Use url-safe characters in falco version

In some cases, you might want to host falco packages in a way where they're directly accessible via http. The '+' character that separates the version and the git hash ends up breaking naive solutions that don't properly url-escape the package name before doing the http fetch. Of course, clients can properly url-escape, but switching to a tilde is url safe and I think still preserves the idea of separating the version and hash. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Pocteo as an adopter
2026-04-03 18:42:13 +00:00 · 2021-03-11 14:41:35 -08:00 · 2021-03-11 16:58:59 +01:00 · 2021-03-10 18:00:52 +01:00 · 2021-03-05 12:22:47 +01:00 · 2021-03-05 12:22:47 +01:00
18 changed files with 185 additions and 105 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -462,7 +462,19 @@ jobs:
      - checkout
      - setup_remote_docker
      - run:
-          name: Build and publish falco to AWS
+          name: Build and publish no-driver (dev) to AWS
+          command: |
+            apk update
+            apk add --update groff less py-pip
+            pip install awscli
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            docker build --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t "public.ecr.aws/falcosecurity/falco-no-driver:master" docker/no-driver
+            docker tag public.ecr.aws/falcosecurity/falco-no-driver:master public.ecr.aws/falcosecurity/falco:master-slim
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+            docker push "public.ecr.aws/falcosecurity/falco-no-driver:master"
+            docker push "public.ecr.aws/falcosecurity/falco:master-slim"
+      - run:
+          name: Build and publish falco (dev) to AWS
          command: |
            apk update
            apk add --update groff less py-pip
@@ -471,6 +483,15 @@ jobs:
            docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t "public.ecr.aws/falcosecurity/falco:master" docker/falco
            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
            docker push "public.ecr.aws/falcosecurity/falco:master"
+      - run:
+          name: Build and publish driver-loader (dev) to AWS
+          command: |
+            apk update
+            apk add --update groff less py-pip
+            pip install awscli
+            docker build --build-arg FALCO_IMAGE_TAG=master -t "public.ecr.aws/falcosecurity/falco-driver-loader:master" docker/driver-loader
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+            docker push "public.ecr.aws/falcosecurity/falco-driver-loader:master"
  # Publish the packages
  "publish/packages":
    docker:
@@ -546,6 +567,21 @@ jobs:
          at: /
      - checkout
      - setup_remote_docker
+      - run:
+          name: Build and publish no-driver to AWS
+          command: |
+            apk update
+            apk add --update groff less py-pip
+            pip install awscli
+            docker build --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" docker/no-driver
+            docker tag "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" public.ecr.aws/falcosecurity/falco-no-driver:latest
+            docker tag "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}-slim"
+            docker tag "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" "public.ecr.aws/falcosecurity/falco:latest-slim"
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+            docker push "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}-slim"
+            docker push "public.ecr.aws/falcosecurity/falco:latest-slim"
+            docker push "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}"
+            docker push "public.ecr.aws/falcosecurity/falco-no-driver:latest"
      - run:
          name: Build and publish falco to AWS
          command: |
@@ -557,6 +593,17 @@ jobs:
            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
            docker push "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}"
            docker push "public.ecr.aws/falcosecurity/falco:latest"
+      - run:
+          name: Build and publish falco-driver-loader to AWS
+          command: |
+            apk update
+            apk add --update groff less py-pip
+            pip install awscli
+            docker build --build-arg FALCO_IMAGE_TAG=${CIRCLE_TAG} -t "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}" docker/driver-loader
+            docker tag "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}" public.ecr.aws/falcosecurity/falco-driver-loader:latest
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+            docker push "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}"
+            docker push "public.ecr.aws/falcosecurity/falco-driver-loader:latest"
 workflows:
  version: 2
  build_and_test:
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -15,6 +15,8 @@ This is a list of production adopters of Falco (in alphabetical order):
 * [Logz.io](https://logz.io/) - Logz.io is a cloud observability platform for modern engineering teams. The Logz.io platform consists of three products — Log Management, Infrastructure Monitoring, and Cloud SIEM — that work together to unify the jobs of monitoring, troubleshooting, and security. We empower engineers to deliver better software by offering the world's most popular open source observability tools — the ELK Stack, Grafana, and Jaeger — in a single, easy to use, and powerful platform purpose-built for monitoring distributed cloud environments. Cloud SIEM supports data from multiple sources, including Falco's alerts, and offers useful rules and dashboards content to visualize and manage incidents across your systems in a unified UI.
  * https://logz.io/blog/k8s-security-with-falco-and-cloud-siem/

