](https://github.com/falcosecurity/falco/pull/1581)] - [@mstemm](https://github.com/mstemm)
* new: Falco outputs an alert in the unlikely situation it's receiving too many consecutive timeouts without an event [[#1622](https://github.com/falcosecurity/falco/pull/1622)] - [@leodido](https://github.com/leodido)
* new: configuration field `syscall_event_timeouts.max_consecutive` to configure after how many consecutive timeouts without an event Falco must alert [[#1622](https://github.com/falcosecurity/falco/pull/1622)] - [@leodido](https://github.com/leodido)
### Minor Changes
* build: enforcing hardening flags by default [[#1604](https://github.com/falcosecurity/falco/pull/1604)] - [@leogr](https://github.com/leogr)
### Bug Fixes
* fix: do not stop the webserver for k8s audit logs when invalid data is coming in the event to be processed [[#1617](https://github.com/falcosecurity/falco/pull/1617)] - [@fntlnz](https://github.com/fntlnz)
### Rule Changes
* rule(macro: allowed_aws_ecr_registry_root_for_eks): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [[#1640](https://github.com/falcosecurity/falco/pull/1640)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(macro: aws_eks_core_images): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [[#1640](https://github.com/falcosecurity/falco/pull/1640)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(macro: aws_eks_image_sensitive_mount): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [[#1640](https://github.com/falcosecurity/falco/pull/1640)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(list `falco_privileged_images`): remove deprecated Falco's OCI image repositories [[#1634](https://github.com/falcosecurity/falco/pull/1634)] - [@maxgio92](https://github.com/maxgio92)
* rule(list `falco_sensitive_mount_images`): remove deprecated Falco's OCI image repositories [[#1634](https://github.com/falcosecurity/falco/pull/1634)] - [@maxgio92](https://github.com/maxgio92)
* rule(macro `k8s_containers`): remove deprecated Falco's OCI image repositories [[#1634](https://github.com/falcosecurity/falco/pull/1634)] - [@maxgio92](https://github.com/maxgio92)
* rule(macro: python_running_sdchecks): macro removed [[#1620](https://github.com/falcosecurity/falco/pull/1620)] - [@leogr](https://github.com/leogr)
* rule(Change thread namespace): remove python_running_sdchecks exception [[#1620](https://github.com/falcosecurity/falco/pull/1620)] - [@leogr](https://github.com/leogr)
### Non user-facing changes
* urelease/docs: fix link and small refactor in the text [[#1636](https://github.com/falcosecurity/falco/pull/1636)] - [@cpanato](https://github.com/cpanato)
* Add Secureworks to adopters [[#1629](https://github.com/falcosecurity/falco/pull/1629)] - [@dwindsor-scwx](https://github.com/dwindsor-scwx)
* regression test for malformed k8s audit input (FAL-01-003) [[#1624](https://github.com/falcosecurity/falco/pull/1624)] - [@leodido](https://github.com/leodido)
* Add mathworks to adopterlist [[#1621](https://github.com/falcosecurity/falco/pull/1621)] - [@natchaphon-r](https://github.com/natchaphon-r)
* adding known users [[#1623](https://github.com/falcosecurity/falco/pull/1623)] - [@danpopSD](https://github.com/danpopSD)
* docs: update link for HackMD community call notes [[#1614](https://github.com/falcosecurity/falco/pull/1614)] - [@leodido](https://github.com/leodido)
## v0.28.0
Released on 2021-04-12
### Major Changes
* BREAKING CHANGE: Bintray is deprecated, no new packages will be published at https://dl.bintray.com/falcosecurity/ [[#1577](https://github.com/falcosecurity/falco/pull/1577)] - [@leogr](https://github.com/leogr)
* BREAKING CHANGE: SKIP_MODULE_LOAD env variable no more disables the driver loading (use SKIP_DRIVER_LOADER env variable introduced in Falco 0.24) [[#1599](https://github.com/falcosecurity/falco/pull/1599)] - [@leodido](https://github.com/leodido)
* BREAKING CHANGE: the init.d service unit is not shipped anymore in deb/rpm packages in favor of a systemd service file [[#1448](https://github.com/falcosecurity/falco/pull/1448)] - [@jenting](https://github.com/jenting)
* new: add support for exceptions as rule attributes to provide a compact way to add exceptions to Falco rules [[#1427](https://github.com/falcosecurity/falco/pull/1427)] - [@mstemm](https://github.com/mstemm)
* new: falco-no-driver container images on AWS ECR gallery (https://gallery.ecr.aws/falcosecurity/falco-no-driver) [[#1519](https://github.com/falcosecurity/falco/pull/1519)] - [@jonahjon](https://github.com/jonahjon)
* new: falco-driver-loader container images on AWS ECR gallery (https://gallery.ecr.aws/falcosecurity/falco-driver-loader) [[#1519](https://github.com/falcosecurity/falco/pull/1519)] - [@jonahjon](https://github.com/jonahjon)
* new: add healthz endpoint to the webserver [[#1546](https://github.com/falcosecurity/falco/pull/1546)] - [@cpanato](https://github.com/cpanato)
* new: introduce a new configuration field `syscall_event_drops.threshold` to tune the drop noisiness [[#1586](https://github.com/falcosecurity/falco/pull/1586)] - [@leodido](https://github.com/leodido)
* new: falco-driver-loader script can get a custom driver name from DRIVER_NAME env variable [[#1488](https://github.com/falcosecurity/falco/pull/1488)] - [@leodido](https://github.com/leodido)
* new: falco-driver-loader know the Falco version [[#1488](https://github.com/falcosecurity/falco/pull/1488)] - [@leodido](https://github.com/leodido)
### Minor Changes
* docs(proposals): libraries and drivers donation [[#1530](https://github.com/falcosecurity/falco/pull/1530)] - [@leodido](https://github.com/leodido)
* docs(docker): update links to the new Falco website URLs [[#1545](https://github.com/falcosecurity/falco/pull/1545)] - [@cpanato](https://github.com/cpanato)
* docs(test): update links to new Falco website URLs [[#1563](https://github.com/falcosecurity/falco/pull/1563)] - [@shane-lawrence](https://github.com/shane-lawrence)
* build: now Falco packages are published at https://download.falco.org [[#1577](https://github.com/falcosecurity/falco/pull/1577)] - [@leogr](https://github.com/leogr)
* update: lower the `syscall_event_drops.max_burst` default value to 1 [[#1586](https://github.com/falcosecurity/falco/pull/1586)] - [@leodido](https://github.com/leodido)
* update: falco-driver-loader tries to download a Falco driver before then compiling it on the fly for the host [[#1599](https://github.com/falcosecurity/falco/pull/1599)] - [@leodido](https://github.com/leodido)
* docs(test): document the prerequisites for running the integration test suite locally [[#1609](https://github.com/falcosecurity/falco/pull/1609)] - [@fntlnz](https://github.com/fntlnz)
* update: Debian/RPM package migrated from init to systemd [[#1448](https://github.com/falcosecurity/falco/pull/1448)] - [@jenting](https://github.com/jenting)
### Bug Fixes
* fix(userspace/engine): properly handle field extraction over lists of containers when not all containers match the specified sub-properties [[#1601](https://github.com/falcosecurity/falco/pull/1601)] - [@mstemm](https://github.com/mstemm)
* fix(docker/falco): add flex and bison dependency to container image [[#1562](https://github.com/falcosecurity/falco/pull/1562)] - [@schans](https://github.com/schans)
* fix: ignore action can not be used with log and alert ones (`syscall_event_drops` config) [[#1586](https://github.com/falcosecurity/falco/pull/1586)] - [@leodido](https://github.com/leodido)
* fix(userspace/engine): allows fields starting with numbers to be parsed properly [[#1598](https://github.com/falcosecurity/falco/pull/1598)] - [@mstemm](https://github.com/mstemm)
### Rule Changes
* rule(Write below monitored dir): improve rule description [[#1588](https://github.com/falcosecurity/falco/pull/1588)] - [@stevenshuang](https://github.com/stevenshuang)
* rule(macro allowed_aws_eks_registry_root): macro to match the official eks registry [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(macro aws_eks_image): match aws image repository for eks [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(macro aws_eks_image_sensitive_mount): match aws cni images [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(macro k8s_containers): include fluent/fluentd-kubernetes-daemonset and prom/prometheus [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(Launch Privileged Container): exclude aws_eks_image [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(Launch Sensitive Mount Container): exclude aws_eks_image_sensitive_mount [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(Debugfs Launched in Privileged Container): new rule [[#1583](https://github.com/falcosecurity/falco/pull/1583)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(Mount Launched in Privileged Container): new rule [[#1583](https://github.com/falcosecurity/falco/pull/1583)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(Set Setuid or Setgid bit): add k3s-agent in the whitelist [[#1583](https://github.com/falcosecurity/falco/pull/1583)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(macro user_ssh_directory): using glob operator [[#1560](https://github.com/falcosecurity/falco/pull/1560)] - [@shane-lawrence](https://github.com/shane-lawrence)
* rule(list falco_sensitive_mount_containers): added image exceptions for IBM cloud [[#1337](https://github.com/falcosecurity/falco/pull/1337)] - [@nibalizer](https://github.com/nibalizer)
* rule(list rpm_binaries): add rhsmcertd [[#1385](https://github.com/falcosecurity/falco/pull/1385)] - [@epcim](https://github.com/epcim)
* rule(list deb_binaries): add apt.systemd.daily [[#1385](https://github.com/falcosecurity/falco/pull/1385)] - [@epcim](https://github.com/epcim)
* rule(Sudo Potential Privilege Escalation): new rule created to detect CVE-2021-3156 [[#1543](https://github.com/falcosecurity/falco/pull/1543)] - [@darryk10](https://github.com/darryk10)
* rule(list allowed_k8s_users): add `eks:node-manager` [[#1536](https://github.com/falcosecurity/falco/pull/1536)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(list mysql_mgmt_binaries): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(list db_mgmt_binaries): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_ansible_running_python): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_bro_running_python): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_python_running_denyhosts): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_linux_image_upgrade_script): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_java_running_echo): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_scripting_running_builds): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_Xvfb_running_xkbcomp): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_nginx_running_serf): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_node_running_npm): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_java_running_sbt): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(list known_container_shell_spawn_cmdlines): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(list known_shell_spawn_binaries): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro run_by_puppet): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro user_privileged_containers): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(list rancher_images): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(list images_allow_network_outside_subnet): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_python_running_sdchecks): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro trusted_containers): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(list authorized_server_binaries): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
### Non user-facing changes
* chore(test): replace bucket url with official distribution url [[#1608](https://github.com/falcosecurity/falco/pull/1608)] - [@fntlnz](https://github.com/fntlnz)
* adding asapp as an adopter [[#1611](https://github.com/falcosecurity/falco/pull/1611)] - [@Stuxend](https://github.com/Stuxend)
* update: fixtures URLs [[#1603](https://github.com/falcosecurity/falco/pull/1603)] - [@leogr](https://github.com/leogr)
* cleanup publishing jobs [[#1596](https://github.com/falcosecurity/falco/pull/1596)] - [@leogr](https://github.com/leogr)
* fix(falco/test): bump pyyaml from 5.3.1 to 5.4 [[#1595](https://github.com/falcosecurity/falco/pull/1595)] - [@leodido](https://github.com/leodido)
* fix(.circleci): tar must be present in the image [[#1594](https://github.com/falcosecurity/falco/pull/1594)] - [@leogr](https://github.com/leogr)
* fix: publishing jobs [[#1591](https://github.com/falcosecurity/falco/pull/1591)] - [@leogr](https://github.com/leogr)
* Pocteo as an adopter [[#1574](https://github.com/falcosecurity/falco/pull/1574)] - [@pocteo-labs](https://github.com/pocteo-labs)
* build: fetch build deps from download.falco.org [[#1572](https://github.com/falcosecurity/falco/pull/1572)] - [@leogr](https://github.com/leogr)
* adding shapesecurity to adopters [[#1566](https://github.com/falcosecurity/falco/pull/1566)] - [@irivera007](https://github.com/irivera007)
* Use default pip version to get avocado version [[#1565](https://github.com/falcosecurity/falco/pull/1565)] - [@shane-lawrence](https://github.com/shane-lawrence)
* Added Swissblock to list of adopters [[#1551](https://github.com/falcosecurity/falco/pull/1551)] - [@bygui86](https://github.com/bygui86)
* Fix various typos in markdown files. [[#1514](https://github.com/falcosecurity/falco/pull/1514)] - [@didier-durand](https://github.com/didier-durand)
* docs: move governance to falcosecurity/.github [[#1524](https://github.com/falcosecurity/falco/pull/1524)] - [@leogr](https://github.com/leogr)
* ci: fix missing infra context to publish stable Falco packages [[#1615](https://github.com/falcosecurity/falco/pull/1615)] - [@leodido](https://github.com/leodido)
## v0.27.0
Released on 2021-01-18

55
CMakeLists.txt
View File

@@ -66,17 +66,10 @@ if(MINIMAL_BUILD)
endif()
if(MUSL_OPTIMIZED_BUILD)
set(MUSL_FLAGS "-static -Os -fPIE -pie")
set(MUSL_FLAGS "-static -Os")
endif()
# explicitly set hardening flags
set(CMAKE_POSITION_INDEPENDENT_CODE ON)
set(FALCO_SECURITY_FLAGS "-Wl,-z,relro,-z,now -fstack-protector-strong")
if(CMAKE_BUILD_TYPE STREQUAL "release")
set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -D_FORTIFY_SOURCE=2")
endif()
set(CMAKE_COMMON_FLAGS "${FALCO_SECURITY_FLAGS} -Wall -ggdb ${DRAIOS_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")
set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")
if(BUILD_WARNINGS_AS_ERRORS)
set(CMAKE_SUPPRESSED_WARNINGS
@@ -110,12 +103,6 @@ set(CMD_MAKE make)
include(ExternalProject)
# LuaJIT
include(luajit)
# libs
include(falcosecurity-libs)
# jq
include(jq)
@@ -131,6 +118,12 @@ ExternalProject_Add(
BUILD_COMMAND ""
INSTALL_COMMAND "")
# curses
# We pull this in because libsinsp won't build without it
set(CURSES_NEED_NCURSES TRUE)
find_package(Curses REQUIRED)
message(STATUS "Found ncurses: include: ${CURSES_INCLUDE_DIR}, lib: ${CURSES_LIBRARIES}")
# b64
include(b64)
@@ -139,12 +132,15 @@ include(yaml-cpp)
if(NOT MINIMAL_BUILD)
# OpenSSL
include(openssl)
include(OpenSSL)
# libcurl
include(curl)
include(cURL)
endif()
# LuaJIT
include(luajit)
# Lpeg
include(lpeg)
@@ -155,7 +151,21 @@ include(libyaml)
include(lyaml)
# One TBB
include(tbb)
set(TBB_SRC "${PROJECT_BINARY_DIR}/tbb-prefix/src/tbb")
message(STATUS "Using bundled tbb in '${TBB_SRC}'")
set(TBB_INCLUDE_DIR "${TBB_SRC}/include/")
set(TBB_LIB "${TBB_SRC}/build/lib_release/libtbb.a")
ExternalProject_Add(
tbb
URL "https://github.com/oneapi-src/oneTBB/archive/2018_U5.tar.gz"
URL_HASH "SHA256=b8dbab5aea2b70cf07844f86fa413e549e099aa3205b6a04059ca92ead93a372"
CONFIGURE_COMMAND ""
BUILD_COMMAND ${CMD_MAKE} tbb_build_dir=${TBB_SRC}/build tbb_build_prefix=lib extra_inc=big_iron.inc
BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${TBB_LIB}
INSTALL_COMMAND "")
if(NOT MINIMAL_BUILD)
# civetweb
@@ -179,13 +189,13 @@ endif()
include(DownloadStringViewLite)
if(NOT MINIMAL_BUILD)
include(zlib)
include(cares)
include(protobuf)
# gRPC
include(grpc)
include(gRPC)
endif()
# sysdig
include(sysdig)
# Installation
install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}")
@@ -216,6 +226,7 @@ set(FALCO_ABSOLUTE_SHARE_DIR "${CMAKE_INSTALL_PREFIX}/${FALCO_SHARE_DIR}")
set(FALCO_BIN_DIR bin)
add_subdirectory(scripts)
add_subdirectory(userspace/libhawk)
add_subdirectory(userspace/engine)
add_subdirectory(userspace/falco)
add_subdirectory(tests)

56
README.md
View File

@@ -11,49 +11,11 @@ Want to talk? Join us on the [#falco](https://kubernetes.slack.com/archives/CMWH
Read the [change log](CHANGELOG.md).
<!--
Badges in the following table are constructed by using the
https://img.shields.io/badge/dynamic/xml endpoint.
Parameters are configured for fetching packages from S3 before
(filtered by prefix, sorted in ascending order) and for picking
the latest package by using an XPath selector after.
- Common query parameters:
color=#300aec7
style=flat-square
label=Falco
- DEB packages parameters:
url=https://falco-distribution.s3-eu-west-1.amazonaws.com/?prefix=packages/deb/stable/falco-
query=substring-before(substring-after((/*[name()='ListBucketResult']/*[name()='Contents'])[last()]/*[name()='Key'],"falco-"),".asc")
- RPM packages parameters:
url=https://falco-distribution.s3-eu-west-1.amazonaws.com/?prefix=packages/rpm/falco-
query=substring-before(substring-after((/*[name()='ListBucketResult']/*[name()='Contents'])[last()]/*[name()='Key'],"falco-"),".asc")
- BIN packages parameters:
url=https://falco-distribution.s3-eu-west-1.amazonaws.com/?prefix=packages/bin/x86_64/falco-
query=substring-after((/*[name()='ListBucketResult']/*[name()='Contents'])[last()]/*[name()='Key'], "falco-")
Notes:
- if more than 1000 items are present under as S3 prefix,
the actual latest package will be not picked;
see https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html
- for `-dev` packages, the S3 prefix is modified accordingly
- finally, all parameters are URL encoded and appended to the badge endpoint
-->
| | development | stable |
|--------|-----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|
| rpm | [![rpm-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm-dev%2Ffalco-)][1] | [![rpm](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm%2Ffalco-)][2] |
| deb | [![deb-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb-dev%2Fstable%2Ffalco-)][3] | [![deb](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb%2Fstable%2Ffalco-)][4] |
| binary | [![bin-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin-dev%2Fx86_64%2Ffalco-)][5] | [![bin](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin%2Fx86_64%2Ffalco-)][6] |
| rpm | [![rpm-dev](https://img.shields.io/bintray/v/falcosecurity/rpm-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][1] | [![rpm](https://img.shields.io/bintray/v/falcosecurity/rpm/falco?label=Falco&color=%23005763&style=flat-square)][2] |
| deb | [![deb-dev](https://img.shields.io/bintray/v/falcosecurity/deb-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][3] | [![deb](https://img.shields.io/bintray/v/falcosecurity/deb/falco?label=Falco&color=%23005763&style=flat-square)][4] |
| binary | [![bin-dev](https://img.shields.io/bintray/v/falcosecurity/bin-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][5] | [![bin](https://img.shields.io/bintray/v/falcosecurity/bin/falco?label=Falco&color=%23005763&style=flat-square)][6] |
---
@@ -137,9 +99,9 @@ Please report security vulnerabilities following the community process documente
Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
[1]: https://download.falco.org/?prefix=packages/rpm-dev/
[2]: https://download.falco.org/?prefix=packages/rpm/
[3]: https://download.falco.org/?prefix=packages/deb-dev/stable/
[4]: https://download.falco.org/?prefix=packages/deb/stable/
[5]: https://download.falco.org/?prefix=packages/bin-dev/x86_64/
[6]: https://download.falco.org/?prefix=packages/bin/x86_64/
[1]: https://dl.bintray.com/falcosecurity/rpm-dev
[2]: https://dl.bintray.com/falcosecurity/rpm
[3]: https://dl.bintray.com/falcosecurity/deb-dev/stable
[4]: https://dl.bintray.com/falcosecurity/deb/stable
[5]: https://dl.bintray.com/falcosecurity/bin-dev/x86_64
[6]: https://dl.bintray.com/falcosecurity/bin/x86_64

28
RELEASE.md
View File

@@ -13,12 +13,12 @@ Finally, on the proposed due date the assignees for the upcoming release proceed
Before cutting a release we need to do some homework in the Falco repository. This should take 5 minutes using the GitHub UI.
### 1. Release notes
- Find the previous release date (`YYYY-MM-DD`) by looking at the [Falco releases](https://github.com/falcosecurity/falco/releases)
- Find the LAST release (-1) and use `YYYY-MM-DD` as the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
- Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
- Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
- Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/falco/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
- If the PR has no milestone, assign it to the milestone currently undergoing release
- Check issues without a milestone (using `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD) ) and add them to the milestone currently undergoing release
- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD), if any, update those missing
- Check issues without a milestone (using [is:pr is:merged no:milestone closed:>YYYY-MM-DD](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD) filter) and add them to the milestone currently undergoing release
- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD), if any, fix them
### 2. Milestones
@@ -29,9 +29,8 @@ Before cutting a release we need to do some homework in the Falco repository. Th
- Double-check if any hard-coded version number is present in the code, it should be not present anywhere:
- If any, manually correct it then open an issue to automate version number bumping later
- Versions table in the `README.md` updates itself automatically
- Generate the change log using [rn2md](https://github.com/leodido/rn2md):
- Execute `rn2md -o falcosecurity -m <version> -r falco`
- In case `rn2md` emits error try to generate an GitHub OAuth access token and provide it with the `-t` flag
- Generate the change log https://github.com/leodido/rn2md:
- If you review timeout errors with `rn2md` try to generate an GitHub Oauth access token and use `-t`
- Add the latest changes on top the previous `CHANGELOG.md`
- Submit a PR with the above modifications
- Await PR approval
@@ -52,7 +51,7 @@ Now assume `x.y.z` is the new version.
git push origin x.y.z
```
> **N.B.**: do NOT use an annotated tag. For reference https://git-scm.com/book/en/v2/Git-Basics-Tagging
> **N.B.**: do NOT use an annotated tag
- Wait for the CI to complete
@@ -66,9 +65,9 @@ Now assume `x.y.z` is the new version.
| Packages | Download |
| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| rpm | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-x.y.z-x86_64.rpm) |
| deb | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-x.y.z-x86_64.deb) |
| tgz | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/x86_64/falco-x.y.z-x86_64.tar.gz) |
| rpm | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/rpm/falco-x.y.z-x86_64.rpm) |
| deb | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/deb/stable/falco-x.y.z-x86_64.deb) |
| tgz | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/bin/x86_64/falco-x.y.z-x86_64.deb) |
| Images |
| --------------------------------------------------------------------------- |
@@ -86,10 +85,6 @@ Now assume `x.y.z` is the new version.
| Total | x |
<!-- Calculate stats and fill the above table -->
#### Release Manager <github handle>
<!-- Substitute Github handle with the release manager's one -->
```
- Finally, publish the release!
@@ -98,7 +93,7 @@ Now assume `x.y.z` is the new version.
For each release we archive the meeting notes in git for historical purposes.
- The notes from the Falco meetings can be [found here](https://hackmd.io/3qYPnZPUQLGKCzR14va_qg).
- The notes from the Falco meetings can be [found here](https://hackmd.io/6sEAlInlSaGnLz2FnFz21A).
- Note: There may be other notes from working groups that can optionally be added as well as needed.
- Add the entire content of the document to a new file in [github.com/falcosecurity/community/tree/master/meeting-notes](https://github.com/falcosecurity/community/tree/master/meeting-notes) as a new file labeled `release-x.y.z.md`
- Open up a pull request with the new change.
@@ -108,6 +103,5 @@ For each release we archive the meeting notes in git for historical purposes.
Announce the new release to the world!
- Publish a blog on [Falco website](https://github.com/falcosecurity/falco-website) ([example](https://github.com/falcosecurity/falco-website/blob/master/content/en/blog/falco-0-28-1.md))
- Send an announcement to cncf-falco-dev@lists.cncf.io (plain text, please)
- Let folks in the slack #falco channel know about a new release came out

8
cmake/cpack/CMakeCPackOptions.cmake
View File

@@ -1,11 +1,11 @@
if(CPACK_GENERATOR MATCHES "DEB")
list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/init.d/")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/init.d")
endif()
if(CPACK_GENERATOR MATCHES "RPM")
list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/rc.d/init.d/")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/rc.d/init.d")
endif()
if(CPACK_GENERATOR MATCHES "TGZ")

