Merge branch 'dev' into agent-master

Associate --validate with -V. (#334 )
* Associate --validate with -V. This fixes https://github.com/draios/falco/issues/322. * Pin the version of libvirt-python to < 4.1.0 Evidently a recent libvirt-python has build problems on ubuntu. See https://bugs.launchpad.net/openstack-requirements/+bug/1753539. Pin to releases < 4.1.0 to avoid picking up the newer one that has the build failure.
2026-03-31 17:12:41 +00:00 · 2018-03-08 14:47:06 -08:00 · 2018-03-08 13:03:26 -08:00 · 2018-03-08 12:38:44 -08:00 · 2018-02-27 09:39:13 -08:00 · 2018-02-26 16:59:18 -05:00
14 changed files with 410 additions and 537 deletions
--- a/.travis.yml
+++ b/.travis.yml
@@ -17,6 +17,7 @@ install:
    - curl -Lo avocado-36.0-tar.gz https://github.com/avocado-framework/avocado/archive/36.0lts.tar.gz
    - tar -zxvf avocado-36.0-tar.gz
    - cd avocado-36.0lts
+    - sed -e 's/libvirt-python>=1.2.9/libvirt-python>=1.2.9,<4.1.0/' < requirements.txt  > /tmp/requirements.txt && mv /tmp/requirements.txt ./requirements.txt
    - sudo -H pip install -r requirements.txt
    - sudo python setup.py install
    - cd ../falco
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,24 @@

 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).

+## v0.9.0
+
+Released 2018-01-18
+
+### Bug Fixes
+
+* Fix driver incompatibility problems with some linux kernel versions that can disable pagefault tracepoints [[#sysdig/1034](https://github.com/draios/sysdig/pull/1034)]
+* Fix OSX Build incompatibility with latest version of libcurl [[#291](https://github.com/draios/falco/pull/291)]
+
+### Minor Changes
+
+* Updated the Kubernetes example to provide an additional example: Daemon Set using RBAC and a ConfigMap for configuration. Also expanded the documentation for both the RBAC and non-RBAC examples. [[#309](https://github.com/draios/falco/pull/309)]
+
+### Rule Changes
+
+* Refactor the shell-related rules to reduce false positives. These changes significantly decrease the scope of the rules so they trigger only for shells spawned below specific processes instead of anywhere. [[#301](https://github.com/draios/falco/pull/301)] [[#304](https://github.com/draios/falco/pull/304)]
+* Lots of rule changes based on feedback from Sysdig Secure community [[#293](https://github.com/draios/falco/pull/293)] [[#298](https://github.com/draios/falco/pull/298)] [[#300](https://github.com/draios/falco/pull/300)] [[#307](https://github.com/draios/falco/pull/307)] [[#315](https://github.com/draios/falco/pull/315)]
+
 ## v0.8.1

 Released 2017-10-10
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -78,7 +78,7 @@ else()
        set(ZLIB_INCLUDE "${ZLIB_SRC}")
        set(ZLIB_LIB "${ZLIB_SRC}/libz.a")
        ExternalProject_Add(zlib
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/zlib-1.2.8.tar.gz"
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/zlib-1.2.8.tar.gz"
 		URL_MD5 "44d667c142d7cda120332623eab69f40"
 		CONFIGURE_COMMAND "./configure"
 		BUILD_COMMAND ${CMD_MAKE}
@@ -104,7 +104,7 @@ else()
        set(JQ_INCLUDE "${JQ_SRC}")
        set(JQ_LIB "${JQ_SRC}/.libs/libjq.a")
        ExternalProject_Add(jq
-                URL "https://s3.amazonaws.com/download.draios.com/dependencies/jq-1.5.tar.gz"
+                URL "http://s3.amazonaws.com/download.draios.com/dependencies/jq-1.5.tar.gz"
                URL_MD5 "0933532b086bd8b6a41c1b162b1731f9"
                CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking
                BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
@@ -134,7 +134,7 @@ else()
 	set(CURSES_LIBRARIES "${CURSES_BUNDLE_DIR}/lib/libncurses.a")
 	message(STATUS "Using bundled ncurses in '${CURSES_BUNDLE_DIR}'")
 	ExternalProject_Add(ncurses
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/ncurses-6.0-20150725.tgz"
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/ncurses-6.0-20150725.tgz"
 		URL_MD5 "32b8913312e738d707ae68da439ca1f4"
 		CONFIGURE_COMMAND ./configure --without-cxx --without-cxx-binding --without-ada --without-manpages --without-progs --without-tests --with-terminfo-dirs=/etc/terminfo:/lib/terminfo:/usr/share/terminfo
 		BUILD_COMMAND ${CMD_MAKE}
@@ -161,7 +161,7 @@ else()
 	set(B64_INCLUDE "${B64_SRC}/include")
 	set(B64_LIB "${B64_SRC}/src/libb64.a")
 	ExternalProject_Add(b64
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/libb64-1.2.src.zip"
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/libb64-1.2.src.zip"
 		URL_MD5 "a609809408327117e2c643bed91b76c5"
 		CONFIGURE_COMMAND ""
 		BUILD_COMMAND ${CMD_MAKE}
@@ -215,7 +215,7 @@ else()
 	message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")

