github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-03-22 20:52:27 +00:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: github:perf-experiments
Branches Tags
github:master github:fix/buffered_outputs github:fix/http-output-on-non-linux-platforms github:dependabot/submodules/submodules/falcosecurity-rules-048d2f8 github:feat/capture-events-filesize-limits github:update/libs github:3485_webserver_with_own_uid_gid github:release/0.43.x github:ekoops-patch-1 github:release/0.42.x github:release/0.41.x github:test/wip github:new/musl_static_aarch64 github:release/0.40.x github:release/0.39.x github:wip/test_libs_master github:release/0.38.x github:generalize-indexable-ruleset-polymorphic github:chore/test_pr1803 github:LucaGuerra-patch-1 github:release/0.37.x github:fix_CI_5 github:chore/use_actuated_helper github:fix_CI_4 github:bump_falco_latest_libs github:new/static_aarch64 github:fix/use_plugin_name github:new/mode-in-config github:release/0.36.x github:test_filterchecks github:test_release_0.36.0 github:fix/workaround_glibc_bug_timer_delete github:wip/test github:add-load-files-method github:test/ci github:update/pidfile-usage-doc github:bump_libs_andrea github:release/0.35.x github:remove-source-ruleset-overwrite-when-loading github:mstemm-works-with-latest-libs github:test/PR546 github:test/PR959 github:libs_bump github:release/0.34.x github:release/0.34.0 github:fix/kmod_cleanup github:chore/move-rules-to-their-repo github:enable_maintainers_gh_jobs github:dev_docker github:fix/dev_version github:exec-hashes github:falco_modern_probe github:release/0.33.1 github:test_modern_probe github:fix/docker_img_host_root_runtime github:release/0.33.0 github:test_falco_bump github:chore/falco_lock_file github:fix_falco_service github:test_deb_rpm github:buffer_dimension github:testing/falco-0-32-3/issue/1909 github:test/libs/pr/567 github:test/new_libs github:release/0.32.2 github:update/remove-mesos-support github:remove-fntlnz github:test/libs/pr/213 github:leogr-patch-1 github:build/fix-conffiles github:add-app-actions github:add-app-actions-prerebase-2 github:add-grpc-rules-loading github:fix-plugins-issue-56 github:field-properties-changes github:embed-lua-scripts github:new/plugin-system-api-additions-prerebase github:embeddable-falco-engine github:build/apply-libs-pr-41 github:build/upgrade-driver-version-mid2021 github:build/upgrade-driver-version-for-0-29-0 github:build/update-driver-version-wip github:hotfix/grpc-in-packages github:use-url-safe-chars-version github:rules-fp-fixes-2021-02 github:allow-unknown-sources github:libhawk-rules github:build/docs github:update/cli github:update/logo github:caniszczyk-patch-1 github:new/logger github:new/inspect-per-cpu github:new/ci-build-aarch64 github:release/0.26.2 github:temporary/test-ci-broken-tests github:libhawk github:add-exceptions-support-copy2 github:add-exceptions-support-copy github:chore/remove-time-macrodefs github:update/release-drivers github:rules-bash-history-top-only github:fix/scripts-modprobe github:perf-experiments github:fix/1272 github:fix/1272-test github:readme-update github:proposal/rules-engine-version-scope github:nova-debug github:falco-driver-loader-dockerfile github:chore/integration-grpc-with-event-generator github:feat/grpc-integration-tests github:new/profiler github:falco-arm-support github:falco-on-arm github:feature/inputs-mvp github:adding-install-script github:feat/modulecheck github:falco-release-0-17-0 github:falco-release-0-17-1 github:add-addl-pst-owners github:683-handle-sinsp-errors github:allow-regex-chars-rule-names github:backup-master github:add-context-to-rules-errors
github:0.43.0 github:0.43.0-rc4 github:0.43.0-rc3 github:0.43.0-rc2 github:0.43.0-rc1 github:0.42.1 github:0.42.0 github:0.42.0-rc4 github:0.42.0-rc3 github:0.42.0-rc2 github:0.42.0-rc1 github:0.41.3 github:0.41.2 github:0.41.1 github:0.41.1-rc1 github:0.41.0 github:0.41.0-rc2 github:0.41.0-rc1 github:0.40.0 github:0.40.0-rc1 github:0.39.2 github:0.39.1 github:0.39.1-rc1 github:0.39.0 github:0.39.0-rc3 github:0.39.0-rc2 github:0.39.0-rc1 github:0.38.2 github:0.38.2-rc2 github:0.38.2-rc1 github:0.38.1 github:0.38.1-rc1 github:0.38.0 github:0.38.0-rc5 github:0.38.0-rc4 github:0.38.0-rc3 github:0.38.0-rc2 github:0.38.0-rc1 github:0.37.1 github:0.37.1-rc1 github:0.37.0 github:0.37.0-rc3 github:0.37.0-rc2 github:0.37.0-rc1 github:0.36.2 github:0.36.2-rc1 github:0.36.1 github:0.36.1-rc1 github:0.36.0 github:0.36.0-rc3 github:0.36.0-rc2 github:0.36.0-rc1 github:0.35.1 github:0.35.0 github:0.35.0-rc2 github:0.35.0-rc1 github:0.35.0-alpha5 github:0.35.0-alpha4 github:0.35.0-alpha3 github:0.35.0-alpha2 github:0.35.0-alpha1 github:0.34.1 github:0.34.0 github:0.33.1 github:0.33.0 github:0.32.2 github:0.32.1 github:0.32.0 github:0.31.1 github:0.31.0 github:0.30.0 github:0.29.1 github:0.29.0 github:0.28.1 github:0.28.0 github:0.27.0 github:0.26.2 github:0.26.1 github:0.26.0 github:0.25.0 github:0.24.0 github:0.23.0 github:0.22.1 github:0.22.0 github:0.21.0 github:0.20.0 github:0.19.0 github:0.18.0 github:0.17.1 github:0.17.0 github:0.16.0 github:0.15.3 github:0.15.2 github:0.15.1 github:0.15.0 github:0.14.0 github:0.13.1 github:0.13.0 github:agent/0.85.1 github:0.12.1 github:0.12.0 github:agent/0.85.0 github:agent/0.84.2 github:agent/0.84.3 github:agent/0.84.1 github:agent/0.84.0 github:0.11.1 github:0.11.0 github:agent/0.83.1 github:agent/0.83.0 github:agent/0.81.0 github:agent/0.82.0 github:agent/0.80.2 github:agent/0.80.1 github:0.10.0 github:agent/0.80.0 github:agent/0.79.0 github:agent/0.79.1 github:agent/0.78.0 github:agent/0.78.1 github:agent/0.76.4 github:agent/0.77.0 github:agent/0.76.3 github:0.9.0 github:agent/0.76.0 github:agent/0.76.1 github:agent/0.76.2 github:agent/0.75.0 github:agent/0.74.0 github:agent/0.73.2 github:agent/0.73.1 github:agent/0.73.0 github:agent/0.72.4 github:agent/0.72.0 github:agent/0.72.1 github:agent/0.72.2 github:agent/0.72.3 github:agent/0.71.0 github:agent/0.70.0 github:0.8.1 github:0.8.0 github:agent/0.69.0 github:agent/0.68.0 github:agent/0.66.0 github:agent/0.67.0 github:agent/0.65.0 github:agent/0.65.1 github:agent/0.63.0 github:agent/0.63.1 github:agent/0.64.0 github:agent/0.61.0 github:agent/0.62.0 github:0.7.0 github:0.6.1 github:agent/0.60.0 github:agent/0.59.0 github:agent/0.58.0 github:agent/0.57.0 github:agent/0.56.0 github:0.6.0 github:0.6.0-test github:agent/0.55.0 github:agent/0.54.0 github:agent/0.53.0 github:agent/0.52.0 github:agent/0.51.0 github:agent/0.50.1 github:agent/0.50.0 github:0.5.0 github:agent/0.49.1 github:agent/0.49.0 github:agent/0.48.0 github:agent/0.47.0 github:agent/0.46.0 github:agent/0.45.0 github:agent/0.44.0 github:agent/0.43.0 github:0.4.0 github:agent/0.42.0 github:agent/0.40.0 github:agent/0.41.0 github:0.3.0 github:v0.2.0 github:v0.1.0
..
compare: github:new/profiler
Branches Tags
github:fix/buffered_outputs github:fix/http-output-on-non-linux-platforms github:dependabot/submodules/submodules/falcosecurity-rules-048d2f8 github:master github:feat/capture-events-filesize-limits github:update/libs github:3485_webserver_with_own_uid_gid github:release/0.43.x github:ekoops-patch-1 github:release/0.42.x github:release/0.41.x github:test/wip github:new/musl_static_aarch64 github:release/0.40.x github:release/0.39.x github:wip/test_libs_master github:release/0.38.x github:generalize-indexable-ruleset-polymorphic github:chore/test_pr1803 github:LucaGuerra-patch-1 github:release/0.37.x github:fix_CI_5 github:chore/use_actuated_helper github:fix_CI_4 github:bump_falco_latest_libs github:new/static_aarch64 github:fix/use_plugin_name github:new/mode-in-config github:release/0.36.x github:test_filterchecks github:test_release_0.36.0 github:fix/workaround_glibc_bug_timer_delete github:wip/test github:add-load-files-method github:test/ci github:update/pidfile-usage-doc github:bump_libs_andrea github:release/0.35.x github:remove-source-ruleset-overwrite-when-loading github:mstemm-works-with-latest-libs github:test/PR546 github:test/PR959 github:libs_bump github:release/0.34.x github:release/0.34.0 github:fix/kmod_cleanup github:chore/move-rules-to-their-repo github:enable_maintainers_gh_jobs github:dev_docker github:fix/dev_version github:exec-hashes github:falco_modern_probe github:release/0.33.1 github:test_modern_probe github:fix/docker_img_host_root_runtime github:release/0.33.0 github:test_falco_bump github:chore/falco_lock_file github:fix_falco_service github:test_deb_rpm github:buffer_dimension github:testing/falco-0-32-3/issue/1909 github:test/libs/pr/567 github:test/new_libs github:release/0.32.2 github:update/remove-mesos-support github:remove-fntlnz github:test/libs/pr/213 github:leogr-patch-1 github:build/fix-conffiles github:add-app-actions github:add-app-actions-prerebase-2 github:add-grpc-rules-loading github:fix-plugins-issue-56 github:field-properties-changes github:embed-lua-scripts github:new/plugin-system-api-additions-prerebase github:embeddable-falco-engine github:build/apply-libs-pr-41 github:build/upgrade-driver-version-mid2021 github:build/upgrade-driver-version-for-0-29-0 github:build/update-driver-version-wip github:hotfix/grpc-in-packages github:use-url-safe-chars-version github:rules-fp-fixes-2021-02 github:allow-unknown-sources github:libhawk-rules github:build/docs github:update/cli github:update/logo github:caniszczyk-patch-1 github:new/logger github:new/inspect-per-cpu github:new/ci-build-aarch64 github:release/0.26.2 github:temporary/test-ci-broken-tests github:libhawk github:add-exceptions-support-copy2 github:add-exceptions-support-copy github:chore/remove-time-macrodefs github:update/release-drivers github:rules-bash-history-top-only github:fix/scripts-modprobe github:perf-experiments github:fix/1272 github:fix/1272-test github:readme-update github:proposal/rules-engine-version-scope github:nova-debug github:falco-driver-loader-dockerfile github:chore/integration-grpc-with-event-generator github:feat/grpc-integration-tests github:new/profiler github:falco-arm-support github:falco-on-arm github:feature/inputs-mvp github:adding-install-script github:feat/modulecheck github:falco-release-0-17-0 github:falco-release-0-17-1 github:add-addl-pst-owners github:683-handle-sinsp-errors github:allow-regex-chars-rule-names github:backup-master github:add-context-to-rules-errors
github:0.43.0 github:0.43.0-rc4 github:0.43.0-rc3 github:0.43.0-rc2 github:0.43.0-rc1 github:0.42.1 github:0.42.0 github:0.42.0-rc4 github:0.42.0-rc3 github:0.42.0-rc2 github:0.42.0-rc1 github:0.41.3 github:0.41.2 github:0.41.1 github:0.41.1-rc1 github:0.41.0 github:0.41.0-rc2 github:0.41.0-rc1 github:0.40.0 github:0.40.0-rc1 github:0.39.2 github:0.39.1 github:0.39.1-rc1 github:0.39.0 github:0.39.0-rc3 github:0.39.0-rc2 github:0.39.0-rc1 github:0.38.2 github:0.38.2-rc2 github:0.38.2-rc1 github:0.38.1 github:0.38.1-rc1 github:0.38.0 github:0.38.0-rc5 github:0.38.0-rc4 github:0.38.0-rc3 github:0.38.0-rc2 github:0.38.0-rc1 github:0.37.1 github:0.37.1-rc1 github:0.37.0 github:0.37.0-rc3 github:0.37.0-rc2 github:0.37.0-rc1 github:0.36.2 github:0.36.2-rc1 github:0.36.1 github:0.36.1-rc1 github:0.36.0 github:0.36.0-rc3 github:0.36.0-rc2 github:0.36.0-rc1 github:0.35.1 github:0.35.0 github:0.35.0-rc2 github:0.35.0-rc1 github:0.35.0-alpha5 github:0.35.0-alpha4 github:0.35.0-alpha3 github:0.35.0-alpha2 github:0.35.0-alpha1 github:0.34.1 github:0.34.0 github:0.33.1 github:0.33.0 github:0.32.2 github:0.32.1 github:0.32.0 github:0.31.1 github:0.31.0 github:0.30.0 github:0.29.1 github:0.29.0 github:0.28.1 github:0.28.0 github:0.27.0 github:0.26.2 github:0.26.1 github:0.26.0 github:0.25.0 github:0.24.0 github:0.23.0 github:0.22.1 github:0.22.0 github:0.21.0 github:0.20.0 github:0.19.0 github:0.18.0 github:0.17.1 github:0.17.0 github:0.16.0 github:0.15.3 github:0.15.2 github:0.15.1 github:0.15.0 github:0.14.0 github:0.13.1 github:0.13.0 github:agent/0.85.1 github:0.12.1 github:0.12.0 github:agent/0.85.0 github:agent/0.84.2 github:agent/0.84.3 github:agent/0.84.1 github:agent/0.84.0 github:0.11.1 github:0.11.0 github:agent/0.83.1 github:agent/0.83.0 github:agent/0.81.0 github:agent/0.82.0 github:agent/0.80.2 github:agent/0.80.1 github:0.10.0 github:agent/0.80.0 github:agent/0.79.0 github:agent/0.79.1 github:agent/0.78.0 github:agent/0.78.1 github:agent/0.76.4 github:agent/0.77.0 github:agent/0.76.3 github:0.9.0 github:agent/0.76.0 github:agent/0.76.1 github:agent/0.76.2 github:agent/0.75.0 github:agent/0.74.0 github:agent/0.73.2 github:agent/0.73.1 github:agent/0.73.0 github:agent/0.72.4 github:agent/0.72.0 github:agent/0.72.1 github:agent/0.72.2 github:agent/0.72.3 github:agent/0.71.0 github:agent/0.70.0 github:0.8.1 github:0.8.0 github:agent/0.69.0 github:agent/0.68.0 github:agent/0.66.0 github:agent/0.67.0 github:agent/0.65.0 github:agent/0.65.1 github:agent/0.63.0 github:agent/0.63.1 github:agent/0.64.0 github:agent/0.61.0 github:agent/0.62.0 github:0.7.0 github:0.6.1 github:agent/0.60.0 github:agent/0.59.0 github:agent/0.58.0 github:agent/0.57.0 github:agent/0.56.0 github:0.6.0 github:0.6.0-test github:agent/0.55.0 github:agent/0.54.0 github:agent/0.53.0 github:agent/0.52.0 github:agent/0.51.0 github:agent/0.50.1 github:agent/0.50.0 github:0.5.0 github:agent/0.49.1 github:agent/0.49.0 github:agent/0.48.0 github:agent/0.47.0 github:agent/0.46.0 github:agent/0.45.0 github:agent/0.44.0 github:agent/0.43.0 github:0.4.0 github:agent/0.42.0 github:agent/0.40.0 github:agent/0.41.0 github:0.3.0 github:v0.2.0 github:v0.1.0

20 Commits
perf-exper ... new/profil

Author SHA1 Message Date
Lorenzo Fontana
9c6c2f7b02 temporary commit 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-05-16 19:46:46 +02:00
Leonardo Di Donato
8dfc5da425 update(tests/profiler): serialization/deserialization of profiler nodes 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-05-14 15:38:32 +02:00
Leonardo Di Donato
cc8bc663df update(userspace/profiler): introduce profiler namespace 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-05-14 15:38:32 +02:00
Lorenzo Fontana
35cba8a231 new(tests/profiler): flatbuffer serialization tests skaffold 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-05-14 15:38:32 +02:00
Lorenzo Fontana
694f13c9a2 build(userspace/profiler): dependency between profiler flatbuffer generation and tests target 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-05-14 15:38:29 +02:00
Leonardo Di Donato
e17fb1cb04 build: initial setup for flatbuffers (cmake) 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-05-14 15:37:52 +02:00
Leonardo Di Donato
943d49bdf2 wip: initial flatbuffer definition for profile data 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-05-14 15:37:52 +02:00
Leonardo Di Donato
f8783b3312 chore(profiler): tests naming and other refinements 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-05-14 15:37:51 +02:00
Leonardo Di Donato
96df786ce8 update(tests/profiler): profiler detects parent (single chunk) 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-05-14 15:37:51 +02:00
Leonardo Di Donato
54050b2d4a update(tests/profiler): setup test for parents 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-05-14 15:37:51 +02:00
Leonardo Di Donato
dac2ff9379 new(userspace/profiler): get the parent 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-05-14 15:37:51 +02:00
Lorenzo Fontana
7e048f384c update(profiler): give profiler its own home 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-05-14 15:37:49 +02:00
Lorenzo Fontana
43446369ec update(tests): use hedley in profiler tests 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-05-14 15:37:15 +02:00
Lorenzo Fontana
e8afe72063 update(tests/falco): more complete profiler tests 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-05-14 15:37:15 +02:00
Leonardo Di Donato
1710812065 chore(cmake/modules): refinements to the Catch2 cmake module 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-05-14 15:37:15 +02:00
Leonardo Di Donato
b21f09aebd build: hedley macros 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-05-14 15:37:15 +02:00
Leonardo Di Donato
02853d5310 update(userspace/falco): move the chunck allocation code out-of-line 
This makes the usual (the most common code path, since the `else` clause
is hit very rarely) straight-line.

It removes an unnecessary `jmp .LBBx_y` that was taken every time.

For this reason, the resulting code is more efficient.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-05-14 15:37:14 +02:00
Lorenzo Fontana
755ba8f9a2 new(tests): profiler tests bootstrap 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-05-14 15:37:07 +02:00
Leonardo Di Donato
d2d7ead732 build(userspace/falco): build the profiler header file 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-05-14 15:36:11 +02:00
Leonardo Di Donato
fb948912a3 new(userspace/falco): initial profiler impl 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-05-14 15:36:08 +02:00
94 changed files with 1369 additions and 2215 deletions
Expand all files Collapse all files

59
.circleci/config.yml
View File

@@ -2,9 +2,9 @@ version: 2
jobs:
# Build using ubuntu LTS
# This build is dynamic, most dependencies are taken from the OS
"build/ubuntu-focal":
"build/ubuntu-bionic":
docker:
- image: ubuntu:focal
- image: ubuntu:bionic
steps:
- checkout
- run:
@@ -12,19 +12,19 @@ jobs:
command: apt update -y
- run:
name: Install dependencies
command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
command: apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm linux-headers-$(uname -r) libelf-dev cmake build-essential libcurl4-openssl-dev -y
- run:
name: Prepare project
command: |
mkdir build
pushd build
cmake -DBUILD_BPF=On ..
cmake ..
popd
- run:
name: Build
command: |
pushd build
KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
make -j4 all
popd
- run:
name: Run unit tests
@@ -34,9 +34,9 @@ jobs:
popd
# Debug build using ubuntu LTS
# This build is dynamic, most dependencies are taken from the OS
"build/ubuntu-focal-debug":
"build/ubuntu-bionic-debug":
docker:
- image: ubuntu:focal
- image: ubuntu:bionic
steps:
- checkout
- run:
@@ -44,19 +44,19 @@ jobs:
command: apt update -y
- run:
name: Install dependencies
command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
command: apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm linux-headers-$(uname -r) libelf-dev cmake build-essential libcurl4-openssl-dev -y
- run:
name: Prepare project
command: |
mkdir build
pushd build
cmake -DCMAKE_BUILD_TYPE=debug -DBUILD_BPF=On ..
cmake -DCMAKE_BUILD_TYPE=debug ..
popd
- run:
name: Build
command: |
pushd build
KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
make -j4 all
popd
- run:
name: Run unit tests
@@ -138,15 +138,6 @@ jobs:
- run:
name: Execute integration tests
command: /usr/bin/entrypoint test
"tests/driver-loader/integration":
machine:
image: ubuntu-1604:202004-01
steps:
- attach_workspace:
at: /tmp/ws
- run:
name: Execute driver-loader integration tests
command: /tmp/ws/source/falco/test/driver-loader/run_test.sh /tmp/ws/build/release/
# Sign rpm packages
"rpm/sign":
docker:
@@ -217,19 +208,17 @@ jobs:
- checkout
- setup_remote_docker
- run:
name: Build and publish no-driver-dev
name: Build and publish slim-dev
command: |
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
docker build --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco-no-driver:master docker/no-driver
docker tag falcosecurity/falco-no-driver:master falcosecurity/falco:master-slim
docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:master-slim docker/slim
echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
docker push falcosecurity/falco-no-driver:master
docker push falcosecurity/falco:master-slim
- run:
name: Build and publish dev
command: |
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:master docker/falco
docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:master docker/stable
echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
docker push falcosecurity/falco:master
- run:
@@ -277,21 +266,17 @@ jobs:
- checkout
- setup_remote_docker
- run:
name: Build and publish no-driver
name: Build and publish slim
command: |
docker build --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "falcosecurity/falco-no-driver:${CIRCLE_TAG}" docker/no-driver
docker tag "falcosecurity/falco-no-driver:${CIRCLE_TAG}" falcosecurity/falco-no-driver:latest
docker tag "falcosecurity/falco-no-driver:${CIRCLE_TAG}" "falcosecurity/falco:${CIRCLE_TAG}-slim"
docker tag "falcosecurity/falco-no-driver:${CIRCLE_TAG}" "falcosecurity/falco:latest-slim"
docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "falcosecurity/falco:${CIRCLE_TAG}-slim" docker/slim
docker tag "falcosecurity/falco:${CIRCLE_TAG}-slim" falcosecurity/falco:latest-slim
echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
docker push "falcosecurity/falco-no-driver:${CIRCLE_TAG}"
docker push "falcosecurity/falco-no-driver:latest"
docker push "falcosecurity/falco:${CIRCLE_TAG}-slim"
docker push "falcosecurity/falco:latest-slim"
- run:
name: Build and publish falco
name: Build and publish stable
command: |
docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "falcosecurity/falco:${CIRCLE_TAG}" docker/falco
docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "falcosecurity/falco:${CIRCLE_TAG}" docker/stable
docker tag "falcosecurity/falco:${CIRCLE_TAG}" falcosecurity/falco:latest
echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
docker push "falcosecurity/falco:${CIRCLE_TAG}"
@@ -308,16 +293,13 @@ workflows:
version: 2
build_and_test:
jobs:
- "build/ubuntu-focal"
- "build/ubuntu-focal-debug"
- "build/ubuntu-bionic"
- "build/ubuntu-bionic-debug"
- "build/centos7"
- "build/centos7-debug"
- "tests/integration":
requires:
- "build/centos7"
- "tests/driver-loader/integration":
requires:
- "build/centos7"
- "rpm/sign":
context: falco
filters:
@@ -345,7 +327,6 @@ workflows:
only: master
requires:
- "publish/packages-dev"
- "tests/driver-loader/integration"
release:
jobs:
- "build/centos7":

4
.github/PULL_REQUEST_TEMPLATE.md vendored
View File

@@ -40,8 +40,12 @@ Please remove the leading whitespace before the `/kind <>` you uncommented.
> /area engine
> /area examples
> /area rules
> /area integrations
> /area tests
> /area proposals

5
.github/stale.yml vendored
View File

@@ -6,6 +6,7 @@ daysUntilClose: 7
exemptLabels:
- cncf
- roadmap
- enhancement
- "help wanted"
# Label to use when marking an issue as stale
staleLabel: wontfix
@@ -14,7 +15,5 @@ markComment: >
This issue has been automatically marked as stale because it has not had
recent activity. It will be closed if no further activity occurs. Thank you
for your contributions.
Issues labeled "cncf", "roadmap" and "help wanted" will not be automatically closed.
Please refer to a maintainer to get such label added if you think this should be kept open.
# Comment to post when closing a stale issue. Set to `false` to disable
closeComment: false
closeComment: false

5
ADOPTERS.md
View File

@@ -8,13 +8,8 @@ This is a list of production adopters of Falco (in alphabetical order):
* [Frame.io](https://frame.io/) - Frame.io is a cloud-based (SaaS) video review and collaboration platform that enables users to securely upload source media, work-in-progress edits, dailies, and more into private workspaces where they can invite their team and clients to collaborate on projects. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions like Docker and Kubernetes. To get this needed visibility into our system, we rely on Falco. Falco's ability to collect raw system calls such as open, connect, exec, along with their arguments offer key insights on what is happening on the production system and became the foundation of our intrusion detection and alerting system.
* [GitLab](https://about.gitlab.com/direction/defend/container_host_security/) - GitLab is a complete DevOps platform, delivered as a single application, fundamentally changing the way Development, Security, and Ops teams collaborate. GitLab Ultimate provides the single tool teams need to find, triage, and fix vulnerabilities in applications, services, and cloud-native environments enabling them to manage their risk. This provides them with repeatable, defensible processes that automate security and compliance policies. GitLab includes a tight integration with Falco, allowing users to defend their containerized applications from attacks while running in production.
* [League](https://league.com/ca/) - League provides health benefits management services to help employees understand and get the most from their benefits, and employers to provide effective, efficient plans. Falco is used to monitor our deployed services on Kubernetes, protecting against malicious access to containerswhich could lead to leaks of PHI or other sensitive data. The Falco alerts are logged in Stackdriver for grouping and further analysis. In the future, we're hoping for integrations with Prometheus and AlertManager as well.
* [Logz.io](https://logz.io/) - Logz.io is a cloud observability platform for modern engineering teams. The Logz.io platform consists of three products — Log Management, Infrastructure Monitoring, and Cloud SIEM — that work together to unify the jobs of monitoring, troubleshooting, and security. We empower engineers to deliver better software by offering the world's most popular open source observability tools — the ELK Stack, Grafana, and Jaeger — in a single, easy to use, and powerful platform purpose-built for monitoring distributed cloud environments. Cloud SIEM supports data from multiple sources, including Falco's alerts, and offers useful rules and dashboards content to visualize and manage incidents across your systems in a unified UI.
* https://logz.io/blog/k8s-security-with-falco-and-cloud-siem/
* [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPPA compliance requirements.
* https://hipaa.preferral.com/01-preferral_hipaa_compliance/

