mirror of
https://github.com/falcosecurity/falco.git
synced 2026-03-24 05:32:05 +00:00
Compare commits
2 Commits
update/rem
...
0.32.2
| Author | SHA1 | Date | |
|---|---|---|---|
|
5643e2553c | ||
|
54580efaa8 |
@@ -1,2 +1,4 @@
|
||||
emeritus_approvers:
|
||||
approvers:
|
||||
- jonahjon
|
||||
reviewers:
|
||||
- jonahjon
|
||||
|
||||
@@ -316,169 +316,56 @@ jobs:
|
||||
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
|
||||
/source/falco/scripts/publish-deb -f /build/release/falco-${FALCO_VERSION}-x86_64.deb -f /build-arm64/release/falco-${FALCO_VERSION}-aarch64.deb -r deb-dev
|
||||
|
||||
"build-docker-dev":
|
||||
docker:
|
||||
- image: alpine:3.16
|
||||
steps:
|
||||
- attach_workspace:
|
||||
at: /
|
||||
- setup_remote_docker:
|
||||
version: 20.10.12
|
||||
docker_layer_caching: true
|
||||
- run:
|
||||
name: Install deps
|
||||
command: |
|
||||
apk update
|
||||
apk add make bash git docker docker-cli-buildx py3-pip
|
||||
pip install awscli
|
||||
- run:
|
||||
name: Login to registries
|
||||
command: |
|
||||
echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
|
||||
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
|
||||
- run:
|
||||
name: Build and publish no-driver-dev
|
||||
command: |
|
||||
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
|
||||
cd /source/falco
|
||||
docker buildx build --push --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} \
|
||||
-t falcosecurity/falco-no-driver:x86_64-master \
|
||||
-t falcosecurity/falco:x86_64-master-slim \
|
||||
-t public.ecr.aws/falcosecurity/falco-no-driver:x86_64-master \
|
||||
-t public.ecr.aws/falcosecurity/falco:x86_64-master-slim \
|
||||
docker/no-driver
|
||||
- run:
|
||||
name: Build and publish falco-dev
|
||||
command: |
|
||||
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
|
||||
cd /source/falco
|
||||
docker buildx build --push --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} \
|
||||
-t falcosecurity/falco:x86_64-master \
|
||||
-t public.ecr.aws/falcosecurity/falco:x86_64-master \
|
||||
docker/falco
|
||||
- run:
|
||||
name: Build and publish falco-driver-loader-dev
|
||||
command: |
|
||||
cd /source/falco
|
||||
docker buildx build --push --build-arg FALCO_IMAGE_TAG=master \
|
||||
-t falcosecurity/falco-driver-loader:x86_64-master \
|
||||
-t public.ecr.aws/falcosecurity/falco-driver-loader:x86_64-master \
|
||||
docker/driver-loader
|
||||
|
||||
"build-docker-dev-arm64":
|
||||
machine:
|
||||
enabled: true
|
||||
image: ubuntu-2004:202101-01
|
||||
docker_layer_caching: true
|
||||
resource_class: arm.medium
|
||||
steps:
|
||||
- attach_workspace:
|
||||
at: /tmp
|
||||
- run:
|
||||
name: Install deps
|
||||
command: |
|
||||
sudo apt update
|
||||
sudo apt install groff less python3-pip
|
||||
pip install awscli
|
||||
- run:
|
||||
name: Login to registries
|
||||
command: |
|
||||
echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
|
||||
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
|
||||
- run:
|
||||
name: Build and publish no-driver-dev
|
||||
command: |
|
||||
FALCO_VERSION=$(cat /tmp/build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
|
||||
cd /tmp/source-arm64/falco
|
||||
docker buildx build --push --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} \
|
||||
-t falcosecurity/falco-no-driver:aarch64-master \
|
||||
-t falcosecurity/falco:aarch64-master-slim \
|
||||
-t public.ecr.aws/falcosecurity/falco-no-driver:aarch64-master \
|
||||
-t public.ecr.aws/falcosecurity/falco:aarch64-master-slim \
|
||||
docker/no-driver
|
||||
- run:
|
||||
name: Build and publish falco-dev
|
||||
command: |
|
||||
FALCO_VERSION=$(cat /tmp/build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
|
||||
cd /tmp/source-arm64/falco
|
||||
docker buildx build --push --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} \
|
||||
-t falcosecurity/falco:aarch64-master \
|
||||
-t public.ecr.aws/falcosecurity/falco:aarch64-master \
|
||||
docker/falco
|
||||
- run:
|
||||
name: Build and publish falco-driver-loader-dev
|
||||
command: |
|
||||
cd /tmp/source-arm64/falco
|
||||
docker buildx build --push --build-arg FALCO_IMAGE_TAG=master \
|
||||