 	ExternalProject_Add(openssl
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/openssl-1.0.2j.tar.gz"
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/openssl-1.0.2j.tar.gz"
 		URL_MD5 "96322138f0b69e61b7212bc53d5e912b"
 		CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
 		BUILD_COMMAND ${CMD_MAKE}
@@ -246,7 +246,7 @@ else()

 	ExternalProject_Add(curl
 		DEPENDS openssl
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/curl-7.56.0.tar.bz2"
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/curl-7.56.0.tar.bz2"
 		URL_MD5 "e0caf257103e0c77cee5be7e9ac66ca4"
 		CONFIGURE_COMMAND ./configure ${CURL_SSL_OPTION} --disable-shared --enable-optimize --disable-curldebug --disable-rt --enable-http --disable-ftp --disable-file --disable-ldap --disable-ldaps --disable-rtsp --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb --disable-smtp --disable-gopher --disable-sspi --disable-ntlm-wb --disable-tls-srp --without-winssl --without-darwinssl --without-polarssl --without-cyassl --without-nss --without-axtls --without-ca-path --without-ca-bundle --without-libmetalink --without-librtmp --without-winidn --without-libidn --without-nghttp2 --without-libssh2 --disable-threaded-resolver
 		BUILD_COMMAND ${CMD_MAKE}
@@ -280,7 +280,7 @@ else()
 	set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
 	set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
 	ExternalProject_Add(luajit
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/LuaJIT-2.0.3.tar.gz"
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/LuaJIT-2.0.3.tar.gz"
 		URL_MD5 "f14e9104be513913810cd59c8c658dc0"
 		CONFIGURE_COMMAND ""
 		BUILD_COMMAND ${CMD_MAKE}
@@ -310,7 +310,7 @@ else()
 	endif()
 	ExternalProject_Add(lpeg
 		DEPENDS ${LPEG_DEPENDENCIES}
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/lpeg-1.0.0.tar.gz"
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/lpeg-1.0.0.tar.gz"
 		URL_MD5 "0aec64ccd13996202ad0c099e2877ece"
 		BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
 		BUILD_IN_SOURCE 1
@@ -345,7 +345,7 @@ else()
 	set(LIBYAML_LIB "${LIBYAML_SRC}/.libs/libyaml.a")
 	message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
 	ExternalProject_Add(libyaml
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/libyaml-0.1.4.tar.gz"
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/libyaml-0.1.4.tar.gz"
 		URL_MD5 "4a4bced818da0b9ae7fc8ebc690792a7"
 		BUILD_COMMAND ${CMD_MAKE}
 		BUILD_IN_SOURCE 1
@@ -381,7 +381,7 @@ else()
 	endif()
 	ExternalProject_Add(lyaml
 		DEPENDS ${LYAML_DEPENDENCIES}
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
                URL_MD5 "dc3494689a0dce7cf44e7a99c72b1f30"
                BUILD_COMMAND ${CMD_MAKE}
                BUILD_IN_SOURCE 1
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@

 #### Latest release

-**v0.8.1**
+**v0.9.0**
 Read the [change log](https://github.com/draios/falco/blob/dev/CHANGELOG.md)

 Dev Branch: [![Build Status](https://travis-ci.org/draios/falco.svg?branch=dev)](https://travis-ci.org/draios/falco)<br />
--- a/docker/dev/Dockerfile
+++ b/docker/dev/Dockerfile
@@ -14,8 +14,7 @@ RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root

 ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/

-RUN echo "deb http://httpredir.debian.org/debian jessie main" > /etc/apt/sources.list.d/jessie.list \
- && apt-get update \
+RUN apt-get update \
 && apt-get install -y --no-install-recommends \
 	bash-completion \
 	curl \
@@ -24,18 +23,11 @@ RUN echo "deb http://httpredir.debian.org/debian jessie main" > /etc/apt/sources
 	ca-certificates \
 	gcc \
 	gcc-5 \
-	gcc-4.9 && rm -rf /var/lib/apt/lists/*
+	gdb && rm -rf /var/lib/apt/lists/*