151
CHANGELOG.md
View File

@@ -2,156 +2,9 @@
This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
## v0.24.0
Released on 2020-07-16
### Major Changes
* new: Falco now supports userspace instrumentation with the -u flag [[#1195](https://github.com/falcosecurity/falco/pull/1195)]
* BREAKING CHANGE: --stats_interval is now --stats-interval [[#1308](https://github.com/falcosecurity/falco/pull/1308)]
* new: auto threadiness for gRPC server [[#1271](https://github.com/falcosecurity/falco/pull/1271)]
* BREAKING CHANGE: server streaming gRPC outputs method is now `falco.outputs.service/get` [[#1241](https://github.com/falcosecurity/falco/pull/1241)]
* new: new bi-directional async streaming gRPC outputs (`falco.outputs.service/sub`) [[#1241](https://github.com/falcosecurity/falco/pull/1241)]
* new: unix socket for the gRPC server [[#1217](https://github.com/falcosecurity/falco/pull/1217)]
### Minor Changes
* update: driver version is 85c88952b018fdbce2464222c3303229f5bfcfad now [[#1305](https://github.com/falcosecurity/falco/pull/1305)]
* update: `SKIP_MODULE_LOAD` renamed to `SKIP_DRIVER_LOADER` [[#1297](https://github.com/falcosecurity/falco/pull/1297)]
* docs: add leogr to OWNERS [[#1300](https://github.com/falcosecurity/falco/pull/1300)]
* update: default threadiness to 0 ("auto" behavior) [[#1271](https://github.com/falcosecurity/falco/pull/1271)]
* update: k8s audit endpoint now defaults to /k8s-audit everywhere [[#1292](https://github.com/falcosecurity/falco/pull/1292)]
* update(falco.yaml): `webserver.k8s_audit_endpoint` default value changed from `/k8s_audit` to `/k8s-audit` [[#1261](https://github.com/falcosecurity/falco/pull/1261)]
* docs(test): instructions to run regression test suites locally [[#1234](https://github.com/falcosecurity/falco/pull/1234)]
### Bug Fixes
* fix: --stats-interval correctly accepts values >= 999 (ms) [[#1308](https://github.com/falcosecurity/falco/pull/1308)]
* fix: make the eBPF driver build work on CentOS 8 [[#1301](https://github.com/falcosecurity/falco/pull/1301)]
* fix(userspace/falco): correct options handling for `buffered_output: false` which was not honored for the `stdout` output [[#1296](https://github.com/falcosecurity/falco/pull/1296)]
* fix(userspace/falco): honor -M also when using a trace file [[#1245](https://github.com/falcosecurity/falco/pull/1245)]
* fix: high CPU usage when using server streaming gRPC outputs [[#1241](https://github.com/falcosecurity/falco/pull/1241)]
* fix: missing newline from some log messages (eg., token bucket depleted) [[#1257](https://github.com/falcosecurity/falco/pull/1257)]
### Rule Changes
* rule(Container Drift Detected (chmod)): disabled by default [[#1316](https://github.com/falcosecurity/falco/pull/1316)]
* rule(Container Drift Detected (open+create)): disabled by default [[#1316](https://github.com/falcosecurity/falco/pull/1316)]
* rule(Write below etc): allow snapd to write its unit files [[#1289](https://github.com/falcosecurity/falco/pull/1289)]
* rule(macro remote_file_copy_procs): fix reference to remote_file_copy_binaries [[#1224](https://github.com/falcosecurity/falco/pull/1224)]
* rule(list allowed_k8s_users): whitelisted kube-apiserver-healthcheck user created by kops >= 1.17.0 for the kube-apiserver-healthcheck sidecar [[#1286](https://github.com/falcosecurity/falco/pull/1286)]
* rule(Change thread namespace): Allow `protokube`, `dockerd`, `tini` and `aws` binaries to change thread namespace. [[#1222](https://github.com/falcosecurity/falco/pull/1222)]
* rule(macro exe_running_docker_save): to filter out cmdlines containing `/var/run/docker`. [[#1222](https://github.com/falcosecurity/falco/pull/1222)]
* rule(macro user_known_cron_jobs): new macro to be overridden to list known cron jobs [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Schedule Cron Jobs): exclude known cron jobs [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_update_package_registry): new macro to be overridden to list known package registry update [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Update Package Registry): exclude known package registry update [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_read_ssh_information_activities): new macro to be overridden to list known activities that read SSH info [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Read ssh information): do not throw for activities known to read SSH info [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_read_sensitive_files_activities): new macro to be overridden to list activities known to read sensitive files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Read sensitive file trusted after startup): do not throw for activities known to read sensitive files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Read sensitive file untrusted): do not throw for activities known to read sensitive files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_write_rpm_database_activities): new macro to be overridden to list activities known to write RPM database [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Write below rpm database): do not throw for activities known to write RPM database [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_db_spawned_processes): new macro to be overridden to list processes known to spawn DB [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(DB program spawned process): do not throw for processes known to spawn DB [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_modify_bin_dir_activities): new macro to be overridden to list activities known to modify bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Modify binary dirs): do not throw for activities known to modify bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_mkdir_bin_dir_activities): new macro to be overridden to list activities known to create directories below bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Mkdir binary dirs): do not throw for activities known to create directories below bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_system_user_login): new macro to exclude known system user logins [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(System user interactive): do not throw for known system user logins [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_user_management_activities): new macro to be overridden to list activities known to do user managements activities [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(User mgmt binaries): do not throw for activities known to do user managements activities [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_create_files_below_dev_activities): new macro to be overridden to list activities known to create files below dev [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Create files below dev): do not throw for activities known to create files below dev [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_contact_k8s_api_server_activities): new macro to be overridden to list activities known to contact Kubernetes API server [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Contact K8S API Server From Container): do not throw for activities known to contact Kubernetes API server [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_network_tool_activities): new macro to be overridden to list activities known to spawn/use network tools [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Launch Suspicious Network Tool in Container): do not throw for activities known to spawn/use network tools [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_remove_data_activities): new macro to be overridden to list activities known to perform data remove commands [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Remove Bulk Data from Disk): do not throw for activities known to perform data remove commands [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_create_hidden_file_activities): new macro to be overridden to list activities known to create hidden files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Create Hidden Files or Directories): do not throw for activities known to create hidden files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_stand_streams_redirect_activities): new macro to be overridden to list activities known to redirect stream to network connection (in containers) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Redirect STDOUT/STDIN to Network Connection in Container): do not throw for activities known to redirect stream to network connection (in containers) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_container_drift_activities): new macro to be overridden to list activities known to create executables in containers [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Container Drift Detected (chmod)): do not throw for activities known to give execution permissions to files in containers [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Container Drift Detected (open+create)): do not throw for activities known to create executables in containers [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_node_port_service): do not throw for services known to start with a NopePort service type (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Create NodePort Service): do not throw for services known to start with a NopePort service type (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_exec_pod_activities): do not throw for activities known to attach/exec to a pod (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Attach/Exec Pod): do not throw for activities known to attach/exec to a pod (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro trusted_pod): defines trusted pods by an image list [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Pod Created in Kube Namespace): do not throw for trusted pods [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro trusted_sa): define trusted ServiceAccount [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Service Account Created in Kube Namespace): do not throw for trusted ServiceAccount [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(list network_tool_binaries): add zmap to the list [[#1284](https://github.com/falcosecurity/falco/pull/1284)]
* rule(macro root_dir): correct macro to exactly match the `/root` dir and not other with just `/root` as a prefix [[#1279](https://github.com/falcosecurity/falco/pull/1279)]
* rule(macro user_expected_terminal_shell_in_container_conditions): allow whitelisting terminals in containers under specific conditions [[#1154](https://github.com/falcosecurity/falco/pull/1154)]
* rule(macro user_known_write_below_binary_dir_activities): allow writing to a binary dir in some conditions [[#1260](https://github.com/falcosecurity/falco/pull/1260)]
* rule(macro trusted_logging_images): Add addl fluentd image [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
* rule(macro trusted_logging_images): Let azure-npm image write to /var/log [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
* rule(macro lvprogs_writing_conf): Add lvs as a lvm program [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
* rule(macro user_known_k8s_client_container): Allow hcp-tunnelfront to run kubectl in containers [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
* rule(list allowed_k8s_users): Add vertical pod autoscaler as known k8s users [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
* rule(Anonymous Request Allowed): update to checking auth decision equals to allow [[#1267](https://github.com/falcosecurity/falco/pull/1267)]
* rule(Container Drift Detected (chmod)): new rule to detect if an existing file get exec permissions in a container [[#1254](https://github.com/falcosecurity/falco/pull/1254)]
* rule(Container Drift Detected (open+create)): new rule to detect if a new file with execution permission is created in a container [[#1254](https://github.com/falcosecurity/falco/pull/1254)]
* rule(Mkdir binary dirs): correct condition in macro `bin_dir_mkdir` to catch `mkdirat` syscall [[#1250](https://github.com/falcosecurity/falco/pull/1250)]
* rule(Modify binary dirs): correct condition in macro `bin_dir_rename` to catch `rename`, `renameat`, and `unlinkat` syscalls [[#1250](https://github.com/falcosecurity/falco/pull/1250)]
* rule(Create files below dev): correct condition to catch `openat` syscall [[#1250](https://github.com/falcosecurity/falco/pull/1250)]
* rule(macro user_known_set_setuid_or_setgid_bit_conditions): create macro [[#1213](https://github.com/falcosecurity/falco/pull/1213)]
## v0.23.0
Released on 2020-05-18
### Major Changes
* BREAKING CHANGE: the falco-driver-loader script now references `falco-probe.o` and `falco-probe.ko` as `falco.o` and `falco.ko` [[#1158](https://github.com/falcosecurity/falco/pull/1158)]
* BREAKING CHANGE: the `falco-driver-loader` script environment variable to use a custom repository to download drivers now uses the `DRIVERS_REPO` environment variable instead of `DRIVER_LOOKUP_URL`. This variable must contain the parent URI containing the following directory structure `/$driver_version$/falco_$target$_$kernelrelease$_$kernelversion$.[ko|o]`. e.g: [[#1160](https://github.com/falcosecurity/falco/pull/1160)]
* new(scripts): options and command-line usage for `falco-driver-loader` [[#1200](https://github.com/falcosecurity/falco/pull/1200)]
* new: ability to specify exact matches when adding rules to Falco engine (only API) [[#1185](https://github.com/falcosecurity/falco/pull/1185)]
* new(docker): add an image that wraps the `falco-driver-loader` with the toolchain [[#1192](https://github.com/falcosecurity/falco/pull/1192)]
* new(docker): add `falcosecurity/falco-no-driver` image [[#1205](https://github.com/falcosecurity/falco/pull/1205)]
### Minor Changes
* update(scripts): improve `falco-driver-loader` output messages [[#1200](https://github.com/falcosecurity/falco/pull/1200)]
* update: containers look for prebuilt drivers on the Drivers Build Grid [[#1158](https://github.com/falcosecurity/falco/pull/1158)]
* update: driver version bump to 96bd9bc560f67742738eb7255aeb4d03046b8045 [[#1190](https://github.com/falcosecurity/falco/pull/1190)]
* update(docker): now `falcosecurity/falco:slim-*` alias to `falcosecurity/falco-no-driver:*` [[#1205](https://github.com/falcosecurity/falco/pull/1205)]
* docs: instructions to run unit tests [[#1199](https://github.com/falcosecurity/falco/pull/1199)]
* docs(examples): move `/examples` to `contrib` repo [[#1191](https://github.com/falcosecurity/falco/pull/1191)]
* update(docker): remove `minimal` image [[#1196](https://github.com/falcosecurity/falco/pull/1196)]
* update(integration): move `/integrations` to `contrib` repo [[#1157](https://github.com/falcosecurity/falco/pull/1157)]
* https://dl.bintray.com/driver/$driver_version$/falco_$target$_$kernelrelease$_$kernelversion$.[ko|o]` [[#1160](https://github.com/falcosecurity/falco/pull/1160)]
* update(docker/event-generator): remove the event-generator from Falco repository [[#1156](https://github.com/falcosecurity/falco/pull/1156)]
* docs(examples): set audit level to metadata for object secrets [[#1153](https://github.com/falcosecurity/falco/pull/1153)]
### Bug Fixes
* fix(scripts): upstream files (prebuilt drivers) for the generic Ubuntu kernel contains "ubuntu-generic" [[#1212](https://github.com/falcosecurity/falco/pull/1212)]
* fix: support Falco driver on Linux kernels 5.6.y [[#1174](https://github.com/falcosecurity/falco/pull/1174)]
### Rule Changes
* rule(Redirect STDOUT/STDIN to Network Connection in Container): correct rule name as per rules naming convention [[#1164](https://github.com/falcosecurity/falco/pull/1164)]
* rule(Redirect STDOUT/STDIN to Network Connection in Container): new rule to detect Redirect stdout/stdin to network connection in container [[#1152](https://github.com/falcosecurity/falco/pull/1152)]
* rule(K8s Secret Created): new rule to track the creation of Kubernetes secrets (excluding kube-system and service account secrets) [[#1151](https://github.com/falcosecurity/falco/pull/1151)]
* rule(K8s Secret Deleted): new rule to track the deletion of Kubernetes secrets (excluding kube-system and service account secrets) [[#1151](https://github.com/falcosecurity/falco/pull/1151)]
## v0.22.1
Released on 2020-04-17
Released on 2020-17-04
### Major Changes
@@ -171,7 +24,7 @@ Released on 2020-04-17
## v0.22.0
Released on 2020-04-16
Released on 2020-16-04
### Major Changes

43
CMakeLists.txt
View File

@@ -17,8 +17,8 @@ project(falco)
option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" OFF)
option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
# Elapsed time
# set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add a flag to enable this
# Elapsed time set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add
# a flag to enable this
# Make flag for parallel processing
include(ProcessorCount)
@@ -93,28 +93,26 @@ message(STATUS "Using bundled nlohmann-json in '${NJSON_SRC}'")
set(NJSON_INCLUDE "${NJSON_SRC}/single_include")
ExternalProject_Add(
njson
URL "https://github.com/nlohmann/json/archive/v3.3.0.tar.gz"
URL "https://s3.amazonaws.com/download.draios.com/dependencies/njson-3.3.0.tar.gz"
URL_HASH "SHA256=2fd1d207b4669a7843296c41d3b6ac5b23d00dec48dba507ba051d14564aa801"
CONFIGURE_COMMAND ""
BUILD_COMMAND ""
INSTALL_COMMAND "")
# curses
# We pull this in because libsinsp won't build without it
# curses We pull this in because libsinsp won't build without it
set(CURSES_NEED_NCURSES TRUE)
find_package(Curses REQUIRED)
message(STATUS "Found ncurses: include: ${CURSES_INCLUDE_DIR}, lib: ${CURSES_LIBRARIES}")
# libb64
set(B64_SRC "${PROJECT_BINARY_DIR}/b64-prefix/src/b64")
message(STATUS "Using bundled b64 in '${B64_SRC}'")
set(B64_INCLUDE "${B64_SRC}/include")
set(B64_LIB "${B64_SRC}/src/libb64.a")
ExternalProject_Add(
b64
URL "https://github.com/libb64/libb64/archive/v1.2.1.zip"
URL_HASH "SHA256=665134c2b600098a7ebd3d00b6a866cb34909a6d48e0e37a0eda226a4ad2638a"
URL "https://s3.amazonaws.com/download.draios.com/dependencies/libb64-1.2.src.zip"
URL_HASH "SHA256=343d8d61c5cbe3d3407394f16a5390c06f8ff907bd8d614c16546310b689bfd3"
CONFIGURE_COMMAND ""
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
@@ -136,8 +134,8 @@ set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
ExternalProject_Add(
luajit
URL "https://github.com/LuaJIT/LuaJIT/archive/v2.0.3.tar.gz"
URL_HASH "SHA256=8da3d984495a11ba1bce9a833ba60e18b532ca0641e7d90d97fafe85ff014baa"
URL "https://s3.amazonaws.com/download.draios.com/dependencies/LuaJIT-2.0.3.tar.gz"
URL_HASH "SHA256=55be6cb2d101ed38acca32c5b1f99ae345904b365b642203194c585d27bebd79"
CONFIGURE_COMMAND ""
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
@@ -152,15 +150,20 @@ list(APPEND LPEG_DEPENDENCIES "luajit")
ExternalProject_Add(
lpeg
DEPENDS ${LPEG_DEPENDENCIES}
URL "http://www.inf.puc-rio.br/~roberto/lpeg/lpeg-1.0.2.tar.gz"
URL_HASH "SHA256=48d66576051b6c78388faad09b70493093264588fcd0f258ddaab1cdd4a15ffe"
URL "https://s3.amazonaws.com/download.draios.com/dependencies/lpeg-1.0.0.tar.gz"
URL_HASH "SHA256=10190ae758a22a16415429a9eb70344cf29cbda738a6962a9f94a732340abf8e"
BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
BUILD_IN_SOURCE 1
CONFIGURE_COMMAND ""
INSTALL_COMMAND "")
# libyaml
include(libyaml)
find_library(LIBYAML_LIB NAMES libyaml.so)
if(LIBYAML_LIB)
message(STATUS "Found libyaml: lib: ${LIBYAML_LIB}")
else()
message(FATAL_ERROR "Couldn't find system libyaml")
endif()
# lyaml
set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
@@ -171,7 +174,7 @@ list(APPEND LYAML_DEPENDENCIES "luajit")
ExternalProject_Add(
lyaml
DEPENDS ${LYAML_DEPENDENCIES}
URL "https://github.com/gvvaughan/lyaml/archive/release-v6.0.tar.gz"
URL "https://s3.amazonaws.com/download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
@@ -211,8 +214,11 @@ ExternalProject_Add(
BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
#string-view-lite
include(DownloadStringViewLite)
# Hedley
include(DownloadHedley)
# FlatBuffers
include(FlatBuffers)
# gRPC
include(gRPC)
@@ -235,8 +241,8 @@ add_subdirectory(rules)
# Dockerfiles
add_subdirectory(docker)
# Clang format
# add_custom_target(format COMMAND clang-format --style=file -i $<TARGET_PROPERTY:falco,SOURCES> COMMENT "Formatting ..." VERBATIM)
# Clang format add_custom_target(format COMMAND clang-format --style=file -i $<TARGET_PROPERTY:falco,SOURCES> COMMENT
# "Formatting ..." VERBATIM)
# Shared build variables
set(FALCO_SINSP_LIBRARY sinsp)
@@ -245,6 +251,7 @@ set(FALCO_ABSOLUTE_SHARE_DIR "${CMAKE_INSTALL_PREFIX}/${FALCO_SHARE_DIR}")
set(FALCO_BIN_DIR bin)
add_subdirectory(scripts)
add_subdirectory(userspace/profiler)
add_subdirectory(userspace/engine)
add_subdirectory(userspace/falco)
add_subdirectory(tests)

2
CONTRIBUTING.md
View File

@@ -81,7 +81,7 @@ Some examples:
### Slack
Other discussion, and **support requests** should go through the `#falco` channel in the Kubernetes slack, please join [here](https://slack.k8s.io/).
Other discussion, and **support requests** should go through the `#falco` channel in the open source slack, please join [here](https://slack.sysdig.com).
## Pull Requests

2
OWNERS
View File

@@ -3,7 +3,6 @@ approvers:
- kris-nova
- leodido
- mstemm
- leogr
reviewers:
- fntlnz
- kaizhe
@@ -11,4 +10,3 @@ reviewers:
- leodido
- mfdii
- mstemm
- leogr

12
RELEASE.md
View File

@@ -2,7 +2,7 @@
Our release process is mostly automated, but we still need some manual steps to initiate and complete it.
Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.
Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.
Releases happen on a monthly cadence, towards the 16th of the on-going month, and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.
@@ -12,26 +12,25 @@ Finally, on the proposed due date the assignees for the upcoming release proceed
### 1. Release notes
- Let `YYYY-MM-DD` the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
- Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
- Check the release note block of every PR matching the `is:pr is:merged closed:>YYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
- Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/falco/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
- If the PR has no milestone, assign it to the milestone currently undergoing release
- Check issues without a milestone (using [is:pr is:merged no:milestone closed:>YYYT-MM-DD](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD) filter) and add them to the milestone currently undergoing release
- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYT-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD), if any, fix them
### 2. Milestones
- Move the [tasks not completed](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Aopen) to a new minor milestone
- Close the completed milestone
### 3. Release PR
- Double-check if any hard-coded version number is present in the code, it should be not present anywhere:
- If any, manually correct it then open an issue to automate version number bumping later
- Versions table in the `README.md` update itself automatically
- Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes)
- Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes)
- Add the lastest changes on top the previous `CHANGELOG.md`
- Submit a PR with the above modifications
- Await PR approval
- Close the completed milestone as soon PR is merged
## Release
@@ -53,7 +52,6 @@ Let `x.y.z` the new version.
- Wait for the CI to complete
### 2. Update the GitHub release
- [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
- Use `x.y.z` both as tag version and release title
- Use the following template to fill the release description:

0
brand/teal-logo.svg → brand/teal-logo.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 4.2 KiB

After

Width:  |  Height:  |  Size: 4.2 KiB

17
cmake/modules/CPackConfig.cmake
View File

@@ -1,16 +1,3 @@
#
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}")
set(CPACK_PACKAGE_VENDOR "Cloud Native Computing Foundation (CNCF) cncf.io.")
set(CPACK_PACKAGE_CONTACT "cncf-falco-dev@lists.cncf.io") # todo: change this once we've got @falco.org addresses
@@ -30,14 +17,14 @@ set(CPACK_GENERATOR DEB RPM TGZ)
set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0)")
set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0), libyaml-0-2")
set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
"${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${CMAKE_BINARY_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cmake/cpack/debian/conffiles"
)
set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, ncurses")
set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, libyaml, ncurses")
set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")

2
cmake/modules/Coverage.cmake
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2020 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at

9
cmake/modules/DownloadCatch.cmake
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2020 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
@@ -12,16 +12,17 @@
#
include(ExternalProject)
set(CATCH2_INCLUDE ${CMAKE_BINARY_DIR}/catch2-prefix/include)
set(CATCH2_PREFIX ${CMAKE_BINARY_DIR}/catch2-prefix)
set(CATCH2_INCLUDE ${CATCH2_PREFIX}/include)
set(CATCH_EXTERNAL_URL URL https://github.com/catchorg/catch2/archive/v2.12.1.tar.gz URL_HASH
SHA256=e5635c082282ea518a8dd7ee89796c8026af8ea9068cd7402fb1615deacd91c3)
ExternalProject_Add(
catch2
PREFIX ${CMAKE_BINARY_DIR}/catch2-prefix
PREFIX ${CATCH2_PREFIX}
${CATCH_EXTERNAL_URL}
CONFIGURE_COMMAND ""
BUILD_COMMAND ""
INSTALL_COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_BINARY_DIR}/catch2-prefix/src/catch2/single_include/catch2/catch.hpp
INSTALL_COMMAND ${CMAKE_COMMAND} -E copy ${CATCH2_PREFIX}/src/catch2/single_include/catch2/catch.hpp
${CATCH2_INCLUDE}/catch.hpp)

2
cmake/modules/DownloadFakeIt.cmake
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2020 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at

21
cmake/modules/DownloadStringViewLite.cmake → cmake/modules/DownloadHedley.cmake
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2020 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
@@ -10,20 +10,17 @@
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
include(ExternalProject)
set(STRING_VIEW_LITE_PREFIX ${CMAKE_BINARY_DIR}/string-view-lite-prefix)
set(STRING_VIEW_LITE_INCLUDE ${STRING_VIEW_LITE_PREFIX}/include)
message(STATUS "Found string-view-lite: include: ${STRING_VIEW_LITE_INCLUDE}")
set(HEDLEY_PREFIX ${CMAKE_BINARY_DIR}/hedley-prefix)
set(HEDLEY_INCLUDE ${HEDLEY_PREFIX}/include)
message(STATUS "Found hedley: include: ${HEDLEY_INCLUDE}")
ExternalProject_Add(
string-view-lite
PREFIX ${STRING_VIEW_LITE_PREFIX}
GIT_REPOSITORY "https://github.com/martinmoene/string-view-lite.git"
GIT_TAG "v1.4.0"
hedley
PREFIX ${HEDLEY_PREFIX}
GIT_REPOSITORY "https://github.com/nemequ/hedley.git"
GIT_TAG "v13"
CONFIGURE_COMMAND ""
BUILD_COMMAND ""
INSTALL_COMMAND
${CMAKE_COMMAND} -E copy ${STRING_VIEW_LITE_PREFIX}/src/string-view-lite/include/nonstd/string_view.hpp
${STRING_VIEW_LITE_INCLUDE}/nonstd/string_view.hpp)
INSTALL_COMMAND ${CMAKE_COMMAND} -E copy ${HEDLEY_PREFIX}/src/hedley/hedley.h ${HEDLEY_INCLUDE}/hedley.h)

2
cmake/modules/FindMakedev.cmake
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2020 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at