+* [Pocteo](https://pocteo.co) - Pocteo helps with Kubernetes adoption in enterprises by providing a variety of services such as training, consulting, auditing and mentoring. We build CI/CD pipelines the GitOps way, as well as design and run k8s clusters. Pocteo uses Falco as a runtime monitoring system to secure clients' workloads against suspicious behavior and ensure k8s pods immutability. We also use Falco to collect, process and act on security events through a response engine and serverless functions.
+
 * [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPPA compliance requirements.
  * https://hipaa.preferral.com/01-preferral_hipaa_compliance/

@@ -28,4 +30,6 @@ This is a list of production adopters of Falco (in alphabetical order):

 * [Swissblock Technologies](https://swissblock.net/) At Swissblock we connect the dots by combining cutting-edge algorithmic trading strategies with in-depth market analysis. We route all Falco events to our control systems, both monitoring and logging. Being able to deeply analyse alerts, we can understand what is running on our Kubernetes clusters and check against security policies, specifically defined for each workload. A set of alarms notifies us in case of critical events, letting us react fast. In the near future we plan to build a little application to route Kubernetes internal events directly to Falco, fully leveraging Falco PodSecurityPolicies analyses.

+* [Shapesecurity/F5] (https://www.shapesecurity.com/) Shapesecurity defends against application fraud attacks like Account Take Over, Credential Stuffing, Fake Accounts, etc. Required by FedRamp certification, we needed to find a FIM solution to help monitor and protect our Kubernetes clusters. Traditional FIM solutions were not scalable and not working for our environment, but with Falco we found the solution we needed. Falco's detection capabilities have helped us identify anomalous behaviour within our clusters. We leverage Sidekick (https://github.com/falcosecurity/charts/tree/master/falcosidekick) to send Falco alerts to a PubSub which in turn publishes those alerts to our SIEM (SumoLogic)
+
 * [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
--- a/cmake/modules/GetFalcoVersion.cmake
+++ b/cmake/modules/GetFalcoVersion.cmake
@@ -27,7 +27,7 @@ if(NOT FALCO_VERSION)
      set(FALCO_VERSION "0.0.0")
    endif()
    # Format FALCO_VERSION to be semver with prerelease and build part
-    string(REPLACE "-g" "+" FALCO_VERSION "${FALCO_VERSION}")
+    string(REPLACE "-g" "~" FALCO_VERSION "${FALCO_VERSION}")
  else()
    # A tag has been found: use it as the Falco version
    set(FALCO_VERSION "${FALCO_TAG}")
--- a/cmake/modules/jq.cmake
+++ b/cmake/modules/jq.cmake
@@ -45,7 +45,7 @@ else ()
    #   https://github.com/stedolan/jq/issues/2061#issuecomment-593445920
    ExternalProject_Add(
            jq
-            URL "https://dl.bintray.com/falcosecurity/dependencies/jq-1.6.tar.gz"
+            URL "https://download.falco.org/dependencies/jq-1.6.tar.gz"
            URL_HASH "SHA256=787518068c35e244334cc79b8e56b60dbab352dff175b7f04a94f662b540bfd9"
            CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking --with-oniguruma=builtin --prefix=${JQ_INSTALL_DIR}
            BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
--- a/docker/falco/Dockerfile
+++ b/docker/falco/Dockerfile
@@ -18,10 +18,12 @@ RUN apt-get update \
 	&& apt-get install -y --no-install-recommends \
 	bash-completion \
 	bc \
+	bison \
 	clang-7 \
 	ca-certificates \
 	curl \
 	dkms \
+	flex \
 	gnupg2 \
 	gcc \
 	jq \
@@ -39,15 +41,15 @@ RUN apt-get update \
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.

-RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
-	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
+RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_amd64.deb \
+	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_amd64.deb \
+	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
+	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
+	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_amd64.deb \
+	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_amd64.deb \
+	&& curl -L -o libisl15_0.18-1_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-1_amd64.deb \
 	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
 	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb

@@ -56,13 +58,13 @@ RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dep
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.

-RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
+RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_amd64.deb \
+	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_amd64.deb \
+	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+	&& curl -L -o libisl15_0.18-4_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-4_amd64.deb \
+	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_amd64.deb \
 	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
 	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb

@@ -96,10 +98,10 @@ RUN rm -df /lib/modules \
 # debian:stable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
+RUN curl -L -o binutils_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils_2.30-22_amd64.deb \
+	&& curl -L -o libbinutils_2.30-22_amd64.deb https://download.falco.org/dependencies/libbinutils_2.30-22_amd64.deb \
+	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+	&& curl -L -o binutils-common_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-common_2.30-22_amd64.deb \
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb

--- a/docker/local/Dockerfile
+++ b/docker/local/Dockerfile
@@ -48,15 +48,15 @@ RUN apt-get update \
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.

-RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
-	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
+RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_amd64.deb \
+	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_amd64.deb \
+	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
+	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
+	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_amd64.deb \
+	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_amd64.deb \
+	&& curl -L -o libisl15_0.18-1_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-1_amd64.deb \
 	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
 	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb

@@ -65,13 +65,13 @@ RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dep
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.

-RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
+RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_amd64.deb \
+	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_amd64.deb \
+	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+	&& curl -L -o libisl15_0.18-4_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-4_amd64.deb \
+	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_amd64.deb \
 	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
 	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb

@@ -96,15 +96,15 @@ RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
 # Change the falco config within the container to enable ISO 8601
 # output.
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml

 # debian:stable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
+RUN curl -L -o binutils_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils_2.30-22_amd64.deb \
+	&& curl -L -o libbinutils_2.30-22_amd64.deb https://download.falco.org/dependencies/libbinutils_2.30-22_amd64.deb \
+	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+	&& curl -L -o binutils-common_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-common_2.30-22_amd64.deb \
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb

--- a/docker/tester/root/usr/bin/usage
+++ b/docker/tester/root/usr/bin/usage
@@ -3,7 +3,7 @@
 pythonversion=$(python -c 'import sys; version=sys.version_info[:3]; print("{0}.{1}.{2}".format(*version))')
 pipversion=$(pip --version | cut -d' ' -f 1,2,5,6)
 dockerversion=$(docker --version)
-avocadoversion=$(pip2 show avocado-framework | grep Version)
+avocadoversion=$(pip show avocado-framework | grep Version)
 avocadoversion=${avocadoversion#"Version: "}

 cat <<EOF
--- a/falco.yaml
+++ b/falco.yaml
@@ -152,11 +152,14 @@ stdout_output:
 # $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
 # $ cat certificate.pem key.pem > falco.pem
 # $ sudo cp falco.pem /etc/falco/falco.pem
-
+#
+# It also exposes a healthy endpoint that can be used to check if Falco is up and running
+# By default the endpoint is /healthz
 webserver:
  enabled: true
  listen_port: 8765
  k8s_audit_endpoint: /k8s-audit
+  k8s_healthz_endpoint: /healthz
  ssl_enabled: false
  ssl_certificate: /etc/falco/falco.pem

--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -201,7 +201,7 @@
 # The explicit quotes are needed to avoid the - characters being
 # interpreted by the filter expression.
 - list: rpm_binaries
-  items: [dnf, rpm, rpmkey, yum, '"75-system-updat"', rhsmcertd-worke, subscription-ma,
+  items: [dnf, rpm, rpmkey, yum, '"75-system-updat"', rhsmcertd-worke, rhsmcertd, subscription-ma,
          repoquery, rpmkeys, rpmq, yum-cron, yum-config-mana, yum-debug-dump,
          abrt-action-sav, rpmdb_stat, microdnf, rhn_check, yumdb]