9
cmake/modules/CPackConfig.cmake
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2021 The Falco Authors.
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
@@ -46,9 +46,8 @@ set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
)
set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
set(CPACK_RPM_PACKAGE_ARCHITECTURE, "amd64")
set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, systemd")
set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, ncurses")
set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")
@@ -60,7 +59,9 @@ set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION
/etc
/usr
/usr/bin
/usr/share)
/usr/share
/etc/rc.d
/etc/rc.d/init.d)
set(CPACK_RPM_PACKAGE_RELOCATABLE "OFF")
include(CPack)

45
cmake/modules/OpenSSL.cmake Normal file
View File

@@ -0,0 +1,45 @@
#
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
mark_as_advanced(OPENSSL_BINARY)
if(NOT USE_BUNDLED_DEPS)
find_package(OpenSSL REQUIRED)
message(STATUS "Found openssl: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
find_program(OPENSSL_BINARY openssl)
if(NOT OPENSSL_BINARY)
message(FATAL_ERROR "Couldn't find the openssl command line in PATH")
else()
message(STATUS "Found openssl: binary: ${OPENSSL_BINARY}")
endif()
else()
mark_as_advanced(OPENSSL_BUNDLE_DIR OPENSSL_INSTALL_DIR OPENSSL_INCLUDE_DIR
OPENSSL_LIBRARY_SSL OPENSSL_LIBRARY_CRYPTO)
set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include")
set(OPENSSL_LIBRARY_SSL "${OPENSSL_INSTALL_DIR}/lib/libssl.a")
set(OPENSSL_LIBRARY_CRYPTO "${OPENSSL_INSTALL_DIR}/lib/libcrypto.a")
set(OPENSSL_BINARY "${OPENSSL_INSTALL_DIR}/bin/openssl")
message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
ExternalProject_Add(
openssl
# START CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
URL "https://github.com/openssl/openssl/archive/OpenSSL_1_0_2n.tar.gz"
URL_HASH "SHA256=4f4bc907caff1fee6ff8593729e5729891adcee412049153a3bb4db7625e8364"
# END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
CONFIGURE_COMMAND ./config no-shared --prefix=${OPENSSL_INSTALL_DIR}
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
INSTALL_COMMAND ${CMD_MAKE} install)
endif()

27
cmake/modules/b64.cmake Normal file
View File

@@ -0,0 +1,27 @@
#
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
set(B64_SRC "${PROJECT_BINARY_DIR}/b64-prefix/src/b64")
message(STATUS "Using bundled b64 in '${B64_SRC}'")
set(B64_INCLUDE "${B64_SRC}/include")
set(B64_LIB "${B64_SRC}/src/libb64.a")
externalproject_add(
b64
URL "https://github.com/libb64/libb64/archive/ce864b17ea0e24a91e77c7dd3eb2d1ac4175b3f0.tar.gz"
URL_HASH "SHA256=d07173e66f435e5c77dbf81bd9313f8d0e4a3b4edd4105a62f4f8132ba932811"
CONFIGURE_COMMAND ""
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${B64_LIB}
INSTALL_COMMAND ""
)

76
cmake/modules/cURL.cmake Normal file
View File

@@ -0,0 +1,76 @@
#
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
if(NOT USE_BUNDLED_DEPS)
find_package(CURL REQUIRED)
message(STATUS "Found CURL: include: ${CURL_INCLUDE_DIR}, lib: ${CURL_LIBRARIES}")
else()
set(CURL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/curl-prefix/src/curl")
set(CURL_INCLUDE_DIR "${CURL_BUNDLE_DIR}/include/")
set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl.a")
set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
message(STATUS "Using SSL for curl in '${CURL_SSL_OPTION}'")
externalproject_add(
curl
DEPENDS openssl
# START CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
URL "https://github.com/curl/curl/releases/download/curl-7_61_0/curl-7.61.0.tar.bz2"
URL_HASH "SHA256=5f6f336921cf5b84de56afbd08dfb70adeef2303751ffb3e570c936c6d656c9c"
# END CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
CONFIGURE_COMMAND
./configure
${CURL_SSL_OPTION}
--disable-shared
--enable-optimize
--disable-curldebug
--disable-rt
--enable-http
--disable-ftp
--disable-file
--disable-ldap
--disable-ldaps
--disable-rtsp
--disable-telnet
--disable-tftp
--disable-pop3
--disable-imap
--disable-smb
--disable-smtp
--disable-gopher
--disable-sspi
--disable-ntlm-wb
--disable-tls-srp
--without-winssl
--without-darwinssl
--without-polarssl
--without-cyassl
--without-nss
--without-axtls
--without-ca-path
--without-ca-bundle
--without-libmetalink
--without-librtmp
--without-winidn
--without-libidn2
--without-libpsl
--without-nghttp2
--without-libssh2
--disable-threaded-resolver
--without-brotli
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
INSTALL_COMMAND "")
endif()

67
cmake/modules/falcosecurity-libs.cmake
View File

@@ -1,67 +0,0 @@
#
# Copyright (C) 2021 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
set(FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules/falcosecurity-libs-repo")
set(FALCOSECURITY_LIBS_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/falcosecurity-libs-repo")
file(MAKE_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR})
# The falcosecurity/libs git reference (branch name, commit hash, or tag) To update falcosecurity/libs version for the next release, change the
# default below In case you want to test against another falcosecurity/libs version just pass the variable - ie., `cmake
# -DFALCOSECURITY_LIBS_VERSION=dev ..`
if(NOT FALCOSECURITY_LIBS_VERSION)
set(FALCOSECURITY_LIBS_VERSION "17f5df52a7d9ed6bb12d3b1768460def8439936d")
set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=34a2a466f1e5045591f102de2bc812d9b4f0d5874094cc73b97a7970fb2a3a18")
endif()
# cd /path/to/build && cmake /path/to/source
execute_process(COMMAND "${CMAKE_COMMAND}" -DFALCOSECURITY_LIBS_VERSION=${FALCOSECURITY_LIBS_VERSION} -DFALCOSECURITY_LIBS_CHECKSUM=${FALCOSECURITY_LIBS_CHECKSUM}
${FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR})
# todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13
# execute_process(COMMAND "${CMAKE_COMMAND}" -B ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR} WORKING_DIRECTORY
# "${FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR}")
execute_process(COMMAND "${CMAKE_COMMAND}" --build . WORKING_DIRECTORY "${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}")
set(FALCOSECURITY_LIBS_SOURCE_DIR "${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}/falcosecurity-libs-prefix/src/falcosecurity-libs")
add_definitions(-D_GNU_SOURCE)
add_definitions(-DHAS_CAPTURE)
if(MUSL_OPTIMIZED_BUILD)
add_definitions(-DMUSL_OPTIMIZED)
endif()
set(PROBE_VERSION "${FALCOSECURITY_LIBS_VERSION}")
if(NOT LIBSCAP_DIR)
set(LIBSCAP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
endif()
set(LIBSINSP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
# explicitly disable the tests/examples of this dependency
set(CREATE_TEST_TARGETS OFF CACHE BOOL "")
set(BUILD_LIBSCAP_EXAMPLES OFF CACHE BOOL "")
# todo(leogr): although Falco does not actually depend on chisels, we need this for the lua_parser.
# Hopefully, we can switch off this in the future
set(WITH_CHISEL ON CACHE BOOL "")
set(USE_BUNDLED_TBB ON CACHE BOOL "")
set(USE_BUNDLED_B64 ON CACHE BOOL "")
set(USE_BUNDLED_JSONCPP ON CACHE BOOL "")
list(APPEND CMAKE_MODULE_PATH "${FALCOSECURITY_LIBS_SOURCE_DIR}/cmake/modules")
include(libscap)
include(libsinsp)

145
cmake/modules/gRPC.cmake Normal file
View File

@@ -0,0 +1,145 @@
#
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
if(NOT USE_BUNDLED_DEPS)
# zlib
include(FindZLIB)
set(ZLIB_INCLUDE "${ZLIB_INCLUDE_DIRS}")
set(ZLIB_LIB "${ZLIB_LIBRARIES}")
if(ZLIB_INCLUDE AND ZLIB_LIB)
message(STATUS "Found zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}")
endif()
# c-ares
mark_as_advanced(CARES_INCLUDE CARES_LIB)
find_path(CARES_INCLUDE NAMES ares.h)
find_library(CARES_LIB NAMES libcares.so)
if(CARES_INCLUDE AND CARES_LIB)
message(STATUS "Found c-ares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}")
else()
message(FATAL_ERROR "Couldn't find system c-ares")
endif()
# protobuf
mark_as_advanced(PROTOC PROTOBUF_INCLUDE PROTOBUF_LIB)
find_program(PROTOC NAMES protoc)
find_path(PROTOBUF_INCLUDE NAMES google/protobuf/message.h)
find_library(PROTOBUF_LIB NAMES libprotobuf.so)
if(PROTOC
AND PROTOBUF_INCLUDE
AND PROTOBUF_LIB)
message(STATUS "Found protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
else()
message(FATAL_ERROR "Couldn't find system protobuf")
endif()
# gpr
mark_as_advanced(GPR_LIB)
find_library(GPR_LIB NAMES gpr)
if(GPR_LIB)
message(STATUS "Found gpr lib: ${GPR_LIB}")
else()
message(FATAL_ERROR "Couldn't find system gpr")
endif()
# gRPC todo(fntlnz, leodido): check that gRPC version is greater or equal than 1.8.0
mark_as_advanced(GRPC_INCLUDE GRPC_SRC
GRPC_LIB GRPC_LIBS_ABSOLUTE GRPCPP_LIB GRPC_CPP_PLUGIN)
find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
if(GRPCXX_INCLUDE)
set(GRPC_INCLUDE ${GRPCXX_INCLUDE})
unset(GRPCXX_INCLUDE CACHE)
else()
find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h)
set(GRPC_INCLUDE ${GRPCPP_INCLUDE})
unset(GRPCPP_INCLUDE CACHE)
add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
endif()
find_library(GRPC_LIB NAMES grpc)
find_library(GRPCPP_LIB NAMES grpc++)
if(GRPC_INCLUDE
AND GRPC_LIB
AND GRPCPP_LIB)
message(STATUS "Found grpc: include: ${GRPC_INCLUDE}, C lib: ${GRPC_LIB}, C++ lib: ${GRPCPP_LIB}")
else()
message(FATAL_ERROR "Couldn't find system grpc")
endif()
find_program(GRPC_CPP_PLUGIN grpc_cpp_plugin)
if(NOT GRPC_CPP_PLUGIN)
message(FATAL_ERROR "System grpc_cpp_plugin not found")
endif()
else()
find_package(PkgConfig)
if(NOT PKG_CONFIG_FOUND)
message(FATAL_ERROR "pkg-config binary not found")
endif()
message(STATUS "Found pkg-config executable: ${PKG_CONFIG_EXECUTABLE}")
set(GRPC_SRC "${PROJECT_BINARY_DIR}/grpc-prefix/src/grpc")
set(GRPC_INCLUDE "${GRPC_SRC}/include")
set(GRPC_LIBS_ABSOLUTE "${GRPC_SRC}/libs/opt")
set(GRPC_LIB "${GRPC_LIBS_ABSOLUTE}/libgrpc.a")
set(GRPCPP_LIB "${GRPC_LIBS_ABSOLUTE}/libgrpc++.a")
set(GRPC_CPP_PLUGIN "${GRPC_SRC}/bins/opt/grpc_cpp_plugin")
# we tell gRPC to compile protobuf for us because when a gRPC package is not available, like on CentOS, it's very
# likely that protobuf will be very outdated
set(PROTOBUF_INCLUDE "${GRPC_SRC}/third_party/protobuf/src")
set(PROTOC "${PROTOBUF_INCLUDE}/protoc")
set(PROTOBUF_LIB "${GRPC_LIBS_ABSOLUTE}/protobuf/libprotobuf.a")
# we tell gRPC to compile zlib for us because when a gRPC package is not available, like on CentOS, it's very likely
# that zlib will be very outdated
set(ZLIB_INCLUDE "${GRPC_SRC}/third_party/zlib")
set(ZLIB_LIB "${GRPC_LIBS_ABSOLUTE}/libz.a")
# we tell gRPC to compile c-ares for us because when a gRPC package is not available, like on CentOS, it's very likely
# that c-ares will be very outdated
set(CARES_INCLUDE "${GRPC_SRC}/third_party/cares" "${GRPC_SRC}/third_party/cares/cares")
set(CARES_LIB "${GRPC_LIBS_ABSOLUTE}/libares.a")
message(STATUS "Using bundled gRPC in '${GRPC_SRC}'")
message(
STATUS
"Bundled gRPC comes with protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
message(STATUS "Bundled gRPC comes with zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}}")
message(STATUS "Bundled gRPC comes with cares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}}")
message(STATUS "Bundled gRPC comes with gRPC C++ plugin: include: ${GRPC_CPP_PLUGIN}")
get_filename_component(PROTOC_DIR ${PROTOC} PATH)
ExternalProject_Add(
grpc
DEPENDS openssl
GIT_REPOSITORY https://github.com/grpc/grpc.git
GIT_TAG v1.32.0
GIT_SUBMODULES "third_party/protobuf third_party/zlib third_party/cares/cares third_party/abseil-cpp third_party/re2"
BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB}
INSTALL_COMMAND ""
CONFIGURE_COMMAND ""
BUILD_COMMAND
CFLAGS=-Wno-implicit-fallthrough
HAS_SYSTEM_ZLIB=false
HAS_SYSTEM_PROTOBUF=false
HAS_SYSTEM_CARES=false
HAS_EMBEDDED_OPENSSL_ALPN=false
HAS_SYSTEM_OPENSSL_ALPN=true
PKG_CONFIG_PATH=${OPENSSL_BUNDLE_DIR}
PKG_CONFIG=${PKG_CONFIG_EXECUTABLE}
PATH=${PROTOC_DIR}:$ENV{PATH}
make
static_cxx
static_c
grpc_cpp_plugin)
endif()

54
cmake/modules/jq.cmake Normal file
View File

@@ -0,0 +1,54 @@
#
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
mark_as_advanced(JQ_INCLUDE JQ_LIB)
if (NOT USE_BUNDLED_DEPS)
find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq)
find_library(JQ_LIB NAMES jq)
if (JQ_INCLUDE AND JQ_LIB)
message(STATUS "Found jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
else ()
message(FATAL_ERROR "Couldn't find system jq")
endif ()
else ()
set(JQ_SRC "${PROJECT_BINARY_DIR}/jq-prefix/src/jq")
message(STATUS "Using bundled jq in '${JQ_SRC}'")
set(JQ_INCLUDE "${JQ_SRC}/target/include")
set(JQ_INSTALL_DIR "${JQ_SRC}/target")
set(JQ_LIB "${JQ_INSTALL_DIR}/lib/libjq.a")
set(ONIGURUMA_LIB "${JQ_INSTALL_DIR}/lib/libonig.a")
message(STATUS "Bundled jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
# Why we mirror jq here?
#
# In their readme, jq claims that you don't have
# to do autoreconf -fi when downloading a released tarball.
#
# However, they forgot to push the released makefiles
# into their release tarbal.
#
# For this reason, we have to mirror their release after
# doing the configuration ourselves.
#
# This is needed because many distros do not ship the right
# version of autoreconf, making virtually impossible to build Falco on them.
# Read more about it here:
# https://github.com/stedolan/jq/issues/2061#issuecomment-593445920
ExternalProject_Add(
jq
URL "https://dl.bintray.com/falcosecurity/dependencies/jq-1.6.tar.gz"
URL_HASH "SHA256=787518068c35e244334cc79b8e56b60dbab352dff175b7f04a94f662b540bfd9"
CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking --with-oniguruma=builtin --prefix=${JQ_INSTALL_DIR}
BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
BUILD_IN_SOURCE 1
INSTALL_COMMAND ${CMD_MAKE} install)
endif ()

31
cmake/modules/luajit.cmake
View File

@@ -11,20 +11,17 @@
# specific language governing permissions and limitations under the License.
#
if(NOT LUAJIT_INCLUDE)
set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
externalproject_add(
luajit
GIT_REPOSITORY "https://github.com/LuaJIT/LuaJIT"
GIT_TAG "1d8b747c161db457e032a023ebbff511f5de5ec2"
CONFIGURE_COMMAND ""
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${LUAJIT_LIB}
INSTALL_COMMAND ""
)
endif()
include_directories("${LUAJIT_INCLUDE}")
set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
externalproject_add(
luajit
GIT_REPOSITORY "https://github.com/LuaJIT/LuaJIT"
GIT_TAG "1d8b747c161db457e032a023ebbff511f5de5ec2"
CONFIGURE_COMMAND ""
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${LUAJIT_LIB}
INSTALL_COMMAND ""
)

10
cmake/modules/falcosecurity-libs-repo/CMakeLists.txt → cmake/modules/sysdig-repo/CMakeLists.txt
View File

@@ -12,15 +12,15 @@
#
cmake_minimum_required(VERSION 3.5.1)
project(falcosecurity-libs-repo NONE)
project(sysdig-repo NONE)
include(ExternalProject)
message(STATUS "Driver version: ${FALCOSECURITY_LIBS_VERSION}")
message(STATUS "Driver version: ${SYSDIG_VERSION}")
ExternalProject_Add(
falcosecurity-libs
URL "https://github.com/falcosecurity/libs/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz"
URL_HASH "${FALCOSECURITY_LIBS_CHECKSUM}"
sysdig
URL "https://github.com/draios/sysdig/archive/${SYSDIG_VERSION}.tar.gz"
URL_HASH "${SYSDIG_CHECKSUM}"
CONFIGURE_COMMAND ""
BUILD_COMMAND ""
INSTALL_COMMAND ""

0
cmake/modules/falcosecurity-libs-repo/patch/libscap.patch → cmake/modules/sysdig-repo/patch/libscap.patch
View File

18
cmake/modules/falcosecurity-libs-repo/patch/luajit.patch → cmake/modules/sysdig-repo/patch/luajit.patch
View File

@@ -1,7 +1,7 @@
diff --git a/userspace/chisel/chisel.cpp b/userspace/chisel/chisel.cpp
diff --git a/userspace/libsinsp/chisel.cpp b/userspace/libsinsp/chisel.cpp
index 0a6e3cf8..0c2e255a 100644
--- a/userspace/chisel/chisel.cpp
+++ b/userspace/chisel/chisel.cpp
--- a/userspace/libsinsp/chisel.cpp
+++ b/userspace/libsinsp/chisel.cpp
@@ -98,7 +98,7 @@ void lua_stackdump(lua_State *L)
// Lua callbacks
///////////////////////////////////////////////////////////////////////////////
@@ -29,10 +29,10 @@ index 0a6e3cf8..0c2e255a 100644
{
{"field", &lua_cbacks::field},
{"get_num", &lua_cbacks::get_num},
diff --git a/userspace/chisel/lua_parser.cpp b/userspace/chisel/lua_parser.cpp
diff --git a/userspace/libsinsp/lua_parser.cpp b/userspace/libsinsp/lua_parser.cpp
index 0e26617d..78810d96 100644
--- a/userspace/chisel/lua_parser.cpp
+++ b/userspace/chisel/lua_parser.cpp
--- a/userspace/libsinsp/lua_parser.cpp
+++ b/userspace/libsinsp/lua_parser.cpp
@@ -32,7 +32,7 @@ extern "C" {
#include "lauxlib.h"
}
@@ -42,10 +42,10 @@ index 0e26617d..78810d96 100644
{
{"rel_expr", &lua_parser_cbacks::rel_expr},
{"bool_op", &lua_parser_cbacks::bool_op},
diff --git a/userspace/chisel/lua_parser_api.cpp b/userspace/chisel/lua_parser_api.cpp
diff --git a/userspace/libsinsp/lua_parser_api.cpp b/userspace/libsinsp/lua_parser_api.cpp
index c89e9126..c3d8008a 100644
--- a/userspace/chisel/lua_parser_api.cpp
+++ b/userspace/chisel/lua_parser_api.cpp
--- a/userspace/libsinsp/lua_parser_api.cpp
+++ b/userspace/libsinsp/lua_parser_api.cpp
@@ -266,7 +266,7 @@ int lua_parser_cbacks::rel_expr(lua_State *ls)
string err = "Got non-table as in-expression operand\n";
throw sinsp_exception("parser API error");

78
cmake/modules/sysdig.cmake Normal file
View File

@@ -0,0 +1,78 @@
#
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
set(SYSDIG_CMAKE_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules/sysdig-repo")
set(SYSDIG_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/sysdig-repo")
# this needs to be here at the top
if(USE_BUNDLED_DEPS)
# explicitly force this dependency to use the bundled OpenSSL
if(NOT MINIMAL_BUILD)
set(USE_BUNDLED_OPENSSL ON)
endif()
set(USE_BUNDLED_JQ ON)
endif()
file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
# The sysdig git reference (branch name, commit hash, or tag) To update sysdig version for the next release, change the
# default below In case you want to test against another sysdig version just pass the variable - ie., `cmake
# -DSYSDIG_VERSION=dev ..`
if(NOT SYSDIG_VERSION)
set(SYSDIG_VERSION "5c0b863ddade7a45568c0ac97d037422c9efb750")
set(SYSDIG_CHECKSUM "SHA256=9de717b3a4b611ea6df56afee05171860167112f74bb7717b394bcc88ac843cd")
endif()
set(PROBE_VERSION "${SYSDIG_VERSION}")
# cd /path/to/build && cmake /path/to/source
execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM}
${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
# todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13
# execute_process(COMMAND "${CMAKE_COMMAND}" -B ${SYSDIG_CMAKE_WORKING_DIR} WORKING_DIRECTORY
# "${SYSDIG_CMAKE_SOURCE_DIR}")
execute_process(COMMAND "${CMAKE_COMMAND}" --build . WORKING_DIRECTORY "${SYSDIG_CMAKE_WORKING_DIR}")
set(SYSDIG_SOURCE_DIR "${SYSDIG_CMAKE_WORKING_DIR}/sysdig-prefix/src/sysdig")
# jsoncpp
set(JSONCPP_SRC "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp")
set(JSONCPP_INCLUDE "${JSONCPP_SRC}")
set(JSONCPP_LIB_SRC "${JSONCPP_SRC}/jsoncpp.cpp")
# Add driver directory
add_subdirectory("${SYSDIG_SOURCE_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
# Add libscap directory
add_definitions(-D_GNU_SOURCE)
add_definitions(-DHAS_CAPTURE)
add_definitions(-DNOCURSESUI)
if(MUSL_OPTIMIZED_BUILD)
add_definitions(-DMUSL_OPTIMIZED)
endif()
add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libscap" "${PROJECT_BINARY_DIR}/userspace/libscap")
# Add libsinsp directory
add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libsinsp" "${PROJECT_BINARY_DIR}/userspace/libsinsp")
add_dependencies(sinsp tbb b64 luajit)
# explicitly disable the tests of this dependency
set(CREATE_TEST_TARGETS OFF)
if(USE_BUNDLED_DEPS)
add_dependencies(scap jq)
if(NOT MINIMAL_BUILD)
add_dependencies(scap curl grpc)
endif()
endif()

1
cmake/modules/yaml-cpp.cmake
View File

@@ -28,7 +28,6 @@ else()
yamlcpp
URL "https://github.com/jbeder/yaml-cpp/archive/yaml-cpp-0.6.2.tar.gz"
URL_HASH "SHA256=e4d8560e163c3d875fd5d9e5542b5fd5bec810febdcba61481fe5fc4e6b1fd05"
BUILD_BYPRODUCTS ${YAMLCPP_LIB}
BUILD_IN_SOURCE 1
INSTALL_COMMAND "")
endif()

13
docker/README.md
View File

@@ -1,16 +1,17 @@
# Falco Dockerfiles
This directory contains various ways to package Falco as a container and related tools.
This directory contains various ways to package Falco as a container and related tools.
## Currently Supported Images
| Name | Directory | Description |
|---|---|---|
| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. |
| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
| [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. |
| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/getting-started/source/) for more details on building from source. Used to build Falco (CI). |
| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). |
| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. |
| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
| [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. |
| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). |
| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). |
| _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. |
> Note: `falco-builder`, `falco-tester` (and the `docker/local` image that it's built on the fly) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.