82
cmake/modules/FlatBuffers.cmake Normal file
View File

@@ -0,0 +1,82 @@
#
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
if(NOT USE_BUNDLED_DEPS)
find_program(FLATBUFFERS_FLATC_EXECUTABLE NAMES flatc)
find_path(FLATBUFFERS_INCLUDE_DIR NAMES flatbuffers/flatbuffers.h)
if(FLATBUFFERS_FLATC_EXECUTABLE AND FLATBUFFERS_INCLUDE_DIR)
message(STATUS "Found flatbuffers: include: ${FLATBUFFERS_INCLUDE_DIR}, flatc: ${FLATBUFFERS_FLATC_EXECUTABLE}")
else()
message(FATAL_ERROR "Couldn't find system flatbuffers")
endif()
else()
include(ExternalProject)
set(FLATBUFFERS_PREFIX ${CMAKE_BINARY_DIR}/flatbuffers-prefix)
set(FLATBUFFERS_FLATC_EXECUTABLE
${FLATBUFFERS_PREFIX}/bin/flatc
CACHE INTERNAL "FlatBuffer compiler")
set(FLATBUFFERS_INCLUDE_DIR
${FLATBUFFERS_PREFIX}/include
CACHE INTERNAL "FlatBuffer include directory")
ExternalProject_Add(
flatbuffers
PREFIX ${FLATBUFFERS_PREFIX}
GIT_REPOSITORY "https://github.com/google/flatbuffers.git"
GIT_TAG "v1.12.0"
CMAKE_ARGS
-DCMAKE_INSTALL_PREFIX=${FLATBUFFERS_PREFIX}
-DCMAKE_BUILD_TYPE=Release
-DFLATBUFFERS_CODE_COVERAGE=OFF
-DFLATBUFFERS_BUILD_TESTS=OFF
-DFLATBUFFERS_INSTALL=ON
-DFLATBUFFERS_BUILD_FLATLIB=OFF
-DFLATBUFFERS_BUILD_FLATC=ON
-DFLATBUFFERS_BUILD_FLATHASH=OFF
-DFLATBUFFERS_BUILD_GRPCTEST=OFF
-DFLATBUFFERS_BUILD_SHAREDLIB=OFF
BUILD_BYPRODUCTS ${FLATBUFFERS_FLATC_EXECUTABLE})
endif()
# From FindFlatBuffer.cmake
include(FindPackageHandleStandardArgs)
find_package_handle_standard_args(FlatBuffers DEFAULT_MSG FLATBUFFERS_FLATC_EXECUTABLE FLATBUFFERS_INCLUDE_DIR)
if(FLATBUFFERS_FOUND)
function(FLATBUFFERS_GENERATE_C_HEADERS Name)
set(FLATC_OUTPUTS)
foreach(FILE ${ARGN})
get_filename_component(FLATC_OUTPUT ${FILE} NAME_WE)
set(FLATC_OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/${FLATC_OUTPUT}_generated.h")
list(APPEND FLATC_OUTPUTS ${FLATC_OUTPUT})
add_custom_command(
OUTPUT ${FLATC_OUTPUT}
COMMAND ${FLATBUFFERS_FLATC_EXECUTABLE} ARGS -c -o "${CMAKE_CURRENT_BINARY_DIR}/" ${FILE}
DEPENDS ${FILE}
COMMENT "Building C++ header for ${FILE}"
WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
endforeach()
set(${Name}_OUTPUTS
${FLATC_OUTPUTS}
PARENT_SCOPE)
endfunction()
set(FLATBUFFERS_INCLUDE_DIRS ${FLATBUFFERS_INCLUDE_DIR})
include_directories(${CMAKE_BINARY_DIR})
else()
set(FLATBUFFERS_INCLUDE_DIR)
endif()

13
cmake/modules/GetFalcoVersion.cmake
View File

@@ -1,16 +1,3 @@
#
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
# Retrieve git ref and commit hash
include(GetGitRevisionDescription)

16
cmake/modules/OpenSSL.cmake
View File

@@ -1,15 +1,3 @@
#
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
if(NOT USE_BUNDLED_DEPS)
find_package(OpenSSL REQUIRED)
message(STATUS "Found openssl: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
@@ -32,8 +20,8 @@ else()
ExternalProject_Add(
openssl
# START CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
URL "https://github.com/openssl/openssl/archive/OpenSSL_1_0_2n.tar.gz"
URL_HASH "SHA256=4f4bc907caff1fee6ff8593729e5729891adcee412049153a3bb4db7625e8364"
URL "https://s3.amazonaws.com/download.draios.com/dependencies/openssl-1.0.2n.tar.gz"
URL_HASH "SHA256=370babb75f278c39e0c50e8c4e7493bc0f18db6867478341a832a982fd15a8fe"
# END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
BUILD_COMMAND ${CMD_MAKE}

4
cmake/modules/cURL.cmake
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2020 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
@@ -31,7 +31,7 @@ else()
curl
DEPENDS openssl
# START CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
URL "https://github.com/curl/curl/releases/download/curl-7_61_0/curl-7.61.0.tar.bz2"
URL "https://s3.amazonaws.com/download.draios.com/dependencies/curl-7.61.0.tar.bz2"
URL_HASH "SHA256=5f6f336921cf5b84de56afbd08dfb70adeef2303751ffb3e570c936c6d656c9c"
# END CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
CONFIGURE_COMMAND

2
cmake/modules/jq.cmake
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2020 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at

32
cmake/modules/libyaml.cmake
View File

@@ -1,32 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
if(NOT USE_BUNDLED_DEPS)
find_library(LIBYAML_LIB NAMES libyaml.so)
if(LIBYAML_LIB)
message(STATUS "Found libyaml: lib: ${LIBYAML_LIB}")
else()
message(FATAL_ERROR "Couldn't find system libyaml")
endif()
else()
set(LIBYAML_SRC "${PROJECT_BINARY_DIR}/libyaml-prefix/src/libyaml")
message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
set(LIBYAML_LIB "${LIBYAML_SRC}/src/.libs/libyaml.a")
ExternalProject_Add(
libyaml
URL "https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz"
URL_HASH "SHA256=c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4"
CONFIGURE_COMMAND ./configure --enable-static=true --enable-shared=false
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
INSTALL_COMMAND "")
endif()

8
cmake/modules/sysdig.cmake
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2020 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
@@ -16,7 +16,7 @@ set(SYSDIG_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/sysdig-repo")
# this needs to be here at the top
if(USE_BUNDLED_DEPS)
# explicitly force this dependency to use the bundled OpenSSL
# explicitly force this dependency to use the system OpenSSL
set(USE_BUNDLED_OPENSSL ON)
endif()
@@ -26,8 +26,8 @@ file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
# To update sysdig version for the next release, change the default below
# In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
if(NOT SYSDIG_VERSION)
set(SYSDIG_VERSION "85c88952b018fdbce2464222c3303229f5bfcfad")
set(SYSDIG_CHECKSUM "SHA256=6c3f5f2d699c9540e281f50cbc5cb6b580f0fc689798bc65d4a77f57f932a71c")
set(SYSDIG_VERSION "96bd9bc560f67742738eb7255aeb4d03046b8045")
set(SYSDIG_CHECKSUM "SHA256=766e8952a36a4198fd976b9d848523e6abe4336612188e4fc911e217d8e8a00d")
endif()
set(PROBE_VERSION "${SYSDIG_VERSION}")

2
cmake/modules/yaml-cpp.cmake
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2020 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at

4
docker/README.md
View File

@@ -6,9 +6,9 @@ This directory contains various ways to package Falco as a container and related
| Name | Directory | Description |
|---|---|---|
| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. |
| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/stable | Falco (DEB built from git tag or from the master) with all the building toolchain. |
| [falcosecurity/falco:latest-slim](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_-slim](https://hub.docker.com/repository/docker/falcosecurity/falco),[falcosecurity/falco:master-slim](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/slim | Falco (DEB build from git tag or from the master) without the building toolchain. |
| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
| [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. |
| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). |
| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). |
| _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. |

2
docker/driver-loader/docker-entrypoint.sh
View File

@@ -25,4 +25,4 @@ do
ln -s "$i" "/usr/src/$base"
done
/usr/bin/falco-driver-loader "$@"
/usr/bin/falco-driver-loader $1

6
docker/local/docker-entrypoint.sh
View File

@@ -1,6 +1,6 @@
#!/usr/bin/env bash
#
# Copyright (C) 2020 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -17,9 +17,9 @@
#
# Set the SKIP_DRIVER_LOADER variable to skip loading the driver
# Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
echo "* Setting up /usr/src links from host"
for i in "$HOST_ROOT/usr/src"/*

58
docker/no-driver/Dockerfile
View File

@@ -1,58 +0,0 @@
FROM ubuntu:18.04 as ubuntu
LABEL maintainer="cncf-falco-dev@lists.cncf.io"
ARG FALCO_VERSION
ARG VERSION_BUCKET=bin
ENV FALCO_VERSION=${FALCO_VERSION}
ENV VERSION_BUCKET=${VERSION_BUCKET}
WORKDIR /
ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
RUN apt-get update -y && \
apt-get install -y binutils && \
tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
mv falco-${FALCO_VERSION}-x86_64 falco && \
strip falco/usr/bin/falco && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*
RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
&& mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
FROM scratch
COPY --from=ubuntu /lib/x86_64-linux-gnu/libanl.so.1 \
/lib/x86_64-linux-gnu/libc.so.6 \
/lib/x86_64-linux-gnu/libdl.so.2 \
/lib/x86_64-linux-gnu/libgcc_s.so.1 \
/lib/x86_64-linux-gnu/libm.so.6 \
/lib/x86_64-linux-gnu/libnsl.so.1 \
/lib/x86_64-linux-gnu/libnss_compat.so.2 \
/lib/x86_64-linux-gnu/libnss_files.so.2 \
/lib/x86_64-linux-gnu/libnss_nis.so.2 \
/lib/x86_64-linux-gnu/libpthread.so.0 \
/lib/x86_64-linux-gnu/librt.so.1 \
/lib/x86_64-linux-gnu/libz.so.1 \
/lib/x86_64-linux-gnu/
COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libstdc++.so.6 \
/usr/lib/x86_64-linux-gnu/libstdc++.so.6
COPY --from=ubuntu /etc/ld.so.cache \
/etc/nsswitch.conf \
/etc/ld.so.cache \
/etc/passwd \
/etc/group \
/etc/
COPY --from=ubuntu /etc/default/nss /etc/default/nss
COPY --from=ubuntu /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
COPY --from=ubuntu /falco /
CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

48
docker/slim/Dockerfile Normal file
View File

@@ -0,0 +1,48 @@
FROM ubuntu:18.04
LABEL maintainer="cncf-falco-dev@lists.cncf.io"
LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name <name> <image>"
ARG FALCO_VERSION=latest
ARG VERSION_BUCKET=deb
ENV FALCO_VERSION=${FALCO_VERSION}
ENV VERSION_BUCKET=${VERSION_BUCKET}
ENV HOST_ROOT /host
ENV HOME /root
RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
# bash-completion \
# bc \
ca-certificates \
curl \
gnupg2 \
jq \
# netcat \
# xz-utils \
&& rm -rf /var/lib/apt/lists/*
RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \
&& echo "deb https://dl.bintray.com/falcosecurity/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
&& apt-get update -y \
&& if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
# Change the falco config within the container to enable ISO 8601
# output.
RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
# Some base images have an empty /lib/modules by default
# If it's not empty, docker build will fail instead of
# silently overwriting the existing directory
RUN rm -df /lib/modules \
&& ln -s $HOST_ROOT/lib/modules /lib/modules
CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

0
docker/falco/Dockerfile → docker/stable/Dockerfile
View File

10
docker/falco/docker-entrypoint.sh → docker/stable/docker-entrypoint.sh
View File

@@ -1,6 +1,6 @@
#!/usr/bin/env bash
#
# Copyright (C) 2020 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,14 +16,10 @@
# limitations under the License.
#
# todo(leogr): remove deprecation notice within a couple of releases
if [[ ! -z "${SKIP_MODULE_LOAD}" ]]; then
echo "* SKIP_MODULE_LOAD is deprecated and will be removed soon, use SKIP_DRIVER_LOADER instead"
fi
# Set the SKIP_DRIVER_LOADER variable to skip loading the driver
# Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
if [[ -z "${SKIP_DRIVER_LOADER}" ]] && [[ -z "${SKIP_MODULE_LOAD}" ]]; then
if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
echo "* Setting up /usr/src links from host"
for i in "$HOST_ROOT/usr/src"/*

6
docker/tester/Dockerfile
View File

@@ -1,20 +1,16 @@
FROM fedora:31
LABEL name="falcosecurity/falco-tester"
LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build --name <name> falcosecurity/falco-tester test"
LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build -e FALCO_VERSION=<current_falco_version> --name <name> falcosecurity/falco-tester test"
LABEL maintainer="cncf-falco-dev@lists.cncf.io"
ENV FALCO_VERSION=
ENV BUILD_TYPE=release
ADD https://github.com/fullstorydev/grpcurl/releases/download/v1.6.0/grpcurl_1.6.0_linux_x86_64.tar.gz /
RUN dnf install -y python-pip python docker findutils jq unzip && dnf clean all
ENV PATH="/root/.local/bin/:${PATH}"
RUN pip install --user avocado-framework==69.0
RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0
RUN pip install --user watchdog==0.10.2
RUN pip install --user pathtools==0.1.2
RUN tar -C /usr/bin -xvf grpcurl_1.6.0_linux_x86_64.tar.gz
COPY ./root /

2
docker/tester/root/runners/deb.Dockerfile
View File

@@ -6,7 +6,7 @@ RUN test -n FALCO_VERSION
ENV FALCO_VERSION ${FALCO_VERSION}
RUN apt update -y
RUN apt install dkms -y
RUN apt install dkms libyaml-0-2 -y
ADD falco-${FALCO_VERSION}-x86_64.deb /
RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb

2
docker/tester/root/runners/tar.gz.Dockerfile
View File

@@ -6,7 +6,7 @@ RUN test -n FALCO_VERSION
ENV FALCO_VERSION ${FALCO_VERSION}
RUN apt update -y
RUN apt install dkms curl -y
RUN apt install dkms libyaml-0-2 curl -y
ADD falco-${FALCO_VERSION}-x86_64.tar.gz /
RUN cp -R /falco-${FALCO_VERSION}-x86_64/* /

2
docker/tester/root/usr/bin/entrypoint
View File

@@ -69,7 +69,7 @@ case "$CMD" in
# run tests
echo "Running regression tests ..."
cd "$SOURCE_DIR/falco/test"
./run_regression_tests.sh -d "$BUILD_DIR/$BUILD_TYPE"
./run_regression_tests.sh "$BUILD_DIR/$BUILD_TYPE"
# clean docker images
clean_image "deb"

2
docker/tester/root/usr/bin/usage
View File

@@ -30,7 +30,7 @@ How to use.
How to build.
* cd docker/tester && DOCKER_BUILDKIT=1 docker build -t falcosecurity/falco-tester .
* cd docker/builder && DOCKER_BUILDKIT=1 docker build -t falcosecurity/falco-tester .
Environment.

32
falco.yaml
View File

@@ -139,7 +139,7 @@ stdout_output:
webserver:
enabled: true
listen_port: 8765
k8s_audit_endpoint: /k8s-audit
k8s_audit_endpoint: /k8s_audit
ssl_enabled: false
ssl_certificate: /etc/falco/falco.pem
@@ -167,37 +167,21 @@ http_output:
enabled: false
url: http://some.url
# Falco supports running a gRPC server with two main binding types
# 1. Over the network with mandatory mutual TLS authentication (mTLS)
# 2. Over a local unix socket with no authentication
# By default, the gRPC server is disabled, with no enabled services (see grpc_output)
# please comment/uncomment and change accordingly the options below to configure it.
# Important note: if Falco has any troubles creating the gRPC server
# this information will be logged, however the main Falco daemon will not be stopped.
# gRPC server over network with (mandatory) mutual TLS configuration.
# This gRPC server is secure by default so you need to generate certificates and update their paths here.
# gRPC server configuration.
# The gRPC server is secure by default (mutual TLS) so you need to generate certificates and update their paths here.
# By default the gRPC server is off.
# You can configure the address to bind and expose it.
# By modifying the threadiness configuration you can fine-tune the number of threads (and context) it will use.
# grpc:
# enabled: true
# bind_address: "0.0.0.0:5060"
# # when threadiness is 0, Falco sets it by automatically figuring out the number of online cores
# threadiness: 0
# private_key: "/etc/falco/certs/server.key"
# cert_chain: "/etc/falco/certs/server.crt"
# root_certs: "/etc/falco/certs/ca.crt"
# gRPC server using an unix socket
grpc:
enabled: false
bind_address: "unix:///var/run/falco.sock"
# when threadiness is 0, Falco automatically guesses it depending on the number of online cores
threadiness: 0
bind_address: "0.0.0.0:5060"
threadiness: 8
private_key: "/etc/falco/certs/server.key"
cert_chain: "/etc/falco/certs/server.crt"
root_certs: "/etc/falco/certs/ca.crt"
# gRPC output service.
# By default it is off.
# By enabling this all the output events will be kept in memory until you read them with a gRPC client.
# Make sure to have a consumer for them or leave this disabled.
grpc_output:
enabled: false