@@ -211,7 +211,7 @@
 - list: deb_binaries
  items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, apt-get, aptitude,
    frontend, preinst, add-apt-reposit, apt-auto-remova, apt-key,
-    apt-listchanges, unattended-upgr, apt-add-reposit, apt-config, apt-cache
+    apt-listchanges, unattended-upgr, apt-add-reposit, apt-config, apt-cache, apt.systemd.dai
    ]

 # The truncated dpkg-preconfigu is intentional, process names are
@@ -1724,6 +1724,25 @@
       container.image.repository endswith /prometheus-node-exporter or
       container.image.repository endswith /image-inspector))

+# 602401143452.dkr.ecr is official AWS EKS registry. AWS has different ECR repo per region
+# 602401143452.dkr.ecr.eu-west-1.amazonaws.com/eks/kube-proxy
+# 602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/kube-proxy
+# For this reason we use two macro to match all regions 
+- macro: allowed_aws_eks_registry_root
+  condition: >
+        (container.image.repository startswith "602401143452.dkr.ecr")
+
+- macro: aws_eks_image
+  condition: >
+        (allowed_aws_eks_registry_root and
+        (container.image.repository endswith ".amazonaws.com/amazon-k8s-cni" or
+        container.image.repository endswith ".amazonaws.com/eks/kube-proxy"))
+
+- macro: aws_eks_image_sensitive_mount
+  condition: >
+        (allowed_aws_eks_registry_root and container.image.repository endswith ".amazonaws.com/amazon-k8s-cni")
+
+
 # These images are allowed both to run with --privileged and to mount
 # sensitive paths from the host filesystem.
 #
@@ -1780,7 +1799,7 @@
    docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul,
    docker.io/datadog/docker-dd-agent, docker.io/datadog/agent, docker.io/docker/ucp-agent, docker.io/gliderlabs/logspout,
    docker.io/netdata/netdata, docker.io/google/cadvisor, docker.io/prom/node-exporter,
-    amazon/amazon-ecs-agent
+    amazon/amazon-ecs-agent, prom/node-exporter, amazon/cloudwatch-agent
    ]

 # These container images are allowed to run with hostnetwork=true
@@ -1811,6 +1830,7 @@
    container_started and container
    and container.privileged=true
    and not openshift_image
+    and not aws_eks_image
  exceptions:
    - name: image_repo
      fields: container.image.repository
@@ -1865,6 +1885,7 @@
    container_started and container
    and sensitive_mount
    and not user_sensitive_mount_containers
+    and not aws_eks_image_sensitive_mount
  exceptions:
    - name: image_repo
      fields: container.image.repository
@@ -2334,6 +2355,13 @@
  tags: [network, container, mitre_discovery]


+# Containers from IBM Cloud
+- list: ibm_cloud_containers
+  items:
+    - icr.io/ext/sysdig/agent
+    - registry.ng.bluemix.net/armada-master/metrics-server-amd64
+    - registry.ng.bluemix.net/armada-master/olm
+
 # In a local/user rules file, list the namespace or container images that are
 # allowed to contact the K8s API Server from within a container. This
 # might cover cases where the K8s infrastructure itself is running
@@ -2343,7 +2371,10 @@
    (container.image.repository in (gcr.io/google_containers/hyperkube-amd64,
     gcr.io/google_containers/kube2sky, docker.io/sysdig/falco,
     docker.io/sysdig/sysdig, docker.io/falcosecurity/falco,
-     sysdig/falco, sysdig/sysdig, falcosecurity/falco) or (k8s.ns.name = "kube-system"))
+     sysdig/falco, sysdig/sysdig, falcosecurity/falco, 
+     fluent/fluentd-kubernetes-daemonset, prom/prometheus,
+     ibm_cloud_containers)
+     or (k8s.ns.name = "kube-system"))