2
docker/builder/Dockerfile
View File

@@ -24,7 +24,7 @@ RUN yum -y install centos-release-scl && \
yum -y install --setopt=tsflags=nodocs $INSTALL_PKGS && \
rpm -V $INSTALL_PKGS
ARG CMAKE_VERSION=3.6.3
ARG CMAKE_VERSION=3.5.1
RUN source scl_source enable devtoolset-7 llvm-toolset-7 && \
cd /tmp && \
curl -L https://github.com/kitware/cmake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}.tar.gz | tar xz; \

1
docker/builder/root/usr/bin/entrypoint
View File

@@ -34,6 +34,7 @@ case "$CMD" in
-DCMAKE_BUILD_TYPE="$BUILD_TYPE" \
-DCMAKE_INSTALL_PREFIX=/usr \
-DBUILD_DRIVER="$BUILD_DRIVER" \
-DMINIMAL_BUILD="$MINIMAL_BUILD" \
-DBUILD_BPF="$BUILD_BPF" \
-DBUILD_WARNINGS_AS_ERRORS="$BUILD_WARNINGS_AS_ERRORS" \
-DFALCO_VERSION="$FALCO_VERSION" \

44
docker/falco/Dockerfile
View File

@@ -18,12 +18,10 @@ RUN apt-get update \
&& apt-get install -y --no-install-recommends \
bash-completion \
bc \
bison \
clang-7 \
ca-certificates \
curl \
dkms \
flex \
gnupg2 \
gcc \
jq \
@@ -41,15 +39,15 @@ RUN apt-get update \
# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
# or so.
RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_amd64.deb \
&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_amd64.deb \
&& curl -L -o libasan3_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_amd64.deb \
&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_amd64.deb \
&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_amd64.deb \
&& curl -L -o libisl15_0.18-1_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-1_amd64.deb \
RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
@@ -58,13 +56,13 @@ RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/
# version 3, 4, or 5 compiler. So grab copies we've saved from debian
# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_amd64.deb \
&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_amd64.deb \
&& curl -L -o libasan2_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libasan2_5.5.0-12_amd64.deb \
&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
&& curl -L -o libisl15_0.18-4_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-4_amd64.deb \
&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_amd64.deb \
RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
&& curl -L -o libasan2_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
@@ -78,7 +76,7 @@ RUN rm -rf /usr/bin/clang \
&& ln -s /usr/bin/llc-7 /usr/bin/llc
RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \
&& echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
&& echo "deb https://dl.bintray.com/falcosecurity/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
&& apt-get update -y \
&& if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
&& apt-get clean \
@@ -98,10 +96,10 @@ RUN rm -df /lib/modules \
# debian:stable head contains binutils 2.31, which generates
# binaries that are incompatible with kernels < 4.16. So manually
# forcibly install binutils 2.30-22 instead.
RUN curl -L -o binutils_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils_2.30-22_amd64.deb \
&& curl -L -o libbinutils_2.30-22_amd64.deb https://download.falco.org/dependencies/libbinutils_2.30-22_amd64.deb \
&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
&& curl -L -o binutils-common_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-common_2.30-22_amd64.deb \
RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
&& dpkg -i *binutils*.deb \
&& rm -f *binutils*.deb

7
docker/falco/docker-entrypoint.sh
View File

@@ -16,9 +16,14 @@
# limitations under the License.
#
# todo(leogr): remove deprecation notice within a couple of releases
if [[ ! -z "${SKIP_MODULE_LOAD}" ]]; then
echo "* SKIP_MODULE_LOAD is deprecated and will be removed soon, use SKIP_DRIVER_LOADER instead"
fi
# Set the SKIP_DRIVER_LOADER variable to skip loading the driver
if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
if [[ -z "${SKIP_DRIVER_LOADER}" ]] && [[ -z "${SKIP_MODULE_LOAD}" ]]; then
echo "* Setting up /usr/src links from host"
for i in "$HOST_ROOT/usr/src"/*

42
docker/local/Dockerfile
View File

@@ -48,15 +48,15 @@ RUN apt-get update \
# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
# or so.
RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_amd64.deb \
&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_amd64.deb \
&& curl -L -o libasan3_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_amd64.deb \
&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_amd64.deb \
&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_amd64.deb \
&& curl -L -o libisl15_0.18-1_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-1_amd64.deb \
RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
@@ -65,13 +65,13 @@ RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/
# version 3, 4, or 5 compiler. So grab copies we've saved from debian
# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_amd64.deb \
&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_amd64.deb \
&& curl -L -o libasan2_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libasan2_5.5.0-12_amd64.deb \
&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
&& curl -L -o libisl15_0.18-4_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-4_amd64.deb \
&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_amd64.deb \
RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
&& curl -L -o libasan2_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
@@ -96,15 +96,15 @@ RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
# Change the falco config within the container to enable ISO 8601
# output.
RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
# debian:stable head contains binutils 2.31, which generates
# binaries that are incompatible with kernels < 4.16. So manually
# forcibly install binutils 2.30-22 instead.
RUN curl -L -o binutils_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils_2.30-22_amd64.deb \
&& curl -L -o libbinutils_2.30-22_amd64.deb https://download.falco.org/dependencies/libbinutils_2.30-22_amd64.deb \
&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
&& curl -L -o binutils-common_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-common_2.30-22_amd64.deb \
RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
&& dpkg -i *binutils*.deb \
&& rm -f *binutils*.deb

12
docker/no-driver/Dockerfile
View File

@@ -6,16 +6,14 @@ ARG VERSION_BUCKET=bin
ENV FALCO_VERSION=${FALCO_VERSION}
ENV VERSION_BUCKET=${VERSION_BUCKET}
RUN apt-get -y update && apt-get -y install gridsite-clients curl
WORKDIR /
RUN curl -L -o falco.tar.gz \
https://download.falco.org/packages/${VERSION_BUCKET}/x86_64/falco-$(urlencode ${FALCO_VERSION})-x86_64.tar.gz && \
tar -xvf falco.tar.gz && \
rm -f falco.tar.gz && \
ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
RUN tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
mv falco-${FALCO_VERSION}-x86_64 falco && \
rm -rf /falco/usr/src/falco-* /falco/usr/bin/falco-driver-loader
rm -rf falco/usr/src/falco-* falco/usr/bin/falco-driver-loader
RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
&& mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml

2
docker/tester/root/usr/bin/usage
View File

@@ -3,7 +3,7 @@
pythonversion=$(python -c 'import sys; version=sys.version_info[:3]; print("{0}.{1}.{2}".format(*version))')
pipversion=$(pip --version | cut -d' ' -f 1,2,5,6)
dockerversion=$(docker --version)
avocadoversion=$(pip show avocado-framework | grep Version)
avocadoversion=$(pip2 show avocado-framework | grep Version)
avocadoversion=${avocadoversion#"Version: "}
cat <<EOF

65
falco.yaml
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2021 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -28,10 +28,7 @@
# The files will be read in the order presented here, so make sure if
# you have overrides they appear in later files.
rules_file:
- /etc/falco/falco_rules.yaml
- /etc/falco/falco_rules.local.yaml
- /etc/falco/k8s_audit_rules.yaml
- /etc/falco/rules.d
- /tmp/falco
# If true, the times displayed in log messages and output messages
# will be in ISO 8601. By default, times are displayed in the local
@@ -68,52 +65,24 @@ priority: debug
buffered_outputs: false
# Falco uses a shared buffer between the kernel and userspace to pass
# system call information. When Falco detects that this buffer is
# system call information. When falco detects that this buffer is
# full and system calls have been dropped, it can take one or more of
# the following actions:
# - ignore: do nothing (default when list of actions is empty)
# - log: log a DEBUG message noting that the buffer was full
# - alert: emit a Falco alert noting that the buffer was full
# - exit: exit Falco with a non-zero rc
#
# Notice it is not possible to ignore and log/alert messages at the same time.
# - "ignore": do nothing. If an empty list is provided, ignore is assumed.
# - "log": log a CRITICAL message noting that the buffer was full.
# - "alert": emit a falco alert noting that the buffer was full.
# - "exit": exit falco with a non-zero rc.
#
# The rate at which log/alert messages are emitted is governed by a
# token bucket. The rate corresponds to one message every 30 seconds
# with a burst of one message (by default).
#
# The messages are emitted when the percentage of dropped system calls
# with respect the number of events in the last second
# is greater than the given threshold (a double in the range [0, 1]).
#
# For debugging/testing it is possible to simulate the drops using
# the `simulate_drops: true`. In this case the threshold does not apply.
# with a burst of 10 messages.
syscall_event_drops:
threshold: .1
actions:
- log
- alert
rate: .03333
max_burst: 1
# Falco uses a shared buffer between the kernel and userspace to receive
# the events (eg., system call information) in userspace.
#
# Anyways, the underlying libraries can also timeout for various reasons.
# For example, there could have been issues while reading an event.
# Or the particular event needs to be skipped.
# Normally, it's very unlikely that Falco does not receive events consecutively.
#
# Falco is able to detect such uncommon situation.
#
# Here you can configure the maximum number of consecutive timeouts without an event
# after which you want Falco to alert.
# By default this value is set to 1000 consecutive timeouts without an event at all.
# How this value maps to a time interval depends on the CPU frequency.
syscall_event_timeouts:
max_consecutives: 1000
max_burst: 10
# Falco continuously monitors outputs performance. When an output channel does not allow
# to deliver an alert within a given deadline, an error is reported indicating
@@ -180,14 +149,11 @@ stdout_output:
# $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
# $ cat certificate.pem key.pem > falco.pem
# $ sudo cp falco.pem /etc/falco/falco.pem
#
# It also exposes a healthy endpoint that can be used to check if Falco is up and running
# By default the endpoint is /healthz
webserver:
enabled: true
listen_port: 8765
k8s_audit_endpoint: /k8s-audit
k8s_healthz_endpoint: /healthz
ssl_enabled: false
ssl_certificate: /etc/falco/falco.pem
@@ -249,3 +215,14 @@ grpc:
# Make sure to have a consumer for them or leave this disabled.
grpc_output:
enabled: false
# todo(fntlnz): provide a default implementation
# so that users can avoid to input this configuration
# if they don't need to change the default Falco behavior
#extensions:
# - myextension.so
# Rules provider
# Specify a non-default provider.
# Default value is "internal"
rules_provider: internal

167
proposals/20210119-libraries-contribution.md
View File

@@ -1,167 +0,0 @@
# OSS Libraries Contribution Plan
## Summary
Sysdig Inc. intends to donate **libsinsp**, **libscap**, the **kernel module driver** and the **eBPF driver sources** by moving them to the Falco project.
This means that some parts of the [draios/sysdig](https://github.com/draios/sysdig) repository will be moved to a new GitHub repository called [falcosecurity/libs](https://github.com/falcosecurity/libs).
This plan aims to describe and clarify the terms and goals to get the contribution done.
## Motivation
There are two main OSS projects using the libraries and drivers that we are aware of:
- [sysdig](https://github.com/draios/sysdig) the command line tool
- [Falco](https:/github.com/falcosecurity/falco), the CNCF project.
Since the Falco project is a heavy user of the libraries, a lot more than the sysdig cli tool, Sysdig (the company) decided to donate the libraries and the driver to the Falco community.
Sysdig (the command line tool) will continue to use the libraries now provided by the Falco community underneath.
This change is win-win for both parties because of the following reasons:
- The Falco community owns the source code of the three most important parts of the software it distributes.
- Right now it is "only" an engine on top of the libraries. This **contribution** helps in making the scope of the Falco project broader. Having the majority of the source code under an **open governance** in the same organization gives the Falco project more contribution opportunities, helps it in **evolving independently** and makes the whole Falco community a strong owner of the processes and decision making regarding those crucial parts.
- Given the previous point, Sysdig (the command line tool) will benefit from the now **extended contributors base**
- Sysdig (the company) can now focus on the user experience and user space features
- **Contributions** to the libraries and drivers will be **easier** to spread across the Falco community
- By being donated, with their own **release process**, **release artifacts**, and **documentation**, the libraries can now live on their own and possibly be used directly in other projects by becoming fundamental pieces for their success.
## Goals
There are many sub-projects and each of them interacts in a different way in this contribution.
Let's see the goals per sub-project.
### libsinsp
1. Extract libsinsp from `draios/sysdig/userspace/libsinsp` (keeping the commit history) into [falcosecurity/libs](https://github.com/falcosecurity/libs)
2. The migration comes first, then we can do additional PRs for the points below so that we do only one thing at a time and keep the history linear
3. Keep the same code, refactorings will need to be done in subsequent PRs and approved separately
4. Adapt the CMake and build files
5. Install [poiana](https://github.com/poiana) and its workflows on it
6. Define the `OWNERS`
- Owners are chosen from the current major contributors (considering the past two years) to this project, given their availability, commitment is key
7. When possible, migrate issues and PRs to the new repository
8. Distribute the `libsinsp.so` library and headers as an artifact (rpm, deb, tar.gz) following the falcosecurity current process
9. Distribute the `libsinsp.a` library and headers as an artifact (rpm, deb, tar.gz) following the falcosecurity current process
10. Creation of the CI scripts using the Falco CI and Falco Infra
11. The CI scripts will need to publish the artifacts in the current falcosecurity artifacts repository
12. Artifacts will be pushed for every tag (release) and for every master merge (development release)
13. Falco follows a [multi-stage model for adopting new projects](https://github.com/falcosecurity/evolution#falco-project-evolution), in this case we will do an exception since the library is foundational for Falco and it has a very good track record already
14. This project will go already "Official support" once the contribution is completed
15. Contributing, Code of Conduct, Governance, Security, and Support will be the same as the rest of the organization, find them [here](https://github.com/falcosecurity/.github)
16. Every other additional change will need to have its own process with a proposal
17. Implement the release process as described above
18. Propose a change to Falco repository to use the artifacts produced by the libsinsp release process for the build
19. Document the API
### libscap
1. Extract libscap from `draios/sysdig/userspace/libscap` (keeping the commit history) into [falcosecurity/libs](https://github.com/falcosecurity/libs)
2. The migration comes first, then we can do additional PRs for the points below so that we do only one thing at a time and keep the history linear
3. Keep the same code, refactorings will need to be done in subsequent PRs and approved separately
4. Adapt the CMake and build files
5. Install [poiana](https://github.com/poiana) and its workflows on it
6. Define the `OWNERS`
- Owners are chosen from the current major contributors (considering the past two years) to this project, given their availability, commitment is key
7. When possible, migrate issues and PRs to the new repository
8. Distribute the `libscap.so` library and headers as an artifact (rpm, deb, tar.gz) following the falcosecurity current process
9. Distribute the `libscap.a` library and headers as an artifact (rpm, deb, tar.gz) following the falcosecurity current process
10. Creation of the CI scripts using the Falco CI and Falco Infra
11. The CI scripts will need to publish the artifacts in the current falcosecurity artifacts repository
12. Artifacts will be pushed for every tag (release) and for every master merge (development release)
13. Falco follows a [multi-stage model for adopting new projects](https://github.com/falcosecurity/evolution#falco-project-evolution), in this case we will do an exception since the library is foundational for Falco and it has a very good track record already
14. This project will go already "Official support" once the contribution is completed
15. Contributing, Code of Conduct, Governance, Security, and Support will be the same as the rest of the organization, find them [here](https://github.com/falcosecurity/.github)
16. Every other additional change will need to have its own process with a proposal
17. Implement the release process as described above
18. Propose a change to Falco repository to use the artifacts produced by the libscap release process for the build
19. Document the API
### Drivers: Kernel module and eBPF probe
1. Extract them from `draios/sysdig/driver` (keeping the commit history) into [falcosecurity/libs](https://github.com/falcosecurity/libs)
2. The migration comes first, then we can do additional PRs for the point below so that we do only one thing at a time and keep the history linear
3. Keep the same code, refactorings will need to be done in subsequent PRs and approved separately
4. Adapt the Makefiles and build files
5. Install [poiana](https://github.com/poiana) and its workflows on it
6. Define the `OWNERS`
- Owners are chosen from the current major contributors (considering the past two years) to this project, given their availability, commitment is key
7. When possible, migrate issues and PRs to the new repository
8. Falco follows a [multi-stage model for adopting new projects](https://github.com/falcosecurity/evolution#falco-project-evolution), in this case we will do an exception since the library is foundational for Falco and it has a very good track record already. We are just changing maintenance ownership
9. Contributing, Code of Conduct, Governance, Security, and Support will be the same as the rest of the organization, find them [here](https://github.com/falcosecurity/.github)
10. Every other additional change will need to have its own process with a proposal
11. The Falco community already ships driver artifacts using [driverkit](https://github.com/falcosecurity/driverkit) and the [test-infra repository](https://github.com/falcosecurity/test-infra)
- Adapt the place from which [driverkit](https://github.com/falcosecurity/driverkit) grabs the drivers source
12. This project will go already "Official support" once the migration is completed.
### Falco
1. Adapt the CMake files to point to the new homes for libscap, libsinsp and the drivers
2. When distributing the deb and rpm, libscap and libsinsp will need to be install dependencies and not anymore compiled into Falco
### Driverkit
1. Change the source location for the drivers to point to the new driver repository
### pdig
1. The project will need to be adapted to use libscap and libsinsp and the fillers from their new location

1396
rules/falco_rules.yaml
View File

File diff suppressed because it is too large Load Diff

142
rules/k8s_audit_rules.yaml
View File

@@ -14,7 +14,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
- required_engine_version: 2
- required_engine_version: 8
# Like always_true/always_false, but works with k8s audit events
- macro: k8s_audit_always_true
@@ -50,14 +50,17 @@
vertical_pod_autoscaler_users,
cluster-autoscaler,
"system:addon-manager",
"cloud-controller-manager",
"eks:node-manager",
"system:kube-controller-manager"
"cloud-controller-manager"
]
- rule: Disallowed K8s User
desc: Detect any k8s operation by users outside of an allowed set of users.
condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users)
condition: kevt and non_system_user
exceptions:
- name: user_names
fields: ka.user.name
comps: in
values: [allowed_k8s_users]
output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
priority: WARNING
source: k8s_audit
@@ -124,6 +127,10 @@
desc: >
Detect an attempt to start a pod with a container image outside of a list of allowed images.
condition: kevt and pod and kcreate and not allowed_k8s_containers
exceptions:
- name: image_repos
fields: ka.req.pod.containers.image.repository
comps: in
output: Pod started with container not in allowed list (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
priority: WARNING
source: k8s_audit
@@ -132,7 +139,12 @@
- rule: Create Privileged Pod
desc: >
Detect an attempt to start a pod with a privileged container
condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (falco_privileged_images)
condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true)
exceptions:
- name: image_repos
fields: ka.req.pod.containers.image.repository
comps: in
values: [falco_privileged_images]
output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
priority: WARNING
source: k8s_audit
@@ -146,7 +158,12 @@
desc: >
Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
Exceptions are made for known trusted images.
condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (falco_sensitive_mount_images)
condition: kevt and pod and kcreate and sensitive_vol_mount
exceptions:
- name: image_repos
fields: ka.req.pod.containers.image.repository
comps: in
values: [falco_sensitive_mount_images]
output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes])
priority: WARNING
source: k8s_audit
@@ -155,7 +172,12 @@
# Corresponds to K8s CIS Benchmark 1.7.4
- rule: Create HostNetwork Pod
desc: Detect an attempt to start a pod using the host network.
condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostnetwork_images)
condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true)
exceptions:
- name: image_repos
fields: ka.req.pod.containers.image.repository
comps: in
values: [falco_hostnetwork_images]
output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
priority: WARNING
source: k8s_audit
@@ -168,6 +190,9 @@
desc: >
Detect an attempt to start a service with a NodePort service type
condition: kevt and service and kcreate and ka.req.service.type=NodePort and not user_known_node_port_service
exceptions:
- name: services
fields: [ka.target.namespace, ka.target.name]
output: NodePort Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace ports=%ka.req.service.ports)
priority: WARNING
source: k8s_audit
@@ -186,6 +211,9 @@
desc: >
Detect creating/modifying a configmap containing a private credential (aws key, password, etc.)
condition: kevt and configmap and kmodify and contains_private_credentials
exceptions:
- name: configmaps
fields: [ka.target.namespace, ka.req.configmap.name]
output: K8s configmap with private credential (user=%ka.user.name verb=%ka.verb configmap=%ka.req.configmap.name config=%ka.req.configmap.obj)
priority: WARNING
source: k8s_audit
@@ -196,6 +224,10 @@
desc: >
Detect any request made by the anonymous user that was allowed
condition: kevt and ka.user.name=system:anonymous and ka.auth.decision="allow" and not health_endpoint
exceptions:
- name: user_names
fields: ka.user.name
comps: in
output: Request by anonymous user allowed (user=%ka.user.name verb=%ka.verb uri=%ka.uri reason=%ka.auth.reason))
priority: WARNING
source: k8s_audit
@@ -221,6 +253,10 @@
desc: >
Detect any attempt to attach/exec to a pod
condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach) and not user_known_exec_pod_activities
exceptions:
- name: user_names
fields: ka.user.name
comps: in
output: Attach/Exec to pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace action=%ka.target.subresource command=%ka.uri.param[command])
priority: NOTICE
source: k8s_audit
@@ -230,10 +266,14 @@
condition: (k8s_audit_never_true)
# Only works when feature gate EphemeralContainers is enabled
# Definining empty exceptions just to avoid warnings. There isn't any
# great exception for this kind of object, as you'd expect the images
# to vary wildly.
- rule: EphemeralContainers Created
desc: >
Detect any ephemeral container created
condition: kevt and pod_subresource and kmodify and ka.target.subresource in (ephemeralcontainers) and not user_known_pod_debug_activities
exceptions:
output: Ephemeral container is created in pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace ephemeral_container_name=%jevt.value[/requestObject/ephemeralContainers/0/name] ephemeral_container_image=%jevt.value[/requestObject/ephemeralContainers/0/image])
priority: NOTICE
source: k8s_audit
@@ -245,7 +285,12 @@
- rule: Create Disallowed Namespace
desc: Detect any attempt to create a namespace outside of a set of known namespaces
condition: kevt and namespace and kcreate and not ka.target.name in (allowed_namespaces)
condition: kevt and namespace and kcreate
exceptions:
- name: services
fields: ka.target.name
comps: in
values: [allowed_namespaces]
output: Disallowed namespace created (user=%ka.user.name ns=%ka.target.name)
priority: WARNING
source: k8s_audit
@@ -285,15 +330,16 @@
k8s_image_list
]
- macro: allowed_kube_namespace_pods
condition: (ka.req.pod.containers.image.repository in (user_allowed_kube_namespace_image_list) or
ka.req.pod.containers.image.repository in (allowed_kube_namespace_image_list))
# Detect any new pod created in the kube-system namespace
- rule: Pod Created in Kube Namespace
desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not allowed_kube_namespace_pods
condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public)
output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
exceptions:
- name: images
fields: ka.req.pod.containers.image.repository
comps: in
values: [user_allowed_kube_namespace_image_list, allowed_kube_namespace_image_list]
priority: WARNING
source: k8s_audit
tags: [k8s]
@@ -301,18 +347,16 @@
- list: user_known_sa_list
items: []
- list: known_sa_list
items: ["pod-garbage-collector","resourcequota-controller","cronjob-controller","generic-garbage-collector",
"daemon-set-controller","endpointslice-controller","deployment-controller", "replicaset-controller",
"endpoint-controller", "namespace-controller", "statefulset-controller", "disruption-controller"]
- macro: trusted_sa
condition: (ka.target.name in (known_sa_list, user_known_sa_list))
condition: (ka.target.name in (user_known_sa_list))
# Detect creating a service account in the kube-system/kube-public namespace
- rule: Service Account Created in Kube Namespace
desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces
condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful and not trusted_sa
exceptions:
- name: accounts
fields: [ka.target.namespace, ka.target.name]
output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace)
priority: WARNING
source: k8s_audit
@@ -325,6 +369,9 @@
desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system
condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and
not ka.target.name in (system:coredns, system:managed-certificate-controller)
exceptions:
- name: roles
fields: [ka.target.namespace, ka.target.name]
output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace action=%ka.verb)
priority: WARNING
source: k8s_audit
@@ -335,6 +382,10 @@
- rule: Attach to cluster-admin Role
desc: Detect any attempt to create a ClusterRoleBinding to the cluster-admin user
condition: kevt and clusterrolebinding and kcreate and ka.req.binding.role=cluster-admin
exceptions:
- name: subjects
fields: ka.req.binding.subjects
comps: in
output: Cluster Role Binding to cluster-admin role (user=%ka.user.name subject=%ka.req.binding.subjects)
priority: WARNING
source: k8s_audit
@@ -343,6 +394,10 @@
- rule: ClusterRole With Wildcard Created
desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs
condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*"))
exceptions:
- name: roles
fields: ka.target.name
comps: in
output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
priority: WARNING
source: k8s_audit
@@ -355,6 +410,10 @@
- rule: ClusterRole With Write Privileges Created
desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions
condition: kevt and (role or clusterrole) and kcreate and writable_verbs
exceptions:
- name: roles
fields: ka.target.name
comps: in
output: Created Role/ClusterRole with write privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
priority: NOTICE
source: k8s_audit
@@ -363,6 +422,10 @@
- rule: ClusterRole With Pod Exec Created
desc: Detect any attempt to create a Role/ClusterRole that can exec to pods
condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources intersects ("pods/exec")
exceptions:
- name: roles
fields: ka.target.name
comps: in
output: Created Role/ClusterRole with pod exec privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
priority: WARNING
source: k8s_audit
@@ -374,12 +437,16 @@
- macro: consider_activity_events
condition: (k8s_audit_always_true)
# Activity events don't have exceptions. They do define an empty
# exceptions property just to avoid warnings when loading rules.
- macro: kactivity
condition: (kevt and consider_activity_events)
- rule: K8s Deployment Created
desc: Detect any attempt to create a deployment
condition: (kactivity and kcreate and deployment and response_successful)
exceptions:
output: K8s Deployment Created (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -388,6 +455,7 @@
- rule: K8s Deployment Deleted
desc: Detect any attempt to delete a deployment
condition: (kactivity and kdelete and deployment and response_successful)
exceptions:
output: K8s Deployment Deleted (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -396,6 +464,7 @@
- rule: K8s Service Created
desc: Detect any attempt to create a service
condition: (kactivity and kcreate and service and response_successful)
exceptions:
output: K8s Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -404,6 +473,7 @@
- rule: K8s Service Deleted
desc: Detect any attempt to delete a service
condition: (kactivity and kdelete and service and response_successful)
exceptions:
output: K8s Service Deleted (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -412,6 +482,7 @@
- rule: K8s ConfigMap Created
desc: Detect any attempt to create a configmap
condition: (kactivity and kcreate and configmap and response_successful)
exceptions:
output: K8s ConfigMap Created (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -420,6 +491,7 @@
- rule: K8s ConfigMap Deleted
desc: Detect any attempt to delete a configmap
condition: (kactivity and kdelete and configmap and response_successful)
exceptions:
output: K8s ConfigMap Deleted (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -428,6 +500,7 @@
- rule: K8s Namespace Created
desc: Detect any attempt to create a namespace
condition: (kactivity and kcreate and namespace and response_successful)
exceptions:
output: K8s Namespace Created (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -436,6 +509,7 @@
- rule: K8s Namespace Deleted
desc: Detect any attempt to delete a namespace
condition: (kactivity and non_system_user and kdelete and namespace and response_successful)
exceptions:
output: K8s Namespace Deleted (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -444,6 +518,7 @@
- rule: K8s Serviceaccount Created
desc: Detect any attempt to create a service account
condition: (kactivity and kcreate and serviceaccount and response_successful)
exceptions:
output: K8s Serviceaccount Created (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -452,6 +527,7 @@
- rule: K8s Serviceaccount Deleted
desc: Detect any attempt to delete a service account
condition: (kactivity and kdelete and serviceaccount and response_successful)
exceptions:
output: K8s Serviceaccount Deleted (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -460,6 +536,7 @@
- rule: K8s Role/Clusterrole Created
desc: Detect any attempt to create a cluster role/role
condition: (kactivity and kcreate and (clusterrole or role) and response_successful)
exceptions:
output: K8s Cluster Role Created (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -468,6 +545,7 @@
- rule: K8s Role/Clusterrole Deleted
desc: Detect any attempt to delete a cluster role/role
condition: (kactivity and kdelete and (clusterrole or role) and response_successful)
exceptions:
output: K8s Cluster Role Deleted (user=%ka.user.name role=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -476,6 +554,7 @@
- rule: K8s Role/Clusterrolebinding Created
desc: Detect any attempt to create a clusterrolebinding
condition: (kactivity and kcreate and clusterrolebinding and response_successful)
exceptions:
output: K8s Cluster Role Binding Created (user=%ka.user.name binding=%ka.target.name subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -484,6 +563,7 @@
- rule: K8s Role/Clusterrolebinding Deleted
desc: Detect any attempt to delete a clusterrolebinding
condition: (kactivity and kdelete and clusterrolebinding and response_successful)
exceptions:
output: K8s Cluster Role Binding Deleted (user=%ka.user.name binding=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -492,6 +572,7 @@
- rule: K8s Secret Created
desc: Detect any attempt to create a secret. Service account tokens are excluded.
condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
exceptions:
output: K8s Secret Created (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -500,6 +581,7 @@
- rule: K8s Secret Deleted
desc: Detect any attempt to delete a secret Service account tokens are excluded.
condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
exceptions:
output: K8s Secret Deleted (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -518,6 +600,7 @@
- rule: All K8s Audit Events
desc: Match all K8s Audit Events
condition: kall
exceptions:
output: K8s Audit Event received (user=%ka.user.name verb=%ka.verb uri=%ka.uri obj=%jevt.obj)
priority: DEBUG
source: k8s_audit
@@ -550,6 +633,10 @@
and non_system_user
and ka.user.name in (full_admin_k8s_users)
and not allowed_full_admin_users
exceptions:
- name: user_names
fields: ka.user.name
comps: in
output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
priority: WARNING
source: k8s_audit
@@ -583,6 +670,9 @@
desc: Detect any attempt to create an ingress without TLS certification.
condition: >
(kactivity and kcreate and ingress and response_successful and not ingress_tls)
exceptions:
- name: ingresses
fields: [ka.target.namespace, ka.target.name]
output: >
K8s Ingress Without TLS Cert Created (user=%ka.user.name ingress=%ka.target.name
namespace=%ka.target.namespace)
@@ -613,7 +703,11 @@
and kcreate
and response_successful
and not allow_all_k8s_nodes
and not ka.target.name in (allowed_k8s_nodes)
exceptions:
- name: nodes
fields: ka.target.name
comps: in
values: [allowed_k8s_nodes]
output: Node not in allowed list successfully joined the cluster (user=%ka.user.name node=%ka.target.name)
priority: ERROR
source: k8s_audit
@@ -627,7 +721,11 @@
and kcreate
and not response_successful
and not allow_all_k8s_nodes
and not ka.target.name in (allowed_k8s_nodes)
exceptions:
- name: nodes
fields: ka.target.name
comps: in
values: [allowed_k8s_nodes]
output: Node not in allowed list tried unsuccessfully to join the cluster (user=%ka.user.name node=%ka.target.name reason=%ka.response.reason)
priority: WARNING
source: k8s_audit

