new(test): read grpc config fields

Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>

docker/build/install-falco.yaml

@@ -1,45 +0,0 @@
-kind: DaemonSet
-apiVersion: apps/v1
-metadata:
-  name: falco
-  namespace: falco
-  labels:
-    app: falco
-spec:
-  selector:
-    matchLabels:
-      app: falco
-  template:
-    metadata:
-      labels:
-        app: falco
-    spec:
-      tolerations:
-        - operator: Exists
-      hostPID: true
-      hostNetwork: true
-containers:
-  - name: falco-init
-    image: alpine
-    imagePullPolicy: Always
-    securityContext:
-      privileged: true
-lifecycle:
-  preStop:
-    exec:
-      command:
-        - "nsenter"
-        - "-t"
-        - "1"
-        - "-m"
-        - "--"
-        - "/bin/sh"
-        - "-c"
-        - |
-          #!/bin/bash
-          curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add -
-          echo "deb https://dl.bintray.com/falcosecurity/deb stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list
-          apt-get update -y
-          apt-get -y install linux-headers-$(uname -r)
-          apt-get install -y falco
-          exit 0

docker/tester/Dockerfile

@@ -1,16 +1,18 @@
 FROM fedora:31
 
 LABEL name="falcosecurity/falco-tester"
-LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build -e FALCO_VERSION=<current_falco_version> --name <name> falcosecurity/falco-tester test"
+LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build --name <name> falcosecurity/falco-tester test"
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 
 ENV FALCO_VERSION=
 ENV BUILD_TYPE=release
 
+ADD https://github.com/fullstorydev/grpcurl/releases/download/v1.6.0/grpcurl_1.6.0_linux_x86_64.tar.gz /
 RUN dnf install -y python-pip python docker findutils jq unzip && dnf clean all
 ENV PATH="/root/.local/bin/:${PATH}"
 RUN pip install --user avocado-framework==69.0
 RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0
+RUN tar -C /usr/bin -xvf grpcurl_1.6.0_linux_x86_64.tar.gz
 
 COPY ./root /
 

rules/falco_rules.yaml

@@ -55,7 +55,6 @@
 - macro: proc_name_exists
   condition: (proc.name!="<NA>")
 
-# todo(leogr): we miss "renameat2", but it's not yet supported by sinsp
 - macro: rename
   condition: evt.type in (rename, renameat)
 - macro: mkdir
@@ -81,29 +80,17 @@
 
 - macro: bin_dir_mkdir
   condition: >
-     (evt.arg.path startswith /bin/ or
-     evt.arg.path startswith /sbin/ or
-     evt.arg.path startswith /usr/bin/ or
-     evt.arg.path startswith /usr/sbin/)
+    (evt.arg[1] startswith /bin/ or
+     evt.arg[1] startswith /sbin/ or
+     evt.arg[1] startswith /usr/bin/ or
+     evt.arg[1] startswith /usr/sbin/)
 
 - macro: bin_dir_rename
   condition: >
-     (evt.arg.path startswith /bin/ or
-     evt.arg.path startswith /sbin/ or
-     evt.arg.path startswith /usr/bin/ or
-     evt.arg.path startswith /usr/sbin/ or
-     evt.arg.name startswith /bin/ or
-     evt.arg.name startswith /sbin/ or
-     evt.arg.name startswith /usr/bin/ or
-     evt.arg.name startswith /usr/sbin/ or
-     evt.arg.oldpath startswith /bin/ or
-     evt.arg.oldpath startswith /sbin/ or
-     evt.arg.oldpath startswith /usr/bin/ or
-     evt.arg.oldpath startswith /usr/sbin/ or
-     evt.arg.newpath startswith /bin/ or
-     evt.arg.newpath startswith /sbin/ or
-     evt.arg.newpath startswith /usr/bin/ or
-     evt.arg.newpath startswith /usr/sbin/)
+    evt.arg[1] startswith /bin/ or
+    evt.arg[1] startswith /sbin/ or
+    evt.arg[1] startswith /usr/bin/ or
+    evt.arg[1] startswith /usr/sbin/
 