-t falcosecurity/falco-driver-loader:aarch64-master \
|
||||
-t public.ecr.aws/falcosecurity/falco-driver-loader:aarch64-master \
|
||||
docker/driver-loader
|
||||
|
||||
# Publish docker packages
|
||||
"publish-docker-dev":
|
||||
docker:
|
||||
- image: cimg/base:stable
|
||||
user: root
|
||||
steps:
|
||||
- attach_workspace:
|
||||
at: /
|
||||
- checkout
|
||||
- setup_remote_docker:
|
||||
version: 20.10.12
|
||||
- run:
|
||||
name: Install deps
|
||||
name: Prepare env
|
||||
command: |
|
||||
docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
|
||||
docker context create falco-env
|
||||
docker buildx create falco-env --driver docker-container --use
|
||||
echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
|
||||
sudo apt update
|
||||
sudo apt install groff less python3-pip
|
||||
pip install awscli
|
||||
- run:
|
||||
name: Login to registries
|
||||
name: Login to aws ECR
|
||||
command: |
|
||||
echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
|
||||
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
|
||||
- run:
|
||||
name: Upload no-driver-dev manifest to registries
|
||||
name: Build and publish no-driver-dev
|
||||
command: |
|
||||
docker manifest create falcosecurity/falco-no-driver:master \
|
||||
falcosecurity/falco-no-driver:aarch64-master \
|
||||
falcosecurity/falco-no-driver:x86_64-master
|
||||
docker manifest push falcosecurity/falco-no-driver:master
|
||||
|
||||
docker manifest create falcosecurity/falco:master-slim \
|
||||
falcosecurity/falco:aarch64-master-slim \
|
||||
falcosecurity/falco:x86_64-master-slim
|
||||
docker manifest push falcosecurity/falco:master-slim
|
||||
|
||||
docker manifest create public.ecr.aws/falcosecurity/falco-no-driver:master \
|
||||
public.ecr.aws/falcosecurity/falco-no-driver:aarch64-master \
|
||||
public.ecr.aws/falcosecurity/falco-no-driver:x86_64-master
|
||||
docker manifest push public.ecr.aws/falcosecurity/falco-no-driver:master
|
||||
|
||||
docker manifest create public.ecr.aws/falcosecurity/falco:master-slim \
|
||||
public.ecr.aws/falcosecurity/falco:aarch64-master-slim \
|
||||
public.ecr.aws/falcosecurity/falco:x86_64-master-slim
|
||||
docker manifest push public.ecr.aws/falcosecurity/falco:master-slim
|
||||
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
|
||||
docker buildx build --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} --platform "arm64,amd64" --push \
|
||||
-t falcosecurity/falco-no-driver:master \
|
||||
-t falcosecurity/falco:master-slim \
|
||||
-t public.ecr.aws/falcosecurity/falco-no-driver:master \
|
||||
-t public.ecr.aws/falcosecurity/falco:master-slim \
|
||||
docker/no-driver
|
||||
- run:
|
||||
name: Upload falco-dev manifest to registries
|
||||
name: Build and publish dev
|
||||
command: |
|
||||
docker manifest create falcosecurity/falco:master \
|
||||
falcosecurity/falco:aarch64-master \
|
||||
falcosecurity/falco:x86_64-master
|
||||
docker manifest push falcosecurity/falco:master
|
||||
|
||||
docker manifest create public.ecr.aws/falcosecurity/falco:master \
|
||||
public.ecr.aws/falcosecurity/falco:aarch64-master \
|
||||
public.ecr.aws/falcosecurity/falco:x86_64-master
|
||||
docker manifest push public.ecr.aws/falcosecurity/falco:master
|
||||
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
|
||||
docker buildx build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} --platform "arm64,amd64" --push \
|
||||
-t falcosecurity/falco:master \
|
||||
-t public.ecr.aws/falcosecurity/falco:master \
|
||||
docker/falco
|
||||
- run:
|
||||
name: Upload falco-driver-loader-dev manifest to registries
|
||||
name: Build and publish dev falco-driver-loader-dev
|
||||
command: |
|
||||
docker manifest create falcosecurity/falco-driver-loader:master \
|
||||
falcosecurity/falco-driver-loader:aarch64-master \
|
||||
falcosecurity/falco-driver-loader:x86_64-master
|
||||
docker manifest push falcosecurity/falco-driver-loader:master
|
||||
|
||||
docker manifest create public.ecr.aws/falcosecurity/falco-driver-loader:master \
|
||||
public.ecr.aws/falcosecurity/falco-driver-loader:aarch64-master \
|
||||
public.ecr.aws/falcosecurity/falco-driver-loader:x86_64-master
|
||||
