mirror of
https://github.com/falcosecurity/falco.git
synced 2026-03-25 06:02:18 +00:00
Compare commits
4 Commits
embed-lua-
...
chore/inte
| Author | SHA1 | Date | |
|---|---|---|---|
|
400567785e | ||
|
960ac52bcc | ||
|
|
3a33dfff0b | ||
|
|
542cdb493c |
@@ -1,16 +1,18 @@
|
||||
FROM fedora:31
|
||||
|
||||
LABEL name="falcosecurity/falco-tester"
|
||||
LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build -e FALCO_VERSION=<current_falco_version> --name <name> falcosecurity/falco-tester test"
|
||||
LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build --name <name> falcosecurity/falco-tester test"
|
||||
LABEL maintainer="cncf-falco-dev@lists.cncf.io"
|
||||
|
||||
ENV FALCO_VERSION=
|
||||
ENV BUILD_TYPE=release
|
||||
|
||||
ADD https://github.com/fullstorydev/grpcurl/releases/download/v1.6.0/grpcurl_1.6.0_linux_x86_64.tar.gz /
|
||||
RUN dnf install -y python-pip python docker findutils jq unzip && dnf clean all
|
||||
ENV PATH="/root/.local/bin/:${PATH}"
|
||||
RUN pip install --user avocado-framework==69.0
|
||||
RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0
|
||||
RUN tar -C /usr/bin -xvf grpcurl_1.6.0_linux_x86_64.tar.gz
|
||||
|
||||
COPY ./root /
|
||||
|
||||
|
||||
38
test/confs/grpc_unix_socket.yaml
Normal file
38
test/confs/grpc_unix_socket.yaml
Normal file
@@ -0,0 +1,38 @@
|
||||
#
|
||||
# Copyright (C) 2020 The Falco Authors.
|
||||
#
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
# Whether to output events in json or text.
|
||||
json_output: false
|
||||
|
||||
# Send information logs to stderr and/or syslog
|
||||
# Note these are *not* security notification logs!
|
||||
# These are just Falco lifecycle (and possibly error) logs.
|
||||
log_stderr: false
|
||||
log_syslog: false
|
||||
|
||||
# Where security notifications should go.
|
||||
stdout_output:
|
||||
enabled: true
|
||||
|
||||
# gRPC server using an unix socket.
|
||||
grpc:
|
||||
enabled: true
|
||||
bind_address: "unix:////tmp/falco.sock"
|
||||
threadiness: 8
|
||||
|
||||
grpc_output:
|
||||
enabled: true
|
||||
29
test/confs/stdout_output.yaml
Normal file
29
test/confs/stdout_output.yaml
Normal file
@@ -0,0 +1,29 @@
|
||||
#
|
||||
# Copyright (C) 2020 The Falco Authors.
|
||||
#
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
# Whether to output events in json or text.
|
||||
json_output: false
|
||||
|
||||
# Send information logs to stderr and/or syslog
|
||||
# Note these are *not* security notification logs!
|
||||
# These are just Falco lifecycle (and possibly error) logs.
|
||||
log_stderr: false
|
||||
log_syslog: false
|
||||
|
||||
# Where security notifications should go.
|
||||
stdout_output:
|
||||
enabled: true
|
||||
@@ -76,6 +76,8 @@ class FalcoTest(Test):
|
||||
self.exit_status = self.params.get('exit_status', '*', default=0)
|
||||
self.should_detect = self.params.get('detect', '*', default=False)
|
||||
self.trace_file = self.params.get('trace_file', '*', default='')
|
||||
self.event_generator = self.params.get('event_generator', '*', default='')
|
||||
self.event_generator_ver = self.params.get('event_generator_ver', '*', default='latest')
|
||||
|
||||
if self.trace_file and not os.path.isabs(self.trace_file):
|
||||
self.trace_file = os.path.join(build_dir, "test", self.trace_file)
|
||||
@@ -195,6 +197,19 @@ class FalcoTest(Test):
|
||||
os.makedirs(filedir)
|
||||
self.outputs = outputs
|
||||
|
||||
self.grpc_unix_socket_path = self.params.get('grpc_unix_socket_path', '*', default='/var/run/falco.sock')
|
||||
self.grpc_address = self.params.get('address', 'grpc/*', default='/var/run/falco.sock')
|
||||
if self.grpc_address.startswith("unix://"):
|
||||
self.is_grpc_using_unix_socket = True
|
||||
self.grpc_address = self.grpc_address[len("unix://"):]
|
||||
self.grpc_proto = self.params.get('proto', 'grpc/*', default='')
|
||||
self.grpc_service = self.params.get('service', 'grpc/*', default='')
|
||||
self.grpc_method = self.params.get('method', 'grpc/*', default='')
|
||||
self.grpc_results = self.params.get('results', 'grpc/*', default='')
|
||||
# todo: if string wrap in an array
|
||||
if self.grpc_results == '':
|
||||
self.grpc_results = []
|
||||
|
||||