6
scripts/CMakeLists.txt
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2021 The Falco Authors.
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -19,14 +19,14 @@ configure_file(debian/postinst.in debian/postinst)
configure_file(debian/postrm.in debian/postrm)
configure_file(debian/prerm.in debian/prerm)
file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco.service"
file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco"
DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
configure_file(rpm/postinstall.in rpm/postinstall)
configure_file(rpm/postuninstall.in rpm/postuninstall)
configure_file(rpm/preuninstall.in rpm/preuninstall)
file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco.service"
file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco"
DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
configure_file(falco-driver-loader falco-driver-loader @ONLY)

61
scripts/cleanup Executable file
View File

@@ -0,0 +1,61 @@
#!/usr/bin/env bash
usage() {
echo "usage: $0 -p 0987654321 -r <deb-dev|rpm-dev|bin-dev>"
exit 1
}
user=poiana
# Get the versions to delete.
#
# $1: repository to lookup
# $2: number of versions to skip.
get_versions() {
# The API endpoint returns the Falco package versions sort by most recent.
IFS=$'\n' read -r -d '' -a all < <(curl -s --header "Content-Type: application/json" "https://api.bintray.com/packages/falcosecurity/$1/falco" | jq -r '.versions | .[]' | tail -n "+$2")
}
# Remove all the versions (${all[@]} array).
#
# $1: repository containing the versions.
rem_versions() {
for i in "${!all[@]}";
do
JFROG_CLI_LOG_LEVEL=DEBUG jfrog bt vd --quiet --user "${user}" --key "${pass}" "falcosecurity/$1/falco/${all[$i]}"
done
}
while getopts ":p::r:" opt; do
case "${opt}" in
p )
pass=${OPTARG}
;;
r )
repo="${OPTARG}"
[[ "${repo}" == "deb-dev" || "${repo}" == "rpm-dev" || "${repo}" == "bin-dev" ]] || usage
;;
: )
echo "invalid option: ${OPTARG} requires an argument" 1>&2
exit 1
;;
\?)
echo "invalid option: ${OPTARG}" 1>&2
exit 1
;;
esac
done
shift $((OPTIND-1))
if [ -z "${pass}" ] || [ -z "${repo}" ]; then
usage
fi
skip=51
if [[ "${repo}" == "bin-dev" ]]; then
skip=11
fi
get_versions "${repo}" ${skip}
echo "number of versions to delete: ${#all[@]}"
rem_versions "${repo}"

176
scripts/debian/falco Executable file
View File

@@ -0,0 +1,176 @@
#! /bin/sh
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
### BEGIN INIT INFO
# Provides: falco
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Falco syscall activity monitoring agent
# Description: Falco is a system activity monitoring agent
# driven by system calls with support for containers.
### END INIT INFO
# Author: The Falco Authors <cncf-falco-dev@lists.cncf.io>
# Do NOT "set -e"
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="Falco"
NAME=falco
DAEMON=/usr/bin/$NAME
PIDFILE=/var/run/$NAME.pid
DAEMON_ARGS="--daemon --pidfile=$PIDFILE"
SCRIPTNAME=/etc/init.d/$NAME
# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working.
. /lib/lsb/init-functions
#
# Function that starts the daemon/service
#
do_start()
{
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
|| return 1
if [ ! -d /sys/module/falco ]; then
/sbin/modprobe falco || exit 1
fi
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
$DAEMON_ARGS \
|| return 2
# Add code here, if necessary, that waits for the process to be ready
# to handle requests from services started subsequently which depend
# on this one. As a last resort, sleep for some time.
}
#
# Function that stops the daemon/service
#
do_stop()
{
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
# Wait for children to finish too if this is a daemon that forks
# and if the daemon is only ever run from this initscript.
# If the above conditions are not satisfied then add some other code
# that waits for the process to drop all resources that could be
# needed by services started subsequently. A last resort is to
# sleep for some time.
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
[ "$?" = 2 ] && return 2
/sbin/rmmod falco
# Many daemons don't delete their pidfiles when they exit.
rm -f $PIDFILE
return "$RETVAL"
}
#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
#
# If the daemon can reload its configuration without
# restarting (for example, when it is sent a SIGHUP),
# then implement that here.
#
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
return 0
}
case "$1" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
do_start
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
status)
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
;;
#reload|force-reload)
#
# If do_reload() is not implemented then leave this commented out
# and leave 'force-reload' as an alias for 'restart'.
#
#log_daemon_msg "Reloading $DESC" "$NAME"
#do_reload
#log_end_msg $?
#;;
restart|force-reload)
#
# If the "reload" option is implemented then remove the
# 'force-reload' alias
#
log_daemon_msg "Restarting $DESC" "$NAME"
do_stop
case "$?" in
0|1)
do_start
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;; # Old process is still running
*) log_end_msg 1 ;; # Failed to start
esac
;;
*)
# Failed to stop
log_end_msg 1
;;
esac
;;
*)
#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
exit 3
;;
esac
:

24
scripts/debian/falco.service
View File

@@ -1,24 +0,0 @@
[Unit]
Description=Falco: Container Native Runtime Security
Documentation=https://falco.org/docs/
[Service]
Type=simple
User=root
ExecStartPre=/sbin/modprobe falco
ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
ExecStopPost=/sbin/rmmod falco
UMask=0077
TimeoutSec=30
RestartSec=15s
Restart=on-failure
PrivateTmp=true
NoNewPrivileges=yes
ProtectHome=read-only
ProtectSystem=full
ProtectKernelTunables=true
RestrictRealtime=true
RestrictAddressFamilies=~AF_PACKET
[Install]
WantedBy=multi-user.target

7
scripts/debian/postinst.in
View File

@@ -1,6 +1,6 @@
#!/bin/sh
#
# Copyright (C) 2021 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -41,3 +41,8 @@ case "$1" in
fi
;;
esac
if [ -x "/etc/init.d/$NAME" ]; then
update-rc.d $NAME defaults >/dev/null
fi

9
scripts/debian/postrm.in
View File

@@ -1,6 +1,6 @@
#!/bin/sh
#
# Copyright (C) 2021 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,3 +15,10 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
set -e
NAME=falco
if [ "$1" = "purge" ] ; then
update-rc.d $NAME remove >/dev/null
fi

12
scripts/debian/prerm.in
View File

@@ -1,6 +1,6 @@
#!/bin/sh
#
# Copyright (C) 2021 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -17,6 +17,16 @@
#
set -e
NAME="@PACKAGE_NAME@"
if [ -x "/etc/init.d/$NAME" ]; then
if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
invoke-rc.d $NAME stop || exit $?
else
/etc/init.d/$NAME stop || exit $?
fi
fi
DKMS_PACKAGE_NAME="@PACKAGE_NAME@"
DKMS_VERSION="@PROBE_VERSION@"

236
scripts/falco-driver-loader
View File

@@ -1,6 +1,6 @@
#!/usr/bin/env bash
#
# Copyright (C) 2021 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,7 +16,7 @@
# limitations under the License.
#
# Simple script that desperately tries to load the kernel instrumentation by
# looking for it in a bunch of ways. Convenient when running Falco inside
# looking for it in a bunch of ways. Convenient when running falco inside
# a container or in other weird environments.
#
@@ -82,7 +82,7 @@ get_kernel_config() {
echo "* Found kernel config at ${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
KERNEL_CONFIG_PATH="${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
elif [ -f "/lib/modules/${KERNEL_RELEASE}/config" ]; then
# This code works both for native host and containers assuming that
# this code works both for native host and agent container assuming that
# Dockerfile sets up the desired symlink /lib/modules -> $HOST_ROOT/lib/modules
echo "* Found kernel config at /lib/modules/${KERNEL_RELEASE}/config"
KERNEL_CONFIG_PATH="/lib/modules/${KERNEL_RELEASE}/config"
@@ -107,14 +107,12 @@ get_target_id() {
source "${HOST_ROOT}/etc/os-release"
OS_ID=$ID
elif [ -f "${HOST_ROOT}/etc/debian_version" ]; then
# Older debian distros
# fixme > Can this happen on older Ubuntu?
# Older Debian
# fixme > can this happen on older Ubuntu?
OS_ID=debian
elif [ -f "${HOST_ROOT}/etc/centos-release" ]; then
# Older CentOS distros
# Older CentOS
OS_ID=centos
elif [ -f "${HOST_ROOT}/etc/VERSION" ]; then
OS_ID=minikube
else
>&2 echo "Detected an unsupported target system, please get in touch with the Falco community"
exit 1
@@ -142,25 +140,25 @@ get_target_id() {
}
load_kernel_module_compile() {
# Skip dkms on UEK hosts because it will always fail
# skip dkms on UEK hosts because it will always fail
if [[ $(uname -r) == *uek* ]]; then
>&2 echo "Skipping because the dkms install always fail (on UEK hosts)"
echo "* Skipping dkms install for UEK host"
return
fi
if ! hash dkms >/dev/null 2>&1; then
>&2 echo "This program requires dkms"
if ! hash dkms &>/dev/null; then
echo "* Skipping dkms install (dkms not found)"
return
fi
# Try to compile using all the available gcc versions
# try to compile using all the available gcc versions
for CURRENT_GCC in $(which gcc) $(ls "$(dirname "$(which gcc)")"/gcc-* | grep 'gcc-[0-9]\+' | sort -r); do
echo "* Trying to dkms install ${DRIVER_NAME} module with GCC ${CURRENT_GCC}"
echo "#!/usr/bin/env bash" > /tmp/falco-dkms-make
echo "make CC=${CURRENT_GCC} \$@" >> /tmp/falco-dkms-make
chmod +x /tmp/falco-dkms-make
if dkms install --directive="MAKE='/tmp/falco-dkms-make'" -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"
echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"
if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then
echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
exit 0
@@ -183,6 +181,7 @@ load_kernel_module_compile() {
}
load_kernel_module_download() {
get_target_id
local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
@@ -190,14 +189,14 @@ load_kernel_module_download() {
local URL
URL=$(echo "${DRIVERS_REPO}/${DRIVER_VERSION}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g)
echo "* Trying to download a prebuilt ${DRIVER_NAME} module from ${URL}"
echo "* Trying to download prebuilt module from ${URL}"
if curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
echo "* Download succeeded"
insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module found and inserted"
insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module loaded"
exit $?
else
>&2 echo "Unable to find a prebuilt ${DRIVER_NAME} module"
return
>&2 echo "Download failed, consider compiling your own ${DRIVER_NAME} module and loading it or getting in touch with the Falco community"
exit 1
fi
}
@@ -221,7 +220,7 @@ load_kernel_module() {
rmmod "${DRIVER_NAME}" 2>/dev/null
WAIT_TIME=0
KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
while lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do
while lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do
if rmmod "${DRIVER_NAME}" 2>/dev/null; then
echo "* Unloading ${DRIVER_NAME} module succeeded after ${WAIT_TIME}s"
break
@@ -238,77 +237,33 @@ load_kernel_module() {
exit 0
fi
echo "* Trying to load a system ${DRIVER_NAME} module, if present"
if [ -n "$ENABLE_COMPILE" ]; then
load_kernel_module_compile
fi
echo "* Trying to load a system ${DRIVER_NAME} driver, if present"
if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
echo "* Success: ${DRIVER_NAME} module found and loaded with modprobe"
exit 0
fi
fi
echo "* Looking for a ${DRIVER_NAME} module locally (kernel ${KERNEL_RELEASE})"
echo "* Trying to find locally a prebuilt ${DRIVER_NAME} module for kernel ${KERNEL_RELEASE}, if present"
get_target_id
local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
if [ -f "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" ]; then
echo "* Found a prebuilt ${DRIVER_NAME} module at ${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module found and inserted"
echo "* Found a prebuilt module at ${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module loaded"
exit $?
fi
if [ -n "$ENABLE_DOWNLOAD" ]; then
load_kernel_module_download
fi
if [ -n "$ENABLE_COMPILE" ]; then
load_kernel_module_compile
fi
# Not able to download a prebuilt module nor to compile one on-the-fly
>&2 echo "Consider compiling your own ${DRIVER_NAME} driver and loading it or getting in touch with the Falco community"
exit 1
}
clean_kernel_module() {
if ! hash lsmod > /dev/null 2>&1; then
>&2 echo "This program requires lsmod"
exit 1
fi
if ! hash rmmod > /dev/null 2>&1; then
>&2 echo "This program requires rmmod"
exit 1
fi
KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
if lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}"; then
if rmmod "${DRIVER_NAME}" 2>/dev/null; then
echo "* Unloading ${DRIVER_NAME} module succeeded"
else
echo "* Unloading ${DRIVER_NAME} module failed"
fi
else
echo "* There is no ${DRIVER_NAME} module loaded"
fi
if ! hash dkms >/dev/null 2>&1; then
echo "* Skipping dkms remove (dkms not found)"
return
fi
DRIVER_VERSIONS=$(dkms status -m "${DRIVER_NAME}" | cut -d',' -f2 | sed -e 's/^[[:space:]]*//')
if [ -z "${DRIVER_VERSIONS}" ]; then
echo "* There is no ${DRIVER_NAME} module in dkms"
return
fi
for CURRENT_VER in ${DRIVER_VERSIONS}; do
if dkms remove -m "${DRIVER_NAME}" -v "${CURRENT_VER}" --all 2>/dev/null; then
echo "* Removing ${DRIVER_NAME}/${CURRENT_VER} succeeded"
else
echo "* Removing ${DRIVER_NAME}/${CURRENT_VER} failed"
exit 1
fi
done
}
load_bpf_probe_compile() {
@@ -317,14 +272,14 @@ load_bpf_probe_compile() {
customize_kernel_build() {
if [ -n "${KERNEL_EXTRA_VERSION}" ]; then
sed -i "s/LOCALVERSION=\"\"/LOCALVERSION=\"${KERNEL_EXTRA_VERSION}\"/" .config
sed -i "s/LOCALVERSION=\"\"/LOCALVERSION=\"${KERNEL_EXTRA_VERSION}\"/" .config
fi
make olddefconfig > /dev/null
make modules_prepare > /dev/null
}
if [ "${TARGET_ID}" == "cos" ]; then
echo "* COS detected (build ${BUILD_ID}), using COS kernel headers"
if [ -n "${COS}" ]; then
echo "* COS detected (build ${BUILD_ID}), using cos kernel headers"
BPF_KERNEL_SOURCES_URL="https://storage.googleapis.com/cos-tools/${BUILD_ID}/kernel-headers.tgz"
KERNEL_EXTRA_VERSION="+"
@@ -355,8 +310,7 @@ load_bpf_probe_compile() {
}
fi
if [ "${TARGET_ID}" == "minikube" ]; then
MINIKUBE_VERSION="$(cat "${HOST_ROOT}/etc/VERSION")"
if [ -n "${MINIKUBE}" ]; then
echo "* Minikube detected (${MINIKUBE_VERSION}), using linux kernel sources for minikube kernel"
local kernel_version
kernel_version=$(uname -r)
@@ -382,16 +336,14 @@ load_bpf_probe_compile() {
fi
if [ -n "${BPF_KERNEL_SOURCES_URL}" ]; then
get_kernel_config
echo "* Downloading ${BPF_KERNEL_SOURCES_URL}"
mkdir -p /tmp/kernel
cd /tmp/kernel || exit
cd "$(mktemp -d -p /tmp/kernel)" || exit
if ! curl -L -o kernel-sources.tgz --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" "${BPF_KERNEL_SOURCES_URL}"; then
>&2 echo "Unable to download the kernel sources"
return
>&2 echo "Download failed"
exit 1;
fi
echo "* Extracting kernel sources"
@@ -432,22 +384,47 @@ load_bpf_probe_download() {
echo "* Trying to download a prebuilt eBPF probe from ${URL}"
if ! curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${URL}"; then
>&2 echo "Unable to find a prebuilt ${DRIVER_NAME} eBPF probe"
return
>&2 echo "Download failed"
exit 1;
fi
}
load_bpf_probe() {
echo "* Mounting debugfs"
if [ ! -d /sys/kernel/debug/tracing ]; then
mount -t debugfs nodev /sys/kernel/debug
fi
get_kernel_config
if [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/os-release" ]; then
# shellcheck source=/dev/null
source "${HOST_ROOT}/etc/os-release"
if [ "${ID}" == "cos" ]; then
COS=1
fi
fi
if [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/VERSION" ]; then
MINIKUBE=1
MINIKUBE_VERSION="$(cat "${HOST_ROOT}/etc/VERSION")"
fi
get_target_id
BPF_PROBE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.o"
if [ -n "$ENABLE_COMPILE" ]; then
if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
echo "* Skipping compile, eBPF probe is already present in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
else
load_bpf_probe_compile
fi
fi
if [ -n "$ENABLE_DOWNLOAD" ]; then
if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
echo "* Skipping download, eBPF probe is already present in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
@@ -456,22 +433,21 @@ load_bpf_probe() {
fi
fi
if [ -n "$ENABLE_COMPILE" ]; then
if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
echo "* Skipping compilation, eBPF probe is already present in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
else
load_bpf_probe_compile
fi
fi
if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
echo "* eBPF probe located in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
if [ ! -f /proc/sys/net/core/bpf_jit_enable ]; then
echo "******************************************************************"
echo "** BPF doesn't have JIT enabled, performance might be degraded. **"
echo "** Please ensure to run on a kernel with CONFIG_BPF_JIT on. **"
echo "******************************************************************"
fi
ln -sf "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${HOME}/.falco/${DRIVER_NAME}-bpf.o" \
&& echo "* Success: eBPF probe symlinked to ${HOME}/.falco/${DRIVER_NAME}-bpf.o"
exit $?
else
>&2 echo "Unable to load the ${DRIVER_NAME} eBPF probe"
>&2 echo "Failure to find an eBPF probe"
exit 1
fi
}
@@ -487,32 +463,15 @@ print_usage() {
echo ""
echo "Options:"
echo " --help show brief help"
echo " --clean try to remove an already present driver installation"
echo " --compile try to compile the driver locally (default true)"
echo " --download try to download a prebuilt driver (default true)"
echo " --compile try to compile the driver locally"
echo " --download try to download a prebuilt driver"
echo " --source-only skip execution and allow sourcing in another script"
echo ""
echo "Environment variables:"
echo " DRIVER_REPO specify a different URL where to look for prebuilt Falco drivers"
echo " DRIVER_NAME specify a different name for the driver"
echo " DRIVER_INSECURE_DOWNLOAD whether you want to allow insecure downloads or not"
echo ""
echo "Versions:"
echo " Falco version ${FALCO_VERSION}"
echo " Driver version ${DRIVER_VERSION}"
echo ""
}
ARCH=$(uname -m)
KERNEL_RELEASE=$(uname -r)
if ! hash sed > /dev/null 2>&1; then
>&2 echo "This program requires sed"
exit 1
fi
KERNEL_VERSION=$(uname -v | sed 's/#\([[:digit:]]\+\).*/\1/')
DRIVERS_REPO=${DRIVERS_REPO:-"@DRIVERS_REPO@"}
if [ -n "$DRIVER_INSECURE_DOWNLOAD" ]
@@ -527,8 +486,7 @@ if [[ -z "$MAX_RMMOD_WAIT" ]]; then
fi
DRIVER_VERSION="@PROBE_VERSION@"
DRIVER_NAME=${DRIVER_NAME:-"@PROBE_NAME@"}
FALCO_VERSION="@FALCO_VERSION@"
DRIVER_NAME="@PROBE_NAME@"
DRIVER="module"
if [ -v FALCO_BPF_PROBE ]; then
@@ -538,7 +496,6 @@ fi
ENABLE_COMPILE=
ENABLE_DOWNLOAD=
clean=
has_args=
has_opts=
source_only=
@@ -546,7 +503,7 @@ while test $# -gt 0; do
case "$1" in
module|bpf)
if [ -n "$has_args" ]; then
>&2 echo "Only one driver per invocation"
>&2 echo "Only one driver can be passed"
print_usage
exit 1
else
@@ -559,10 +516,6 @@ while test $# -gt 0; do
print_usage
exit 0
;;
--clean)
clean="true"
shift
;;
--compile)
ENABLE_COMPILE="yes"
has_opts="true"
@@ -596,42 +549,23 @@ if [ -z "$has_opts" ]; then
fi
if [ -z "$source_only" ]; then
echo "* Running falco-driver-loader for: falco version=${FALCO_VERSION}, driver version=${DRIVER_VERSION}"
if [ "$(id -u)" != 0 ]; then
>&2 echo "This program must be run as root (or with sudo)"
exit 1
fi
if [ -n "$clean" ]; then
if [ -n "$has_opts" ]; then
>&2 echo "Cannot use --clean with other options"
exit 1
fi
if ! hash curl > /dev/null 2>&1; then
>&2 echo "This program requires curl"
exit 1
fi
echo "* Running falco-driver-loader with: driver=$DRIVER, clean=yes"
case $DRIVER in
echo "* Running falco-driver-loader with: driver=$DRIVER, compile=${ENABLE_COMPILE:-"no"}, download=${ENABLE_DOWNLOAD:-"no"}"
case $DRIVER in
module)
clean_kernel_module
load_kernel_module
;;
bpf)
>&2 echo "--clean not supported for driver=bpf"
exit 1
esac
else
if ! hash curl > /dev/null 2>&1; then
>&2 echo "This program requires curl"
exit 1
fi
echo "* Running falco-driver-loader with: driver=$DRIVER, compile=${ENABLE_COMPILE:-"no"}, download=${ENABLE_DOWNLOAD:-"no"}"
case $DRIVER in
module)
load_kernel_module
;;
bpf)
load_bpf_probe
;;
esac
fi
fi
load_bpf_probe
;;
esac
fi