docker manifest push public.ecr.aws/falcosecurity/falco-driver-loader:master
|
||||
docker buildx build --build-arg FALCO_IMAGE_TAG=master --platform "arm64,amd64" --push \
|
||||
-t falcosecurity/falco-driver-loader:master \
|
||||
-t public.ecr.aws/falcosecurity/falco-driver-loader:master \
|
||||
docker/driver-loader
|
||||
|
||||
# Publish the packages
|
||||
"publish-packages":
|
||||
@@ -530,222 +417,62 @@ jobs:
|
||||
command: |
|
||||
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
|
||||
/source/falco/scripts/publish-deb -f /build/release/falco-${FALCO_VERSION}-x86_64.deb -f /build-arm64/release/falco-${FALCO_VERSION}-aarch64.deb -r deb
|
||||
|
||||
"build-docker":
|
||||
docker:
|
||||
- image: alpine:3.16
|
||||
steps:
|
||||
- attach_workspace:
|
||||
at: /
|
||||
- setup_remote_docker:
|
||||
version: 20.10.12
|
||||
docker_layer_caching: true
|
||||
- run:
|
||||
name: Install deps
|
||||
command: |
|
||||
apk update
|
||||
apk add make bash git docker docker-cli-buildx py3-pip
|
||||
pip install awscli
|
||||
- run:
|
||||
name: Login to registries
|
||||
command: |
|
||||
echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
|
||||
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
|
||||
- run:
|
||||
name: Build and publish no-driver
|
||||
command: |
|
||||
cd /source/falco
|
||||
docker buildx build --push --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${CIRCLE_TAG} \
|
||||
-t "falcosecurity/falco-no-driver:x86_64-${CIRCLE_TAG}" \
|
||||
-t falcosecurity/falco-no-driver:x86_64-latest \
|
||||
-t "falcosecurity/falco:x86_64-${CIRCLE_TAG}-slim" \
|
||||
-t "falcosecurity/falco:x86_64-latest-slim" \
|
||||
-t "public.ecr.aws/falcosecurity/falco-no-driver:x86_64-${CIRCLE_TAG}" \
|
||||
-t "public.ecr.aws/falcosecurity/falco-no-driver:x86_64-latest" \
|
||||
-t "public.ecr.aws/falcosecurity/falco:x86_64-${CIRCLE_TAG}-slim" \
|
||||
-t "public.ecr.aws/falcosecurity/falco:x86_64-latest-slim" \
|
||||
docker/no-driver
|
||||
- run:
|
||||
name: Build and publish falco
|
||||
command: |
|
||||
cd /source/falco
|
||||
docker buildx build --push --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${CIRCLE_TAG} \
|
||||
-t "falcosecurity/falco:x86_64-${CIRCLE_TAG}" \
|
||||
-t "falcosecurity/falco:x86_64-latest" \
|
||||
-t "public.ecr.aws/falcosecurity/falco:x86_64-${CIRCLE_TAG}" \
|
||||
-t "public.ecr.aws/falcosecurity/falco:x86_64-latest" \
|
||||
docker/falco
|
||||
- run:
|
||||
name: Build and publish falco-driver-loader
|
||||
command: |
|
||||
cd /source/falco
|
||||
docker buildx build --push --build-arg FALCO_IMAGE_TAG=${CIRCLE_TAG} \
|
||||
-t "falcosecurity/falco-driver-loader:x86_64-${CIRCLE_TAG}" \
|
||||
-t "falcosecurity/falco-driver-loader:x86_64-latest" \
|
||||
-t "public.ecr.aws/falcosecurity/falco-driver-loader:x86_64-${CIRCLE_TAG}" \
|
||||
-t "public.ecr.aws/falcosecurity/falco-driver-loader:x86_64-latest" \
|
||||
docker/driver-loader
|
||||
|
||||
"build-docker-arm64":
|
||||
machine:
|
||||
enabled: true
|
||||
image: ubuntu-2004:202101-01
|
||||
docker_layer_caching: true
|
||||
resource_class: arm.medium
|
||||
steps:
|
||||
- attach_workspace:
|
||||
at: /tmp
|
||||
- run:
|
||||
name: Install deps
|
||||
command: |
|
||||
sudo apt update
|
||||
sudo apt install groff less python3-pip
|
||||
pip install awscli
|
||||
- run:
|
||||
name: Login to registries
|
||||
command: |
|
||||
echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
|
||||
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
|
||||
- run:
|
||||
name: Build and publish no-driver
|
||||
command: |
|
||||
cd /tmp/source-arm64/falco
|
||||
docker buildx build --push --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${CIRCLE_TAG} \
|
||||
-t falcosecurity/falco-no-driver:aarch64-${CIRCLE_TAG} \
|
||||
-t falcosecurity/falco-no-driver:aarch64-latest \
|
||||
-t falcosecurity/falco:aarch64-${CIRCLE_TAG}-slim \
|
||||
-t "falcosecurity/falco:aarch64-latest-slim" \
|
||||
-t public.ecr.aws/falcosecurity/falco-no-driver:aarch64-${CIRCLE_TAG} \
|
||||
-t "public.ecr.aws/falcosecurity/falco-no-driver:aarch64-latest" \
|
||||
-t public.ecr.aws/falcosecurity/falco:aarch64-${CIRCLE_TAG}-slim \
