github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-03-20 11:42:06 +00:00
Code Issues Projects Releases Wiki Activity

Compare commits

merge into: github:allow-unknown-sources
Branches Tags
github:master github:fix/http-output-on-non-linux-platforms github:dependabot/submodules/submodules/falcosecurity-rules-048d2f8 github:feat/capture-events-filesize-limits github:update/libs github:3485_webserver_with_own_uid_gid github:release/0.43.x github:ekoops-patch-1 github:release/0.42.x github:release/0.41.x github:test/wip github:new/musl_static_aarch64 github:release/0.40.x github:release/0.39.x github:wip/test_libs_master github:release/0.38.x github:generalize-indexable-ruleset-polymorphic github:chore/test_pr1803 github:LucaGuerra-patch-1 github:release/0.37.x github:fix_CI_5 github:chore/use_actuated_helper github:fix_CI_4 github:bump_falco_latest_libs github:new/static_aarch64 github:fix/use_plugin_name github:new/mode-in-config github:release/0.36.x github:test_filterchecks github:test_release_0.36.0 github:fix/workaround_glibc_bug_timer_delete github:wip/test github:add-load-files-method github:test/ci github:update/pidfile-usage-doc github:bump_libs_andrea github:release/0.35.x github:remove-source-ruleset-overwrite-when-loading github:mstemm-works-with-latest-libs github:test/PR546 github:test/PR959 github:libs_bump github:release/0.34.x github:release/0.34.0 github:fix/kmod_cleanup github:chore/move-rules-to-their-repo github:enable_maintainers_gh_jobs github:dev_docker github:fix/dev_version github:exec-hashes github:falco_modern_probe github:release/0.33.1 github:test_modern_probe github:fix/docker_img_host_root_runtime github:release/0.33.0 github:test_falco_bump github:chore/falco_lock_file github:fix_falco_service github:test_deb_rpm github:buffer_dimension github:testing/falco-0-32-3/issue/1909 github:test/libs/pr/567 github:test/new_libs github:release/0.32.2 github:update/remove-mesos-support github:remove-fntlnz github:test/libs/pr/213 github:leogr-patch-1 github:build/fix-conffiles github:add-app-actions github:add-app-actions-prerebase-2 github:add-grpc-rules-loading github:fix-plugins-issue-56 github:field-properties-changes github:embed-lua-scripts github:new/plugin-system-api-additions-prerebase github:embeddable-falco-engine github:build/apply-libs-pr-41 github:build/upgrade-driver-version-mid2021 github:build/upgrade-driver-version-for-0-29-0 github:build/update-driver-version-wip github:hotfix/grpc-in-packages github:use-url-safe-chars-version github:rules-fp-fixes-2021-02 github:allow-unknown-sources github:libhawk-rules github:build/docs github:update/cli github:update/logo github:caniszczyk-patch-1 github:new/logger github:new/inspect-per-cpu github:new/ci-build-aarch64 github:release/0.26.2 github:temporary/test-ci-broken-tests github:libhawk github:add-exceptions-support-copy2 github:add-exceptions-support-copy github:chore/remove-time-macrodefs github:update/release-drivers github:rules-bash-history-top-only github:fix/scripts-modprobe github:perf-experiments github:fix/1272 github:fix/1272-test github:readme-update github:proposal/rules-engine-version-scope github:nova-debug github:falco-driver-loader-dockerfile github:chore/integration-grpc-with-event-generator github:feat/grpc-integration-tests github:new/profiler github:falco-arm-support github:falco-on-arm github:feature/inputs-mvp github:adding-install-script github:feat/modulecheck github:falco-release-0-17-0 github:falco-release-0-17-1 github:add-addl-pst-owners github:683-handle-sinsp-errors github:allow-regex-chars-rule-names github:backup-master github:add-context-to-rules-errors
github:0.43.0 github:0.43.0-rc4 github:0.43.0-rc3 github:0.43.0-rc2 github:0.43.0-rc1 github:0.42.1 github:0.42.0 github:0.42.0-rc4 github:0.42.0-rc3 github:0.42.0-rc2 github:0.42.0-rc1 github:0.41.3 github:0.41.2 github:0.41.1 github:0.41.1-rc1 github:0.41.0 github:0.41.0-rc2 github:0.41.0-rc1 github:0.40.0 github:0.40.0-rc1 github:0.39.2 github:0.39.1 github:0.39.1-rc1 github:0.39.0 github:0.39.0-rc3 github:0.39.0-rc2 github:0.39.0-rc1 github:0.38.2 github:0.38.2-rc2 github:0.38.2-rc1 github:0.38.1 github:0.38.1-rc1 github:0.38.0 github:0.38.0-rc5 github:0.38.0-rc4 github:0.38.0-rc3 github:0.38.0-rc2 github:0.38.0-rc1 github:0.37.1 github:0.37.1-rc1 github:0.37.0 github:0.37.0-rc3 github:0.37.0-rc2 github:0.37.0-rc1 github:0.36.2 github:0.36.2-rc1 github:0.36.1 github:0.36.1-rc1 github:0.36.0 github:0.36.0-rc3 github:0.36.0-rc2 github:0.36.0-rc1 github:0.35.1 github:0.35.0 github:0.35.0-rc2 github:0.35.0-rc1 github:0.35.0-alpha5 github:0.35.0-alpha4 github:0.35.0-alpha3 github:0.35.0-alpha2 github:0.35.0-alpha1 github:0.34.1 github:0.34.0 github:0.33.1 github:0.33.0 github:0.32.2 github:0.32.1 github:0.32.0 github:0.31.1 github:0.31.0 github:0.30.0 github:0.29.1 github:0.29.0 github:0.28.1 github:0.28.0 github:0.27.0 github:0.26.2 github:0.26.1 github:0.26.0 github:0.25.0 github:0.24.0 github:0.23.0 github:0.22.1 github:0.22.0 github:0.21.0 github:0.20.0 github:0.19.0 github:0.18.0 github:0.17.1 github:0.17.0 github:0.16.0 github:0.15.3 github:0.15.2 github:0.15.1 github:0.15.0 github:0.14.0 github:0.13.1 github:0.13.0 github:agent/0.85.1 github:0.12.1 github:0.12.0 github:agent/0.85.0 github:agent/0.84.2 github:agent/0.84.3 github:agent/0.84.1 github:agent/0.84.0 github:0.11.1 github:0.11.0 github:agent/0.83.1 github:agent/0.83.0 github:agent/0.81.0 github:agent/0.82.0 github:agent/0.80.2 github:agent/0.80.1 github:0.10.0 github:agent/0.80.0 github:agent/0.79.0 github:agent/0.79.1 github:agent/0.78.0 github:agent/0.78.1 github:agent/0.76.4 github:agent/0.77.0 github:agent/0.76.3 github:0.9.0 github:agent/0.76.0 github:agent/0.76.1 github:agent/0.76.2 github:agent/0.75.0 github:agent/0.74.0 github:agent/0.73.2 github:agent/0.73.1 github:agent/0.73.0 github:agent/0.72.4 github:agent/0.72.0 github:agent/0.72.1 github:agent/0.72.2 github:agent/0.72.3 github:agent/0.71.0 github:agent/0.70.0 github:0.8.1 github:0.8.0 github:agent/0.69.0 github:agent/0.68.0 github:agent/0.66.0 github:agent/0.67.0 github:agent/0.65.0 github:agent/0.65.1 github:agent/0.63.0 github:agent/0.63.1 github:agent/0.64.0 github:agent/0.61.0 github:agent/0.62.0 github:0.7.0 github:0.6.1 github:agent/0.60.0 github:agent/0.59.0 github:agent/0.58.0 github:agent/0.57.0 github:agent/0.56.0 github:0.6.0 github:0.6.0-test github:agent/0.55.0 github:agent/0.54.0 github:agent/0.53.0 github:agent/0.52.0 github:agent/0.51.0 github:agent/0.50.1 github:agent/0.50.0 github:0.5.0 github:agent/0.49.1 github:agent/0.49.0 github:agent/0.48.0 github:agent/0.47.0 github:agent/0.46.0 github:agent/0.45.0 github:agent/0.44.0 github:agent/0.43.0 github:0.4.0 github:agent/0.42.0 github:agent/0.40.0 github:agent/0.41.0 github:0.3.0 github:v0.2.0 github:v0.1.0
...
pull from: github:embeddable-falco-engine
Branches Tags
github:fix/http-output-on-non-linux-platforms github:dependabot/submodules/submodules/falcosecurity-rules-048d2f8 github:master github:feat/capture-events-filesize-limits github:update/libs github:3485_webserver_with_own_uid_gid github:release/0.43.x github:ekoops-patch-1 github:release/0.42.x github:release/0.41.x github:test/wip github:new/musl_static_aarch64 github:release/0.40.x github:release/0.39.x github:wip/test_libs_master github:release/0.38.x github:generalize-indexable-ruleset-polymorphic github:chore/test_pr1803 github:LucaGuerra-patch-1 github:release/0.37.x github:fix_CI_5 github:chore/use_actuated_helper github:fix_CI_4 github:bump_falco_latest_libs github:new/static_aarch64 github:fix/use_plugin_name github:new/mode-in-config github:release/0.36.x github:test_filterchecks github:test_release_0.36.0 github:fix/workaround_glibc_bug_timer_delete github:wip/test github:add-load-files-method github:test/ci github:update/pidfile-usage-doc github:bump_libs_andrea github:release/0.35.x github:remove-source-ruleset-overwrite-when-loading github:mstemm-works-with-latest-libs github:test/PR546 github:test/PR959 github:libs_bump github:release/0.34.x github:release/0.34.0 github:fix/kmod_cleanup github:chore/move-rules-to-their-repo github:enable_maintainers_gh_jobs github:dev_docker github:fix/dev_version github:exec-hashes github:falco_modern_probe github:release/0.33.1 github:test_modern_probe github:fix/docker_img_host_root_runtime github:release/0.33.0 github:test_falco_bump github:chore/falco_lock_file github:fix_falco_service github:test_deb_rpm github:buffer_dimension github:testing/falco-0-32-3/issue/1909 github:test/libs/pr/567 github:test/new_libs github:release/0.32.2 github:update/remove-mesos-support github:remove-fntlnz github:test/libs/pr/213 github:leogr-patch-1 github:build/fix-conffiles github:add-app-actions github:add-app-actions-prerebase-2 github:add-grpc-rules-loading github:fix-plugins-issue-56 github:field-properties-changes github:embed-lua-scripts github:new/plugin-system-api-additions-prerebase github:embeddable-falco-engine github:build/apply-libs-pr-41 github:build/upgrade-driver-version-mid2021 github:build/upgrade-driver-version-for-0-29-0 github:build/update-driver-version-wip github:hotfix/grpc-in-packages github:use-url-safe-chars-version github:rules-fp-fixes-2021-02 github:allow-unknown-sources github:libhawk-rules github:build/docs github:update/cli github:update/logo github:caniszczyk-patch-1 github:new/logger github:new/inspect-per-cpu github:new/ci-build-aarch64 github:release/0.26.2 github:temporary/test-ci-broken-tests github:libhawk github:add-exceptions-support-copy2 github:add-exceptions-support-copy github:chore/remove-time-macrodefs github:update/release-drivers github:rules-bash-history-top-only github:fix/scripts-modprobe github:perf-experiments github:fix/1272 github:fix/1272-test github:readme-update github:proposal/rules-engine-version-scope github:nova-debug github:falco-driver-loader-dockerfile github:chore/integration-grpc-with-event-generator github:feat/grpc-integration-tests github:new/profiler github:falco-arm-support github:falco-on-arm github:feature/inputs-mvp github:adding-install-script github:feat/modulecheck github:falco-release-0-17-0 github:falco-release-0-17-1 github:add-addl-pst-owners github:683-handle-sinsp-errors github:allow-regex-chars-rule-names github:backup-master github:add-context-to-rules-errors
github:0.43.0 github:0.43.0-rc4 github:0.43.0-rc3 github:0.43.0-rc2 github:0.43.0-rc1 github:0.42.1 github:0.42.0 github:0.42.0-rc4 github:0.42.0-rc3 github:0.42.0-rc2 github:0.42.0-rc1 github:0.41.3 github:0.41.2 github:0.41.1 github:0.41.1-rc1 github:0.41.0 github:0.41.0-rc2 github:0.41.0-rc1 github:0.40.0 github:0.40.0-rc1 github:0.39.2 github:0.39.1 github:0.39.1-rc1 github:0.39.0 github:0.39.0-rc3 github:0.39.0-rc2 github:0.39.0-rc1 github:0.38.2 github:0.38.2-rc2 github:0.38.2-rc1 github:0.38.1 github:0.38.1-rc1 github:0.38.0 github:0.38.0-rc5 github:0.38.0-rc4 github:0.38.0-rc3 github:0.38.0-rc2 github:0.38.0-rc1 github:0.37.1 github:0.37.1-rc1 github:0.37.0 github:0.37.0-rc3 github:0.37.0-rc2 github:0.37.0-rc1 github:0.36.2 github:0.36.2-rc1 github:0.36.1 github:0.36.1-rc1 github:0.36.0 github:0.36.0-rc3 github:0.36.0-rc2 github:0.36.0-rc1 github:0.35.1 github:0.35.0 github:0.35.0-rc2 github:0.35.0-rc1 github:0.35.0-alpha5 github:0.35.0-alpha4 github:0.35.0-alpha3 github:0.35.0-alpha2 github:0.35.0-alpha1 github:0.34.1 github:0.34.0 github:0.33.1 github:0.33.0 github:0.32.2 github:0.32.1 github:0.32.0 github:0.31.1 github:0.31.0 github:0.30.0 github:0.29.1 github:0.29.0 github:0.28.1 github:0.28.0 github:0.27.0 github:0.26.2 github:0.26.1 github:0.26.0 github:0.25.0 github:0.24.0 github:0.23.0 github:0.22.1 github:0.22.0 github:0.21.0 github:0.20.0 github:0.19.0 github:0.18.0 github:0.17.1 github:0.17.0 github:0.16.0 github:0.15.3 github:0.15.2 github:0.15.1 github:0.15.0 github:0.14.0 github:0.13.1 github:0.13.0 github:agent/0.85.1 github:0.12.1 github:0.12.0 github:agent/0.85.0 github:agent/0.84.2 github:agent/0.84.3 github:agent/0.84.1 github:agent/0.84.0 github:0.11.1 github:0.11.0 github:agent/0.83.1 github:agent/0.83.0 github:agent/0.81.0 github:agent/0.82.0 github:agent/0.80.2 github:agent/0.80.1 github:0.10.0 github:agent/0.80.0 github:agent/0.79.0 github:agent/0.79.1 github:agent/0.78.0 github:agent/0.78.1 github:agent/0.76.4 github:agent/0.77.0 github:agent/0.76.3 github:0.9.0 github:agent/0.76.0 github:agent/0.76.1 github:agent/0.76.2 github:agent/0.75.0 github:agent/0.74.0 github:agent/0.73.2 github:agent/0.73.1 github:agent/0.73.0 github:agent/0.72.4 github:agent/0.72.0 github:agent/0.72.1 github:agent/0.72.2 github:agent/0.72.3 github:agent/0.71.0 github:agent/0.70.0 github:0.8.1 github:0.8.0 github:agent/0.69.0 github:agent/0.68.0 github:agent/0.66.0 github:agent/0.67.0 github:agent/0.65.0 github:agent/0.65.1 github:agent/0.63.0 github:agent/0.63.1 github:agent/0.64.0 github:agent/0.61.0 github:agent/0.62.0 github:0.7.0 github:0.6.1 github:agent/0.60.0 github:agent/0.59.0 github:agent/0.58.0 github:agent/0.57.0 github:agent/0.56.0 github:0.6.0 github:0.6.0-test github:agent/0.55.0 github:agent/0.54.0 github:agent/0.53.0 github:agent/0.52.0 github:agent/0.51.0 github:agent/0.50.1 github:agent/0.50.0 github:0.5.0 github:agent/0.49.1 github:agent/0.49.0 github:agent/0.48.0 github:agent/0.47.0 github:agent/0.46.0 github:agent/0.45.0 github:agent/0.44.0 github:agent/0.43.0 github:0.4.0 github:agent/0.42.0 github:agent/0.40.0 github:agent/0.41.0 github:0.3.0 github:v0.2.0 github:v0.1.0

175 Commits
allow-unkn ... embeddable

Author SHA1 Message Date
Mark Stemm
0c3fe8a4e7 This version works 
Minimally working version that can link a go program against a so with
the embedded falco engine. Running the program opens the engine for
syscalls and prints any output strings on alert.

It assumes the device already exists and the kernel module is
loaded. Also assumes the lua code is below /user/share--we'll want to
bake that into the shared library.

Lots of memory leaks still, the interface from go to c is still
monolithic, and I had to change the config of openssl crypto and
luajit to compile with -fPIC in order to link into the shared library,
but this version shows its feasible.
 2021-08-11 13:16:29 -07:00
Mark Stemm
5787dfa098 Update libs version 2021-08-11 13:15:37 -07:00
Mark Stemm
2434942bdc Example program using embed engine 
Not working yet
 2021-08-10 16:59:29 -07:00
Mark Stemm
2f7b72d670 Add to cmake 2021-08-10 16:59:06 -07:00
Mark Stemm
50e8da1049 Fix compile errors 2021-08-10 16:57:44 -07:00
Mark Stemm
5c398bd396 Embeddable falco engine experiments 
Still WIP/Experimental
 2021-08-09 14:51:33 -05:00
Leo Di Donato
efbe887d6e docs: CHANGELOG for 0.29.1 cleanup 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-07-30 12:20:10 +02:00
Leonardo Grasso
7dcbeb1f44 build(.circleci): ncurses is not required anymore 
Since `libs` version 13ec67ebd23417273275296813066e07cb85bc91

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-07-29 18:20:47 +02:00
Leonardo Grasso
93667f2d3e build(docker/builder): ncurses-dev is not required anymore 
Since `libs` version 13ec67ebd23417273275296813066e07cb85bc91

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-07-29 18:20:47 +02:00
Leonardo Di Donato
b5b1763d09 docs: CHANGELOG for Falco 0.29.1 changeset 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-30 16:14:26 +02:00
Leonardo Di Donato
d6690313a0 update(rules): bump the required engine version to version 9 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
98ce88f7ef chore(rules): imporve name of the list for userfaultfd exceptions 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
9ff8099501 update(userspace/engine): bump falco engine version 
Co-authored-by: Kaizhe Huang <derek0405@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
7db4778f55 update(rules): introducing list user_known_userfaultfd_activities to exclude processes known to use userfaultfd syscall 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
7f761ade4b update(rules): introducing the macro consider_userfaultfd_activities to act as a gate 
Co-authored-by: Kaizhe Huang <derek0405@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
84257912e0 update(rules): tag rule as syscall 
Co-authored-by: Kaizhe Huang <derek0405@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
9bc942c654 new(rules): detect unprivileged (successful) userfaultfd syscalls 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
8216b435cb update(rules): adding container info to the output of the Lryke detecting kernel module injections from containers 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
maxgio
78f710c706 docs(release.md): update 
Signed-off-by: maxgio92 massimiliano.giovagnoli.1992@gmail.com

Co-authored-by: Leo Di Donato <leodidonato@gmail.com>
 2021-06-22 18:59:28 +02:00
maxgio
1dd97c1b6f docs(release.md): update 
Signed-off-by: maxgio92 massimiliano.giovagnoli.1992@gmail.com

Co-authored-by: Leo Di Donato <leodidonato@gmail.com>
 2021-06-22 18:59:28 +02:00
maxgio92
3ef5716fa2 docs(release.md): document website snapshot for new minor versions 
Signed-off-by: maxgio92 <massimiliano.giovagnoli.1992@gmail.com>
 2021-06-22 18:59:28 +02:00
maxgio92
64102078c7 docs(release.md): update gh release description template 
Signed-off-by: maxgio92 <massimiliano.giovagnoli.1992@gmail.com>
 2021-06-22 18:59:28 +02:00
maxgio92
9703853da8 docs(changelog.md): add new non-user facing change 
Signed-off-by: maxgio92 <massimiliano.giovagnoli.1992@gmail.com>
 2021-06-21 16:55:25 +02:00
maxgio92
96403fa275 docs(changelog.md): fix typo in rules change log 
Signed-off-by: maxgio92 <massimiliano.giovagnoli.1992@gmail.com>
 2021-06-21 16:55:25 +02:00
Thomas Spear
acd5422b55 Fix link to CONTRIBUTING.md in the Pull Request Template 
Signed-off-by: Thomas Spear <tspear@conquestcyber.com>
 2021-06-21 11:01:38 +02:00
maxgio92
099c79ddde docs(changelog.md): add release 0.29.0 
Signed-off-by: maxgio92 <massimiliano.giovagnoli.1992@gmail.com>
 2021-06-17 17:43:54 +02:00
Lorenzo Fontana
0f24448d18 rules(list miner_domains): add rx.unmineable.com for anti-miner detection 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-06-17 09:59:25 +02:00
Leonardo Grasso
1b63ad1aed build: upgrade driver version to 17f5d 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-06-16 14:50:07 +02:00
Kaizhe Huang
b268d4d6c3 rule update(Non sudo setuid): check user id as well in case user name info is not available 
Signed-off-by: Kaizhe Huang <khuang@aurora.tech>
 2021-06-10 13:44:05 +02:00
Kaizhe Huang
684a5d85ff disable test 
Signed-off-by: Kaizhe Huang <khuang@aurora.tech>
 2021-06-07 12:17:21 +02:00
Kaizhe Huang
58cea0c5e7 minor fix 
Signed-off-by: Kaizhe Huang <khuang@aurora.tech>
 2021-06-07 12:17:21 +02:00
Kaizhe Huang
38ebc61808 fix tests 
Signed-off-by: Kaizhe Huang <khuang@aurora.tech>
 2021-06-07 12:17:21 +02:00
Kaizhe Huang
535db19991 disable change thread namespace test 
Signed-off-by: Kaizhe Huang <khuang@aurora.tech>
 2021-06-07 12:17:21 +02:00
Kaizhe Huang
abe46a19a0 minor changes 
Signed-off-by: Kaizhe Huang <derek0405@gmail.com>
 2021-06-07 12:17:21 +02:00
Kaizhe Huang
96fc8d1a27 update test 
Signed-off-by: Kaizhe Huang <derek0405@gmail.com>
 2021-06-07 12:17:21 +02:00
Kaizhe Huang
ad82f66be3 rules update(Change thread namespace and Set Setuid or Setgid bit): disable by default 
Signed-off-by: Kaizhe Huang <derek0405@gmail.com>
 2021-06-07 12:17:21 +02:00
Leonardo Grasso
c60fac9e34 build(test): upgrade urllib3 to 1.26.5 
CVE-2021-33503 has been fixed in urllib3 v1.26.5.
See:
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33503
 - https://github.com/urllib3/urllib3/releases/tag/1.26.5

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-06-04 22:15:33 +02:00
Sverre Boschman
35dc315390 add known k8s service accounts 
Signed-off-by: Sverre Boschman
 2021-06-04 10:46:09 +02:00
maxgio92
62c995f309 revert: add notes for 0.28.2 release 
This reverts commit 3432551295.

Signed-off-by: maxgio92 <massimiliano.giovagnoli.1992@gmail.com>
 2021-06-01 15:47:37 +02:00
maxgio92
3432551295 changelog: add notes for 0.28.2 release 
Signed-off-by: maxgio92 <massimiliano.giovagnoli.1992@gmail.com>
 2021-05-27 14:51:17 +02:00
Kaizhe Huang
09e1604fe0 rule update(Debugfs Launched in Privileged Container): fix typo in description 
Signed-off-by: Kaizhe Huang <khuang@aurora.tech>
 2021-05-27 11:21:30 +02:00
Leonardo Grasso
da7279da1d build(cmake/modules): upgrade libs and drivers version to 13ec67ebd23417273275296813066e07cb85bc91 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
05f5aa2af3 chore(cmake/modules): do not build libscap examples 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
53a1be66b0 chore(docker/builder): remove never used MINIMAL_BUILD option 
The option was added but could not work since MINIMAL_BUILD is not declared in this scope (also not currently needed).
Furthermore, it never took effect since the builder image was never built and pushed. For the same reason, we have not noticed it until now.

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
f7b572bea5 build(docker/builder): upgrade cmake version 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
ed59f33f3f build(userspace/falco): add GRPC_LIBRARIES when gRPC is bundled 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
b41acdff1c build(cmake/modules): always use bundled jsoncpp 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
4acc089b1f build(userspace/falco): add_depenedency for gRPC when bundled 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
591d4e500e build: always use bundled b64 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
79bdcb030b build: correct yamlcpp dependency for falco 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
f4dba52ee2 build(cmake/modules): ncurses dependency is not required anymore 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
bfc0021cdd build: update build system to support libs cmake modules 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
e616f79bac build: switch to falcosecurity-libs external project 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
Leonardo Grasso
4006452b1f chore(cmake/modules): rename sysdig to falcosecurity-libs 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-05-21 10:24:08 +02:00
maxgio92
59831b077e docs(release.md): update github release template mentioning the release manager 
Signed-off-by: maxgio92 <massimiliano.giovagnoli.1992@gmail.com>
 2021-05-18 15:34:07 +02:00
maxgio92
0d95beb1e3 docs(release.md): update post-release tasks order 
Signed-off-by: maxgio92 <massimiliano.giovagnoli.1992@gmail.com>
 2021-05-18 15:34:07 +02:00
maxgio92
2e27d5dded docs(release.md): add blog announcement to post-release tasks 
Signed-off-by: maxgio92 <massimiliano.giovagnoli.1992@gmail.com>
 2021-05-18 15:34:07 +02:00
Leonardo Di Donato
24f64cab33 docs(proposals): fix libs contribution name 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-05-17 16:24:53 +02:00
Yu Kitazume
0f36ff030e add Yahoo!Japan as an adopter 
Signed-off-by: Yu Kitazume <u.kitazume@gmail.com>
 2021-05-12 11:37:34 +02:00
diamonwiggins
601ec5cf85 add Replicated to adopters 
Signed-off-by: diamonwiggins <diamonw757@gmail.com>
 2021-05-11 11:59:54 +02:00
Carlos Panato
f237f277e7 changelog: add notes for 0.28.1 release 
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
 2021-05-07 14:55:02 +02:00
ismail yenigul
2226a1508c exception to privileged container for EKS images 
Signed-off-by: ismail yenigul <ismailyenigul@gmail.com>
 2021-05-06 02:36:48 +02:00
Carlos Panato
6f64c21ad9 urelease/docs: fix link and small refactor in the text 
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
 2021-04-30 14:27:26 +02:00
maxgio92
fd6a1d0d05 clean(rules/falco_rules.yaml): remove deprecated oci image repositories 
Signed-off-by: maxgio92 <massimiliano.giovagnoli.1992@gmail.com>
 2021-04-29 11:51:35 +02:00
David Windsor
87438ec723 Add Secureworks to adopters 
Signed-off-by: David Windsor <dwindsor@secureworks.com>
 2021-04-26 10:34:00 +02:00
Leonardo Grasso
d0be6d96d0 build: enable ASLR for statically linked build 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-04-22 18:12:05 +02:00
Leonardo Grasso
aefd67eb8a build: hardening flags 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-04-22 18:12:05 +02:00
Leonardo Di Donato
6e94c37399 new(test): regression test for FAL-01-003 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-21 15:11:17 +02:00
Leonardo Di Donato
d3c22d3d0c new(test/trace_files): test fixture for FAL-01-003 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-21 15:11:17 +02:00
natchaphon-r
366975bc3b Adding MathWorks to Falco's adopter list 
Signed-off-by: natchaphon-r <natchaphon.r@gmail.com>
 2021-04-20 09:30:11 +02:00
natchaphon-r
f9692fcb82 Adding MathWorks to Falco's adopter list 
Signed-off-by: natchaphon-r <natchaphon.r@gmail.com>
 2021-04-20 09:30:11 +02:00
Leonardo Grasso
e95ab26f33 update(rules): stricter detection of man-db postinst exception 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-04-19 17:01:10 +02:00
Leonardo Grasso
23a611b343 chore(rules): remove too week macro python_running_sdchecks 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-04-19 17:01:10 +02:00
Dan POP
2658d65373 adding known users /and how to add your name 
added list from the survey that allowed mentions of their name publically in the adopters file. 

@jonahjon     --  please approve or change any verbiage to adding AWS as contributors with all you and the teams work on PROW and all the contributions thus far.

Signed-off-by: Dan Papandrea <dan.papandrea@sysdig.com>
 2021-04-19 16:58:59 +02:00
Leonardo Di Donato
600501e141 update(userspace/falco): handle the case there wasn't been any previously processed event 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-19 16:56:53 +02:00
Leonardo Di Donato
0df18fd786 update(userspace/falco): print out current time when a timeouts notification gets emitted 
Also, print out the time of the last processed event in the output
fields of the notification.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-19 16:56:53 +02:00
Leonardo Di Donato
c1da6d21b9 new: syscall_event_timeouts configuration block 
Falco uses a shared buffer between the kernel and userspace to receive
the events (eg., system call information) in userspace.
Anyways, the underlying libraries can also timeout for various reasons.
For example, there could have been issues while reading an event.
Or the particular event needs to be skipped.
Normally, it's very unlikely that Falco does not receive events consecutively.
Falco is able to detect such uncommon situation.
Here you can configure the maximum number of consecutive timeouts without an event
after which you want Falco to alert.
By default this value is set to 1000 consecutive timeouts without an event at all.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-19 16:56:53 +02:00
Leonardo Di Donato
c4a73bdd8e update(userspace/falco): a null event when there's a timeout is unlikely 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-19 16:56:53 +02:00
Leonardo Di Donato
28a339e4bc new(userspace/engine): likely/unlikely macros in utils 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-19 16:56:53 +02:00
Leonardo Di Donato
65a168ab5a new(userspace/falco): output msg when the number of consecutive timeouts without an event is greater than a given threshold 
The rationale is that in case Falco obtains a consistent number of
consecutive timeouts (in a row) without a valid event, something is
going wrong.