 - macro: etc_dir
   condition: fd.name startswith /etc/
@@ -1518,7 +1505,7 @@
 
 - rule: Modify binary dirs
   desc: an attempt to modify any file below a set of binary directories.
-  condition: bin_dir_rename and modify and not package_mgmt_procs and not exe_running_docker_save
+  condition: (bin_dir_rename) and modify and not package_mgmt_procs and not exe_running_docker_save
   output: >
     File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline
     pcmdline=%proc.pcmdline operation=%evt.type file=%fd.name %evt.args container_id=%container.id image=%container.image.repository)
@@ -2238,7 +2225,7 @@
   desc: creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev.
   condition: >
     fd.directory = /dev and
-    (evt.type = creat or ((evt.type = open or evt.type = openat) and evt.arg.flags contains O_CREAT))
+    (evt.type = creat or (evt.type = open and evt.arg.flags contains O_CREAT))
     and not proc.name in (dev_creation_binaries)
     and not fd.name in (allowed_dev_files)
     and not fd.name startswith /dev/tty

test/confs/grpc_unix_socket.yaml

@@ -0,0 +1,38 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Whether to output events in json or text.
+json_output: false
+
+# Send information logs to stderr and/or syslog
+# Note these are *not* security notification logs!
+# These are just Falco lifecycle (and possibly error) logs.
+log_stderr: false
+log_syslog: false
+
+# Where security notifications should go.
+stdout_output:
+  enabled: false
+
+# gRPC server using an unix socket.
+grpc:
+    enabled: true
+    bind_address: "unix:////tmp/falco.sock"
+    threadiness: 8
+
+grpc_output:
+  enabled: true

test/falco_test.py

@@ -195,6 +195,19 @@ class FalcoTest(Test):
                         os.makedirs(filedir)
             self.outputs = outputs
 
+        self.grpc_unix_socket_path = self.params.get('grpc_unix_socket_path', '*', default='/var/run/falco.sock')
+        self.grpc_address = self.params.get('address', 'grpc/*', default='/var/run/falco.sock')
+        if self.grpc_address.startswith("unix://"):
+            self.is_grpc_using_unix_socket = True
+            self.grpc_address = self.grpc_address[len("unix://"):]
+        self.grpc_proto = self.params.get('proto', 'grpc/*', default='')
+        self.grpc_service = self.params.get('service', 'grpc/*', default='')
+        self.grpc_method = self.params.get('method', 'grpc/*', default='')
+        self.grpc_results = self.params.get('results', 'grpc/*', default='')
+        # todo: if string wrap in an array
+        if self.grpc_results == '':
+            self.grpc_results = []
+
         self.disable_tags = self.params.get('disable_tags', '*', default='')
 
         if self.disable_tags == '':

test/falco_tests.yaml

@@ -672,6 +672,20 @@ trace_files: !mux
     outputs:
       - /tmp/falco_outputs/program_output.txt: Warning An open was seen
 
+  grpc_unix_socket_outputs:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/single_rule.yaml
+    conf_file: confs/grpc_unix_socket.yaml
+    grpc:
+      address: unix:///tmp/falco.sock
+      proto: output.proto
+      service: falco.output.service
+      method: subscribe
+      results:
+        - "Warning An open was seen"
+
   detect_counts:
     detect: True
     detect_level: WARNING

userspace/README.md

@@ -1,22 +0,0 @@
-# Userspace
-
-Here is where the main Falco engine lives.
-
-There are two libraries here that are roughly seperated in the following way.are
-
-### falco
-
-This is the beloved `main()` function of the Falco program, as well as the logic for various falco outputs.
-
-An output is just a way of delivering a Falco alert, the most simple output is the Falco stdout log.
-
-### engine
-
-This is the processing engine that connect the inbound stream of systemcalls to the rules engine.
-
-This is the main powerhouse behind Falco, and does the assertion at runtime that compares system call events to rules.are
-
-
-### CMake
-
-If you are adding new files to either library you must define the `.cpp` file in the associated CMakeLists.txt file such that the linker will know where to find your new file.

userspace/engine/CMakeLists.txt

@@ -16,7 +16,6 @@ set(FALCO_ENGINE_SOURCE_FILES
     falco_engine.cpp
     falco_utils.cpp
     json_evt.cpp
-    prettyprint.cpp
     ruleset.cpp
     token_bucket.cpp
     formats.cpp)

userspace/engine/falco_engine.cpp

@@ -22,7 +22,6 @@ limitations under the License.
 #include "falco_engine.h"
 #include "falco_utils.h"
 #include "falco_engine_version.h"
-#include "prettyprint.h"
 #include "config_falco_engine.h"
 