|
||||
-t "public.ecr.aws/falcosecurity/falco:aarch64-latest-slim" \
|
||||
docker/no-driver
|
||||
- run:
|
||||
name: Build and publish falco
|
||||
command: |
|
||||
cd /tmp/source-arm64/falco
|
||||
docker buildx build --push --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${CIRCLE_TAG} \
|
||||
-t "falcosecurity/falco:aarch64-${CIRCLE_TAG}" \
|
||||
-t "falcosecurity/falco:aarch64-latest" \
|
||||
-t "public.ecr.aws/falcosecurity/falco:aarch64-${CIRCLE_TAG}" \
|
||||
-t "public.ecr.aws/falcosecurity/falco:aarch64-latest" \
|
||||
docker/falco
|
||||
- run:
|
||||
name: Build and publish falco-driver-loader
|
||||
command: |
|
||||
cd /tmp/source-arm64/falco
|
||||
docker buildx build --push --build-arg FALCO_IMAGE_TAG=${CIRCLE_TAG} \
|
||||
-t "falcosecurity/falco-driver-loader:aarch64-${CIRCLE_TAG}" \
|
||||
-t "falcosecurity/falco-driver-loader:aarch64-latest" \
|
||||
-t "public.ecr.aws/falcosecurity/falco-driver-loader:aarch64-${CIRCLE_TAG}" \
|
||||
-t "public.ecr.aws/falcosecurity/falco-driver-loader:aarch64-latest" \
|
||||
docker/driver-loader
|
||||
|
||||
# Publish docker packages
|
||||
"publish-docker":
|
||||
docker:
|
||||
- image: cimg/base:stable
|
||||
user: root
|
||||
steps:
|
||||
- attach_workspace:
|
||||
at: /
|
||||
- checkout
|
||||
- setup_remote_docker:
|
||||
version: 20.10.12
|
||||
- run:
|
||||
name: Install deps
|
||||
name: Prepare env
|
||||
command: |
|
||||
docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
|
||||
docker context create falco-env
|
||||
docker buildx create falco-env --driver docker-container --use
|
||||
echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
|
||||
sudo apt update
|
||||
sudo apt install groff less python3-pip
|
||||
pip install awscli
|
||||
- run:
|
||||
name: Login to registries
|
||||
name: Login to aws ECR
|
||||
command: |
|
||||
echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
|
||||
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
|
||||
- run:
|
||||
name: Upload no-driver manifest to registries
|
||||
name: Build and publish no-driver
|
||||
command: |
|
||||
docker manifest create falcosecurity/falco-no-driver:${CIRCLE_TAG} \
|
||||
falcosecurity/falco-no-driver:aarch64-${CIRCLE_TAG} \
|
||||
falcosecurity/falco-no-driver:x86_64-${CIRCLE_TAG}
|
||||
docker manifest push falcosecurity/falco-no-driver:${CIRCLE_TAG}
|
||||
|
||||
docker manifest create falcosecurity/falco-no-driver:latest \
|
||||
falcosecurity/falco-no-driver:aarch64-latest \
|
||||
falcosecurity/falco-no-driver:x86_64-latest
|
||||
docker manifest push falcosecurity/falco-no-driver:latest
|
||||
|
||||
docker manifest create falcosecurity/falco:${CIRCLE_TAG}-slim \
|
||||
falcosecurity/falco:aarch64-${CIRCLE_TAG}-slim \
|
||||
falcosecurity/falco:x86_64-${CIRCLE_TAG}-slim
|
||||
docker manifest push falcosecurity/falco:${CIRCLE_TAG}-slim
|
||||
|
||||
docker manifest create falcosecurity/falco:latest-slim \
|
||||
falcosecurity/falco:aarch64-latest-slim \
|
||||
falcosecurity/falco:x86_64-latest-slim
|
||||
docker manifest push falcosecurity/falco:latest-slim
|
||||
|
||||
docker manifest create public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG} \
|
||||
public.ecr.aws/falcosecurity/falco-no-driver:aarch64-${CIRCLE_TAG} \
|
||||
public.ecr.aws/falcosecurity/falco-no-driver:x86_64-${CIRCLE_TAG}
|
||||
docker manifest push public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}
|
||||
|
||||
docker manifest create public.ecr.aws/falcosecurity/falco-no-driver:latest \
|
||||
public.ecr.aws/falcosecurity/falco-no-driver:aarch64-latest \
|
||||
public.ecr.aws/falcosecurity/falco-no-driver:x86_64-latest
|
||||
docker manifest push public.ecr.aws/falcosecurity/falco-no-driver:latest
|
||||
|
||||
docker manifest create public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}-slim \
|
||||
public.ecr.aws/falcosecurity/falco:aarch64-${CIRCLE_TAG}-slim \
|
||||
public.ecr.aws/falcosecurity/falco:x86_64-${CIRCLE_TAG}-slim
|
||||
docker manifest push public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}-slim
|
||||
|
||||
docker manifest create public.ecr.aws/falcosecurity/falco:latest-slim \
|
||||