-# Since our base Debian image ships with GCC 5.0 which breaks older kernels, revert the
-# default to gcc-4.9. Also, since some customers use some very old distributions whose kernel
-# makefile is hardcoded for gcc-4.6 or so (e.g. Debian Wheezy), we pretend to have gcc 4.6/4.7
-# by symlinking it to 4.9
-
-RUN rm -rf /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.8 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.7 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.6
+# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
+# default to gcc-5.
+RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc

 RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
 && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
--- a/docker/local/Dockerfile
+++ b/docker/local/Dockerfile
@@ -14,8 +14,7 @@ RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root

 ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/

-RUN echo "deb http://httpredir.debian.org/debian jessie main" > /etc/apt/sources.list.d/jessie.list \
- && apt-get update \
+RUN apt-get update \
 && apt-get install -y --no-install-recommends \
 	bash-completion \
 	curl \
@@ -24,19 +23,11 @@ RUN echo "deb http://httpredir.debian.org/debian jessie main" > /etc/apt/sources
 	ca-certificates \
 	gcc \
 	gcc-5 \
-	gcc-4.9 \
 	dkms && rm -rf /var/lib/apt/lists/*

-# Since our base Debian image ships with GCC 5.0 which breaks older kernels, revert the
-# default to gcc-4.9. Also, since some customers use some very old distributions whose kernel
-# makefile is hardcoded for gcc-4.6 or so (e.g. Debian Wheezy), we pretend to have gcc 4.6/4.7
-# by symlinking it to 4.9
-
-RUN rm -rf /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.8 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.7 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.6
+# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
+# default to gcc-5.
+RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc

 RUN ln -s $SYSDIG_HOST_ROOT/lib/modules /lib/modules

--- a/docker/stable/Dockerfile
+++ b/docker/stable/Dockerfile
@@ -14,8 +14,7 @@ RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root

 ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/

-RUN echo "deb http://httpredir.debian.org/debian jessie main" > /etc/apt/sources.list.d/jessie.list \
- && apt-get update \
+RUN apt-get update \
 && apt-get install -y --no-install-recommends \
 	bash-completion \
 	curl \
@@ -23,19 +22,11 @@ RUN echo "deb http://httpredir.debian.org/debian jessie main" > /etc/apt/sources
 	ca-certificates \
 	gnupg2 \
 	gcc \
-	gcc-5 \
-	gcc-4.9 && rm -rf /var/lib/apt/lists/*
+	gcc-5 && rm -rf /var/lib/apt/lists/*

-# Since our base Debian image ships with GCC 5.0 which breaks older kernels, revert the
-# default to gcc-4.9. Also, since some customers use some very old distributions whose kernel
-# makefile is hardcoded for gcc-4.6 or so (e.g. Debian Wheezy), we pretend to have gcc 4.6/4.7
-# by symlinking it to 4.9
-
-RUN rm -rf /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.8 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.7 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.6
+# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
+# default to gcc-5.
+RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc

 RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
 && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
--- a/examples/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml
+++ b/examples/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml
@@ -19,14 +19,12 @@ spec:
          image: sysdig/falco:latest
          securityContext:
            privileged: true
-          args: [ "/usr/bin/falco", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes", "-pk"]
+          args: [ "/usr/bin/falco", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes.default", "-pk"]
          volumeMounts:
            - mountPath: /host/var/run/docker.sock
              name: docker-socket
-              readOnly: true
            - mountPath: /host/dev
              name: dev-fs
-              readOnly: true
            - mountPath: /host/proc
              name: proc-fs
              readOnly: true
--- a/examples/k8s-using-daemonset/k8s-without-rbac/falco-daemonset.yaml
+++ b/examples/k8s-using-daemonset/k8s-without-rbac/falco-daemonset.yaml
@@ -18,14 +18,12 @@ spec:
          image: sysdig/falco:latest
          securityContext:
            privileged: true
-          args: [ "/usr/bin/falco", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes", "-pk", "-o", "json_output=true", "-o", "program_output.enabled=true", "-o",  "program_output.program=jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/see_your_slack_team/apps_settings_for/a_webhook_url"]
+          args: [ "/usr/bin/falco", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes.default", "-pk", "-o", "json_output=true", "-o", "program_output.enabled=true", "-o",  "program_output.program=jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/see_your_slack_team/apps_settings_for/a_webhook_url"]
          volumeMounts:
            - mountPath: /host/var/run/docker.sock
              name: docker-socket
-              readOnly: true
            - mountPath: /host/dev
              name: dev-fs
-              readOnly: true
            - mountPath: /host/proc
              name: proc-fs
              readOnly: true
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
--- a/test/falco_traces.yaml.in
+++ b/test/falco_traces.yaml.in
@@ -59,44 +59,6 @@ traces: !mux
      - "Modify binary dirs": 2
      - "Change thread namespace": 2