6
scripts/ignored-calls.sh
View File

@@ -17,9 +17,9 @@
#
scriptdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
parentdir="$(dirname "$scriptdir")"
libsdir="${parentdir}/build/falcosecurity-libs-repo/falcosecurity-libs-prefix/src/falcosecurity-libs"
cat "${libsdir}/userspace/libscap/syscall_info_table.c" | grep EF_DROP_SIMPLE_CONS | sed -e 's/.*\"\(.*\)\".*/\1/' | sort > /tmp/ignored_syscall_info_table.txt
cat "${libsdir}/driver/event_table.c" | grep EF_DROP_SIMPLE_CONS | sed -e 's/[^\"]*\"\([^\"]*\)\".*/\1/' | sort | uniq > /tmp/ignored_driver_event_table.txt
sysdigdir="${parentdir}/build/sysdig-repo/sysdig-prefix/src/sysdig"
cat "${sysdigdir}/userspace/libscap/syscall_info_table.c" | grep EF_DROP_SIMPLE_CONS | sed -e 's/.*\"\(.*\)\".*/\1/' | sort > /tmp/ignored_syscall_info_table.txt
cat "${sysdigdir}/driver/event_table.c" | grep EF_DROP_SIMPLE_CONS | sed -e 's/[^\"]*\"\([^\"]*\)\".*/\1/' | sort | uniq > /tmp/ignored_driver_event_table.txt
cat /tmp/ignored_driver_event_table.txt /tmp/ignored_syscall_info_table.txt | sort | uniq | tr '\n' ', '

47
scripts/publish-bin
View File

@@ -1,47 +0,0 @@
#!/usr/bin/env bash
set -e
usage() {
echo "usage: $0 -f <package.tar.gz> -r <bin|bin-dev> -a <arch>"
exit 1
}
# parse options
while getopts ":f::r::a:" opt; do
case "${opt}" in
f )
file=${OPTARG}
;;
r )
repo="${OPTARG}"
[[ "${repo}" == "bin" || "${repo}" == "bin-dev" ]] || usage
;;
a )
arch=${OPTARG}
;;
: )
echo "invalid option: ${OPTARG} requires an argument" 1>&2
exit 1
;;
\?)
echo "invalid option: ${OPTARG}" 1>&2
exit 1
;;
esac
done
shift $((OPTIND-1))
if [ -z "${file}" ] || [ -z "${repo}" ] || [ -z "${arch}" ]; then
usage
fi
# settings
s3_bucket_repo="s3://falco-distribution/packages/${repo}/${arch}"
cloudfront_path="/packages/${repo}/${arch}"
# publish
package=$(basename -- ${file})
echo "Publishing ${package} to ${s3_bucket_repo}..."
aws s3 cp ${file} ${s3_bucket_repo}/${package} --acl public-read
aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}

132
scripts/publish-deb
View File

@@ -1,132 +0,0 @@
#!/usr/bin/env bash
set -e
usage() {
echo "usage: $0 -f <package.deb> -r <deb|deb-dev>"
exit 1
}
check_program() {
if ! command -v $1 &> /dev/null
then
echo "$1 is required and could not be found"
exit
fi
}
# Add a package to the local DEB repository
#
# $1: path of the repository.
# $2: suite (eg. "stable")
# $3: path of the DEB file.
add_deb() {
cp -f $3 $1/$2
pushd $1/$2 > /dev/null
rm -f $(basename -- $3).asc
gpg --detach-sign --armor $(basename -- $3)
popd > /dev/null
}
# Update the local DEB repository
#
# $1: path of the repository
# $2: suite (eg. "stable")
update_repo() {
# fixme(leogr): we cannot use apt-ftparchive --arch packages ...
# since our .deb files ends with "_x86_64" instead of "amd64".
# See https://manpages.debian.org/jessie/apt-utils/apt-ftparchive.1.en.html
#
# As a workaround, we temporarily stick here with "amd64"
# (the only supported arch at the moment)
local arch=amd64
local component=main
local debs_dir=$2
local release_dir=dists/$2
local packages_dir=${release_dir}/${component}/binary-${arch}
pushd $1 > /dev/null
# packages metadata
apt-ftparchive packages ${debs_dir} > ${packages_dir}/Packages
gzip -c ${packages_dir}/Packages > ${packages_dir}/Packages.gz
bzip2 -z -c ${packages_dir}/Packages > ${packages_dir}/Packages.bz2
# release metadata
apt-ftparchive release \
-o APT::FTPArchive::Release::Origin=Falco \
-o APT::FTPArchive::Release::Label=Falco \
-o APT::FTPArchive::Release::Suite=$2 \
-o APT::FTPArchive::Release::Codename=$2 \
-o APT::FTPArchive::Release::Components=${component} \
-o APT::FTPArchive::Release::Architectures=${arch} \
${release_dir} > ${release_dir}/Release
# release signature
gpg --detach-sign --armor ${release_dir}/Release
rm -f ${release_dir}/Release.gpg
mv ${release_dir}/Release.asc ${release_dir}/Release.gpg
popd > /dev/null
}
# parse options
while getopts ":f::r:" opt; do
case "${opt}" in
f )
file=${OPTARG}
;;
r )
repo="${OPTARG}"
[[ "${repo}" == "deb" || "${repo}" == "deb-dev" ]] || usage
;;
: )
echo "invalid option: ${OPTARG} requires an argument" 1>&2
exit 1
;;
\?)
echo "invalid option: ${OPTARG}" 1>&2
exit 1
;;
esac
done
shift $((OPTIND-1))
# check options
if [ -z "${file}" ] || [ -z "${repo}" ]; then
usage
fi
# check prerequisites
check_program apt-ftparchive
check_program gzip
check_program bzip2
check_program gpg
check_program aws
# settings
debSuite=stable
s3_bucket_repo="s3://falco-distribution/packages/${repo}"
cloudfront_path="/packages/${repo}"
tmp_repo_path=/tmp/falco-$repo
# prepare repository local copy
echo "Fetching ${s3_bucket_repo}..."
mkdir -p ${tmp_repo_path}
aws s3 cp ${s3_bucket_repo} ${tmp_repo_path} --recursive
# update the repo
echo "Adding ${file}..."
add_deb ${tmp_repo_path} ${debSuite} ${file}
update_repo ${tmp_repo_path} ${debSuite}
# publish
package=$(basename -- ${file})
echo "Publishing ${package} to ${s3_bucket_repo}..."
aws s3 cp ${tmp_repo_path}/${debSuite}/${package} ${s3_bucket_repo}/${debSuite}/${package} --acl public-read
aws s3 cp ${tmp_repo_path}/${debSuite}/${package}.asc ${s3_bucket_repo}/${debSuite}/${package}.asc --acl public-read
aws s3 sync ${tmp_repo_path}/dists ${s3_bucket_repo}/dists --delete --acl public-read
aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${debSuite}/${package}
aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${debSuite}/${package}.asc
aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/dists/*

96
scripts/publish-rpm
View File

@@ -1,96 +0,0 @@
#!/usr/bin/env bash
set -e
usage() {
echo "usage: $0 -f <package.rpm> -r <rpm|rpm-dev>"
exit 1
}
check_program() {
if ! command -v $1 &> /dev/null
then
echo "$1 is required and could not be found"
exit
fi
}
# Add a package to the local RPM repository
#
# $1: path of the repository.
# $2: path of the RPM file.
add_rpm() {
cp -f $2 $1
pushd $1 > /dev/null
rm -f $(basename -- $2).asc
gpg --detach-sign --armor $(basename -- $2)
popd > /dev/null
}
# Update the local RPM repository
#
# $1: path of the repository.
update_repo() {
pushd $1 > /dev/null
createrepo --update --no-database .
rm -f repodata/repomd.xml.asc
gpg --detach-sign --armor repodata/repomd.xml
popd > /dev/null
}
# parse options
while getopts ":f::r:" opt; do
case "${opt}" in
f )
file=${OPTARG}
;;
r )
repo="${OPTARG}"
[[ "${repo}" == "rpm" || "${repo}" == "rpm-dev" ]] || usage
;;
: )
echo "invalid option: ${OPTARG} requires an argument" 1>&2
exit 1
;;
\?)
echo "invalid option: ${OPTARG}" 1>&2
exit 1
;;
esac
done
shift $((OPTIND-1))
if [ -z "${file}" ] || [ -z "${repo}" ]; then
usage
fi
# check prerequisites
check_program createrepo
check_program gpg
check_program aws
# settings
s3_bucket_repo="s3://falco-distribution/packages/${repo}"
cloudfront_path="/packages/${repo}"
tmp_repo_path=/tmp/falco-$repo
# prepare repository local copy
echo "Fetching ${s3_bucket_repo}..."
mkdir -p ${tmp_repo_path}
aws s3 cp ${s3_bucket_repo} ${tmp_repo_path} --recursive
# update the repo
echo "Adding ${file}..."
add_rpm ${tmp_repo_path} ${file}
update_repo ${tmp_repo_path}
# publish
package=$(basename -- ${file})
echo "Publishing ${package} to ${s3_bucket_repo}..."
aws s3 cp ${tmp_repo_path}/${package} ${s3_bucket_repo}/${package} --acl public-read
aws s3 cp ${tmp_repo_path}/${package}.asc ${s3_bucket_repo}/${package}.asc --acl public-read
aws s3 sync ${tmp_repo_path}/repodata ${s3_bucket_repo}/repodata --delete --acl public-read
aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}
aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}.asc
aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/repodata/*

127
scripts/rpm/falco Executable file
View File

@@ -0,0 +1,127 @@
#!/bin/sh
#
# Copyright (C) 2019 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
#
# falco syscall monitoring agent
#
# chkconfig: 2345 55 45
# description: Falco syscall monitoring agent
#
### BEGIN INIT INFO
# Provides:
# Required-Start:
# Required-Stop:
# Should-Start:
# Should-Stop:
# Default-Start:
# Default-Stop:
# Short-Description:
# Description:
### END INIT INFO
# Source function library.
. /etc/rc.d/init.d/functions
exec="/usr/bin/falco"
prog="falco"
# config="<path to major config file>"
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
lockfile=/var/lock/subsys/$prog
pidfile="/var/run/falco.pid"
start() {
[ -x $exec ] || exit 5
# [ -f $config ] || exit 6
echo -n $"Starting $prog: "
daemon $exec --daemon --pidfile=$pidfile
if [ ! -d /sys/module/falco ]; then
/sbin/modprobe falco || return $?
fi
retval=$?
echo
[ $retval -eq 0 ] && touch $lockfile
return $retval
}
stop() {
echo -n $"Stopping $prog: "
killproc -p $pidfile
retval=$?
echo
/sbin/rmmod falco
[ $retval -eq 0 ] && rm -f $lockfile
return $retval
}
restart() {
stop
start
}
reload() {
restart
}
force_reload() {
restart
}
rh_status() {
status -p $pidfile $prog
}
rh_status_q() {
rh_status >/dev/null 2>&1
}
case "$1" in
start)
rh_status_q && exit 0
$1
;;
stop)
rh_status_q || exit 0
$1
;;
restart)
$1
;;
reload)
rh_status_q || exit 7
$1
;;
force-reload)
force_reload
;;
status)
rh_status
;;
condrestart|try-restart)
rh_status_q || exit 0
restart
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
exit 2
esac
exit $?

24
scripts/rpm/falco.service
View File

@@ -1,24 +0,0 @@
[Unit]
Description=Falco: Container Native Runtime Security
Documentation=https://falco.org/docs/
[Service]
Type=simple
User=root
ExecStartPre=/sbin/modprobe falco
ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
ExecStopPost=/sbin/rmmod falco
UMask=0077
TimeoutSec=30
RestartSec=15s
Restart=on-failure
PrivateTmp=true
NoNewPrivileges=yes
ProtectHome=read-only
ProtectSystem=full
ProtectKernelTunables=true
RestrictRealtime=true
RestrictAddressFamilies=~AF_PACKET
[Install]
WantedBy=multi-user.target

4
scripts/rpm/postinstall.in
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2021 The Falco Authors.
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -29,3 +29,5 @@ else
echo -e "Module build for the currently running kernel was skipped since the"
echo -e "kernel source for this kernel does not seem to be installed."
fi
/sbin/chkconfig --add falco

6
scripts/rpm/postuninstall.in
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2021 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,3 +14,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
if [ "$1" -ge "1" ]; then
/sbin/service falco condrestart > /dev/null 2>&1
fi

7
scripts/rpm/preuninstall.in
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2021 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,5 +15,10 @@
# limitations under the License.
#
if [ $1 = 0 ]; then
/sbin/service falco stop > /dev/null 2>&1
/sbin/chkconfig --del falco
fi
mod_version="@PROBE_VERSION@"
dkms remove -m falco -v $mod_version --all --rpm_safe_upgrade