32
proposals/20190826-grpc-outputs.md
View File

@@ -1,4 +1,4 @@
# Falco gRPC Outputs
# gRPC Falco Output
<!-- toc -->
@@ -25,7 +25,7 @@ An alert is an "output" when it goes over a transport, and it is emitted by Falc
At the current moment, however, Falco can deliver alerts in a very basic way, for example by dumping them to standard output.
For this reason, many Falco users asked, with issues - eg., [falco#528](https://github.com/falcosecurity/falco/issues/528) - or in the [slack channel](https://slack.k8s.io) if we can find a more consumable way to implement Falco outputs in an extensible way.
For this reason, many Falco users asked, with issues - eg., [falco#528](https://github.com/falcosecurity/falco/issues/528) - or in the [slack channel](https://sysdig.slack.com) if we can find a more consumable way to implement Falco outputs in an extensible way.
The motivation behind this proposal is to design a new output implementation that can meet our user's needs.
@@ -39,10 +39,7 @@ The motivation behind this proposal is to design a new output implementation tha
- To continue supporting the old output formats by implementing their same interface
- To be secure by default (**mutual TLS** authentication)
- To be **asynchronous** and **non-blocking**
- To provide a connection over unix socket (no authentication)
- To implement a Go client
- To implement a Rust client
- To implement a Python client
- To implement a Go SDK
### Non-Goals
@@ -80,25 +77,26 @@ syntax = "proto3";
import "google/protobuf/timestamp.proto";
import "schema.proto";
package falco.outputs;
package falco.output;
option go_package = "github.com/falcosecurity/client-go/pkg/api/outputs";
option go_package = "github.com/falcosecurity/client-go/pkg/api/output";
// This service defines the RPC methods
// to `request` a stream of output `response`s.
// The `subscribe` service defines the RPC call
// to perform an output `request` which will lead to obtain an output `response`.
service service {
// Subscribe to a stream of Falco outputs by sending a stream of requests.
rpc sub(stream request) returns (stream response);
// Get all the Falco outputs present in the system up to this call.
rpc get(request) returns (stream response);
rpc subscribe(request) returns (stream response);
}
// The `request` message is the logical representation of the request model.
// It is the input of the `output.service` service.
// It is the input of the `subscribe` service.
// It is used to configure the kind of subscription to the gRPC streaming server.
message request {
bool keepalive = 1;
// string duration = 2; // TODO(leodido, fntlnz): not handled yet but keeping for reference.
// repeated string tags = 3; // TODO(leodido, fntlnz): not handled yet but keeping for reference.
}
// The `response` message is the representation of the output model.
// The `response` message is the logical representation of the output model.
// It contains all the elements that Falco emits in an output along with the
// definitions for priorities and source.
message response {
@@ -108,7 +106,7 @@ message response {
string rule = 4;
string output = 5;
map<string, string> output_fields = 6;
string hostname = 7;
// repeated string tags = 7; // TODO(leodido,fntlnz): tags not supported yet, keeping for reference
}
```

254
rules/falco_rules.yaml
View File

@@ -55,7 +55,6 @@
- macro: proc_name_exists
condition: (proc.name!="<NA>")
# todo(leogr): we miss "renameat2", but it's not yet supported by sinsp
- macro: rename
condition: evt.type in (rename, renameat)
- macro: mkdir
@@ -81,36 +80,24 @@
- macro: bin_dir_mkdir
condition: >
(evt.arg.path startswith /bin/ or
evt.arg.path startswith /sbin/ or
evt.arg.path startswith /usr/bin/ or
evt.arg.path startswith /usr/sbin/)
(evt.arg[1] startswith /bin/ or
evt.arg[1] startswith /sbin/ or
evt.arg[1] startswith /usr/bin/ or
evt.arg[1] startswith /usr/sbin/)
- macro: bin_dir_rename
condition: >
(evt.arg.path startswith /bin/ or
evt.arg.path startswith /sbin/ or
evt.arg.path startswith /usr/bin/ or
evt.arg.path startswith /usr/sbin/ or
evt.arg.name startswith /bin/ or
evt.arg.name startswith /sbin/ or
evt.arg.name startswith /usr/bin/ or
evt.arg.name startswith /usr/sbin/ or
evt.arg.oldpath startswith /bin/ or
evt.arg.oldpath startswith /sbin/ or
evt.arg.oldpath startswith /usr/bin/ or
evt.arg.oldpath startswith /usr/sbin/ or
evt.arg.newpath startswith /bin/ or
evt.arg.newpath startswith /sbin/ or
evt.arg.newpath startswith /usr/bin/ or
evt.arg.newpath startswith /usr/sbin/)
evt.arg[1] startswith /bin/ or
evt.arg[1] startswith /sbin/ or
evt.arg[1] startswith /usr/bin/ or
evt.arg[1] startswith /usr/sbin/
- macro: etc_dir
condition: fd.name startswith /etc/
# This detects writes immediately below / or any write anywhere below /root
- macro: root_dir
condition: (fd.directory=/ or fd.name startswith /root/)
condition: ((fd.directory=/ or fd.name startswith /root) and fd.name contains "/")
- list: shell_binaries
items: [ash, bash, csh, ksh, sh, tcsh, zsh, dash]
@@ -232,7 +219,7 @@
# The truncated dpkg-preconfigu is intentional, process names are
# truncated at the sysdig level.
- list: package_mgmt_binaries
items: [rpm_binaries, deb_binaries, update-alternat, gem, pip, pip3, sane-utils.post, alternatives, chef-client, apk, snapd]
items: [rpm_binaries, deb_binaries, update-alternat, gem, pip, pip3, sane-utils.post, alternatives, chef-client, apk]
- macro: package_mgmt_procs
condition: proc.name in (package_mgmt_binaries)
@@ -490,16 +477,12 @@
- macro: consider_all_cron_jobs
condition: (never_true)
- macro: user_known_cron_jobs
condition: (never_true)
- rule: Schedule Cron Jobs
desc: Detect cron jobs scheduled
condition: >
((open_write and fd.name startswith /etc/cron) or
(spawned_process and proc.name = "crontab")) and
consider_all_cron_jobs and
not user_known_cron_jobs
((open_write and fd.name startswith /etc/cron) or
(spawned_process and proc.name = "crontab"))
output: >
Cron jobs were scheduled to run (user=%user.name command=%proc.cmdline
file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
@@ -724,7 +707,7 @@
- macro: lvprogs_writing_conf
condition: >
(proc.name in (dmeventd,lvcreate,pvscan,lvs) and
(proc.name in (dmeventd,lvcreate,pvscan) and
(fd.name startswith /etc/lvm/archive or
fd.name startswith /etc/lvm/backup or
fd.name startswith /etc/lvm/cache))
@@ -865,8 +848,7 @@
- macro: exe_running_docker_save
condition: >
proc.name = "exe"
and (proc.cmdline contains "/var/lib/docker"
or proc.cmdline contains "/var/run/docker")
and proc.cmdline contains "/var/lib/docker"
and proc.pname in (dockerd, docker)
# Ideally we'd have a length check here as well but sysdig
@@ -935,28 +917,18 @@
- macro: modify_repositories
condition: (evt.arg.newpath pmatch (repository_directories))
- macro: user_known_update_package_registry
condition: (never_true)
- rule: Update Package Repository
desc: Detect package repositories get updated
condition: >
((open_write and access_repositories) or (modify and modify_repositories))
and not package_mgmt_procs
and not exe_running_docker_save
and not user_known_update_package_registry
output: >
Repository files get updated (user=%user.name command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name newpath=%evt.arg.newpath container_id=%container.id image=%container.image.repository)
priority:
NOTICE
tags: [filesystem, mitre_persistence]
# Users should overwrite this macro to specify conditions under which a
# write under the binary dir is ignored. For example, it may be okay to
# install a binary in the context of a ci/cd build.
- macro: user_known_write_below_binary_dir_activities
condition: (never_true)
- rule: Write below binary dir
desc: an attempt to write to any file below a set of binary directories
condition: >
@@ -965,7 +937,6 @@
and not exe_running_docker_save
and not python_running_get_pip
and not python_running_ms_oms
and not user_known_write_below_binary_dir_activities
output: >
File below a known binary directory opened for writing (user=%user.name
command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository)
@@ -1036,17 +1007,13 @@
- macro: consider_ssh_reads
condition: (never_true)
- macro: user_known_read_ssh_information_activities
condition: (never_true)
- rule: Read ssh information
desc: Any attempt to read files below ssh directories by non-ssh programs
condition: >
((open_read or open_directory) and
consider_ssh_reads and
(consider_ssh_reads and
(open_read or open_directory) and
(user_ssh_directory or fd.name startswith /root/.ssh) and
not user_known_read_ssh_information_activities and
not proc.name in (ssh_binaries))
(not proc.name in (ssh_binaries)))
output: >
ssh-related file/directory read by non-ssh program (user=%user.name
command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline container_id=%container.id image=%container.image.repository)
@@ -1389,9 +1356,6 @@
- macro: runc_writing_exec_fifo
condition: (proc.cmdline="runc:[1:CHILD] init" and fd.name=/exec.fifo)
- macro: runc_writing_var_lib_docker
condition: (proc.cmdline="runc:[1:CHILD] init" and evt.arg.filename startswith /var/lib/docker)
- rule: Write below root
desc: an attempt to write to any file directly below / or /root
condition: >
@@ -1422,15 +1386,12 @@
- macro: cmp_cp_by_passwd
condition: proc.name in (cmp, cp) and proc.pname in (passwd, run-parts)
- macro: user_known_read_sensitive_files_activities
condition: (never_true)
- rule: Read sensitive file trusted after startup
desc: >
an attempt to read any sensitive file (e.g. files containing user/password/authentication
information) by a trusted program after startup. Trusted programs might read these files
at startup to load initial state, but not afterwards.
condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd" and not user_known_read_sensitive_files_activities
condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd"
output: >
Sensitive file opened for reading by trusted program after startup (user=%user.name
command=%proc.cmdline parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository)
@@ -1458,11 +1419,6 @@
- macro: user_read_sensitive_file_conditions
condition: cmp_cp_by_passwd
- macro: user_read_sensitive_file_containers
condition: (container and
(container.image.repository endswith "sysdig/agent") or
(container.image.repository endswith "sysdig/agent-slim"))
- rule: Read sensitive file untrusted
desc: >
an attempt to read any sensitive file (e.g. files containing user/password/authentication
@@ -1486,8 +1442,6 @@
and not veritas_driver_script
and not perl_running_centrifydc
and not runuser_reading_pam
and not user_known_read_sensitive_files_activities
and not user_read_sensitive_file_containers
output: >
Sensitive file opened for reading by non-trusted program (user=%user.name program=%proc.name
command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)
@@ -1500,9 +1454,6 @@
proc.pcmdline = "python -m amazon_linux_extras system_motd" and
proc.cmdline startswith "python -c import yum;")
- macro: user_known_write_rpm_database_activities
condition: (never_true)
# Only let rpm-related programs write to the rpm database
- rule: Write below rpm database
desc: an attempt to write to the rpm database by any non-rpm related program
@@ -1513,7 +1464,6 @@
and not python_running_chef
and not exe_running_docker_save
and not amazon_linux_running_python_yum
and not user_known_write_rpm_database_activities
output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline container_id=%container.id image=%container.image.repository)"
priority: ERROR
tags: [filesystem, software_mgmt, mitre_persistence]
@@ -1538,9 +1488,6 @@
- macro: run_by_appdynamics
condition: (proc.pname=java and proc.pcmdline startswith "java -jar -Dappdynamics")
- macro: user_known_db_spawned_processes
condition: (never_true)
- rule: DB program spawned process
desc: >
a database-server related program spawned a new process other than itself.
@@ -1550,31 +1497,24 @@
and spawned_process
and not proc.name in (db_server_binaries)
and not postgres_running_wal_e
and not user_known_db_spawned_processes
output: >
Database-related program spawned process other than itself (user=%user.name
program=%proc.cmdline parent=%proc.pname container_id=%container.id image=%container.image.repository)
priority: NOTICE
tags: [process, database, mitre_execution]
- macro: user_known_modify_bin_dir_activities
condition: (never_true)
- rule: Modify binary dirs
desc: an attempt to modify any file below a set of binary directories.
condition: bin_dir_rename and modify and not package_mgmt_procs and not exe_running_docker_save and not user_known_modify_bin_dir_activities
condition: (bin_dir_rename) and modify and not package_mgmt_procs and not exe_running_docker_save
output: >
File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline
pcmdline=%proc.pcmdline operation=%evt.type file=%fd.name %evt.args container_id=%container.id image=%container.image.repository)
priority: ERROR
tags: [filesystem, mitre_persistence]
- macro: user_known_mkdir_bin_dir_activities
condition: (never_true)
- rule: Mkdir binary dirs
desc: an attempt to create a directory below a set of binary directories.
condition: mkdir and bin_dir_mkdir and not package_mgmt_procs and not user_known_mkdir_bin_dir_activities
condition: mkdir and bin_dir_mkdir and not package_mgmt_procs
output: >
Directory below known binary directory created (user=%user.name
command=%proc.cmdline directory=%evt.arg.path container_id=%container.id image=%container.image.repository)
@@ -1610,7 +1550,7 @@
and not proc.name in (user_known_change_thread_namespace_binaries)
and not proc.name startswith "runc"
and not proc.cmdline startswith "containerd"
and not proc.pname in (sysdigcloud_binaries, hyperkube, kubelet, protokube, dockerd, tini, aws)
and not proc.pname in (sysdigcloud_binaries, hyperkube, kubelet)
and not python_running_sdchecks
and not java_running_sdjagent
and not kubelet_running_loopback
@@ -1830,9 +1770,7 @@
# In this file, it just takes one of the images in trusted_containers
# and repeats it.
- macro: user_trusted_containers
condition: (container.image.repository endswith sysdig/agent or
container.image.repository endswith sysdig/agent-slim or
container.image.repository endswith sysdig/node-image-analyzer)
condition: (container.image.repository endswith sysdig/agent)
- list: sematext_images
items: [docker.io/sematext/sematext-agent-docker, docker.io/sematext/agent, docker.io/sematext/logagent,
@@ -1846,8 +1784,7 @@
docker.io/sysdig/agent, docker.io/sysdig/falco, docker.io/sysdig/sysdig,
gcr.io/google_containers/kube-proxy, docker.io/calico/node, quay.io/calico/node,
docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/mesosphere/mesos-slave,
docker.io/docker/ucp-agent, sematext_images, k8s.gcr.io/kube-proxy,
docker.io/falcosecurity/falco
docker.io/docker/ucp-agent, sematext_images, k8s.gcr.io/kube-proxy
]
- macro: falco_privileged_containers
@@ -1980,9 +1917,6 @@
priority: WARNING
tags: [container, mitre_lateral_movement]
- macro: user_known_system_user_login
condition: (never_true)
# Anything run interactively by root
# - condition: evt.type != switch and user.name = root and proc.name != sshd and interactive
# output: "Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
@@ -1990,23 +1924,17 @@
- rule: System user interactive
desc: an attempt to run interactive commands by a system (i.e. non-login) user
condition: spawned_process and system_users and interactive and not user_known_system_user_login
condition: spawned_process and system_users and interactive
output: "System user ran an interactive command (user=%user.name command=%proc.cmdline container_id=%container.id image=%container.image.repository)"
priority: INFO
tags: [users, mitre_remote_access_tools]
# In some cases, a shell is expected to be run in a container. For example, configuration
# management software may do this, which is expected.
- macro: user_expected_terminal_shell_in_container_conditions
condition: (never_true)
- rule: Terminal shell in container
desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
condition: >
spawned_process and container
and shell_procs and proc.tty != 0
and container_entrypoint
and not user_expected_terminal_shell_in_container_conditions
output: >
A shell was spawned in a container with an attached terminal (user=%user.name %container.info
shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)
@@ -2261,9 +2189,6 @@
priority: NOTICE
tags: [users, mitre_privilege_escalation]
- macro: user_known_user_management_activities
condition: (never_true)
- rule: User mgmt binaries
desc: >
activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded.
@@ -2281,8 +2206,7 @@
not run_by_sumologic_securefiles and
not run_by_yum and
not run_by_ms_oms and
not run_by_google_accounts_daemon and
not user_known_user_management_activities
not run_by_google_accounts_daemon
output: >
User management binary command run outside of container
(user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
@@ -2295,20 +2219,16 @@
/dev/random, /dev/urandom, /dev/console, /dev/kmsg
]
- macro: user_known_create_files_below_dev_activities
condition: (never_true)
# (we may need to add additional checks against false positives, see:
# https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153)
- rule: Create files below dev
desc: creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev.
condition: >
fd.directory = /dev and
(evt.type = creat or ((evt.type = open or evt.type = openat) and evt.arg.flags contains O_CREAT))
(evt.type = creat or (evt.type = open and evt.arg.flags contains O_CREAT))
and not proc.name in (dev_creation_binaries)
and not fd.name in (allowed_dev_files)
and not fd.name startswith /dev/tty
and not user_known_create_files_below_dev_activities
output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)"
priority: ERROR
tags: [filesystem, mitre_persistence]
@@ -2368,18 +2288,9 @@
- macro: k8s_api_server
condition: (fd.sip.name="kubernetes.default.svc.cluster.local")
- macro: user_known_contact_k8s_api_server_activities
condition: (never_true)
- rule: Contact K8S API Server From Container
desc: Detect attempts to contact the K8S API Server from a container
condition: >
evt.type=connect and evt.dir=< and
(fd.typechar=4 or fd.typechar=6) and
container and
not k8s_containers and
k8s_api_server and
not user_known_contact_k8s_api_server_activities
condition: evt.type=connect and evt.dir=< and (fd.typechar=4 or fd.typechar=6) and container and not k8s_containers and k8s_api_server
output: Unexpected connection to K8s API Server from container (command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag connection=%fd.name)
priority: NOTICE
tags: [network, k8s, container, mitre_discovery]
@@ -2401,7 +2312,7 @@
tags: [network, k8s, container, mitre_port_knocking]
- list: network_tool_binaries
items: [nc, ncat, nmap, dig, tcpdump, tshark, ngrep, telnet, mitmproxy, socat, zmap]
items: [nc, ncat, nmap, dig, tcpdump, tshark, ngrep, telnet, mitmproxy, socat]
- macro: network_tool_procs
condition: (proc.name in (network_tool_binaries))
@@ -2445,13 +2356,10 @@
priority: WARNING
tags: [network, process, mitre_execution]
- macro: user_known_network_tool_activities
condition: (never_true)
- rule: Launch Suspicious Network Tool in Container
desc: Detect network tools launched inside container
condition: >
spawned_process and container and network_tool_procs and not user_known_network_tool_activities
spawned_process and container and network_tool_procs
output: >
Network tool launched in container (user=%user.name command=%proc.cmdline parent_process=%proc.pname
container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
@@ -2470,8 +2378,7 @@
spawned_process and
not container and
consider_network_tools_on_host and
network_tool_procs and
not user_known_network_tool_activities
network_tool_procs
output: >
Network tool launched on host (user=%user.name command=%proc.cmdline parent_process=%proc.pname)
priority: NOTICE
@@ -2530,9 +2437,7 @@
- macro: trusted_logging_images
condition: (container.image.repository endswith "splunk/fluentd-hec" or
container.image.repository endswith "fluent/fluentd-kubernetes-daemonset" or
container.image.repository endswith "openshift3/ose-logging-fluentd" or
container.image.repository endswith "containernetworking/azure-npm")
container.image.repository endswith "fluent/fluentd-kubernetes-daemonset")
- rule: Clear Log Activities
desc: Detect clearing of critical log files
@@ -2554,12 +2459,9 @@
- macro: clear_data_procs
condition: (proc.name in (data_remove_commands))
- macro: user_known_remove_data_activities
condition: (never_true)
- rule: Remove Bulk Data from Disk
desc: Detect process running to clear bulk data from disk
condition: spawned_process and clear_data_procs and not user_known_remove_data_activities
condition: spawned_process and clear_data_procs
output: >
Bulk data has been removed from disk (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
priority:
@@ -2598,7 +2500,7 @@
- rule: Delete Bash History
desc: Detect bash history deletion
condition: >
((spawned_process and proc.name in (shred, rm, mv) and proc.args contains "bash_history") or
((spawned_process and proc.name in (shred, rm, mv) and proc.args contains "bash_history") or
(open_write and fd.name contains "bash_history" and evt.arg.flags contains "O_TRUNC"))
output: >
Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
@@ -2612,12 +2514,6 @@
- list: user_known_chmod_applications
items: [hyperkube, kubelet]
# This macro should be overridden in user rules as needed. This is useful if a given application
# should not be ignored alltogether with the user_known_chmod_applications list, but only in
# specific conditions.
- macro: user_known_set_setuid_or_setgid_bit_conditions
condition: (never_true)
- rule: Set Setuid or Setgid bit
desc: >
When the setuid or setgid bits are set for an application,
@@ -2627,7 +2523,6 @@
consider_all_chmods and chmod and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID")
and not proc.name in (user_known_chmod_applications)
and not exe_running_docker_save
and not user_known_set_setuid_or_setgid_bit_conditions
output: >
Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name process=%proc.name
command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
@@ -2642,17 +2537,14 @@
- macro: consider_hidden_file_creation
condition: (never_true)
- macro: user_known_create_hidden_file_activities
condition: (never_true)
- rule: Create Hidden Files or Directories
desc: Detect hidden files or directories created
condition: >
((modify and evt.arg.newpath contains "/.") or
(mkdir and evt.arg.path contains "/.") or
(open_write and evt.arg.flags contains "O_CREAT" and fd.name contains "/." and not fd.name pmatch (exclude_hidden_directories))) and
consider_hidden_file_creation and
not user_known_create_hidden_file_activities
(consider_hidden_file_creation and (
(modify and evt.arg.newpath contains "/.") or
(mkdir and evt.arg.path contains "/.") or
(open_write and evt.arg.flags contains "O_CREAT" and fd.name contains "/." and not fd.name pmatch (exclude_hidden_directories)))
)
output: >
Hidden file or directory created (user=%user.name command=%proc.cmdline
file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
@@ -2664,7 +2556,7 @@
items: [rsync, scp, sftp, dcp]
- macro: remote_file_copy_procs
condition: (proc.name in (remote_file_copy_binaries))
condition: (proc.name in (remote_File_copy_binaries))
- rule: Launch Remote File Copy Tools in Container
desc: Detect remote file copy tools launched in container
@@ -2795,16 +2687,11 @@
# Whitelist for known docker client binaries run inside container
# - k8s.gcr.io/fluentd-gcp-scaler in GCP/GKE
- macro: user_known_k8s_client_container
condition: >
(k8s.ns.name="kube-system" and container.image.repository=k8s.gcr.io/fluentd-gcp-scaler) or
container.image.repository=mcr.microsoft.com/aks/hcp/hcp-tunnel-front
- macro: user_known_k8s_client_container_parens
condition: (user_known_k8s_client_container)
condition: (k8s.ns.name="kube-system" and container.image.repository=k8s.gcr.io/fluentd-gcp-scaler)
- rule: The docker client is executed in a container
desc: Detect a k8s client tool executed inside a container
condition: spawned_process and container and not user_known_k8s_client_container_parens and proc.name in (k8s_client_binaries)
condition: spawned_process and container and not user_known_k8s_client_container and proc.name in (k8s_client_binaries)
output: "Docker or kubernetes client executed in container (user=%user.name %container.info parent=%proc.pname cmdline=%proc.cmdline image=%container.image.repository:%container.image.tag)"
priority: WARNING
tags: [container, mitre_execution]
@@ -2825,7 +2712,7 @@
output: Packet socket was created in a container (user=%user.name command=%proc.cmdline socket_info=%evt.args container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority: NOTICE
tags: [network, mitre_discovery]
# Change to (always_true) to enable rule 'Network connection outside local subnet'
- macro: enabled_rule_network_only_subnet
condition: (never_true)
@@ -2841,7 +2728,7 @@
- macro: network_local_subnet
condition: >
fd.rnet in (rfc_1918_addresses) or
fd.ip = "0.0.0.0" or
fd.ip = "0.0.0.0" or
fd.net = "127.0.0.0/8"
# # How to test:
@@ -2901,67 +2788,18 @@
not fd.sport in (authorized_server_port)
output: >
Network connection outside authorized port and binary
(command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id
(command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id
image=%container.image.repository)
priority: WARNING
tags: [network]
- macro: user_known_stand_streams_redirect_activities
condition: (never_true)
- rule: Redirect STDOUT/STDIN to Network Connection in Container
desc: Detect redirecting stdout/stdin to network connection in container (potential reverse shell).
condition: evt.type=dup and evt.dir=> and container and fd.num in (0, 1, 2) and fd.type in ("ipv4", "ipv6") and not user_known_stand_streams_redirect_activities
condition: evt.type=dup and evt.dir=> and container and fd.num in (0, 1, 2) and fd.type in ("ipv4", "ipv6")
output: >
Redirect stdout/stdin to network connection (user=%user.name %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip)
priority: WARNING