-  installer-fbash-manages-service:
-    trace_file: traces-info/installer-fbash-manages-service.scap
-    detect: True
-    detect_level: INFO
-    detect_counts:
-      - "Installer bash manages service": 4
-
-  installer-bash-non-https-connection:
-    trace_file: traces-positive/installer-bash-non-https-connection.scap
-    detect: True
-    detect_level: NOTICE
-    detect_counts:
-      - "Installer bash non https connection": 1
-
-  installer-fbash-runs-pkgmgmt:
-    trace_file: traces-info/installer-fbash-runs-pkgmgmt.scap
-    detect: True
-    detect_level: [NOTICE, INFO]
-    detect_counts:
-      - "Installer bash runs pkgmgmt program": 4
-      - "Installer bash non https connection": 4
-
-  installer-bash-starts-network-server:
-    trace_file: traces-positive/installer-bash-starts-network-server.scap
-    detect: True
-    detect_level: NOTICE
-    detect_counts:
-      - "Installer bash starts network server": 2
-      - "Installer bash non https connection": 3
-
-  installer-bash-starts-session:
-    trace_file: traces-positive/installer-bash-starts-session.scap
-    detect: True
-    detect_level: NOTICE
-    detect_counts:
-      - "Installer bash starts session": 1
-      - "Installer bash non https connection": 3
-
  mkdir-binary-dirs:
    trace_file: traces-positive/mkdir-binary-dirs.scap
    detect: True
@@ -111,13 +73,6 @@ traces: !mux
    detect_counts:
      - "Modify binary dirs": 1

-  modify-package-repo-list-installer:
-    trace_file: traces-info/modify-package-repo-list-installer.scap
-    detect: True
-    detect_level: INFO
-    detect_counts:
-      - "Write below etc in installer": 1
-
  non-sudo-setuid:
    trace_file: traces-positive/non-sudo-setuid.scap
    detect: True
@@ -131,6 +86,7 @@ traces: !mux
    detect_level: WARNING
    detect_counts:
      - "Read sensitive file untrusted": 1
+      - "Read sensitive file trusted after startup": 1

  read-sensitive-file-untrusted:
    trace_file: traces-positive/read-sensitive-file-untrusted.scap
@@ -181,13 +137,6 @@ traces: !mux
    detect_counts:
      - "Write below etc": 1

-  write-etc-installer:
-    trace_file: traces-info/write-etc-installer.scap
-    detect: True
-    detect_level: INFO
-    detect_counts:
-      - "Write below etc in installer": 1
-
  write-rpm-database:
    trace_file: traces-positive/write-rpm-database.scap
    detect: True
--- a/userspace/engine/lua/compiler.lua
+++ b/userspace/engine/lua/compiler.lua
@@ -76,7 +76,8 @@ function expand_macros(ast, defs, changed)
         if (defs[ast.value.value] == nil) then
            error("Undefined macro '".. ast.value.value .. "' used in filter.")
         end
-         ast.value = copy_ast_obj(defs[ast.value.value])
+	 defs[ast.value.value].used = true
+         ast.value = copy_ast_obj(defs[ast.value.value].ast)
         changed = true
 	 return changed
      end
@@ -88,7 +89,8 @@ function expand_macros(ast, defs, changed)
         if (defs[ast.left.value] == nil) then
            error("Undefined macro '".. ast.left.value .. "' used in filter.")
         end
-         ast.left = copy_ast_obj(defs[ast.left.value])
+	 defs[ast.left.value].used = true
+         ast.left = copy_ast_obj(defs[ast.left.value].ast)
         changed = true
      end

@@ -96,7 +98,8 @@ function expand_macros(ast, defs, changed)
         if (defs[ast.right.value] == nil) then
            error("Undefined macro ".. ast.right.value .. " used in filter.")
         end
-         ast.right = copy_ast_obj(defs[ast.right.value])
+	 defs[ast.right.value].used = true
+         ast.right = copy_ast_obj(defs[ast.right.value].ast)
         changed = true
      end