14
test/README.md
View File

@@ -2,7 +2,7 @@
This folder contains the Regression tests suite for Falco.
You can find instructions on how to run this test suite on the Falco website [here](https://falco.org/docs/getting-started/source/#run-regression-tests).
You can find instructions on how to run this test suite on the Falco website [here](https://falco.org/docs/source/#run-regression-tests).
## Test suites
@@ -16,7 +16,7 @@ You can find instructions on how to run this test suite on the Falco website [he
This step assumes you already built Falco.
Note that the tests are intended to be run against a [release build](https://falco.org/docs/getting-started/source/#specify-the-build-type) of Falco, at the moment.
Note that the tests are intended to be run against a [release build](https://falco.org/docs/source/#specify-the-build-type) of Falco, at the moment.
Also, it assumes you prepared [falco_traces](#falco_traces) (see the section below) and you already run the following command from the build directory:
@@ -26,15 +26,7 @@ make test-trace-files
It prepares the fixtures (`json` and `scap` files) needed by the integration tests.
**Requirements**
- Python 3.x
- [Virtualenv](https://virtualenv.pypa.io/en/latest/)
- [grpcurl](https://github.com/fullstorydev/grpcurl)
**Setup and execution**
Using `virtualenv` the steps to locally run a specific test suite are the following ones (**from this directory**):
Using `virtualenv` the steps to locally run a specific test suite are the following ones (from this directory):
```console
virtualenv venv

12
test/confs/drops_ignore_log.yaml
View File

@@ -1,12 +0,0 @@
syscall_event_drops:
actions:
- ignore
- log
rate: .03333
max_burst: 10
simulate_drops: true
stdout_output:
enabled: true
log_stderr: true

2
test/confs/drops_log.yaml
View File

@@ -9,5 +9,3 @@ stdout_output:
enabled: true
log_stderr: true
log_level: debug

12
test/confs/drops_threshold_neg.yaml
View File

@@ -1,12 +0,0 @@
syscall_event_drops:
threshold: -1
actions:
- ignore
rate: .03333
max_burst: 10
simulate_drops: true
stdout_output:
enabled: true
log_stderr: true

12
test/confs/drops_threshold_oor.yaml
View File

@@ -1,12 +0,0 @@
syscall_event_drops:
threshold: 1.1
actions:
- ignore
rate: .03333
max_burst: 10
simulate_drops: true
stdout_output:
enabled: true
log_stderr: true

21
test/falco_k8s_audit_tests.yaml
View File

@@ -128,16 +128,6 @@ trace_files: !mux
- Create Privileged Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
create_privileged_no_secctx_1st_container_2nd_container_pod:
detect: True
detect_level: WARNING
rules_file:
- ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml
detect_counts:
- Create Privileged Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json
create_privileged_2nd_container_pod:
detect: True
detect_level: WARNING
@@ -622,13 +612,4 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- K8s Secret Deleted: 1
trace_file: trace_files/k8s_audit/delete_secret.json
fal_01_003:
detect: False
detect_level: INFO
rules_file:
- ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml
trace_file: trace_files/k8s_audit/fal_01_003.json
stderr_contains: 'Could not read k8s audit event line #1, "{"kind": 0}": Data not recognized as a k8s audit event, stopping'
trace_file: trace_files/k8s_audit/delete_secret.json

59
test/falco_tests.yaml
View File

@@ -356,6 +356,8 @@ trace_files: !mux
condition: evt.type=fork
priority: INFO
---
1 warnings:
Rule no output rule: consider adding an exceptions property to define supported exceptions fields
validate_rules_file:
- rules/invalid_rule_without_output.yaml
trace_file: trace_files/cat_write.scap
@@ -411,6 +413,8 @@ trace_files: !mux
condition: evt.type=open
append: true
---
1 warnings:
Rule my_rule: consider adding an exceptions property to define supported exceptions fields
validate_rules_file:
- rules/rule_append_failure.yaml
trace_file: trace_files/cat_write.scap
@@ -538,6 +542,9 @@ trace_files: !mux
priority: INFO
append: false
---
2 warnings:
Rule some rule: consider adding an exceptions property to define supported exceptions fields
Rule some rule: consider adding an exceptions property to define supported exceptions fields
validate_rules_file:
- rules/invalid_overwrite_rule_multiple_docs.yaml
trace_file: trace_files/cat_write.scap
@@ -560,6 +567,9 @@ trace_files: !mux
priority: INFO
append: true
---
2 warnings:
Rule some rule: consider adding an exceptions property to define supported exceptions fields
Rule some rule: consider adding an exceptions property to define supported exceptions fields
validate_rules_file:
- rules/invalid_append_rule_multiple_docs.yaml
trace_file: trace_files/cat_write.scap
@@ -617,6 +627,8 @@ trace_files: !mux
output: "An open was seen %not_a_real_field"
priority: WARNING
---
1 warnings:
Rule rule_with_invalid_output: consider adding an exceptions property to define supported exceptions fields
validate_rules_file:
- rules/invalid_rule_output.yaml
trace_file: trace_files/cat_write.scap
@@ -763,7 +775,7 @@ trace_files: !mux
- "Non sudo setuid": 1
- "Create files below dev": 1
- "Modify binary dirs": 2
- "Change thread namespace": 0
- "Change thread namespace": 1
disabled_tags_a:
detect: True
@@ -1215,51 +1227,6 @@ trace_files: !mux
stdout_not_contains:
- "Falco internal: syscall event drop"
monitor_syscall_drops_ignore_and_log:
exit_status: 1
rules_file:
- rules/single_rule.yaml
conf_file: confs/drops_ignore_log.yaml
trace_file: trace_files/ping_sendto.scap
stderr_not_contains:
- "event drop detected: 9 occurrences"
- "num times actions taken: 9"
- "Falco internal: syscall event drop"
stdout_not_contains:
- "Falco internal: syscall event drop"
stderr_contains:
- "syscall event drop action \"log\" does not make sense with the \"ignore\" action"
monitor_syscall_drops_threshold_oor:
exit_status: 1
rules_file:
- rules/single_rule.yaml
conf_file: confs/drops_threshold_oor.yaml
trace_file: trace_files/ping_sendto.scap
stderr_not_contains:
- "event drop detected: 9 occurrences"
- "num times actions taken: 9"
- "Falco internal: syscall event drop"
stdout_not_contains:
- "Falco internal: syscall event drop"
stderr_contains:
- "syscall event drops threshold must be a double in the range"
monitor_syscall_drops_threshold_neg:
exit_status: 1
rules_file:
- rules/single_rule.yaml
conf_file: confs/drops_threshold_neg.yaml
trace_file: trace_files/ping_sendto.scap
stderr_not_contains:
- "event drop detected: 9 occurrences"
- "num times actions taken: 9"
- "Falco internal: syscall event drop"
stdout_not_contains:
- "Falco internal: syscall event drop"
stderr_contains:
- "syscall event drops threshold must be a double in the range"
monitor_syscall_drops_log:
exit_status: 0
rules_file:

9
test/falco_tests_exceptions.yaml
View File

@@ -185,6 +185,15 @@ trace_files: !mux
- rules/exceptions/append_item_not_in_rule.yaml
trace_file: trace_files/cat_write.scap
rule_without_exception:
exit_status: 0
stderr_contains: |+
1 warnings:
Rule My Rule: consider adding an exceptions property to define supported exceptions fields
validate_rules_file:
- rules/exceptions/rule_without_exception.yaml
trace_file: trace_files/cat_write.scap
rule_exception_no_values:
detect: True
detect_level: WARNING

6
test/falco_traces.yaml.in
View File

@@ -23,10 +23,10 @@ has_json_output: !mux
traces: !mux
change-thread-namespace:
trace_file: traces-positive/change-thread-namespace.scap
detect: False
detect: True
detect_level: NOTICE
detect_counts:
- "Change thread namespace": 0
- "Change thread namespace": 1
container-privileged:
trace_file: traces-positive/container-privileged.scap
@@ -73,7 +73,7 @@ traces: !mux
- "Non sudo setuid": 1
- "Create files below dev": 1
- "Modify binary dirs": 2
- "Change thread namespace": 0
- "Change thread namespace": 1
mkdir-binary-dirs:
trace_file: traces-positive/mkdir-binary-dirs.scap

6
test/requirements.txt
View File

@@ -5,9 +5,9 @@ chardet==3.0.4
idna==2.9
pathtools==0.1.2
pbr==5.4.5
PyYAML==5.4
PyYAML==5.3.1
requests==2.23.0
six==1.14.0
stevedore==1.32.0
urllib3==1.26.5
watchdog==0.10.2
urllib3==1.25.9
watchdog==0.10.2

21
test/rules/exceptions/rule_without_exception.yaml Normal file
View File

@@ -0,0 +1,21 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
priority: error

4
test/run_performance_tests.sh Executable file → Normal file
View File

@@ -20,11 +20,9 @@
trap "cleanup; exit" SIGHUP SIGINT SIGTERM
TRACE_FILES_BASE_URL=${TRACE_FILES_BASE_URL:-"https://download.falco.org/fixtures/trace-files/"}
function download_trace_files() {
(mkdir -p $TRACEDIR && rm -rf $TRACEDIR/traces-perf && curl -fo $TRACEDIR/traces-perf.zip "${TRACE_FILES_BASE_URL}traces-perf.zip" && unzip -d $TRACEDIR $TRACEDIR/traces-perf.zip && rm -f $TRACEDIR/traces-perf.zip) || exit 1
(mkdir -p $TRACEDIR && rm -rf $TRACEDIR/traces-perf && curl -fo $TRACEDIR/traces-perf.zip https://s3.amazonaws.com/download.draios.com/falco-tests/traces-perf.zip && unzip -d $TRACEDIR $TRACEDIR/traces-perf.zip && rm -f $TRACEDIR/traces-perf.zip) || exit 1
}

5
test/run_regression_tests.sh
View File

@@ -20,7 +20,6 @@ set -euo pipefail
SCRIPT=$(readlink -f $0)
SCRIPTDIR=$(dirname "$SCRIPT")
SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false}
TRACE_FILES_BASE_URL=${TRACE_FILES_BASE_URL:-"https://download.falco.org/fixtures/trace-files/"}
# Trace file tarballs are now versioned. Any time a substantial change
# is made that affects the interaction of rules+engine and the trace
@@ -32,9 +31,9 @@ function download_trace_files() {
for TRACE in traces-positive traces-negative traces-info ; do
if [ ! -e "$TRACE_DIR/$TRACE" ]; then
if [ "$OPT_BRANCH" != "none" ]; then
curl -fso "$TRACE_DIR/$TRACE.zip" "$TRACE_FILES_BASE_URL$TRACE-$OPT_BRANCH.zip"
curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$OPT_BRANCH.zip
else
curl -fso "$TRACE_DIR/$TRACE.zip" "$TRACE_FILES_BASE_URL$TRACE-$TRACE_FILES_VERSION.zip"
curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$TRACE_FILES_VERSION.zip
fi
unzip -d "$TRACE_DIR" "$TRACE_DIR/$TRACE.zip"
rm -rf "$TRACE_DIR/$TRACE.zip"

1
test/trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json
View File

@@ -1 +0,0 @@
{"annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""},"auditID":"f83ecd50-5bf4-4fe7-a419-dea22852ca49","kind":"Event","level":"RequestResponse","metadata":{"creationTimestamp":"2018-10-25T17:53:07Z"},"objectRef":{"apiVersion":"v1","namespace":"default","resource":"pods"},"requestObject":{"apiVersion":"v1","kind":"Pod","metadata":{"creationTimestamp":null,"generateName":"nginx-deployment-544b59f8b8-","labels":{"app":"nginx","pod-template-hash":"1006159464"},"ownerReferences":[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"ReplicaSet","name":"nginx-deployment-544b59f8b8","uid":"d40b40e1-d87e-11e8-a473-080027728ac4"}]},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"Always","name":"nginx1","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"},{"image":"mysql:latest","imagePullPolicy":"Always","name":"mysql","resources":{},"securityContext":{"privileged":true},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30},"status":{}},"requestReceivedTimestamp":"2018-10-25T17:53:06.995407Z","requestURI":"/api/v1/namespaces/default/pods","responseObject":{"apiVersion":"v1","kind":"Pod","metadata":{"creationTimestamp":"2018-10-25T17:53:06Z","generateName":"nginx-deployment-544b59f8b8-","labels":{"app":"nginx","pod-template-hash":"1006159464"},"name":"nginx-deployment-544b59f8b8-ffkxm","namespace":"default","ownerReferences":[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"ReplicaSet","name":"nginx-deployment-544b59f8b8","uid":"d40b40e1-d87e-11e8-a473-080027728ac4"}],"resourceVersion":"246302","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-544b59f8b8-ffkxm","uid":"d40dfcd7-d87e-11e8-a473-080027728ac4"},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"Always","name":"nginx1","resources":{},"securityContext":{"privileged":false},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount","name":"default-token-g2sp7","readOnly":true}]},{"image":"mysql:latest","imagePullPolicy":"Always","name":"mysql","resources":{},"securityContext":{"privileged":true},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount","name":"default-token-g2sp7","readOnly":true}]}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"serviceAccount":"default","serviceAccountName":"default","terminationGracePeriodSeconds":30,"tolerations":[{"effect":"NoExecute","key":"node.kubernetes.io/not-ready","operator":"Exists","tolerationSeconds":300},{"effect":"NoExecute","key":"node.kubernetes.io/unreachable","operator":"Exists","tolerationSeconds":300}],"volumes":[{"name":"default-token-g2sp7","secret":{"defaultMode":420,"secretName":"default-token-g2sp7"}}]},"status":{"phase":"Pending","qosClass":"BestEffort"}},"responseStatus":{"code":201,"metadata":{}},"sourceIPs":["::1"],"stage":"ResponseComplete","stageTimestamp":"2018-10-25T17:53:07.006845Z","timestamp":"2018-10-25T17:53:06Z","user":{"groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"uid":"8d5e1349-d30f-11e8-96d9-080027728ac4","username":"system:serviceaccount:kube-system:replicaset-controller"},"verb":"create"}

1
test/trace_files/k8s_audit/fal_01_003.json
View File

@@ -1 +0,0 @@
{"kind": 0}

10
userspace/engine/CMakeLists.txt
View File

@@ -35,8 +35,9 @@ if(MINIMAL_BUILD)
"${NJSON_INCLUDE}"
"${TBB_INCLUDE_DIR}"
"${STRING_VIEW_LITE_INCLUDE}"
"${LIBSCAP_INCLUDE_DIRS}"
"${LIBSINSP_INCLUDE_DIRS}"
"${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp"
"${SYSDIG_SOURCE_DIR}/userspace/libscap"
"${SYSDIG_SOURCE_DIR}/userspace/libsinsp"
"${PROJECT_BINARY_DIR}/userspace/engine")
else()
target_include_directories(
@@ -47,8 +48,9 @@ else()
"${CURL_INCLUDE_DIR}"
"${TBB_INCLUDE_DIR}"
"${STRING_VIEW_LITE_INCLUDE}"
"${LIBSCAP_INCLUDE_DIRS}"
"${LIBSINSP_INCLUDE_DIRS}"
"${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp"
"${SYSDIG_SOURCE_DIR}/userspace/libscap"
"${SYSDIG_SOURCE_DIR}/userspace/libsinsp"
"${PROJECT_BINARY_DIR}/userspace/engine")
endif()

30
userspace/engine/falco_engine.cpp
View File

@@ -45,6 +45,7 @@ nlohmann::json::json_pointer falco_engine::k8s_audit_time = "/stageTimestamp"_js
falco_engine::falco_engine(bool seed_rng, const std::string& alternate_lua_dir)
: m_rules(NULL), m_next_ruleset_id(0),
m_min_priority(falco_common::PRIORITY_DEBUG),
m_alternate_lua_dir(alternate_lua_dir),
m_sampling_ratio(1), m_sampling_multiplier(0),
m_replace_container_info(false)
{
@@ -68,6 +69,35 @@ falco_engine::falco_engine(bool seed_rng, const std::string& alternate_lua_dir)
m_json_factory = make_shared<json_event_filter_factory>();
}
falco_engine::falco_engine(const falco_engine &orig_engine)
: m_rules(NULL), m_next_ruleset_id(0),
m_min_priority(falco_common::PRIORITY_DEBUG),
m_sampling_ratio(1), m_sampling_multiplier(0),
m_replace_container_info(false)
{
luaopen_lpeg(m_ls);
luaopen_yaml(m_ls);
m_alternate_lua_dir = orig_engine.m_alternate_lua_dir;
falco_common::init(m_lua_main_filename.c_str(), m_alternate_lua_dir.c_str());
falco_rules::init(m_ls);
m_sinsp_rules.reset(new falco_sinsp_ruleset());
m_k8s_audit_rules.reset(new falco_ruleset());
m_default_ruleset_id = find_ruleset_id(m_default_ruleset);
// Create this now so we can potentially list filters and exit
m_json_factory = make_shared<json_event_filter_factory>();
set_inspector(orig_engine.m_inspector);
std::string extra = orig_engine.m_extra;
set_extra(extra, orig_engine.m_replace_container_info);
set_min_priority(orig_engine.m_min_priority);
set_sampling_multiplier(orig_engine.m_sampling_multiplier);
set_sampling_ratio(orig_engine.m_sampling_ratio);
}
falco_engine::~falco_engine()
{
if (m_rules)

4
userspace/engine/falco_engine.h
View File

@@ -47,7 +47,8 @@ limitations under the License.
class falco_engine : public falco_common
{
public:
falco_engine(bool seed_rng=true, const std::string& alternate_lua_dir=FALCO_ENGINE_SOURCE_LUA_DIR);
explicit falco_engine(bool seed_rng=true, const std::string& alternate_lua_dir=FALCO_ENGINE_SOURCE_LUA_DIR);
falco_engine(const falco_engine &orig_engine);
virtual ~falco_engine();
// A given engine has a version which identifies the fields
@@ -264,6 +265,7 @@ private:
std::unique_ptr<falco_ruleset> m_k8s_audit_rules;
void populate_rule_result(unique_ptr<struct rule_result> &res, gen_event *ev);
std::string m_alternate_lua_dir;
//
// Here's how the sampling ratio and multiplier influence

10
userspace/engine/falco_utils.h
View File

@@ -17,8 +17,6 @@ limitations under the License.
*/
#pragma once
#include <sstream>
#include <fstream>
#include <iostream>
@@ -26,13 +24,7 @@ limitations under the License.
#include <thread>
#include <nonstd/string_view.hpp>
#ifdef __GNUC__
#define likely(x) __builtin_expect(!!(x), 1)
#define unlikely(x) __builtin_expect(!!(x), 0)
#else
#define likely(x) (x)
#define unlikely(x) (x)
#endif
#pragma once
namespace falco
{

8
userspace/engine/json_evt.cpp
View File

@@ -281,11 +281,7 @@ bool json_event_value::parse_as_int64(int64_t &intval, const std::string &val)
return false;
}
}
catch(std::out_of_range &)
{
return false;
}
catch (std::invalid_argument &)
catch (std::invalid_argument &e)
{
return false;
}
@@ -316,7 +312,7 @@ bool json_event_filter_check::def_extract(const nlohmann::json &root,
{
if(!def_extract(item, ptrs, std::next(it, 1)))
{
add_extracted_value(no_value);
return false;
}
}
}

2
userspace/engine/lua/parser.lua
View File

@@ -204,7 +204,7 @@ local G = {
Hex = (P("0x") + P("0X")) * xdigit ^ 1,
Expo = S("eE") * S("+-") ^ -1 * digit ^ 1,
Float = (((digit ^ 1 * P(".") * digit ^ 0) + (P(".") * digit ^ 1)) * V "Expo" ^ -1) + (digit ^ 1 * V "Expo"),
Number = C(V "Hex" + V "Float" + V "Int") * - V "idStart" / function(n)
Number = C(V "Hex" + V "Float" + V "Int") / function(n)
return tonumber(n)
end,
String = (P '"' * C(((P "\\" * P(1)) + (P(1) - P '"')) ^ 0) * P '"' +

4
userspace/engine/lua/rule_loader.lua
View File

@@ -522,8 +522,10 @@ function load_rules_doc(rules_mgr, doc, load_state)
v['source'] = "syscall"
end
-- Add an empty exceptions property to the rule if not defined
-- Add an empty exceptions property to the rule if not
-- defined, but add a warning about defining one
if v['exceptions'] == nil then
warnings[#warnings + 1] = "Rule "..v['rule']..": consider adding an exceptions property to define supported exceptions fields"
v['exceptions'] = {}
end

30
userspace/falco/CMakeLists.txt
View File

@@ -25,10 +25,12 @@ set(
event_drops.cpp
statsfilewriter.cpp
falco.cpp
"${SYSDIG_SOURCE_DIR}/userspace/libsinsp/fields_info.cpp"
)
set(
FALCO_INCLUDE_DIRECTORIES
"${LIBHAWK_INCLUDE_DIRECTORY}"
"${PROJECT_SOURCE_DIR}/userspace/engine"
"${PROJECT_BINARY_DIR}/userspace/falco"
"${PROJECT_BINARY_DIR}/driver/src"
@@ -51,6 +53,7 @@ set(
set(
FALCO_LIBRARIES
falco_engine
libhawk
sinsp
"${LIBYAML_LIB}"
"${YAMLCPP_LIB}"
@@ -60,6 +63,8 @@ if(USE_BUNDLED_DEPS)
list(APPEND FALCO_DEPENDENCIES yamlcpp)
endif()
if(NOT MINIMAL_BUILD)
list(
APPEND FALCO_SOURCES
@@ -86,23 +91,16 @@ if(NOT MINIMAL_BUILD)
"${GRPC_INCLUDE}"
"${GRPCPP_INCLUDE}"
"${PROTOBUF_INCLUDE}"
"${CARES_INCLUDE}"
)
if(USE_BUNDLED_GRPC)
list(APPEND FALCO_DEPENDENCIES grpc)
list(APPEND FALCO_LIBRARIES "${GRPC_LIBRARIES}")
endif()
list(APPEND FALCO_DEPENDENCIES civetweb)
list(
APPEND FALCO_LIBRARIES
"${GRPCPP_LIB}"
"${GRPC_LIB}"
"${GPR_LIB}"
"${GRPC_LIB}"
"${GRPCPP_LIB}"
"${PROTOBUF_LIB}"
"${CARES_LIB}"
"${OPENSSL_LIBRARY_SSL}"
"${OPENSSL_LIBRARY_CRYPTO}"
"${LIBYAML_LIB}"
@@ -130,12 +128,14 @@ target_include_directories(
)
if(NOT MINIMAL_BUILD)
add_custom_command(
TARGET falco
COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/verify_engine_fields.sh ${CMAKE_SOURCE_DIR}
WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
COMMENT "Comparing engine fields checksum in falco_engine.h to actual fields"
)
# todo(fntlnz): restore this before merge, after the command for compare is refactored
# to work with the new way the engine is passed around
# add_custom_command(
# TARGET falco
# COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/verify_engine_fields.sh ${CMAKE_SOURCE_DIR}
# WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
# COMMENT "Comparing engine fields checksum in falco_engine.h to actual fields"
# )
else()
message(STATUS "Skipping engine fields checksum when building the minimal Falco.")
endif()

45
userspace/falco/configuration.cpp
View File

@@ -1,5 +1,5 @@
/*
Copyright (C) 2021 The Falco Authors.
Copyright (C) 2020 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -34,7 +34,6 @@ falco_configuration::falco_configuration():
m_webserver_enabled(false),
m_webserver_listen_port(8765),
m_webserver_k8s_audit_endpoint("/k8s-audit"),
m_webserver_k8s_healthz_endpoint("/healthz"),
m_webserver_ssl_enabled(false),
m_config(NULL)
{
@@ -138,6 +137,11 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
m_outputs.push_back(http_output);
}
// extension related configuration
m_config->get_sequence<list<string>>(m_extensions_filenames , string("extensions"));
m_rules_provider = m_config->get_scalar<string>("rules_provider", "internal");
// gRPC related configuration
m_grpc_enabled = m_config->get_scalar<bool>("grpc", "enabled", false);
m_grpc_bind_address = m_config->get_scalar<string>("grpc", "bind_address", "0.0.0.0:5060");
m_grpc_threadiness = m_config->get_scalar<uint32_t>("grpc", "threadiness", 0);
@@ -194,7 +198,6 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
m_webserver_enabled = m_config->get_scalar<bool>("webserver", "enabled", false);
m_webserver_listen_port = m_config->get_scalar<uint32_t>("webserver", "listen_port", 8765);
m_webserver_k8s_audit_endpoint = m_config->get_scalar<string>("webserver", "k8s_audit_endpoint", "/k8s-audit");
m_webserver_k8s_healthz_endpoint = m_config->get_scalar<string>("webserver", "k8s_healthz_endpoint", "/healthz");
m_webserver_ssl_enabled = m_config->get_scalar<bool>("webserver", "ssl_enabled", false);
m_webserver_ssl_certificate = m_config->get_scalar<string>("webserver", "ssl_certificate", "/etc/falco/falco.pem");
@@ -205,53 +208,35 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
{
if(act == "ignore")
{
m_syscall_evt_drop_actions.insert(syscall_evt_drop_action::IGNORE);
m_syscall_evt_drop_actions.insert(syscall_evt_drop_mgr::ACT_IGNORE);
}
else if(act == "log")
{
if(m_syscall_evt_drop_actions.count(syscall_evt_drop_action::IGNORE))
{
throw logic_error("Error reading config file (" + m_config_file + "): syscall event drop action \"" + act + "\" does not make sense with the \"ignore\" action");
}
m_syscall_evt_drop_actions.insert(syscall_evt_drop_action::LOG);
m_syscall_evt_drop_actions.insert(syscall_evt_drop_mgr::ACT_LOG);
}
else if(act == "alert")
{
if(m_syscall_evt_drop_actions.count(syscall_evt_drop_action::IGNORE))
{
throw logic_error("Error reading config file (" + m_config_file + "): syscall event drop action \"" + act + "\" does not make sense with the \"ignore\" action");
}
m_syscall_evt_drop_actions.insert(syscall_evt_drop_action::ALERT);
m_syscall_evt_drop_actions.insert(syscall_evt_drop_mgr::ACT_ALERT);
}
else if(act == "exit")
{
m_syscall_evt_drop_actions.insert(syscall_evt_drop_action::EXIT);
m_syscall_evt_drop_actions.insert(syscall_evt_drop_mgr::ACT_EXIT);
}
else
{
throw logic_error("Error reading config file (" + m_config_file + "): available actions for syscall event drops are \"ignore\", \"log\", \"alert\", and \"exit\"");
throw logic_error("Error reading config file (" + m_config_file + "): syscall event drop action " + act + " must be one of \"ignore\", \"log\", \"alert\", or \"exit\"");
}
}
if(m_syscall_evt_drop_actions.empty())
{
m_syscall_evt_drop_actions.insert(syscall_evt_drop_action::IGNORE);
m_syscall_evt_drop_actions.insert(syscall_evt_drop_mgr::ACT_IGNORE);
}
m_syscall_evt_drop_threshold = m_config->get_scalar<double>("syscall_event_drops", "threshold", .1);
if(m_syscall_evt_drop_threshold < 0 || m_syscall_evt_drop_threshold > 1)
{
throw logic_error("Error reading config file (" + m_config_file + "): syscall event drops threshold must be a double in the range [0, 1]");
}
m_syscall_evt_drop_rate = m_config->get_scalar<double>("syscall_event_drops", "rate", .03333);
m_syscall_evt_drop_max_burst = m_config->get_scalar<double>("syscall_event_drops", "max_burst", 1);
m_syscall_evt_drop_rate = m_config->get_scalar<double>("syscall_event_drops", "rate", 0.3333);
m_syscall_evt_drop_max_burst = m_config->get_scalar<double>("syscall_event_drops", "max_burst", 10);
m_syscall_evt_simulate_drops = m_config->get_scalar<bool>("syscall_event_drops", "simulate_drops", false);