 - macro: k8s_api_server
  condition: (fd.sip.name="kubernetes.default.svc.cluster.local")
@@ -3114,7 +3145,17 @@
  output: Container launched with root user privilege (uid=%user.uid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  priority: INFO
  tags: [container, process]
+  
+#This rule helps detect CVE-2021-3156:
+#A privilege escalation to root through heap-based buffer overflow
+- rule: Sudo Potential Privilege Escalation
+  desc: Privilege escalation vulnerability affecting sudo (<= 1.9.5p2). Executing sudo using sudoedit -s or sudoedit -i command with command-line argument that ends with a single backslash character from an unprivileged user it's possible to elevate the user privileges to root.
+  condition: spawned_process and user.uid!= 0 and proc.name=sudoedit and (proc.args contains -s or proc.args contains -i) and (proc.args contains "\ " or proc.args endswith \)
+  output: "Detect Sudo Privilege Escalation Exploit (CVE-2021-3156) (user=%user.name parent=%proc.pname cmdline=%proc.cmdline %container.info)"
+  priority: CRITICAL
+  tags: [filesystem, mitre_privilege_escalation]

 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.
+
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -51,7 +51,8 @@
    cluster-autoscaler,
    "system:addon-manager",
    "cloud-controller-manager",
-    "eks:node-manager"
+    "eks:node-manager",
+    "system:kube-controller-manager"
    ]

 - rule: Disallowed K8s User
@@ -346,7 +347,9 @@
  tags: [k8s]

 - list: user_known_sa_list
-  items: []
+  items: ["pod-garbage-collector","resourcequota-controller","cronjob-controller","generic-garbage-collector", 
+          "daemon-set-controller","endpointslice-controller","deployment-controller", "replicaset-controller",
+          "endpoint-controller"]

 - macro: trusted_sa
  condition: (ka.target.name in (user_known_sa_list))
--- a/test/README.md
+++ b/test/README.md
@@ -2,7 +2,7 @@

 This folder contains the Regression tests suite for Falco.

-You can find instructions on how to run this test suite on the Falco website [here](https://falco.org/docs/source/#run-regression-tests).
+You can find instructions on how to run this test suite on the Falco website [here](https://falco.org/docs/getting-started/source/#run-regression-tests).

 ## Test suites

@@ -16,7 +16,7 @@ You can find instructions on how to run this test suite on the Falco website [he

 This step assumes you already built Falco.

-Note that the tests are intended to be run against a [release build](https://falco.org/docs/source/#specify-the-build-type) of Falco, at the moment.
+Note that the tests are intended to be run against a [release build](https://falco.org/docs/getting-started/source/#specify-the-build-type) of Falco, at the moment.

 Also, it assumes you prepared [falco_traces](#falco_traces) (see the section below) and you already run the following command from the build directory:

--- a/test/falco_tests.yaml
+++ b/test/falco_tests.yaml
@@ -1277,10 +1277,3 @@ trace_files: !mux
    trace_file: trace_files/cat_write.scap
    stdout_contains: "2016-08-04T16:17:57.882054739\\+0000: Warning An open was seen"
    stderr_contains: "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\d\\+0000"
-
-  unknown_source:
-    detect: True
-    detect_level: WARNING
-    rules_file:
-      - rules/unknown_source.yaml
-    trace_file: trace_files/cat_write.scap
--- a/test/rules/unknown_source.yaml
+++ b/test/rules/unknown_source.yaml
@@ -1,31 +0,0 @@
-#
-# Copyright (C) 2021 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
- macro: Macro with unknown source
-  condition: some other unknown filter
-  source: unknown-source
-
- rule: Rule with unknown source
-  condition: some unknown filter
-  output: some unknown output
-  priority: INFO
-  source: unknown-source
-
- rule: open_from_cat
-  desc: A process named cat does an open
-  condition: evt.type=open and proc.name=cat
-  output: "An open was seen (command=%proc.cmdline)"
-  priority: WARNING
--- a/userspace/engine/lua/rule_loader.lua
+++ b/userspace/engine/lua/rule_loader.lua
@@ -436,11 +436,6 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	    v['source'] = "syscall"
 	 end

-	 -- Ignore macros with unknown sources
-	 if (v['source'] ~= "syscall" and v['source'] ~= "k8s_audit") then
-	    goto next_object
-	 end
-
 	 if state.macros_by_name[v['macro']] == nil then
 	    state.ordered_macro_names[#state.ordered_macro_names+1] = v['macro']
 	 end
@@ -527,11 +522,6 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	    v['source'] = "syscall"
 	 end