@@ -109,7 +112,8 @@ function expand_macros(ast, defs, changed)
         if (defs[ast.argument.value] == nil) then
            error("Undefined macro ".. ast.argument.value .. " used in filter.")
         end
-         ast.argument = copy_ast_obj(defs[ast.argument.value])
+	 defs[ast.argument.value].used = true
+         ast.argument = copy_ast_obj(defs[ast.argument.value].ast)
         changed = true
      end
      return expand_macros(ast.argument, defs, changed)
@@ -283,11 +287,28 @@ function get_evttypes(name, ast, source)
   return evttypes
 end

+function compiler.expand_lists_in(source, list_defs)
+
+   for name, def in pairs(list_defs) do
+      local begin_name_pat = "^("..name..")([%s(),=])"
+      local mid_name_pat = "([%s(),=])("..name..")([%s(),=])"
+      local end_name_pat = "([%s(),=])("..name..")$"
+
+      source, subcount1 = string.gsub(source, begin_name_pat, table.concat(def.items, ", ").."%2")
+      source, subcount2 = string.gsub(source, mid_name_pat, "%1"..table.concat(def.items, ", ").."%3")
+      source, subcount3 = string.gsub(source, end_name_pat, "%1"..table.concat(def.items, ", "))
+
+      if (subcount1 + subcount2 + subcount3) > 0 then
+	 def.used = true
+      end
+   end
+
+   return source
+end
+
 function compiler.compile_macro(line, macro_defs, list_defs)

-   for name, items in pairs(list_defs) do
-      line = string.gsub(line, name, table.concat(items, ", "))
-   end
+   line = compiler.expand_lists_in(line, list_defs)

   local ast, error_msg = parser.parse_filter(line)

@@ -325,14 +346,7 @@ end
 --]]
 function compiler.compile_filter(name, source, macro_defs, list_defs)

-   for name, items in pairs(list_defs) do
-      local begin_name_pat = "^("..name..")([%s(),=])"
-      local mid_name_pat = "([%s(),=])("..name..")([%s(),=])"
-      local end_name_pat = "([%s(),=])("..name..")$"
-      source = string.gsub(source, begin_name_pat, table.concat(items, ", ").."%2")
-      source = string.gsub(source, mid_name_pat, "%1"..table.concat(items, ", ").."%3")
-      source = string.gsub(source, end_name_pat, "%1"..table.concat(items, ", "))
-   end
+   source = compiler.expand_lists_in(source, list_defs)

   local ast, error_msg = parser.parse_filter(source)

--- a/userspace/engine/lua/rule_loader.lua
+++ b/userspace/engine/lua/rule_loader.lua
@@ -347,13 +347,13 @@ function load_rules(rules_content, rules_mgr, verbose, all_events, extra, replac
 	 if (state.lists[item] == nil) then
 	    items[#items+1] = item
 	 else
-	    for i, exp_item in ipairs(state.lists[item]) do
+	    for i, exp_item in ipairs(state.lists[item].items) do
 	       items[#items+1] = exp_item
 	    end
 	 end
      end

-      state.lists[v['list']] = items
+      state.lists[v['list']] = {["items"] = items, ["used"] = false}
   end

   for i, name in ipairs(state.ordered_macro_names) do
@@ -361,7 +361,7 @@ function load_rules(rules_content, rules_mgr, verbose, all_events, extra, replac
      local v = state.macros_by_name[name]

      local ast = compiler.compile_macro(v['condition'], state.macros, state.lists)
-      state.macros[v['macro']] = ast.filter.value
+      state.macros[v['macro']] = {["ast"] = ast.filter.value, ["used"] = false}
   end

   for i, name in ipairs(state.ordered_rule_names) do
@@ -443,6 +443,21 @@ function load_rules(rules_content, rules_mgr, verbose, all_events, extra, replac
      end
   end

+   if verbose then
+      -- Print info on any dangling lists or macros that were not used anywhere
+      for name, macro in pairs(state.macros) do
+	 if macro.used == false then
+	    print("Warning: macro "..name.." not refered to by any rule/macro")
+	 end
+      end
+
+      for name, list in pairs(state.lists) do
+	 if list.used == false then
+	    print("Warning: list "..name.." not refered to by any rule/macro/list")
+	 end
+      end
+   end
+
   io.flush()
 end