m_syscall_evt_timeout_max_consecutives = m_config->get_scalar<uint32_t>("syscall_event_timeouts", "max_consecutives", 1000);
if(m_syscall_evt_timeout_max_consecutives == 0)
{
throw logic_error("Error reading config file(" + m_config_file + "): the maximum consecutive timeouts without an event must be an unsigned integer > 0");
}
}
void falco_configuration::read_rules_file_directory(const string &path, list<string> &rules_filenames)

17
userspace/falco/configuration.h
View File

@@ -1,5 +1,5 @@
/*
Copyright (C) 2021 The Falco Authors.
Copyright (C) 2019 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -111,7 +111,7 @@ public:
}
catch(const YAML::BadConversion& ex)
{
std::cerr << "Cannot read config file (" + m_path + "): wrong type at key " + key + "." + subkey + "\n";
std::cerr << "Cannot read config file (" + m_path + "): wrong type at key " + key + "\n";
throw;
}
@@ -172,7 +172,7 @@ public:
}
catch(const YAML::BadConversion& ex)
{
std::cerr << "Cannot read config file (" + m_path + "): wrong type at key " + key + "." + subkey +"\n";
std::cerr << "Cannot read config file (" + m_path + "): wrong type at key " + key + "\n";
throw;
}
}
@@ -216,19 +216,18 @@ public:
bool m_webserver_enabled;
uint32_t m_webserver_listen_port;
std::string m_webserver_k8s_audit_endpoint;
std::string m_webserver_k8s_healthz_endpoint;
bool m_webserver_ssl_enabled;
std::string m_webserver_ssl_certificate;
syscall_evt_drop_actions m_syscall_evt_drop_actions;
double m_syscall_evt_drop_threshold;
std::set<syscall_evt_drop_mgr::action> m_syscall_evt_drop_actions;
double m_syscall_evt_drop_rate;
double m_syscall_evt_drop_max_burst;
std::list<std::string> m_extensions_filenames;
std::string m_rules_provider;
// Only used for testing
bool m_syscall_evt_simulate_drops;
uint32_t m_syscall_evt_timeout_max_consecutives;
private:
void init_cmdline_options(std::list<std::string>& cmdline_options);

72
userspace/falco/event_drops.cpp
View File

@@ -1,5 +1,5 @@
/*
Copyright (C) 2021 The Falco Authors.
Copyright (C) 2020 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -34,8 +34,7 @@ syscall_evt_drop_mgr::~syscall_evt_drop_mgr()
void syscall_evt_drop_mgr::init(sinsp *inspector,
falco_outputs *outputs,
syscall_evt_drop_actions &actions,
double threshold,
std::set<action> &actions,
double rate,
double max_tokens,
bool simulate_drops)
@@ -44,15 +43,10 @@ void syscall_evt_drop_mgr::init(sinsp *inspector,
m_outputs = outputs;
m_actions = actions;
m_bucket.init(rate, max_tokens);
m_threshold = threshold;
m_inspector->get_capture_stats(&m_last_stats);
m_simulate_drops = simulate_drops;
if(m_simulate_drops)
{
m_threshold = 0;
}
}
bool syscall_evt_drop_mgr::process_event(sinsp *inspector, sinsp_evt *evt)
@@ -89,27 +83,19 @@ bool syscall_evt_drop_mgr::process_event(sinsp *inspector, sinsp_evt *evt)
if(delta.n_drops > 0)
{
double ratio = delta.n_drops;
// Assuming the number of event does not contains the dropped ones
ratio /= delta.n_drops + delta.n_evts;
m_num_syscall_evt_drops++;
// When simulating drops the threshold is always zero
if(ratio > m_threshold)
// There were new drops in the last second. If
// the token bucket allows, perform actions.
if(m_bucket.claim(1, evt->get_ts()))
{
m_num_syscall_evt_drops++;
m_num_actions++;
// There were new drops in the last second.
// If the token bucket allows, perform actions.
if(m_bucket.claim(1, evt->get_ts()))
{
m_num_actions++;
return perform_actions(evt->get_ts(), delta, inspector->is_bpf_enabled());
}
else
{
falco_logger::log(LOG_DEBUG, "Syscall event drop but token bucket depleted, skipping actions");
}
return perform_actions(evt->get_ts(), delta, inspector->is_bpf_enabled());
}
else
{
falco_logger::log(LOG_DEBUG, "Syscall event drop but token bucket depleted, skipping actions");
}
}
}
@@ -129,32 +115,36 @@ bool syscall_evt_drop_mgr::perform_actions(uint64_t now, scap_stats &delta, bool
std::string rule = "Falco internal: syscall event drop";
std::string msg = rule + ". " + std::to_string(delta.n_drops) + " system calls dropped in last second.";
std::map<std::string, std::string> output_fields;
output_fields["n_evts"] = std::to_string(delta.n_evts);
output_fields["n_drops"] = std::to_string(delta.n_drops);
output_fields["n_drops_buffer"] = std::to_string(delta.n_drops_buffer);
output_fields["n_drops_pf"] = std::to_string(delta.n_drops_pf);
output_fields["n_drops_bug"] = std::to_string(delta.n_drops_bug);
output_fields["ebpf_enabled"] = std::to_string(bpf_enabled);
bool should_exit = false;
for(auto &act : m_actions)
{
switch(act)
{
case syscall_evt_drop_action::IGNORE:
case ACT_IGNORE:
break;
case syscall_evt_drop_action::LOG:
falco_logger::log(LOG_DEBUG, msg);
case ACT_LOG:
falco_logger::log(LOG_ERR, msg);
break;
case syscall_evt_drop_action::ALERT:
{
std::map<std::string, std::string> output_fields;
output_fields["n_evts"] = std::to_string(delta.n_evts);
output_fields["n_drops"] = std::to_string(delta.n_drops);
output_fields["n_drops_buffer"] = std::to_string(delta.n_drops_buffer);
output_fields["n_drops_pf"] = std::to_string(delta.n_drops_pf);
output_fields["n_drops_bug"] = std::to_string(delta.n_drops_bug);
output_fields["ebpf_enabled"] = std::to_string(bpf_enabled);
m_outputs->handle_msg(now, falco_common::PRIORITY_DEBUG, msg, rule, output_fields);
case ACT_ALERT:
m_outputs->handle_msg(now,
falco_common::PRIORITY_CRITICAL,
msg,
rule,
output_fields);
break;
}
case syscall_evt_drop_action::EXIT:
case ACT_EXIT:
should_exit = true;
break;

30
userspace/falco/event_drops.h
View File

@@ -1,5 +1,5 @@
/*
Copyright (C) 2021 The Falco Authors.
Copyright (C) 2019 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -23,28 +23,25 @@ limitations under the License.
#include "logger.h"
#include "falco_outputs.h"
// The possible actions that this class can take upon
// detecting a syscall event drop.
enum class syscall_evt_drop_action : uint8_t
{
IGNORE = 0,
LOG,
ALERT,
EXIT
};
using syscall_evt_drop_actions = std::set<syscall_evt_drop_action>;
class syscall_evt_drop_mgr
{
public:
// The possible actions that this class can take upon
// detecting a syscall event drop.
enum action
{
ACT_IGNORE = 0,
ACT_LOG,
ACT_ALERT,
ACT_EXIT,
};
syscall_evt_drop_mgr();
virtual ~syscall_evt_drop_mgr();
void init(sinsp *inspector,
falco_outputs *outputs,
syscall_evt_drop_actions &actions,
double threshold,
std::set<action> &actions,
double rate,
double max_tokens,
bool simulate_drops);
@@ -66,10 +63,9 @@ protected:
uint64_t m_num_actions;
sinsp *m_inspector;
falco_outputs *m_outputs;
syscall_evt_drop_actions m_actions;
std::set<action> m_actions;
token_bucket m_bucket;
uint64_t m_next_check_ts;
scap_stats m_last_stats;
bool m_simulate_drops;
double m_threshold;
};

493
userspace/falco/falco.cpp
View File

@@ -23,7 +23,6 @@ limitations under the License.
#include <vector>
#include <algorithm>
#include <string>
#include <chrono>
#include <functional>
#include <signal.h>
#include <fcntl.h>
@@ -31,18 +30,19 @@ limitations under the License.
#include <sys/stat.h>
#include <unistd.h>
#include <getopt.h>
#include <condition_variable>
#include <sinsp.h>
#include "logger.h"
#include "utils.h"
#include "fields_info.h"
#include "falco_utils.h"
#include "lifecycle.h"
#include "library.h"
#include "event_drops.h"
#include "configuration.h"
#include "falco_engine.h"
#include "falco_engine_version.h"
#include "config_falco.h"
#include "statsfilewriter.h"
#ifndef MINIMAL_BUILD
@@ -51,13 +51,24 @@ limitations under the License.
#endif
#include "banned.h" // This raises a compilation error when certain functions are used
typedef function<void(sinsp* inspector)> open_t;
typedef function<void(sinsp *inspector)> open_t;
bool g_terminate = false;
bool g_reopen_outputs = false;
bool g_restart = false;
bool g_daemonized = false;
// g_engine is the current loaded Falco engine
std::atomic<falco_engine *> g_engine;
// g_engine_transaction is the Falco engine that is
// being modified under a transaction started by a libhawk plugin
// This engine might become the current g_engine if the transaction is committed
std::atomic<falco_engine *> g_engine_transaction;
// g_engine_blueprint is the engine we use as a template to create new engines
falco_engine *g_engine_blueprint;
//
// Helper functions
//
@@ -176,7 +187,6 @@ static void usage()
"\n"
);
}
static void display_fatal_err(const string &msg)
{
falco_logger::log(LOG_ERR, msg);
@@ -185,7 +195,7 @@ static void display_fatal_err(const string &msg)
* If stderr logging is not enabled, also log to stderr. When
* daemonized this will simply write to /dev/null.
*/
if (! falco_logger::log_stderr)
if(!falco_logger::log_stderr)
{
std::cerr << msg;
}
@@ -237,45 +247,50 @@ static std::string read_file(std::string filename)
//
// Event processing loop
//
uint64_t do_inspect(falco_engine *engine,
falco_outputs *outputs,
sinsp* inspector,
falco_configuration &config,
syscall_evt_drop_mgr &sdropmgr,
uint64_t duration_to_tot_ns,
string &stats_filename,
uint64_t stats_interval,
bool all_events,
int &result)
uint64_t do_inspect(falco_outputs *outputs,
sinsp *inspector,
falco_configuration &config,
syscall_evt_drop_mgr &sdropmgr,
uint64_t duration_to_tot_ns,
string &stats_filename,
uint64_t stats_interval,
bool all_events,
int &result)
{
uint64_t num_evts = 0;
int32_t rc;
sinsp_evt* ev;
sinsp_evt *ev;
StatsFileWriter writer;
uint64_t duration_start = 0;
uint32_t timeouts_since_last_success_or_msg = 0;
sdropmgr.init(inspector,
outputs,
config.m_syscall_evt_drop_actions,
config.m_syscall_evt_drop_threshold,
config.m_syscall_evt_drop_rate,
config.m_syscall_evt_drop_max_burst,
config.m_syscall_evt_simulate_drops);
if (stats_filename != "")
if(stats_filename != "")
{
string errstr;
if (!writer.init(inspector, stats_filename, stats_interval, errstr))
if(!writer.init(inspector, stats_filename, stats_interval, errstr))
{
throw falco_exception(errstr);
}
}
//
// Loop through the events
//
falco_engine *current_engine = g_engine.exchange(nullptr);
// If we didn't get a set of rules yet from the rules plugin, we load
// an engine with an empty ruleset to let Falco do the processing without blocking
// the driver.
if(current_engine == nullptr)
{
current_engine = new falco_engine((const falco_engine)*g_engine_blueprint);
current_engine->load_rules("", false, false);
}
while(1)
{
@@ -294,35 +309,13 @@ uint64_t do_inspect(falco_engine *engine,
falco_logger::log(LOG_INFO, "SIGINT received, exiting...\n");
break;
}
else if (g_restart)
else if(g_restart)
{
falco_logger::log(LOG_INFO, "SIGHUP received, restarting...\n");
break;
}
else if(rc == SCAP_TIMEOUT)
{
if(unlikely(ev == nullptr))
{
timeouts_since_last_success_or_msg++;
if(timeouts_since_last_success_or_msg > config.m_syscall_evt_timeout_max_consecutives)
{
std::string rule = "Falco internal: timeouts notification";
std::string msg = rule + ". " + std::to_string(config.m_syscall_evt_timeout_max_consecutives) + " consecutive timeouts without event.";
std::string last_event_time_str = "none";
if(duration_start > 0)
{
sinsp_utils::ts_to_string(duration_start, &last_event_time_str, false, true);
}
std::map<std::string, std::string> o = {
{"last_event_time", last_event_time_str},
};
auto now = std::chrono::duration_cast<std::chrono::nanoseconds>(std::chrono::system_clock::now().time_since_epoch()).count();
outputs->handle_msg(now, falco_common::PRIORITY_DEBUG, msg, rule, o);
// Reset the timeouts counter, Falco alerted
timeouts_since_last_success_or_msg = 0;
}
}
continue;
}
else if(rc == SCAP_EOF)
@@ -333,13 +326,12 @@ uint64_t do_inspect(falco_engine *engine,
{
//
// Event read error.
// Notify the chisels that we're exiting, and then die with an error.
//
cerr << "rc = " << rc << endl;
throw sinsp_exception(inspector->getlasterr().c_str());
}
// Reset the timeouts counter, Falco succesfully got an event to process
timeouts_since_last_success_or_msg = 0;
if(duration_start == 0)
{
duration_start = ev->get_ts();
@@ -363,12 +355,14 @@ uint64_t do_inspect(falco_engine *engine,
continue;
}
// As the inspector has no filter at its level, all
// events are returned here. Pass them to the falco
// engine, which will match the event against the set
// of rules. If a match is found, pass the event to
// the outputs.
unique_ptr<falco_engine::rule_result> res = engine->process_sinsp_event(ev);
auto engine_replacement = g_engine.exchange(nullptr);
if(engine_replacement != nullptr)
{
delete current_engine;
current_engine = engine_replacement;
falco_logger::log(LOG_DEBUG, "falco_engine replacement found and swapped");
}
unique_ptr<falco_engine::rule_result> res = current_engine->process_sinsp_event(ev);
if(res)
{
outputs->handle_event(res->evt, res->rule, res->source, res->priority_num, res->format);
@@ -382,9 +376,9 @@ uint64_t do_inspect(falco_engine *engine,
static void print_all_ignored_events(sinsp *inspector)
{
sinsp_evttables* einfo = inspector->get_event_info_tables();
const struct ppm_event_info* etable = einfo->m_event_info;
const struct ppm_syscall_desc* stable = einfo->m_syscall_info_table;
sinsp_evttables *einfo = inspector->get_event_info_tables();
const struct ppm_event_info *etable = einfo->m_event_info;
const struct ppm_syscall_desc *stable = einfo->m_syscall_info_table;
std::set<string> ignored_event_names;
for(uint32_t j = 0; j < PPM_EVENT_MAX; j++)
@@ -438,15 +432,67 @@ static void list_source_fields(falco_engine *engine, bool verbose, bool names_on
}
}
static void rules_insert_cb(char *rules_content)
{
try
{
auto engine = g_engine_transaction.load();
if(engine == nullptr)
{
// todo: inform the caller about this error, maybe stderr and return code?
falco_logger::log(LOG_ERR, std::string("can't insert rules, no transaction in progress"));
return;
}
engine->load_rules(rules_content, false, true);
g_engine_transaction.store(engine);
}
catch(const falco_exception &e)
{
// todo: inform the caller about this error, maybe stderr and return code?
falco_logger::log(LOG_WARNING, std::string("rules load failed: ") + e.what());
return;
}
}
static void rules_begin_cb()
{
if(g_engine_transaction.load() != nullptr)
{
// todo: inform the caller about this error, maybe stderr and return code?
falco_logger::log(LOG_ERR, std::string("a transaction is already in progress"));
return;
}
auto engine_replacement = new falco_engine((const falco_engine)*g_engine_blueprint);
g_engine_transaction.store(engine_replacement);
}
static void rules_commit_cb()
{
auto engine = g_engine_transaction.load();
if(engine == nullptr)
{
// todo: inform the caller about this error, maybe stderr and return code?
falco_logger::log(LOG_ERR, std::string("can't commit rules, no transaction in progress"));
return;
}
delete g_engine.exchange(g_engine_transaction.load());
g_engine_transaction.store(nullptr);
}
static void rules_rollback_cb()
{
g_engine_transaction.store(nullptr);
}
//
// ARGUMENT PARSING AND PROGRAM SETUP
//
int falco_init(int argc, char **argv)
{
int result = EXIT_SUCCESS;
sinsp* inspector = NULL;
sinsp *inspector = NULL;
sinsp_evt::param_fmt event_buffer_format = sinsp_evt::PF_NORMAL;
falco_engine *engine = NULL;
std::thread watchrules_thread;
falco_outputs *outputs = NULL;
syscall_evt_drop_mgr sdropmgr;
int op;
@@ -467,9 +513,9 @@ int falco_init(int argc, char **argv)
bool names_only = false;
bool all_events = false;
#ifndef MINIMAL_BUILD
string* k8s_api = 0;
string* k8s_api_cert = 0;
string* mesos_api = 0;
string *k8s_api = 0;
string *k8s_api_cert = 0;
string *mesos_api = 0;
#endif
string output_format = "";
uint32_t snaplen = 0;
@@ -494,7 +540,7 @@ int falco_init(int argc, char **argv)
bool compress = false;
bool buffered_outputs = true;
bool buffered_cmdline = false;
std::map<string,uint64_t> required_engine_versions;
std::map<string, uint64_t> required_engine_versions;
// Used for stats
double duration;
@@ -546,8 +592,8 @@ int falco_init(int argc, char **argv)
// Parse the args
//
while((op = getopt_long(argc, argv,
"hc:AbdD:e:F:ik:K:Ll:m:M:No:P:p:r:S:s:T:t:UuvV:w:",
long_options, &long_index)) != -1)
"hc:AbdD:e:F:ik:K:Ll:m:M:No:P:p:r:S:s:T:t:UuvV:w:",
long_options, &long_index)) != -1)
{
switch(op)
{
@@ -682,18 +728,18 @@ int falco_init(int argc, char **argv)
printf("Driver version: %s\n", DRIVER_VERSION);
return EXIT_SUCCESS;
}
else if (string(long_options[long_index].name) == "cri")
else if(string(long_options[long_index].name) == "cri")
{
if(optarg != NULL)
{
cri_socket_path = optarg;
}
}
else if (string(long_options[long_index].name) == "disable-cri-async")
else if(string(long_options[long_index].name) == "disable-cri-async")
{
cri_async = false;
cri_async = false;
}
else if (string(long_options[long_index].name) == "list")
else if(string(long_options[long_index].name) == "list")
{
list_flds = true;
if(optarg != NULL)
@@ -701,27 +747,28 @@ int falco_init(int argc, char **argv)
list_flds_source = optarg;
}
}
else if (string(long_options[long_index].name) == "stats-interval")
else if(string(long_options[long_index].name) == "stats-interval")
{
stats_interval = atoi(optarg);
}
else if (string(long_options[long_index].name) == "support")
else if(string(long_options[long_index].name) == "support")
{
print_support = true;
}
else if (string(long_options[long_index].name) == "disable-source")
else if(string(long_options[long_index].name) == "disable-source")
{
if(optarg != NULL)
{
disable_sources.insert(optarg);
}
}
else if (string(long_options[long_index].name)== "alternate-lua-dir")
else if(string(long_options[long_index].name) == "alternate-lua-dir")
{
if(optarg != NULL)
{
alternate_lua_dir = optarg;
if (alternate_lua_dir.back() != '/') {
if(alternate_lua_dir.back() != '/')
{
alternate_lua_dir += '/';
}
}
@@ -731,7 +778,6 @@ int falco_init(int argc, char **argv)
default:
break;
}
}
inspector = new sinsp();
@@ -761,13 +807,14 @@ int falco_init(int argc, char **argv)
return EXIT_SUCCESS;
}
engine = new falco_engine(true, alternate_lua_dir);
engine->set_inspector(inspector);
engine->set_extra(output_format, replace_container_info);
auto initial_engine = new falco_engine(true, alternate_lua_dir);
initial_engine->set_inspector(inspector);
initial_engine->set_extra(output_format, replace_container_info);
g_engine_blueprint = initial_engine;
if(list_flds)
{
list_source_fields(engine, verbose, names_only, list_flds_source);
// list_source_fields(engine, verbose, names_only, list_flds_source);
return EXIT_SUCCESS;
}
@@ -785,21 +832,23 @@ int falco_init(int argc, char **argv)
}
disable_syscall = disable_sources.count("syscall") > 0;
disable_k8s_audit = disable_sources.count("k8s_audit") > 0;
if (disable_syscall && disable_k8s_audit) {
if(disable_syscall && disable_k8s_audit)
{
throw std::invalid_argument("The event source \"syscall\" and \"k8s_audit\" can not be disabled together");
}
}
// Some combinations of arguments are not allowed.
if (daemon && pidfilename == "") {
if(daemon && pidfilename == "")
{
throw std::invalid_argument("If -d is provided, a pid file must also be provided");
}
ifstream conf_stream;
if (conf_filename.size())
if(conf_filename.size())
{
conf_stream.open(conf_filename);
if (!conf_stream.is_open())
if(!conf_stream.is_open())
{
throw std::runtime_error("Could not find configuration file at " + conf_filename);
}
@@ -807,14 +856,14 @@ int falco_init(int argc, char **argv)
else
{
conf_stream.open(FALCO_SOURCE_CONF_FILE);
if (conf_stream.is_open())
if(conf_stream.is_open())
{
conf_filename = FALCO_SOURCE_CONF_FILE;
}
else
{
conf_stream.open(FALCO_INSTALL_CONF_FILE);
if (conf_stream.is_open())
if(conf_stream.is_open())
{
conf_filename = FALCO_INSTALL_CONF_FILE;
}
@@ -825,33 +874,35 @@ int falco_init(int argc, char **argv)
}
}
if(validate_rules_filenames.size() > 0)
{
falco_logger::log(LOG_INFO, "Validating rules file(s):\n");
for(auto file : validate_rules_filenames)
{
falco_logger::log(LOG_INFO, " " + file + "\n");
}
for(auto file : validate_rules_filenames)
{
// Only include the prefix if there is more than one file
std::string prefix = (validate_rules_filenames.size() > 1 ? file + ": " : "");
try {
engine->load_rules_file(file, verbose, all_events);
}
catch(falco_exception &e)
{
printf("%s%s", prefix.c_str(), e.what());
throw;
}
printf("%sOk\n", prefix.c_str());
}
falco_logger::log(LOG_INFO, "Ok\n");
goto exit;
}
// validate the rules files and exit
// if(validate_rules_filenames.size() > 0)
// {
// falco_logger::log(LOG_INFO, "Validating rules file(s):\n");
// for(auto file : validate_rules_filenames)
// {
// falco_logger::log(LOG_INFO, " " + file + "\n");
// }
// for(auto file : validate_rules_filenames)
// {
// // Only include the prefix if there is more than one file
// std::string prefix = (validate_rules_filenames.size() > 1 ? file + ": " : "");
// try
// {
// engine->load_rules_file(file, verbose, all_events);
// }
// catch(falco_exception &e)
// {
// printf("%s%s", prefix.c_str(), e.what());
// throw;
// }
// printf("%sOk\n", prefix.c_str());
// }
// falco_logger::log(LOG_INFO, "Ok\n");
// goto exit;
// }
falco_configuration config;
if (conf_filename.size())
if(conf_filename.size())
{
config.init(conf_filename, cmdline_options);
falco_logger::set_time_format_iso_8601(config.m_time_format_iso_8601);
@@ -865,12 +916,20 @@ int falco_init(int argc, char **argv)
throw std::runtime_error("Could not find configuration file at " + conf_filename);
}
if (rules_filenames.size())
for(auto extension : config.m_extensions_filenames)
{
auto lib = new libhawk::library(extension);
lib->load();
}
libhawk::lifecycle::start();
if(rules_filenames.size())
{
config.m_rules_filenames = rules_filenames;
}
engine->set_min_priority(config.m_min_priority);
g_engine_blueprint->set_min_priority(config.m_min_priority);
if(buffered_cmdline)
{
@@ -879,42 +938,35 @@ int falco_init(int argc, char **argv)
if(config.m_rules_filenames.size() == 0)
{
throw std::invalid_argument("You must specify at least one rules file/directory via -r or a rules_file entry in falco.yaml");
// throw std::invalid_argument("You must specify at least one rules file/directory via -r or a rules_file entry in falco.yaml");
}
falco_logger::log(LOG_DEBUG, "Configured rules filenames:\n");
for (auto filename : config.m_rules_filenames)
for(auto filename : config.m_rules_filenames)
{
falco_logger::log(LOG_DEBUG, string(" ") + filename + "\n");
}
for (auto filename : config.m_rules_filenames)
for(auto filename : config.m_rules_filenames)
{
falco_logger::log(LOG_INFO, "Loading rules from file " + filename + ":\n");
uint64_t required_engine_version;
try {
engine->load_rules_file(filename, verbose, all_events, required_engine_version);
}
catch(falco_exception &e)
{
std::string prefix = "Could not load rules file " + filename + ": ";
throw falco_exception(prefix + e.what());
}
// engine->load_rules_file(filename, verbose, all_events, required_engine_version);
required_engine_versions[filename] = required_engine_version;
}
// You can't both disable and enable rules
if((disabled_rule_substrings.size() + disabled_rule_tags.size() > 0) &&
enabled_rule_tags.size() > 0) {
enabled_rule_tags.size() > 0)
{
throw std::invalid_argument("You can not specify both disabled (-D/-T) and enabled (-t) rules");
}
for (auto substring : disabled_rule_substrings)
for(auto substring : disabled_rule_substrings)
{
falco_logger::log(LOG_INFO, "Disabling rules matching substring: " + substring + "\n");
engine->enable_rule(substring, false);
// engine->enable_rule(substring, false);
}
if(disabled_rule_tags.size() > 0)
@@ -923,7 +975,7 @@ int falco_init(int argc, char **argv)
{
falco_logger::log(LOG_INFO, "Disabling rules with tag: " + tag + "\n");
}
engine->enable_rule_by_tag(disabled_rule_tags, false);
// engine->enable_rule_by_tag(disabled_rule_tags, false);
}
if(enabled_rule_tags.size() > 0)
@@ -931,14 +983,87 @@ int falco_init(int argc, char **argv)
// Since we only want to enable specific
// rules, first disable all rules.
engine->enable_rule(all_rules, false);
// engine->enable_rule(all_rules, false);
for(auto tag : enabled_rule_tags)
{
falco_logger::log(LOG_INFO, "Enabling rules with tag: " + tag + "\n");
}
engine->enable_rule_by_tag(enabled_rule_tags, true);
// engine->enable_rule_by_tag(enabled_rule_tags, true);
}
watchrules_thread = std::thread([&] {
libhawk::lifecycle::watch_rules(
(hawk_rules_begin_cb)rules_begin_cb,
(hawk_rules_insert_cb)rules_insert_cb,
(hawk_rules_commit_cb)rules_commit_cb,
(hawk_rules_rollback_cb)rules_rollback_cb,
config.m_rules_provider);
});
falco_logger::log(LOG_INFO, "DOPO\n");
// if(config.m_rules_filenames.size() == 0)
// {