This because, normally, the libs send timeouts to Falco (also) to signal events to discard.
In such cases, which are the majority of cases, `ev` exists and is not
`null`.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-19 16:56:53 +02:00
Lorenzo Fontana
46425b392c fix(userspace): handle exceptions for process_k8s_audit_event 
This fix has two major points in it:

- when `std::stoll` is used in parse_as_int64 handle all the exceptions it
can throw (https://en.cppreference.com/w/cpp/string/basic_string/stol)
- when `process_k8s_audit_event` an eventual exception in it does not
stop the webserver process. This is done by doing a catch all handle
outside it and by logging an error message to the caller as well as in
stderr

Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-04-19 12:32:22 +02:00
Leo Di Donato
8b0d22dee9 docs: update link for HackMD community call notes 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-13 15:26:53 +02:00
Mark Stemm
a7e04fe6e6 Add falco engine info to --support output 
In some cases, it might be useful to know what falco engine version a
given falco binary supports. We already have a --support option that
prints info about the system, config, rules files, etc.

Add a engine_info object, with an engine_version property containing the
falco engine version in falco_engine_version.h. In the output, it looks
like this:

...
  "engine_info": {
      "engine_version": 8
   },
...

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-04-13 10:49:19 +02:00
Leonardo Di Donato
c6aa255fc8 docs: update CHANGELOG 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-12 16:45:32 +02:00
Leonardo Di Donato
6b8769c13a ci: add missing infra context to publish stable Falco packages 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-12 16:45:32 +02:00
Leonardo Di Donato
02b5ddd5ab update: CHANGELOG for Falco 0.28.0 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-12 13:30:23 +02:00
Leonardo Di Donato
90a3ded07d update: CHANGELOG (Falco 0.28.0) 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-12 13:30:23 +02:00
Leo Di Donato
ccb7c19b31 chore: RELEASE.md refinements 
While prepping Falco 0.28.0 I noticed the correct date (YYYY-MM-DD) to provide to GitHub filters is not the day before the previous release. Instead, it's the day the latest release happened.

Also added clearer instructions on how to generate the CHANGELOG.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-12 13:30:23 +02:00
Leonardo Di Donato
2e97d0e27c chore(rules): cleanup old macros 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-09 18:17:11 +02:00
Leonardo Di Donato
06086df21e chore(rules): re-enable negation of package_mgmt_procs for Write below binary dir rule 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-09 18:17:11 +02:00
Lorenzo Fontana
bd562a1ed9 update(userspace/engine): remove warnings for missing exceptions 
We want users to continue using rules without having to use exceptions.
Exceptions are an additional feature for more advanced use-cases, having
a warning in there will mean that everyone now adds an empty exception
to avoid the warning.

Co-Authored-By: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-04-09 18:17:11 +02:00
Lorenzo Fontana
194cdf7873 update(rules): revert exceptions in default ruleset for k8s audit 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-04-09 18:17:11 +02:00
Lorenzo Fontana
35fe14e691 rules(list user_known_sa_list): revert as an empty list for user overwrite 
rules(list known_sa_list): list of known sa moved here from user_known_sa_list

Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-04-09 18:17:11 +02:00
Lorenzo Fontana
abc79fb548 update(rules): revert exceptions in default ruleset 
Exceptions have been introduced in commit 64a231b962
The feature itself is very useful for more complex environments where
the simple conditions are difficult to handle.
However, many users reported that they find them difficult to understand so
we are doing a rollback of them in the default ruleset in favor of the
syntax without exceptions.

Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-04-09 18:17:11 +02:00
Leonardo Grasso
b6fc44e304 build(.config): pin awscli version 
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-04-09 14:29:24 +02:00
Mark Stemm
f14b37984c Add test for some containers being privileged 
Add a test that verifies that a pod where one container has no security
context and the second container has a security context + privileged
properly matches the Create Privileged Pod falco rule.

There's a very similar test case already in
trace_files/k8s_audit/create_nginx_pod_privileged_2nd_container.json,
but in that case both containers have a securityContext property.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-04-09 10:34:48 +02:00
Mark Stemm
ecccb9f26c Extract array miss as "no value" vs failed extract 
While testing, I found a case when creating a pod where:
1) the first container had no securityContext value
2) the second container had a security context with privileged=true

and this did not match the default rule Create Privileged Pod, when it
should match.

The rule Create Privileged Pod uses the field
ka.req.pod.containers.privileged, which in turn uses
json_event_filter_check::def_extract(). def_extract() iterates
over a set of json_pointers, potentially expanding arrays as they are
returned. Many k8s audit fields use this extract function.

For ka.req.pod.containers.privileged, the first json_pointer is
/requestObject/spec/containers to find the list of containers, and the
second is /securityContext/privileged to extract the privileged property
out of the securityContext object. What's returned is an array of
true/false noting if each container is privileged.

The problem is that def_extract() aborts when iterating over arrays if
extracting a pointer from an array can't be done.

In this case, the first pointer extracts the array of containers, and
then when iterating over the array of containers, the security context
pointer doesn't extract, causing the whole filter field to abort and
return ::no_value.

The fix is to not abort when iterating over arrays, but use ::no_value
for that array item's value instead. This allows def_extract() to
extract the privileged value out of the second container.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-04-09 10:34:48 +02:00
Lorenzo Fontana
f4ff2ed072 chore(test): replace bucket url with official distribution url 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-04-09 10:23:42 +02:00
Santi Friquet
23213ae148 adding asapp as an adopter 
Signed-off-by: Santi Friquet <friquet@gmail.com>
 2021-04-08 21:28:35 +02:00
Leonardo Di Donato
04110b0f4c chore(scripts): restore mount of debugfs (notes below) 
This is needed in systems where raw tracepoints are not available.

Anyways, since this is needed when the inspector open (and actually
loads) the eBPF probe, ideally the mount should not be done by this
script but rather from Falco, or from Falco libs.

Otherwise, users building the eBPF probe theirseleves and not using this script (and having a kernel without raw
tracepoints) may need to mount this fs theirselves.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-08 20:40:39 +02:00
Leonardo Di Donato
17ee409ac6 chore(scripts): better default values in the help message of falco-driver-loader 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-08 20:40:39 +02:00
Leonardo Di Donato
71b2b5adde chore(scripts): remove banner about BPF JIT kernel config option 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-08 20:40:39 +02:00
Leonardo Di Donato
75261d4518 update(scripts): look for a prebuilt Falco eBPF probe before trying to compile one 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-08 20:40:39 +02:00
Leonardo Di Donato
2a7b32e279 update(scripts): look for a prebuilt Falco module before trying to compile it on-the-fly 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-08 20:40:39 +02:00
Leonardo Di Donato
4b0333cc08 update(docker/falco): SKIP_MODULE_LOAD not supported anymore - use SKIP_DRIVER_LOADER 
When we started to implemented 20200506-artifacts-scope-part-2 proposal
, among a million other things, we renamed `SKIP_MODULE_LOAD` to
`SKIP_DRIVER_LOADER`. We reatained compatibility with `SKIP_MODULE_LOAD`
for a bunch of releases.

Now, after 9 months have passed I think it's time to completely
deprecate it.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-08 20:40:39 +02:00
Lorenzo Fontana
cdeafa6fdc docs(test): express that grpcurl and virtualenv are needed 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-04-08 17:32:02 +02:00
Leonardo Grasso
36378371ab update(test): update performance tests fixture URL 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-04-08 12:36:09 +02:00
Leonardo Grasso
aeca36bdaf update(test): update regression tests fixture URL 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-04-08 12:36:09 +02:00
Leonardo Grasso
7998560dcb chore(README): correct comments 
Applying suggestions from https://github.com/falcosecurity/falco/pull/1577

Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-04-07 16:45:50 +02:00
Leonardo Grasso
c587fadbce chore(scripts): typos 
Applying suggestions from
https://github.com/falcosecurity/falco/pull/1577

Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-04-07 16:45:50 +02:00
Leonardo Grasso
9e50e87ebc chore: remove "cleanup" script and job 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-04-07 16:45:50 +02:00
Mark Stemm
3da5dfa67b Properly parse numbers in condition fields 
Falco won't properly parse a rule like this:

---
- rule: Some Rule
  desc: Some Desc
  condition: evt.type=execve and container.image.repository = 271931939120.dkr
  output: Some output
  priority: INFO
---

This is the error when validating the rules:

Tue Mar 30 12:00:40 2021: Validating rules file(s):
Tue Mar 30 12:00:40 2021:    /home/mstemm/test.yaml
1 errors:
Compilation error when compiling "evt.type=execve and container.image.repository = 271931939120.dkr": 63: syntax error, unexpected 'dkr', expecting 'or', 'and'

The parsing of the string on the right hand side stops at the period
before the dkr. The dkr then doesn't match the grammar, resulting in the
error.

Looking at the parser implementation more closely, the problem is in the
definition of "Number":

---
-   Number = C(V "Hex" + V "Float" + V "Int") / function(n)
          return tonumber(n)
       end,
---
Note that it stops after the number, but does not have any requirement
about what follows.

This changes the definition of number to require that what follows the
number is not an identifier character. With this change, values that are
only numbers are parsed as numbers, and values that start with numbers
don't match the Number definition and are parsed as BareStrings instead.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-04-07 16:43:44 +02:00
Leo Di Donato
8c9d4f49d5 fix(falco/test): bump pyyaml from 5.3.1 to 5.4 
CVE-2020-14343 affects one of the dependencies the Falco (integration) test suite uses.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-03-30 14:47:01 +02:00
Leonardo Grasso
f2c12bbf9c fix(.circleci): tar must be present in the image 
Since `amazon/aws-cli` does not include the tar util (which must be present in the image, as per CircleCI requirement) we are switching from `amazon/aws-cli` to `centos`.

See
https://app.circleci.com/pipelines/github/falcosecurity/falco/1391/workflows/c1e1bc39-f008-4644-b8bf-45d1105e1978/jobs/11263

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-03-29 11:50:09 +02:00
Leonardo Grasso
0b69f210c4 fix(.circleci): correct job dependency 
The `publish/packages-deb-dev` failed because it wrongly required `tests/integration-static` (that has `/build-static` and `/source-static`) instead of `tests/integration` which comes with both `/build` and `/source`.

Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-03-26 18:31:11 +01:00
Leonardo Grasso
002a2e34dd fix(.circleci): tar package is required by circleci 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-03-26 18:31:11 +01:00
Leonardo Grasso
ef75c63e63 chore(scripts): print versions at the beginning 
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-03-26 14:54:53 +01:00
Leonardo Grasso
fb126cb730 feat(scripts): --clean option for falco-driver-loader 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-03-26 14:54:53 +01:00
Leonardo Di Donato
645f51b296 new(scripts): falco-driver-loader know the Falco version it has been 
built for

Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-03-26 14:54:53 +01:00
Leonardo Di Donato
d912cf0d94 docs(scripts): falco-driver-loader outputs the Falco version it has been built for, also the driver version in use 
Both in the help/usage message and at running time.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-03-26 14:54:53 +01:00
Leonardo Di Donato
3f75f27410 docs(scripts): improve help of falco-driver-loader script 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-03-26 14:54:53 +01:00
Leonardo Di Donato
1504e77f4e update(scripts): falco-driver-loader can now start with a custom driver name 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-03-26 14:54:53 +01:00
Leonardo Grasso
40edfe66ba fix(docker/no-driver): handle urlencoding 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-03-26 12:55:11 +01:00
Leonardo Grasso
f800d4a101 docs: update links and badges for download.falco.org 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-03-26 12:55:11 +01:00
Leonardo Grasso
4f1a2418fe build(.circleci): publish packages to S3 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-03-26 12:55:11 +01:00
Leonardo Grasso
442011d07e build(.circleci): publish dev packages to S3 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-03-26 12:55:11 +01:00
Leonardo Grasso
70ee1093d8 build(docker): fetch packages from download.falco.org 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-03-26 12:55:11 +01:00
Leonardo Grasso
3936740390 build(scripts): add cloudfront invalidation for publishing scripts 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-03-26 12:55:11 +01:00
Leonardo Grasso
9bc04fd02d build(scripts): publishing script for DEBs 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-03-26 12:55:11 +01:00
Leonardo Grasso
b6ac6de227 build(scripts): publishing script for RPMs 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-03-26 12:55:11 +01:00
Leonardo Grasso
5ebb653977 build(scripts): publishing script for bin packages 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-03-26 12:55:11 +01:00
stevenshuang
167c5bc691 fix: update rule description 
Signed-off-by: stevenshuang <stevenshuang521@gmail.com>
 2021-03-24 18:47:55 +01:00
Leonardo Di Donato
1ded30f173 update(test): tighten the condition to test the drops thresholds 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-03-22 19:42:30 +01:00
Leonardo Di Donato
7edd965a08 fix(test/confs): drop log messages are debug, fix the test fixture accordingly 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-03-22 19:42:30 +01:00
Leonardo Di Donato
920ab6982a new(test): test cases about wrong threshold drop config value 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-03-22 19:42:30 +01:00
Leonardo Di Donato
3842e07422 update(userspace/falco): drop messages are DEBUG level 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-03-22 19:42:30 +01:00
Leonardo Di Donato
7bc5fcf047 fix(userspace/falco): validate the drop threshold config value 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-03-22 19:42:30 +01:00
Leonardo Di Donato
199a1c22c6 fix(userspace/falco): n_evts does not containd the dropped events count 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-03-22 19:42:30 +01:00
Leonardo Di Donato
5380fe5308 new(test): test case about illogical drop actions 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-03-22 19:42:30 +01:00
Leonardo Di Donato
e3f7cdab20 update(userspace/falco): pass to sdropmgr the threshold 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-03-22 19:42:30 +01:00
Leonardo Di Donato
1714926cc6 update(userspace/falco): reduce noisiness 
The threshold governs the noisiness of the drops.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-03-22 19:42:30 +01:00
Leonardo Di Donato
4774e92bc2 refactor(userspace/falco): refactor the enum of drop actions into an enum class 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-03-22 19:42:30 +01:00
Leonardo Di Donato
a1b58d70a7 update(userspace/falco): grab the threshold configuration value + do not allow the ignore action to work with any other except the exit one 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-03-22 19:42:30 +01:00
Leonardo Di Donato
b8b50932fe update: reduce the max burst of event drops 
This also introduces a threshold configurable value.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-03-22 19:42:30 +01:00
Kaizhe Huang
7ea80e39b1 rule(Set Setuid or Setgid bit) update: add k3s-agent in the whitelist 
Signed-off-by: Kaizhe Huang <derek0405@gmail.com>
 2021-03-22 11:36:59 +01:00
Kaizhe Huang
b58f76b268 rule (Debugfs Launched in Privileged Container and Mount Launched in Privileged Container): create 
Signed-off-by: Kaizhe Huang <derek0405@gmail.com>
 2021-03-22 11:36:59 +01:00
JenTing Hsiao
b1801c28c7 Bump year to 2021 
Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com>
 2021-03-12 10:45:31 +01:00
JenTing Hsiao
e1d3e68a84 Modprobe/rmmod at systemd service start/stop 
Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com>
 2021-03-12 10:45:31 +01:00
JenTing Hsiao
5661b491af Removes the comments in systemd service files 
Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com>
 2021-03-12 10:45:31 +01:00
JenTing Hsiao
39bb5c28c7 Migrate from init to systemd in debian package 
Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com>
 2021-03-12 10:45:31 +01:00
JenTing Hsiao
3ba62a4031 Migrate from init to systemd in rpm package 
Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com>
 2021-03-12 10:45:31 +01:00
Shane Lawrence
2f0e09b549 rule (Write below monitored dir): Clean up and use glob matching. 
Signed-off-by: Shane Lawrence <shane@lawrence.dev>
 2021-03-12 10:37:16 +01:00
POCTEO
34bbe2984f Pocteo as an adopter 
Signed-off-by: Walid DRIDI <contact@pocteo.co>
 2021-03-11 16:58:59 +01:00
Leonardo Grasso
825e6caf2d build: fetch build deps from download.falco.org 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-03-10 18:00:52 +01:00
jonahjon
96ad761308 adding falco-slim build/push 
Signed-off-by: jonahjon <jonahjones094@gmail.com>
 2021-03-05 12:22:47 +01:00
Leo Di Donato
bb7ce37159 fix(.circleci): correctly publish the falco-driver-loader container image from master to AWS ECR gallery 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-03-05 12:22:47 +01:00
Leo Di Donato
c66d056f67 fix(.circleci): the falco-driver-loader container images requires FALCO_IMAGE_TAG build arg (release to AWS ECR gallery) 
Signed-off-by: Leonardo Di Donato
 2021-03-05 12:22:47 +01:00
Leo Di Donato
6a2759fe94 update(.circleci): tag falco-no-driver:<tag> image as falco-no-driver:latest, falco:<tag>-slim, and falco:latest-slim 
And publish them too.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-03-05 12:22:47 +01:00
Leo Di Donato
b91c5b613a update(.circleci): falco-no-driver:latest from bin bucket 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-03-05 12:22:47 +01:00
Leo Di Donato
6fe9f8da0b fix(.circleci): falco-no-driver container images grabs Falco from the bin[-dev] bucket 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-03-05 12:22:47 +01:00
jonahjon
e888a1d354 adding other alternate AWS builds to circleCI 
Signed-off-by: jonahjon <jonahjones094@gmail.com>
 2021-03-05 12:22:47 +01:00
Isaac Rivera
6e746d71ba fixing typo 
Signed-off-by: Isaac Rivera <irivera007@yahoo.com>
 2021-03-05 12:16:33 +01:00
Isaac Rivera
2de8176c88 adding shapesecurity to adopters 
Signed-off-by: Isaac Rivera <irivera007@yahoo.com>
 2021-03-05 12:16:33 +01:00
Shane Lawrence
74164b1ef8 Use default pip version to get avocado version. 
Signed-off-by: Shane Lawrence <shane@lawrence.dev>
 2021-03-05 10:50:27 +01:00
Shane Lawrence
da8f054043 Fix broken links to docs. 
Signed-off-by: Shane Lawrence <shane@lawrence.dev>
 2021-03-05 10:48:21 +01:00
Bart van der Schans
05545f228d Add flex and bison to docker for building bpf module on recent amazon linux2 
Signed-off-by: Bart van der Schans <bart@vanderschans.nl>
 2021-03-05 10:46:10 +01:00
Spencer Krum
b3693a0b75 chore(rules): Add ibmcloud operator lifecycle manager 
Signed-off-by: Spencer Krum <nibz@spencerkrum.com>
 2021-02-19 12:35:30 +01:00
Spencer Krum
a54f946135 chore(rules): Rule exceptions for ibm cloud 
Whitelist ibm images for connecting to k8s api server

IBM Observability by Sysdig has a vendored sysdig/agent image.

IBM's Kubernetes Service ships with an operator manager. Example:

19:12:45.090908160: Notice Unexpected connection to K8s API Server from
container (command=catalog -namespace ibm-system
-configmapServerImage=registry.ng.bluemix.net/armada-master/configmap-operator-registry:v1.6.1
k8s.ns=ibm-system k8s.pod=catalog-operator-6495d76869-ncl2z
container=4ad7a04fa1e0
image=registry.ng.bluemix.net/armada-master/olm:0.14.1-IKS-1
connection=172.30.108.219:48200->172.21.0.1:443) k8s.ns=ibm-system
k8s.pod=catalog-operator-6495d76869-ncl2z container=4ad7a04fa1e0

IBM's Kubernetes service also ships with a metrics collecting agent

Signed-off-by: Spencer Krum <nibz@spencerkrum.com>
 2021-02-19 12:35:30 +01:00
Leonardo Grasso
85db1aa997 fix(rules): correct indentation 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-02-19 09:24:55 +01:00
ismail yenigul
37a6caae12 remove commercial images to unblock PR 
add endpoint-controller to user_known_sa_list
related event:
    {
        "output": "05:19:25.557989888: Warning Service account created
in kube namespace (user=system:kube-controller-manager
serviceaccount=endpoint-controller ns=kube-system)",
        "priority": "Warning",
        "rule": "Service Account Created in Kube Namespace",
        "time": "2021-02-16T05:19:25.557989888Z",
        "output_fields": {
            "jevt.time": "05:19:25.557989888",
            "ka.target.name": "endpoint-controller",
            "ka.target.namespace": "kube-system",
            "ka.user.name": "system:kube-controller-manager"
        }
    }

Signed-off-by: ismail yenigul <ismailyenigul@gmail.com>
 2021-02-19 09:24:55 +01:00
ismail yenigul
2d962dfcb0 rebase to master 
update user_known_sa_list with k8s internal sa in kube-system

{
        "output": "10:27:56.539783936: Warning Service account created
in kube namespace (user=system:kube-controller-manager
serviceaccount=replicaset-controller ns=kube-system)",
        "priority": "Warning",
        "rule": "Service Account Created in Kube Namespace",
        "time": "2021-02-15T10:27:56.539783936Z",
        "output_fields": {
            "jevt.time": "10:27:56.539783936",
            "ka.target.name": "replicaset-controller",
            "ka.target.namespace": "kube-system",
            "ka.user.name": "system:kube-controller-manager"
        }
    }

{
        "output": "17:06:18.267429888: Warning Service account created
in kube namespace (user=system:kube-controller-manager
serviceaccount=deployment-controller ns=kube-system)",
        "priority": "Warning",
        "rule": "Service Account Created in Kube Namespace",
        "time": "2021-02-15T17:06:18.267429888Z",
        "output_fields": {
            "jevt.time": "17:06:18.267429888",
            "ka.target.name": "deployment-controller",
            "ka.target.namespace": "kube-system",
            "ka.user.name": "system:kube-controller-manager"
        }
    }

and more..

Signed-off-by: ismail yenigul <ismailyenigul@gmail.com>
 2021-02-19 09:24:55 +01:00
Petr Michalec
541845156f rhsm cert updates 
Signed-off-by: Petr Michalec <epcim@apealive.net>
Signed-off-by: Petr Michalec <pmichalec@ves.io>
 2021-02-18 15:42:06 +01:00
darryk5
0879523776 update: add review suggestions for Rule Sudo Potential Privilege Escalation 
Signed-off-by: darryk5 <stefano.chierici@sysdig.com>
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2021-02-17 21:36:51 +01:00
darryk5
81e880b486 Added Rule Sudo Potential Privilege Escalation (CVE-2021-3156) 
See #1540

Signed-off-by: darryk5 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Fontana <lo@linux.com>
 2021-02-17 21:36:51 +01:00
Carlos Panato
f140cdfd68 falco: add healthz endpoint 
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
 2021-02-11 20:29:07 +01:00
83 changed files with 2952 additions and 2126 deletions
Expand all files Collapse all files

188
.circleci/config.yml
View File

@@ -13,7 +13,7 @@ jobs:
command: apk update
- run:
name: Install build dependencies
command: apk add g++ gcc cmake cmake make ncurses-dev git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils
command: apk add g++ gcc cmake cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils
- run:
name: Prepare project
command: |
@@ -60,7 +60,7 @@ jobs:
command: apt update -y
- run:
name: Install dependencies
command: DEBIAN_FRONTEND=noninteractive apt install libjq-dev libncurses-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y
command: DEBIAN_FRONTEND=noninteractive apt install libjq-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y
- run:
name: Prepare project
command: |
@@ -92,7 +92,7 @@ jobs:
command: apt update -y
- run:
name: Install dependencies
command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
- run:
name: Prepare project
command: |
@@ -124,7 +124,7 @@ jobs:
command: apt update -y
- run:
name: Install dependencies
command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
- run:
name: Prepare project
command: |
@@ -156,7 +156,7 @@ jobs:
command: apt update -y
- run:
name: Install dependencies
command: DEBIAN_FRONTEND=noninteractive apt install cmake build-essential clang llvm git linux-headers-generic libncurses-dev pkg-config autoconf libtool libelf-dev -y
command: DEBIAN_FRONTEND=noninteractive apt install cmake build-essential clang llvm git linux-headers-generic pkg-config autoconf libtool libelf-dev -y
- run:
name: Prepare project
command: |
@@ -188,7 +188,7 @@ jobs:
command: dnf update -y
- run:
name: Install dependencies
command: dnf install gcc gcc-c++ git make cmake autoconf automake pkg-config patch ncurses-devel libtool elfutils-libelf-devel diffutils kernel-devel kernel-headers kernel-core clang llvm which -y
command: dnf install gcc gcc-c++ git make cmake autoconf automake pkg-config patch libtool elfutils-libelf-devel diffutils kernel-devel kernel-headers kernel-core clang llvm which -y
- run:
name: Prepare project
command: |
@@ -368,59 +368,49 @@ jobs:
root: /
paths:
- build/release/*.rpm
# Publish the packages
# Publish the dev packages
"publish/packages-dev":
docker:
- image: docker.bintray.io/jfrog/jfrog-cli-go:latest
- image: docker.io/centos:7
steps:
- attach_workspace:
at: /
- run:
name: Create versions
name: Setup
command: |
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
jfrog bt vs falcosecurity/deb-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/deb-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
jfrog bt vs falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/rpm-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
jfrog bt vs falcosecurity/bin-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/bin-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
- run:
name: Publish deb-dev
command: |
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb-dev/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --override
yum install epel-release -y
yum update -y
yum install createrepo gpg python python-pip -y
pip install awscli==1.19.47
echo $GPG_KEY | base64 -d | gpg --import
- run:
name: Publish rpm-dev
command: |
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
/source/falco/scripts/publish-rpm -f /build/release/falco-${FALCO_VERSION}-x86_64.rpm -r rpm-dev
- run:
name: Publish bin-dev
command: |
FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
jfrog bt u /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
# Clenup the Falco development release packages
"cleanup/packages-dev":
/source/falco/scripts/publish-bin -f /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz -r bin-dev -a x86_64
"publish/packages-deb-dev":
docker:
- image: docker.bintray.io/jfrog/jfrog-cli-go:latest
- image: docker.io/debian:stable
steps:
- checkout:
path: /source/falco
- attach_workspace:
at: /
- run:
name: Prepare env
name: Setup
command: |
apk add --no-cache --update
apk add curl jq
apt update -y
apt-get install apt-utils bzip2 gpg python python-pip -y
pip install awscli
echo $GPG_KEY | base64 -d | gpg --import
- run:
name: Only keep the 10 most recent Falco development release tarballs
name: Publish deb-dev
command: |
/source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r bin-dev
- run:
name: Only keep the 50 most recent Falco development release RPMs
command: |
/source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r rpm-dev
- run:
name: Only keep the 50 most recent Falco development release DEBs
command: |
/source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r deb-dev
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
/source/falco/scripts/publish-deb -f /build/release/falco-${FALCO_VERSION}-x86_64.deb -r deb-dev
# Publish docker packages
"publish/docker-dev":
docker:
@@ -462,7 +452,19 @@ jobs:
- checkout
- setup_remote_docker
- run:
name: Build and publish falco to AWS
name: Build and publish no-driver (dev) to AWS
command: |
apk update
apk add --update groff less py-pip
pip install awscli
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
docker build --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t "public.ecr.aws/falcosecurity/falco-no-driver:master" docker/no-driver
docker tag public.ecr.aws/falcosecurity/falco-no-driver:master public.ecr.aws/falcosecurity/falco:master-slim
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
docker push "public.ecr.aws/falcosecurity/falco-no-driver:master"
docker push "public.ecr.aws/falcosecurity/falco:master-slim"
- run:
name: Build and publish falco (dev) to AWS
command: |
apk update
apk add --update groff less py-pip
@@ -471,35 +473,58 @@ jobs:
docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t "public.ecr.aws/falcosecurity/falco:master" docker/falco
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
docker push "public.ecr.aws/falcosecurity/falco:master"
- run:
name: Build and publish driver-loader (dev) to AWS
command: |
apk update
apk add --update groff less py-pip
pip install awscli
docker build --build-arg FALCO_IMAGE_TAG=master -t "public.ecr.aws/falcosecurity/falco-driver-loader:master" docker/driver-loader
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
docker push "public.ecr.aws/falcosecurity/falco-driver-loader:master"
# Publish the packages
"publish/packages":
docker:
- image: docker.bintray.io/jfrog/jfrog-cli-go:latest
- image: docker.io/centos:7
steps:
- attach_workspace:
at: /
- run:
name: Create versions
name: Setup
command: |
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
jfrog bt vs falcosecurity/deb/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/deb/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
jfrog bt vs falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/rpm/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
jfrog bt vs falcosecurity/bin/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/bin/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
- run:
name: Publish deb
command: |
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --override
yum install epel-release -y
yum update -y
yum install createrepo gpg python python-pip -y
pip install awscli==1.19.47
echo $GPG_KEY | base64 -d | gpg --import
- run:
name: Publish rpm
command: |
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
/source/falco/scripts/publish-rpm -f /build/release/falco-${FALCO_VERSION}-x86_64.rpm -r rpm
- run:
name: Publish bin
command: |
FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
jfrog bt u /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
/source/falco/scripts/publish-bin -f /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz -r bin -a x86_64
"publish/packages-deb":
docker:
- image: docker.io/debian:stable
steps:
- attach_workspace:
at: /
- run:
name: Setup
command: |
apt update -y
apt-get install apt-utils bzip2 gpg python python-pip -y
pip install awscli
echo $GPG_KEY | base64 -d | gpg --import
- run:
name: Publish deb
command: |
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
/source/falco/scripts/publish-deb -f /build/release/falco-${FALCO_VERSION}-x86_64.deb -r deb
# Publish docker packages
"publish/docker":
docker:
@@ -546,6 +571,21 @@ jobs:
at: /
- checkout
- setup_remote_docker
- run:
name: Build and publish no-driver to AWS
command: |
apk update
apk add --update groff less py-pip
pip install awscli
docker build --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" docker/no-driver
docker tag "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" public.ecr.aws/falcosecurity/falco-no-driver:latest
docker tag "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}-slim"
docker tag "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" "public.ecr.aws/falcosecurity/falco:latest-slim"
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
docker push "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}-slim"
docker push "public.ecr.aws/falcosecurity/falco:latest-slim"
docker push "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}"
docker push "public.ecr.aws/falcosecurity/falco-no-driver:latest"
- run:
name: Build and publish falco to AWS
command: |
@@ -557,6 +597,17 @@ jobs:
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
docker push "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}"
docker push "public.ecr.aws/falcosecurity/falco:latest"
- run:
name: Build and publish falco-driver-loader to AWS
command: |
apk update
apk add --update groff less py-pip
pip install awscli
docker build --build-arg FALCO_IMAGE_TAG=${CIRCLE_TAG} -t "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}" docker/driver-loader
docker tag "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}" public.ecr.aws/falcosecurity/falco-driver-loader:latest
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
docker push "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}"
docker push "public.ecr.aws/falcosecurity/falco-driver-loader:latest"
workflows:
version: 2
build_and_test:
@@ -588,7 +639,9 @@ workflows:
requires:
- "tests/integration"
- "publish/packages-dev":
context: falco
context:
- falco
- test-infra
filters:
tags:
ignore: /.*/
@@ -597,15 +650,17 @@ workflows:
requires:
- "rpm/sign"
- "tests/integration-static"
- "cleanup/packages-dev":
context: falco
- "publish/packages-deb-dev":
context:
- falco
- test-infra
filters:
tags:
ignore: /.*/
branches:
only: master
requires:
- "publish/packages-dev"
- "tests/integration"
- "publish/docker-dev":
context: falco
filters:
@@ -615,6 +670,7 @@ workflows:
only: master
requires:
- "publish/packages-dev"
- "publish/packages-deb-dev"
- "tests/driver-loader/integration"
- "publish/container-images-aws-dev":
context: test-infra # contains Falco AWS credentials
@@ -650,7 +706,9 @@ workflows:
branches:
ignore: /.*/
- "publish/packages":
context: falco
context:
- falco
- test-infra
requires:
- "build/musl"
- "rpm/sign"
@@ -659,10 +717,24 @@ workflows:
only: /.*/
branches:
ignore: /.*/
- "publish/packages-deb":
context:
- falco
- test-infra
requires:
- "build/centos7"
filters:
tags:
only: /.*/
branches:
ignore: /.*/
- "publish/docker":
context: falco
context:
- falco
- test-infra
requires:
- "publish/packages"
- "publish/packages-deb"
filters:
tags:
only: /.*/