--- a/userspace/falco/falco.cpp
+++ b/userspace/falco/falco.cpp
@@ -111,7 +111,8 @@ static void usage()
 	   "                               single line emitted by falco to be flushed, which generates higher CPU\n"
 	   "                               usage but is useful when piping those outputs into another process\n"
 	   "                               or into a script.\n"
-	   " -V,--validate <rules_file>    Read the contents of the specified rules file and exit\n"
+	   " -V,--validate <rules_file>    Read the contents of the specified rules(s) file and exit\n"
+	   "                               Can be specified multiple times to validate multiple files.\n"
 	   " -v                            Verbose output.\n"
           " --version                     Print version number.\n"
 	   "\n"
@@ -245,7 +246,7 @@ int falco_init(int argc, char **argv)
 	string pidfilename = "/var/run/falco.pid";
 	bool describe_all_rules = false;
 	string describe_rule = "";
-	string validate_rules_file = "";
+	list<string> validate_rules_filenames;
 	string stats_filename = "";
 	bool verbose = false;
 	bool all_events = false;
@@ -282,7 +283,7 @@ int falco_init(int argc, char **argv)
 		{"pidfile", required_argument, 0, 'P' },
 		{"unbuffered", no_argument, 0, 'U' },
 		{"version", no_argument, 0, 0 },
-		{"validate", required_argument, 0, 0 },
+		{"validate", required_argument, 0, 'V' },
 		{"writefile", required_argument, 0, 'w' },

 		{0, 0, 0, 0}
@@ -396,7 +397,7 @@ int falco_init(int argc, char **argv)
 				verbose = true;
 				break;
 			case 'V':
-				validate_rules_file = optarg;
+				validate_rules_filenames.push_back(optarg);
 				break;
 			case 'w':
 				outfile = optarg;
@@ -460,10 +461,17 @@ int falco_init(int argc, char **argv)
 			}
 		}