-	 -- Ignore rules with unknown sources
-	 if (v['source'] ~= "syscall" and v['source'] ~= "k8s_audit") then
-	    goto next_object
-	 end
-
 	 -- Add an empty exceptions property to the rule if not
 	 -- defined, but add a warning about defining one
 	 if v['exceptions'] == nil then
@@ -678,8 +668,6 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	 arr = build_error_with_context(context, "Unknown top level object: "..table.tostring(v))
 	 warnings[#warnings + 1] = arr[1]
      end
-
-      ::next_object::
   end

   return true, {}, warnings
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -34,6 +34,7 @@ falco_configuration::falco_configuration():
 	m_webserver_enabled(false),
 	m_webserver_listen_port(8765),
 	m_webserver_k8s_audit_endpoint("/k8s-audit"),
+	m_webserver_k8s_healthz_endpoint("/healthz"),
 	m_webserver_ssl_enabled(false),
 	m_config(NULL)
 {
@@ -193,6 +194,7 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 	m_webserver_enabled = m_config->get_scalar<bool>("webserver", "enabled", false);
 	m_webserver_listen_port = m_config->get_scalar<uint32_t>("webserver", "listen_port", 8765);
 	m_webserver_k8s_audit_endpoint = m_config->get_scalar<string>("webserver", "k8s_audit_endpoint", "/k8s-audit");
+	m_webserver_k8s_healthz_endpoint = m_config->get_scalar<string>("webserver", "k8s_healthz_endpoint", "/healthz");
 	m_webserver_ssl_enabled = m_config->get_scalar<bool>("webserver", "ssl_enabled", false);
 	m_webserver_ssl_certificate = m_config->get_scalar<string>("webserver", "ssl_certificate", "/etc/falco/falco.pem");

--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@@ -216,6 +216,7 @@ public:
 	bool m_webserver_enabled;
 	uint32_t m_webserver_listen_port;
 	std::string m_webserver_k8s_audit_endpoint;
+	std::string m_webserver_k8s_healthz_endpoint;
 	bool m_webserver_ssl_enabled;
 	std::string m_webserver_ssl_certificate;
 	std::set<syscall_evt_drop_mgr::action> m_syscall_evt_drop_actions;
--- a/userspace/falco/webserver.cpp
+++ b/userspace/falco/webserver.cpp
@@ -34,6 +34,15 @@ k8s_audit_handler::~k8s_audit_handler()
 {
 }

+bool k8s_healthz_handler::handleGet(CivetServer *server, struct mg_connection *conn)
+{
+	const std::string status_body = "{\"status\": \"ok\"}";
+	mg_send_http_ok(conn, "application/json", status_body.size());
+	mg_printf(conn, "%s", status_body.c_str());
+
+	return true;
+}
+
 bool k8s_audit_handler::accept_data(falco_engine *engine,
 				    falco_outputs *outputs,
 				    std::string &data,
@@ -148,7 +157,7 @@ bool k8s_audit_handler::handlePost(CivetServer *server, struct mg_connection *co
 		return true;
 	}

-	std::string ok_body = "<html><body>Ok</body></html>";
+	const std::string ok_body = "<html><body>Ok</body></html>";
 	mg_send_http_ok(conn, "text/html", ok_body.size());
 	mg_printf(conn, "%s", ok_body.c_str());

@@ -233,6 +242,8 @@ void falco_webserver::start()

 	m_k8s_audit_handler = make_unique<k8s_audit_handler>(m_engine, m_outputs);
 	m_server->addHandler(m_config->m_webserver_k8s_audit_endpoint, *m_k8s_audit_handler);
+	m_k8s_healthz_handler = make_unique<k8s_healthz_handler>();
+	m_server->addHandler(m_config->m_webserver_k8s_healthz_endpoint, *m_k8s_healthz_handler);
 }

 void falco_webserver::stop()
@@ -241,5 +252,6 @@ void falco_webserver::stop()
 	{
 		m_server = NULL;
 		m_k8s_audit_handler = NULL;
+		m_k8s_healthz_handler = NULL;
 	}
 }
--- a/userspace/falco/webserver.h
+++ b/userspace/falco/webserver.h
@@ -41,6 +41,20 @@ private:
 	bool accept_uploaded_data(std::string &post_data, std::string &errstr);
 };