2
.github/PULL_REQUEST_TEMPLATE.md vendored
View File

@@ -1,6 +1,6 @@
<!-- Thanks for sending a pull request! Here are some tips for you:
1. If this is your first time, please read our contributor guidelines in the [CONTRIBUTING.md](CONTRIBUTING.md) file and learn how to compile Falco from source [here](https://falco.org/docs/source).
1. If this is your first time, please read our contributor guidelines in the [CONTRIBUTING.md](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md) file and learn how to compile Falco from source [here](https://falco.org/docs/source).
2. Please label this pull request according to what type of issue you are addressing.
3. . Please add a release note!
4. If the PR is unfinished while opening it specify a wip in the title before the actual title, for example, "wip: my awesome feature"

34
ADOPTERS.md
View File

@@ -1,7 +1,25 @@
# Adopters
Known end users with notable contributions to the project include:
* AWS
* IBM
* Red Hat
Falco is being used by numerous other companies, both large and small, to build higher layer products and services. The list includes but is not limited to:
* Equinix Metal
* IEEE
* Lowes
* Reckrut
* Yellow Pepper
* CTx
* Utikal
* Discrete Events
* Agritech Infra
This is a list of production adopters of Falco (in alphabetical order):
* [ASAPP](https://www.asapp.com/) - ASAPP is a pushing the boundaries of fundamental artificial intelligence research. We apply our research into AI-Native® products that make organizations, in the customer experience industry, highly productive, efficient, and effective—by augmenting human activity and automating workflows. We constantly monitor our workloads against different hazards and FALCO helps us extend our threat monitoring boundaries.
* [Booz Allen Hamilton](https://www.boozallen.com/) - BAH leverages Falco as part of their Kubernetes environment to verify that work loads behave as they did in their CD DevSecOps pipelines. BAH offers a solution to internal developers to easily build DevSecOps pipelines for projects. This makes it easy for developers to incorporate Security principles early on in the development cycle. In production, Falco is used to verify that the code the developer ships does not violate any of the production security requirements. BAH [are speaking at Kubecon NA 2019](https://kccncna19.sched.com/event/UaWr/building-reusable-devsecops-pipelines-on-a-secure-kubernetes-platform-steven-terrana-booz-allen-hamilton-michael-ducy-sysdig) on their use of Falco.
* [Coveo](https://www.coveo.com/) - Coveo stitches together content and data, learning from every interaction, to tailor every experience using AI to drive growth, satisfy customers and develop employee proficiency. All Falco events are centralized in our SIEM for analysis. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions with containers and orchestration systems. Falco is giving us a good visibility inside containers and complement other Host and Network Intrusion Detection Systems. In a near future, we expect to deploy serverless functions to take action when Falco identifies patterns worth taking action for.
@@ -15,9 +33,17 @@ This is a list of production adopters of Falco (in alphabetical order):
* [Logz.io](https://logz.io/) - Logz.io is a cloud observability platform for modern engineering teams. The Logz.io platform consists of three products — Log Management, Infrastructure Monitoring, and Cloud SIEM — that work together to unify the jobs of monitoring, troubleshooting, and security. We empower engineers to deliver better software by offering the world's most popular open source observability tools — the ELK Stack, Grafana, and Jaeger — in a single, easy to use, and powerful platform purpose-built for monitoring distributed cloud environments. Cloud SIEM supports data from multiple sources, including Falco's alerts, and offers useful rules and dashboards content to visualize and manage incidents across your systems in a unified UI.
* https://logz.io/blog/k8s-security-with-falco-and-cloud-siem/
* [MathWorks](https://mathworks.com) - MathWorks develops mathematical computing software for engineers and scientists. MathWorks uses Falco for Kubernetes threat detection, unexpected application behavior, and maps Falco rules to their cloud infrastructure's security kill chain model. MathWorks presented their Falco use case at [KubeCon + CloudNativeCon North America 2020](https://www.youtube.com/watch?v=L-5RYBTV010).
* [Pocteo](https://pocteo.co) - Pocteo helps with Kubernetes adoption in enterprises by providing a variety of services such as training, consulting, auditing and mentoring. We build CI/CD pipelines the GitOps way, as well as design and run k8s clusters. Pocteo uses Falco as a runtime monitoring system to secure clients' workloads against suspicious behavior and ensure k8s pods immutability. We also use Falco to collect, process and act on security events through a response engine and serverless functions.
* [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPPA compliance requirements.
* https://hipaa.preferral.com/01-preferral_hipaa_compliance/
* [Replicated](https://www.replicated.com/) - Replicated is the modern way to ship on-prem software. Replicated gives software vendors a container-based platform for easily deploying cloud native applications inside customers' environments to provide greater security and control. Replicated uses Falco as runtime security to detect threats in the Kubernetes clusters which host our critical SaaS services.
* [Secureworks](https://www.secureworks.com/) - Secureworks is a leading worldwide cybersecurity company with a cloud-native security product that combines the power of human intellect with security analytics to unify detection and response across cloud, network, and endpoint environments for improved security operations and outcomes. Our Taegis XDR platform and detection system processes petabytes of security relevant data to expose active threats amongst the billions of daily events from our customers. We are proud to protect our platforms Kubernetes deployments, as well as help our customers protect their own Linux and container environments, using Falco.
* [Shopify](https://www.shopify.com) - Shopify is the leading multi-channel commerce platform. Merchants use Shopify to design, set up, and manage their stores across multiple sales channels, including mobile, web, social media, marketplaces, brick-and-mortar locations, and pop-up shops. The platform also provides merchants with a powerful back-office and a single view of their business, from payments to shipping. The Shopify platform was engineered for reliability and scale, making enterprise-level technology available to businesses of all sizes. Shopify uses Falco to complement its Host and Network Intrusion Detection Systems.
* [Sight Machine](https://www.sightmachine.com) - Sight Machine is the category leader for manufacturing analytics and used by Global 500 companies to make better, faster decisions about their operations. Sight Machine uses Falco to help enforce SOC2 compliance as well as a tool for real time security monitoring and alerting in Kubernetes.
@@ -28,4 +54,12 @@ This is a list of production adopters of Falco (in alphabetical order):
* [Swissblock Technologies](https://swissblock.net/) At Swissblock we connect the dots by combining cutting-edge algorithmic trading strategies with in-depth market analysis. We route all Falco events to our control systems, both monitoring and logging. Being able to deeply analyse alerts, we can understand what is running on our Kubernetes clusters and check against security policies, specifically defined for each workload. A set of alarms notifies us in case of critical events, letting us react fast. In the near future we plan to build a little application to route Kubernetes internal events directly to Falco, fully leveraging Falco PodSecurityPolicies analyses.
* [Shapesecurity/F5] (https://www.shapesecurity.com/) Shapesecurity defends against application fraud attacks like Account Take Over, Credential Stuffing, Fake Accounts, etc. Required by FedRamp certification, we needed to find a FIM solution to help monitor and protect our Kubernetes clusters. Traditional FIM solutions were not scalable and not working for our environment, but with Falco we found the solution we needed. Falco's detection capabilities have helped us identify anomalous behaviour within our clusters. We leverage Sidekick (https://github.com/falcosecurity/charts/tree/master/falcosidekick) to send Falco alerts to a PubSub which in turn publishes those alerts to our SIEM (SumoLogic)
* [Yahoo! JAPAN](https://www.yahoo.co.jp/) Yahoo! JAPAN is a leading company of internet in Japan. We build an AI Platform in our private cloud and provide it to scientists in our company. AI Platform is a multi-tenant Kubernetes environment and more flexible, faster, more efficient Machine Learning environment. Falco is used to detect unauthorized commands and malicious access and our AI Platform is monitored and alerted by Falco.
* [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
## Adding a name
If you would like to add your name to this file, submit a pull request with your change.

186
CHANGELOG.md
View File

@@ -1,5 +1,191 @@
# Change Log
## v0.29.1
Released on 2021-06-29
### Minor Changes
* update: bump the Falco engine version to version 9 [[#1675](https://github.com/falcosecurity/falco/pull/1675)] - [@leodido](https://github.com/leodido)
### Rule Changes
* rule(list user_known_userfaultfd_processes): list to exclude processes known to use userfaultfd syscall [[#1675](https://github.com/falcosecurity/falco/pull/1675)] - [@leodido](https://github.com/leodido)
* rule(macro consider_userfaultfd_activities): macro to gate the "Unprivileged Delegation of Page Faults Handling to a Userspace Process" rule [[#1675](https://github.com/falcosecurity/falco/pull/1675)] - [@leodido](https://github.com/leodido)
* rule(Unprivileged Delegation of Page Faults Handling to a Userspace Process): new rule to detect successful unprivileged userfaultfd syscalls [[#1675](https://github.com/falcosecurity/falco/pull/1675)] - [@leodido](https://github.com/leodido)
* rule(Linux Kernel Module Injection Detected): adding container info to the output of the rule [[#1675](https://github.com/falcosecurity/falco/pull/1675)] - [@leodido](https://github.com/leodido)
### Non user-facing changes
* docs(release.md): update steps [[#1684](https://github.com/falcosecurity/falco/pull/1684)] - [@maxgio92](https://github.com/maxgio92)
## v0.29.0
Released on 2021-06-21
### Minor Changes
* update: driver version is 17f5df52a7d9ed6bb12d3b1768460def8439936d now [[#1669](https://github.com/falcosecurity/falco/pull/1669)] - [@leogr](https://github.com/leogr)
### Rule Changes
* rule(list miner_domains): add rx.unmineable.com for anti-miner detection [[#1676](https://github.com/falcosecurity/falco/pull/1676)] - [@fntlnz](https://github.com/fntlnz)
* rule(Change thread namespace and Set Setuid or Setgid bit): disable by default [[#1632](https://github.com/falcosecurity/falco/pull/1632)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(list known_sa_list): add namespace-controller, statefulset-controller, disruption-controller, job-controller, horizontal-pod-autoscaler and persistent-volume-binder as allowed service accounts in the kube-system namespace [[#1659](https://github.com/falcosecurity/falco/pull/1659)] - [@sboschman](https://github.com/sboschman)
* rule(Non sudo setuid): check user id as well in case user name info is not available [[#1665](https://github.com/falcosecurity/falco/pull/1665)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(Debugfs Launched in Privileged Container): fix typo in description [[#1657](https://github.com/falcosecurity/falco/pull/1657)] - [@Kaizhe](https://github.com/Kaizhe)
### Non user-facing changes
* Fix link to CONTRIBUTING.md in the Pull Request Template [[#1679](https://github.com/falcosecurity/falco/pull/1679)] - [@tspearconquest](https://github.com/tspearconquest)
* fetch libs and drivers from the new repo [[#1552](https://github.com/falcosecurity/falco/pull/1552)] - [@leogr](https://github.com/leogr)
* build(test): upgrade urllib3 to 1.26.5 [[#1666](https://github.com/falcosecurity/falco/pull/1666)] - [@leogr](https://github.com/leogr)
* revert: add notes for 0.28.2 release [[#1663](https://github.com/falcosecurity/falco/pull/1663)] - [@maxgio92](https://github.com/maxgio92)
* changelog: add notes for 0.28.2 release [[#1661](https://github.com/falcosecurity/falco/pull/1661)] - [@maxgio92](https://github.com/maxgio92)
* docs(release.md): add blog announcement to post-release tasks [[#1652](https://github.com/falcosecurity/falco/pull/1652)] - [@maxgio92](https://github.com/maxgio92)
* add Yahoo!Japan as an adopter [[#1651](https://github.com/falcosecurity/falco/pull/1651)] - [@ukitazume](https://github.com/ukitazume)
* Add Replicated to adopters [[#1649](https://github.com/falcosecurity/falco/pull/1649)] - [@diamonwiggins](https://github.com/diamonwiggins)
* docs(proposals): fix libs contribution name [[#1641](https://github.com/falcosecurity/falco/pull/1641)] - [@leodido](https://github.com/leodido)
## v0.28.1
Released on 2021-05-07
### Major Changes
* new: `--support` output now includes info about the Falco engine version [[#1581](https://github.com/falcosecurity/falco/pull/1581)] - [@mstemm](https://github.com/mstemm)
* new: Falco outputs an alert in the unlikely situation it's receiving too many consecutive timeouts without an event [[#1622](https://github.com/falcosecurity/falco/pull/1622)] - [@leodido](https://github.com/leodido)
* new: configuration field `syscall_event_timeouts.max_consecutive` to configure after how many consecutive timeouts without an event Falco must alert [[#1622](https://github.com/falcosecurity/falco/pull/1622)] - [@leodido](https://github.com/leodido)
### Minor Changes
* build: enforcing hardening flags by default [[#1604](https://github.com/falcosecurity/falco/pull/1604)] - [@leogr](https://github.com/leogr)
### Bug Fixes
* fix: do not stop the webserver for k8s audit logs when invalid data is coming in the event to be processed [[#1617](https://github.com/falcosecurity/falco/pull/1617)] - [@fntlnz](https://github.com/fntlnz)
### Rule Changes
* rule(macro: allowed_aws_ecr_registry_root_for_eks): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [[#1640](https://github.com/falcosecurity/falco/pull/1640)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(macro: aws_eks_core_images): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [[#1640](https://github.com/falcosecurity/falco/pull/1640)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(macro: aws_eks_image_sensitive_mount): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [[#1640](https://github.com/falcosecurity/falco/pull/1640)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(list `falco_privileged_images`): remove deprecated Falco's OCI image repositories [[#1634](https://github.com/falcosecurity/falco/pull/1634)] - [@maxgio92](https://github.com/maxgio92)
* rule(list `falco_sensitive_mount_images`): remove deprecated Falco's OCI image repositories [[#1634](https://github.com/falcosecurity/falco/pull/1634)] - [@maxgio92](https://github.com/maxgio92)
* rule(macro `k8s_containers`): remove deprecated Falco's OCI image repositories [[#1634](https://github.com/falcosecurity/falco/pull/1634)] - [@maxgio92](https://github.com/maxgio92)
* rule(macro: python_running_sdchecks): macro removed [[#1620](https://github.com/falcosecurity/falco/pull/1620)] - [@leogr](https://github.com/leogr)
* rule(Change thread namespace): remove python_running_sdchecks exception [[#1620](https://github.com/falcosecurity/falco/pull/1620)] - [@leogr](https://github.com/leogr)
### Non user-facing changes
* urelease/docs: fix link and small refactor in the text [[#1636](https://github.com/falcosecurity/falco/pull/1636)] - [@cpanato](https://github.com/cpanato)
* Add Secureworks to adopters [[#1629](https://github.com/falcosecurity/falco/pull/1629)] - [@dwindsor-scwx](https://github.com/dwindsor-scwx)
* regression test for malformed k8s audit input (FAL-01-003) [[#1624](https://github.com/falcosecurity/falco/pull/1624)] - [@leodido](https://github.com/leodido)
* Add mathworks to adopterlist [[#1621](https://github.com/falcosecurity/falco/pull/1621)] - [@natchaphon-r](https://github.com/natchaphon-r)
* adding known users [[#1623](https://github.com/falcosecurity/falco/pull/1623)] - [@danpopSD](https://github.com/danpopSD)
* docs: update link for HackMD community call notes [[#1614](https://github.com/falcosecurity/falco/pull/1614)] - [@leodido](https://github.com/leodido)
## v0.28.0
Released on 2021-04-12
### Major Changes
* BREAKING CHANGE: Bintray is deprecated, no new packages will be published at https://dl.bintray.com/falcosecurity/ [[#1577](https://github.com/falcosecurity/falco/pull/1577)] - [@leogr](https://github.com/leogr)
* BREAKING CHANGE: SKIP_MODULE_LOAD env variable no more disables the driver loading (use SKIP_DRIVER_LOADER env variable introduced in Falco 0.24) [[#1599](https://github.com/falcosecurity/falco/pull/1599)] - [@leodido](https://github.com/leodido)
* BREAKING CHANGE: the init.d service unit is not shipped anymore in deb/rpm packages in favor of a systemd service file [[#1448](https://github.com/falcosecurity/falco/pull/1448)] - [@jenting](https://github.com/jenting)
* new: add support for exceptions as rule attributes to provide a compact way to add exceptions to Falco rules [[#1427](https://github.com/falcosecurity/falco/pull/1427)] - [@mstemm](https://github.com/mstemm)
* new: falco-no-driver container images on AWS ECR gallery (https://gallery.ecr.aws/falcosecurity/falco-no-driver) [[#1519](https://github.com/falcosecurity/falco/pull/1519)] - [@jonahjon](https://github.com/jonahjon)
* new: falco-driver-loader container images on AWS ECR gallery (https://gallery.ecr.aws/falcosecurity/falco-driver-loader) [[#1519](https://github.com/falcosecurity/falco/pull/1519)] - [@jonahjon](https://github.com/jonahjon)
* new: add healthz endpoint to the webserver [[#1546](https://github.com/falcosecurity/falco/pull/1546)] - [@cpanato](https://github.com/cpanato)
* new: introduce a new configuration field `syscall_event_drops.threshold` to tune the drop noisiness [[#1586](https://github.com/falcosecurity/falco/pull/1586)] - [@leodido](https://github.com/leodido)
* new: falco-driver-loader script can get a custom driver name from DRIVER_NAME env variable [[#1488](https://github.com/falcosecurity/falco/pull/1488)] - [@leodido](https://github.com/leodido)
* new: falco-driver-loader know the Falco version [[#1488](https://github.com/falcosecurity/falco/pull/1488)] - [@leodido](https://github.com/leodido)
### Minor Changes
* docs(proposals): libraries and drivers donation [[#1530](https://github.com/falcosecurity/falco/pull/1530)] - [@leodido](https://github.com/leodido)
* docs(docker): update links to the new Falco website URLs [[#1545](https://github.com/falcosecurity/falco/pull/1545)] - [@cpanato](https://github.com/cpanato)
* docs(test): update links to new Falco website URLs [[#1563](https://github.com/falcosecurity/falco/pull/1563)] - [@shane-lawrence](https://github.com/shane-lawrence)
* build: now Falco packages are published at https://download.falco.org [[#1577](https://github.com/falcosecurity/falco/pull/1577)] - [@leogr](https://github.com/leogr)
* update: lower the `syscall_event_drops.max_burst` default value to 1 [[#1586](https://github.com/falcosecurity/falco/pull/1586)] - [@leodido](https://github.com/leodido)
* update: falco-driver-loader tries to download a Falco driver before then compiling it on the fly for the host [[#1599](https://github.com/falcosecurity/falco/pull/1599)] - [@leodido](https://github.com/leodido)
* docs(test): document the prerequisites for running the integration test suite locally [[#1609](https://github.com/falcosecurity/falco/pull/1609)] - [@fntlnz](https://github.com/fntlnz)
* update: Debian/RPM package migrated from init to systemd [[#1448](https://github.com/falcosecurity/falco/pull/1448)] - [@jenting](https://github.com/jenting)
### Bug Fixes
* fix(userspace/engine): properly handle field extraction over lists of containers when not all containers match the specified sub-properties [[#1601](https://github.com/falcosecurity/falco/pull/1601)] - [@mstemm](https://github.com/mstemm)
* fix(docker/falco): add flex and bison dependency to container image [[#1562](https://github.com/falcosecurity/falco/pull/1562)] - [@schans](https://github.com/schans)
* fix: ignore action can not be used with log and alert ones (`syscall_event_drops` config) [[#1586](https://github.com/falcosecurity/falco/pull/1586)] - [@leodido](https://github.com/leodido)
* fix(userspace/engine): allows fields starting with numbers to be parsed properly [[#1598](https://github.com/falcosecurity/falco/pull/1598)] - [@mstemm](https://github.com/mstemm)
### Rule Changes
* rule(Write below monitored dir): improve rule description [[#1588](https://github.com/falcosecurity/falco/pull/1588)] - [@stevenshuang](https://github.com/stevenshuang)
* rule(macro allowed_aws_eks_registry_root): macro to match the official eks registry [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(macro aws_eks_image): match aws image repository for eks [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(macro aws_eks_image_sensitive_mount): match aws cni images [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(macro k8s_containers): include fluent/fluentd-kubernetes-daemonset and prom/prometheus [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(Launch Privileged Container): exclude aws_eks_image [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(Launch Sensitive Mount Container): exclude aws_eks_image_sensitive_mount [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(Debugfs Launched in Privileged Container): new rule [[#1583](https://github.com/falcosecurity/falco/pull/1583)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(Mount Launched in Privileged Container): new rule [[#1583](https://github.com/falcosecurity/falco/pull/1583)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(Set Setuid or Setgid bit): add k3s-agent in the whitelist [[#1583](https://github.com/falcosecurity/falco/pull/1583)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(macro user_ssh_directory): using glob operator [[#1560](https://github.com/falcosecurity/falco/pull/1560)] - [@shane-lawrence](https://github.com/shane-lawrence)
* rule(list falco_sensitive_mount_containers): added image exceptions for IBM cloud [[#1337](https://github.com/falcosecurity/falco/pull/1337)] - [@nibalizer](https://github.com/nibalizer)
* rule(list rpm_binaries): add rhsmcertd [[#1385](https://github.com/falcosecurity/falco/pull/1385)] - [@epcim](https://github.com/epcim)
* rule(list deb_binaries): add apt.systemd.daily [[#1385](https://github.com/falcosecurity/falco/pull/1385)] - [@epcim](https://github.com/epcim)
* rule(Sudo Potential Privilege Escalation): new rule created to detect CVE-2021-3156 [[#1543](https://github.com/falcosecurity/falco/pull/1543)] - [@darryk10](https://github.com/darryk10)
* rule(list allowed_k8s_users): add `eks:node-manager` [[#1536](https://github.com/falcosecurity/falco/pull/1536)] - [@ismailyenigul](https://github.com/ismailyenigul)
* rule(list mysql_mgmt_binaries): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(list db_mgmt_binaries): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_ansible_running_python): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_bro_running_python): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_python_running_denyhosts): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_linux_image_upgrade_script): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_java_running_echo): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_scripting_running_builds): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_Xvfb_running_xkbcomp): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_nginx_running_serf): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_node_running_npm): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_java_running_sbt): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(list known_container_shell_spawn_cmdlines): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(list known_shell_spawn_binaries): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro run_by_puppet): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro user_privileged_containers): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(list rancher_images): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(list images_allow_network_outside_subnet): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro parent_python_running_sdchecks): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(macro trusted_containers): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
* rule(list authorized_server_binaries): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
### Non user-facing changes
* chore(test): replace bucket url with official distribution url [[#1608](https://github.com/falcosecurity/falco/pull/1608)] - [@fntlnz](https://github.com/fntlnz)
* adding asapp as an adopter [[#1611](https://github.com/falcosecurity/falco/pull/1611)] - [@Stuxend](https://github.com/Stuxend)
* update: fixtures URLs [[#1603](https://github.com/falcosecurity/falco/pull/1603)] - [@leogr](https://github.com/leogr)
* cleanup publishing jobs [[#1596](https://github.com/falcosecurity/falco/pull/1596)] - [@leogr](https://github.com/leogr)
* fix(falco/test): bump pyyaml from 5.3.1 to 5.4 [[#1595](https://github.com/falcosecurity/falco/pull/1595)] - [@leodido](https://github.com/leodido)
* fix(.circleci): tar must be present in the image [[#1594](https://github.com/falcosecurity/falco/pull/1594)] - [@leogr](https://github.com/leogr)
* fix: publishing jobs [[#1591](https://github.com/falcosecurity/falco/pull/1591)] - [@leogr](https://github.com/leogr)
* Pocteo as an adopter [[#1574](https://github.com/falcosecurity/falco/pull/1574)] - [@pocteo-labs](https://github.com/pocteo-labs)
* build: fetch build deps from download.falco.org [[#1572](https://github.com/falcosecurity/falco/pull/1572)] - [@leogr](https://github.com/leogr)
* adding shapesecurity to adopters [[#1566](https://github.com/falcosecurity/falco/pull/1566)] - [@irivera007](https://github.com/irivera007)
* Use default pip version to get avocado version [[#1565](https://github.com/falcosecurity/falco/pull/1565)] - [@shane-lawrence](https://github.com/shane-lawrence)
* Added Swissblock to list of adopters [[#1551](https://github.com/falcosecurity/falco/pull/1551)] - [@bygui86](https://github.com/bygui86)
* Fix various typos in markdown files. [[#1514](https://github.com/falcosecurity/falco/pull/1514)] - [@didier-durand](https://github.com/didier-durand)
* docs: move governance to falcosecurity/.github [[#1524](https://github.com/falcosecurity/falco/pull/1524)] - [@leogr](https://github.com/leogr)
* ci: fix missing infra context to publish stable Falco packages [[#1615](https://github.com/falcosecurity/falco/pull/1615)] - [@leodido](https://github.com/leodido)
## v0.27.0
Released on 2021-01-18

54
CMakeLists.txt
View File

@@ -66,10 +66,17 @@ if(MINIMAL_BUILD)
endif()
if(MUSL_OPTIMIZED_BUILD)
set(MUSL_FLAGS "-static -Os")
set(MUSL_FLAGS "-static -Os -fPIE -pie")
endif()
set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")
# explicitly set hardening flags
set(CMAKE_POSITION_INDEPENDENT_CODE ON)
set(FALCO_SECURITY_FLAGS "-Wl,-z,relro,-z,now -fstack-protector-strong")
if(CMAKE_BUILD_TYPE STREQUAL "release")
set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -D_FORTIFY_SOURCE=2")
endif()
set(CMAKE_COMMON_FLAGS "${FALCO_SECURITY_FLAGS} -Wall -ggdb ${DRAIOS_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")
if(BUILD_WARNINGS_AS_ERRORS)
set(CMAKE_SUPPRESSED_WARNINGS
@@ -103,6 +110,12 @@ set(CMD_MAKE make)
include(ExternalProject)
# LuaJIT
include(luajit)
# libs
include(falcosecurity-libs)
# jq
include(jq)
@@ -118,12 +131,6 @@ ExternalProject_Add(
BUILD_COMMAND ""
INSTALL_COMMAND "")
# curses
# We pull this in because libsinsp won't build without it
set(CURSES_NEED_NCURSES TRUE)
find_package(Curses REQUIRED)
message(STATUS "Found ncurses: include: ${CURSES_INCLUDE_DIR}, lib: ${CURSES_LIBRARIES}")
# b64
include(b64)
@@ -132,15 +139,12 @@ include(yaml-cpp)
if(NOT MINIMAL_BUILD)
# OpenSSL
include(OpenSSL)
include(openssl)
# libcurl
include(cURL)
include(curl)
endif()
# LuaJIT
include(luajit)
# Lpeg
include(lpeg)
@@ -151,21 +155,7 @@ include(libyaml)
include(lyaml)
# One TBB
set(TBB_SRC "${PROJECT_BINARY_DIR}/tbb-prefix/src/tbb")
message(STATUS "Using bundled tbb in '${TBB_SRC}'")
set(TBB_INCLUDE_DIR "${TBB_SRC}/include/")
set(TBB_LIB "${TBB_SRC}/build/lib_release/libtbb.a")
ExternalProject_Add(
tbb
URL "https://github.com/oneapi-src/oneTBB/archive/2018_U5.tar.gz"
URL_HASH "SHA256=b8dbab5aea2b70cf07844f86fa413e549e099aa3205b6a04059ca92ead93a372"
CONFIGURE_COMMAND ""
BUILD_COMMAND ${CMD_MAKE} tbb_build_dir=${TBB_SRC}/build tbb_build_prefix=lib extra_inc=big_iron.inc
BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${TBB_LIB}
INSTALL_COMMAND "")
include(tbb)
if(NOT MINIMAL_BUILD)
# civetweb
@@ -189,13 +179,13 @@ endif()
include(DownloadStringViewLite)
if(NOT MINIMAL_BUILD)
include(zlib)
include(cares)
include(protobuf)
# gRPC
include(gRPC)
include(grpc)
endif()
# sysdig
include(sysdig)
# Installation
install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}")