# The two Container Drift rules below will fire when a new executable is created in a container.
# There are two ways to create executables - file is created with execution permissions or permissions change of existing file.
# We will use a new sysdig filter, is_open_exec, to find all files creations with execution permission, and will trace all chmods in a container.
# The use case we are targeting here is an attempt to execute code that was not shipped as part of a container (drift) -
# an activity that might be malicious or non-compliant.
# Two things to pay attention to:
# 1) In most cases, 'docker cp' will not be identified, but the assumption is that if an attacker gained access to the container runtime daemon, they are already privileged
# 2) Drift rules will be noisy in environments in which containers are built (e.g. docker build)
# These two rules are not enabled by default. Use `never_true` in macro condition to enable them.
- macro: user_known_container_drift_activities
condition: (always_true)
- rule: Container Drift Detected (chmod)
desc: New executable created in a container due to chmod
condition: >
chmod and
consider_all_chmods and
container and
not runc_writing_exec_fifo and
not runc_writing_var_lib_docker and
not user_known_container_drift_activities and
evt.rawres>=0 and
((evt.arg.mode contains "S_IXUSR") or
(evt.arg.mode contains "S_IXGRP") or
(evt.arg.mode contains "S_IXOTH"))
output: Drift detected (chmod), new executable created in a container (user=%user.name command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
priority: ERROR
# ****************************************************************************
# * "Container Drift Detected (open+create)" requires FALCO_ENGINE_VERSION 6 *
# ****************************************************************************
- rule: Container Drift Detected (open+create)
desc: New executable created in a container due to open+create
condition: >
evt.type in (open,openat,creat) and
evt.is_open_exec=true and
container and
not runc_writing_exec_fifo and
not runc_writing_var_lib_docker and
not user_known_container_drift_activities and
evt.rawres>=0
output: Drift detected (open+create), new executable created in a container (user=%user.name command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
priority: ERROR
# Application rules have moved to application_rules.yaml. Please look
# there if you want to enable them by adding to
# falco_rules.local.yaml.

58
rules/k8s_audit_rules.yaml
View File

@@ -40,15 +40,8 @@
# If you wish to restrict activity to a specific set of users, override/append to this list.
# users created by kops are included
- list: vertical_pod_autoscaler_users
items: ["vpa-recommender", "vpa-updater"]
- list: allowed_k8s_users
items: [
"minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy", "kube-apiserver-healthcheck",
"kubernetes-admin",
vertical_pod_autoscaler_users,
]
items: ["minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy"]
- rule: Disallowed K8s User
desc: Detect any k8s operation by users outside of an allowed set of users.
@@ -156,13 +149,10 @@
source: k8s_audit
tags: [k8s]
- macro: user_known_node_port_service
condition: (k8s_audit_never_true)
- rule: Create NodePort Service
desc: >
Detect an attempt to start a service with a NodePort service type
condition: kevt and service and kcreate and ka.req.service.type=NodePort and not user_known_node_port_service
condition: kevt and service and kcreate and ka.req.service.type=NodePort
output: NodePort Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace ports=%ka.req.service.ports)
priority: WARNING
source: k8s_audit
@@ -190,7 +180,7 @@
- rule: Anonymous Request Allowed
desc: >
Detect any request made by the anonymous user that was allowed
condition: kevt and ka.user.name=system:anonymous and ka.auth.decision="allow" and not health_endpoint
condition: kevt and ka.user.name=system:anonymous and ka.auth.decision!=reject and not health_endpoint
output: Request by anonymous user allowed (user=%ka.user.name verb=%ka.verb uri=%ka.uri reason=%ka.auth.reason))
priority: WARNING
source: k8s_audit
@@ -205,31 +195,15 @@
# attach request was created privileged or not. For now, we have a
# less severe rule that detects attaches/execs to any pod.
- macro: user_known_exec_pod_activities
condition: (k8s_audit_never_true)
- rule: Attach/Exec Pod
desc: >
Detect any attempt to attach/exec to a pod
condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach) and not user_known_exec_pod_activities
condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach)
output: Attach/Exec to pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace action=%ka.target.subresource command=%ka.uri.param[command])
priority: NOTICE
source: k8s_audit
tags: [k8s]
- macro: user_known_pod_debug_activities
condition: (k8s_audit_never_true)
# Only works when feature gate EphemeralContainers is enabled
- rule: EphemeralContainers Created
desc: >
Detect any ephemeral container created
condition: kevt and pod_subresource and kmodify and ka.target.subresource in (ephemeralcontainers) and not user_known_pod_debug_activities
output: Ephemeral container is created in pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace ephemeral_container_name=%jevt.value[/requestObject/ephemeralContainers/0/name] ephemeral_container_image=%jevt.value[/requestObject/ephemeralContainers/0/image])
priority: NOTICE
source: k8s_audit
tags: [k8s]
# In a local/user rules fie, you can append to this list to add additional allowed namespaces
- list: allowed_namespaces
items: [kube-system, kube-public, default]
@@ -242,35 +216,19 @@
source: k8s_audit
tags: [k8s]
- list: user_trusted_image_list
items: []
- list: k8s_image_list
items: [k8s.gcr.io/kube-apiserver, kope/kube-apiserver-healthcheck]
- macro: trusted_pod
condition: (ka.req.pod.containers.image.repository in (user_trusted_image_list) or
ka.req.pod.containers.image.repository in (k8s_image_list))
# Detect any new pod created in the kube-system namespace
- rule: Pod Created in Kube Namespace
desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not trusted_pod
condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public)
output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
priority: WARNING
source: k8s_audit
tags: [k8s]
- list: user_known_sa_list
items: []
- macro: trusted_sa
condition: (ka.target.name in (user_known_sa_list))
# Detect creating a service account in the kube-system/kube-public namespace
- rule: Service Account Created in Kube Namespace
desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces
condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful and not trusted_sa
condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful
output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace)
priority: WARNING
source: k8s_audit
@@ -512,6 +470,8 @@
source: k8s_audit
tags: [k8s]
- macro: ingress
condition: ka.target.resource=ingresses
@@ -547,6 +507,8 @@
priority: WARNING
tags: [k8s, network]
- macro: node
condition: ka.target.resource=nodes

6
scripts/debian/falco
View File

@@ -64,8 +64,8 @@ do_start()
# 2 if daemon could not be started
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
|| return 1
if [ ! -d /sys/module/falco ]; then
/sbin/modprobe falco || exit 1
if [ ! -d /sys/module/falco_probe ]; then
/sbin/modprobe falco-probe || exit 1
fi
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
$DAEMON_ARGS \
@@ -96,7 +96,7 @@ do_stop()
# sleep for some time.
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
[ "$?" = 2 ] && return 2
/sbin/rmmod falco
/sbin/rmmod falco-probe
# Many daemons don't delete their pidfiles when they exit.
rm -f $PIDFILE
return "$RETVAL"

492
scripts/falco-driver-loader
View File

@@ -23,7 +23,8 @@
#
# Returns 1 if $cos_ver > $base_ver, 0 otherwise
#
cos_version_greater() {
cos_version_greater()
{
if [[ $cos_ver == "${base_ver}" ]]; then
return 0
fi
@@ -67,29 +68,29 @@ cos_version_greater() {
get_kernel_config() {
if [ -f /proc/config.gz ]; then
echo "* Found kernel config at /proc/config.gz"
echo "Found kernel config at /proc/config.gz"
KERNEL_CONFIG_PATH=/proc/config.gz
elif [ -f "/boot/config-${KERNEL_RELEASE}" ]; then
echo "* Found kernel config at /boot/config-${KERNEL_RELEASE}"
echo "Found kernel config at /boot/config-${KERNEL_RELEASE}"
KERNEL_CONFIG_PATH=/boot/config-${KERNEL_RELEASE}
elif [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/boot/config-${KERNEL_RELEASE}" ]; then
echo "* Found kernel config at ${HOST_ROOT}/boot/config-${KERNEL_RELEASE}"
echo "Found kernel config at ${HOST_ROOT}/boot/config-${KERNEL_RELEASE}"
KERNEL_CONFIG_PATH="${HOST_ROOT}/boot/config-${KERNEL_RELEASE}"
elif [ -f "/usr/lib/ostree-boot/config-${KERNEL_RELEASE}" ]; then
echo "* Found kernel config at /usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
echo "Found kernel config at /usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
KERNEL_CONFIG_PATH="/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
elif [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}" ]; then
echo "* Found kernel config at ${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
echo "Found kernel config at ${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
KERNEL_CONFIG_PATH="${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
elif [ -f "/lib/modules/${KERNEL_RELEASE}/config" ]; then
# this code works both for native host and agent container assuming that
# Dockerfile sets up the desired symlink /lib/modules -> $HOST_ROOT/lib/modules
echo "* Found kernel config at /lib/modules/${KERNEL_RELEASE}/config"
echo "Found kernel config at /lib/modules/${KERNEL_RELEASE}/config"
KERNEL_CONFIG_PATH="/lib/modules/${KERNEL_RELEASE}/config"
fi
if [ -z "${KERNEL_CONFIG_PATH}" ]; then
>&2 echo "Cannot find kernel config"
echo "Cannot find kernel config"
exit 1
fi
@@ -130,7 +131,7 @@ get_target_id() {
if [[ $KERNEL_RELEASE == *"aws"* ]]; then
TARGET_ID="ubuntu-aws"
else
TARGET_ID="ubuntu-generic"
TARGET_ID="ubuntu"
fi
;;
(*)
@@ -139,59 +140,6 @@ get_target_id() {
esac
}
load_kernel_module_compile() {
# skip dkms on UEK hosts because it will always fail
if [[ $(uname -r) == *uek* ]]; then
echo "* Skipping dkms install for UEK host"
else
if hash dkms &>/dev/null; then
echo "* Trying to dkms install ${DRIVER_NAME} module"
if dkms install -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"
if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then
echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
exit 0
elif insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko.xz" > /dev/null 2>&1; then
echo "* Success: ${DRIVER_NAME} module found and loaded in dkms (xz)"
exit 0
else
echo "* Unable to insmod ${DRIVER_NAME} module"
fi
else
DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log"
if [ -f "${DKMS_LOG}" ]; then
echo "* Running dkms build failed, dumping ${DKMS_LOG}"
cat "${DKMS_LOG}"
else
echo "* Running dkms build failed, couldn't find ${DKMS_LOG}"
fi
fi
else
echo "* Skipping dkms install (dkms not found)"
fi
fi
}
load_kernel_module_download() {
get_target_id
local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
local URL
URL=$(echo "${DRIVERS_REPO}/${DRIVER_VERSION}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g)
echo "* Trying to download prebuilt module from ${URL}"
if curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
echo "* Download succeeded"
insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module loaded"
exit $?
else
>&2 echo "Download failed, consider compiling your own ${DRIVER_NAME} module and loading it or getting in touch with the Falco community"
exit 1
fi
}
load_kernel_module() {
if ! hash lsmod > /dev/null 2>&1; then
>&2 echo "This program requires lsmod"
@@ -229,160 +177,67 @@ load_kernel_module() {
exit 0
fi
if [ -n "$ENABLE_COMPILE" ]; then
load_kernel_module_compile
# skip dkms on UEK hosts because it will always fail`
if [[ $(uname -r) == *uek* ]]; then
echo "* Skipping dkms install for UEK host"
else
if hash dkms &>/dev/null && dkms install -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
echo "* Trying to load a dkms ${DRIVER_NAME} module, if present"
if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then
echo "${DRIVER_NAME} module found and loaded in dkms"
exit 0
elif insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko.xz" > /dev/null 2>&1; then
echo "${DRIVER_NAME} module found and loaded in dkms (xz)"
exit 0
else
echo "* Unable to insmod"
fi
else
DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log"
if [ -f "${DKMS_LOG}" ]; then
echo "* Running dkms build failed, dumping ${DKMS_LOG}"
cat "${DKMS_LOG}"
else
echo "* Running dkms build failed, couldn't find ${DKMS_LOG}"
fi
fi
fi
echo "* Trying to load a system ${DRIVER_NAME} driver, if present"
if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
echo "* Success: ${DRIVER_NAME} module found and loaded with modprobe"
echo "${DRIVER_NAME} module found and loaded with modprobe"
exit 0
fi
fi
echo "* Trying to find locally a prebuilt ${DRIVER_NAME} module for kernel ${KERNEL_RELEASE}, if present"
echo "* Trying to find a prebuilt ${DRIVER_NAME} module for kernel ${KERNEL_RELEASE}"
get_target_id
local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
if [ -f "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" ]; then
echo "* Found a prebuilt module at ${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module loaded"
echo "Found a prebuilt module at ${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}"
exit $?
fi
if [ -n "$ENABLE_DOWNLOAD" ]; then
load_kernel_module_download
fi
}
load_bpf_probe_compile() {
local BPF_KERNEL_SOURCES_URL=""
local STRIP_COMPONENTS=1
customize_kernel_build() {
if [ -n "${KERNEL_EXTRA_VERSION}" ]; then
sed -i "s/LOCALVERSION=\"\"/LOCALVERSION=\"${KERNEL_EXTRA_VERSION}\"/" .config
fi
make olddefconfig > /dev/null
make modules_prepare > /dev/null
}
if [ -n "${COS}" ]; then
echo "* COS detected (build ${BUILD_ID}), using cos kernel headers"
BPF_KERNEL_SOURCES_URL="https://storage.googleapis.com/cos-tools/${BUILD_ID}/kernel-headers.tgz"
KERNEL_EXTRA_VERSION="+"
STRIP_COMPONENTS=0
customize_kernel_build() {
pushd usr/src/* > /dev/null || exit
# Note: this overrides the KERNELDIR set while untarring the tarball
KERNELDIR=$(pwd)
export KERNELDIR
sed -i '/^#define randomized_struct_fields_start struct {$/d' include/linux/compiler-clang.h
sed -i '/^#define randomized_struct_fields_end };$/d' include/linux/compiler-clang.h
popd > /dev/null || exit
# Might need to configure our own sources depending on COS version
cos_ver=${BUILD_ID}
base_ver=11553.0.0
cos_version_greater
greater_ret=$?
if [[ greater_ret -eq 1 ]]; then
export KBUILD_EXTRA_CPPFLAGS=-DCOS_73_WORKAROUND
fi
}
fi
if [ -n "${MINIKUBE}" ]; then
echo "* Minikube detected (${MINIKUBE_VERSION}), using linux kernel sources for minikube kernel"
local kernel_version
kernel_version=$(uname -r)
local -r kernel_version_major=$(echo "${kernel_version}" | cut -d. -f1)
local -r kernel_version_minor=$(echo "${kernel_version}" | cut -d. -f2)
local -r kernel_version_patch=$(echo "${kernel_version}" | cut -d. -f3)
if [ "${kernel_version_patch}" == "0" ]; then
kernel_version="${kernel_version_major}.${kernel_version_minor}"
fi
BPF_KERNEL_SOURCES_URL="http://mirrors.edge.kernel.org/pub/linux/kernel/v${kernel_version_major}.x/linux-${kernel_version}.tar.gz"
fi
if [ -n "${BPF_USE_LOCAL_KERNEL_SOURCES}" ]; then
local -r kernel_version_major=$(uname -r | cut -d. -f1)
local -r kernel_version=$(uname -r | cut -d- -f1)
KERNEL_EXTRA_VERSION="-$(uname -r | cut -d- -f2)"
echo "* Using downloaded kernel sources for kernel version ${kernel_version}..."
BPF_KERNEL_SOURCES_URL="http://mirrors.edge.kernel.org/pub/linux/kernel/v${kernel_version_major}.x/linux-${kernel_version}.tar.gz"
fi
if [ -n "${BPF_KERNEL_SOURCES_URL}" ]; then
echo "* Downloading ${BPF_KERNEL_SOURCES_URL}"
mkdir -p /tmp/kernel
cd /tmp/kernel || exit
cd "$(mktemp -d -p /tmp/kernel)" || exit
if ! curl -L -o kernel-sources.tgz --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" "${BPF_KERNEL_SOURCES_URL}"; then
>&2 echo "Download failed"
exit 1;
fi
echo "* Extracting kernel sources"
mkdir kernel-sources && tar xf kernel-sources.tgz -C kernel-sources --strip-components "${STRIP_COMPONENTS}"
cd kernel-sources || exit
KERNELDIR=$(pwd)
export KERNELDIR
if [[ "${KERNEL_CONFIG_PATH}" == *.gz ]]; then
zcat "${KERNEL_CONFIG_PATH}" > .config
else
cat "${KERNEL_CONFIG_PATH}" > .config
fi
echo "* Configuring kernel"
customize_kernel_build
fi
echo "* Trying to compile the eBPF probe (${BPF_PROBE_FILENAME})"
make -C "/usr/src/${DRIVER_NAME}-${DRIVER_VERSION}/bpf" > /dev/null
mkdir -p "${HOME}/.falco"
mv "/usr/src/${DRIVER_NAME}-${DRIVER_VERSION}/bpf/probe.o" "${HOME}/.falco/${BPF_PROBE_FILENAME}"
if [ -n "${BPF_KERNEL_SOURCES_URL}" ]; then
rm -r /tmp/kernel
fi
}
load_bpf_probe_download() {
local URL
URL=$(echo "${DRIVERS_REPO}/${DRIVER_VERSION}/${BPF_PROBE_FILENAME}" | sed s/+/%2B/g)
URL=$(echo "${DRIVERS_REPO}/${DRIVER_VERSION}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g)
echo "* Trying to download a prebuilt eBPF probe from ${URL}"
if ! curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${URL}"; then
>&2 echo "Download failed"
exit 1;
echo "* Trying to download prebuilt module from ${URL}"
if curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
echo "Download succeeded, loading module"
insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}"
exit $?
else
>&2 echo "Download failed, consider compiling your own ${DRIVER_NAME} module and loading it or getting in touch with the Falco community"
exit 1
fi
}
load_bpf_probe() {
echo "* Mounting debugfs"
if [ ! -d /sys/kernel/debug/tracing ]; then
@@ -407,27 +262,128 @@ load_bpf_probe() {
get_target_id
BPF_PROBE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.o"
local BPF_PROBE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.o"
if [ -n "$ENABLE_COMPILE" ]; then
if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
echo "* Skipping compile, eBPF probe is already present in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
else
load_bpf_probe_compile
if [ ! -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
local BPF_KERNEL_SOURCES_URL=""
local STRIP_COMPONENTS=1
customize_kernel_build() {
if [ -n "${KERNEL_EXTRA_VERSION}" ]; then
sed -i "s/LOCALVERSION=\"\"/LOCALVERSION=\"${KERNEL_EXTRA_VERSION}\"/" .config
fi
make olddefconfig > /dev/null
make modules_prepare > /dev/null
}
if [ -n "${COS}" ]; then
echo "* COS detected (build ${BUILD_ID}), using cos kernel headers..."
BPF_KERNEL_SOURCES_URL="https://storage.googleapis.com/cos-tools/${BUILD_ID}/kernel-headers.tgz"
KERNEL_EXTRA_VERSION="+"
STRIP_COMPONENTS=0
customize_kernel_build() {
pushd usr/src/* > /dev/null || exit
# Note: this overrides the KERNELDIR set while untarring the tarball
KERNELDIR=$(pwd)
export KERNELDIR
sed -i '/^#define randomized_struct_fields_start struct {$/d' include/linux/compiler-clang.h
sed -i '/^#define randomized_struct_fields_end };$/d' include/linux/compiler-clang.h
popd > /dev/null || exit
# Might need to configure our own sources depending on COS version
cos_ver=${BUILD_ID}
base_ver=11553.0.0
cos_version_greater
greater_ret=$?
if [[ greater_ret -eq 1 ]]; then
export KBUILD_EXTRA_CPPFLAGS=-DCOS_73_WORKAROUND
fi
}
fi
if [ -n "${MINIKUBE}" ]; then
echo "* Minikube detected (${MINIKUBE_VERSION}), using linux kernel sources for minikube kernel"
local kernel_version
kernel_version=$(uname -r)
local -r kernel_version_major=$(echo "${kernel_version}" | cut -d. -f1)
local -r kernel_version_minor=$(echo "${kernel_version}" | cut -d. -f2)
local -r kernel_version_patch=$(echo "${kernel_version}" | cut -d. -f3)
if [ "${kernel_version_patch}" == "0" ]; then
kernel_version="${kernel_version_major}.${kernel_version_minor}"
fi
BPF_KERNEL_SOURCES_URL="http://mirrors.edge.kernel.org/pub/linux/kernel/v${kernel_version_major}.x/linux-${kernel_version}.tar.gz"
fi
if [ -n "${BPF_USE_LOCAL_KERNEL_SOURCES}" ]; then
local -r kernel_version_major=$(uname -r | cut -d. -f1)
local -r kernel_version=$(uname -r | cut -d- -f1)
KERNEL_EXTRA_VERSION="-$(uname -r | cut -d- -f2)"
echo "* Using downloaded kernel sources for kernel version ${kernel_version}..."
BPF_KERNEL_SOURCES_URL="http://mirrors.edge.kernel.org/pub/linux/kernel/v${kernel_version_major}.x/linux-${kernel_version}.tar.gz"
fi
if [ -n "${BPF_KERNEL_SOURCES_URL}" ]; then
echo "* Downloading ${BPF_KERNEL_SOURCES_URL}"
mkdir -p /tmp/kernel
cd /tmp/kernel || exit
cd "$(mktemp -d -p /tmp/kernel)" || exit
if ! curl -L -o kernel-sources.tgz --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" "${BPF_KERNEL_SOURCES_URL}"; then
exit 1;
fi
echo "* Extracting kernel sources"
mkdir kernel-sources && tar xf kernel-sources.tgz -C kernel-sources --strip-components "${STRIP_COMPONENTS}"
cd kernel-sources || exit
KERNELDIR=$(pwd)
export KERNELDIR
if [[ "${KERNEL_CONFIG_PATH}" == *.gz ]]; then
zcat "${KERNEL_CONFIG_PATH}" > .config
else
cat "${KERNEL_CONFIG_PATH}" > .config
fi
echo "* Configuring kernel"
customize_kernel_build
fi
echo "* Trying to compile the eBPF probe (${BPF_PROBE_FILENAME})"
make -C "/usr/src/${DRIVER_NAME}-${DRIVER_VERSION}/bpf" > /dev/null
mkdir -p "${HOME}/.falco"
mv "/usr/src/${DRIVER_NAME}-${DRIVER_VERSION}/bpf/probe.o" "${HOME}/.falco/${BPF_PROBE_FILENAME}"
if [ -n "${BPF_KERNEL_SOURCES_URL}" ]; then
rm -r /tmp/kernel
fi
fi
if [ -n "$ENABLE_DOWNLOAD" ]; then
if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
echo "* Skipping download, eBPF probe is already present in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
else
load_bpf_probe_download
fi
if [ ! -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
local URL
URL=$(echo "${DRIVERS_REPO}/${DRIVER_VERSION}/${BPF_PROBE_FILENAME}" | sed s/+/%2B/g)
echo "* Trying to download a prebuilt eBPF probe from ${URL}"
curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${URL}"
fi
if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
echo "* eBPF probe located in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
if [ ! -f /proc/sys/net/core/bpf_jit_enable ]; then
echo "******************************************************************"
echo "** BPF doesn't have JIT enabled, performance might be degraded. **"
@@ -435,37 +391,20 @@ load_bpf_probe() {
echo "******************************************************************"
fi
ln -sf "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${HOME}/.falco/${DRIVER_NAME}-bpf.o" \
&& echo "* Success: eBPF probe symlinked to ${HOME}/.falco/${DRIVER_NAME}-bpf.o"
echo "* eBPF probe located, it's now possible to start Falco"
ln -sf "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${HOME}/.falco/${DRIVER_NAME}-bpf.o"
exit $?
else
>&2 echo "Failure to find an eBPF probe"
echo "* Failure to find an eBPF probe"
exit 1
fi
}
print_usage() {
echo ""
echo "Usage:"
echo " falco-driver-loader [driver] [options]"
echo ""
echo "Available drivers:"
echo " module kernel module (default)"
echo " bpf eBPF probe"
echo ""
echo "Options:"
echo " --help show brief help"
echo " --compile try to compile the driver locally"
echo " --download try to download a prebuilt driver"
echo " --source-only skip execution and allow sourcing in another script"
echo ""
}
ARCH=$(uname -m)
KERNEL_RELEASE=$(uname -r)
KERNEL_VERSION=$(uname -v | sed 's/#\([[:digit:]]\+\).*/\1/')
DRIVERS_REPO=${DRIVERS_REPO:-"@DRIVERS_REPO@"}
if [ -n "$DRIVER_INSECURE_DOWNLOAD" ]
then
FALCO_DRIVER_CURL_OPTIONS=-fsSk
@@ -473,91 +412,26 @@ else
FALCO_DRIVER_CURL_OPTIONS=-fsS
fi
if [[ -z "$MAX_RMMOD_WAIT" ]]; then
MAX_RMMOD_WAIT=60
MAX_RMMOD_WAIT=60
if [[ $# -ge 1 ]]; then
MAX_RMMOD_WAIT=$1
fi
DRIVER_VERSION="@PROBE_VERSION@"
DRIVER_NAME="@PROBE_NAME@"
DRIVER="module"
if [ -v FALCO_BPF_PROBE ]; then
DRIVER="bpf"
if [ "$(id -u)" != 0 ]; then
echo "Installer must be run as root (or with sudo)."
exit 1
fi
ENABLE_COMPILE=
ENABLE_DOWNLOAD=
has_args=
has_opts=
source_only=
while test $# -gt 0; do
case "$1" in
module|bpf)
if [ -n "$has_args" ]; then
>&2 echo "Only one driver can be passed"
print_usage
exit 1
else
DRIVER="$1"
has_args="true"
shift
fi
;;
-h|--help)
print_usage
exit 0
;;
--compile)
ENABLE_COMPILE="yes"
has_opts="true"
shift
;;
--download)
ENABLE_DOWNLOAD="yes"
has_opts="true"
shift
;;
--source-only)
source_only="true"
shift
;;
--*)
>&2 echo "Unknown option: $1"
print_usage
exit 1
;;
*)
>&2 echo "Unknown driver: $1"
print_usage
exit 1
;;
esac
done
if [ -z "$has_opts" ]; then
ENABLE_COMPILE="yes"
ENABLE_DOWNLOAD="yes"
if ! hash curl > /dev/null 2>&1; then
echo "This program requires curl"
exit 1
fi
if [ -z "$source_only" ]; then
if [ "$(id -u)" != 0 ]; then
>&2 echo "This program must be run as root (or with sudo)"
exit 1
fi
if ! hash curl > /dev/null 2>&1; then
>&2 echo "This program requires curl"
exit 1
fi
echo "* Running falco-driver-loader with: driver=$DRIVER, compile=${ENABLE_COMPILE:-"no"}, download=${ENABLE_DOWNLOAD:-"no"}"
case $DRIVER in
module)
load_kernel_module
;;
bpf)
load_bpf_probe
;;
esac
fi
if [ -v FALCO_BPF_PROBE ] || [ "${1}" = "bpf" ]; then
load_bpf_probe
else
load_kernel_module
fi

6
scripts/rpm/falco
View File

@@ -53,8 +53,8 @@ start() {
# [ -f $config ] || exit 6
echo -n $"Starting $prog: "
daemon $exec --daemon --pidfile=$pidfile
if [ ! -d /sys/module/falco ]; then
/sbin/modprobe falco || return $?
if [ ! -d /sys/module/falco_probe ]; then
/sbin/modprobe falco-probe || return $?
fi
retval=$?
echo
@@ -67,7 +67,7 @@ stop() {
killproc -p $pidfile
retval=$?
echo
/sbin/rmmod falco
/sbin/rmmod falco-probe
[ $retval -eq 0 ] && rm -f $lockfile
return $retval
}

3
test/CMakeLists.txt
View File

@@ -1,4 +1 @@
add_subdirectory(trace_files)
add_custom_target(test-trace-files ALL)
add_dependencies(test-trace-files trace-files-base-scap trace-files-psp trace-files-k8s-audit)

111
test/README.md
View File

@@ -1,115 +1,6 @@
# Falco regression tests
# Falco Regression tests
This folder contains the Regression tests suite for Falco.
You can find instructions on how to run this test suite on the Falco website [here](https://falco.org/docs/source/#run-regression-tests).
## Test suites
- [falco_tests](./falco_tests.yaml)
- [falco_traces](./falco_traces.yaml.in)
- [falco_tests_package](./falco_tests_package.yaml)