// throw std::invalid_argument("You must specify at least one rules file/directory via -r or a rules_file entry in falco.yaml");
// }
// falco_logger::log(LOG_DEBUG, "Configured rules filenames:\n");
// for (auto filename : config.m_rules_filenames)
// {
// falco_logger::log(LOG_DEBUG, string(" ") + filename + "\n");
// }
// for (auto filename : config.m_rules_filenames)
// {
// falco_logger::log(LOG_INFO, "Loading rules from file " + filename + ":\n");
// uint64_t required_engine_version;
// try {
// engine->load_rules_file(filename, verbose, all_events, required_engine_version);
// }
// catch(falco_exception &e)
// {
// std::string prefix = "Could not load rules file " + filename + ": ";
// throw falco_exception(prefix + e.what());
// }
// required_engine_versions[filename] = required_engine_version;
// }
// // You can't both disable and enable rules
// if((disabled_rule_substrings.size() + disabled_rule_tags.size() > 0) &&
// enabled_rule_tags.size() > 0) {
// throw std::invalid_argument("You can not specify both disabled (-D/-T) and enabled (-t) rules");
// }
// for (auto substring : disabled_rule_substrings)
// {
// falco_logger::log(LOG_INFO, "Disabling rules matching substring: " + substring + "\n");
// engine->enable_rule(substring, false);
// }
// if(disabled_rule_tags.size() > 0)
// {
// for(auto tag : disabled_rule_tags)
// {
// falco_logger::log(LOG_INFO, "Disabling rules with tag: " + tag + "\n");
// }
// engine->enable_rule_by_tag(disabled_rule_tags, false);
// }
// if(enabled_rule_tags.size() > 0)
// {
// // Since we only want to enable specific
// // rules, first disable all rules.
// engine->enable_rule(all_rules, false);
// for(auto tag : enabled_rule_tags)
// {
// falco_logger::log(LOG_INFO, "Enabling rules with tag: " + tag + "\n");
// }
// engine->enable_rule_by_tag(enabled_rule_tags, true);
// }
if(print_support)
{
nlohmann::json support;
@@ -966,7 +1091,6 @@ int falco_init(int argc, char **argv)
support["system_info"]["version"] = sysinfo.version;
support["system_info"]["machine"] = sysinfo.machine;
support["cmdline"] = cmdline;
support["engine_info"]["engine_version"] = FALCO_ENGINE_VERSION;
support["config"] = read_file(conf_filename);
support["rules_files"] = nlohmann::json::array();
for(auto filename : config.m_rules_filenames)
@@ -985,7 +1109,7 @@ int falco_init(int argc, char **argv)
// read hostname
string hostname;
if(char* env_hostname = getenv("FALCO_GRPC_HOSTNAME"))
if(char *env_hostname = getenv("FALCO_GRPC_HOSTNAME"))
{
hostname = env_hostname;
}
@@ -1005,15 +1129,15 @@ int falco_init(int argc, char **argv)
inspector->set_drop_event_flags(EF_DROP_SIMPLE_CONS);
}
if (describe_all_rules)
if(describe_all_rules)
{
engine->describe_rule(NULL);
// engine->describe_rule(NULL);
goto exit;
}
if (describe_rule != "")
if(describe_rule != "")
{
engine->describe_rule(&describe_rule);
// engine->describe_rule(&describe_rule);
goto exit;
}
@@ -1049,21 +1173,25 @@ int falco_init(int argc, char **argv)
// If daemonizing, do it here so any init errors will
// be returned in the foreground process.
if (daemon && !g_daemonized) {
if(daemon && !g_daemonized)
{
pid_t pid, sid;
pid = fork();
if (pid < 0) {
if(pid < 0)
{
// error
falco_logger::log(LOG_ERR, "Could not fork. Exiting.\n");
result = EXIT_FAILURE;
goto exit;
} else if (pid > 0) {
}
else if(pid > 0)
{
// parent. Write child pid to pidfile and exit
std::ofstream pidfile;
pidfile.open(pidfilename);
if (!pidfile.good())
if(!pidfile.good())
{
falco_logger::log(LOG_ERR, "Could not write pid to pid file " + pidfilename + ". Exiting.\n");
result = EXIT_FAILURE;
@@ -1077,7 +1205,8 @@ int falco_init(int argc, char **argv)
// Become own process group.
sid = setsid();
if (sid < 0) {
if(sid < 0)
{
falco_logger::log(LOG_ERR, "Could not set session id. Exiting.\n");
result = EXIT_FAILURE;
goto exit;
@@ -1087,7 +1216,8 @@ int falco_init(int argc, char **argv)
umask(027);
// Change working directory to '/'
if ((chdir("/")) < 0) {
if((chdir("/")) < 0)
{
falco_logger::log(LOG_ERR, "Could not change working directory to '/'. Exiting.\n");
result = EXIT_FAILURE;
goto exit;
@@ -1123,14 +1253,15 @@ int falco_init(int argc, char **argv)
{
// Try to open the trace file as a sysdig
// capture file first.
try {
try
{
inspector->open(trace_filename);
falco_logger::log(LOG_INFO, "Reading system call events from file: " + trace_filename + "\n");
}
catch(sinsp_exception &e)
{
falco_logger::log(LOG_DEBUG, "Could not read trace file \"" + trace_filename + "\": " + string(e.what()));
trace_is_scap=false;
trace_is_scap = false;
}
if(!trace_is_scap)
@@ -1141,7 +1272,8 @@ int falco_init(int argc, char **argv)
result = EXIT_FAILURE;
goto exit;
#else
try {
try
{
string line;
nlohmann::json j;
@@ -1153,13 +1285,13 @@ int falco_init(int argc, char **argv)
falco_logger::log(LOG_INFO, "Reading k8s audit events from file: " + trace_filename + "\n");
}
catch (nlohmann::json::parse_error& e)
catch(nlohmann::json::parse_error &e)
{
fprintf(stderr, "Trace filename %s not recognized as system call events or k8s audit events\n", trace_filename.c_str());
result = EXIT_FAILURE;
goto exit;
}
catch (exception &e)
catch(exception &e)
{
fprintf(stderr, "Could not open trace filename %s for reading: %s\n", trace_filename.c_str(), e.what());
result = EXIT_FAILURE;
@@ -1170,8 +1302,7 @@ int falco_init(int argc, char **argv)
}
else
{
open_t open_cb = [&userspace](sinsp* inspector)
{
open_t open_cb = [&userspace](sinsp *inspector) {
if(userspace)
{
// open_udig() is the underlying method used in the capture code to parse userspace events from the kernel.
@@ -1183,19 +1314,22 @@ int falco_init(int argc, char **argv)
}
inspector->open();
};
open_t open_nodriver_cb = [](sinsp* inspector) {
open_t open_nodriver_cb = [](sinsp *inspector) {
inspector->open_nodriver();
};
open_t open_f;
// Default mode: both event sources enabled
if (!disable_syscall && !disable_k8s_audit) {
if(!disable_syscall && !disable_k8s_audit)
{
open_f = open_cb;
}
if (disable_syscall) {
if(disable_syscall)
{
open_f = open_nodriver_cb;
}
if (disable_k8s_audit) {
if(disable_k8s_audit)
{
open_f = open_cb;
}
@@ -1206,7 +1340,7 @@ int falco_init(int argc, char **argv)
catch(sinsp_exception &e)
{
// If syscall input source is enabled and not through userspace instrumentation
if (!disable_syscall && !userspace)
if(!disable_syscall && !userspace)
{
// Try to insert the Falco kernel module
if(system("modprobe " PROBE_NAME " > /dev/null 2> /dev/null"))
@@ -1244,7 +1378,7 @@ int falco_init(int argc, char **argv)
{
if(!k8s_api_cert)
{
if(char* k8s_cert_env = getenv("FALCO_K8S_API_CERT"))
if(char *k8s_cert_env = getenv("FALCO_K8S_API_CERT"))
{
k8s_api_cert = new string(k8s_cert_env);
}
@@ -1253,13 +1387,13 @@ int falco_init(int argc, char **argv)
k8s_api = 0;
k8s_api_cert = 0;
}
else if(char* k8s_api_env = getenv("FALCO_K8S_API"))
else if(char *k8s_api_env = getenv("FALCO_K8S_API"))
{
if(k8s_api_env != NULL)
{
if(!k8s_api_cert)
{
if(char* k8s_cert_env = getenv("FALCO_K8S_API_CERT"))
if(char *k8s_cert_env = getenv("FALCO_K8S_API_CERT"))
{
k8s_api_cert = new string(k8s_cert_env);
}
@@ -1283,7 +1417,7 @@ int falco_init(int argc, char **argv)
{
inspector->init_mesos_client(mesos_api, verbose);
}
else if(char* mesos_api_env = getenv("FALCO_MESOS_API"))
else if(char *mesos_api_env = getenv("FALCO_MESOS_API"))
{
if(mesos_api_env != NULL)
{
@@ -1296,10 +1430,10 @@ int falco_init(int argc, char **argv)
if(trace_filename.empty() && config.m_webserver_enabled && !disable_k8s_audit)
{
std::string ssl_option = (config.m_webserver_ssl_enabled ? " (SSL)" : "");
falco_logger::log(LOG_INFO, "Starting internal webserver, listening on port " + to_string(config.m_webserver_listen_port) + ssl_option + "\n");
webserver.init(&config, engine, outputs);
webserver.start();
// std::string ssl_option = (config.m_webserver_ssl_enabled ? " (SSL)" : "");
// falco_logger::log(LOG_INFO, "Starting internal webserver, listening on port " + to_string(config.m_webserver_listen_port) + ssl_option + "\n");
// webserver.init(&config, engine, outputs);
// webserver.start();
}
// gRPC server
@@ -1314,8 +1448,7 @@ int falco_init(int argc, char **argv)
config.m_grpc_private_key,
config.m_grpc_cert_chain,
config.m_grpc_root_certs,
config.m_log_level
);
config.m_log_level);
grpc_server_thread = std::thread([&grpc_server] {
grpc_server.run();
});
@@ -1325,21 +1458,20 @@ int falco_init(int argc, char **argv)
if(!trace_filename.empty() && !trace_is_scap)
{
#ifndef MINIMAL_BUILD
read_k8s_audit_trace_file(engine,
outputs,
trace_filename);
// read_k8s_audit_trace_file(engine,
// outputs,
// trace_filename);
#endif
}
else
{
uint64_t num_evts;
num_evts = do_inspect(engine,
outputs,
num_evts = do_inspect(outputs,
inspector,
config,
sdropmgr,
uint64_t(duration_to_tot*ONE_SECOND_IN_NS),
uint64_t(duration_to_tot * ONE_SECOND_IN_NS),
stats_filename,
stats_interval,
all_events,
@@ -1360,20 +1492,25 @@ int falco_init(int argc, char **argv)
num_evts,
num_evts / duration);
}
}
// Honor -M also when using a trace file.
// Since inspection stops as soon as all events have been consumed
// just await the given duration is reached, if needed.
if(!trace_filename.empty() && duration_to_tot>0)
if(!trace_filename.empty() && duration_to_tot > 0)
{
std::this_thread::sleep_for(std::chrono::seconds(duration_to_tot));
}
inspector->close();
engine->print_stats();
// engine->print_stats();
sdropmgr.print_stats();
libhawk::lifecycle::stop();
if(watchrules_thread.joinable())
{
watchrules_thread.join();
}
#ifndef MINIMAL_BUILD
webserver.stop();
if(grpc_server_thread.joinable())
@@ -1386,7 +1523,11 @@ int falco_init(int argc, char **argv)
catch(exception &e)
{
display_fatal_err("Runtime error: " + string(e.what()) + ". Exiting.\n");
libhawk::lifecycle::stop();
if(watchrules_thread.joinable())
{
watchrules_thread.join();
}
result = EXIT_FAILURE;
#ifndef MINIMAL_BUILD
@@ -1402,9 +1543,7 @@ int falco_init(int argc, char **argv)
exit:
delete inspector;
delete engine;
delete outputs;
return result;
}

26
userspace/falco/webserver.cpp
View File

@@ -34,15 +34,6 @@ k8s_audit_handler::~k8s_audit_handler()
{
}
bool k8s_healthz_handler::handleGet(CivetServer *server, struct mg_connection *conn)
{
const std::string status_body = "{\"status\": \"ok\"}";
mg_send_http_ok(conn, "application/json", status_body.size());
mg_printf(conn, "%s", status_body.c_str());
return true;
}
bool k8s_audit_handler::accept_data(falco_engine *engine,
falco_outputs *outputs,
std::string &data,
@@ -84,17 +75,7 @@ bool k8s_audit_handler::accept_data(falco_engine *engine,
for(auto &jev : jevts)
{
std::unique_ptr<falco_engine::rule_result> res;
try
{
res = engine->process_k8s_audit_event(&jev);
}
catch(...)
{
errstr = string("unkown error processing audit event");
fprintf(stderr, "%s\n", errstr.c_str());
return false;
}
res = engine->process_k8s_audit_event(&jev);
if(res)
{
@@ -167,7 +148,7 @@ bool k8s_audit_handler::handlePost(CivetServer *server, struct mg_connection *co
return true;
}
const std::string ok_body = "<html><body>Ok</body></html>";
std::string ok_body = "<html><body>Ok</body></html>";
mg_send_http_ok(conn, "text/html", ok_body.size());
mg_printf(conn, "%s", ok_body.c_str());
@@ -252,8 +233,6 @@ void falco_webserver::start()
m_k8s_audit_handler = make_unique<k8s_audit_handler>(m_engine, m_outputs);
m_server->addHandler(m_config->m_webserver_k8s_audit_endpoint, *m_k8s_audit_handler);
m_k8s_healthz_handler = make_unique<k8s_healthz_handler>();
m_server->addHandler(m_config->m_webserver_k8s_healthz_endpoint, *m_k8s_healthz_handler);
}
void falco_webserver::stop()
@@ -262,6 +241,5 @@ void falco_webserver::stop()
{
m_server = NULL;
m_k8s_audit_handler = NULL;
m_k8s_healthz_handler = NULL;
}
}

15
userspace/falco/webserver.h
View File

@@ -41,20 +41,6 @@ private:
bool accept_uploaded_data(std::string &post_data, std::string &errstr);
};
class k8s_healthz_handler : public CivetHandler
{
public:
k8s_healthz_handler()
{
}
virtual ~k8s_healthz_handler()
{
}
bool handleGet(CivetServer *server, struct mg_connection *conn);
};
class falco_webserver
{
public:
@@ -74,5 +60,4 @@ private:
falco_outputs *m_outputs;
unique_ptr<CivetServer> m_server;
unique_ptr<k8s_audit_handler> m_k8s_audit_handler;
unique_ptr<k8s_healthz_handler> m_k8s_healthz_handler;
};

37
userspace/libhawk/CMakeLists.txt Normal file
View File

@@ -0,0 +1,37 @@
#
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
include(CheckSymbolExists)
set(
LIBHAWK_SOURCES
lifecycle.cpp
library.cpp
)
set(
LIBHAWK_PUBLIC_INCLUDES
hawk.h
)
set(LIBHAWK_INCLUDE_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR} PARENT_SCOPE)
add_library(libhawk STATIC ${LIBHAWK_SOURCES})
target_link_options(libhawk PUBLIC "LINKER:--export-dynamic-symbol=plugin_registry")
#todo: we want to provide a default version of the libhawk plugin functions
# we need to manage the situation where the user only provides parts of it and not others
install(
FILES ${LIBHAWK_PUBLIC_INCLUDES}
${PROJECT_BINARY_DIR}/userspace/libhawk/libhawk_export.h
DESTINATION "${FALCO_SHARE_DIR}"
)

143
userspace/libhawk/README.md Normal file
View File

@@ -0,0 +1,143 @@
# Libhawk
Libhawk is a plugin system that can be used to enrich Falco
functionalities via external, user-defined libraries.
## Glossary:
- library: a bundle (e.g: an ELF shared library) containing one or more plugins
- plugin: an hawk plugin. Libraries can register one or more plugins using the `HAWK_REGISTER_PLUGIN` macro
- plugin function: a specific function inside the plugin definition of each plugin. `hawk_init`, `hawk_destroy`
- extension: it's the user facing term to define a library that contains one or more plugin.
## Plugin definitions and lifecycle
Plugins are all loaded when Falco starts.
Falco provides a default plugin for the main functionalities.
### hawk_init
On start, the `hawk_init` function of every plugin is called.
You can use that function to create any resource you might need
for your plugin's lifecycle.
### hawk_destroy
When Falco is stopped, the `hawk_destroy` function gets called.
Implementors have the last chance to free any resources here.
### hawk_watch_rules
`hawk_watch_rules` implements a transactional interface for updating rules.
Its signature takes four arguments, one for each state of the transaction.
An implementation looks like this
```C
void hawk_watch_rules(hawk_rules_begin_cb begin_cb,
hawk_rules_insert_cb insert_cb,
hawk_rules_commit_cb commit_cb,
hawk_rules_rollback_cb rollback_cb)
{
printf("starting rules transaction\n");
begin_cb(); // start the rules loading transaction
printf("insert rules\n");
insert_cb(""); // todo: pass the rules as a string here, this is empty
insert_cb(""); // you can do this as many times you want
commit_cb(); // commit rules
printf("rules committed");
}
```
As you can see, we have a `begin_cb` that is telling the Falco engine to start the transactiont o load rules.
Then we have an `insert_cb` which takes Falco rules as a yaml string, it can be called as many times you want.
Finally we can either commit the transaction with `commit_cb` or we can rollback it with `rollback_cb`.
**Important note**: `hawk_watch_rules` gets called in a thread by Falco.
This means that it is not blocking and executing in parallel with the rest of Falco.
Practically, you can implement things like a for loop to update rules **live** from a database or an external resource.
After you load the extension, you will need to change the `rules_provider` configuration in `falco.yaml` to the
name you gave to the extension you are writing if you want to use the watch rules implementation you just wrote.
<a name="extension-loading"></a>
## Extension Loading
To tell falco to load a library containing one or more plugins
you have to add the path to the shared object into the `extensions`
configuration in `falco.yaml`:
The path can be either absolute, relative or specified into the `ldconfig` search path.
See `/etc/ld.so.conf` for reference.
examples:
```
extensions:
- ./mylocalextension.so
- myextension.so
- /usr/share/falco/extensions/kubernetes.so
```
TODO: when shipping Falco with this feature, we probably want to ship a ld config file to allow dynamic
loading from `/usr/share/falco/extensions` for example.
## Plugin configuration
TODO
This can be explained once this feature is developed.
## Plugin example
A plugin can define one or more definitions.
Here's an example of plugin that is registered and defines
`hawk_init`, `hawk_destroy` and `hawk_watch_rules`
```c
#include "hawk.h"
#include <stdio.h>
void hawk_init() { printf("hawk_example init!\n"); }
void hawk_destroy() { printf("hawk example destroy\n"); }
// note: this function gets called in a thread.
// this means that it is non blocking for the rest of falco.
// You can start your own lifecycle here to fetch rules from
// the outside and begin/commit as many transactions you want in a loop.
void hawk_watch_rules(hawk_rules_begin_cb begin_cb,
hawk_rules_insert_cb insert_cb,
hawk_rules_commit_cb commit_cb,
hawk_rules_rollback_cb rollback_cb)
{
printf("starting rules transaction\n");
begin_cb(); // start the rules loading transaction
printf("insert rules\n");
insert_cb(""); // todo: pass the rules as a string here, this is empty
insert_cb(""); // you can do this as many times you want
commit_cb(); // commit rules
printf("rules committed");
}
hawk_plugin_definition plugin_definition = {
.hawk_init = &hawk_init,
.hawk_destroy = &hawk_destroy,
.hawk_watch_rules = &hawk_watch_rules,
};
HAWK_REGISTER_PLUGIN(hawk_example_c, plugin_definition)
```
To compile the plugin, save it in a file `plugin.c` and then:
```bash
FALCO=/source/falco
gcc -o libhawk.so -fPIC -shared -I$FALCO/userspace/libhawk plugin.c
```
Remember to change the `FALCO` variable to point to where you have the Falco sources.
This should produce shared object called `libhawk.so`, you can now use this library to load the plugin in Falco.
See the [Extension loading](#extension-loading) section.

44
userspace/libhawk/exception.h Normal file
View File

@@ -0,0 +1,44 @@
#pragma once
#include <stdexcept>
#include <stdexcept>
#include <string>
namespace libhawk
{
class hawk_exception : public std::runtime_error
{
public:
hawk_exception(const std::string& message):
std::runtime_error(message) {}
};
class hawk_plugin_exception : public hawk_exception
{
public:
hawk_plugin_exception(const std::string& plugin_name, const std::string& message):
hawk_exception("plugin: " + plugin_name + ", error: " + message) {}
};
class hawk_library_exception : public hawk_exception
{
public:
hawk_library_exception(const std::string& message):
hawk_exception(message) {}
};
class hawk_library_load_exception : public hawk_library_exception
{
public:
hawk_library_load_exception(const std::string&library_name, const std::string&message):
hawk_library_exception("library loading error, library: " + library_name + " error: " + message) {}
};
class hawk_library_unload_exception : public hawk_library_exception
{
public:
hawk_library_unload_exception(const std::string&library_name, const std::string&message):
hawk_library_exception("library unloading error, library: " + library_name + " error: " + message) {}
};
} // namespace libhawk

43
userspace/libhawk/hawk.h Normal file
View File

@@ -0,0 +1,43 @@
#ifndef HAWK_H
#define HAWK_H
// TODO(fntlnz): decide what to do with versioning here
#define HAWK_VERSION_CODE 0x000001
#define HAWK_VERSION_BITS(x, y, z) ((x) << 16 | (y) << 8 | (z))
#define HAWK_AT_LEAST_VERSION(x, y, z) \
(HAWK_VERSION_CODE >= HAWK_VERSION_BITS(x, y, z))
// Rules update follows a transactional pattern
// - begin the transaction with `hawk_rules_begin_cb`
// - add rules as many times you want with `hawk_rules_insert_cb`
// - commit the rules with `hawk_rules_commit_cb`
// - if anything went wrong, you can rollback with hawk_rules_rollback_cb
typedef void (*hawk_rules_begin_cb)();
typedef void (*hawk_rules_insert_cb)(char* rules_content);
typedef void (*hawk_rules_commit_cb)();
typedef void (*hawk_rules_rollback_cb)();
typedef struct
{
void (*hawk_init)(void);
void (*hawk_destroy)(void);
void (*hawk_watch_rules)(hawk_rules_begin_cb, hawk_rules_insert_cb, hawk_rules_commit_cb, hawk_rules_rollback_cb);
} hawk_plugin_definition;
typedef void(register_plugin_cb)(const char*, hawk_plugin_definition);
typedef struct
{
register_plugin_cb* register_plugin;
} hawk_plugin_registry;
extern hawk_plugin_registry plugin_registry;
#define HAWK_REGISTER_PLUGIN(name, definition) \
void name##_hawk_plugin_init(void) __attribute__((constructor)); \
void name##_hawk_plugin_init(void) \
{ \
plugin_registry.register_plugin(#name, definition); \
}
#endif //HAWK_H

59
userspace/libhawk/library.cpp Normal file
View File

@@ -0,0 +1,59 @@
/*
Copyright (C) 2020 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#include "library.h"
#include "exception.h"
#include <dlfcn.h>
libhawk::library::library(const std::string &filename):
m_library_filename(filename){};
bool libhawk::library::load()
{
library_handle handler = nullptr;
handler = dlopen(m_library_filename.c_str(), RTLD_LAZY);
if(!handler)
{
std::string errmsg(dlerror());
throw hawk_library_load_exception(m_library_filename, errmsg);
}
m_library_handle.store(handler);
return (handler != nullptr);
}
bool libhawk::library::unload()
{
if(!m_library_handle.load())
{
return false;
}
library_handle handler = m_library_handle.load();
if(!dlclose(handler))
{
std::string errmsg(dlerror());
throw hawk_library_unload_exception(m_library_filename, errmsg);
return false;
}
m_library_handle.store(nullptr);
return true;
}
bool libhawk::library::is_loaded() const
{
return m_library_handle && m_library_handle.load();
}

38
userspace/libhawk/library.h Normal file
View File

@@ -0,0 +1,38 @@
/*
Copyright (C) 2020 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#pragma once
#include <string>
#include <atomic>
namespace libhawk
{
class library
{
public:
using library_handle = void *;
library(const std::string &filename);
bool load();
bool unload();
bool is_loaded() const;
~library();
private:
const std::string m_library_filename;
std::atomic<library_handle> m_library_handle;
};
}; // namespace libhawk

86
userspace/libhawk/lifecycle.cpp Normal file
View File

@@ -0,0 +1,86 @@
/*
Copyright (C) 2020 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#include "lifecycle.h"
#include "exception.h"
std::map<std::string, hawk_plugin_definition> *libhawk::g_plugins;
void libhawk_register_plugin(const char *name, hawk_plugin_definition def)
{
if(libhawk::g_plugins == nullptr)
{
libhawk::g_plugins = new std::map<std::string, hawk_plugin_definition>();
}
auto name_str = std::string(name);
auto plugin = libhawk::g_plugins->find(name_str);
if(plugin != libhawk::g_plugins->end())
{
throw libhawk::hawk_exception("cannot register an already registered plugin: " + name_str);
}
libhawk::g_plugins->insert(std::make_pair(name_str, def));
};
hawk_plugin_registry plugin_registry = {
.register_plugin = &libhawk_register_plugin,
};
void libhawk::lifecycle::start()
{
if(g_plugins == nullptr)
{
throw hawk_exception("no libhawk plugins registered");
}
for(const auto &plugin : *g_plugins)
{
if(plugin.second.hawk_init != nullptr)
{
plugin.second.hawk_init();
}
}
}
void libhawk::lifecycle::stop()
{
for(const auto &plugin : *g_plugins)
{
if(plugin.second.hawk_destroy != nullptr)
{
plugin.second.hawk_destroy();
}
}
}
void libhawk::lifecycle::watch_rules(
hawk_rules_begin_cb begin_cb,
hawk_rules_insert_cb insert_cb,
hawk_rules_commit_cb commit_cb,
hawk_rules_rollback_cb rollback_cb,
const std::string &plugin_name)
{
auto plugin = g_plugins->find(plugin_name);
if(plugin == g_plugins->end())
{
throw hawk_plugin_exception(plugin_name, "cannot watch_rules on a non existing plugin");
}
if(plugin->second.hawk_watch_rules == nullptr)
{
throw hawk_plugin_exception(plugin_name, "plugin does not implement hawk_watch_rules");
}
plugin->second.hawk_watch_rules(begin_cb, insert_cb, commit_cb, rollback_cb);
}

39
userspace/libhawk/lifecycle.h Normal file
View File

@@ -0,0 +1,39 @@
/*
Copyright (C) 2020 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#pragma once
#include <map>
#include <string>
#include <vector>
#include "hawk.h"
namespace libhawk
{
extern std::map<std::string, hawk_plugin_definition>* g_plugins;
namespace lifecycle
{
void start();
void stop();
void watch_rules(hawk_rules_begin_cb begin_cb,
hawk_rules_insert_cb insert_cb,
hawk_rules_commit_cb commit_cb,
hawk_rules_rollback_cb rollback_cb,
const std::string& plugin_name);
} // namespace lifecycle
} // namespace libhawk