 #include "formats.h"
@@ -317,9 +316,6 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_sinsp_event(sinsp_ev
 			string err = "Error invoking function output: " + string(lerr);
 			throw falco_exception(err);
 		}
-
-		prettyprint::sinsp_event(ev, "Raw event just before popping to Lua");
-
 		res->evt = ev;
 		const char *p =  lua_tostring(m_ls, -3);
 		res->rule = p;

userspace/engine/prettyprint.cpp

@@ -1,82 +0,0 @@
-/*
-Copyright (C) 2019 The Falco Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-#include "prettyprint.h"
-
-/**
- * sinsp_event will pretty print a pointer to a sinsp_evt.
- *
- * This can be used for debugging an event at various times during development.
- * This should never be turned on in production. Feel free to add fields below
- * as we need them, and we can just dump an event in here whenever we need while
- * debugging.
- *
- * sinsp_events are blue because they are happy.
- */
-void prettyprint::sinsp_event(sinsp_evt *ev, const char* note)
-{
-  ev->get_type()
-  prettyprint::warning();
-  printf("\033[0;34m"); // Start Blue
-  printf("\n*************************************************************\n");
-  printf("[Sinsp Event: %s]\n\n", note);
-  printf("name: %s\n", ev->get_name());
-  for(uint32_t i = 0; i <= ev->get_num_params(); i++){
-  }
-  for(int64_t j = 0; j <= ev->get_fd_num(); j++) {
-    printf("%s: %s\n", ev->get_param_name(j), ev->get_param_value_str(j, true).c_str());
-  };
-  // One off fields
-  //printf("fdinfo: %s\n", ev->get_fd_info()->tostring_clean().c_str());
-  //printf("type: %d\n", ev->get_type());
-/*
-  printf("k8s.ns.name: %s\n", ev->get_param_value_str("k8s.ns.name", true).c_str());
-  printf("k8s %s\n", ev->get_param_value_str("k8s", true).c_str());
-  printf("container: %s\n", ev->get_param_value_str("container", true).c_str());
-  printf("proc.pid: %s\n", ev->get_param_value_str("%proc.pid", true).c_str());
-  printf("proc: %s\n", ev->get_param_value_str("%proc", true).c_str());
-  printf("data: %s\n", ev->get_param_value_str("data", true).c_str());
-  printf("cpu: %s\n", ev->get_param_value_str("cpu", true).c_str());
-  printf("fd: %s\n", ev->get_param_value_str("fd", true).c_str());
-  printf("fd: %s\n", ev->get_param_value_str("evt.arg.fd", true).c_str());
-  printf("user: %s\n", ev->get_param_value_str("user", true).c_str());
-*/
-
-  printf("*************************************************************\n");
-  printf("\033[0m");
-}
-
-/**
- * has_alerted controls our one time preliminary alert for using pretty print which is debug only
- */
-bool prettyprint::has_alerted = false;
-
-/**
- * Warnings are red
- */
-void prettyprint::warning() {
-  if (!prettyprint::has_alerted) {
-    printf("\033[0;31m"); // Start Red
-    printf("\n\n");
-    printf("*************************************************************\n");
-    printf("          [Pretty Printing Debugging is Enabled]             \n");
-    printf("  This should never be used in production, by anyone, ever.  \n");
-    printf("*************************************************************\n");
-    printf("\033[0m");
-    prettyprint::has_alerted = true;
-  }
-}
-

userspace/engine/prettyprint.h

@@ -1,42 +0,0 @@
-/*
-Copyright (C) 2019 The Falco Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-#include <string>
-#include <set>
-#include <vector>
-#include <list>
-#include <map>
-
-#include "sinsp.h"
-#include "filter.h"
-#include "event.h"
-
-#include "gen_filter.h"
-
-
-#ifndef FALCO_FALCO_USERSPACE_PRETTYPRINT_H_
-#define FALCO_FALCO_USERSPACE_PRETTYPRINT_H_
-
-class prettyprint {
- public:
-  static void sinsp_event(sinsp_evt *ev, const char* note = "");
-
- private:
-  static bool has_alerted;
-  static void warning();
-};
-
-#endif //FALCO_FALCO_USERSPACE_PRETTYPRINT_H_

userspace/falco/falco_outputs.cpp

@@ -145,8 +145,6 @@ void falco_outputs::handle_event(gen_event *ev, string &rule, string &source,
 		return;
 	}
 
-
-
 	std::lock_guard<std::mutex> guard(m_ls_semaphore);
 	lua_getglobal(m_ls, m_lua_output_event.c_str());