- [falco_k8s_audit_tests](./falco_k8s_audit_tests.yaml)
- [falco_tests_psp](./falco_tests_psp.yaml)
## Running locally
This step assumes you already built Falco.
Note that the tests are intended to be run against a [release build](https://falco.org/docs/source/#specify-the-build-type) of Falco, at the moment.
Also, it assumes you prepared [falco_traces](#falco_traces) (see the section below) and you already run the following command from the build directory:
```console
make test-trace-files
```
It prepares the fixtures (`json` and `scap` files) needed by the integration tests.
Using `virtualenv` the steps to locally run a specific test suite are the following ones (from this directory):
```console
virtualenv venv
source venv/bin/activate
pip install -r requirements.txt
BUILD_DIR="../build" avocado run --mux-yaml falco_tests.yaml --job-results-dir /tmp/job-results -- falco_test.py
deactivate
```
The name of the specific test suite to run is `falco_tests.yaml` in this case. Change it to run others test suites.
In case you want to only execute a specific test case, use the `--mux-filter-only` parameter as follows:
```console
BUILD_DIR="../build" avocado run --mux-yaml falco_tests.yaml --job-results-dir /tmp/job-results --mux-filter-only /run/trace_files/program_output -- falco_test.py
```
To obtain the path of all the available variants for a given test suite, execute:
```console
avocado variants --mux-yaml falco_tests.yaml
```
### falco_traces
The `falco_traces.yaml` test suite gets generated through the `falco_traces.yaml.in` file and some fixtures (`scap` files) downloaded from the web at execution time.
1. Ensure you have `unzip` and `xargs` utilities
2. Prepare the test suite with the following command:
```console
bash run_regression_tests.sh -p -v
```
### falco_tests_package
The `falco_tests_package.yaml` test suite requires some additional setup steps to be succesfully run on your local machine.
In particular, it requires some runners (ie., docker images) to be already built and present into your local machine.
1. Ensure you have `docker` up and running
2. Ensure you build Falco (with bundled deps)
The recommended way of doing it by running the `falcosecurity/falco-builder` docker image from the project root:
```console
docker run -v $PWD/..:/source -v $PWD/mybuild:/build falcosecurity/falco-builder cmake
docker run -v $PWD/..:/source -v $PWD/mybuild:/build falcosecurity/falco-builder falco
```
3. Ensure you build the Falco packages from the Falco above:
```console
docker run -v $PWD/..:/source -v $PWD/mybuild:/build falcosecurity/falco-builder package
```
4. Ensure you build the runners:
```console
FALCO_VERSION=$(./mybuild/release/userspace/falco/falco --version | head -n 1 | cut -d' ' -f3 | tr -d '\r')
mkdir -p /tmp/runners-rootfs
cp -R ./test/rules /tmp/runners-rootfs
cp -R ./test/trace_files /tmp/runners-rootfs
cp ./mybuild/release/falco-${FALCO_VERSION}-x86_64.{deb,rpm,tar.gz} /tmp/runners-rootfs
docker build -f docker/tester/root/runners/deb.Dockerfile --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:test-deb /tmp/runners-rootfs
docker build -f docker/tester/root/runners/rpm.Dockerfile --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:test-rpm /tmp/runners-rootfs
docker build -f docker/tester/root/runners/tar.gz.Dockerfile --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:test-tar.gz /tmp/runners-rootfs
```
5. Run the `falco_tests_package.yaml` test suite from the `test` directory
```console
cd test
BUILD_DIR="../mybuild" avocado run --mux-yaml falco_tests_package.yaml --job-results-dir /tmp/job-results -- falco_test.py
```
### Execute all the test suites
In case you want to run all the test suites at once, you can directly use the `run_regression_tests.sh` runner script.
```console
cd test
./run_regression_tests.sh -v
```
Just make sure you followed all the previous setup steps.

38
test/confs/grpc_unix_socket.yaml
View File

@@ -1,38 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Whether to output events in json or text.
json_output: false
# Send information logs to stderr and/or syslog
# Note these are *not* security notification logs!
# These are just Falco lifecycle (and possibly error) logs.
log_stderr: false
log_syslog: false
# Where security notifications should go.
stdout_output:
enabled: false
# gRPC server using an unix socket.
grpc:
enabled: true
bind_address: "unix:///tmp/falco/falco.sock"
threadiness: 8
grpc_output:
enabled: true

8
test/confs/program_output.yaml
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2020 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -21,14 +21,14 @@ rules_file: /etc/falco_rules.yaml
# Whether to output events in json or text
json_output: false
# Send information logs to stderr and/or syslog
# Note these are *not* security notification logs!
# These are just Falco lifecycle (and possibly error) logs.
# Send information logs to stderr and/or syslog Note these are *not* security
# notification logs! These are just Falco lifecycle (and possibly error) logs.
log_stderr: false
log_syslog: false
# Where security notifications should go.
# Multiple outputs can be enabled.
syslog_output:
enabled: false

2
test/confs/psp.yaml
View File

@@ -136,7 +136,7 @@ stdout_output:
webserver:
enabled: true
listen_port: 8765
k8s_audit_endpoint: /k8s-audit
k8s_audit_endpoint: /k8s_audit
ssl_enabled: false
ssl_certificate: /etc/falco/falco.pem

48
test/driver-loader/run_test.sh
View File

@@ -1,48 +0,0 @@
#!/usr/bin/env bash
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
set -euo pipefail
BUILD_DIR=$1
SCRIPT=$(readlink -f $0)
SCRIPTDIR=$(dirname "$SCRIPT")
RUNNERDIR="${SCRIPTDIR}/runner"
FALCO_VERSION=$(cat ${BUILD_DIR}/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
DRIVER_VERSION=$(cat ${BUILD_DIR}/userspace/falco/config_falco.h | grep 'DRIVER_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
FALCO_PACKAGE="falco-${FALCO_VERSION}-x86_64.tar.gz"
cp "${BUILD_DIR}/${FALCO_PACKAGE}" "${RUNNERDIR}"
pushd "${RUNNERDIR}"
docker build --build-arg FALCO_VERSION="$FALCO_VERSION" \
-t falcosecurity/falco:test-driver-loader \
-f "${RUNNERDIR}/Dockerfile" "${RUNNERDIR}"
popd
rm -f "${RUNNERDIR}/${FALCO_PACKAGE}"
docker run --rm --privileged \
-e FALCO_VERSION="$FALCO_VERSION" \
-e DRIVER_VERSION="$DRIVER_VERSION" \
-v /dev:/host/dev \
-v /proc:/host/proc:ro \
-v /boot:/host/boot:ro \
-v /lib/modules:/host/lib/modules:ro \
-v /usr:/host/usr:ro \
-v /etc:/host/etc:ro \
falcosecurity/falco:test-driver-loader
docker rmi -f falcosecurity/falco:test-driver-loader

32
test/driver-loader/runner/Dockerfile
View File

@@ -1,32 +0,0 @@
FROM ubuntu:18.04
ARG FALCO_VERSION=
RUN test -n FALCO_VERSION
ENV FALCO_VERSION ${FALCO_VERSION}
ENV DRIVER_VERSION=
ENV HOST_ROOT=/host
# Minimal set of deps required to run falco-driver-loader and falco
RUN apt-get update -y
RUN apt-get install -y --no-install-recommends \
ca-certificates \
dkms \
curl \
gcc \
clang-7 \
llvm-7 \
libelf-dev
RUN rm -rf /usr/bin/clang \
&& rm -rf /usr/bin/llc \
&& ln -s /usr/bin/clang-7 /usr/bin/clang \
&& ln -s /usr/bin/llc-7 /usr/bin/llc
RUN rm -rf /lib/modules \
&& ln -s $HOST_ROOT/lib/modules /lib/modules
ADD falco-${FALCO_VERSION}-x86_64.tar.gz /
RUN cp -R /falco-${FALCO_VERSION}-x86_64/* /
COPY test.sh /
CMD /test.sh

136
test/driver-loader/runner/test.sh
View File

@@ -1,136 +0,0 @@
#!/usr/bin/env bash
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
set -euo pipefail
FALCO="falco -M 1"
FALCO_DRIVER_LOADER=falco-driver-loader
function init() {
# We need this here since is not part of the falco-driver-loader script
#
# todo(leogr): maybe this can be moved into falco-driver-loader directly
# since it depends on HOST_ROOT
if [ -n "${HOST_ROOT}" ]; then
echo "INIT: Setting up /usr/src links from host"
for i in "$HOST_ROOT/usr/src"/*
do
base=$(basename "$i")
ln -s "$i" "/usr/src/$base"
done
fi
local EXPECTED_DRIVER_VERSION=${DRIVER_VERSION}
# We need some env vars to be populated
# Just source falco-driver-loader, and call get_target_id
# Loaded driver will be cleaned up later, if any.
echo "INIT: Sourcing ${FALCO_DRIVER_LOADER} to get env vars populated"
set +eu
source $FALCO_DRIVER_LOADER --source-only
get_target_id
set -eu
if [ ! "${EXPECTED_DRIVER_VERSION}" = "${DRIVER_VERSION}" ]; then
echo "INIT: Unexpected DRIVER_VERSION in falco-driver-loader"
echo "Expected: ${EXPECTED_DRIVER_VERSION}"
echo "Found: ${DRIVER_VERSION}"
exit 1
fi
FALCO_KERNEL_MODULE_PATH="${HOME}/.falco/${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
FALCO_BPF_PROBE_PATH="${HOME}/.falco/${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.o"
cleanup_drivers
}
function cleanup_drivers() {
echo "CLEANUP: remove drivers, if any"
# kernel module
rmmod "$DRIVER_NAME" > /dev/null 2>&1 || true
dkms uninstall "$DRIVER_NAME/$DRIVER_VERSION" > /dev/null 2>&1 || true
rm -f "$FALCO_KERNEL_MODULE_PATH"
# bpf probe
local PROBE_INSTALL_PATH="${HOME}/.falco/${DRIVER_NAME}-bpf.o"
rm -f "$FALCO_BPF_PROBE_PATH"
rm -f "$PROBE_INSTALL_PATH"
}
function run_test() {
echo ""
echo "TEST: $1"
echo ""
$1
echo ""
echo "PASS: $1"
echo ""
cleanup_drivers
}
function assert_kernel_module() {
echo "ASSERT: module loaded"
local KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
if ! lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1; then
echo "FAIL: module not loaded"
exit 1
fi
echo "ASSERT: falco works with module"
if ! $FALCO; then
echo "FAIL: falco does not work with module"
exit 1
fi
}
function assert_bpf_probe() {
local PROBE_INSTALL_PATH="${HOME}/.falco/${DRIVER_NAME}-bpf.o"
echo "ASSERT: eBPF probe at $PROBE_INSTALL_PATH"
if ! test -f "$PROBE_INSTALL_PATH"; then
echo "FAIL: eBPF probe not found"
exit 1
fi
echo "ASSERT: falco works with bpf"
if ! FALCO_BPF_PROBE="" $FALCO; then
echo "FAIL: falco does not work with bpf"
exit 1
fi
}
function test_kernel_module() {
$FALCO_DRIVER_LOADER
assert_kernel_module
}
function test_bpf_probe() {
$FALCO_DRIVER_LOADER bpf
assert_bpf_probe
}
echo "falco-driver-loader tester"
echo ""
echo "Falco version: $FALCO_VERSION"
echo "Driver version: $DRIVER_VERSION"
echo "HOST_ROOT: ${HOST_ROOT}"
echo ""
init
run_test "test_kernel_module"
run_test "test_bpf_probe"

69
test/falco_test.py
View File

@@ -28,8 +28,6 @@ import urllib.request
from avocado import Test
from avocado import main
from avocado.utils import process
from watchdog.observers import Observer
from watchdog.events import PatternMatchingEventHandler
class FalcoTest(Test):
@@ -197,24 +195,6 @@ class FalcoTest(Test):
os.makedirs(filedir)
self.outputs = outputs
self.grpcurl_res = None
self.grpc_observer = None
self.grpc_address = self.params.get('address', 'grpc/*', default='/var/run/falco.sock')
if self.grpc_address.startswith("unix://"):
self.is_grpc_using_unix_socket = True
self.grpc_address = self.grpc_address[len("unix://"):]
else:
self.is_grpc_using_unix_socket = False
self.grpc_proto = self.params.get('proto', 'grpc/*', default='')
self.grpc_service = self.params.get('service', 'grpc/*', default='')
self.grpc_method = self.params.get('method', 'grpc/*', default='')
self.grpc_results = self.params.get('results', 'grpc/*', default='')
if self.grpc_results == '':
self.grpc_results = []
else:
if type(self.grpc_results) == str:
self.grpc_results = [self.grpc_results]
self.disable_tags = self.params.get('disable_tags', '*', default='')
if self.disable_tags == '':
@@ -431,54 +411,12 @@ class FalcoTest(Test):
md5_output = subprocess.check_output(["md5sum", "/boot/config-{}".format(kernel_release)]).rstrip()
config_hash = md5_output.split(" ")[0]
probe_filename = "falco-{}-{}-{}-{}.ko".format(falco_version, arch, kernel_release, config_hash)
driver_path = os.path.join(self.falcodir, "driver", "falco.ko")
probe_filename = "falco-probe-{}-{}-{}-{}.ko".format(falco_version, arch, kernel_release, config_hash)
driver_path = os.path.join(self.falcodir, "driver", "falco-probe.ko")
module_path = os.path.join(self.module_dir, probe_filename)
self.log.debug("Copying {} to {}".format(driver_path, module_path))
shutil.copyfile(driver_path, module_path)
def init_grpc_handler(self):
self.grpcurl_res = None
if len(self.grpc_results) > 0:
if not self.is_grpc_using_unix_socket:
self.fail("This test suite supports gRPC with unix socket only")
cmdline = "grpcurl -import-path ../userspace/falco " \
"-proto {} -plaintext -unix {} " \
"{}/{}".format(self.grpc_proto, self.grpc_address, self.grpc_service, self.grpc_method)
that = self
class GRPCUnixSocketEventHandler(PatternMatchingEventHandler):
def on_created(self, event):
# that.log.info("EVENT: {}", event)
that.grpcurl_res = process.run(cmdline)
path = os.path.dirname(self.grpc_address)
process.run("mkdir -p {}".format(path))
event_handler = GRPCUnixSocketEventHandler(patterns=['*'],
ignore_directories=True)
self.grpc_observer = Observer()
self.grpc_observer.schedule(event_handler, path, recursive=False)
self.grpc_observer.start()
def check_grpc(self):
if self.grpc_observer is not None:
self.grpc_observer.stop()
self.grpc_observer = None
if self.grpcurl_res is None:
self.fail("gRPC responses not found")
for exp_result in self.grpc_results:
found = False
for line in self.grpcurl_res.stdout.decode("utf-8").splitlines():
match = re.search(exp_result, line)
if match is not None:
found = True
if found == False:
self.fail("Could not find a line '{}' in gRPC responses".format(exp_result))
def test(self):
self.log.info("Trace file %s", self.trace_file)
@@ -486,8 +424,6 @@ class FalcoTest(Test):
self.possibly_copy_driver()
self.init_grpc_handler()
if self.package != 'None':
# This sets falco_binary_path as a side-effect.
self.install_package()
@@ -590,7 +526,6 @@ class FalcoTest(Test):
self.check_detections_by_rule(res)
self.check_json_output(res)
self.check_outputs()
self.check_grpc()
pass

16
test/falco_tests.yaml
View File

@@ -672,22 +672,6 @@ trace_files: !mux
outputs:
- /tmp/falco_outputs/program_output.txt: Warning An open was seen
grpc_unix_socket_outputs:
detect: True
detect_level: WARNING
rules_file:
- rules/single_rule.yaml
conf_file: confs/grpc_unix_socket.yaml
trace_file: trace_files/cat_write.scap
run_duration: 5
grpc:
address: unix:///tmp/falco/falco.sock
proto: outputs.proto
service: falco.outputs.service
method: get
results:
- "Warning An open was seen"
detect_counts:
detect: True
detect_level: WARNING

2
test/falco_traces.yaml.in
View File

@@ -1,5 +1,5 @@
#
# Copyright (C) 2020 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");

13
test/requirements.txt
View File

@@ -1,13 +0,0 @@
avocado-framework==69.0
avocado-framework-plugin-varianter-yaml-to-mux==69.0
certifi==2020.4.5.1
chardet==3.0.4
idna==2.9
pathtools==0.1.2
pbr==5.4.5
PyYAML==5.3.1
requests==2.23.0
six==1.14.0
stevedore==1.32.0
urllib3==1.25.9
watchdog==0.10.2

144
test/run_regression_tests.sh
View File

@@ -1,6 +1,6 @@
#!/usr/bin/env bash
#
# Copyright (C) 2020 The Falco Authors.
# Copyright (C) 2019 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -18,46 +18,45 @@
set -euo pipefail
SCRIPT=$(readlink -f $0)
SCRIPTDIR=$(dirname "$SCRIPT")
SCRIPTDIR=$(dirname $SCRIPT)
BUILD_DIR=$1
BRANCH=${2:-none}
TRACE_DIR=$BUILD_DIR/test
mkdir -p $TRACE_DIR
function download_trace_files() {
echo "branch=$BRANCH"
for TRACE in traces-positive traces-negative traces-info ; do
if [ ! -e "$TRACE_DIR/$TRACE" ]; then
if [ "$OPT_BRANCH" != "none" ]; then
curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$OPT_BRANCH.zip
else
curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE.zip
fi
unzip -d "$TRACE_DIR" "$TRACE_DIR/$TRACE.zip"
rm -rf "$TRACE_DIR/$TRACE.zip"
else
if ${OPT_VERBOSE}; then
echo "Trace directory $TRACE_DIR/$TRACE already exist: skipping"
fi
fi
if [ ! -e $TRACE_DIR/$TRACE ]; then
if [ $BRANCH != "none" ]; then
curl -fso $TRACE_DIR/$TRACE.zip https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$BRANCH.zip
else
curl -fso $TRACE_DIR/$TRACE.zip https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE.zip
fi
unzip -d $TRACE_DIR $TRACE_DIR/$TRACE.zip
rm -rf $TRACE_DIR/$TRACE.zip
fi
done
}
function prepare_multiplex_fileset() {
dir=$1
detect=$2
for trace in "$TRACE_DIR/$dir"/*.scap ; do
[ -e "$trace" ] || continue
NAME=$(basename "$trace" .scap)
for trace in $TRACE_DIR/$dir/*.scap ; do
[ -e "$trace" ] || continue
NAME=`basename $trace .scap`
# falco_traces.yaml might already have an entry for this trace file, with specific detection levels and counts.
# If so, skip it.
# Otherwise, add a generic entry showing whether or not to detect anything.
if grep -q "$NAME:" "$SCRIPTDIR/falco_traces.yaml"; then
if ${OPT_VERBOSE}; then
echo "Entry $NAME already exist: skipping"
fi
continue
fi
cat << EOF >> "$SCRIPTDIR/falco_traces.yaml"
# falco_traces.yaml might already have an entry for this trace
# file, with specific detection levels and counts. If so, skip
# it. Otherwise, add a generic entry showing whether or not to
# detect anything.
grep -q "$NAME:" $SCRIPTDIR/falco_traces.yaml && continue
cat << EOF >> $SCRIPTDIR/falco_traces.yaml
$NAME:
detect: $detect
detect_level: WARNING
@@ -67,96 +66,41 @@ EOF
}
function prepare_multiplex_file() {
/bin/cp -f "$SCRIPTDIR/falco_traces.yaml.in" "$SCRIPTDIR/falco_traces.yaml"
cp $SCRIPTDIR/falco_traces.yaml.in $SCRIPTDIR/falco_traces.yaml
prepare_multiplex_fileset traces-positive True
prepare_multiplex_fileset traces-negative False
prepare_multiplex_fileset traces-info True
if ${OPT_VERBOSE}; then
echo "Contents of $SCRIPTDIR/falco_traces.yaml"
cat "$SCRIPTDIR/falco_traces.yaml"
fi
echo "Contents of $SCRIPTDIR/falco_traces.yaml:"
cat $SCRIPTDIR/falco_traces.yaml
}
function print_test_failure_details() {
echo "Showing full job logs for any tests that failed:"
jq '.tests[] | select(.status != "PASS") | .logfile' "$SCRIPTDIR/job-results/latest/results.json" | xargs cat
jq '.tests[] | select(.status != "PASS") | .logfile' $SCRIPTDIR/job-results/latest/results.json | xargs cat
}
function run_tests() {
rm -rf /tmp/falco_outputs
mkdir /tmp/falco_outputs
# If we got this far, we can undo set -e,
# as we're watching the return status when running avocado.
# If we got this far, we can undo set -e, as we're watching the
# return status when running avocado.
set +e
TEST_RC=0
for mult in $SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_tests_package.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml; do
CMD="avocado run --mux-yaml $mult --job-results-dir $SCRIPTDIR/job-results -- $SCRIPTDIR/falco_test.py"
echo "Running $CMD"
BUILD_DIR=${OPT_BUILD_DIR} $CMD
RC=$?
TEST_RC=$((TEST_RC+RC))
if [ $RC -ne 0 ]; then
print_test_failure_details
fi
CMD="avocado run --mux-yaml $mult --job-results-dir $SCRIPTDIR/job-results -- $SCRIPTDIR/falco_test.py"
echo "Running: $CMD"
BUILD_DIR=${BUILD_DIR} $CMD
RC=$?
TEST_RC=$((TEST_RC+$RC))
if [ $RC -ne 0 ]; then
print_test_failure_details
fi
done
}
OPT_ONLY_PREPARE="false"
OPT_VERBOSE="false"
OPT_BUILD_DIR="$(dirname "$SCRIPTDIR")/build"
OPT_BRANCH="none"
while getopts ':p :h :v :b: :d:' 'OPTKEY'; do
case ${OPTKEY} in
'p')
OPT_ONLY_PREPARE="true"
;;
'h')
/bin/bash usage
exit 0
;;
'v')
OPT_VERBOSE="true"
;;
'd')
OPT_BUILD_DIR=${OPTARG}
;;
'b')
OPT_BRANCH=${OPTARG}
;;
'?')
echo "Invalid option: ${OPTARG}." >&2
/bin/bash usage
exit 1
;;
':')
echo "Missing argument for option: ${OPTARG}." >&2
/bin/bash usage
exit 1
;;
*)
echo "Unimplemented option: ${OPTKEY}." >&2
/bin/bash usage
exit 1
;;
esac
done
TRACE_DIR=$OPT_BUILD_DIR/test
if ${OPT_VERBOSE}; then
echo "Build directory = $OPT_BUILD_DIR"
echo "Trace directory = $TRACE_DIR"
echo "Custom branch = $OPT_BRANCH"
fi
mkdir -p "$TRACE_DIR"
download_trace_files
prepare_multiplex_file
if ! ${OPT_ONLY_PREPARE}; then
run_tests
exit $TEST_RC
fi
run_tests
exit $TEST_RC

5
test/trace_files/CMakeLists.txt
View File

@@ -1,6 +1,5 @@
add_subdirectory(k8s_audit)
add_subdirectory(psp)
# Note: list of traces is created at cmake time, not build time
file(GLOB test_trace_files
"${CMAKE_CURRENT_SOURCE_DIR}/*.scap")
@@ -12,8 +11,4 @@ foreach(trace_file_path ${test_trace_files})
add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
DEPENDS ${trace_file_path})
list(APPEND BASE_SCAP_TRACE_FILES_TARGETS test-trace-${trace_file})
endforeach()
add_custom_target(trace-files-base-scap ALL)
add_dependencies(trace-files-base-scap ${BASE_SCAP_TRACE_FILES_TARGETS})

4
test/trace_files/k8s_audit/CMakeLists.txt
View File

@@ -9,8 +9,4 @@ foreach(trace_file_path ${test_trace_files})
add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
DEPENDS ${trace_file_path})
list(APPEND K8S_AUDIT_TRACE_FILES_TARGETS test-trace-${trace_file})
endforeach()
add_custom_target(trace-files-k8s-audit ALL)
add_dependencies(trace-files-k8s-audit ${K8S_AUDIT_TRACE_FILES_TARGETS})

4
test/trace_files/psp/CMakeLists.txt
View File

@@ -10,8 +10,4 @@ foreach(trace_file_path ${test_trace_files})
add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
DEPENDS ${trace_file_path})
list(APPEND PSP_TRACE_FILES_TARGETS test-trace-${trace_file})
endforeach()
add_custom_target(trace-files-psp ALL)
add_dependencies(trace-files-psp ${PSP_TRACE_FILES_TARGETS})

32
test/usage
View File

@@ -1,32 +0,0 @@
#!/usr/bin/env bash
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
cat <<EOF
Hello, this is Falco integration tests runner.
SYNOPSIS
bash run_regression_tests.sh [-h] [-v] [-p] [-d=<build directory>] [-b=<custom branch>]
DESCRIPTION
-h Display usage instructions
-v Verbose output
-p Prepare the falco_traces integration test suite
-b=CUSTOM_BRANCH Specify a custom branch for downloading falco_traces fixtures (defaults to "none")
-d=BUILD_DIRECTORY Specify the build directory where Falco has been built (defaults to $SCRIPTDIR/../build)
EOF

8
tests/CMakeLists.txt
View File

@@ -14,9 +14,9 @@
# License for the specific language governing permissions and limitations under
# the License.
#
set(FALCO_TESTS_SOURCES test_base.cpp engine/test_token_bucket.cpp engine/test_rulesets.cpp engine/test_falco_utils.cpp falco/test_webserver.cpp)
set(FALCO_TESTS_SOURCES test_base.cpp engine/test_token_bucket.cpp falco/test_webserver.cpp engine/test_rulesets.cpp profiler/test_profiler.cpp)
set(FALCO_TESTED_LIBRARIES falco_engine)
set(FALCO_TESTED_LIBRARIES falco_engine falco_profiler)
SET(FALCO_TESTS_ARGUMENTS "" CACHE STRING "Test arguments to pass to the Falco test suite")
@@ -43,12 +43,12 @@ if(FALCO_BUILD_TESTS)
"${YAMLCPP_INCLUDE_DIR}"
"${CIVETWEB_INCLUDE_DIR}"
"${PROJECT_SOURCE_DIR}/userspace/falco")
add_dependencies(falco_test catch2)
add_dependencies(falco_test catch2 hedley)
include(CMakeParseArguments)
include(CTest)
include(Catch)
catch_discover_tests(falco_test)
separate_arguments(FALCO_TESTS_ARGUMENTS)
add_custom_target(tests COMMAND ${CMAKE_CTEST_COMMAND} ${FALCO_TESTS_ARGUMENTS} DEPENDS falco_test)
add_custom_target(tests COMMAND ${CMAKE_CTEST_COMMAND} ${FALCO_TESTS_ARGUMENTS} DEPENDS falco_test flatbuffer_profiler)
endif()

53
tests/engine/test_falco_utils.cpp
View File

@@ -1,53 +0,0 @@
/*
Copyright (C) 2020 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#include "falco_utils.h"
#include <nonstd/string_view.hpp>
#include <catch.hpp>
TEST_CASE("is_unix_scheme matches", "[utils]")
{
SECTION("rvalue")
{
bool res = falco::utils::network::is_unix_scheme("unix:///var/run/falco.sock");
REQUIRE(res);
}
SECTION("std::string")
{
std::string url("unix:///var/run/falco.sock");
bool res = falco::utils::network::is_unix_scheme(url);
REQUIRE(res);
}
SECTION("char[]")
{
char url[] = "unix:///var/run/falco.sock";
bool res = falco::utils::network::is_unix_scheme(url);
REQUIRE(res);
}
}
TEST_CASE("is_unix_scheme does not match", "[utils]")
{
bool res = falco::utils::network::is_unix_scheme("something:///var/run/falco.sock");
REQUIRE_FALSE(res);
}
TEST_CASE("is_unix_scheme only matches scheme at the start of the string", "[utils]")
{
bool res = falco::utils::network::is_unix_scheme("/var/run/unix:///falco.sock");
REQUIRE_FALSE(res);
}

353
tests/profiler/test_profiler.cpp Normal file
View File

@@ -0,0 +1,353 @@
/*
Copyright (C) 2020 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#include "profiler.h"
#include <catch.hpp>
#include <thread>
#include <chrono>
#include <algorithm>
#include <hedley.h>
#include <cstdlib>
#include <iostream>
#include <thread>
#include <flatbuffers/flatbuffers.h>
#include "profile_generated.h"
// void profile_recurse(int times)
// {
// PROFILEME();
// for(int i = 1; i < times; i++)
// {
// profile_recurse(1);
// }
// }
void profiler_sleep_1sec()
{
PROFILEME();
std::this_thread::sleep_for(std::chrono::seconds(1));
}
void profiler_sleep_2sec()
{
PROFILEME();
profiler_sleep_1sec();
std::this_thread::sleep_for(std::chrono::seconds(1));
}
TEST_CASE("profiler stores labels and chunks", "[profiler]")
{
SECTION("profiler needs to be allocated before usage")
{
profiler::alloc_chunk();
REQUIRE(profiler::chunks.size() == 1);
REQUIRE(profiler::labels.empty());
}
SECTION("calling a profiled function results in labels and chunks increase")
{
profiler_sleep_1sec();
REQUIRE(profiler::labels.size() == 1);
REQUIRE(profiler::chunks.size() == 1);
}
SECTION("calling just another profiled function that calls the one previously called should only increase labels by one")
{
profiler_sleep_2sec();
REQUIRE(profiler::labels.size() == 2);
REQUIRE(profiler::chunks.size() == 1);
}
SECTION("clean")
{
profiler::labels.clear();
profiler::chunks.clear();
REQUIRE(profiler::labels.empty());
REQUIRE(profiler::chunks.empty());
}
}
void bb()
{
PROFILEME();
std::this_thread::sleep_for(std::chrono::microseconds(1));
}
void aa()
{
PROFILEME();
bb();
std::this_thread::sleep_for(std::chrono::microseconds(1));
}
void aa_threaded()
{
profiler::alloc_chunk();
PROFILEME();
std::this_thread::sleep_for(std::chrono::microseconds(1));
}
void cc()
{
PROFILEME();
std::this_thread::sleep_for(std::chrono::microseconds(1));
}
void profiler_fake_root_func()
{
PROFILEME();
aa();
std::this_thread::sleep_for(std::chrono::microseconds(1));
bb();
std::this_thread::sleep_for(std::chrono::microseconds(1));
cc();
std::this_thread::sleep_for(std::chrono::microseconds(1));
aa();
}
TEST_CASE("profiler computes parents (single chunk)", "[profiler]")
{
profiler::alloc_chunk();
profiler_fake_root_func();
REQUIRE(profiler::labels.size() == 4);
REQUIRE(profiler::chunks.size() == 1);
REQUIRE(profiler::chunks[0].begin[5] == 0); // profiler_fake_root_func is root (parent = 0)