-		if(validate_rules_file != "")
+		if(validate_rules_filenames.size() > 0)
 		{
-			falco_logger::log(LOG_INFO, "Validating rules file: " + validate_rules_file + "...\n");
-			engine->load_rules_file(validate_rules_file, verbose, all_events);
+			falco_logger::log(LOG_INFO, "Validating rules file(s):\n");
+			for(auto file : validate_rules_filenames)
+			{
+				falco_logger::log(LOG_INFO, "   " + file + "\n");
+			}
+			for(auto file : validate_rules_filenames)
+			{
+				engine->load_rules_file(file, verbose, all_events);
+			}
 			falco_logger::log(LOG_INFO, "Ok\n");
 			goto exit;
 		}
Author	SHA1	Message	Date
Brett Bertocci	05c4ba1842	Merge branch 'dev' into agent-master	2018-03-08 14:47:06 -08:00
Mark Stemm	eb4feed1b6	Associate --validate with -V. (#334 ) * Associate --validate with -V. This fixes https://github.com/draios/falco/issues/322. * Pin the version of libvirt-python to < 4.1.0 Evidently a recent libvirt-python has build problems on ubuntu. See https://bugs.launchpad.net/openstack-requirements/+bug/1753539. Pin to releases < 4.1.0 to avoid picking up the newer one that has the build failure.	2018-03-08 13:03:26 -08:00
Brett Bertocci	45d467656f	Merge branch 'dev' into agent-master	2018-03-08 12:38:44 -08:00
Luca Marturana	ba6d6dbf9d	Use gcc 5 by default to compile properly on Ubuntu Xenial, remove gcc 4.9 since CentOS does not work anyway due to glibc	2018-02-27 09:39:13 -08:00
Mark Stemm	38eb5b8741	Add more validations (#329 ) * Add the ability to validate multiple rules files Allow multiple -V arguments just as we do with multiple -r arguments. * With verbose output, print dangling macros/lists Start tracking whether or not a given macro/list is actually used when compiling the set of rules. Every macro/list has an attribute used, which defaults to false and is set to true whenever it is referred to in a macro/rule/list. When run with -v, any macro/list that still has used=false results in a warning message. Also, it turns out the fix for https://github.com/draios/falco/issues/197 wasn't being applied to macros. Fix that.	2018-02-26 16:59:18 -05:00
Mark Stemm	947faca334	Rule updates 2018 02.v2 (#326 ) * Let OMS agent for linux write config Programs are omiagent/omsagent/PerformInventor/in_heartbeat_r* and files are below /etc/opt/omi and /etc/opt/microsoft/omsagent. * Handle really long classpath lines for cassandra Some cassandra cmdlines are so long the classpath truncates the cmdline before the actual entry class gets named. In those cases also look for cassandra-specific config options. * Let postgres binaries read sensitive files Also add a couple of postgres cluster management programs. * Add apt-add-reposit(ory) as a debian mgmt program * Add addl info to debug writing sensitive files Add parent/grandparent process info. * Requrire root directory files to contain / In some cases, a file below root might be detected but the file itself has no directory component at all. This might be a bug with dropped events. Make the test more strict by requiring that the file actually contains a "/". * Let updmap read sensitive files Part of texlive (https://www.tug.org/texlive/) * For selected rules, require proc name to exist Some rules such as reading sensitive files and writing below etc have many exceptions that depend on the process name. In very busy environments, system call events might end up being dropped, which causes the process name to be missing. In these cases, we'll let the sensitive file read/write below etc to occur. That's handled by a macro proc_name_exists, which ensures that proc.name is not "<NA>" (the placeholder when it doesn't exist). * Let ucf write generally below /etc ucf is a general purpose config copying program, so let it generally write below /etc, as long as it in turn is run by the apt program "frontend". * Add new conf writers for couchdb/texmf/slapadd Each has specific subdirectories below /etc * Let sed write to addl temp files below /etc Let sed write to additional temporary files (some directory + "sed") below /etc. All generally related to package installation scripts. * Let rabbitmq(ctl) spawn limited shells Let rabbitmq spawn limited shells that perform read-only tasks like reading processes/ifaces. Let rabbitmqctl generally spawn shells. * Let redis run startup/shutdown scripts Let redis run specific startup/shutdown scripts that trigger at start/stop. They generally reside below /etc/redis, but just looking for the names redis-server.{pre,post}-up in the commandline. * Let erlexec spawn shells https://github.com/saleyn/erlexec, "Execute and control OS processes from Erlang/OTP." * Handle updated trace files As a part of these changes, we updated some of the positive trace files to properly include a process name. These newer trace files have additional opens, so update the expected event counts to match. * Let yum-debug-dump write to rpm database * Additional config writers Symantec AV for Linux, sosreport, semodule (selinux), all with their config files. * Tidy up comments a bit. * Try protecting node apps again Try improving coverage of run shell untrusted by looking for shells below node processes again. Want to see how many FPs this causes before fully committing to it. * Let node run directly by docker count as a service Generally, we don't want to consider all uses of node as a service wrt spawned shells. But we might be able to consider node run directly by docker as a "service". So add that to protected_shell_spawner. * Also add PM2 as a protected shell spawner This should handle cases where PM2 manages node apps. * Remove dangling macros/lists Do a pass over the set of macros/lists, removing most of those that are no longer referred to by any macro/list. The bulk of the macros/lists were related to the rule Run Shell Untrusted, which was refactored to only detect shells run below specific programs. With that change, many of these exceptions were no longer neeeded. * Add a "never_true" macro Add a never_true macro that will never match any event. Useful if you want to disable a rule/macro/etc. * Add missing case to write_below_etc Add the macro veritas_writing_config to write_below_etc, which was mistakenly not added before. * Make tracking shells spawned by node optional The change to generally consider node run directly in a container as a protected shell spawner was too permissive, causing false positives. However, there are some deployments that want to track shells spawned by node as suspect. To address this, create a macro possibly_node_in_container which defaults to never matching (via the never_true) macro. In a user rules file, you can override the macro to remove the never_true clause, reverting to the old behavior. * Add some dangling macros/lists back Some macros/lists are still referred to by some widely used user rules files, so add them back temporarily.	2018-02-26 13:26:28 -05:00