self.disable_tags = self.params.get('disable_tags', '*', default='')
|
||||
|
||||
if self.disable_tags == '':
|
||||
@@ -417,10 +432,21 @@ class FalcoTest(Test):
|
||||
self.log.debug("Copying {} to {}".format(driver_path, module_path))
|
||||
shutil.copyfile(driver_path, module_path)
|
||||
|
||||
def start_event_generator(self):
|
||||
if self.event_generator != "":
|
||||
self.stop_event_generator()
|
||||
cmdline = "docker run --rm -d --name falco-test-event-generator " \
|
||||
"falcosecurity/event-generator:{} {}".format(self.event_generator_ver, self.event_generator)
|
||||
process.run(cmdline, timeout=120)
|
||||
|
||||
def stop_event_generator(self):
|
||||
if self.event_generator != "":
|
||||
process.run("docker rm -f falco-test-event-generator", ignore_status=True)
|
||||
|
||||
def test(self):
|
||||
self.log.info("Trace file %s", self.trace_file)
|
||||
|
||||
self.falco_binary_path = '{}/userspace/falco/falco'.format(self.falcodir)
|
||||
self.falco_binary_path = 'sudo {}/userspace/falco/falco'.format(self.falcodir)
|
||||
|
||||
self.possibly_copy_driver()
|
||||
|
||||
@@ -457,6 +483,8 @@ class FalcoTest(Test):
|
||||
psp_rules = myfile.read()
|
||||
self.log.debug("Converted Rules: {}".format(psp_rules))
|
||||
|
||||
# Possibly run the event-generator in background
|
||||
self.start_event_generator()
|
||||
|
||||
# Run falco
|
||||
cmd = '{} {} {} -c {} {} -o json_output={} -o json_include_output_property={} -o priority={} -v'.format(
|
||||
@@ -481,6 +509,9 @@ class FalcoTest(Test):
|
||||
|
||||
res = self.falco_proc.run(timeout=180, sig=9)
|
||||
|
||||
# Possibly stop the event-generator
|
||||
self.stop_event_generator()
|
||||
|
||||
if self.stdout_is != '':
|
||||
print(self.stdout_is)
|
||||
if self.stdout_is != res.stdout.decode("utf-8"):
|
||||
|
||||
@@ -672,6 +672,33 @@ trace_files: !mux
|
||||
outputs:
|
||||
- /tmp/falco_outputs/program_output.txt: Warning An open was seen
|
||||
|
||||
with_driver:
|
||||
event_generator: run ^syscall.ReadSensitiveFile$ --loop
|
||||
event_generator_ver: 0.3.0
|
||||
run_duration: 30
|
||||
detect: True
|
||||
detect_level: WARNING
|
||||
rules_file:
|
||||
- rules/read_sensitive_file_simplified.yaml
|
||||
conf_file: confs/stdout_output.yaml
|
||||
|
||||
# grpc_unix_socket_outputs:
|
||||
# event_generator: run ^syscall.ReadSensitiveFile$ --loop
|
||||
# event_generator_ver: 0.3.0
|
||||
# run_duration: 30
|
||||
# detect: True
|
||||
# detect_level: WARNING
|
||||
# rules_file:
|
||||
# - rules/read_sensitive_file_simplified.yaml
|
||||
# conf_file: confs/grpc_unix_socket.yaml
|
||||
# grpc:
|
||||
# address: unix:///tmp/falco.sock
|
||||
# proto: output.proto
|
||||
# service: falco.output.service
|
||||
# method: subscribe
|
||||
# results:
|
||||
# - "Warning An open was seen"
|
||||
|
||||
detect_counts:
|
||||
detect: True
|
||||
detect_level: WARNING
|
||||
|
||||
30
test/rules/read_sensitive_file_simplified.yaml
Normal file
30
test/rules/read_sensitive_file_simplified.yaml
Normal file
@@ -0,0 +1,30 @@
|
||||
- macro: proc_name_exists
|
||||
condition: (proc.name!="<NA>")
|
||||
|
||||
- macro: open_read
|
||||
condition: (evt.type=open or evt.type=openat) and evt.is_open_read=true and fd.typechar='f' and fd.num>=0
|
||||
|
||||
- list: sensitive_file_names
|
||||
items: [/etc/shadow, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]
|
||||
|
||||
- macro: sensitive_files
|
||||
condition: >
|
||||
fd.name startswith /etc and
|
||||
(fd.name in (sensitive_file_names)
|
||||
or fd.directory in (/etc/sudoers.d, /etc/pam.d))
|
||||
|
||||
- macro: cmp_cp_by_passwd
|
||||
condition: proc.name in (cmp, cp) and proc.pname in (passwd, run-parts)
|
||||
|
||||
- rule: Read sensitive file
|
||||
desc: >
|
||||
an attempt to read any sensitive file (e.g. files containing user/password/authentication
|
||||
information).
|
||||
condition: >
|
||||
sensitive_files and open_read
|
||||
and proc_name_exists
|
||||
and not cmp_cp_by_passwd
|
||||
output: >
|
||||
Sensitive file opened for reading (user=%user.name program=%proc.name
|
||||
command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)
|
||||
priority: WARNING
|
||||
Reference in New Issue
Block a user