+class k8s_healthz_handler : public CivetHandler
+{
+public:
+	k8s_healthz_handler()
+	{
+	}
+
+	virtual ~k8s_healthz_handler()
+	{
+	}
+
+	bool handleGet(CivetServer *server, struct mg_connection *conn);
+};
+
 class falco_webserver
 {
 public:
@@ -60,4 +74,5 @@ private:
 	falco_outputs *m_outputs;
 	unique_ptr<CivetServer> m_server;
 	unique_ptr<k8s_audit_handler> m_k8s_audit_handler;
+	unique_ptr<k8s_healthz_handler> m_k8s_healthz_handler;
 };
Author	SHA1	Message	Date
Mark Stemm	09ac4b9ff6	Use url-safe characters in falco version In some cases, you might want to host falco packages in a way where they're directly accessible via http. The '+' character that separates the version and the git hash ends up breaking naive solutions that don't properly url-escape the package name before doing the http fetch. Of course, clients can properly url-escape, but switching to a tilde is url safe and I think still preserves the idea of separating the version and hash. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2021-03-11 14:41:35 -08:00
POCTEO	34bbe2984f	Pocteo as an adopter Signed-off-by: Walid DRIDI <contact@pocteo.co>	2021-03-11 16:58:59 +01:00
Leonardo Grasso	825e6caf2d	build: fetch build deps from download.falco.org Signed-off-by: Leonardo Grasso <me@leonardograsso.com>	2021-03-10 18:00:52 +01:00
jonahjon	96ad761308	adding falco-slim build/push Signed-off-by: jonahjon <jonahjones094@gmail.com>	2021-03-05 12:22:47 +01:00
Leo Di Donato	bb7ce37159	fix(.circleci): correctly publish the falco-driver-loader container image from master to AWS ECR gallery Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2021-03-05 12:22:47 +01:00
Leo Di Donato	c66d056f67	fix(.circleci): the falco-driver-loader container images requires FALCO_IMAGE_TAG build arg (release to AWS ECR gallery) Signed-off-by: Leonardo Di Donato	2021-03-05 12:22:47 +01:00
Leo Di Donato	6a2759fe94	update(.circleci): tag falco-no-driver:<tag> image as falco-no-driver:latest, falco:<tag>-slim, and falco:latest-slim And publish them too. Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2021-03-05 12:22:47 +01:00
Leo Di Donato	b91c5b613a	update(.circleci): falco-no-driver:latest from bin bucket Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2021-03-05 12:22:47 +01:00
Leo Di Donato	6fe9f8da0b	fix(.circleci): falco-no-driver container images grabs Falco from the bin[-dev] bucket Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2021-03-05 12:22:47 +01:00
jonahjon	e888a1d354	adding other alternate AWS builds to circleCI Signed-off-by: jonahjon <jonahjones094@gmail.com>	2021-03-05 12:22:47 +01:00
Isaac Rivera	6e746d71ba	fixing typo Signed-off-by: Isaac Rivera <irivera007@yahoo.com>	2021-03-05 12:16:33 +01:00
Isaac Rivera	2de8176c88	adding shapesecurity to adopters Signed-off-by: Isaac Rivera <irivera007@yahoo.com>	2021-03-05 12:16:33 +01:00
Shane Lawrence	74164b1ef8	Use default pip version to get avocado version. Signed-off-by: Shane Lawrence <shane@lawrence.dev>	2021-03-05 10:50:27 +01:00
Shane Lawrence	da8f054043	Fix broken links to docs. Signed-off-by: Shane Lawrence <shane@lawrence.dev>	2021-03-05 10:48:21 +01:00
Bart van der Schans	05545f228d	Add flex and bison to docker for building bpf module on recent amazon linux2 Signed-off-by: Bart van der Schans <bart@vanderschans.nl>	2021-03-05 10:46:10 +01:00
Spencer Krum	b3693a0b75	chore(rules): Add ibmcloud operator lifecycle manager Signed-off-by: Spencer Krum <nibz@spencerkrum.com>	2021-02-19 12:35:30 +01:00