public.ecr.aws/falcosecurity/falco:aarch64-latest-slim \
|
||||
public.ecr.aws/falcosecurity/falco:x86_64-latest-slim
|
||||
docker manifest push public.ecr.aws/falcosecurity/falco:latest-slim
|
||||
docker buildx build --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${CIRCLE_TAG} --platform "arm64,amd64" --push \
|
||||
-t "falcosecurity/falco-no-driver:${CIRCLE_TAG}" \
|
||||
-t falcosecurity/falco-no-driver:latest \
|
||||
-t "falcosecurity/falco:${CIRCLE_TAG}-slim" \
|
||||
-t "falcosecurity/falco:latest-slim" \
|
||||
-t "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" \
|
||||
-t "public.ecr.aws/falcosecurity/falco-no-driver:latest" \
|
||||
-t "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}-slim" \
|
||||
-t "public.ecr.aws/falcosecurity/falco:latest-slim" \
|
||||
docker/no-driver
|
||||
- run:
|
||||
name: Upload falco manifest to registries
|
||||
name: Build and publish falco
|
||||
command: |
|
||||
docker manifest create falcosecurity/falco:${CIRCLE_TAG} \
|
||||
falcosecurity/falco:aarch64-${CIRCLE_TAG} \
|
||||
falcosecurity/falco:x86_64-${CIRCLE_TAG}
|
||||
docker manifest push falcosecurity/falco:${CIRCLE_TAG}
|
||||
|
||||
docker manifest create falcosecurity/falco:latest \
|
||||
falcosecurity/falco:aarch64-latest \
|
||||
falcosecurity/falco:x86_64-latest
|
||||
docker manifest push falcosecurity/falco:latest
|
||||
|
||||
docker manifest create public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG} \
|
||||
public.ecr.aws/falcosecurity/falco:aarch64-${CIRCLE_TAG} \
|
||||
public.ecr.aws/falcosecurity/falco:x86_64-${CIRCLE_TAG}
|
||||
docker manifest push public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}
|
||||
|
||||
docker manifest create public.ecr.aws/falcosecurity/falco:latest \
|
||||
public.ecr.aws/falcosecurity/falco:aarch64-latest \
|
||||
public.ecr.aws/falcosecurity/falco:x86_64-latest
|
||||
docker manifest push public.ecr.aws/falcosecurity/falco:latest
|
||||
docker buildx build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} --platform "arm64,amd64" --push \
|
||||
-t "falcosecurity/falco:${CIRCLE_TAG}" \
|
||||
-t "falcosecurity/falco:latest" \
|
||||
-t "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}" \
|
||||
-t "public.ecr.aws/falcosecurity/falco:latest" \
|
||||
docker/falco
|
||||
- run:
|
||||
name: Upload falco-driver-loader manifest to registries
|
||||
name: Build and publish falco-driver-loader
|
||||
command: |
|
||||
docker manifest create falcosecurity/falco-driver-loader:${CIRCLE_TAG} \
|
||||
falcosecurity/falco-driver-loader:aarch64-${CIRCLE_TAG} \
|
||||
falcosecurity/falco-driver-loader:x86_64-${CIRCLE_TAG}
|
||||
docker manifest push falcosecurity/falco-driver-loader:${CIRCLE_TAG}
|
||||
|
||||
docker manifest create falcosecurity/falco-driver-loader:latest \
|
||||
falcosecurity/falco-driver-loader:aarch64-latest \
|
||||
falcosecurity/falco-driver-loader:x86_64-latest
|
||||
docker manifest push falcosecurity/falco-driver-loader:latest
|
||||
|
||||
docker manifest create public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG} \
|
||||
public.ecr.aws/falcosecurity/falco-driver-loader:aarch64-${CIRCLE_TAG} \
|
||||
public.ecr.aws/falcosecurity/falco-driver-loader:x86_64-${CIRCLE_TAG}
|
||||
docker manifest push public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}
|
||||
|
||||
docker manifest create public.ecr.aws/falcosecurity/falco-driver-loader:latest \
|
||||
public.ecr.aws/falcosecurity/falco-driver-loader:aarch64-latest \
|
||||
public.ecr.aws/falcosecurity/falco-driver-loader:x86_64-latest
|
||||
docker manifest push public.ecr.aws/falcosecurity/falco-driver-loader:latest
|
||||
docker buildx build --build-arg FALCO_IMAGE_TAG=${CIRCLE_TAG} --platform "arm64,amd64" --push \
|
||||
-t "falcosecurity/falco-driver-loader:${CIRCLE_TAG}" \
|
||||
-t "falcosecurity/falco-driver-loader:latest" \
|
||||
-t "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}" \
|
||||
-t "public.ecr.aws/falcosecurity/falco-driver-loader:latest" \
|
||||
docker/driver-loader
|
||||
|
||||
workflows:
|
||||
version: 2.1
|
||||
@@ -800,7 +527,7 @@ workflows:
|
||||
requires:
|
||||
- "tests-integration"
|
||||
- "tests-integration-arm64"