auto predicate = [](int x) {
return [=](const profiler::label &l) {
return l.label == profiler::chunks[0].begin[x];
};
};
// Ctor ordering:
// profile_fake_root
// AA1
// BB1
// BB2
// CC1
// AA2
// BB3
// Dtor ordering:
// BB1
// AA1
// BB2
// CC1
// BB3
// AA2
// profile_fake_root
auto root = std::find_if(std::begin(profiler::labels), std::end(profiler::labels), predicate(0));
REQUIRE(root->func == "profiler_fake_root_func"); // function name is "profiler_fake_root_func"
REQUIRE(profiler::chunks[0].begin[5 + CHUNK_ELEMENTS] == root->label); // aa (call aa1) has parent "profiler_fake_root_func"
{
auto it = std::find_if(std::begin(profiler::labels), std::end(profiler::labels), predicate(CHUNK_ELEMENTS));
REQUIRE(it->func == "aa"); // function name is "aa" (call aa1)
REQUIRE(profiler::chunks[0].begin[5 + (2 * CHUNK_ELEMENTS)] == it->label); // bb (call bb1) has parent "aa" (call aa1)
}
{
auto it = std::find_if(std::begin(profiler::labels), std::end(profiler::labels), predicate(2 * CHUNK_ELEMENTS));
REQUIRE(it->func == "bb"); // function name is "bb" (call bb1)
REQUIRE(profiler::chunks[0].begin[5 + (3 * CHUNK_ELEMENTS)] == root->label); // bb (call bb2) has parent "profiler_fake_root_func"
}
{
auto it = std::find_if(std::begin(profiler::labels), std::end(profiler::labels), predicate(3 * CHUNK_ELEMENTS));
REQUIRE(it->func == "bb"); // function name is "bb" (call bb2)
REQUIRE(profiler::chunks[0].begin[5 + (4 * CHUNK_ELEMENTS)] == root->label); // cc (call cc1) has parent "profiler_fake_root_func"
}
{
auto it = std::find_if(std::begin(profiler::labels), std::end(profiler::labels), predicate(4 * CHUNK_ELEMENTS));
REQUIRE(it->func == "cc"); // function name is "cc" (call cc1)
REQUIRE(profiler::chunks[0].begin[5 + (5 * CHUNK_ELEMENTS)] == root->label); // aa (call aa2) has parent "profiler_fake_root_func"
}
{
auto it = std::find_if(std::begin(profiler::labels), std::end(profiler::labels), predicate(5 * CHUNK_ELEMENTS));
REQUIRE(it->func == "aa"); // function name is "aa" (call aa2)
REQUIRE(profiler::chunks[0].begin[5 + (6 * CHUNK_ELEMENTS)] == it->label); // bb (call bb3) has parent "aa" (call aa2)
}
{
auto it = std::find_if(std::begin(profiler::labels), std::end(profiler::labels), predicate(6 * CHUNK_ELEMENTS));
REQUIRE(it->func == "bb"); // function name is "bb" (call bb3)
}
for(std::vector<int>::size_type j = 0; j != profiler::chunks.size(); j++)
{
auto *c = profiler::chunks[j].begin;
for(int i = 0; i < CHUNK_SIZE; i += CHUNK_ELEMENTS)
{
if(c[i] == 0)
{
break;
}
auto parent = c[i + 5];
auto e = ((unsigned long long)c[i + 4]) | (((unsigned long long)c[i + 3]) << 32);
auto s = ((unsigned long long)c[i + 2]) | (((unsigned long long)c[i + 1]) << 32);
char b[1024];
if(i == 0)
{
sprintf(b, "#;idx;parent ;function ;clocks");
std::cout << std::string(b) << std::endl;
}
sprintf(b, "%ld;%03d;%010u;%u;%lld", j, i, parent, c[i], e - s);
std::cout << std::string(b) << std::endl;
}
}
profiler::labels.clear();
profiler::chunks.clear();
REQUIRE(profiler::labels.empty());
REQUIRE(profiler::chunks.empty());
}
// TEST_CASE("profile computes recursive parents (more chunks)", "[profiler]")
// {
// alloc_chunk();
// REQUIRE(chunks.size() == 1);
// size_t expected_chunks = 2;
// int how_many_times = (CHUNK_SIZE / CHUNK_ELEMENTS) * HEDLEY_STATIC_CAST(int, expected_chunks);
// profile_recurse(how_many_times);
// REQUIRE(labels.size() == 1);
// REQUIRE(chunks.size() == expected_chunks + 1);
// for(std::vector<int>::size_type j = 0; j != chunks.size(); j++)
// {
// auto *c = chunks[j].begin;
// for(int i = 0; i < CHUNK_SIZE; i++)
// {
// char b[1024];
// sprintf(b, "%ld - %03d: %u", j, i, c[i]);
// std::cout << std::string(b) << std::endl;
// }
// }
// labels.clear();
// chunks.clear();
// REQUIRE(labels.empty());
// REQUIRE(chunks.empty());
// }
TEST_CASE("profiler flatbuffer serialization deserialization", "[profiler]")
{
flatbuffers::FlatBufferBuilder builder;
auto node_one = profiler::CreateNodeDirect(
builder,
"do_init",
"falco_engine.cpp",
345,
500);
auto node_two_one = profiler::CreateNodeDirect(
builder,
"do_match2",
"ruleset.cpp",
690,
100);
std::vector<flatbuffers::Offset<profiler::Node>> third_level;
third_level.push_back(node_two_one);
auto node_two = profiler::CreateNodeDirect(
builder,
"do_match",
"ruleset.cpp",
678,
250,
&third_level);
std::vector<flatbuffers::Offset<profiler::Node>> second_level;
second_level.push_back(node_one);
second_level.push_back(node_two);
auto root = profiler::CreateNodeDirect(
builder,
"main",
"falco.cpp",
123,
750,
&second_level);
profiler::FinishNodeBuffer(builder, root);
SECTION("binary output has identifier")
{
REQUIRE(profiler::NodeBufferHasIdentifier(builder.GetBufferPointer()) == true);
}
SECTION("deserialization")
{
auto node = profiler::GetNode(builder.GetBufferPointer());
REQUIRE(node->cycles() == 750);
REQUIRE(node->line() == 123);
REQUIRE(node->func()->str() == "main");
REQUIRE(node->file()->str() == "falco.cpp");
REQUIRE(node->childs() != nullptr);
REQUIRE(node->childs()->size() == 2);
REQUIRE(node->childs()->Get(0) == flatbuffers::GetTemporaryPointer(builder, node_one));
REQUIRE(node->childs()->Get(1) == flatbuffers::GetTemporaryPointer(builder, node_two));
auto expect_one = node->childs()->Get(0);
REQUIRE(expect_one->cycles() == 500);
REQUIRE(expect_one->line() == 345);
REQUIRE(expect_one->func()->str() == "do_init");
REQUIRE(expect_one->file()->str() == "falco_engine.cpp");
REQUIRE(expect_one->childs() == nullptr);
auto expect_two = node->childs()->Get(1);
REQUIRE(expect_two->cycles() == 250);
REQUIRE(expect_two->line() == 678);
REQUIRE(expect_two->func()->str() == "do_match");
REQUIRE(expect_two->file()->str() == "ruleset.cpp");
REQUIRE(expect_two->childs() != nullptr);
REQUIRE(expect_two->childs()->size() == 1);
REQUIRE(expect_two->childs()->Get(0) == flatbuffers::GetTemporaryPointer(builder, node_two_one));
auto expect_two_one = expect_two->childs()->Get(0);
REQUIRE(expect_two_one->cycles() == 100);
REQUIRE(expect_two_one->line() == 690);
REQUIRE(expect_two_one->func()->str() == "do_match2");
REQUIRE(expect_two_one->file()->str() == "ruleset.cpp");
REQUIRE(expect_two_one->childs() == nullptr);
}
}
void profile_fake_root_launching_threads()
{
PROFILEME();
std::thread ta(aa_threaded);
std::this_thread::sleep_for(std::chrono::microseconds(1));
bb();
ta.join();
}
TEST_CASE("profiler multi threading", "[profiler]")
{
profiler::alloc_chunk();
REQUIRE(profiler::chunks.size() == 1);
profile_fake_root_launching_threads();
}

7
userspace/engine/CMakeLists.txt
View File

@@ -21,11 +21,7 @@ set(FALCO_ENGINE_SOURCE_FILES
formats.cpp)
add_library(falco_engine STATIC ${FALCO_ENGINE_SOURCE_FILES})
add_dependencies(falco_engine njson lyaml lpeg string-view-lite)
if(USE_BUNDLED_DEPS)
add_dependencies(falco_engine libyaml)
endif()
add_dependencies(falco_engine njson lyaml lpeg)
target_include_directories(
falco_engine
@@ -34,7 +30,6 @@ target_include_directories(
"${NJSON_INCLUDE}"
"${CURL_INCLUDE_DIR}"
"${TBB_INCLUDE_DIR}"
"${STRING_VIEW_LITE_INCLUDE}"
"${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp"
"${SYSDIG_SOURCE_DIR}/userspace/libscap"
"${SYSDIG_SOURCE_DIR}/userspace/libsinsp"

4
userspace/engine/falco_engine_version.h
View File

@@ -16,9 +16,9 @@ limitations under the License.
// The version of rules/filter fields/etc supported by this falco
// engine.
#define FALCO_ENGINE_VERSION (6)
#define FALCO_ENGINE_VERSION (5)
// This is the result of running "falco --list -N | sha256sum" and
// represents the fields supported by this version of falco. It's used
// at build time to detect a changed set of fields.
#define FALCO_FIELDS_CHECKSUM "2f324e2e66d4b423f53600e7e0fcf2f0ff72e4a87755c490f2ae8f310aba9386"
#define FALCO_FIELDS_CHECKSUM "ca9e75fa41fe4480cdfad8cf275cdbbc334e656569f070c066d87cbd2955c1ae"

33
userspace/engine/falco_utils.cpp
View File

@@ -16,7 +16,6 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
#include <cstring>
#include "falco_utils.h"
#include "banned.h" // This raises a compilation error when certain functions are used
@@ -27,7 +26,7 @@ namespace falco
namespace utils
{
std::string wrap_text(const std::string& str, uint32_t initial_pos, uint32_t indent, uint32_t line_len)
std::string wrap_text(const std::string &str, uint32_t initial_pos, uint32_t indent, uint32_t line_len)
{
std::string ret;
@@ -52,34 +51,6 @@ std::string wrap_text(const std::string& str, uint32_t initial_pos, uint32_t ind
return ret;
}
uint32_t hardware_concurrency()
{
auto hc = std::thread::hardware_concurrency();
return hc ? hc : 1;
}
void readfile(const std::string& filename, std::string& data)
{
std::ifstream file(filename.c_str(), std::ios::in);
if(file.is_open())
{
std::stringstream ss;
ss << file.rdbuf();
file.close();
data = ss.str();
}
return;
}
namespace network
{
bool is_unix_scheme(nonstd::string_view url)
{
return url.starts_with(UNIX_SCHEME);
}
} // namespace network
} // namespace utils
} // namespace falco

17
userspace/engine/falco_utils.h
View File

@@ -17,12 +17,7 @@ limitations under the License.
*/
#include <sstream>
#include <fstream>
#include <iostream>
#include <string>
#include <thread>
#include <nonstd/string_view.hpp>
#pragma once
@@ -32,16 +27,8 @@ namespace falco
namespace utils
{
std::string wrap_text(const std::string& str, uint32_t initial_pos, uint32_t indent, uint32_t line_len);
std::string wrap_text(const std::string &str, uint32_t initial_pos, uint32_t indent, uint32_t line_len);
void readfile(const std::string& filename, std::string& data);
uint32_t hardware_concurrency();
namespace network
{
static const std::string UNIX_SCHEME("unix://");
bool is_unix_scheme(nonstd::string_view url);
} // namespace network
} // namespace utils
} // namespace falco

2
userspace/engine/json_evt.cpp
View File

@@ -45,7 +45,7 @@ const json &json_event::jevt()
return m_jevt;
}
uint64_t json_event::get_ts() const
uint64_t json_event::get_ts()
{
return m_event_ts;
}

6
userspace/engine/json_evt.h
View File

@@ -38,14 +38,14 @@ public:
void set_jevt(nlohmann::json &evt, uint64_t ts);
const nlohmann::json &jevt();
uint64_t get_ts() const;
uint64_t get_ts();
inline uint16_t get_source() const
inline uint16_t get_source()
{
return ESRC_K8S_AUDIT;
}
inline uint16_t get_type() const
inline uint16_t get_type()
{
// All k8s audit events have the single tag "1". - see falco_engine::process_k8s_audit_event
return 1;

30
userspace/falco/CMakeLists.txt
View File

@@ -19,24 +19,23 @@ add_custom_command(
${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.h
${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
${CMAKE_CURRENT_BINARY_DIR}/version.pb.h
${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.h
${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.h
${CMAKE_CURRENT_BINARY_DIR}/output.grpc.pb.cc
${CMAKE_CURRENT_BINARY_DIR}/output.grpc.pb.h
${CMAKE_CURRENT_BINARY_DIR}/output.pb.cc
${CMAKE_CURRENT_BINARY_DIR}/output.pb.h
${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
${CMAKE_CURRENT_BINARY_DIR}/schema.pb.h
COMMENT "Generate gRPC API"
# Falco gRPC Version API
COMMENT "Generate gRPC version API"
DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
${CMAKE_CURRENT_SOURCE_DIR}/version.proto
# Falco gRPC Outputs API
DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
COMMENT "Generate gRPC outputs API"
DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/output.proto
COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/output.proto
${CMAKE_CURRENT_SOURCE_DIR}/schema.proto
COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
${CMAKE_CURRENT_SOURCE_DIR}/output.proto
WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR})
add_executable(
@@ -53,13 +52,14 @@ add_executable(
grpc_server_impl.cpp
grpc_request_context.cpp
grpc_server.cpp
utils.cpp
${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
${CMAKE_CURRENT_BINARY_DIR}/output.grpc.pb.cc
${CMAKE_CURRENT_BINARY_DIR}/output.pb.cc
${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc)
add_dependencies(falco civetweb string-view-lite)
add_dependencies(falco civetweb)
if(USE_BUNDLED_DEPS)
add_dependencies(falco yamlcpp)
@@ -69,10 +69,11 @@ target_include_directories(
falco
PUBLIC
"${SYSDIG_SOURCE_DIR}/userspace/sysdig"
"${HEDLEY_INCLUDE}"
"${PROJECT_SOURCE_DIR}/userspace/profiler"
"${PROJECT_SOURCE_DIR}/userspace/engine"
"${PROJECT_BINARY_DIR}/userspace/falco"
"${PROJECT_BINARY_DIR}/driver/src"
"${STRING_VIEW_LITE_INCLUDE}"
"${YAMLCPP_INCLUDE_DIR}"
"${CIVETWEB_INCLUDE_DIR}"
"${GRPC_INCLUDE}"
@@ -85,6 +86,7 @@ target_link_libraries(
falco
falco_engine
sinsp
falco_profiler
"${GPR_LIB}"
"${GRPC_LIB}"
"${GRPCPP_LIB}"

18
userspace/falco/configuration.cpp
View File

@@ -1,5 +1,5 @@
/*
Copyright (C) 2020 The Falco Authors.
Copyright (C) 2019 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -20,7 +20,6 @@ limitations under the License.
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include "falco_utils.h"
#include "configuration.h"
#include "logger.h"
@@ -33,7 +32,7 @@ falco_configuration::falco_configuration():
m_time_format_iso_8601(false),
m_webserver_enabled(false),
m_webserver_listen_port(8765),
m_webserver_k8s_audit_endpoint("/k8s-audit"),
m_webserver_k8s_audit_endpoint("/k8s_audit"),
m_webserver_ssl_enabled(false),
m_config(NULL)
{
@@ -149,12 +148,11 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
m_grpc_enabled = m_config->get_scalar<bool>("grpc", "enabled", false);
m_grpc_bind_address = m_config->get_scalar<string>("grpc", "bind_address", "0.0.0.0:5060");
m_grpc_threadiness = m_config->get_scalar<uint32_t>("grpc", "threadiness", 0);
m_grpc_threadiness = m_config->get_scalar<uint32_t>("grpc", "threadiness", 8); // todo > limit it to avoid overshubscription? std::thread::hardware_concurrency()
if(m_grpc_threadiness == 0)
{
m_grpc_threadiness = falco::utils::hardware_concurrency();
throw logic_error("error reading config file (" + m_config_file +"): gRPC threadiness must be greater than 0");
}
// todo > else limit threadiness to avoid oversubscription?
m_grpc_private_key = m_config->get_scalar<string>("grpc", "private_key", "/etc/falco/certs/server.key");
m_grpc_cert_chain = m_config->get_scalar<string>("grpc", "cert_chain", "/etc/falco/certs/server.crt");
m_grpc_root_certs = m_config->get_scalar<string>("grpc", "root_certs", "/etc/falco/certs/ca.crt");
@@ -172,9 +170,9 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
throw logic_error("Error reading config file (" + m_config_file + "): No outputs configured. Please configure at least one output file output enabled but no filename in configuration block");
}
m_log_level = m_config->get_scalar<string>("log_level", "info");
string log_level = m_config->get_scalar<string>("log_level", "info");
falco_logger::set_level(m_log_level);
falco_logger::set_level(log_level);
m_notifications_rate = m_config->get_scalar<uint32_t>("outputs", "rate", 1);
m_notifications_max_burst = m_config->get_scalar<uint32_t>("outputs", "max_burst", 1000);
@@ -200,7 +198,7 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
m_webserver_enabled = m_config->get_scalar<bool>("webserver", "enabled", false);
m_webserver_listen_port = m_config->get_scalar<uint32_t>("webserver", "listen_port", 8765);
m_webserver_k8s_audit_endpoint = m_config->get_scalar<string>("webserver", "k8s_audit_endpoint", "/k8s-audit");
m_webserver_k8s_audit_endpoint = m_config->get_scalar<string>("webserver", "k8s_audit_endpoint", "/k8s_audit");
m_webserver_ssl_enabled = m_config->get_scalar<bool>("webserver", "ssl_enabled", false);
m_webserver_ssl_certificate = m_config->get_scalar<string>("webserver", "ssl_certificate", "/etc/falco/falco.pem");
@@ -346,4 +344,4 @@ void falco_configuration::set_cmdline_option(const string &opt)
{
m_config->set_scalar(keyval.first, keyval.second);
}
}
}

3
userspace/falco/configuration.h
View File

@@ -195,7 +195,6 @@ public:
std::list<std::string> m_rules_filenames;
bool m_json_output;
bool m_json_include_output_property;
std::string m_log_level;
std::vector<falco_outputs::output_config> m_outputs;
uint32_t m_notifications_rate;
uint32_t m_notifications_max_burst;
@@ -206,7 +205,7 @@ public:
bool m_time_format_iso_8601;
bool m_grpc_enabled;
uint32_t m_grpc_threadiness;
int m_grpc_threadiness;
std::string m_grpc_bind_address;
std::string m_grpc_private_key;
std::string m_grpc_cert_chain;

74
userspace/falco/falco.cpp
View File

@@ -45,6 +45,7 @@ limitations under the License.
#include "statsfilewriter.h"
#include "webserver.h"
#include "grpc_server.h"
#include "profiler.h"
#include "banned.h" // This raises a compilation error when certain functions are used
typedef function<void(sinsp* inspector)> open_t;
@@ -140,9 +141,9 @@ static void usage()
" -P, --pidfile <pid_file> When run as a daemon, write pid to specified file\n"
" -r <rules_file> Rules file/directory (defaults to value set in configuration file, or /etc/falco_rules.yaml).\n"
" Can be specified multiple times to read from multiple files/directories.\n"
" -s <stats_file> If specified, append statistics related to Falco's reading/processing of events\n"
" to this file (only useful in live mode).\n"
" --stats-interval <msec> When using -s <stats_file>, write statistics every <msec> ms.\n"
" -s <stats_file> If specified, write statistics related to falco's reading/processing of events\n"
" to this file. (Only useful in live mode).\n"
" --stats_interval <msec> When using -s <stats_file>, write statistics every <msec> ms.\n"
" This uses signals, so don't recommend intervals below 200 ms.\n"
" Defaults to 5000 (5 seconds).\n"
" -S <len>, --snaplen <len>\n"
@@ -158,8 +159,6 @@ static void usage()
" This causes every single line emitted by falco to be flushed,\n"
" which generates higher CPU usage but is useful when piping those outputs\n"
" into another process or into a script.\n"
" -u, --userspace Parse events from userspace.\n"
" To be used in conjunction with the ptrace(2) based driver (pdig).\n"
" -V, --validate <rules_file> Read the contents of the specified rules(s) file and exit.\n"
" Can be specified multiple times to validate multiple files.\n"
" -v Verbose output.\n"
@@ -237,6 +236,7 @@ uint64_t do_inspect(falco_engine *engine,
bool all_events,
int &result)
{
PROFILEME();
uint64_t num_evts = 0;
int32_t rc;
sinsp_evt* ev;
@@ -445,7 +445,6 @@ int falco_init(int argc, char **argv)
set<string> disable_sources;
bool disable_syscall = false;
bool disable_k8s_audit = false;
bool userspace = false;
// Used for writing trace files
int duration_seconds = 0;
@@ -482,10 +481,9 @@ int falco_init(int argc, char **argv)
{"print-base64", no_argument, 0, 'b'},
{"print", required_argument, 0, 'p'},
{"snaplen", required_argument, 0, 'S'},
{"stats-interval", required_argument, 0},
{"stats_interval", required_argument, 0},
{"support", no_argument, 0},
{"unbuffered", no_argument, 0, 'U'},
{"userspace", no_argument, 0, 'u'},
{"validate", required_argument, 0, 'V'},
{"version", no_argument, 0, 0},
{"writefile", required_argument, 0, 'w'},
@@ -504,7 +502,7 @@ int falco_init(int argc, char **argv)
// Parse the args
//
while((op = getopt_long(argc, argv,
"hc:AbdD:e:F:ik:K:Ll:m:M:No:P:p:r:S:s:T:t:UuvV:w:",
"hc:AbdD:e:F:ik:K:Ll:m:M:No:P:p:r:S:s:T:t:UvV:w:",
long_options, &long_index)) != -1)
{
switch(op)
@@ -611,9 +609,6 @@ int falco_init(int argc, char **argv)
buffered_outputs = false;
buffered_cmdline = true;
break;
case 'u':
userspace = true;
break;
case 'v':
verbose = true;
break;
@@ -653,7 +648,7 @@ int falco_init(int argc, char **argv)
list_flds_source = optarg;
}
}
else if (string(long_options[long_index].name) == "stats-interval")
else if (string(long_options[long_index].name) == "stats_interval")
{
stats_interval = atoi(optarg);
}
@@ -802,16 +797,12 @@ int falco_init(int argc, char **argv)
falco_logger::set_time_format_iso_8601(config.m_time_format_iso_8601);
// log after config init because config determines where logs go
falco_logger::log(LOG_INFO, "Falco version " + std::string(FALCO_VERSION) + " (driver version " + std::string(DRIVER_VERSION) + ")\n");
falco_logger::log(LOG_INFO, "Falco initialized with configuration file " + conf_filename + "\n");
}
else
{
config.init(cmdline_options);
falco_logger::set_time_format_iso_8601(config.m_time_format_iso_8601);
// log after config init because config determines where logs go
falco_logger::log(LOG_INFO, "Falco version " + std::string(FALCO_VERSION) + " (driver version " + std::string(DRIVER_VERSION) + ")\n");
falco_logger::log(LOG_INFO, "Falco initialized. No configuration file found, proceeding with defaults\n");
}
@@ -1102,17 +1093,7 @@ int falco_init(int argc, char **argv)
}
else
{
open_t open_cb = [&userspace](sinsp* inspector)
{
if(userspace)
{
// open_udig() is the underlying method used in the capture code to parse userspace events from the kernel.
//
// Falco uses a ptrace(2) based userspace implementation.
// Regardless of the implementation, the underlying method remains the same.
inspector->open_udig();
return;
}
open_t open_cb = [](sinsp* inspector) {
inspector->open();
};
open_t open_nodriver_cb = [](sinsp* inspector) {
@@ -1137,17 +1118,11 @@ int falco_init(int argc, char **argv)
}
catch(sinsp_exception &e)
{
// If syscall input source is enabled and not through userspace instrumentation
if (!disable_syscall && !userspace)
if(system("modprobe " PROBE_NAME " > /dev/null 2> /dev/null"))
{
// Try to insert the Falco kernel module
if(system("modprobe " PROBE_NAME " > /dev/null 2> /dev/null"))
{
falco_logger::log(LOG_ERR, "Unable to load the driver. Exiting.\n");
}
open_f(inspector);
falco_logger::log(LOG_ERR, "Unable to load the driver. Exiting.\n");
}
rethrow_exception(current_exception());
open_f(inspector);
}
}
@@ -1166,7 +1141,7 @@ int falco_init(int argc, char **argv)
duration = ((double)clock()) / CLOCKS_PER_SEC;
//
// Run k8s, if required
// run k8s, if required
//
if(k8s_api)
{
@@ -1205,7 +1180,7 @@ int falco_init(int argc, char **argv)
}
//
// Run mesos, if required
// run mesos, if required
//
if(mesos_api)
{
@@ -1230,20 +1205,12 @@ int falco_init(int argc, char **argv)
webserver.start();
}
// gRPC server
// grpc server
if(config.m_grpc_enabled)
{
falco_logger::log(LOG_INFO, "gRPC server threadiness equals to " + to_string(config.m_grpc_threadiness) + "\n");
// TODO(fntlnz,leodido): when we want to spawn multiple threads we need to have a queue per thread, or implement
// different queuing mechanisms, round robin, fanout? What we want to achieve?
grpc_server.init(
config.m_grpc_bind_address,
config.m_grpc_threadiness,
config.m_grpc_private_key,
config.m_grpc_cert_chain,
config.m_grpc_root_certs,
config.m_log_level
);
grpc_server.init(config.m_grpc_bind_address, config.m_grpc_threadiness, config.m_grpc_private_key, config.m_grpc_cert_chain, config.m_grpc_root_certs);
grpc_server_thread = std::thread([&grpc_server] {
grpc_server.run();
});
@@ -1288,14 +1255,6 @@ int falco_init(int argc, char **argv)
}
// Honor -M also when using a trace file.
// Since inspection stops as soon as all events have been consumed
// just await the given duration is reached, if needed.
if(!trace_filename.empty() && duration_to_tot>0)
{
std::this_thread::sleep_for(std::chrono::seconds(duration_to_tot));
}
inspector->close();
engine->print_stats();
sdropmgr.print_stats();
@@ -1334,6 +1293,7 @@ exit:
//
int main(int argc, char **argv)
{
alloc_chunk();
int rc;
// g_restart will cause the falco loop to exit, but we

4
userspace/falco/falco_outputs_queue.h → userspace/falco/falco_output_queue.h
View File

@@ -16,12 +16,12 @@ limitations under the License.
#pragma once
#include "outputs.pb.h"
#include "output.pb.h"
#include "tbb/concurrent_queue.h"
namespace falco
{
namespace outputs
namespace output
{
typedef tbb::concurrent_queue<response> response_cq;

7
userspace/falco/falco_outputs.cpp
View File

@@ -22,10 +22,11 @@ limitations under the License.
#include "formats.h"
#include "logger.h"
#include "falco_outputs_queue.h"
#include "falco_output_queue.h"
#include "banned.h" // This raises a compilation error when certain functions are used
using namespace std;
using namespace falco::output;
const static struct luaL_reg ll_falco_outputs [] =
{
@@ -315,7 +316,7 @@ int falco_outputs::handle_grpc(lua_State *ls)
lua_error(ls);
}
falco::outputs::response grpc_res;
response grpc_res = response();
// time
gen_event *evt = (gen_event *)lua_topointer(ls, 1);
@@ -365,7 +366,7 @@ int falco_outputs::handle_grpc(lua_State *ls)
auto host = grpc_res.mutable_hostname();
*host = (char *)lua_tostring(ls, 7);
falco::outputs::queue::get().push(grpc_res);
falco::output::queue::get().push(grpc_res);
return 1;
}

13
userspace/falco/grpc_context.h
View File

@@ -36,7 +36,7 @@ class context
{
public:
context(::grpc::ServerContext* ctx);
virtual ~context() = default;
~context() = default;
void get_metadata(std::string key, std::string& val);
@@ -50,7 +50,7 @@ class stream_context : public context
public:
stream_context(::grpc::ServerContext* ctx):
context(ctx){};
virtual ~stream_context() = default;
~stream_context() = default;
enum : char
{
@@ -61,15 +61,6 @@ public:
mutable void* m_stream = nullptr; // todo(fntlnz, leodido) > useful in the future
mutable bool m_has_more = false;
mutable bool m_is_running = true;
};
class bidi_context : public stream_context
{
public:
bidi_context(::grpc::ServerContext* ctx):
stream_context(ctx){};
virtual ~bidi_context() = default;
};
} // namespace grpc

124
userspace/falco/grpc_request_context.cpp
View File

@@ -24,12 +24,12 @@ namespace grpc
{
template<>
void request_stream_context<outputs::service, outputs::request, outputs::response>::start(server* srv)
void request_stream_context<falco::output::service, falco::output::request, falco::output::response>::start(server* srv)
{
m_state = request_context_base::REQUEST;
m_srv_ctx.reset(new ::grpc::ServerContext);
auto srvctx = m_srv_ctx.get();
m_res_writer.reset(new ::grpc::ServerAsyncWriter<outputs::response>(srvctx));
m_res_writer.reset(new ::grpc::ServerAsyncWriter<output::response>(srvctx));
m_stream_ctx.reset();
m_req.Clear();
auto cq = srv->m_completion_queue.get();
@@ -38,7 +38,7 @@ void request_stream_context<outputs::service, outputs::request, outputs::respons
}
template<>
void request_stream_context<outputs::service, outputs::request, outputs::response>::process(server* srv)