56
README.md
View File

@@ -11,11 +11,49 @@ Want to talk? Join us on the [#falco](https://kubernetes.slack.com/archives/CMWH
Read the [change log](CHANGELOG.md).
<!--
Badges in the following table are constructed by using the
https://img.shields.io/badge/dynamic/xml endpoint.
Parameters are configured for fetching packages from S3 before
(filtered by prefix, sorted in ascending order) and for picking
the latest package by using an XPath selector after.
- Common query parameters:
color=#300aec7
style=flat-square
label=Falco
- DEB packages parameters:
url=https://falco-distribution.s3-eu-west-1.amazonaws.com/?prefix=packages/deb/stable/falco-
query=substring-before(substring-after((/*[name()='ListBucketResult']/*[name()='Contents'])[last()]/*[name()='Key'],"falco-"),".asc")
- RPM packages parameters:
url=https://falco-distribution.s3-eu-west-1.amazonaws.com/?prefix=packages/rpm/falco-
query=substring-before(substring-after((/*[name()='ListBucketResult']/*[name()='Contents'])[last()]/*[name()='Key'],"falco-"),".asc")
- BIN packages parameters:
url=https://falco-distribution.s3-eu-west-1.amazonaws.com/?prefix=packages/bin/x86_64/falco-
query=substring-after((/*[name()='ListBucketResult']/*[name()='Contents'])[last()]/*[name()='Key'], "falco-")
Notes:
- if more than 1000 items are present under as S3 prefix,
the actual latest package will be not picked;
see https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html
- for `-dev` packages, the S3 prefix is modified accordingly
- finally, all parameters are URL encoded and appended to the badge endpoint
-->
| | development | stable |
|--------|-----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|
| rpm | [![rpm-dev](https://img.shields.io/bintray/v/falcosecurity/rpm-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][1] | [![rpm](https://img.shields.io/bintray/v/falcosecurity/rpm/falco?label=Falco&color=%23005763&style=flat-square)][2] |
| deb | [![deb-dev](https://img.shields.io/bintray/v/falcosecurity/deb-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][3] | [![deb](https://img.shields.io/bintray/v/falcosecurity/deb/falco?label=Falco&color=%23005763&style=flat-square)][4] |
| binary | [![bin-dev](https://img.shields.io/bintray/v/falcosecurity/bin-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][5] | [![bin](https://img.shields.io/bintray/v/falcosecurity/bin/falco?label=Falco&color=%23005763&style=flat-square)][6] |
| rpm | [![rpm-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm-dev%2Ffalco-)][1] | [![rpm](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm%2Ffalco-)][2] |
| deb | [![deb-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb-dev%2Fstable%2Ffalco-)][3] | [![deb](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb%2Fstable%2Ffalco-)][4] |
| binary | [![bin-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin-dev%2Fx86_64%2Ffalco-)][5] | [![bin](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin%2Fx86_64%2Ffalco-)][6] |
---
@@ -99,9 +137,9 @@ Please report security vulnerabilities following the community process documente
Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
[1]: https://dl.bintray.com/falcosecurity/rpm-dev
[2]: https://dl.bintray.com/falcosecurity/rpm
[3]: https://dl.bintray.com/falcosecurity/deb-dev/stable
[4]: https://dl.bintray.com/falcosecurity/deb/stable
[5]: https://dl.bintray.com/falcosecurity/bin-dev/x86_64
[6]: https://dl.bintray.com/falcosecurity/bin/x86_64
[1]: https://download.falco.org/?prefix=packages/rpm-dev/
[2]: https://download.falco.org/?prefix=packages/rpm/
[3]: https://download.falco.org/?prefix=packages/deb-dev/stable/
[4]: https://download.falco.org/?prefix=packages/deb/stable/
[5]: https://download.falco.org/?prefix=packages/bin-dev/x86_64/
[6]: https://download.falco.org/?prefix=packages/bin/x86_64/

33
RELEASE.md
View File

@@ -13,12 +13,12 @@ Finally, on the proposed due date the assignees for the upcoming release proceed
Before cutting a release we need to do some homework in the Falco repository. This should take 5 minutes using the GitHub UI.
### 1. Release notes
- Find the LAST release (-1) and use `YYYY-MM-DD` as the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
- Find the previous release date (`YYYY-MM-DD`) by looking at the [Falco releases](https://github.com/falcosecurity/falco/releases)
- Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
- Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/falco/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
- Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
- If the PR has no milestone, assign it to the milestone currently undergoing release
- Check issues without a milestone (using [is:pr is:merged no:milestone closed:>YYYY-MM-DD](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD) filter) and add them to the milestone currently undergoing release
- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD), if any, fix them
- Check issues without a milestone (using `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD) ) and add them to the milestone currently undergoing release
- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD), if any, update those missing
### 2. Milestones
@@ -29,8 +29,9 @@ Before cutting a release we need to do some homework in the Falco repository. Th
- Double-check if any hard-coded version number is present in the code, it should be not present anywhere:
- If any, manually correct it then open an issue to automate version number bumping later
- Versions table in the `README.md` updates itself automatically
- Generate the change log https://github.com/leodido/rn2md:
- If you review timeout errors with `rn2md` try to generate an GitHub Oauth access token and use `-t`
- Generate the change log using [rn2md](https://github.com/leodido/rn2md):
- Execute `rn2md -o falcosecurity -m <version> -r falco`
- In case `rn2md` emits error try to generate an GitHub OAuth access token and provide it with the `-t` flag
- Add the latest changes on top the previous `CHANGELOG.md`
- Submit a PR with the above modifications
- Await PR approval
@@ -51,7 +52,7 @@ Now assume `x.y.z` is the new version.
git push origin x.y.z
```
> **N.B.**: do NOT use an annotated tag
> **N.B.**: do NOT use an annotated tag. For reference https://git-scm.com/book/en/v2/Git-Basics-Tagging
- Wait for the CI to complete
@@ -65,9 +66,9 @@ Now assume `x.y.z` is the new version.
| Packages | Download |
| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| rpm | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/rpm/falco-x.y.z-x86_64.rpm) |
| deb | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/deb/stable/falco-x.y.z-x86_64.deb) |
| tgz | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/bin/x86_64/falco-x.y.z-x86_64.deb) |
| rpm | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-x.y.z-x86_64.rpm) |
| deb | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-x.y.z-x86_64.deb) |
| tgz | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/x86_64/falco-x.y.z-x86_64.tar.gz) |
| Images |
| --------------------------------------------------------------------------- |
@@ -76,6 +77,10 @@ Now assume `x.y.z` is the new version.
| `docker pull docker.io/falcosecurity/falco-driver-loader:x.y.z` |
| `docker pull docker.io/falcosecurity/falco-no-driver:x.y.z` |
<changelog>
<!-- Substitute <changelog> with the one generated by [rn2md](https://github.com/leodido/rn2md) -->
### Statistics
| Merged PRs | Number |
@@ -85,6 +90,10 @@ Now assume `x.y.z` is the new version.
| Total | x |
<!-- Calculate stats and fill the above table -->
#### Release Manager <github handle>
<!-- Substitute Github handle with the release manager's one -->
```
- Finally, publish the release!
@@ -93,7 +102,7 @@ Now assume `x.y.z` is the new version.
For each release we archive the meeting notes in git for historical purposes.
- The notes from the Falco meetings can be [found here](https://hackmd.io/6sEAlInlSaGnLz2FnFz21A).
- The notes from the Falco meetings can be [found here](https://hackmd.io/3qYPnZPUQLGKCzR14va_qg).
- Note: There may be other notes from working groups that can optionally be added as well as needed.
- Add the entire content of the document to a new file in [github.com/falcosecurity/community/tree/master/meeting-notes](https://github.com/falcosecurity/community/tree/master/meeting-notes) as a new file labeled `release-x.y.z.md`
- Open up a pull request with the new change.
@@ -103,5 +112,7 @@ For each release we archive the meeting notes in git for historical purposes.
Announce the new release to the world!
- Publish a blog on [Falco website](https://github.com/falcosecurity/falco-website) ([example](https://github.com/falcosecurity/falco-website/blob/master/content/en/blog/falco-0-28-1.md))
- Send an announcement to cncf-falco-dev@lists.cncf.io (plain text, please)
- Let folks in the slack #falco channel know about a new release came out
- IFF the on going release introduces a **new minor version**, [archive a snapshot of the Falco website](https://github.com/falcosecurity/falco-website/blob/master/release.md#documentation-versioning)

8
cmake/cpack/CMakeCPackOptions.cmake
View File

@@ -1,11 +1,11 @@
if(CPACK_GENERATOR MATCHES "DEB")
list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/init.d/")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/init.d")
list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
endif()
if(CPACK_GENERATOR MATCHES "RPM")
list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/rc.d/init.d/")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/rc.d/init.d")
list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
endif()
if(CPACK_GENERATOR MATCHES "TGZ")

9
cmake/modules/CPackConfig.cmake
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2020 The Falco Authors.
# Copyright (C) 2021 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
@@ -46,8 +46,9 @@ set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
)
set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
set(CPACK_RPM_PACKAGE_ARCHITECTURE, "amd64")
set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, ncurses")
set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, systemd")
set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")
@@ -59,9 +60,7 @@ set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION
/etc
/usr
/usr/bin
/usr/share
/etc/rc.d
/etc/rc.d/init.d)
/usr/share)
set(CPACK_RPM_PACKAGE_RELOCATABLE "OFF")
include(CPack)

45
cmake/modules/OpenSSL.cmake
View File

@@ -1,45 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
mark_as_advanced(OPENSSL_BINARY)
if(NOT USE_BUNDLED_DEPS)
find_package(OpenSSL REQUIRED)
message(STATUS "Found openssl: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
find_program(OPENSSL_BINARY openssl)
if(NOT OPENSSL_BINARY)
message(FATAL_ERROR "Couldn't find the openssl command line in PATH")
else()
message(STATUS "Found openssl: binary: ${OPENSSL_BINARY}")
endif()
else()
mark_as_advanced(OPENSSL_BUNDLE_DIR OPENSSL_INSTALL_DIR OPENSSL_INCLUDE_DIR
OPENSSL_LIBRARY_SSL OPENSSL_LIBRARY_CRYPTO)
set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include")
set(OPENSSL_LIBRARY_SSL "${OPENSSL_INSTALL_DIR}/lib/libssl.a")
set(OPENSSL_LIBRARY_CRYPTO "${OPENSSL_INSTALL_DIR}/lib/libcrypto.a")
set(OPENSSL_BINARY "${OPENSSL_INSTALL_DIR}/bin/openssl")
message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
ExternalProject_Add(
openssl
# START CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
URL "https://github.com/openssl/openssl/archive/OpenSSL_1_0_2n.tar.gz"
URL_HASH "SHA256=4f4bc907caff1fee6ff8593729e5729891adcee412049153a3bb4db7625e8364"
# END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
CONFIGURE_COMMAND ./config no-shared --prefix=${OPENSSL_INSTALL_DIR}
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
INSTALL_COMMAND ${CMD_MAKE} install)
endif()

27
cmake/modules/b64.cmake
View File

@@ -1,27 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
set(B64_SRC "${PROJECT_BINARY_DIR}/b64-prefix/src/b64")
message(STATUS "Using bundled b64 in '${B64_SRC}'")
set(B64_INCLUDE "${B64_SRC}/include")
set(B64_LIB "${B64_SRC}/src/libb64.a")
externalproject_add(
b64
URL "https://github.com/libb64/libb64/archive/ce864b17ea0e24a91e77c7dd3eb2d1ac4175b3f0.tar.gz"
URL_HASH "SHA256=d07173e66f435e5c77dbf81bd9313f8d0e4a3b4edd4105a62f4f8132ba932811"
CONFIGURE_COMMAND ""
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${B64_LIB}
INSTALL_COMMAND ""
)

76
cmake/modules/cURL.cmake
View File

@@ -1,76 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
if(NOT USE_BUNDLED_DEPS)
find_package(CURL REQUIRED)
message(STATUS "Found CURL: include: ${CURL_INCLUDE_DIR}, lib: ${CURL_LIBRARIES}")
else()
set(CURL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/curl-prefix/src/curl")
set(CURL_INCLUDE_DIR "${CURL_BUNDLE_DIR}/include/")
set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl.a")
set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
message(STATUS "Using SSL for curl in '${CURL_SSL_OPTION}'")
externalproject_add(
curl
DEPENDS openssl
# START CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
URL "https://github.com/curl/curl/releases/download/curl-7_61_0/curl-7.61.0.tar.bz2"
URL_HASH "SHA256=5f6f336921cf5b84de56afbd08dfb70adeef2303751ffb3e570c936c6d656c9c"
# END CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
CONFIGURE_COMMAND
./configure
${CURL_SSL_OPTION}
--disable-shared
--enable-optimize
--disable-curldebug
--disable-rt
--enable-http
--disable-ftp
--disable-file
--disable-ldap
--disable-ldaps
--disable-rtsp
--disable-telnet
--disable-tftp
--disable-pop3
--disable-imap
--disable-smb
--disable-smtp
--disable-gopher
--disable-sspi
--disable-ntlm-wb
--disable-tls-srp
--without-winssl
--without-darwinssl
--without-polarssl
--without-cyassl
--without-nss
--without-axtls
--without-ca-path
--without-ca-bundle
--without-libmetalink
--without-librtmp
--without-winidn
--without-libidn2
--without-libpsl
--without-nghttp2
--without-libssh2
--disable-threaded-resolver
--without-brotli
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
INSTALL_COMMAND "")
endif()

10
cmake/modules/sysdig-repo/CMakeLists.txt → cmake/modules/falcosecurity-libs-repo/CMakeLists.txt
View File

@@ -12,15 +12,15 @@
#
cmake_minimum_required(VERSION 3.5.1)
project(sysdig-repo NONE)
project(falcosecurity-libs-repo NONE)
include(ExternalProject)
message(STATUS "Driver version: ${SYSDIG_VERSION}")
message(STATUS "Driver version: ${FALCOSECURITY_LIBS_VERSION}")
ExternalProject_Add(
sysdig
URL "https://github.com/draios/sysdig/archive/${SYSDIG_VERSION}.tar.gz"
URL_HASH "${SYSDIG_CHECKSUM}"
falcosecurity-libs
URL "https://github.com/falcosecurity/libs/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz"
URL_HASH "${FALCOSECURITY_LIBS_CHECKSUM}"
CONFIGURE_COMMAND ""
BUILD_COMMAND ""
INSTALL_COMMAND ""

0
cmake/modules/sysdig-repo/patch/libscap.patch → cmake/modules/falcosecurity-libs-repo/patch/libscap.patch
View File

18
cmake/modules/sysdig-repo/patch/luajit.patch → cmake/modules/falcosecurity-libs-repo/patch/luajit.patch
View File

@@ -1,7 +1,7 @@
diff --git a/userspace/libsinsp/chisel.cpp b/userspace/libsinsp/chisel.cpp
diff --git a/userspace/chisel/chisel.cpp b/userspace/chisel/chisel.cpp
index 0a6e3cf8..0c2e255a 100644
--- a/userspace/libsinsp/chisel.cpp
+++ b/userspace/libsinsp/chisel.cpp
--- a/userspace/chisel/chisel.cpp
+++ b/userspace/chisel/chisel.cpp
@@ -98,7 +98,7 @@ void lua_stackdump(lua_State *L)
// Lua callbacks
///////////////////////////////////////////////////////////////////////////////
@@ -29,10 +29,10 @@ index 0a6e3cf8..0c2e255a 100644
{
{"field", &lua_cbacks::field},
{"get_num", &lua_cbacks::get_num},
diff --git a/userspace/libsinsp/lua_parser.cpp b/userspace/libsinsp/lua_parser.cpp
diff --git a/userspace/chisel/lua_parser.cpp b/userspace/chisel/lua_parser.cpp
index 0e26617d..78810d96 100644
--- a/userspace/libsinsp/lua_parser.cpp
+++ b/userspace/libsinsp/lua_parser.cpp
--- a/userspace/chisel/lua_parser.cpp
+++ b/userspace/chisel/lua_parser.cpp
@@ -32,7 +32,7 @@ extern "C" {
#include "lauxlib.h"
}
@@ -42,10 +42,10 @@ index 0e26617d..78810d96 100644
{
{"rel_expr", &lua_parser_cbacks::rel_expr},
{"bool_op", &lua_parser_cbacks::bool_op},
diff --git a/userspace/libsinsp/lua_parser_api.cpp b/userspace/libsinsp/lua_parser_api.cpp
diff --git a/userspace/chisel/lua_parser_api.cpp b/userspace/chisel/lua_parser_api.cpp
index c89e9126..c3d8008a 100644
--- a/userspace/libsinsp/lua_parser_api.cpp
+++ b/userspace/libsinsp/lua_parser_api.cpp
--- a/userspace/chisel/lua_parser_api.cpp
+++ b/userspace/chisel/lua_parser_api.cpp
@@ -266,7 +266,7 @@ int lua_parser_cbacks::rel_expr(lua_State *ls)
string err = "Got non-table as in-expression operand\n";
throw sinsp_exception("parser API error");

67
cmake/modules/falcosecurity-libs.cmake Normal file
View File

@@ -0,0 +1,67 @@
#
# Copyright (C) 2021 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
set(FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules/falcosecurity-libs-repo")
set(FALCOSECURITY_LIBS_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/falcosecurity-libs-repo")
file(MAKE_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR})
# The falcosecurity/libs git reference (branch name, commit hash, or tag) To update falcosecurity/libs version for the next release, change the
# default below In case you want to test against another falcosecurity/libs version just pass the variable - ie., `cmake
# -DFALCOSECURITY_LIBS_VERSION=dev ..`
if(NOT FALCOSECURITY_LIBS_VERSION)
set(FALCOSECURITY_LIBS_VERSION "new/plugin-system-api-additions")
set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=ba0ea2e22121b8543cb1ebe616090097c4dc3f093db8f0bb5cf2ce5a7e0425a0")
endif()
# cd /path/to/build && cmake /path/to/source
execute_process(COMMAND "${CMAKE_COMMAND}" -DFALCOSECURITY_LIBS_VERSION=${FALCOSECURITY_LIBS_VERSION} -DFALCOSECURITY_LIBS_CHECKSUM=${FALCOSECURITY_LIBS_CHECKSUM}
${FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR})
# todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13
# execute_process(COMMAND "${CMAKE_COMMAND}" -B ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR} WORKING_DIRECTORY
# "${FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR}")
execute_process(COMMAND "${CMAKE_COMMAND}" --build . WORKING_DIRECTORY "${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}")
set(FALCOSECURITY_LIBS_SOURCE_DIR "${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}/falcosecurity-libs-prefix/src/falcosecurity-libs")
add_definitions(-D_GNU_SOURCE)
add_definitions(-DHAS_CAPTURE)
if(MUSL_OPTIMIZED_BUILD)
add_definitions(-DMUSL_OPTIMIZED)
endif()
set(PROBE_VERSION "${FALCOSECURITY_LIBS_VERSION}")
if(NOT LIBSCAP_DIR)
set(LIBSCAP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
endif()
set(LIBSINSP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
# explicitly disable the tests/examples of this dependency
set(CREATE_TEST_TARGETS OFF CACHE BOOL "")
set(BUILD_LIBSCAP_EXAMPLES OFF CACHE BOOL "")
# todo(leogr): although Falco does not actually depend on chisels, we need this for the lua_parser.
# Hopefully, we can switch off this in the future
set(WITH_CHISEL ON CACHE BOOL "")
set(USE_BUNDLED_TBB ON CACHE BOOL "")
set(USE_BUNDLED_B64 ON CACHE BOOL "")
set(USE_BUNDLED_JSONCPP ON CACHE BOOL "")
list(APPEND CMAKE_MODULE_PATH "${FALCOSECURITY_LIBS_SOURCE_DIR}/cmake/modules")
include(libscap)
include(libsinsp)

145
cmake/modules/gRPC.cmake
View File

@@ -1,145 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
if(NOT USE_BUNDLED_DEPS)
# zlib
include(FindZLIB)
set(ZLIB_INCLUDE "${ZLIB_INCLUDE_DIRS}")
set(ZLIB_LIB "${ZLIB_LIBRARIES}")
if(ZLIB_INCLUDE AND ZLIB_LIB)
message(STATUS "Found zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}")
endif()
# c-ares
mark_as_advanced(CARES_INCLUDE CARES_LIB)
find_path(CARES_INCLUDE NAMES ares.h)
find_library(CARES_LIB NAMES libcares.so)
if(CARES_INCLUDE AND CARES_LIB)
message(STATUS "Found c-ares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}")
else()
message(FATAL_ERROR "Couldn't find system c-ares")
endif()
# protobuf
mark_as_advanced(PROTOC PROTOBUF_INCLUDE PROTOBUF_LIB)
find_program(PROTOC NAMES protoc)
find_path(PROTOBUF_INCLUDE NAMES google/protobuf/message.h)
find_library(PROTOBUF_LIB NAMES libprotobuf.so)
if(PROTOC
AND PROTOBUF_INCLUDE
AND PROTOBUF_LIB)
message(STATUS "Found protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
else()
message(FATAL_ERROR "Couldn't find system protobuf")
endif()
# gpr
mark_as_advanced(GPR_LIB)
find_library(GPR_LIB NAMES gpr)
if(GPR_LIB)
message(STATUS "Found gpr lib: ${GPR_LIB}")
else()
message(FATAL_ERROR "Couldn't find system gpr")
endif()
# gRPC todo(fntlnz, leodido): check that gRPC version is greater or equal than 1.8.0
mark_as_advanced(GRPC_INCLUDE GRPC_SRC
GRPC_LIB GRPC_LIBS_ABSOLUTE GRPCPP_LIB GRPC_CPP_PLUGIN)
find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
if(GRPCXX_INCLUDE)
set(GRPC_INCLUDE ${GRPCXX_INCLUDE})
unset(GRPCXX_INCLUDE CACHE)
else()
find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h)
set(GRPC_INCLUDE ${GRPCPP_INCLUDE})
unset(GRPCPP_INCLUDE CACHE)
add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
endif()
find_library(GRPC_LIB NAMES grpc)
find_library(GRPCPP_LIB NAMES grpc++)
if(GRPC_INCLUDE
AND GRPC_LIB
AND GRPCPP_LIB)
message(STATUS "Found grpc: include: ${GRPC_INCLUDE}, C lib: ${GRPC_LIB}, C++ lib: ${GRPCPP_LIB}")
else()
message(FATAL_ERROR "Couldn't find system grpc")
endif()
find_program(GRPC_CPP_PLUGIN grpc_cpp_plugin)
if(NOT GRPC_CPP_PLUGIN)
message(FATAL_ERROR "System grpc_cpp_plugin not found")
endif()
else()
find_package(PkgConfig)
if(NOT PKG_CONFIG_FOUND)
message(FATAL_ERROR "pkg-config binary not found")
endif()
message(STATUS "Found pkg-config executable: ${PKG_CONFIG_EXECUTABLE}")
set(GRPC_SRC "${PROJECT_BINARY_DIR}/grpc-prefix/src/grpc")
set(GRPC_INCLUDE "${GRPC_SRC}/include")
set(GRPC_LIBS_ABSOLUTE "${GRPC_SRC}/libs/opt")
set(GRPC_LIB "${GRPC_LIBS_ABSOLUTE}/libgrpc.a")
set(GRPCPP_LIB "${GRPC_LIBS_ABSOLUTE}/libgrpc++.a")
set(GRPC_CPP_PLUGIN "${GRPC_SRC}/bins/opt/grpc_cpp_plugin")
# we tell gRPC to compile protobuf for us because when a gRPC package is not available, like on CentOS, it's very
# likely that protobuf will be very outdated
set(PROTOBUF_INCLUDE "${GRPC_SRC}/third_party/protobuf/src")
set(PROTOC "${PROTOBUF_INCLUDE}/protoc")
set(PROTOBUF_LIB "${GRPC_LIBS_ABSOLUTE}/protobuf/libprotobuf.a")
# we tell gRPC to compile zlib for us because when a gRPC package is not available, like on CentOS, it's very likely
# that zlib will be very outdated
set(ZLIB_INCLUDE "${GRPC_SRC}/third_party/zlib")
set(ZLIB_LIB "${GRPC_LIBS_ABSOLUTE}/libz.a")
# we tell gRPC to compile c-ares for us because when a gRPC package is not available, like on CentOS, it's very likely
# that c-ares will be very outdated
set(CARES_INCLUDE "${GRPC_SRC}/third_party/cares" "${GRPC_SRC}/third_party/cares/cares")
set(CARES_LIB "${GRPC_LIBS_ABSOLUTE}/libares.a")
message(STATUS "Using bundled gRPC in '${GRPC_SRC}'")
message(
STATUS
"Bundled gRPC comes with protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
message(STATUS "Bundled gRPC comes with zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}}")
message(STATUS "Bundled gRPC comes with cares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}}")
message(STATUS "Bundled gRPC comes with gRPC C++ plugin: include: ${GRPC_CPP_PLUGIN}")
get_filename_component(PROTOC_DIR ${PROTOC} PATH)
ExternalProject_Add(
grpc
DEPENDS openssl
GIT_REPOSITORY https://github.com/grpc/grpc.git
GIT_TAG v1.32.0
GIT_SUBMODULES "third_party/protobuf third_party/zlib third_party/cares/cares third_party/abseil-cpp third_party/re2"
BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB}
INSTALL_COMMAND ""
CONFIGURE_COMMAND ""
BUILD_COMMAND
CFLAGS=-Wno-implicit-fallthrough
HAS_SYSTEM_ZLIB=false
HAS_SYSTEM_PROTOBUF=false
HAS_SYSTEM_CARES=false
HAS_EMBEDDED_OPENSSL_ALPN=false
HAS_SYSTEM_OPENSSL_ALPN=true
PKG_CONFIG_PATH=${OPENSSL_BUNDLE_DIR}
PKG_CONFIG=${PKG_CONFIG_EXECUTABLE}
PATH=${PROTOC_DIR}:$ENV{PATH}
make
static_cxx
static_c
grpc_cpp_plugin)
endif()

54
cmake/modules/jq.cmake
View File

@@ -1,54 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
mark_as_advanced(JQ_INCLUDE JQ_LIB)
if (NOT USE_BUNDLED_DEPS)
find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq)
find_library(JQ_LIB NAMES jq)
if (JQ_INCLUDE AND JQ_LIB)
message(STATUS "Found jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
else ()
message(FATAL_ERROR "Couldn't find system jq")
endif ()
else ()
set(JQ_SRC "${PROJECT_BINARY_DIR}/jq-prefix/src/jq")
message(STATUS "Using bundled jq in '${JQ_SRC}'")
set(JQ_INCLUDE "${JQ_SRC}/target/include")
set(JQ_INSTALL_DIR "${JQ_SRC}/target")
set(JQ_LIB "${JQ_INSTALL_DIR}/lib/libjq.a")
set(ONIGURUMA_LIB "${JQ_INSTALL_DIR}/lib/libonig.a")
message(STATUS "Bundled jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
# Why we mirror jq here?
#
# In their readme, jq claims that you don't have
# to do autoreconf -fi when downloading a released tarball.
#
# However, they forgot to push the released makefiles
# into their release tarbal.
#
# For this reason, we have to mirror their release after
# doing the configuration ourselves.
#
# This is needed because many distros do not ship the right
# version of autoreconf, making virtually impossible to build Falco on them.
# Read more about it here:
# https://github.com/stedolan/jq/issues/2061#issuecomment-593445920
ExternalProject_Add(
jq
URL "https://dl.bintray.com/falcosecurity/dependencies/jq-1.6.tar.gz"
URL_HASH "SHA256=787518068c35e244334cc79b8e56b60dbab352dff175b7f04a94f662b540bfd9"
CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking --with-oniguruma=builtin --prefix=${JQ_INSTALL_DIR}
BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
BUILD_IN_SOURCE 1
INSTALL_COMMAND ${CMD_MAKE} install)
endif ()

31
cmake/modules/luajit.cmake
View File

@@ -11,17 +11,20 @@
# specific language governing permissions and limitations under the License.
#
set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
externalproject_add(
luajit
GIT_REPOSITORY "https://github.com/LuaJIT/LuaJIT"
GIT_TAG "1d8b747c161db457e032a023ebbff511f5de5ec2"
CONFIGURE_COMMAND ""
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${LUAJIT_LIB}
INSTALL_COMMAND ""
)
if(NOT LUAJIT_INCLUDE)
set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
externalproject_add(
luajit
GIT_REPOSITORY "https://github.com/LuaJIT/LuaJIT"
GIT_TAG "1d8b747c161db457e032a023ebbff511f5de5ec2"
CONFIGURE_COMMAND ""
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${LUAJIT_LIB}
INSTALL_COMMAND ""
)
endif()
include_directories("${LUAJIT_INCLUDE}")