Mark Stemm	0a66bc554a	Improvements to falco daemonset configuration (#325 ) * Use kubernetes.default to reach k8s api server Originally raised in #296, but since then we documented rbac and without-rbac methods, so mirroring the change here. * Mount docker socket/dev read-write This matches the direct docker run commands, which also mount those resources read-write.	2018-02-20 12:57:59 -05:00
Jean-Philippe Lachance	4d8e982f78	+ Add gdb in the development Docker image to help debugging (#323 ) sysdig-CLA-1.0-signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>	2018-02-20 11:54:13 -05:00
Jean-Philippe Lachance	52e8c16903	+ Add the user_known_change_thread_namespace_binaries list to simplify "Change thread namespace" rule tweaks (#324 ) sysdig-CLA-1.0-signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>	2018-02-20 11:53:25 -05:00
Mark Stemm	414c9a0eed	Rule updates 2018 02.v1 (#321 ) * Add additional allowed files below root. These are related to node.js apps. * Let yum-config-mana(ger) write to rpm database. * Let gugent write to (root) + GuestAgent.log vRA7 Guest Agent writes to GuestAgent.log with a cwd of root. * Let cron-start write to pam_env.conf * Add additional root files and directories All seen in legitimate cases. * Let nginx run aws s3 cp Possibly seen as a part of consul deployments and/or openresty. * Add rule for disallowed ssh connections New rule "Disallowed SSH Connection" detects ssh connection attempts other than those allowed by the macro allowed_ssh_hosts. The default version of the macro allows any ssh connection, so the rule never triggers by default. The macro could be overridden in a local/user rules file, though. * Detect contacting NodePort svcs in containers New rule "Unexpected K8s NodePort Connection" detects attempts to contact K8s NodePort services (i.e. ports >=30000) from within containers. It requires overridding a macro nodeport_containers which specifies a set of containers that are allowed to use these port ranges. By default every container is allowed.	2018-02-20 10:06:13 -05:00
Thom van Os	3912e6e44b	Merge branch 'dev' into agent-master	2018-01-30 14:51:13 -08:00
Mark Stemm	1564e87177	Rule updates 2018.01.v1 (#319 ) * Remove remaining fbash references. No longer relevant after all the installer rules were removed. * Detect contacting EC2 metadata svc from containers Add a rule that detects attempts to contact the ec2 metadata service from containers. By default, the rule does not trigger unless a list of explicitly allowed containers is provided. * Detect contacting K8S API Server from container New rule "Contact K8S API Server From Container" looks for connections to the K8s API Server. The ip/port for the K8s API Server is in the macro k8s_api_server and contains an ip/port that's not likely to occur in practice, so the rule is effectively disabled by default.	2018-01-25 16:06:15 -08:00
Anoop Gupta	958c0461bb	Merge remote-tracking branch 'origin/dev' into agent-master	2018-01-25 15:05:25 -08:00
Mark Stemm	070a67d069	Use http dependencies (#317 ) Some versions of cmake include a libcurl that don't have ssl support, and verifying the md5sums should be enough.	2018-01-18 09:04:08 -08:00
Mark Stemm	1feae90c74	Rule updates vdec2 (#315 ) * Additional rpm writers, root directories salt-minion can also touch the rpm database, and some node packages write below /root/.config/configstore. * Add smbd as a protected shell spawner. It's a server-like program. * Also handle .ash_history default shell for alpine linux * Add exceptions for veritas Let many veritas programs write below /etc/vx. Let one veritas-related perl script read sensitive files. * Allow postgres to run wal-e https://github.com/wal-e/wal-e, archiving program for postgres. * Let consul (agent) run addl scripts Also let consul (agent, but the distinction is in the command line args) to run nc in addition to curl. Also rename the macro. * Let postgres setuid to itself Let postgres setuid to itself. Seen by archiving programs like wal-e. * Also allow consul to run alert check scripts "sh -c /bin/consul-alerts watch checks --alert-addr 0.0.0.0:9000 ..." * Add additional privileged containers. Openshift's logging support containers generally run privileged. * Let addl progs write below /etc/lvm Add lvcreate as a program that can write below /etc/lvm and rename the macro to lvprogs_writing_lvm_archive. * Let glide write below root https://glide.sh/, package management for go. * Let sosreport read sensitive files. * Let scom server read sensitive files. Microsoft System Center Operations Manager (SCOM). * Let kube-router run privileged. https://github.com/cloudnativelabs/kube-router * Let needrestart_binaries spawns shells Was included in prior version of shell rules, adding back. * Let splunk spawn shells below /opt/splunkforwarder * Add yum-cron as a rpm binary * Add a different way to run denyhosts. Strange that the program is denyhosts.py but observed in actual environments. * Let nrpe setuid to nagios. * Also let postgres run wal-e wrt shells Previously added as an exception for db program spawned process, need to add as an exception for run shell untrusted. * Remove installer shell-related rules They aren't used that often and removing them cleans up space for new rules we want to add soon.	2018-01-17 20:29:45 -08:00
Mark Stemm	8aeef034a6	Remove installer-related traces We removed the installer-related rules, so remove the installer-related traces as well.	2018-01-17 17:40:38 -08:00
Mark Stemm	c7bcc2dce0	Addl CHANGELOG changes for 0.9.0	2018-01-17 17:00:42 -08:00
Mark Stemm	3e2f9f63d3	Update changelog/README for 0.9.0 (#316 )	2018-01-17 16:58:44 -08:00