|
||||
- "build-docker-dev":
|
||||
- "publish-docker-dev":
|
||||
context:
|
||||
- falco
|
||||
- test-infra
|
||||
@@ -813,31 +540,6 @@ workflows:
|
||||
- "publish-packages-dev"
|
||||
- "publish-packages-deb-dev"
|
||||
- "tests-driver-loader-integration"
|
||||
- "build-docker-dev-arm64":
|
||||
context:
|
||||
- falco
|
||||
- test-infra
|
||||
filters:
|
||||
tags:
|
||||
ignore: /.*/
|
||||
branches:
|
||||
only: master
|
||||
requires:
|
||||
- "publish-packages-dev"
|
||||
- "publish-packages-deb-dev"
|
||||
- "tests-driver-loader-integration"
|
||||
- "publish-docker-dev":
|
||||
context:
|
||||
- falco
|
||||
- test-infra
|
||||
filters:
|
||||
tags:
|
||||
ignore: /.*/
|
||||
branches:
|
||||
only: master
|
||||
requires:
|
||||
- "build-docker-dev"
|
||||
- "build-docker-dev-arm64"
|
||||
# - "quality/static-analysis" # This is temporarily disabled: https://github.com/falcosecurity/falco/issues/1526
|
||||
release:
|
||||
jobs:
|
||||
@@ -893,37 +595,13 @@ workflows:
|
||||
only: /.*/
|
||||
branches:
|
||||
ignore: /.*/
|
||||
- "build-docker":
|
||||
context:
|
||||
- falco
|
||||
- test-infra
|
||||
requires:
|
||||
- "publish-packages"
|
||||
- "publish-packages-deb"
|
||||
filters:
|
||||
tags:
|
||||
only: /.*/
|
||||
branches:
|
||||
ignore: /.*/
|
||||
- "build-docker-arm64":
|
||||
context:
|
||||
- falco
|
||||
- test-infra
|
||||
requires:
|
||||
- "publish-packages"
|
||||
- "publish-packages-deb"
|
||||
filters:
|
||||
tags:
|
||||
only: /.*/
|
||||
branches:
|
||||
ignore: /.*/
|
||||
- "publish-docker":
|
||||
context:
|
||||
- falco
|
||||
- test-infra
|
||||
requires:
|
||||
- "build-docker"
|
||||
- "build-docker-arm64"
|
||||
- "publish-packages"
|
||||
- "publish-packages-deb"
|
||||
filters:
|
||||
tags:
|
||||
only: /.*/
|
||||
|
||||
12
CHANGELOG.md
12
CHANGELOG.md
@@ -1,5 +1,17 @@
|
||||
# Change Log
|
||||
|
||||
## v0.32.2
|
||||
|
||||
Released on 2022-08-09
|
||||
|
||||
### Major Changes
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* fix: Added ARCH to bpf download URL [[#2142](https://github.com/falcosecurity/falco/pull/2142)] - [@eric-engberg](https://github.com/eric-engberg)
|
||||
|
||||
|
||||
## v0.32.1
|
||||
|
||||
Released on 2022-07-11
|
||||
|
||||
@@ -56,9 +56,6 @@ if(NOT DEFINED FALCO_ETC_DIR)
|
||||
set(FALCO_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falco")
|
||||
endif()
|
||||
|
||||
# This will be used to print the architecture for which Falco is compiled.
|
||||
set(FALCO_TARGET_ARCH ${CMAKE_SYSTEM_PROCESSOR})
|
||||
|
||||
if(NOT DRAIOS_DEBUG_FLAGS)
|
||||
set(DRAIOS_DEBUG_FLAGS "-D_DEBUG")
|
||||
endif()
|
||||
|
||||
12
OWNERS
12
OWNERS
@@ -1,12 +1,18 @@
|
||||
approvers:
|
||||
- fntlnz
|
||||
- kris-nova
|
||||
- leodido
|
||||
- mstemm
|
||||
- leogr
|
||||
- jasondellaluce
|
||||
- fededp
|
||||
reviewers:
|
||||
- kaizhe
|
||||
- mfdii
|
||||
emeritus_approvers:
|
||||
- fntlnz
|
||||
- kaizhe
|
||||
- kris-nova
|
||||
- leodido
|
||||
- mfdii
|
||||
- mstemm
|
||||
- leogr
|
||||
- jasondellaluce
|
||||
- fededp
|
||||
|
||||
14
README.md
14
README.md
@@ -51,12 +51,12 @@ Notes:
|
||||
|
||||
| | development | stable |
|
||||
|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| rpm-x86_64 | [][1] | [][2] |
|
||||
| deb-x86_64 | [][3] | [][4] |
|
||||
| binary-x86_64 | [][5] | [][6] |
|
||||
| rpm-aarch64 | [][1] | [][2] |
|
||||
| deb-aarch64 | [][3] | [][4] |
|
||||
| binary-aarch64 | [][7] | [][8] |
|
||||
| rpm | [][1] | [][2] |
|
||||
| deb | [][3] | [][4] |
|
||||
| binary | [][5] | [][6] |
|
||||
| rpm-arm64 | [][1] | [][2] |
|
||||
| deb-arm64 | [][3] | [][4] |
|
||||
| binary-arm64 | [][7] | [][8] |
|
||||
|
||||
---
|
||||
|
||||
@@ -164,4 +164,4 @@ Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
|
||||
[5]: https://download.falco.org/?prefix=packages/bin-dev/x86_64/
|
||||
[6]: https://download.falco.org/?prefix=packages/bin/x86_64/
|
||||
[7]: https://download.falco.org/?prefix=packages/bin-dev/aarch64/
|
||||
[8]: https://download.falco.org/?prefix=packages/bin/aarch64/
|
||||
[8]: https://download.falco.org/?prefix=packages/bin/aarch64/
|
||||
@@ -68,12 +68,9 @@ Now assume `x.y.z` is the new version.