78
cmake/modules/sysdig.cmake
View File

@@ -1,78 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
set(SYSDIG_CMAKE_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules/sysdig-repo")
set(SYSDIG_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/sysdig-repo")
# this needs to be here at the top
if(USE_BUNDLED_DEPS)
# explicitly force this dependency to use the bundled OpenSSL
if(NOT MINIMAL_BUILD)
set(USE_BUNDLED_OPENSSL ON)
endif()
set(USE_BUNDLED_JQ ON)
endif()
file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
# The sysdig git reference (branch name, commit hash, or tag) To update sysdig version for the next release, change the
# default below In case you want to test against another sysdig version just pass the variable - ie., `cmake
# -DSYSDIG_VERSION=dev ..`
if(NOT SYSDIG_VERSION)
set(SYSDIG_VERSION "5c0b863ddade7a45568c0ac97d037422c9efb750")
set(SYSDIG_CHECKSUM "SHA256=9de717b3a4b611ea6df56afee05171860167112f74bb7717b394bcc88ac843cd")
endif()
set(PROBE_VERSION "${SYSDIG_VERSION}")
# cd /path/to/build && cmake /path/to/source
execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM}
${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
# todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13
# execute_process(COMMAND "${CMAKE_COMMAND}" -B ${SYSDIG_CMAKE_WORKING_DIR} WORKING_DIRECTORY
# "${SYSDIG_CMAKE_SOURCE_DIR}")
execute_process(COMMAND "${CMAKE_COMMAND}" --build . WORKING_DIRECTORY "${SYSDIG_CMAKE_WORKING_DIR}")
set(SYSDIG_SOURCE_DIR "${SYSDIG_CMAKE_WORKING_DIR}/sysdig-prefix/src/sysdig")
# jsoncpp
set(JSONCPP_SRC "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp")
set(JSONCPP_INCLUDE "${JSONCPP_SRC}")
set(JSONCPP_LIB_SRC "${JSONCPP_SRC}/jsoncpp.cpp")
# Add driver directory
add_subdirectory("${SYSDIG_SOURCE_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
# Add libscap directory
add_definitions(-D_GNU_SOURCE)
add_definitions(-DHAS_CAPTURE)
add_definitions(-DNOCURSESUI)
if(MUSL_OPTIMIZED_BUILD)
add_definitions(-DMUSL_OPTIMIZED)
endif()
add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libscap" "${PROJECT_BINARY_DIR}/userspace/libscap")
# Add libsinsp directory
add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libsinsp" "${PROJECT_BINARY_DIR}/userspace/libsinsp")
add_dependencies(sinsp tbb b64 luajit)
# explicitly disable the tests of this dependency
set(CREATE_TEST_TARGETS OFF)
if(USE_BUNDLED_DEPS)
add_dependencies(scap jq)
if(NOT MINIMAL_BUILD)
add_dependencies(scap curl grpc)
endif()
endif()

1
cmake/modules/yaml-cpp.cmake
View File

@@ -28,6 +28,7 @@ else()
yamlcpp
URL "https://github.com/jbeder/yaml-cpp/archive/yaml-cpp-0.6.2.tar.gz"
URL_HASH "SHA256=e4d8560e163c3d875fd5d9e5542b5fd5bec810febdcba61481fe5fc4e6b1fd05"
BUILD_BYPRODUCTS ${YAMLCPP_LIB}
BUILD_IN_SOURCE 1
INSTALL_COMMAND "")
endif()

4
docker/builder/Dockerfile
View File

@@ -20,11 +20,11 @@ ENV FALCO_VERSION=${FALCO_VERSION}
# build toolchain
RUN yum -y install centos-release-scl && \
INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel devtoolset-7-elfutils-libelf-devel llvm-toolset-7 glibc-static autoconf automake libtool createrepo expect git which libcurl-devel zlib-devel ncurses-devel rpm-build libyaml-devel" && \
INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel devtoolset-7-elfutils-libelf-devel llvm-toolset-7 glibc-static autoconf automake libtool createrepo expect git which libcurl-devel zlib-devel rpm-build libyaml-devel" && \
yum -y install --setopt=tsflags=nodocs $INSTALL_PKGS && \
rpm -V $INSTALL_PKGS
ARG CMAKE_VERSION=3.5.1
ARG CMAKE_VERSION=3.6.3
RUN source scl_source enable devtoolset-7 llvm-toolset-7 && \
cd /tmp && \
curl -L https://github.com/kitware/cmake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}.tar.gz | tar xz; \

1
docker/builder/root/usr/bin/entrypoint
View File

@@ -34,7 +34,6 @@ case "$CMD" in
-DCMAKE_BUILD_TYPE="$BUILD_TYPE" \
-DCMAKE_INSTALL_PREFIX=/usr \
-DBUILD_DRIVER="$BUILD_DRIVER" \
-DMINIMAL_BUILD="$MINIMAL_BUILD" \
-DBUILD_BPF="$BUILD_BPF" \
-DBUILD_WARNINGS_AS_ERRORS="$BUILD_WARNINGS_AS_ERRORS" \
-DFALCO_VERSION="$FALCO_VERSION" \

44
docker/falco/Dockerfile
View File

@@ -18,10 +18,12 @@ RUN apt-get update \
&& apt-get install -y --no-install-recommends \
bash-completion \
bc \
bison \
clang-7 \
ca-certificates \
curl \
dkms \
flex \
gnupg2 \
gcc \
jq \
@@ -39,15 +41,15 @@ RUN apt-get update \
# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
# or so.
RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_amd64.deb \
&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_amd64.deb \
&& curl -L -o libasan3_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_amd64.deb \
&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_amd64.deb \
&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_amd64.deb \
&& curl -L -o libisl15_0.18-1_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-1_amd64.deb \
&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
@@ -56,13 +58,13 @@ RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dep
# version 3, 4, or 5 compiler. So grab copies we've saved from debian
# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
&& curl -L -o libasan2_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_amd64.deb \
&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_amd64.deb \
&& curl -L -o libasan2_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libasan2_5.5.0-12_amd64.deb \
&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
&& curl -L -o libisl15_0.18-4_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-4_amd64.deb \
&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_amd64.deb \
&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
@@ -76,7 +78,7 @@ RUN rm -rf /usr/bin/clang \
&& ln -s /usr/bin/llc-7 /usr/bin/llc
RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \
&& echo "deb https://dl.bintray.com/falcosecurity/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
&& echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
&& apt-get update -y \
&& if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
&& apt-get clean \
@@ -96,10 +98,10 @@ RUN rm -df /lib/modules \
# debian:stable head contains binutils 2.31, which generates
# binaries that are incompatible with kernels < 4.16. So manually
# forcibly install binutils 2.30-22 instead.
RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
RUN curl -L -o binutils_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils_2.30-22_amd64.deb \
&& curl -L -o libbinutils_2.30-22_amd64.deb https://download.falco.org/dependencies/libbinutils_2.30-22_amd64.deb \
&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
&& curl -L -o binutils-common_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-common_2.30-22_amd64.deb \
&& dpkg -i *binutils*.deb \
&& rm -f *binutils*.deb

7
docker/falco/docker-entrypoint.sh
View File

@@ -16,14 +16,9 @@
# limitations under the License.
#
# todo(leogr): remove deprecation notice within a couple of releases
if [[ ! -z "${SKIP_MODULE_LOAD}" ]]; then
echo "* SKIP_MODULE_LOAD is deprecated and will be removed soon, use SKIP_DRIVER_LOADER instead"
fi
# Set the SKIP_DRIVER_LOADER variable to skip loading the driver
if [[ -z "${SKIP_DRIVER_LOADER}" ]] && [[ -z "${SKIP_MODULE_LOAD}" ]]; then
if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
echo "* Setting up /usr/src links from host"
for i in "$HOST_ROOT/usr/src"/*

42
docker/local/Dockerfile
View File

@@ -48,15 +48,15 @@ RUN apt-get update \
# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
# or so.
RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_amd64.deb \
&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_amd64.deb \
&& curl -L -o libasan3_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_amd64.deb \
&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_amd64.deb \
&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_amd64.deb \
&& curl -L -o libisl15_0.18-1_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-1_amd64.deb \
&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
@@ -65,13 +65,13 @@ RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dep
# version 3, 4, or 5 compiler. So grab copies we've saved from debian
# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
&& curl -L -o libasan2_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_amd64.deb \
&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_amd64.deb \
&& curl -L -o libasan2_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libasan2_5.5.0-12_amd64.deb \
&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
&& curl -L -o libisl15_0.18-4_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-4_amd64.deb \
&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_amd64.deb \
&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
@@ -96,15 +96,15 @@ RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
# Change the falco config within the container to enable ISO 8601
# output.
RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
# debian:stable head contains binutils 2.31, which generates
# binaries that are incompatible with kernels < 4.16. So manually
# forcibly install binutils 2.30-22 instead.
RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
RUN curl -L -o binutils_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils_2.30-22_amd64.deb \
&& curl -L -o libbinutils_2.30-22_amd64.deb https://download.falco.org/dependencies/libbinutils_2.30-22_amd64.deb \
&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
&& curl -L -o binutils-common_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-common_2.30-22_amd64.deb \
&& dpkg -i *binutils*.deb \
&& rm -f *binutils*.deb

12
docker/no-driver/Dockerfile
View File

@@ -6,14 +6,16 @@ ARG VERSION_BUCKET=bin
ENV FALCO_VERSION=${FALCO_VERSION}
ENV VERSION_BUCKET=${VERSION_BUCKET}
RUN apt-get -y update && apt-get -y install gridsite-clients curl
WORKDIR /
ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
RUN tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
RUN curl -L -o falco.tar.gz \
https://download.falco.org/packages/${VERSION_BUCKET}/x86_64/falco-$(urlencode ${FALCO_VERSION})-x86_64.tar.gz && \
tar -xvf falco.tar.gz && \
rm -f falco.tar.gz && \
mv falco-${FALCO_VERSION}-x86_64 falco && \
rm -rf falco/usr/src/falco-* falco/usr/bin/falco-driver-loader
rm -rf /falco/usr/src/falco-* /falco/usr/bin/falco-driver-loader
RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
&& mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml

2
docker/tester/root/usr/bin/usage
View File

@@ -3,7 +3,7 @@
pythonversion=$(python -c 'import sys; version=sys.version_info[:3]; print("{0}.{1}.{2}".format(*version))')
pipversion=$(pip --version | cut -d' ' -f 1,2,5,6)
dockerversion=$(docker --version)
avocadoversion=$(pip2 show avocado-framework | grep Version)
avocadoversion=$(pip show avocado-framework | grep Version)
avocadoversion=${avocadoversion#"Version: "}
cat <<EOF

49
falco.yaml
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2021 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -68,24 +68,52 @@ priority: debug
buffered_outputs: false
# Falco uses a shared buffer between the kernel and userspace to pass
# system call information. When falco detects that this buffer is
# system call information. When Falco detects that this buffer is
# full and system calls have been dropped, it can take one or more of
# the following actions:
# - "ignore": do nothing. If an empty list is provided, ignore is assumed.
# - "log": log a CRITICAL message noting that the buffer was full.
# - "alert": emit a falco alert noting that the buffer was full.
# - "exit": exit falco with a non-zero rc.
# - ignore: do nothing (default when list of actions is empty)
# - log: log a DEBUG message noting that the buffer was full
# - alert: emit a Falco alert noting that the buffer was full
# - exit: exit Falco with a non-zero rc
#
# Notice it is not possible to ignore and log/alert messages at the same time.
#
# The rate at which log/alert messages are emitted is governed by a
# token bucket. The rate corresponds to one message every 30 seconds
# with a burst of 10 messages.
# with a burst of one message (by default).
#
# The messages are emitted when the percentage of dropped system calls
# with respect the number of events in the last second
# is greater than the given threshold (a double in the range [0, 1]).
#
# For debugging/testing it is possible to simulate the drops using
# the `simulate_drops: true`. In this case the threshold does not apply.
syscall_event_drops:
threshold: .1
actions:
- log
- alert
rate: .03333
max_burst: 10
max_burst: 1
# Falco uses a shared buffer between the kernel and userspace to receive
# the events (eg., system call information) in userspace.
#
# Anyways, the underlying libraries can also timeout for various reasons.
# For example, there could have been issues while reading an event.
# Or the particular event needs to be skipped.
# Normally, it's very unlikely that Falco does not receive events consecutively.
#
# Falco is able to detect such uncommon situation.
#
# Here you can configure the maximum number of consecutive timeouts without an event
# after which you want Falco to alert.
# By default this value is set to 1000 consecutive timeouts without an event at all.
# How this value maps to a time interval depends on the CPU frequency.
syscall_event_timeouts:
max_consecutives: 1000
# Falco continuously monitors outputs performance. When an output channel does not allow
# to deliver an alert within a given deadline, an error is reported indicating
@@ -152,11 +180,14 @@ stdout_output:
# $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
# $ cat certificate.pem key.pem > falco.pem
# $ sudo cp falco.pem /etc/falco/falco.pem
#
# It also exposes a healthy endpoint that can be used to check if Falco is up and running
# By default the endpoint is /healthz
webserver:
enabled: true
listen_port: 8765
k8s_audit_endpoint: /k8s-audit
k8s_healthz_endpoint: /healthz
ssl_enabled: false
ssl_certificate: /etc/falco/falco.pem

12
proposals/2021019-libraries-donation.md → proposals/20210119-libraries-contribution.md
View File

@@ -1,4 +1,4 @@
# OSS Libraries Donation Plan
# OSS Libraries Contribution Plan
## Summary
@@ -6,7 +6,7 @@ Sysdig Inc. intends to donate **libsinsp**, **libscap**, the **kernel module dri
This means that some parts of the [draios/sysdig](https://github.com/draios/sysdig) repository will be moved to a new GitHub repository called [falcosecurity/libs](https://github.com/falcosecurity/libs).
This plan aims to describe and clarify the terms and goals to get the donation done.
This plan aims to describe and clarify the terms and goals to get the contribution done.
## Motivation
@@ -22,7 +22,7 @@ Sysdig (the command line tool) will continue to use the libraries now provided b
This change is win-win for both parties because of the following reasons:
- The Falco community owns the source code of the three most important parts of the software it distributes.
- Right now it is "only" an engine on top of the libraries. This **donation** helps in making the scope of the Falco project broader. Having the majority of the source code under an **open governance** in the same organization gives the Falco project more contribution opportunities, helps it in **evolving independently** and makes the whole Falco community a strong owner of the processes and decision making regarding those crucial parts.
- Right now it is "only" an engine on top of the libraries. This **contribution** helps in making the scope of the Falco project broader. Having the majority of the source code under an **open governance** in the same organization gives the Falco project more contribution opportunities, helps it in **evolving independently** and makes the whole Falco community a strong owner of the processes and decision making regarding those crucial parts.
- Given the previous point, Sysdig (the command line tool) will benefit from the now **extended contributors base**
@@ -34,7 +34,7 @@ This change is win-win for both parties because of the following reasons:
## Goals
There are many sub-projects and each of them interacts in a different way in this donation.
There are many sub-projects and each of them interacts in a different way in this contribution.
Let's see the goals per sub-project.
@@ -68,7 +68,7 @@ Let's see the goals per sub-project.
13. Falco follows a [multi-stage model for adopting new projects](https://github.com/falcosecurity/evolution#falco-project-evolution), in this case we will do an exception since the library is foundational for Falco and it has a very good track record already
14. This project will go already "Official support" once the donation is completed
14. This project will go already "Official support" once the contribution is completed
15. Contributing, Code of Conduct, Governance, Security, and Support will be the same as the rest of the organization, find them [here](https://github.com/falcosecurity/.github)
@@ -110,7 +110,7 @@ Let's see the goals per sub-project.
13. Falco follows a [multi-stage model for adopting new projects](https://github.com/falcosecurity/evolution#falco-project-evolution), in this case we will do an exception since the library is foundational for Falco and it has a very good track record already
14. This project will go already "Official support" once the donation is completed
14. This project will go already "Official support" once the contribution is completed
15. Contributing, Code of Conduct, Governance, Security, and Support will be the same as the rest of the organization, find them [here](https://github.com/falcosecurity/.github)

1416
rules/falco_rules.yaml
View File

File diff suppressed because it is too large Load Diff

141
rules/k8s_audit_rules.yaml
View File

@@ -14,7 +14,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
- required_engine_version: 8
- required_engine_version: 2
# Like always_true/always_false, but works with k8s audit events
- macro: k8s_audit_always_true
@@ -51,17 +51,13 @@
cluster-autoscaler,
"system:addon-manager",
"cloud-controller-manager",
"eks:node-manager"
"eks:node-manager",
"system:kube-controller-manager"
]
- rule: Disallowed K8s User
desc: Detect any k8s operation by users outside of an allowed set of users.
condition: kevt and non_system_user
exceptions:
- name: user_names
fields: ka.user.name
comps: in
values: [allowed_k8s_users]
condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users)
output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
priority: WARNING
source: k8s_audit
@@ -128,10 +124,6 @@
desc: >
Detect an attempt to start a pod with a container image outside of a list of allowed images.
condition: kevt and pod and kcreate and not allowed_k8s_containers
exceptions:
- name: image_repos
fields: ka.req.pod.containers.image.repository
comps: in
output: Pod started with container not in allowed list (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
priority: WARNING
source: k8s_audit
@@ -140,12 +132,7 @@
- rule: Create Privileged Pod
desc: >
Detect an attempt to start a pod with a privileged container
condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true)
exceptions:
- name: image_repos
fields: ka.req.pod.containers.image.repository
comps: in
values: [falco_privileged_images]
condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (falco_privileged_images)
output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
priority: WARNING
source: k8s_audit
@@ -159,12 +146,7 @@
desc: >
Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
Exceptions are made for known trusted images.
condition: kevt and pod and kcreate and sensitive_vol_mount
exceptions:
- name: image_repos
fields: ka.req.pod.containers.image.repository
comps: in
values: [falco_sensitive_mount_images]
condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (falco_sensitive_mount_images)
output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes])
priority: WARNING
source: k8s_audit
@@ -173,12 +155,7 @@
# Corresponds to K8s CIS Benchmark 1.7.4
- rule: Create HostNetwork Pod
desc: Detect an attempt to start a pod using the host network.
condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true)
exceptions:
- name: image_repos
fields: ka.req.pod.containers.image.repository
comps: in
values: [falco_hostnetwork_images]
condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostnetwork_images)
output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
priority: WARNING
source: k8s_audit
@@ -191,9 +168,6 @@
desc: >
Detect an attempt to start a service with a NodePort service type
condition: kevt and service and kcreate and ka.req.service.type=NodePort and not user_known_node_port_service
exceptions:
- name: services
fields: [ka.target.namespace, ka.target.name]
output: NodePort Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace ports=%ka.req.service.ports)
priority: WARNING
source: k8s_audit
@@ -212,9 +186,6 @@
desc: >
Detect creating/modifying a configmap containing a private credential (aws key, password, etc.)
condition: kevt and configmap and kmodify and contains_private_credentials
exceptions:
- name: configmaps
fields: [ka.target.namespace, ka.req.configmap.name]
output: K8s configmap with private credential (user=%ka.user.name verb=%ka.verb configmap=%ka.req.configmap.name config=%ka.req.configmap.obj)
priority: WARNING
source: k8s_audit
@@ -225,10 +196,6 @@
desc: >
Detect any request made by the anonymous user that was allowed
condition: kevt and ka.user.name=system:anonymous and ka.auth.decision="allow" and not health_endpoint
exceptions:
- name: user_names
fields: ka.user.name
comps: in
output: Request by anonymous user allowed (user=%ka.user.name verb=%ka.verb uri=%ka.uri reason=%ka.auth.reason))
priority: WARNING
source: k8s_audit
@@ -254,10 +221,6 @@
desc: >
Detect any attempt to attach/exec to a pod
condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach) and not user_known_exec_pod_activities
exceptions:
- name: user_names
fields: ka.user.name
comps: in
output: Attach/Exec to pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace action=%ka.target.subresource command=%ka.uri.param[command])
priority: NOTICE
source: k8s_audit
@@ -267,14 +230,10 @@
condition: (k8s_audit_never_true)
# Only works when feature gate EphemeralContainers is enabled
# Definining empty exceptions just to avoid warnings. There isn't any
# great exception for this kind of object, as you'd expect the images
# to vary wildly.
- rule: EphemeralContainers Created
desc: >
Detect any ephemeral container created
condition: kevt and pod_subresource and kmodify and ka.target.subresource in (ephemeralcontainers) and not user_known_pod_debug_activities
exceptions:
output: Ephemeral container is created in pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace ephemeral_container_name=%jevt.value[/requestObject/ephemeralContainers/0/name] ephemeral_container_image=%jevt.value[/requestObject/ephemeralContainers/0/image])
priority: NOTICE
source: k8s_audit
@@ -286,12 +245,7 @@
- rule: Create Disallowed Namespace
desc: Detect any attempt to create a namespace outside of a set of known namespaces
condition: kevt and namespace and kcreate
exceptions:
- name: services
fields: ka.target.name
comps: in
values: [allowed_namespaces]
condition: kevt and namespace and kcreate and not ka.target.name in (allowed_namespaces)
output: Disallowed namespace created (user=%ka.user.name ns=%ka.target.name)
priority: WARNING
source: k8s_audit
@@ -331,16 +285,15 @@
k8s_image_list
]
- macro: allowed_kube_namespace_pods
condition: (ka.req.pod.containers.image.repository in (user_allowed_kube_namespace_image_list) or
ka.req.pod.containers.image.repository in (allowed_kube_namespace_image_list))
# Detect any new pod created in the kube-system namespace
- rule: Pod Created in Kube Namespace
desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public)
condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not allowed_kube_namespace_pods
output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
exceptions:
- name: images
fields: ka.req.pod.containers.image.repository
comps: in
values: [user_allowed_kube_namespace_image_list, allowed_kube_namespace_image_list]
priority: WARNING
source: k8s_audit
tags: [k8s]
@@ -348,16 +301,18 @@
- list: user_known_sa_list
items: []
- list: known_sa_list
items: ["pod-garbage-collector","resourcequota-controller","cronjob-controller","generic-garbage-collector",
"daemon-set-controller","endpointslice-controller","deployment-controller", "replicaset-controller",
"endpoint-controller", "namespace-controller", "statefulset-controller", "disruption-controller"]
- macro: trusted_sa
condition: (ka.target.name in (user_known_sa_list))
condition: (ka.target.name in (known_sa_list, user_known_sa_list))
# Detect creating a service account in the kube-system/kube-public namespace
- rule: Service Account Created in Kube Namespace
desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces
condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful and not trusted_sa
exceptions:
- name: accounts
fields: [ka.target.namespace, ka.target.name]
output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace)
priority: WARNING
source: k8s_audit
@@ -370,9 +325,6 @@
desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system
condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and
not ka.target.name in (system:coredns, system:managed-certificate-controller)
exceptions:
- name: roles
fields: [ka.target.namespace, ka.target.name]
output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace action=%ka.verb)
priority: WARNING
source: k8s_audit
@@ -383,10 +335,6 @@
- rule: Attach to cluster-admin Role
desc: Detect any attempt to create a ClusterRoleBinding to the cluster-admin user
condition: kevt and clusterrolebinding and kcreate and ka.req.binding.role=cluster-admin
exceptions:
- name: subjects
fields: ka.req.binding.subjects
comps: in
output: Cluster Role Binding to cluster-admin role (user=%ka.user.name subject=%ka.req.binding.subjects)
priority: WARNING
source: k8s_audit
@@ -395,10 +343,6 @@
- rule: ClusterRole With Wildcard Created
desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs
condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*"))
exceptions:
- name: roles
fields: ka.target.name
comps: in
output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
priority: WARNING
source: k8s_audit
@@ -411,10 +355,6 @@
- rule: ClusterRole With Write Privileges Created
desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions
condition: kevt and (role or clusterrole) and kcreate and writable_verbs
exceptions:
- name: roles
fields: ka.target.name
comps: in
output: Created Role/ClusterRole with write privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
priority: NOTICE
source: k8s_audit
@@ -423,10 +363,6 @@
- rule: ClusterRole With Pod Exec Created
desc: Detect any attempt to create a Role/ClusterRole that can exec to pods
condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources intersects ("pods/exec")
exceptions:
- name: roles
fields: ka.target.name
comps: in
output: Created Role/ClusterRole with pod exec privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
priority: WARNING
source: k8s_audit
@@ -438,16 +374,12 @@
- macro: consider_activity_events
condition: (k8s_audit_always_true)
# Activity events don't have exceptions. They do define an empty
# exceptions property just to avoid warnings when loading rules.
- macro: kactivity
condition: (kevt and consider_activity_events)
- rule: K8s Deployment Created
desc: Detect any attempt to create a deployment
condition: (kactivity and kcreate and deployment and response_successful)
exceptions:
output: K8s Deployment Created (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -456,7 +388,6 @@
- rule: K8s Deployment Deleted
desc: Detect any attempt to delete a deployment
condition: (kactivity and kdelete and deployment and response_successful)
exceptions:
output: K8s Deployment Deleted (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -465,7 +396,6 @@
- rule: K8s Service Created
desc: Detect any attempt to create a service
condition: (kactivity and kcreate and service and response_successful)
exceptions:
output: K8s Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -474,7 +404,6 @@
- rule: K8s Service Deleted
desc: Detect any attempt to delete a service
condition: (kactivity and kdelete and service and response_successful)
exceptions:
output: K8s Service Deleted (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -483,7 +412,6 @@
- rule: K8s ConfigMap Created
desc: Detect any attempt to create a configmap
condition: (kactivity and kcreate and configmap and response_successful)
exceptions:
output: K8s ConfigMap Created (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -492,7 +420,6 @@
- rule: K8s ConfigMap Deleted
desc: Detect any attempt to delete a configmap
condition: (kactivity and kdelete and configmap and response_successful)
exceptions:
output: K8s ConfigMap Deleted (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -501,7 +428,6 @@
- rule: K8s Namespace Created
desc: Detect any attempt to create a namespace
condition: (kactivity and kcreate and namespace and response_successful)
exceptions:
output: K8s Namespace Created (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -510,7 +436,6 @@
- rule: K8s Namespace Deleted
desc: Detect any attempt to delete a namespace
condition: (kactivity and non_system_user and kdelete and namespace and response_successful)
exceptions:
output: K8s Namespace Deleted (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -519,7 +444,6 @@
- rule: K8s Serviceaccount Created
desc: Detect any attempt to create a service account
condition: (kactivity and kcreate and serviceaccount and response_successful)
exceptions:
output: K8s Serviceaccount Created (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -528,7 +452,6 @@
- rule: K8s Serviceaccount Deleted
desc: Detect any attempt to delete a service account
condition: (kactivity and kdelete and serviceaccount and response_successful)
exceptions:
output: K8s Serviceaccount Deleted (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -537,7 +460,6 @@
- rule: K8s Role/Clusterrole Created
desc: Detect any attempt to create a cluster role/role
condition: (kactivity and kcreate and (clusterrole or role) and response_successful)
exceptions:
output: K8s Cluster Role Created (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -546,7 +468,6 @@
- rule: K8s Role/Clusterrole Deleted
desc: Detect any attempt to delete a cluster role/role
condition: (kactivity and kdelete and (clusterrole or role) and response_successful)
exceptions:
output: K8s Cluster Role Deleted (user=%ka.user.name role=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -555,7 +476,6 @@
- rule: K8s Role/Clusterrolebinding Created
desc: Detect any attempt to create a clusterrolebinding
condition: (kactivity and kcreate and clusterrolebinding and response_successful)
exceptions:
output: K8s Cluster Role Binding Created (user=%ka.user.name binding=%ka.target.name subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -564,7 +484,6 @@
- rule: K8s Role/Clusterrolebinding Deleted
desc: Detect any attempt to delete a clusterrolebinding
condition: (kactivity and kdelete and clusterrolebinding and response_successful)
exceptions:
output: K8s Cluster Role Binding Deleted (user=%ka.user.name binding=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -573,7 +492,6 @@
- rule: K8s Secret Created
desc: Detect any attempt to create a secret. Service account tokens are excluded.
condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
exceptions:
output: K8s Secret Created (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -582,7 +500,6 @@
- rule: K8s Secret Deleted
desc: Detect any attempt to delete a secret Service account tokens are excluded.
condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
exceptions:
output: K8s Secret Deleted (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
@@ -601,7 +518,6 @@
- rule: All K8s Audit Events
desc: Match all K8s Audit Events
condition: kall
exceptions:
output: K8s Audit Event received (user=%ka.user.name verb=%ka.verb uri=%ka.uri obj=%jevt.obj)
priority: DEBUG
source: k8s_audit
@@ -634,10 +550,6 @@
and non_system_user
and ka.user.name in (full_admin_k8s_users)
and not allowed_full_admin_users
exceptions:
- name: user_names
fields: ka.user.name
comps: in
output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
priority: WARNING
source: k8s_audit
@@ -671,9 +583,6 @@
desc: Detect any attempt to create an ingress without TLS certification.
condition: >
(kactivity and kcreate and ingress and response_successful and not ingress_tls)
exceptions:
- name: ingresses
fields: [ka.target.namespace, ka.target.name]
output: >
K8s Ingress Without TLS Cert Created (user=%ka.user.name ingress=%ka.target.name
namespace=%ka.target.namespace)
@@ -704,11 +613,7 @@
and kcreate
and response_successful
and not allow_all_k8s_nodes
exceptions:
- name: nodes
fields: ka.target.name
comps: in
values: [allowed_k8s_nodes]
and not ka.target.name in (allowed_k8s_nodes)
output: Node not in allowed list successfully joined the cluster (user=%ka.user.name node=%ka.target.name)
priority: ERROR
source: k8s_audit
@@ -722,11 +627,7 @@
and kcreate
and not response_successful
and not allow_all_k8s_nodes
exceptions:
- name: nodes
fields: ka.target.name
comps: in
values: [allowed_k8s_nodes]
and not ka.target.name in (allowed_k8s_nodes)
output: Node not in allowed list tried unsuccessfully to join the cluster (user=%ka.user.name node=%ka.target.name reason=%ka.response.reason)
priority: WARNING
source: k8s_audit

6
scripts/CMakeLists.txt
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2020 The Falco Authors.
# Copyright (C) 2021 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -19,14 +19,14 @@ configure_file(debian/postinst.in debian/postinst)
configure_file(debian/postrm.in debian/postrm)
configure_file(debian/prerm.in debian/prerm)
file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco"
file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco.service"
DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
configure_file(rpm/postinstall.in rpm/postinstall)
configure_file(rpm/postuninstall.in rpm/postuninstall)
configure_file(rpm/preuninstall.in rpm/preuninstall)
file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco"
file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco.service"
DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
configure_file(falco-driver-loader falco-driver-loader @ONLY)