void request_stream_context<falco::output::service, falco::output::request, falco::output::response>::process(server* srv)
{
// When it is the 1st process call
if(m_state == request_context_base::REQUEST)
@@ -48,46 +48,40 @@ void request_stream_context<outputs::service, outputs::request, outputs::respons
}
// Processing
outputs::response res;
(srv->*m_process_func)(*m_stream_ctx, m_req, res); // get()
if(!m_stream_ctx->m_is_running)
{
m_state = request_context_base::FINISH;
m_res_writer->Finish(::grpc::Status::OK, this);
return;
}
output::response res;
(srv->*m_process_func)(*m_stream_ctx, m_req, res); // subscribe()
// When there are still more responses to stream
if(m_stream_ctx->m_has_more)
{
// todo(leodido) > log "write: tag=this, state=m_state"
m_res_writer->Write(res, this);
return;
}
// No more responses to stream
// Communicate to the gRPC runtime that we have finished.
// The memory address of "this" instance uniquely identifies the event.
m_state = request_context_base::FINISH;
// todo(leodido) > log "finish: tag=this, state=m_state"
m_res_writer->Finish(::grpc::Status::OK, this);
else
{
// Communicate to the gRPC runtime that we have finished.
// The memory address of "this" instance uniquely identifies the event.
m_state = request_context_base::FINISH;
// todo(leodido) > log "finish: tag=this, state=m_state"
m_res_writer->Finish(::grpc::Status::OK, this);
}
}
template<>
void request_stream_context<outputs::service, outputs::request, outputs::response>::end(server* srv, bool error)
void request_stream_context<falco::output::service, falco::output::request, falco::output::response>::end(server* srv, bool errored)
{
if(m_stream_ctx)
{
if(error)
if(errored)
{
// todo(leodido) > log error "error streaming: tag=this, state=m_state, stream=m_stream_ctx->m_stream"
}
m_stream_ctx->m_status = error ? stream_context::ERROR : stream_context::SUCCESS;
m_stream_ctx->m_status = errored ? stream_context::ERROR : stream_context::SUCCESS;
// Complete the processing
outputs::response res;
(srv->*m_process_func)(*m_stream_ctx, m_req, res); // get()
output::response res;
(srv->*m_process_func)(*m_stream_ctx, m_req, res); // subscribe()
}
else
{
@@ -104,7 +98,7 @@ void request_stream_context<outputs::service, outputs::request, outputs::respons
}
template<>
void request_context<version::service, version::request, version::response>::start(server* srv)
void falco::grpc::request_context<falco::version::service, falco::version::request, falco::version::response>::start(server* srv)
{
m_state = request_context_base::REQUEST;
m_srv_ctx.reset(new ::grpc::ServerContext);
@@ -119,7 +113,7 @@ void request_context<version::service, version::request, version::response>::sta
}
template<>
void request_context<version::service, version::request, version::response>::process(server* srv)
void falco::grpc::request_context<falco::version::service, falco::version::request, falco::version::response>::process(server* srv)
{
version::response res;
(srv->*m_process_func)(m_srv_ctx.get(), m_req, res);
@@ -131,85 +125,13 @@ void request_context<version::service, version::request, version::response>::pro
}
template<>
void request_context<version::service, version::request, version::response>::end(server* srv, bool error)
void falco::grpc::request_context<falco::version::service, falco::version::request, falco::version::response>::end(server* srv, bool errored)
{
// todo(leodido) > handle processing errors here
// Ask to start processing requests
start(srv);
}
template<>
void request_bidi_context<outputs::service, outputs::request, outputs::response>::start(server* srv)
{
m_state = request_context_base::REQUEST;
m_srv_ctx.reset(new ::grpc::ServerContext);
auto srvctx = m_srv_ctx.get();
m_reader_writer.reset(new ::grpc::ServerAsyncReaderWriter<outputs::response, outputs::request>(srvctx));
m_req.Clear();
auto cq = srv->m_completion_queue.get();
// Request to start processing given requests.
// Using "this" - ie., the memory address of this context - as the tag that uniquely identifies the request.
// In this way, different contexts can serve different requests concurrently.
(srv->m_output_svc.*m_request_func)(srvctx, m_reader_writer.get(), cq, cq, this);
};
template<>
void request_bidi_context<outputs::service, outputs::request, outputs::response>::process(server* srv)
{
switch(m_state)
{
case request_context_base::REQUEST:
m_bidi_ctx.reset(new bidi_context(m_srv_ctx.get()));
m_bidi_ctx->m_status = bidi_context::STREAMING;
m_state = request_context_base::WRITE;
m_reader_writer->Read(&m_req, this);
return;
case request_context_base::WRITE:
// Processing
{
outputs::response res;
(srv->*m_process_func)(*m_bidi_ctx, m_req, res); // sub()
if(!m_bidi_ctx->m_is_running)
{
m_state = request_context_base::FINISH;
m_reader_writer->Finish(::grpc::Status::OK, this);
return;
}
if(m_bidi_ctx->m_has_more)
{
m_state = request_context_base::WRITE;
m_reader_writer->Write(res, this);
return;
}
m_state = request_context_base::WRITE;
m_reader_writer->Read(&m_req, this);
}
return;
default:
return;
}
};
template<>
void request_bidi_context<outputs::service, outputs::request, outputs::response>::end(server* srv, bool error)
{
if(m_bidi_ctx)
{
m_bidi_ctx->m_status = error ? bidi_context::ERROR : bidi_context::SUCCESS;
// Complete the processing
outputs::response res;
(srv->*m_process_func)(*m_bidi_ctx, m_req, res); // sub()
}
// Ask to start processing requests
start(srv);
};
} // namespace grpc
} // namespace falco
} // namespace falco

36
userspace/falco/grpc_request_context.h
View File

@@ -29,8 +29,7 @@ class request_context_base
{
public:
request_context_base() = default;
// virtual to guarantee that the derived classes are destructed properly
virtual ~request_context_base() = default;
~request_context_base() = default;
std::unique_ptr<::grpc::ServerContext> m_srv_ctx;
enum : char
@@ -40,7 +39,6 @@ public:
WRITE,
FINISH
} m_state = UNKNOWN;
virtual void start(server* srv) = 0;
virtual void process(server* srv) = 0;
virtual void end(server* srv, bool isError) = 0;
@@ -65,7 +63,7 @@ public:
void start(server* srv);
void process(server* srv);
void end(server* srv, bool error);
void end(server* srv, bool isError);
private:
std::unique_ptr<::grpc::ServerAsyncWriter<Response>> m_res_writer;
@@ -92,37 +90,11 @@ public:
void start(server* srv);
void process(server* srv);
void end(server* srv, bool error);
void end(server* srv, bool isError);
private:
std::unique_ptr<::grpc::ServerAsyncResponseWriter<Response>> m_res_writer;
Request m_req;
};
template<class Service, class Request, class Response>
class request_bidi_context : public request_context_base
{
public:
request_bidi_context():
m_process_func(nullptr),
m_request_func(nullptr){};
~request_bidi_context() = default;
// Pointer to function that does actual processing
void (server::*m_process_func)(const bidi_context&, const Request&, Response&);
// Pointer to function that requests the system to start processing given requests
void (Service::AsyncService::*m_request_func)(::grpc::ServerContext*, ::grpc::ServerAsyncReaderWriter<Response, Request>*, ::grpc::CompletionQueue*, ::grpc::ServerCompletionQueue*, void*);
void start(server* srv);
void process(server* srv);
void end(server* srv, bool error);
private:
std::unique_ptr<::grpc::ServerAsyncReaderWriter<Response, Request>> m_reader_writer;
std::unique_ptr<bidi_context> m_bidi_ctx;
Request m_req;
};
} // namespace grpc
} // namespace falco
} // namespace falco

123
userspace/falco/grpc_server.cpp
View File

@@ -23,7 +23,7 @@ limitations under the License.
#include "logger.h"
#include "grpc_server.h"
#include "grpc_request_context.h"
#include "falco_utils.h"
#include "utils.h"
#include "banned.h" // This raises a compilation error when certain functions are used
#define REGISTER_STREAM(req, res, svc, rpc, impl, num) \
@@ -44,37 +44,6 @@ limitations under the License.
c.start(this); \
}
#define REGISTER_BIDI(req, res, svc, rpc, impl, num) \
std::vector<request_bidi_context<svc, req, res>> rpc##_contexts(num); \
for(request_bidi_context<svc, req, res> & c : rpc##_contexts) \
{ \
c.m_process_func = &server::impl; \
c.m_request_func = &svc::AsyncService::Request##rpc; \
c.start(this); \
}
static void gpr_log_dispatcher_func(gpr_log_func_args* args)
{
int priority;
switch(args->severity)
{
case GPR_LOG_SEVERITY_ERROR:
priority = LOG_ERR;
break;
case GPR_LOG_SEVERITY_DEBUG:
priority = LOG_DEBUG;
break;
default:
priority = LOG_INFO;
break;
}
string copy = "grpc: ";
copy.append(args->message);
copy.push_back('\n');
falco_logger::log(priority, copy);
}
void falco::grpc::server::thread_process(int thread_index)
{
void* tag = nullptr;
@@ -127,81 +96,38 @@ void falco::grpc::server::thread_process(int thread_index)
}
}
void falco::grpc::server::init(
std::string server_addr,
int threadiness,
std::string private_key,
std::string cert_chain,
std::string root_certs,
std::string log_level)
void falco::grpc::server::init(std::string server_addr, int threadiness, std::string private_key, std::string cert_chain, std::string root_certs)
{
m_server_addr = server_addr;
m_threadiness = threadiness;
m_private_key = private_key;
m_cert_chain = cert_chain;
m_root_certs = root_certs;
// Set the verbosity level of gpr logger
falco::schema::priority logging_level = falco::schema::INFORMATIONAL;
falco::schema::priority_Parse(log_level, &logging_level);
switch(logging_level)
{
case falco::schema::ERROR:
gpr_set_log_verbosity(GPR_LOG_SEVERITY_ERROR);
break;
case falco::schema::DEBUG:
gpr_set_log_verbosity(GPR_LOG_SEVERITY_DEBUG);
break;
case falco::schema::INFORMATIONAL:
default:
// note > info will always enter here since it is != from "informational"
gpr_set_log_verbosity(GPR_LOG_SEVERITY_INFO);
break;
}
gpr_log_verbosity_init();
gpr_set_log_function(gpr_log_dispatcher_func);
if(falco::utils::network::is_unix_scheme(m_server_addr))
{
init_unix_server_builder();
return;
}
init_mtls_server_builder();
}
void falco::grpc::server::init_mtls_server_builder()
{
string private_key;
string cert_chain;
string root_certs;
falco::utils::readfile(m_cert_chain, cert_chain);
falco::utils::readfile(m_private_key, private_key);
falco::utils::readfile(m_root_certs, root_certs);
::grpc::SslServerCredentialsOptions::PemKeyCertPair cert_pair{private_key, cert_chain};
::grpc::SslServerCredentialsOptions ssl_opts(GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
ssl_opts.pem_root_certs = root_certs;
ssl_opts.pem_key_cert_pairs.push_back(cert_pair);
m_server_builder.AddListeningPort(m_server_addr, ::grpc::SslServerCredentials(ssl_opts));
}
void falco::grpc::server::init_unix_server_builder()
{
m_server_builder.AddListeningPort(m_server_addr, ::grpc::InsecureServerCredentials());
}
void falco::grpc::server::run()
{
m_server_builder.RegisterService(&m_output_svc);
m_server_builder.RegisterService(&m_version_svc);
string private_key;
string cert_chain;
string root_certs;
m_completion_queue = m_server_builder.AddCompletionQueue();
m_server = m_server_builder.BuildAndStart();
if(m_server == nullptr)
{
falco_logger::log(LOG_EMERG, "Error starting gRPC server\n");
return;
}
falco::utils::read(m_cert_chain, cert_chain);
falco::utils::read(m_private_key, private_key);
falco::utils::read(m_root_certs, root_certs);
::grpc::SslServerCredentialsOptions::PemKeyCertPair cert_pair{private_key, cert_chain};
::grpc::SslServerCredentialsOptions ssl_opts(GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
ssl_opts.pem_root_certs = root_certs;
ssl_opts.pem_key_cert_pairs.push_back(cert_pair);
::grpc::ServerBuilder builder;
builder.AddListeningPort(m_server_addr, ::grpc::SslServerCredentials(ssl_opts));
builder.RegisterService(&m_output_svc);
builder.RegisterService(&m_version_svc);
m_completion_queue = builder.AddCompletionQueue();
m_server = builder.BuildAndStart();
falco_logger::log(LOG_INFO, "Starting gRPC server at " + m_server_addr + "\n");
// The number of contexts is multiple of the number of threads
@@ -211,8 +137,7 @@ void falco::grpc::server::run()
// todo(leodido) > take a look at thread_stress_test.cc into grpc repository
REGISTER_UNARY(version::request, version::response, version::service, version, version, context_num)
REGISTER_STREAM(outputs::request, outputs::response, outputs::service, get, get, context_num)
REGISTER_BIDI(outputs::request, outputs::response, outputs::service, sub, sub, context_num)
REGISTER_STREAM(output::request, output::response, output::service, subscribe, subscribe, context_num)
m_threads.resize(m_threadiness);
int thread_idx = 0;
@@ -224,7 +149,7 @@ void falco::grpc::server::run()
while(server_impl::is_running())
{
std::this_thread::sleep_for(std::chrono::milliseconds(100));
sleep(1);
}
// todo(leodido) > log "stopping gRPC server"
stop();

28
userspace/falco/grpc_server.h
View File

@@ -29,22 +29,25 @@ namespace grpc
class server : public server_impl
{
public:
server() = default;
server()
{
}
server(std::string server_addr, int threadiness, std::string private_key, std::string cert_chain, std::string root_certs):
m_server_addr(server_addr),
m_threadiness(threadiness),
m_private_key(private_key),
m_cert_chain(cert_chain),
m_root_certs(root_certs)
{
}
virtual ~server() = default;
void init(
std::string server_addr,
int threadiness,
std::string private_key,
std::string cert_chain,
std::string root_certs,
std::string log_level
);
void init(std::string server_addr, int threadiness, std::string private_key, std::string cert_chain, std::string root_certs);
void thread_process(int thread_index);
void run();
void stop();
outputs::service::AsyncService m_output_svc;
output::service::AsyncService m_output_svc;
version::service::AsyncService m_version_svc;
std::unique_ptr<::grpc::ServerCompletionQueue> m_completion_queue;
@@ -58,10 +61,7 @@ private:
std::unique_ptr<::grpc::Server> m_server;
std::vector<std::thread> m_threads;
::grpc::ServerBuilder m_server_builder;
void init_mtls_server_builder();
void init_unix_server_builder();
};
} // namespace grpc
} // namespace falco
} // namespace falco

43
userspace/falco/grpc_server_impl.cpp
View File

@@ -16,8 +16,7 @@ limitations under the License.
#include "config_falco.h"
#include "grpc_server_impl.h"
#include "falco_outputs_queue.h"
#include "logger.h"
#include "falco_output_queue.h"
#include "banned.h" // This raises a compilation error when certain functions are used
bool falco::grpc::server_impl::is_running()
@@ -29,39 +28,29 @@ bool falco::grpc::server_impl::is_running()
return true;
}
void falco::grpc::server_impl::get(const stream_context& ctx, const outputs::request& req, outputs::response& res)
void falco::grpc::server_impl::subscribe(const stream_context& ctx, const output::request& req, output::response& res)
{
if(ctx.m_status == stream_context::SUCCESS || ctx.m_status == stream_context::ERROR)
{
// todo(leodido) > log "status=ctx->m_status, stream=ctx->m_stream"
ctx.m_stream = nullptr;
return;
}
ctx.m_is_running = is_running();
// Start or continue streaming
// m_status == stream_context::STREAMING?
// todo(leodido) > set m_stream
ctx.m_has_more = outputs::queue::get().try_pop(res);
}
void falco::grpc::server_impl::sub(const bidi_context& ctx, const outputs::request& req, outputs::response& res)
{
if(ctx.m_status == stream_context::SUCCESS || ctx.m_status == stream_context::ERROR)
else
{
ctx.m_stream = nullptr;
return;
// Start or continue streaming
// todo(leodido) > check for m_status == stream_context::STREAMING?
// todo(leodido) > set m_stream
if(output::queue::get().try_pop(res) && !req.keepalive())
{
ctx.m_has_more = true;
return;
}
while(is_running() && !output::queue::get().try_pop(res) && req.keepalive())
{
}
ctx.m_has_more = !is_running() ? false : req.keepalive();
}
ctx.m_is_running = is_running();
// Start or continue streaming
// m_status == stream_context::STREAMING?
// todo(leodido) > set m_stream
ctx.m_has_more = outputs::queue::get().try_pop(res);
}
void falco::grpc::server_impl::version(const context& ctx, const version::request&, version::response& res)

7
userspace/falco/grpc_server_impl.h
View File

@@ -17,7 +17,7 @@ limitations under the License.
#pragma once
#include <atomic>
#include "outputs.grpc.pb.h"
#include "output.grpc.pb.h"
#include "version.grpc.pb.h"
#include "grpc_context.h"
@@ -36,11 +36,8 @@ public:
protected:
bool is_running();
// Outputs
void get(const stream_context& ctx, const outputs::request& req, outputs::response& res);
void sub(const bidi_context& ctx, const outputs::request& req, outputs::response& res);
void subscribe(const stream_context& ctx, const output::request& req, output::response& res);
// Version
void version(const context& ctx, const version::request& req, version::response& res);
private:

4
userspace/falco/logger.cpp
View File

@@ -134,7 +134,7 @@ void falco_logger::log(int priority, const string msg)
if(gtm != NULL &&
(strftime(buf, sizeof(buf), "%FT%T%z", gtm) != 0))
{
fprintf(stderr, "%s: %s", buf, copy.c_str());
fprintf(stderr, "%s: %s", buf, msg.c_str());
}
}
else
@@ -151,7 +151,7 @@ void falco_logger::log(int priority, const string msg)
{
tstr = "N/A";
}
fprintf(stderr, "%s: %s", tstr.c_str(), copy.c_str());
fprintf(stderr, "%s: %s", tstr.c_str(), msg.c_str());
}
}
}

2
userspace/falco/lua/output.lua
View File

@@ -18,7 +18,7 @@ local mod = {}
local outputs = {}
function mod.stdout(event, rule, source, priority, priority_num, msg, format, hostname, options)
mod.stdout_message(priority, priority_num, msg, options)
mod.stdout_message(priority, priority_num, msg, outputs)
end
function mod.stdout_message(priority, priority_num, msg, options)

40
userspace/falco/output.proto Normal file
View File

@@ -0,0 +1,40 @@
syntax = "proto3";
import "google/protobuf/timestamp.proto";
import "schema.proto";
package falco.output;
option go_package = "github.com/falcosecurity/client-go/pkg/api/output";
// The `subscribe` service defines the RPC call
// to perform an output `request` which will lead to obtain an output `response`.
service service {
rpc subscribe(request) returns (stream response);
}
// The `request` message is the logical representation of the request model.
// It is the input of the `subscribe` service.
// It is used to configure the kind of subscription to the gRPC streaming server.
//
// By default the request asks to the server to only receive the accumulated events.
// In case you want to wait indefinitely for new events to come set the keepalive option to true.
message request {
bool keepalive = 1;
// string duration = 2; // TODO(leodido, fntlnz): not handled yet but keeping for reference.
// repeated string tags = 3; // TODO(leodido, fntlnz): not handled yet but keeping for reference.
}
// The `response` message is the logical representation of the output model.
// It contains all the elements that Falco emits in an output along with the
// definitions for priorities and source.
message response {
google.protobuf.Timestamp time = 1;
falco.schema.priority priority = 2;
falco.schema.source source = 3;
string rule = 4;
string output = 5;
map<string, string> output_fields = 6;
string hostname = 7;
// repeated string tags = 8; // TODO(leodido,fntlnz): tags not supported yet, keeping for reference
}

55
userspace/falco/outputs.proto
View File

@@ -1,55 +0,0 @@
/*
Copyright (C) 2020 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
syntax = "proto3";
import "google/protobuf/timestamp.proto";
import "schema.proto";
package falco.outputs;
option go_package = "github.com/falcosecurity/client-go/pkg/api/outputs";
// This service defines the RPC methods
// to `request` a stream of output `response`s.
service service {
// Subscribe to a stream of Falco outputs by sending a stream of requests.
rpc sub(stream request) returns (stream response);
// Get all the Falco outputs present in the system up to this call.
rpc get(request) returns (stream response);
}
// The `request` message is the logical representation of the request model.
// It is the input of the `output.service` service.
message request {
// TODO(leodido,fntlnz): tags not supported yet, keeping it for reference.
// repeated string tags = 1;
}
// The `response` message is the representation of the output model.
// It contains all the elements that Falco emits in an output along with the
// definitions for priorities and source.
message response {
google.protobuf.Timestamp time = 1;
falco.schema.priority priority = 2;
falco.schema.source source = 3;
string rule = 4;
string output = 5;
map<string, string> output_fields = 6;
string hostname = 7;
// TODO(leodido,fntlnz): tags not supported yet, keeping it for reference.
// repeated string tags = 8;
}

16
userspace/falco/schema.proto
View File

@@ -1,19 +1,3 @@
/*
Copyright (C) 2020 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
syntax = "proto3";
package falco.schema;

4
userspace/falco/statsfilewriter.cpp
View File

@@ -58,8 +58,8 @@ bool StatsFileWriter::init(sinsp *inspector, string &filename, uint32_t interval
return false;
}
timer.it_value.tv_sec = interval_msec / 1000;
timer.it_value.tv_usec = (interval_msec % 1000) * 1000;
timer.it_value.tv_sec = 0;
timer.it_value.tv_usec = interval_msec * 1000;
timer.it_interval = timer.it_value;
if (setitimer(ITIMER_REAL, &timer, NULL) == -1)
{

35
userspace/falco/utils.cpp Normal file
View File

@@ -0,0 +1,35 @@
/*
Copyright (C) 2019 The Falco Authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#include "utils.h"
#include "banned.h" // This raises a compilation error when certain functions are used
void falco::utils::read(const std::string& filename, std::string& data)
{
std::ifstream file(filename.c_str(), std::ios::in);
if(file.is_open())
{
std::stringstream ss;
ss << file.rdbuf();
file.close();
data = ss.str();
}
return;
}

30
userspace/falco/utils.h Normal file
View File

@@ -0,0 +1,30 @@
/*
Copyright (C) 2019 The Falco Authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#pragma once
#include <sstream>
#include <fstream>
#include <iostream>
#include <string>
namespace falco
{
namespace utils
{
void read(const std::string& filename, std::string& data);
} // namespace utils
} // namespace falco

16
userspace/falco/version.proto
View File

@@ -1,19 +1,3 @@
/*
Copyright (C) 2020 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
syntax = "proto3";
package falco.version;

19
userspace/profiler/CMakeLists.txt Normal file
View File

@@ -0,0 +1,19 @@
#
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
add_library(falco_profiler INTERFACE)
target_include_directories(falco_profiler INTERFACE "${HEDLEY_INCLUDE}" "${FLATBUFFER_INCLUDE_DIR}"
"${CMAKE_CURRENT_BINARY_DIR}")
flatbuffers_generate_c_headers(PROFILE "profile.fbs")
add_custom_target(flatbuffer_profiler DEPENDS ${PROFILE_OUTPUTS})

14
userspace/profiler/profile.fbs Normal file
View File

@@ -0,0 +1,14 @@
namespace profiler;
file_identifier "FPRO";
file_extension "fpro";
table Node {
func:string;
file:string;
line:int;
cycles:uint64;
childs:[Node];
}
root_type Node;

172
userspace/profiler/profiler.h Normal file
View File

@@ -0,0 +1,172 @@
/*
Copyright (C) 2020 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#pragma once
#include <cstdint>
#include <thread>
#include <vector>
#include <mutex>
#include <memory>
#include <hedley.h>
namespace profiler
{
#define CHUNK_ELEMENTS 7
#define CHUNK_SIZE ((1 << 20) * CHUNK_ELEMENTS) // 20 MiB = 5242880 * sizeof(uint32_t)
#define LABEL_MASK 0x80000000 // Largest positive int32 + 1
struct cursor
{
uint32_t* current;
uint32_t* end;
};
struct chunk
{
uint32_t* begin;
uint32_t* end;
std::thread::id thread;
};
struct label
{
uint32_t label;
std::string file;
std::string func;
int line;
};
thread_local cursor c;
std::vector<label> labels;
std::vector<chunk> chunks;
size_t nchunks;
std::mutex mu;
HEDLEY_NEVER_INLINE void alloc_chunk()
{
auto d = new uint32_t[CHUNK_SIZE];
c.current = d;
c.end = d + CHUNK_SIZE;
mu.lock();
chunks.push_back({d, d + CHUNK_SIZE, std::this_thread::get_id()});
nchunks += 1;
mu.unlock();
}
HEDLEY_NEVER_INLINE uint32_t create_label(char const* file, int line, char const* func)
{
label l;
l.label = labels.size() | LABEL_MASK;
l.file = file;
l.func = func;
l.line = line;
mu.lock();
labels.push_back(l);
mu.unlock();
return l.label;
}
struct profile
{
uint32_t* data;
int n;
int epochs; // (max) depth at the moment of execution
explicit profile(uint32_t label)
{
data = c.current;
auto next = data + CHUNK_ELEMENTS;
n = nchunks;
epochs = (next - chunks[n - 1].begin) / CHUNK_ELEMENTS; // (next - start) / data size
if(HEDLEY_LIKELY(next != c.end))
c.current = next; // adds 28 bytes
else
alloc_chunk(); // note: changes `c` values (current and end)
data[0] = label;
data[5] = 0; // unknown parent
data[6] = 0; // mark current instance as init
unsigned int lo, hi;
__asm__ __volatile__("rdtsc"
: "=a"(lo), "=d"(hi));
data[1] = hi;
data[2] = lo;
}
~profile()
{
unsigned int lo, hi;
__asm__ __volatile__("rdtsc"
: "=a"(lo), "=d"(hi));
data[3] = hi;
data[4] = lo;
if(HEDLEY_LIKELY(epochs > 1))
{
for(int i = 0; i < epochs - 1; i++)
{
// Check whether the i-th destructor before this has been called (>0) or not (0)
if(data[-1 - (i * CHUNK_ELEMENTS)] == 0)
{
// The head of the first destructor which has not been called yet is the parent of the current one
data[5] = data[-((i + 1) * CHUNK_ELEMENTS)];
break;
}
}
}
else if(n > 1)
{
// TODO: make it span across more chunks (until n - 2 == 0)
uint32_t* cdata = chunks[n - 2].end;
for(int i = 0; i < (CHUNK_SIZE / CHUNK_ELEMENTS); i++)
{
if(cdata[-1 - (i * CHUNK_ELEMENTS)] == 0)
{
data[5] = cdata[-((i + 1) * CHUNK_ELEMENTS)];
break;
}
}
}
if(n > 1 && data[5] == 0)
{
// TODO: same as above
// TODO: make it span across more chunks (until n - 2 == 0)
uint32_t* cdata = chunks[n - 2].end;
for(int i = 0; i < (CHUNK_SIZE / CHUNK_ELEMENTS); i++)
{
if(cdata[-1 - (i * CHUNK_ELEMENTS)] == 0)
{
data[5] = cdata[-((i + 1) * CHUNK_ELEMENTS)];
break;
}
}
}
data[6] = n; // mark current instance as done storing the chunk index (+ 1)
}
};
#define PROFILE_VARIABLE_IMPL(arg1, arg2) arg1##arg2
#define PROFILE_VARIABLE(arg1, arg2) PROFILE_VARIABLE_IMPL(arg1, arg2)
#define PROFILEME() \
static uint32_t PROFILE_VARIABLE(_label, __LINE__) = profiler::create_label(__FILE__, __LINE__, __FUNCTION__); \
profiler::profile PROFILE_VARIABLE(_profile_, __LINE__)(PROFILE_VARIABLE(_label, __LINE__));
}; // namespace profiler