Spencer Krum	a54f946135	chore(rules): Rule exceptions for ibm cloud Whitelist ibm images for connecting to k8s api server IBM Observability by Sysdig has a vendored sysdig/agent image. IBM's Kubernetes Service ships with an operator manager. Example: 19:12:45.090908160: Notice Unexpected connection to K8s API Server from container (command=catalog -namespace ibm-system -configmapServerImage=registry.ng.bluemix.net/armada-master/configmap-operator-registry:v1.6.1 k8s.ns=ibm-system k8s.pod=catalog-operator-6495d76869-ncl2z container=4ad7a04fa1e0 image=registry.ng.bluemix.net/armada-master/olm:0.14.1-IKS-1 connection=172.30.108.219:48200->172.21.0.1:443) k8s.ns=ibm-system k8s.pod=catalog-operator-6495d76869-ncl2z container=4ad7a04fa1e0 IBM's Kubernetes service also ships with a metrics collecting agent Signed-off-by: Spencer Krum <nibz@spencerkrum.com>	2021-02-19 12:35:30 +01:00
Leonardo Grasso	85db1aa997	fix(rules): correct indentation Signed-off-by: Leonardo Grasso <me@leonardograsso.com>	2021-02-19 09:24:55 +01:00
ismail yenigul	37a6caae12	remove commercial images to unblock PR add endpoint-controller to user_known_sa_list related event: { "output": "05:19:25.557989888: Warning Service account created in kube namespace (user=system:kube-controller-manager serviceaccount=endpoint-controller ns=kube-system)", "priority": "Warning", "rule": "Service Account Created in Kube Namespace", "time": "2021-02-16T05:19:25.557989888Z", "output_fields": { "jevt.time": "05:19:25.557989888", "ka.target.name": "endpoint-controller", "ka.target.namespace": "kube-system", "ka.user.name": "system:kube-controller-manager" } } Signed-off-by: ismail yenigul <ismailyenigul@gmail.com>	2021-02-19 09:24:55 +01:00
ismail yenigul	2d962dfcb0	rebase to master update user_known_sa_list with k8s internal sa in kube-system { "output": "10:27:56.539783936: Warning Service account created in kube namespace (user=system:kube-controller-manager serviceaccount=replicaset-controller ns=kube-system)", "priority": "Warning", "rule": "Service Account Created in Kube Namespace", "time": "2021-02-15T10:27:56.539783936Z", "output_fields": { "jevt.time": "10:27:56.539783936", "ka.target.name": "replicaset-controller", "ka.target.namespace": "kube-system", "ka.user.name": "system:kube-controller-manager" } } { "output": "17:06:18.267429888: Warning Service account created in kube namespace (user=system:kube-controller-manager serviceaccount=deployment-controller ns=kube-system)", "priority": "Warning", "rule": "Service Account Created in Kube Namespace", "time": "2021-02-15T17:06:18.267429888Z", "output_fields": { "jevt.time": "17:06:18.267429888", "ka.target.name": "deployment-controller", "ka.target.namespace": "kube-system", "ka.user.name": "system:kube-controller-manager" } } and more.. Signed-off-by: ismail yenigul <ismailyenigul@gmail.com>	2021-02-19 09:24:55 +01:00
Petr Michalec	541845156f	rhsm cert updates Signed-off-by: Petr Michalec <epcim@apealive.net> Signed-off-by: Petr Michalec <pmichalec@ves.io>	2021-02-18 15:42:06 +01:00
darryk5	0879523776	update: add review suggestions for Rule Sudo Potential Privilege Escalation Signed-off-by: darryk5 <stefano.chierici@sysdig.com> Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com> Co-authored-by: Leonardo Grasso <me@leonardograsso.com>	2021-02-17 21:36:51 +01:00
darryk5	81e880b486	Added Rule Sudo Potential Privilege Escalation (CVE-2021-3156) See #1540 Signed-off-by: darryk5 <stefano.chierici@sysdig.com> Co-authored-by: Lorenzo Fontana <lo@linux.com>	2021-02-17 21:36:51 +01:00
Carlos Panato	f140cdfd68	falco: add healthz endpoint Signed-off-by: Carlos Panato <ctadeu@gmail.com>	2021-02-11 20:29:07 +01:00