61
scripts/cleanup
View File

@@ -1,61 +0,0 @@
#!/usr/bin/env bash
usage() {
echo "usage: $0 -p 0987654321 -r <deb-dev|rpm-dev|bin-dev>"
exit 1
}
user=poiana
# Get the versions to delete.
#
# $1: repository to lookup
# $2: number of versions to skip.
get_versions() {
# The API endpoint returns the Falco package versions sort by most recent.
IFS=$'\n' read -r -d '' -a all < <(curl -s --header "Content-Type: application/json" "https://api.bintray.com/packages/falcosecurity/$1/falco" | jq -r '.versions | .[]' | tail -n "+$2")
}
# Remove all the versions (${all[@]} array).
#
# $1: repository containing the versions.
rem_versions() {
for i in "${!all[@]}";
do
JFROG_CLI_LOG_LEVEL=DEBUG jfrog bt vd --quiet --user "${user}" --key "${pass}" "falcosecurity/$1/falco/${all[$i]}"
done
}
while getopts ":p::r:" opt; do
case "${opt}" in
p )
pass=${OPTARG}
;;
r )
repo="${OPTARG}"
[[ "${repo}" == "deb-dev" || "${repo}" == "rpm-dev" || "${repo}" == "bin-dev" ]] || usage
;;
: )
echo "invalid option: ${OPTARG} requires an argument" 1>&2
exit 1
;;
\?)
echo "invalid option: ${OPTARG}" 1>&2
exit 1
;;
esac
done
shift $((OPTIND-1))
if [ -z "${pass}" ] || [ -z "${repo}" ]; then
usage
fi
skip=51
if [[ "${repo}" == "bin-dev" ]]; then
skip=11
fi
get_versions "${repo}" ${skip}
echo "number of versions to delete: ${#all[@]}"
rem_versions "${repo}"

176
scripts/debian/falco
View File

@@ -1,176 +0,0 @@
#! /bin/sh
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
### BEGIN INIT INFO
# Provides: falco
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Falco syscall activity monitoring agent
# Description: Falco is a system activity monitoring agent
# driven by system calls with support for containers.
### END INIT INFO
# Author: The Falco Authors <cncf-falco-dev@lists.cncf.io>
# Do NOT "set -e"
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="Falco"
NAME=falco
DAEMON=/usr/bin/$NAME
PIDFILE=/var/run/$NAME.pid
DAEMON_ARGS="--daemon --pidfile=$PIDFILE"
SCRIPTNAME=/etc/init.d/$NAME
# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working.
. /lib/lsb/init-functions
#
# Function that starts the daemon/service
#
do_start()
{
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
|| return 1
if [ ! -d /sys/module/falco ]; then
/sbin/modprobe falco || exit 1
fi
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
$DAEMON_ARGS \
|| return 2
# Add code here, if necessary, that waits for the process to be ready
# to handle requests from services started subsequently which depend
# on this one. As a last resort, sleep for some time.
}
#
# Function that stops the daemon/service
#
do_stop()
{
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
# Wait for children to finish too if this is a daemon that forks
# and if the daemon is only ever run from this initscript.
# If the above conditions are not satisfied then add some other code
# that waits for the process to drop all resources that could be
# needed by services started subsequently. A last resort is to
# sleep for some time.
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
[ "$?" = 2 ] && return 2
/sbin/rmmod falco
# Many daemons don't delete their pidfiles when they exit.
rm -f $PIDFILE
return "$RETVAL"
}
#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
#
# If the daemon can reload its configuration without
# restarting (for example, when it is sent a SIGHUP),
# then implement that here.
#
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
return 0
}
case "$1" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
do_start
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
status)
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
;;
#reload|force-reload)
#
# If do_reload() is not implemented then leave this commented out
# and leave 'force-reload' as an alias for 'restart'.
#
#log_daemon_msg "Reloading $DESC" "$NAME"
#do_reload
#log_end_msg $?
#;;
restart|force-reload)
#
# If the "reload" option is implemented then remove the
# 'force-reload' alias
#
log_daemon_msg "Restarting $DESC" "$NAME"
do_stop
case "$?" in
0|1)
do_start
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;; # Old process is still running
*) log_end_msg 1 ;; # Failed to start
esac
;;
*)
# Failed to stop
log_end_msg 1
;;
esac
;;
*)
#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
exit 3
;;
esac
:

24
scripts/debian/falco.service Normal file
View File

@@ -0,0 +1,24 @@
[Unit]
Description=Falco: Container Native Runtime Security
Documentation=https://falco.org/docs/
[Service]
Type=simple
User=root
ExecStartPre=/sbin/modprobe falco
ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
ExecStopPost=/sbin/rmmod falco
UMask=0077
TimeoutSec=30
RestartSec=15s
Restart=on-failure
PrivateTmp=true
NoNewPrivileges=yes
ProtectHome=read-only
ProtectSystem=full
ProtectKernelTunables=true
RestrictRealtime=true
RestrictAddressFamilies=~AF_PACKET
[Install]
WantedBy=multi-user.target

7
scripts/debian/postinst.in
View File

@@ -1,6 +1,6 @@
#!/bin/sh
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2021 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -41,8 +41,3 @@ case "$1" in
fi
;;
esac
if [ -x "/etc/init.d/$NAME" ]; then
update-rc.d $NAME defaults >/dev/null
fi

9
scripts/debian/postrm.in
View File

@@ -1,6 +1,6 @@
#!/bin/sh
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2021 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,10 +15,3 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
set -e
NAME=falco
if [ "$1" = "purge" ] ; then
update-rc.d $NAME remove >/dev/null
fi

12
scripts/debian/prerm.in
View File

@@ -1,6 +1,6 @@
#!/bin/sh
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2021 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -17,16 +17,6 @@
#
set -e
NAME="@PACKAGE_NAME@"
if [ -x "/etc/init.d/$NAME" ]; then
if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
invoke-rc.d $NAME stop || exit $?
else
/etc/init.d/$NAME stop || exit $?
fi
fi
DKMS_PACKAGE_NAME="@PACKAGE_NAME@"
DKMS_VERSION="@PROBE_VERSION@"

236
scripts/falco-driver-loader
View File

@@ -1,6 +1,6 @@
#!/usr/bin/env bash
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2021 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,7 +16,7 @@
# limitations under the License.
#
# Simple script that desperately tries to load the kernel instrumentation by
# looking for it in a bunch of ways. Convenient when running falco inside
# looking for it in a bunch of ways. Convenient when running Falco inside
# a container or in other weird environments.
#
@@ -82,7 +82,7 @@ get_kernel_config() {
echo "* Found kernel config at ${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
KERNEL_CONFIG_PATH="${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
elif [ -f "/lib/modules/${KERNEL_RELEASE}/config" ]; then
# this code works both for native host and agent container assuming that
# This code works both for native host and containers assuming that
# Dockerfile sets up the desired symlink /lib/modules -> $HOST_ROOT/lib/modules
echo "* Found kernel config at /lib/modules/${KERNEL_RELEASE}/config"
KERNEL_CONFIG_PATH="/lib/modules/${KERNEL_RELEASE}/config"
@@ -107,12 +107,14 @@ get_target_id() {
source "${HOST_ROOT}/etc/os-release"
OS_ID=$ID
elif [ -f "${HOST_ROOT}/etc/debian_version" ]; then
# Older Debian
# fixme > can this happen on older Ubuntu?
# Older debian distros
# fixme > Can this happen on older Ubuntu?
OS_ID=debian
elif [ -f "${HOST_ROOT}/etc/centos-release" ]; then
# Older CentOS
# Older CentOS distros
OS_ID=centos
elif [ -f "${HOST_ROOT}/etc/VERSION" ]; then
OS_ID=minikube
else
>&2 echo "Detected an unsupported target system, please get in touch with the Falco community"
exit 1
@@ -140,25 +142,25 @@ get_target_id() {
}
load_kernel_module_compile() {
# skip dkms on UEK hosts because it will always fail
# Skip dkms on UEK hosts because it will always fail
if [[ $(uname -r) == *uek* ]]; then
echo "* Skipping dkms install for UEK host"
>&2 echo "Skipping because the dkms install always fail (on UEK hosts)"
return
fi
if ! hash dkms &>/dev/null; then
echo "* Skipping dkms install (dkms not found)"
if ! hash dkms >/dev/null 2>&1; then
>&2 echo "This program requires dkms"
return
fi
# try to compile using all the available gcc versions
# Try to compile using all the available gcc versions
for CURRENT_GCC in $(which gcc) $(ls "$(dirname "$(which gcc)")"/gcc-* | grep 'gcc-[0-9]\+' | sort -r); do
echo "* Trying to dkms install ${DRIVER_NAME} module with GCC ${CURRENT_GCC}"
echo "#!/usr/bin/env bash" > /tmp/falco-dkms-make
echo "make CC=${CURRENT_GCC} \$@" >> /tmp/falco-dkms-make
chmod +x /tmp/falco-dkms-make
if dkms install --directive="MAKE='/tmp/falco-dkms-make'" -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"
echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"
if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then
echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
exit 0
@@ -181,7 +183,6 @@ load_kernel_module_compile() {
}
load_kernel_module_download() {
get_target_id
local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
@@ -189,14 +190,14 @@ load_kernel_module_download() {
local URL
URL=$(echo "${DRIVERS_REPO}/${DRIVER_VERSION}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g)
echo "* Trying to download prebuilt module from ${URL}"
echo "* Trying to download a prebuilt ${DRIVER_NAME} module from ${URL}"
if curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
echo "* Download succeeded"
insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module loaded"
insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module found and inserted"
exit $?
else
>&2 echo "Download failed, consider compiling your own ${DRIVER_NAME} module and loading it or getting in touch with the Falco community"
exit 1
>&2 echo "Unable to find a prebuilt ${DRIVER_NAME} module"
return
fi
}
@@ -220,7 +221,7 @@ load_kernel_module() {
rmmod "${DRIVER_NAME}" 2>/dev/null
WAIT_TIME=0
KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
while lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do
while lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do
if rmmod "${DRIVER_NAME}" 2>/dev/null; then
echo "* Unloading ${DRIVER_NAME} module succeeded after ${WAIT_TIME}s"
break
@@ -237,33 +238,77 @@ load_kernel_module() {
exit 0
fi
if [ -n "$ENABLE_COMPILE" ]; then
load_kernel_module_compile
fi
echo "* Trying to load a system ${DRIVER_NAME} driver, if present"
echo "* Trying to load a system ${DRIVER_NAME} module, if present"
if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
echo "* Success: ${DRIVER_NAME} module found and loaded with modprobe"
exit 0
fi
fi
echo "* Trying to find locally a prebuilt ${DRIVER_NAME} module for kernel ${KERNEL_RELEASE}, if present"
echo "* Looking for a ${DRIVER_NAME} module locally (kernel ${KERNEL_RELEASE})"
get_target_id
local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
if [ -f "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" ]; then
echo "* Found a prebuilt module at ${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module loaded"
echo "* Found a prebuilt ${DRIVER_NAME} module at ${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module found and inserted"
exit $?
fi
if [ -n "$ENABLE_DOWNLOAD" ]; then
load_kernel_module_download
fi
if [ -n "$ENABLE_COMPILE" ]; then
load_kernel_module_compile
fi
# Not able to download a prebuilt module nor to compile one on-the-fly
>&2 echo "Consider compiling your own ${DRIVER_NAME} driver and loading it or getting in touch with the Falco community"
exit 1
}
clean_kernel_module() {
if ! hash lsmod > /dev/null 2>&1; then
>&2 echo "This program requires lsmod"
exit 1
fi
if ! hash rmmod > /dev/null 2>&1; then
>&2 echo "This program requires rmmod"
exit 1
fi
KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
if lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}"; then
if rmmod "${DRIVER_NAME}" 2>/dev/null; then
echo "* Unloading ${DRIVER_NAME} module succeeded"
else
echo "* Unloading ${DRIVER_NAME} module failed"
fi
else
echo "* There is no ${DRIVER_NAME} module loaded"
fi
if ! hash dkms >/dev/null 2>&1; then
echo "* Skipping dkms remove (dkms not found)"
return
fi
DRIVER_VERSIONS=$(dkms status -m "${DRIVER_NAME}" | cut -d',' -f2 | sed -e 's/^[[:space:]]*//')
if [ -z "${DRIVER_VERSIONS}" ]; then
echo "* There is no ${DRIVER_NAME} module in dkms"
return
fi
for CURRENT_VER in ${DRIVER_VERSIONS}; do
if dkms remove -m "${DRIVER_NAME}" -v "${CURRENT_VER}" --all 2>/dev/null; then
echo "* Removing ${DRIVER_NAME}/${CURRENT_VER} succeeded"
else
echo "* Removing ${DRIVER_NAME}/${CURRENT_VER} failed"
exit 1
fi
done
}
load_bpf_probe_compile() {
@@ -272,14 +317,14 @@ load_bpf_probe_compile() {
customize_kernel_build() {
if [ -n "${KERNEL_EXTRA_VERSION}" ]; then
sed -i "s/LOCALVERSION=\"\"/LOCALVERSION=\"${KERNEL_EXTRA_VERSION}\"/" .config
sed -i "s/LOCALVERSION=\"\"/LOCALVERSION=\"${KERNEL_EXTRA_VERSION}\"/" .config
fi
make olddefconfig > /dev/null
make modules_prepare > /dev/null
}
if [ -n "${COS}" ]; then
echo "* COS detected (build ${BUILD_ID}), using cos kernel headers"
if [ "${TARGET_ID}" == "cos" ]; then
echo "* COS detected (build ${BUILD_ID}), using COS kernel headers"
BPF_KERNEL_SOURCES_URL="https://storage.googleapis.com/cos-tools/${BUILD_ID}/kernel-headers.tgz"
KERNEL_EXTRA_VERSION="+"
@@ -310,7 +355,8 @@ load_bpf_probe_compile() {
}
fi
if [ -n "${MINIKUBE}" ]; then
if [ "${TARGET_ID}" == "minikube" ]; then
MINIKUBE_VERSION="$(cat "${HOST_ROOT}/etc/VERSION")"
echo "* Minikube detected (${MINIKUBE_VERSION}), using linux kernel sources for minikube kernel"
local kernel_version
kernel_version=$(uname -r)
@@ -336,14 +382,16 @@ load_bpf_probe_compile() {
fi
if [ -n "${BPF_KERNEL_SOURCES_URL}" ]; then
get_kernel_config
echo "* Downloading ${BPF_KERNEL_SOURCES_URL}"
mkdir -p /tmp/kernel
cd /tmp/kernel || exit
cd "$(mktemp -d -p /tmp/kernel)" || exit
if ! curl -L -o kernel-sources.tgz --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" "${BPF_KERNEL_SOURCES_URL}"; then
>&2 echo "Download failed"
exit 1;
>&2 echo "Unable to download the kernel sources"
return
fi
echo "* Extracting kernel sources"
@@ -384,47 +432,22 @@ load_bpf_probe_download() {
echo "* Trying to download a prebuilt eBPF probe from ${URL}"
if ! curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${URL}"; then
>&2 echo "Download failed"
exit 1;
>&2 echo "Unable to find a prebuilt ${DRIVER_NAME} eBPF probe"
return
fi
}
load_bpf_probe() {
echo "* Mounting debugfs"
if [ ! -d /sys/kernel/debug/tracing ]; then
mount -t debugfs nodev /sys/kernel/debug
fi
get_kernel_config
if [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/os-release" ]; then
# shellcheck source=/dev/null
source "${HOST_ROOT}/etc/os-release"
if [ "${ID}" == "cos" ]; then
COS=1
fi
fi
if [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/VERSION" ]; then
MINIKUBE=1
MINIKUBE_VERSION="$(cat "${HOST_ROOT}/etc/VERSION")"
fi
get_target_id
BPF_PROBE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.o"
if [ -n "$ENABLE_COMPILE" ]; then
if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
echo "* Skipping compile, eBPF probe is already present in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
else
load_bpf_probe_compile
fi
fi
if [ -n "$ENABLE_DOWNLOAD" ]; then
if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
echo "* Skipping download, eBPF probe is already present in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
@@ -433,21 +456,22 @@ load_bpf_probe() {
fi
fi
if [ -n "$ENABLE_COMPILE" ]; then
if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
echo "* Skipping compilation, eBPF probe is already present in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
else
load_bpf_probe_compile
fi
fi
if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
echo "* eBPF probe located in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
if [ ! -f /proc/sys/net/core/bpf_jit_enable ]; then
echo "******************************************************************"
echo "** BPF doesn't have JIT enabled, performance might be degraded. **"
echo "** Please ensure to run on a kernel with CONFIG_BPF_JIT on. **"
echo "******************************************************************"
fi
ln -sf "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${HOME}/.falco/${DRIVER_NAME}-bpf.o" \
&& echo "* Success: eBPF probe symlinked to ${HOME}/.falco/${DRIVER_NAME}-bpf.o"
exit $?
else
>&2 echo "Failure to find an eBPF probe"
>&2 echo "Unable to load the ${DRIVER_NAME} eBPF probe"
exit 1
fi
}
@@ -463,15 +487,32 @@ print_usage() {
echo ""
echo "Options:"
echo " --help show brief help"
echo " --compile try to compile the driver locally"
echo " --download try to download a prebuilt driver"
echo " --clean try to remove an already present driver installation"
echo " --compile try to compile the driver locally (default true)"
echo " --download try to download a prebuilt driver (default true)"
echo " --source-only skip execution and allow sourcing in another script"
echo ""
echo "Environment variables:"
echo " DRIVER_REPO specify a different URL where to look for prebuilt Falco drivers"
echo " DRIVER_NAME specify a different name for the driver"
echo " DRIVER_INSECURE_DOWNLOAD whether you want to allow insecure downloads or not"
echo ""
echo "Versions:"
echo " Falco version ${FALCO_VERSION}"
echo " Driver version ${DRIVER_VERSION}"
echo ""
}
ARCH=$(uname -m)
KERNEL_RELEASE=$(uname -r)
if ! hash sed > /dev/null 2>&1; then
>&2 echo "This program requires sed"
exit 1
fi
KERNEL_VERSION=$(uname -v | sed 's/#\([[:digit:]]\+\).*/\1/')
DRIVERS_REPO=${DRIVERS_REPO:-"@DRIVERS_REPO@"}
if [ -n "$DRIVER_INSECURE_DOWNLOAD" ]
@@ -486,7 +527,8 @@ if [[ -z "$MAX_RMMOD_WAIT" ]]; then
fi
DRIVER_VERSION="@PROBE_VERSION@"
DRIVER_NAME="@PROBE_NAME@"
DRIVER_NAME=${DRIVER_NAME:-"@PROBE_NAME@"}
FALCO_VERSION="@FALCO_VERSION@"
DRIVER="module"
if [ -v FALCO_BPF_PROBE ]; then
@@ -496,6 +538,7 @@ fi
ENABLE_COMPILE=
ENABLE_DOWNLOAD=
clean=
has_args=
has_opts=
source_only=
@@ -503,7 +546,7 @@ while test $# -gt 0; do
case "$1" in
module|bpf)
if [ -n "$has_args" ]; then
>&2 echo "Only one driver can be passed"
>&2 echo "Only one driver per invocation"
print_usage
exit 1
else
@@ -516,6 +559,10 @@ while test $# -gt 0; do
print_usage
exit 0
;;
--clean)
clean="true"
shift
;;
--compile)
ENABLE_COMPILE="yes"
has_opts="true"
@@ -549,23 +596,42 @@ if [ -z "$has_opts" ]; then
fi
if [ -z "$source_only" ]; then
echo "* Running falco-driver-loader for: falco version=${FALCO_VERSION}, driver version=${DRIVER_VERSION}"
if [ "$(id -u)" != 0 ]; then
>&2 echo "This program must be run as root (or with sudo)"
exit 1
fi
if ! hash curl > /dev/null 2>&1; then
>&2 echo "This program requires curl"
exit 1
fi
if [ -n "$clean" ]; then
if [ -n "$has_opts" ]; then
>&2 echo "Cannot use --clean with other options"
exit 1
fi
echo "* Running falco-driver-loader with: driver=$DRIVER, compile=${ENABLE_COMPILE:-"no"}, download=${ENABLE_DOWNLOAD:-"no"}"
case $DRIVER in
echo "* Running falco-driver-loader with: driver=$DRIVER, clean=yes"
case $DRIVER in
module)
load_kernel_module
clean_kernel_module
;;
bpf)
load_bpf_probe
;;
esac
fi
>&2 echo "--clean not supported for driver=bpf"
exit 1
esac
else
if ! hash curl > /dev/null 2>&1; then
>&2 echo "This program requires curl"
exit 1
fi
echo "* Running falco-driver-loader with: driver=$DRIVER, compile=${ENABLE_COMPILE:-"no"}, download=${ENABLE_DOWNLOAD:-"no"}"
case $DRIVER in
module)
load_kernel_module
;;
bpf)
load_bpf_probe
;;
esac
fi
fi

6
scripts/ignored-calls.sh
View File

@@ -17,9 +17,9 @@
#
scriptdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
parentdir="$(dirname "$scriptdir")"
sysdigdir="${parentdir}/build/sysdig-repo/sysdig-prefix/src/sysdig"
cat "${sysdigdir}/userspace/libscap/syscall_info_table.c" | grep EF_DROP_SIMPLE_CONS | sed -e 's/.*\"\(.*\)\".*/\1/' | sort > /tmp/ignored_syscall_info_table.txt
cat "${sysdigdir}/driver/event_table.c" | grep EF_DROP_SIMPLE_CONS | sed -e 's/[^\"]*\"\([^\"]*\)\".*/\1/' | sort | uniq > /tmp/ignored_driver_event_table.txt
libsdir="${parentdir}/build/falcosecurity-libs-repo/falcosecurity-libs-prefix/src/falcosecurity-libs"
cat "${libsdir}/userspace/libscap/syscall_info_table.c" | grep EF_DROP_SIMPLE_CONS | sed -e 's/.*\"\(.*\)\".*/\1/' | sort > /tmp/ignored_syscall_info_table.txt
cat "${libsdir}/driver/event_table.c" | grep EF_DROP_SIMPLE_CONS | sed -e 's/[^\"]*\"\([^\"]*\)\".*/\1/' | sort | uniq > /tmp/ignored_driver_event_table.txt
cat /tmp/ignored_driver_event_table.txt /tmp/ignored_syscall_info_table.txt | sort | uniq | tr '\n' ', '

47
scripts/publish-bin Executable file
View File

@@ -0,0 +1,47 @@
#!/usr/bin/env bash
set -e
usage() {
echo "usage: $0 -f <package.tar.gz> -r <bin|bin-dev> -a <arch>"
exit 1
}
# parse options
while getopts ":f::r::a:" opt; do
case "${opt}" in
f )
file=${OPTARG}
;;
r )
repo="${OPTARG}"
[[ "${repo}" == "bin" || "${repo}" == "bin-dev" ]] || usage
;;
a )
arch=${OPTARG}
;;
: )
echo "invalid option: ${OPTARG} requires an argument" 1>&2
exit 1
;;
\?)
echo "invalid option: ${OPTARG}" 1>&2
exit 1
;;
esac
done
shift $((OPTIND-1))
if [ -z "${file}" ] || [ -z "${repo}" ] || [ -z "${arch}" ]; then
usage
fi
# settings
s3_bucket_repo="s3://falco-distribution/packages/${repo}/${arch}"
cloudfront_path="/packages/${repo}/${arch}"
# publish
package=$(basename -- ${file})
echo "Publishing ${package} to ${s3_bucket_repo}..."
aws s3 cp ${file} ${s3_bucket_repo}/${package} --acl public-read
aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}

132
scripts/publish-deb Executable file
View File

@@ -0,0 +1,132 @@
#!/usr/bin/env bash
set -e
usage() {
echo "usage: $0 -f <package.deb> -r <deb|deb-dev>"
exit 1
}
check_program() {
if ! command -v $1 &> /dev/null
then
echo "$1 is required and could not be found"
exit
fi
}
# Add a package to the local DEB repository
#
# $1: path of the repository.
# $2: suite (eg. "stable")
# $3: path of the DEB file.
add_deb() {
cp -f $3 $1/$2
pushd $1/$2 > /dev/null
rm -f $(basename -- $3).asc
gpg --detach-sign --armor $(basename -- $3)
popd > /dev/null
}
# Update the local DEB repository
#
# $1: path of the repository
# $2: suite (eg. "stable")
update_repo() {
# fixme(leogr): we cannot use apt-ftparchive --arch packages ...
# since our .deb files ends with "_x86_64" instead of "amd64".
# See https://manpages.debian.org/jessie/apt-utils/apt-ftparchive.1.en.html
#
# As a workaround, we temporarily stick here with "amd64"
# (the only supported arch at the moment)
local arch=amd64
local component=main
local debs_dir=$2
local release_dir=dists/$2
local packages_dir=${release_dir}/${component}/binary-${arch}
pushd $1 > /dev/null
# packages metadata
apt-ftparchive packages ${debs_dir} > ${packages_dir}/Packages
gzip -c ${packages_dir}/Packages > ${packages_dir}/Packages.gz
bzip2 -z -c ${packages_dir}/Packages > ${packages_dir}/Packages.bz2
# release metadata
apt-ftparchive release \
-o APT::FTPArchive::Release::Origin=Falco \
-o APT::FTPArchive::Release::Label=Falco \
-o APT::FTPArchive::Release::Suite=$2 \
-o APT::FTPArchive::Release::Codename=$2 \
-o APT::FTPArchive::Release::Components=${component} \
-o APT::FTPArchive::Release::Architectures=${arch} \
${release_dir} > ${release_dir}/Release
# release signature
gpg --detach-sign --armor ${release_dir}/Release
rm -f ${release_dir}/Release.gpg
mv ${release_dir}/Release.asc ${release_dir}/Release.gpg
popd > /dev/null
}
# parse options
while getopts ":f::r:" opt; do
case "${opt}" in
f )
file=${OPTARG}
;;
r )
repo="${OPTARG}"
[[ "${repo}" == "deb" || "${repo}" == "deb-dev" ]] || usage
;;
: )
echo "invalid option: ${OPTARG} requires an argument" 1>&2
exit 1
;;
\?)
echo "invalid option: ${OPTARG}" 1>&2
exit 1
;;
esac
done
shift $((OPTIND-1))
# check options
if [ -z "${file}" ] || [ -z "${repo}" ]; then
usage
fi
# check prerequisites
check_program apt-ftparchive
check_program gzip
check_program bzip2
check_program gpg
check_program aws
# settings
debSuite=stable
s3_bucket_repo="s3://falco-distribution/packages/${repo}"
cloudfront_path="/packages/${repo}"
tmp_repo_path=/tmp/falco-$repo
# prepare repository local copy
echo "Fetching ${s3_bucket_repo}..."
mkdir -p ${tmp_repo_path}
aws s3 cp ${s3_bucket_repo} ${tmp_repo_path} --recursive
# update the repo
echo "Adding ${file}..."
add_deb ${tmp_repo_path} ${debSuite} ${file}
update_repo ${tmp_repo_path} ${debSuite}
# publish
package=$(basename -- ${file})
echo "Publishing ${package} to ${s3_bucket_repo}..."
aws s3 cp ${tmp_repo_path}/${debSuite}/${package} ${s3_bucket_repo}/${debSuite}/${package} --acl public-read
aws s3 cp ${tmp_repo_path}/${debSuite}/${package}.asc ${s3_bucket_repo}/${debSuite}/${package}.asc --acl public-read
aws s3 sync ${tmp_repo_path}/dists ${s3_bucket_repo}/dists --delete --acl public-read
aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${debSuite}/${package}
aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${debSuite}/${package}.asc
aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/dists/*

96
scripts/publish-rpm Executable file
View File

@@ -0,0 +1,96 @@
#!/usr/bin/env bash
set -e
usage() {
echo "usage: $0 -f <package.rpm> -r <rpm|rpm-dev>"
exit 1
}
check_program() {
if ! command -v $1 &> /dev/null
then
echo "$1 is required and could not be found"
exit
fi
}
# Add a package to the local RPM repository
#
# $1: path of the repository.
# $2: path of the RPM file.
add_rpm() {
cp -f $2 $1
pushd $1 > /dev/null
rm -f $(basename -- $2).asc
gpg --detach-sign --armor $(basename -- $2)
popd > /dev/null
}
# Update the local RPM repository
#
# $1: path of the repository.
update_repo() {
pushd $1 > /dev/null
createrepo --update --no-database .
rm -f repodata/repomd.xml.asc
gpg --detach-sign --armor repodata/repomd.xml
popd > /dev/null
}
# parse options
while getopts ":f::r:" opt; do
case "${opt}" in
f )
file=${OPTARG}
;;
r )
repo="${OPTARG}"
[[ "${repo}" == "rpm" || "${repo}" == "rpm-dev" ]] || usage
;;
: )
echo "invalid option: ${OPTARG} requires an argument" 1>&2
exit 1
;;
\?)
echo "invalid option: ${OPTARG}" 1>&2
exit 1
;;
esac
done
shift $((OPTIND-1))
if [ -z "${file}" ] || [ -z "${repo}" ]; then
usage
fi
# check prerequisites
check_program createrepo
check_program gpg
check_program aws
# settings
s3_bucket_repo="s3://falco-distribution/packages/${repo}"
cloudfront_path="/packages/${repo}"
tmp_repo_path=/tmp/falco-$repo
# prepare repository local copy
echo "Fetching ${s3_bucket_repo}..."
mkdir -p ${tmp_repo_path}
aws s3 cp ${s3_bucket_repo} ${tmp_repo_path} --recursive
# update the repo
echo "Adding ${file}..."
add_rpm ${tmp_repo_path} ${file}
update_repo ${tmp_repo_path}
# publish
package=$(basename -- ${file})
echo "Publishing ${package} to ${s3_bucket_repo}..."
aws s3 cp ${tmp_repo_path}/${package} ${s3_bucket_repo}/${package} --acl public-read
aws s3 cp ${tmp_repo_path}/${package}.asc ${s3_bucket_repo}/${package}.asc --acl public-read
aws s3 sync ${tmp_repo_path}/repodata ${s3_bucket_repo}/repodata --delete --acl public-read
aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}
aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}.asc
aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/repodata/*

127
scripts/rpm/falco
View File

@@ -1,127 +0,0 @@
#!/bin/sh
#
# Copyright (C) 2019 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
#
# falco syscall monitoring agent
#
# chkconfig: 2345 55 45
# description: Falco syscall monitoring agent
#
### BEGIN INIT INFO
# Provides:
# Required-Start:
# Required-Stop:
# Should-Start:
# Should-Stop:
# Default-Start:
# Default-Stop:
# Short-Description:
# Description:
### END INIT INFO
# Source function library.
. /etc/rc.d/init.d/functions
exec="/usr/bin/falco"
prog="falco"
# config="<path to major config file>"
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
lockfile=/var/lock/subsys/$prog
pidfile="/var/run/falco.pid"
start() {
[ -x $exec ] || exit 5
# [ -f $config ] || exit 6
echo -n $"Starting $prog: "
daemon $exec --daemon --pidfile=$pidfile
if [ ! -d /sys/module/falco ]; then
/sbin/modprobe falco || return $?
fi
retval=$?
echo
[ $retval -eq 0 ] && touch $lockfile
return $retval
}
stop() {
echo -n $"Stopping $prog: "
killproc -p $pidfile
retval=$?
echo
/sbin/rmmod falco
[ $retval -eq 0 ] && rm -f $lockfile
return $retval
}
restart() {
stop
start
}
reload() {
restart
}
force_reload() {
restart
}
rh_status() {
status -p $pidfile $prog
}
rh_status_q() {
rh_status >/dev/null 2>&1
}
case "$1" in
start)
rh_status_q && exit 0
$1
;;
stop)
rh_status_q || exit 0
$1
;;
restart)
$1
;;
reload)
rh_status_q || exit 7
$1
;;
force-reload)
force_reload
;;
status)
rh_status
;;
condrestart|try-restart)
rh_status_q || exit 0
restart
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
exit 2
esac
exit $?

24
scripts/rpm/falco.service Normal file
View File

@@ -0,0 +1,24 @@
[Unit]
Description=Falco: Container Native Runtime Security
Documentation=https://falco.org/docs/
[Service]
Type=simple
User=root
ExecStartPre=/sbin/modprobe falco
ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
ExecStopPost=/sbin/rmmod falco
UMask=0077
TimeoutSec=30
RestartSec=15s
Restart=on-failure
PrivateTmp=true
NoNewPrivileges=yes
ProtectHome=read-only
ProtectSystem=full
ProtectKernelTunables=true
RestrictRealtime=true
RestrictAddressFamilies=~AF_PACKET
[Install]
WantedBy=multi-user.target

4
scripts/rpm/postinstall.in
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2020 The Falco Authors.
# Copyright (C) 2021 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -29,5 +29,3 @@ else
echo -e "Module build for the currently running kernel was skipped since the"
echo -e "kernel source for this kernel does not seem to be installed."
fi
/sbin/chkconfig --add falco

6
scripts/rpm/postuninstall.in
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2021 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,7 +14,3 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
if [ "$1" -ge "1" ]; then
/sbin/service falco condrestart > /dev/null 2>&1
fi

7
scripts/rpm/preuninstall.in
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2021 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,10 +15,5 @@
# limitations under the License.
#
if [ $1 = 0 ]; then
/sbin/service falco stop > /dev/null 2>&1
/sbin/chkconfig --del falco
fi
mod_version="@PROBE_VERSION@"
dkms remove -m falco -v $mod_version --all --rpm_safe_upgrade

14
test/README.md
View File

@@ -2,7 +2,7 @@
This folder contains the Regression tests suite for Falco.
You can find instructions on how to run this test suite on the Falco website [here](https://falco.org/docs/source/#run-regression-tests).
You can find instructions on how to run this test suite on the Falco website [here](https://falco.org/docs/getting-started/source/#run-regression-tests).
## Test suites
@@ -16,7 +16,7 @@ You can find instructions on how to run this test suite on the Falco website [he
This step assumes you already built Falco.
Note that the tests are intended to be run against a [release build](https://falco.org/docs/source/#specify-the-build-type) of Falco, at the moment.
Note that the tests are intended to be run against a [release build](https://falco.org/docs/getting-started/source/#specify-the-build-type) of Falco, at the moment.
Also, it assumes you prepared [falco_traces](#falco_traces) (see the section below) and you already run the following command from the build directory:
@@ -26,7 +26,15 @@ make test-trace-files
It prepares the fixtures (`json` and `scap` files) needed by the integration tests.
Using `virtualenv` the steps to locally run a specific test suite are the following ones (from this directory):
**Requirements**
- Python 3.x
- [Virtualenv](https://virtualenv.pypa.io/en/latest/)
- [grpcurl](https://github.com/fullstorydev/grpcurl)
**Setup and execution**
Using `virtualenv` the steps to locally run a specific test suite are the following ones (**from this directory**):
```console
virtualenv venv

12
test/confs/drops_ignore_log.yaml Normal file
View File

@@ -0,0 +1,12 @@
syscall_event_drops:
actions:
- ignore
- log
rate: .03333
max_burst: 10
simulate_drops: true
stdout_output:
enabled: true
log_stderr: true

2
test/confs/drops_log.yaml
View File

@@ -9,3 +9,5 @@ stdout_output:
enabled: true
log_stderr: true
log_level: debug

12
test/confs/drops_threshold_neg.yaml Normal file
View File

@@ -0,0 +1,12 @@
syscall_event_drops:
threshold: -1
actions:
- ignore
rate: .03333
max_burst: 10
simulate_drops: true
stdout_output:
enabled: true
log_stderr: true

12
test/confs/drops_threshold_oor.yaml Normal file
View File

@@ -0,0 +1,12 @@
syscall_event_drops:
threshold: 1.1
actions:
- ignore
rate: .03333
max_burst: 10
simulate_drops: true
stdout_output:
enabled: true
log_stderr: true

21
test/falco_k8s_audit_tests.yaml
View File

@@ -128,6 +128,16 @@ trace_files: !mux
- Create Privileged Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
create_privileged_no_secctx_1st_container_2nd_container_pod:
detect: True
detect_level: WARNING
rules_file:
- ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml
detect_counts:
- Create Privileged Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json
create_privileged_2nd_container_pod:
detect: True
detect_level: WARNING
@@ -612,4 +622,13 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- K8s Secret Deleted: 1
trace_file: trace_files/k8s_audit/delete_secret.json
trace_file: trace_files/k8s_audit/delete_secret.json
fal_01_003:
detect: False
detect_level: INFO
rules_file:
- ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml
trace_file: trace_files/k8s_audit/fal_01_003.json
stderr_contains: 'Could not read k8s audit event line #1, "{"kind": 0}": Data not recognized as a k8s audit event, stopping'

59
test/falco_tests.yaml
View File

@@ -356,8 +356,6 @@ trace_files: !mux
condition: evt.type=fork
priority: INFO
---
1 warnings:
Rule no output rule: consider adding an exceptions property to define supported exceptions fields
validate_rules_file:
- rules/invalid_rule_without_output.yaml
trace_file: trace_files/cat_write.scap
@@ -413,8 +411,6 @@ trace_files: !mux
condition: evt.type=open
append: true
---
1 warnings:
Rule my_rule: consider adding an exceptions property to define supported exceptions fields
validate_rules_file:
- rules/rule_append_failure.yaml
trace_file: trace_files/cat_write.scap
@@ -542,9 +538,6 @@ trace_files: !mux
priority: INFO
append: false
---
2 warnings:
Rule some rule: consider adding an exceptions property to define supported exceptions fields
Rule some rule: consider adding an exceptions property to define supported exceptions fields
validate_rules_file:
- rules/invalid_overwrite_rule_multiple_docs.yaml
trace_file: trace_files/cat_write.scap
@@ -567,9 +560,6 @@ trace_files: !mux
priority: INFO
append: true
---
2 warnings:
Rule some rule: consider adding an exceptions property to define supported exceptions fields
Rule some rule: consider adding an exceptions property to define supported exceptions fields
validate_rules_file:
- rules/invalid_append_rule_multiple_docs.yaml
trace_file: trace_files/cat_write.scap
@@ -627,8 +617,6 @@ trace_files: !mux
output: "An open was seen %not_a_real_field"
priority: WARNING
---
1 warnings:
Rule rule_with_invalid_output: consider adding an exceptions property to define supported exceptions fields
validate_rules_file:
- rules/invalid_rule_output.yaml
trace_file: trace_files/cat_write.scap
@@ -775,7 +763,7 @@ trace_files: !mux
- "Non sudo setuid": 1
- "Create files below dev": 1
- "Modify binary dirs": 2
- "Change thread namespace": 1
- "Change thread namespace": 0
disabled_tags_a:
detect: True
@@ -1227,6 +1215,51 @@ trace_files: !mux
stdout_not_contains:
- "Falco internal: syscall event drop"
monitor_syscall_drops_ignore_and_log:
exit_status: 1
rules_file:
- rules/single_rule.yaml
conf_file: confs/drops_ignore_log.yaml
trace_file: trace_files/ping_sendto.scap
stderr_not_contains:
- "event drop detected: 9 occurrences"
- "num times actions taken: 9"
- "Falco internal: syscall event drop"
stdout_not_contains:
- "Falco internal: syscall event drop"
stderr_contains:
- "syscall event drop action \"log\" does not make sense with the \"ignore\" action"
monitor_syscall_drops_threshold_oor:
exit_status: 1
rules_file:
- rules/single_rule.yaml
conf_file: confs/drops_threshold_oor.yaml
trace_file: trace_files/ping_sendto.scap
stderr_not_contains:
- "event drop detected: 9 occurrences"
- "num times actions taken: 9"
- "Falco internal: syscall event drop"
stdout_not_contains:
- "Falco internal: syscall event drop"
stderr_contains:
- "syscall event drops threshold must be a double in the range"
monitor_syscall_drops_threshold_neg:
exit_status: 1
rules_file:
- rules/single_rule.yaml
conf_file: confs/drops_threshold_neg.yaml
trace_file: trace_files/ping_sendto.scap
stderr_not_contains:
- "event drop detected: 9 occurrences"
- "num times actions taken: 9"
- "Falco internal: syscall event drop"
stdout_not_contains:
- "Falco internal: syscall event drop"
stderr_contains:
- "syscall event drops threshold must be a double in the range"
monitor_syscall_drops_log:
exit_status: 0
rules_file:

9
test/falco_tests_exceptions.yaml
View File

@@ -185,15 +185,6 @@ trace_files: !mux
- rules/exceptions/append_item_not_in_rule.yaml
trace_file: trace_files/cat_write.scap
rule_without_exception:
exit_status: 0
stderr_contains: |+
1 warnings:
Rule My Rule: consider adding an exceptions property to define supported exceptions fields
validate_rules_file:
- rules/exceptions/rule_without_exception.yaml
trace_file: trace_files/cat_write.scap
rule_exception_no_values:
detect: True
detect_level: WARNING

6
test/falco_traces.yaml.in
View File

@@ -23,10 +23,10 @@ has_json_output: !mux
traces: !mux
change-thread-namespace:
trace_file: traces-positive/change-thread-namespace.scap
detect: True
detect: False
detect_level: NOTICE
detect_counts:
- "Change thread namespace": 1
- "Change thread namespace": 0
container-privileged:
trace_file: traces-positive/container-privileged.scap
@@ -73,7 +73,7 @@ traces: !mux
- "Non sudo setuid": 1
- "Create files below dev": 1
- "Modify binary dirs": 2
- "Change thread namespace": 1
- "Change thread namespace": 0
mkdir-binary-dirs:
trace_file: traces-positive/mkdir-binary-dirs.scap

6
test/requirements.txt
View File

@@ -5,9 +5,9 @@ chardet==3.0.4
idna==2.9
pathtools==0.1.2
pbr==5.4.5
PyYAML==5.3.1
PyYAML==5.4
requests==2.23.0
six==1.14.0
stevedore==1.32.0
urllib3==1.25.9
watchdog==0.10.2
urllib3==1.26.5
watchdog==0.10.2

21
test/rules/exceptions/rule_without_exception.yaml
View File

@@ -1,21 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
priority: error

4
test/run_performance_tests.sh Normal file → Executable file
View File

@@ -20,9 +20,11 @@
trap "cleanup; exit" SIGHUP SIGINT SIGTERM
TRACE_FILES_BASE_URL=${TRACE_FILES_BASE_URL:-"https://download.falco.org/fixtures/trace-files/"}
function download_trace_files() {
(mkdir -p $TRACEDIR && rm -rf $TRACEDIR/traces-perf && curl -fo $TRACEDIR/traces-perf.zip https://s3.amazonaws.com/download.draios.com/falco-tests/traces-perf.zip && unzip -d $TRACEDIR $TRACEDIR/traces-perf.zip && rm -f $TRACEDIR/traces-perf.zip) || exit 1
(mkdir -p $TRACEDIR && rm -rf $TRACEDIR/traces-perf && curl -fo $TRACEDIR/traces-perf.zip "${TRACE_FILES_BASE_URL}traces-perf.zip" && unzip -d $TRACEDIR $TRACEDIR/traces-perf.zip && rm -f $TRACEDIR/traces-perf.zip) || exit 1
}

5
test/run_regression_tests.sh
View File

@@ -20,6 +20,7 @@ set -euo pipefail
SCRIPT=$(readlink -f $0)
SCRIPTDIR=$(dirname "$SCRIPT")
SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false}
TRACE_FILES_BASE_URL=${TRACE_FILES_BASE_URL:-"https://download.falco.org/fixtures/trace-files/"}
# Trace file tarballs are now versioned. Any time a substantial change
# is made that affects the interaction of rules+engine and the trace
@@ -31,9 +32,9 @@ function download_trace_files() {
for TRACE in traces-positive traces-negative traces-info ; do
if [ ! -e "$TRACE_DIR/$TRACE" ]; then
if [ "$OPT_BRANCH" != "none" ]; then
curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$OPT_BRANCH.zip
curl -fso "$TRACE_DIR/$TRACE.zip" "$TRACE_FILES_BASE_URL$TRACE-$OPT_BRANCH.zip"
else
curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$TRACE_FILES_VERSION.zip
curl -fso "$TRACE_DIR/$TRACE.zip" "$TRACE_FILES_BASE_URL$TRACE-$TRACE_FILES_VERSION.zip"
fi
unzip -d "$TRACE_DIR" "$TRACE_DIR/$TRACE.zip"
rm -rf "$TRACE_DIR/$TRACE.zip"

1
test/trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json Normal file
View File

@@ -0,0 +1 @@
{"annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""},"auditID":"f83ecd50-5bf4-4fe7-a419-dea22852ca49","kind":"Event","level":"RequestResponse","metadata":{"creationTimestamp":"2018-10-25T17:53:07Z"},"objectRef":{"apiVersion":"v1","namespace":"default","resource":"pods"},"requestObject":{"apiVersion":"v1","kind":"Pod","metadata":{"creationTimestamp":null,"generateName":"nginx-deployment-544b59f8b8-","labels":{"app":"nginx","pod-template-hash":"1006159464"},"ownerReferences":[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"ReplicaSet","name":"nginx-deployment-544b59f8b8","uid":"d40b40e1-d87e-11e8-a473-080027728ac4"}]},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"Always","name":"nginx1","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"},{"image":"mysql:latest","imagePullPolicy":"Always","name":"mysql","resources":{},"securityContext":{"privileged":true},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30},"status":{}},"requestReceivedTimestamp":"2018-10-25T17:53:06.995407Z","requestURI":"/api/v1/namespaces/default/pods","responseObject":{"apiVersion":"v1","kind":"Pod","metadata":{"creationTimestamp":"2018-10-25T17:53:06Z","generateName":"nginx-deployment-544b59f8b8-","labels":{"app":"nginx","pod-template-hash":"1006159464"},"name":"nginx-deployment-544b59f8b8-ffkxm","namespace":"default","ownerReferences":[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"ReplicaSet","name":"nginx-deployment-544b59f8b8","uid":"d40b40e1-d87e-11e8-a473-080027728ac4"}],"resourceVersion":"246302","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-544b59f8b8-ffkxm","uid":"d40dfcd7-d87e-11e8-a473-080027728ac4"},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"Always","name":"nginx1","resources":{},"securityContext":{"privileged":false},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount","name":"default-token-g2sp7","readOnly":true}]},{"image":"mysql:latest","imagePullPolicy":"Always","name":"mysql","resources":{},"securityContext":{"privileged":true},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount","name":"default-token-g2sp7","readOnly":true}]}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"serviceAccount":"default","serviceAccountName":"default","terminationGracePeriodSeconds":30,"tolerations":[{"effect":"NoExecute","key":"node.kubernetes.io/not-ready","operator":"Exists","tolerationSeconds":300},{"effect":"NoExecute","key":"node.kubernetes.io/unreachable","operator":"Exists","tolerationSeconds":300}],"volumes":[{"name":"default-token-g2sp7","secret":{"defaultMode":420,"secretName":"default-token-g2sp7"}}]},"status":{"phase":"Pending","qosClass":"BestEffort"}},"responseStatus":{"code":201,"metadata":{}},"sourceIPs":["::1"],"stage":"ResponseComplete","stageTimestamp":"2018-10-25T17:53:07.006845Z","timestamp":"2018-10-25T17:53:06Z","user":{"groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"uid":"8d5e1349-d30f-11e8-96d9-080027728ac4","username":"system:serviceaccount:kube-system:replicaset-controller"},"verb":"create"}

1
test/trace_files/k8s_audit/fal_01_003.json Normal file
View File

@@ -0,0 +1 @@
{"kind": 0}

12
userspace/engine/CMakeLists.txt
View File

@@ -35,9 +35,8 @@ if(MINIMAL_BUILD)
"${NJSON_INCLUDE}"
"${TBB_INCLUDE_DIR}"
"${STRING_VIEW_LITE_INCLUDE}"
"${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp"
"${SYSDIG_SOURCE_DIR}/userspace/libscap"
"${SYSDIG_SOURCE_DIR}/userspace/libsinsp"
"${LIBSCAP_INCLUDE_DIRS}"
"${LIBSINSP_INCLUDE_DIRS}"
"${PROJECT_BINARY_DIR}/userspace/engine")
else()
target_include_directories(
@@ -48,9 +47,8 @@ else()
"${CURL_INCLUDE_DIR}"
"${TBB_INCLUDE_DIR}"
"${STRING_VIEW_LITE_INCLUDE}"
"${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp"
"${SYSDIG_SOURCE_DIR}/userspace/libscap"
"${SYSDIG_SOURCE_DIR}/userspace/libsinsp"
"${LIBSCAP_INCLUDE_DIRS}"
"${LIBSINSP_INCLUDE_DIRS}"
"${PROJECT_BINARY_DIR}/userspace/engine")
endif()
@@ -72,3 +70,5 @@ else()
FILES_MATCHING
PATTERN *.lua)
endif()
add_subdirectory(embeddable)

43
userspace/engine/embeddable/CMakeLists.txt Normal file
View File

@@ -0,0 +1,43 @@
#
# Copyright (C) 2021 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
set(FALCO_ENGINE_EMBEDDABLE_SOURCE_FILES
falco_engine_embeddable.cpp)
set(
FALCO_LIBRARIES
falco_engine
sinsp
"${LIBYAML_LIB}"
"${YAMLCPP_LIB}"
)
add_library(falco_engine_embeddable SHARED ${FALCO_ENGINE_EMBEDDABLE_SOURCE_FILES})
add_dependencies(falco_engine_embeddable falco_engine)
target_include_directories(
falco_engine_embeddable
PUBLIC
"${PROJECT_SOURCE_DIR}/userspace/engine"
"${LUAJIT_INCLUDE}"
"${NJSON_INCLUDE}"
"${TBB_INCLUDE_DIR}"
"${STRING_VIEW_LITE_INCLUDE}"
"${LIBSCAP_INCLUDE_DIRS}"
"${LIBSINSP_INCLUDE_DIRS}"
"${PROJECT_BINARY_DIR}/userspace/engine")
target_link_libraries(falco_engine_embeddable ${FALCO_LIBRARIES})
#add_custom_target(example ALL DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/example)
#add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/example COMMAND go build ${CMAKE_CURRENT_SOURCE_DIR}/example.go -o ${CMAKE_CURRENT_BINARY_DIR}/example)

102
userspace/engine/embeddable/example/example.go Normal file
View File

@@ -0,0 +1,102 @@
package main
//#cgo CFLAGS: -I../
//#cgo LDFLAGS: -L/home/mstemm/work/falco-build/userspace/engine/embeddable -lfalco_engine_embeddable -Wl,-rpath=/home/mstemm/work/falco-build/userspace/engine/embeddable
/*
#include "stdio.h"
#include "falco_engine_embeddable.h"
int open_engine(void **engine, void *rules_content)
{
int32_t rc;
*engine = falco_engine_embed_init(&rc);
if (rc != 0)
{
return rc;
}
char *errstr;
rc = falco_engine_embed_load_rules_content(*engine, (const char *) rules_content, &errstr);
if (rc != 0)
{
fprintf(stderr, "%s", errstr);
return rc;
}
rc = falco_engine_embed_open(*engine, &errstr);
if (rc != 0)
{
fprintf(stderr, "%s", errstr);
return rc;
}
return rc;
}
int next_result(void *engine, char **output)
{
int32_t rc;
falco_engine_embed_result *res;
char *errstr;
rc = falco_engine_embed_next_result(engine, &res, &errstr);
if (rc != 0)
{
fprintf(stderr, "NEXT ERROR %s", errstr);
return rc;
}
*output = res->output_str;
return rc;
}
*/
import "C"
import (
"fmt"
"io/ioutil"
"os"
"unsafe"
)
func doMain(rules_filename string) int {
rules_content, err := ioutil.ReadFile(rules_filename)
if err != nil {
fmt.Printf("Could not open rules file %s: %v", rules_filename, err)
return 1
}
var handle unsafe.Pointer
rc := C.open_engine(&handle, C.CBytes(rules_content))
if rc != 0 {
fmt.Printf("Could not open falco engine")
return 1
}
for true {
var output *C.char
rc := C.next_result(handle, &output)
if rc != 0 {
fmt.Printf("Could not get next result")
return 1
}
fmt.Printf("GOT RESULT %s\n", C.GoString(output))
}
return 0
}
func main() {
os.Exit(doMain(os.Args[1]))
}

6
userspace/engine/embeddable/example/go.mod Normal file
View File

@@ -0,0 +1,6 @@
module github.com/falcosecurity/falco/embedded/example
go 1.16
require (
)

356
userspace/engine/embeddable/falco_engine_embeddable.cpp Normal file
View File

@@ -0,0 +1,356 @@
/*
Copyright (C) 2021 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#include <memory>
#include <atomic>
#include <sinsp.h>
#include <event.h>
#include <falco_engine.h>
#include "falco_engine_embeddable.h"
using namespace std;
class falco_engine_embed_int {
public:
falco_engine_embed_int();
virtual ~falco_engine_embed_int();
bool load_rules_content(const char *rules_content, string &err);
bool is_open();
bool open(string &err);
bool close(string &err);
falco_engine_embed_rc next_result(falco_engine_embed_result **result, string &err);
private:
falco_engine_embed_result *rule_result_to_embed_result(sinsp_evt *ev,
unique_ptr<falco_engine::rule_result> &res);
static void add_output_pair(const string &field, const string &val,
char **&fields, char **&vals,
uint32_t &len);
unique_ptr<sinsp_evt_formatter_cache> m_formatters;
bool m_open;
unique_ptr<sinsp> m_inspector;
unique_ptr<falco_engine> m_falco_engine;
atomic<bool> m_shutdown;
};
falco_engine_embed_int::falco_engine_embed_int()
: m_open(false),
m_shutdown(false)
{
m_inspector.reset(new sinsp());
m_falco_engine.reset(new falco_engine());
m_falco_engine->set_inspector(m_inspector.get());
m_formatters.reset(new sinsp_evt_formatter_cache(m_inspector.get()));
}
falco_engine_embed_int::~falco_engine_embed_int()
{
}
bool falco_engine_embed_int::load_rules_content(const char *rules_content, string &err)
{
bool verbose = false;
bool all_events = true;
try {
m_falco_engine->load_rules(string(rules_content), verbose, all_events);
}
catch(falco_exception &e)
{
err = e.what();
return false;
}
return true;
}
bool falco_engine_embed_int::is_open()
{
return m_open;
}
bool falco_engine_embed_int::open(string &err)
{
try {
m_inspector->open();
}
catch(exception &e)
{
err = e.what();
return false;
}
m_open = true;
return true;
}
bool falco_engine_embed_int::close(string &err)
{
m_shutdown = true;
m_open = false;
return true;
}
falco_engine_embed_rc falco_engine_embed_int::next_result(falco_engine_embed_result **result, string &err)
{
*result = NULL;
while(!m_shutdown)
{
sinsp_evt* ev;
int32_t rc = m_inspector->next(&ev);
if (rc == SCAP_TIMEOUT)
{
continue;
}
else if (rc == SCAP_EOF)
{
break;
}
else if (rc != SCAP_SUCCESS)
{
err = m_inspector->getlasterr();
return FE_EMB_RC_ERROR;
}
if(!ev->simple_consumer_consider())
{
continue;
}
unique_ptr<falco_engine::rule_result> res = m_falco_engine->process_sinsp_event(ev);
if(!res)
{
continue;
}
*result = rule_result_to_embed_result(ev, res);
return FE_EMB_RC_OK;
}
// Can only get here if shut down/eof.
return FE_EMB_RC_EOF;
}
falco_engine_embed_result * falco_engine_embed_int::rule_result_to_embed_result(sinsp_evt *ev,
unique_ptr<falco_engine::rule_result> &res)
{
falco_engine_embed_result *result;
result = (falco_engine_embed_result *) malloc(sizeof(falco_engine_embed_result));
result->rule = strdup(res->rule.c_str());
result->event_source = strdup(res->source.c_str());
result->priority_num = res->priority_num;
// Copy output format string without resolving fields.
result->output_format_str = strdup(res->format.c_str());
// Resolve output format string into resolved output
string output;
m_formatters->tostring(ev, res->format, &output);
result->output_str = strdup(output.c_str());
result->output_fields = NULL;
result->output_values = NULL;
result->num_output_values = 0;
map<string, string> rule_output_fields;
m_formatters->resolve_tokens(ev, res->format, rule_output_fields);
for(auto &pair : rule_output_fields)
{
add_output_pair(pair.first, pair.second,
result->output_fields, result->output_values,
result->num_output_values);
}
// Preceding * makes the formatting permissive (not ending at first empty value)
std::string exformat = "*";
for (const auto& exfield : res->exception_fields)
{
exformat += " %" + exfield;
}
map<string, string> exception_output_fields;
m_formatters->resolve_tokens(ev, exformat, exception_output_fields);
for(auto &pair : exception_output_fields)
{
add_output_pair(pair.first, pair.second,
result->output_fields, result->output_values,
result->num_output_values);
}
return result;
}
void falco_engine_embed_int::add_output_pair(const string &field, const string &val,
char **&fields, char **&vals,
uint32_t &len)
{
len++;
fields = (char **) realloc(fields, len*sizeof(char *));
vals = (char **) realloc(vals, len*sizeof(char *));
fields[len-1] = strdup(field.c_str());
vals[len-1] = strdup(val.c_str());
}
static const char *FALCO_ENGINE_EMBED_VERSION = "1.0.0";
char *falco_engine_embed_get_version()
{
return strdup(FALCO_ENGINE_EMBED_VERSION);
}
void falco_engine_embed_free_result(falco_engine_embed_result *result)
{
free(result->rule);
free(result->event_source);
free(result->output_format_str);
free(result->output_str);
for(int32_t i; i < result->num_output_values; i++)
{
free(result->output_fields[i]);
free(result->output_values[i]);
}
free(result->output_fields);
free(result->output_values);
free(result);
}
falco_engine_embed_t* falco_engine_embed_init(int32_t *rc)
{
falco_engine_embed_int *eengine = new falco_engine_embed_int();
*rc = FE_EMB_RC_OK;
return eengine;
}
int32_t falco_engine_embed_destroy(falco_engine_embed_t *engine, char *errstr)
{
falco_engine_embed_int *eengine = (falco_engine_embed_int *) engine;
if(eengine->is_open())
{
errstr = strdup("Engine is open--must call close() first");
return FE_EMB_RC_ERROR;
}
delete(eengine);
return FE_EMB_RC_OK;
}
int32_t falco_engine_embed_load_plugin(falco_engine_embed_t *engine,
const char *path,
const char* init_config,
const char* open_params,
char **errstr)
{
falco_engine_embed_int *eengine = (falco_engine_embed_int *) engine;
// XXX/mstemm fill in
return FE_EMB_RC_OK;
}
int32_t falco_engine_embed_load_rules_content(falco_engine_embed_t *engine,
const char *rules_content,
char **errstr)
{
falco_engine_embed_int *eengine = (falco_engine_embed_int *) engine;
std::string err;
if (!eengine->load_rules_content(rules_content, err))
{
*errstr = strdup(err.c_str());
return FE_EMB_RC_ERROR;
}
return FE_EMB_RC_OK;
}
int32_t falco_engine_embed_enable_source(falco_engine_embed_t *engine,
int32_t source,
bool enabled,
char **errstr)
{
falco_engine_embed_int *eengine = (falco_engine_embed_int *) engine;
// XXX/mstemm fill in
return FE_EMB_RC_OK;
}
int32_t falco_engine_embed_open(falco_engine_embed_t *engine,
char **errstr)
{
falco_engine_embed_int *eengine = (falco_engine_embed_int *) engine;
std::string err;
if (!eengine->open(err))
{
*errstr = strdup(err.c_str());
return FE_EMB_RC_ERROR;
}
return FE_EMB_RC_OK;
}
int32_t falco_engine_embed_close(falco_engine_embed_t *engine,
char **errstr)
{
falco_engine_embed_int *eengine = (falco_engine_embed_int *) engine;
std::string err;
if (!eengine->close(err))
{
*errstr = strdup(err.c_str());
return FE_EMB_RC_ERROR;
}
return FE_EMB_RC_OK;
}
int32_t falco_engine_embed_next_result(falco_engine_embed_t *engine,
falco_engine_embed_result **result,
char **errstr)
{
falco_engine_embed_int *eengine = (falco_engine_embed_int *) engine;
std::string err;
falco_engine_embed_rc rc;
rc = eengine->next_result(result, err);
if(rc == FE_EMB_RC_ERROR)
{
*errstr = strdup(err.c_str());
}
return rc;
}

268
userspace/engine/embeddable/falco_engine_embeddable.h Normal file
View File

@@ -0,0 +1,268 @@
/*
Copyright (C) 2021 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
/*
This header file provides a C-only interface to the falco engine,
suitable for embedding in other programs as a shared library. This
interface handles:
- Loading Rules Content
- Enabling/Disabling syscall/k8s_audit event sources.
- Loading and configuring source/extractor plugins
- Starting/Stopping the event processing loop.
After setup, the main interface involves receiving "results" when
syscall/k8s_audit/plugin events match rules.
This interface does not provide as many features as the c++
falco_engine interface, such as interfaces to list rules, segregate
rules by "ruleset", enabling/disabling specific rules etc.
Output handling (e.g. routing alerts to files, stdout, webhook,
slack, etc) is not covered by this interface. After receiving a
result, a program could use a program like falcosidekick for a rich
set of output handling methods.
*/
#pragma once
#include <stdint.h>
#include <stdbool.h>
#ifdef __cplusplus
extern "C" {
#endif
/* A handle to an embeddable falco engine */
typedef void falco_engine_embed_t;
/* Defined return values from API functions. */
enum falco_engine_embed_rc
{
/* No Error */
FE_EMB_RC_OK = 0,
FE_EMB_RC_ERROR = 1,
FE_EMB_RC_EOF = 2,
};
/* Defined event sources. */
enum falco_engine_embed_evt_source
{
FE_EMB_SRC_NONE = 0,
FE_EMB_SRC_SYSCALL = 1,
FE_EMB_K8S_AUDIT = 2,
FE_EMB_PLUGINS = 3, // This includes any event from any plugin
};
/* Represents a result (e.g. an event matching a falco rule)
When returned by a call to next_result(), the struct, as well as
every allocated char * within the struct, is allocated via a call
to malloc() and must be freed via a call to free().
*/
typedef struct falco_engine_embed_result
{
// The rule that matched the event
char *rule;
// The event source of the event that matched the rule
char *event_source;
// An int containing a falco_common::priority_type value of
// the priority of the matching rule.
int32_t priority_num;
// A copy of the rule's output string, *without* any
// fields (e.g. %proc.name, ...) resolved to values.
char *output_format_str;
// An output string, starting with the rule's output string
// with all fields resolved to values.
char *output_str;
// An allocated array of allocated field names from the output
// string. Additional fields + values may be included in
// addition to those in the output string, to aid in
// debugging. Item i in this array maps to item i in
// output_values.
char **output_fields;
// An allocated array of allocated field values from the
// output string. Additional fields + values may be included in
// addition to those in the output string, to aid in
// debugging. Item i in this array maps to item i in
// output_fields.
char **output_values;
// The length of output_fields/output_values
uint32_t num_output_values;
} falco_engine_embed_result;
/* A utility function to free a falco_engine_embed_result struct and
* its allocated strings returned by a call to next_result() */
void falco_engine_embed_free_result(falco_engine_embed_result *result);
// Interface to interact with an embeddable falco engine.
// NOTE: For all functions below that return a char *, the memory
// pointed to by the char * is allocated using malloc() and should be
// freed by the caller using free().
// Return the embedded engine version.
//
// Return value: a version string, in the following format:
// "<major>.<minor>.<patch>", e.g. "1.2.3".
// This interface is compatible following semver conventions:
// <major> changes for incompatible api changes, <minor> for
// backwards-compatible additions, <patch> for compatible bug
// fixes.
char* falco_engine_embed_get_version();
// Initialize a falco engine.
//
// Arguments:
// - rc: pointer to an integer containing a falco_engine_embed_rc value.
//
// Return value: pointer to the engine state that is passed to
// other API functions.
falco_engine_embed_t* falco_engine_embed_init(int32_t *rc);
// Destroy a falco engine. This frees any resources allocated in
// init(). If open() has been called, close() should be called before
// destroy().
//
// Arguments:
// - engine: returned by a prior succesful call to init().
// - errstr: on error, errstr will point to an allocated
// string with additional details on the errror. The string
// must be freed via a call to free().
//
// Return value: an integer containing a falco_engine_embed_rc
// value.
int32_t falco_engine_embed_destroy(falco_engine_embed_t *engine, char *errstr);
// Load either a falco source or extractor plugin.
//
// Arguments:
// - engine: returned by a prior succesful call to init().
// - path: a file path pointing to a dynamic library that
// can be dlopen()ed.
// - init_config: a string that will be passed to the plugin's
// init() function.
// - open_params: a string that will be passed to the
// plugin's open() function.
// - errstr: on error, errstr will point to an allocated
// string with additional details on the errror. The string
// must be freed via a call to free().
//
// Return value: an integer containing a falco_engine_embed_rc
// value.
int32_t falco_engine_embed_load_plugin(falco_engine_embed_t *engine,
const char *path,
const char* init_config,
const char* open_params,
char **errstr);
// Load the provided rules content. These rules are applied on
// top of any previously loaded rules content
// (e.g. appending/overriding rule/macro/list objects as
// specified via "append:" properties)
//
// NOTE: Plugins should be loaded before any rules are loaded.
//
// Arguments:
// - engine: returned by a prior succesful call to init().
// - rules_content: a null-terminated string containing
// yaml rules content.
// - errstr: on error, errstr will point to an allocated
// string with additional details on the errror. The string
// must be freed via a call to free().
//
// Return value: an integer containing a falco_engine_embed_rc
// value.
int32_t falco_engine_embed_load_rules_content(falco_engine_embed_t *engine,
const char *rules_content,
char **errstr);
// Enable/disable an event source.
// By default all event sources are enabled. This function
// enables/disables specific event sources.
//
// Arguments:
// - engine: returned by a prior succesful call to init().
// - source: an int containing a falco_engine_embed_evt_source value.
// - enabled: whether to enable or disable the provided source
// - errstr: on error, errstr will point to an allocated
// string with additional details on the errror. The string
// must be freed via a call to free().
//
// Return value: an integer containing a falco_engine_embed_rc
// value.
int32_t falco_engine_embed_enable_source(falco_engine_embed_t *engine,
int32_t source,
bool enabled,
char **errstr);
// Open the engine, which starts event processing and matching
// against the loaded set of rules.
//
// Arguments:
// - engine: returned by a prior succesful call to init().
// - errstr: on error, errstr will point to an allocated
// string with additional details on the errror. The string
// must be freed via a call to free().
//
// Return value: an integer containing a falco_engine_embed_rc
// value.
int32_t falco_engine_embed_open(falco_engine_embed_t *engine,
char **errstr);
// Close the engine, which stops event processing.
//
// Arguments:
// - engine: returned by a prior succesful call to init().
// - errstr: on error, errstr will point to an allocated
// string with additional details on the errror. The string
// must be freed via a call to free().
//
// Return value: an integer containing a falco_engine_embed_rc
// value.
int32_t falco_engine_embed_close(falco_engine_embed_t *engine,
char **errstr);
// Receive the next result (e.g. an event that matched a
// rule). This function blocks until the next result is
// available. close() is called, or an error occurs.
//
// Arguments:
// - engine: returned by a prior succesful call to init().
// - result: a pointer to a falco_engine_embed_result struct
// pointer. On success, a struct will be allocated, and filled in
// with allocated char* values, and the pointer updated to point to
// the allocated struct.
// - errstr: on error, errstr will point to an allocated
// string with additional details on the errror. The string
// must be freed via a call to free().
//
// Return value: an integer containing a falco_engine_embed_rc
// value.
int32_t falco_engine_embed_next_result(falco_engine_embed_t *engine,
falco_engine_embed_result **result,
char **errstr);
#ifdef __cplusplus
} // extern "C"
#endif

4
userspace/engine/falco_engine_version.h
View File

@@ -16,9 +16,9 @@ limitations under the License.
// The version of rules/filter fields/etc supported by this falco
// engine.
#define FALCO_ENGINE_VERSION (8)
#define FALCO_ENGINE_VERSION (9)
// This is the result of running "falco --list -N | sha256sum" and
// represents the fields supported by this version of falco. It's used
// at build time to detect a changed set of fields.
#define FALCO_FIELDS_CHECKSUM "2f324e2e66d4b423f53600e7e0fcf2f0ff72e4a87755c490f2ae8f310aba9386"
#define FALCO_FIELDS_CHECKSUM "8183621f52451d842036eee409e2ed920d9c91bab33e0c4a44e4a871378d103f"

10
userspace/engine/falco_utils.h
View File

@@ -17,6 +17,8 @@ limitations under the License.
*/
#pragma once
#include <sstream>
#include <fstream>
#include <iostream>
@@ -24,7 +26,13 @@ limitations under the License.
#include <thread>
#include <nonstd/string_view.hpp>
#pragma once
#ifdef __GNUC__
#define likely(x) __builtin_expect(!!(x), 1)
#define unlikely(x) __builtin_expect(!!(x), 0)
#else
#define likely(x) (x)
#define unlikely(x) (x)
#endif
namespace falco
{

8
userspace/engine/json_evt.cpp
View File

@@ -281,7 +281,11 @@ bool json_event_value::parse_as_int64(int64_t &intval, const std::string &val)
return false;
}
}
catch (std::invalid_argument &e)
catch(std::out_of_range &)
{
return false;
}
catch (std::invalid_argument &)
{
return false;
}
@@ -312,7 +316,7 @@ bool json_event_filter_check::def_extract(const nlohmann::json &root,
{
if(!def_extract(item, ptrs, std::next(it, 1)))
{
return false;
add_extracted_value(no_value);
}
}
}

2
userspace/engine/lua/parser.lua
View File

@@ -204,7 +204,7 @@ local G = {
Hex = (P("0x") + P("0X")) * xdigit ^ 1,
Expo = S("eE") * S("+-") ^ -1 * digit ^ 1,
Float = (((digit ^ 1 * P(".") * digit ^ 0) + (P(".") * digit ^ 1)) * V "Expo" ^ -1) + (digit ^ 1 * V "Expo"),
Number = C(V "Hex" + V "Float" + V "Int") / function(n)
Number = C(V "Hex" + V "Float" + V "Int") * - V "idStart" / function(n)
return tonumber(n)
end,
String = (P '"' * C(((P "\\" * P(1)) + (P(1) - P '"')) ^ 0) * P '"' +

4
userspace/engine/lua/rule_loader.lua
View File

@@ -522,10 +522,8 @@ function load_rules_doc(rules_mgr, doc, load_state)
v['source'] = "syscall"
end
-- Add an empty exceptions property to the rule if not
-- defined, but add a warning about defining one
-- Add an empty exceptions property to the rule if not defined
if v['exceptions'] == nil then
warnings[#warnings + 1] = "Rule "..v['rule']..": consider adding an exceptions property to define supported exceptions fields"
v['exceptions'] = {}
end

12
userspace/falco/CMakeLists.txt
View File

@@ -25,7 +25,6 @@ set(
event_drops.cpp
statsfilewriter.cpp
falco.cpp
"${SYSDIG_SOURCE_DIR}/userspace/libsinsp/fields_info.cpp"
)
set(
@@ -87,16 +86,23 @@ if(NOT MINIMAL_BUILD)
"${GRPC_INCLUDE}"
"${GRPCPP_INCLUDE}"
"${PROTOBUF_INCLUDE}"
"${CARES_INCLUDE}"
)
if(USE_BUNDLED_GRPC)
list(APPEND FALCO_DEPENDENCIES grpc)
list(APPEND FALCO_LIBRARIES "${GRPC_LIBRARIES}")
endif()
list(APPEND FALCO_DEPENDENCIES civetweb)
list(
APPEND FALCO_LIBRARIES
"${GPR_LIB}"
"${GRPC_LIB}"
"${GRPCPP_LIB}"
"${GRPC_LIB}"
"${GPR_LIB}"
"${PROTOBUF_LIB}"
"${CARES_LIB}"
"${OPENSSL_LIBRARY_SSL}"
"${OPENSSL_LIBRARY_CRYPTO}"
"${LIBYAML_LIB}"

40
userspace/falco/configuration.cpp
View File

@@ -1,5 +1,5 @@
/*
Copyright (C) 2020 The Falco Authors.
Copyright (C) 2021 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -34,6 +34,7 @@ falco_configuration::falco_configuration():
m_webserver_enabled(false),
m_webserver_listen_port(8765),
m_webserver_k8s_audit_endpoint("/k8s-audit"),
m_webserver_k8s_healthz_endpoint("/healthz"),
m_webserver_ssl_enabled(false),
m_config(NULL)
{
@@ -193,6 +194,7 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
m_webserver_enabled = m_config->get_scalar<bool>("webserver", "enabled", false);
m_webserver_listen_port = m_config->get_scalar<uint32_t>("webserver", "listen_port", 8765);
m_webserver_k8s_audit_endpoint = m_config->get_scalar<string>("webserver", "k8s_audit_endpoint", "/k8s-audit");
m_webserver_k8s_healthz_endpoint = m_config->get_scalar<string>("webserver", "k8s_healthz_endpoint", "/healthz");
m_webserver_ssl_enabled = m_config->get_scalar<bool>("webserver", "ssl_enabled", false);
m_webserver_ssl_certificate = m_config->get_scalar<string>("webserver", "ssl_certificate", "/etc/falco/falco.pem");
@@ -203,35 +205,53 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
{
if(act == "ignore")
{
m_syscall_evt_drop_actions.insert(syscall_evt_drop_mgr::ACT_IGNORE);
m_syscall_evt_drop_actions.insert(syscall_evt_drop_action::IGNORE);
}
else if(act == "log")
{
m_syscall_evt_drop_actions.insert(syscall_evt_drop_mgr::ACT_LOG);
if(m_syscall_evt_drop_actions.count(syscall_evt_drop_action::IGNORE))
{
throw logic_error("Error reading config file (" + m_config_file + "): syscall event drop action \"" + act + "\" does not make sense with the \"ignore\" action");
}
m_syscall_evt_drop_actions.insert(syscall_evt_drop_action::LOG);
}
else if(act == "alert")
{
m_syscall_evt_drop_actions.insert(syscall_evt_drop_mgr::ACT_ALERT);
if(m_syscall_evt_drop_actions.count(syscall_evt_drop_action::IGNORE))
{
throw logic_error("Error reading config file (" + m_config_file + "): syscall event drop action \"" + act + "\" does not make sense with the \"ignore\" action");
}
m_syscall_evt_drop_actions.insert(syscall_evt_drop_action::ALERT);
}
else if(act == "exit")
{
m_syscall_evt_drop_actions.insert(syscall_evt_drop_mgr::ACT_EXIT);
m_syscall_evt_drop_actions.insert(syscall_evt_drop_action::EXIT);
}
else
{
throw logic_error("Error reading config file (" + m_config_file + "): syscall event drop action " + act + " must be one of \"ignore\", \"log\", \"alert\", or \"exit\"");
throw logic_error("Error reading config file (" + m_config_file + "): available actions for syscall event drops are \"ignore\", \"log\", \"alert\", and \"exit\"");
}
}
if(m_syscall_evt_drop_actions.empty())
{
m_syscall_evt_drop_actions.insert(syscall_evt_drop_mgr::ACT_IGNORE);
m_syscall_evt_drop_actions.insert(syscall_evt_drop_action::IGNORE);
}
m_syscall_evt_drop_rate = m_config->get_scalar<double>("syscall_event_drops", "rate", 0.3333);
m_syscall_evt_drop_max_burst = m_config->get_scalar<double>("syscall_event_drops", "max_burst", 10);
m_syscall_evt_drop_threshold = m_config->get_scalar<double>("syscall_event_drops", "threshold", .1);
if(m_syscall_evt_drop_threshold < 0 || m_syscall_evt_drop_threshold > 1)
{
throw logic_error("Error reading config file (" + m_config_file + "): syscall event drops threshold must be a double in the range [0, 1]");
}
m_syscall_evt_drop_rate = m_config->get_scalar<double>("syscall_event_drops", "rate", .03333);
m_syscall_evt_drop_max_burst = m_config->get_scalar<double>("syscall_event_drops", "max_burst", 1);
m_syscall_evt_simulate_drops = m_config->get_scalar<bool>("syscall_event_drops", "simulate_drops", false);
m_syscall_evt_timeout_max_consecutives = m_config->get_scalar<uint32_t>("syscall_event_timeouts", "max_consecutives", 1000);
if(m_syscall_evt_timeout_max_consecutives == 0)
{
throw logic_error("Error reading config file(" + m_config_file + "): the maximum consecutive timeouts without an event must be an unsigned integer > 0");
}
}
void falco_configuration::read_rules_file_directory(const string &path, list<string> &rules_filenames)

14
userspace/falco/configuration.h
View File

@@ -1,5 +1,5 @@
/*
Copyright (C) 2019 The Falco Authors.
Copyright (C) 2021 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -111,7 +111,7 @@ public:
}
catch(const YAML::BadConversion& ex)
{
std::cerr << "Cannot read config file (" + m_path + "): wrong type at key " + key + "\n";
std::cerr << "Cannot read config file (" + m_path + "): wrong type at key " + key + "." + subkey + "\n";
throw;
}
@@ -172,7 +172,7 @@ public:
}
catch(const YAML::BadConversion& ex)
{
std::cerr << "Cannot read config file (" + m_path + "): wrong type at key " + key + "\n";
std::cerr << "Cannot read config file (" + m_path + "): wrong type at key " + key + "." + subkey +"\n";
throw;
}
}
@@ -216,15 +216,19 @@ public:
bool m_webserver_enabled;
uint32_t m_webserver_listen_port;
std::string m_webserver_k8s_audit_endpoint;
std::string m_webserver_k8s_healthz_endpoint;
bool m_webserver_ssl_enabled;
std::string m_webserver_ssl_certificate;
std::set<syscall_evt_drop_mgr::action> m_syscall_evt_drop_actions;
syscall_evt_drop_actions m_syscall_evt_drop_actions;
double m_syscall_evt_drop_threshold;
double m_syscall_evt_drop_rate;
double m_syscall_evt_drop_max_burst;
// Only used for testing
bool m_syscall_evt_simulate_drops;
uint32_t m_syscall_evt_timeout_max_consecutives;
private:
void init_cmdline_options(std::list<std::string>& cmdline_options);

72
userspace/falco/event_drops.cpp
View File

@@ -1,5 +1,5 @@
/*
Copyright (C) 2020 The Falco Authors.
Copyright (C) 2021 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -34,7 +34,8 @@ syscall_evt_drop_mgr::~syscall_evt_drop_mgr()
void syscall_evt_drop_mgr::init(sinsp *inspector,
falco_outputs *outputs,
std::set<action> &actions,
syscall_evt_drop_actions &actions,
double threshold,
double rate,
double max_tokens,
bool simulate_drops)
@@ -43,10 +44,15 @@ void syscall_evt_drop_mgr::init(sinsp *inspector,
m_outputs = outputs;
m_actions = actions;
m_bucket.init(rate, max_tokens);
m_threshold = threshold;
m_inspector->get_capture_stats(&m_last_stats);
m_simulate_drops = simulate_drops;
if(m_simulate_drops)
{
m_threshold = 0;
}
}
bool syscall_evt_drop_mgr::process_event(sinsp *inspector, sinsp_evt *evt)
@@ -83,19 +89,27 @@ bool syscall_evt_drop_mgr::process_event(sinsp *inspector, sinsp_evt *evt)
if(delta.n_drops > 0)
{
m_num_syscall_evt_drops++;
double ratio = delta.n_drops;
// Assuming the number of event does not contains the dropped ones
ratio /= delta.n_drops + delta.n_evts;
// There were new drops in the last second. If
// the token bucket allows, perform actions.
if(m_bucket.claim(1, evt->get_ts()))
// When simulating drops the threshold is always zero
if(ratio > m_threshold)
{
m_num_actions++;
m_num_syscall_evt_drops++;
return perform_actions(evt->get_ts(), delta, inspector->is_bpf_enabled());
}
else
{
falco_logger::log(LOG_DEBUG, "Syscall event drop but token bucket depleted, skipping actions");
// There were new drops in the last second.
// If the token bucket allows, perform actions.
if(m_bucket.claim(1, evt->get_ts()))
{
m_num_actions++;
return perform_actions(evt->get_ts(), delta, inspector->is_bpf_enabled());
}
else
{
falco_logger::log(LOG_DEBUG, "Syscall event drop but token bucket depleted, skipping actions");
}
}
}
}
@@ -115,36 +129,32 @@ bool syscall_evt_drop_mgr::perform_actions(uint64_t now, scap_stats &delta, bool
std::string rule = "Falco internal: syscall event drop";
std::string msg = rule + ". " + std::to_string(delta.n_drops) + " system calls dropped in last second.";
std::map<std::string, std::string> output_fields;
output_fields["n_evts"] = std::to_string(delta.n_evts);
output_fields["n_drops"] = std::to_string(delta.n_drops);
output_fields["n_drops_buffer"] = std::to_string(delta.n_drops_buffer);
output_fields["n_drops_pf"] = std::to_string(delta.n_drops_pf);
output_fields["n_drops_bug"] = std::to_string(delta.n_drops_bug);
output_fields["ebpf_enabled"] = std::to_string(bpf_enabled);
bool should_exit = false;
for(auto &act : m_actions)
{
switch(act)
{
case ACT_IGNORE:
case syscall_evt_drop_action::IGNORE:
break;
case ACT_LOG:
falco_logger::log(LOG_ERR, msg);
case syscall_evt_drop_action::LOG:
falco_logger::log(LOG_DEBUG, msg);
break;
case ACT_ALERT:
m_outputs->handle_msg(now,
falco_common::PRIORITY_CRITICAL,
msg,
rule,
output_fields);
case syscall_evt_drop_action::ALERT:
{
std::map<std::string, std::string> output_fields;
output_fields["n_evts"] = std::to_string(delta.n_evts);
output_fields["n_drops"] = std::to_string(delta.n_drops);
output_fields["n_drops_buffer"] = std::to_string(delta.n_drops_buffer);
output_fields["n_drops_pf"] = std::to_string(delta.n_drops_pf);
output_fields["n_drops_bug"] = std::to_string(delta.n_drops_bug);
output_fields["ebpf_enabled"] = std::to_string(bpf_enabled);
m_outputs->handle_msg(now, falco_common::PRIORITY_DEBUG, msg, rule, output_fields);
break;
case ACT_EXIT:
}
case syscall_evt_drop_action::EXIT:
should_exit = true;
break;

30
userspace/falco/event_drops.h
View File

@@ -1,5 +1,5 @@
/*
Copyright (C) 2019 The Falco Authors.
Copyright (C) 2021 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -23,25 +23,28 @@ limitations under the License.
#include "logger.h"
#include "falco_outputs.h"
// The possible actions that this class can take upon
// detecting a syscall event drop.
enum class syscall_evt_drop_action : uint8_t
{
IGNORE = 0,
LOG,
ALERT,
EXIT
};
using syscall_evt_drop_actions = std::set<syscall_evt_drop_action>;
class syscall_evt_drop_mgr
{
public:
// The possible actions that this class can take upon
// detecting a syscall event drop.
enum action
{
ACT_IGNORE = 0,
ACT_LOG,
ACT_ALERT,
ACT_EXIT,
};
syscall_evt_drop_mgr();
virtual ~syscall_evt_drop_mgr();
void init(sinsp *inspector,
falco_outputs *outputs,
std::set<action> &actions,
syscall_evt_drop_actions &actions,
double threshold,
double rate,
double max_tokens,
bool simulate_drops);
@@ -63,9 +66,10 @@ protected:
uint64_t m_num_actions;
sinsp *m_inspector;
falco_outputs *m_outputs;
std::set<action> m_actions;
syscall_evt_drop_actions m_actions;
token_bucket m_bucket;
uint64_t m_next_check_ts;
scap_stats m_last_stats;
bool m_simulate_drops;
double m_threshold;
};

37
userspace/falco/falco.cpp
View File

@@ -23,6 +23,7 @@ limitations under the License.
#include <vector>
#include <algorithm>
#include <string>
#include <chrono>
#include <functional>
#include <signal.h>
#include <fcntl.h>
@@ -35,12 +36,13 @@ limitations under the License.
#include "logger.h"
#include "utils.h"
#include "chisel.h"
#include "fields_info.h"
#include "falco_utils.h"
#include "event_drops.h"
#include "configuration.h"
#include "falco_engine.h"
#include "falco_engine_version.h"
#include "config_falco.h"
#include "statsfilewriter.h"
#ifndef MINIMAL_BUILD
@@ -251,10 +253,12 @@ uint64_t do_inspect(falco_engine *engine,
sinsp_evt* ev;
StatsFileWriter writer;
uint64_t duration_start = 0;
uint32_t timeouts_since_last_success_or_msg = 0;
sdropmgr.init(inspector,
outputs,
config.m_syscall_evt_drop_actions,
config.m_syscall_evt_drop_threshold,
config.m_syscall_evt_drop_rate,
config.m_syscall_evt_drop_max_burst,
config.m_syscall_evt_simulate_drops);
@@ -297,6 +301,28 @@ uint64_t do_inspect(falco_engine *engine,
}
else if(rc == SCAP_TIMEOUT)
{
if(unlikely(ev == nullptr))
{
timeouts_since_last_success_or_msg++;
if(timeouts_since_last_success_or_msg > config.m_syscall_evt_timeout_max_consecutives)
{
std::string rule = "Falco internal: timeouts notification";
std::string msg = rule + ". " + std::to_string(config.m_syscall_evt_timeout_max_consecutives) + " consecutive timeouts without event.";
std::string last_event_time_str = "none";
if(duration_start > 0)
{
sinsp_utils::ts_to_string(duration_start, &last_event_time_str, false, true);
}
std::map<std::string, std::string> o = {
{"last_event_time", last_event_time_str},
};
auto now = std::chrono::duration_cast<std::chrono::nanoseconds>(std::chrono::system_clock::now().time_since_epoch()).count();
outputs->handle_msg(now, falco_common::PRIORITY_DEBUG, msg, rule, o);
// Reset the timeouts counter, Falco alerted
timeouts_since_last_success_or_msg = 0;
}
}
continue;
}
else if(rc == SCAP_EOF)
@@ -307,16 +333,18 @@ uint64_t do_inspect(falco_engine *engine,
{
//
// Event read error.
// Notify the chisels that we're exiting, and then die with an error.
//
cerr << "rc = " << rc << endl;
throw sinsp_exception(inspector->getlasterr().c_str());
}
if (duration_start == 0)
// Reset the timeouts counter, Falco succesfully got an event to process
timeouts_since_last_success_or_msg = 0;
if(duration_start == 0)
{
duration_start = ev->get_ts();
} else if(duration_to_tot_ns > 0)
}
else if(duration_to_tot_ns > 0)
{
if(ev->get_ts() - duration_start >= duration_to_tot_ns)
{
@@ -938,6 +966,7 @@ int falco_init(int argc, char **argv)
support["system_info"]["version"] = sysinfo.version;
support["system_info"]["machine"] = sysinfo.machine;
support["cmdline"] = cmdline;
support["engine_info"]["engine_version"] = FALCO_ENGINE_VERSION;
support["config"] = read_file(conf_filename);
support["rules_files"] = nlohmann::json::array();
for(auto filename : config.m_rules_filenames)

26
userspace/falco/webserver.cpp
View File

@@ -34,6 +34,15 @@ k8s_audit_handler::~k8s_audit_handler()
{
}
bool k8s_healthz_handler::handleGet(CivetServer *server, struct mg_connection *conn)
{
const std::string status_body = "{\"status\": \"ok\"}";
mg_send_http_ok(conn, "application/json", status_body.size());
mg_printf(conn, "%s", status_body.c_str());
return true;
}
bool k8s_audit_handler::accept_data(falco_engine *engine,
falco_outputs *outputs,
std::string &data,
@@ -75,7 +84,17 @@ bool k8s_audit_handler::accept_data(falco_engine *engine,
for(auto &jev : jevts)
{
std::unique_ptr<falco_engine::rule_result> res;
res = engine->process_k8s_audit_event(&jev);
try
{
res = engine->process_k8s_audit_event(&jev);
}
catch(...)
{
errstr = string("unkown error processing audit event");
fprintf(stderr, "%s\n", errstr.c_str());
return false;
}
if(res)
{
@@ -148,7 +167,7 @@ bool k8s_audit_handler::handlePost(CivetServer *server, struct mg_connection *co
return true;
}
std::string ok_body = "<html><body>Ok</body></html>";
const std::string ok_body = "<html><body>Ok</body></html>";
mg_send_http_ok(conn, "text/html", ok_body.size());
mg_printf(conn, "%s", ok_body.c_str());
@@ -233,6 +252,8 @@ void falco_webserver::start()
m_k8s_audit_handler = make_unique<k8s_audit_handler>(m_engine, m_outputs);
m_server->addHandler(m_config->m_webserver_k8s_audit_endpoint, *m_k8s_audit_handler);
m_k8s_healthz_handler = make_unique<k8s_healthz_handler>();
m_server->addHandler(m_config->m_webserver_k8s_healthz_endpoint, *m_k8s_healthz_handler);
}
void falco_webserver::stop()
@@ -241,5 +262,6 @@ void falco_webserver::stop()
{
m_server = NULL;
m_k8s_audit_handler = NULL;
m_k8s_healthz_handler = NULL;
}
}

15
userspace/falco/webserver.h
View File

@@ -41,6 +41,20 @@ private:
bool accept_uploaded_data(std::string &post_data, std::string &errstr);
};
class k8s_healthz_handler : public CivetHandler
{
public:
k8s_healthz_handler()
{
}
virtual ~k8s_healthz_handler()
{
}
bool handleGet(CivetServer *server, struct mg_connection *conn);
};
class falco_webserver
{
public:
@@ -60,4 +74,5 @@ private:
falco_outputs *m_outputs;
unique_ptr<CivetServer> m_server;
unique_ptr<k8s_audit_handler> m_k8s_audit_handler;
unique_ptr<k8s_healthz_handler> m_k8s_healthz_handler;
};