|
||||
|
||||
| Packages | Download |
|
||||
| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
|
||||
| rpm-x86_64 | [](https://download.falco.org/packages/rpm/falco-x.y.z-x86_64.rpm) |
|
||||
| deb-x86_64 | [](https://download.falco.org/packages/deb/stable/falco-x.y.z-x86_64.deb) |
|
||||
| tgz-x86_64 | [](https://download.falco.org/packages/bin/x86_64/falco-x.y.z-x86_64.tar.gz) |
|
||||
| rpm-aarch64 | [](https://download.falco.org/packages/rpm/falco-x.y.z-aarch64.rpm) |
|
||||
| deb-aarch64 | [](https://download.falco.org/packages/deb/stable/falco-x.y.z-aarch64.deb) |
|
||||
| tgz-aarch64 | [](https://download.falco.org/packages/bin/aarch64/falco-x.y.z-aarch64.tar.gz) |
|
||||
| rpm | [](https://download.falco.org/packages/rpm/falco-x.y.z-x86_64.rpm) |
|
||||
| deb | [](https://download.falco.org/packages/deb/stable/falco-x.y.z-x86_64.deb) |
|
||||
| tgz | [](https://download.falco.org/packages/bin/x86_64/falco-x.y.z-x86_64.tar.gz) |
|
||||
|
||||
| Images |
|
||||
| --------------------------------------------------------------------------- |
|
||||
|
||||
@@ -26,8 +26,8 @@ else()
|
||||
# In case you want to test against another driver version (or branch, or commit) just pass the variable -
|
||||
# ie., `cmake -DDRIVER_VERSION=dev ..`
|
||||
if(NOT DRIVER_VERSION)
|
||||
set(DRIVER_VERSION "b4c198773bf05486e122f6d3f7f63be125242413")
|
||||
set(DRIVER_CHECKSUM "SHA256=e85fa42a0b58ba21ca7efb38c20ce25207f4816245bdf154e6b9a037a1cce930")
|
||||
set(DRIVER_VERSION "2.0.0+driver")
|
||||
set(DRIVER_CHECKSUM "SHA256=e616dfe27f95670a63150339ea2484937c5ce9b7e42d176de86c3f61481ae676")
|
||||
endif()
|
||||
|
||||
# cd /path/to/build && cmake /path/to/source
|
||||
|
||||
@@ -27,8 +27,8 @@ else()
|
||||
# In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
|
||||
# ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
|
||||
if(NOT FALCOSECURITY_LIBS_VERSION)
|
||||
set(FALCOSECURITY_LIBS_VERSION "b4c198773bf05486e122f6d3f7f63be125242413")
|
||||
set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=e85fa42a0b58ba21ca7efb38c20ce25207f4816245bdf154e6b9a037a1cce930")
|
||||
set(FALCOSECURITY_LIBS_VERSION "0.7.0")
|
||||
set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=3adc1620c0e830554a54cdd486158dc2c0c40552e113785b70fbbc99edb7d96f")
|
||||
endif()
|
||||
|
||||
# cd /path/to/build && cmake /path/to/source
|
||||
@@ -68,7 +68,6 @@ set(BUILD_LIBSCAP_EXAMPLES OFF CACHE BOOL "")
|
||||
set(USE_BUNDLED_TBB ON CACHE BOOL "")
|
||||
set(USE_BUNDLED_B64 ON CACHE BOOL "")
|
||||
set(USE_BUNDLED_JSONCPP ON CACHE BOOL "")
|
||||
set(USE_BUNDLED_VALIJSON ON CACHE BOOL "")
|
||||
|
||||
list(APPEND CMAKE_MODULE_PATH "${FALCOSECURITY_LIBS_SOURCE_DIR}/cmake/modules")
|
||||
|
||||
|
||||
@@ -2,4 +2,5 @@ labels:
|
||||
- area/integration
|
||||
approvers:
|
||||
- leogr
|
||||
|
||||
reviewers:
|
||||
- leogr
|
||||
|
||||
@@ -73,9 +73,7 @@ watch_config_files: true
|
||||
# time zone, as governed by /etc/localtime.
|
||||
time_format_iso_8601: false
|
||||
|
||||
# If "true", print falco alert messages and rules file
|
||||
# loading/validation results as json, which allows for easier
|
||||
# consumption by downstream programs. Default is "false".
|
||||
# Whether to output events in json or text
|
||||
json_output: false
|
||||
|
||||
# When using json output, whether or not to include the "output" property
|
||||
|
||||
@@ -5,6 +5,7 @@ reviewers:
|
||||
- fntlnz
|
||||
- mfdii
|
||||
- kaizhe
|
||||
- darryk10
|
||||
- mstemm
|
||||
labels:
|
||||
- area/rules
|
||||
|
||||
|
||||
@@ -360,7 +360,6 @@
|
||||
- rule: Disallowed SSH Connection
|
||||
desc: Detect any new ssh connection to a host other than those in an allowed group of hosts
|
||||
condition: (inbound_outbound) and ssh_port and not allowed_ssh_hosts
|
||||
enabled: false
|
||||
output: Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
|
||||
priority: NOTICE
|
||||
tags: [network, mitre_remote_service]
|
||||
@@ -511,7 +510,7 @@
|
||||
# %container.info, without any leading term (file=%fd.name
|
||||
# %container.info user=%user.name user_loginuid=%user.loginuid, and not file=%fd.name
|
||||
# container=%container.info user=%user.name user_loginuid=%user.loginuid). The output will change
|
||||
# based on the context and whether or not -pk/-pc was specified on
|
||||
# based on the context and whether or not -pk/-pm/-pc was specified on
|
||||
# the command line.
|
||||
- macro: container
|
||||
condition: (container.id != host)
|
||||
@@ -960,6 +959,9 @@
|
||||
# This rule is disabled by default as many system management tools
|
||||
# like ansible, etc can read these files/paths. Enable it using this macro.
|
||||
|
||||
- macro: consider_ssh_reads
|
||||
condition: (never_true)
|
||||
|
||||
- macro: user_known_read_ssh_information_activities
|
||||
condition: (never_true)
|
||||
|
||||
@@ -967,10 +969,10 @@
|
||||
desc: Any attempt to read files below ssh directories by non-ssh programs
|
||||
condition: >
|
||||
((open_read or open_directory) and
|
||||
consider_ssh_reads and
|
||||
(user_ssh_directory or fd.name startswith /root/.ssh) and
|
||||
not user_known_read_ssh_information_activities and
|
||||
not proc.name in (ssh_binaries))
|
||||
enabled: false
|
||||
output: >
|
||||
ssh-related file/directory read by non-ssh program (user=%user.name user_loginuid=%user.loginuid
|
||||
command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline container_id=%container.id image=%container.image.repository)
|
||||
@@ -1146,9 +1148,6 @@
|
||||
- macro: user_known_write_below_etc_activities
|
||||
condition: (never_true)
|
||||
|
||||
- macro: calico_node
|
||||
condition: (container.image.repository endswith calico/node and proc.name=calico-node)
|
||||
|
||||
- macro: write_etc_common
|
||||
condition: >
|
||||
etc_dir and evt.dir = < and open_write
|
||||
@@ -1254,7 +1253,6 @@
|
||||
and not mcafee_writing_cma_d
|
||||
and not avinetworks_supervisor_writing_ssh
|
||||
and not multipath_writing_conf
|
||||
and not calico_node
|
||||
|
||||
- rule: Write below etc
|
||||
desc: an attempt to write to any file below /etc
|
||||
@@ -1473,7 +1471,7 @@
|
||||
tags: [filesystem, software_mgmt, mitre_persistence]
|
||||
|
||||
- macro: postgres_running_wal_e
|
||||
condition: (proc.pname=postgres and (proc.cmdline startswith "sh -c envdir /etc/wal-e.d/env /usr/local/bin/wal-e" or proc.cmdline startswith "sh -c envdir \"/run/etc/wal-e.d/env\" wal-g wal-push"))
|
||||
condition: (proc.pname=postgres and proc.cmdline startswith "sh -c envdir /etc/wal-e.d/env /usr/local/bin/wal-e")
|
||||
|
||||
- macro: redis_running_prepost_scripts
|
||||
condition: (proc.aname[2]=redis-server and (proc.cmdline contains "redis-server.post-up.d" or proc.cmdline contains "redis-server.pre-up.d"))
|
||||
@@ -1552,6 +1550,9 @@
|
||||
- list: network_plugin_binaries
|
||||
items: [aws-cni, azure-vnet]
|
||||
|
||||
- macro: calico_node
|
||||
condition: (container.image.repository endswith calico/node and proc.name=calico-node)
|
||||
|
||||
- macro: weaveworks_scope
|
||||
condition: (container.image.repository endswith weaveworks/scope and proc.name=scope)
|
||||
|
||||
@@ -1758,13 +1759,6 @@
|
||||
container.image.repository endswith /prometheus-node-exporter or
|
||||
container.image.repository endswith /image-inspector))
|
||||
|
||||
- list: redhat_io_images_privileged
|
||||
items: [registry.redhat.io/openshift-logging/fluentd-rhel8, registry.redhat.io/openshift4/ose-csi-node-driver-registrar, registry.redhat.io/openshift4/ose-kubernetes-nmstate-handler-rhel8, registry.redhat.io/openshift4/ose-local-storage-diskmaker]
|
||||
|
||||
- macro: redhat_image
|
||||
condition: >
|
||||
(container.image.repository in (redhat_io_images_privileged))
|
||||
|
||||
# https://docs.aws.amazon.com/eks/latest/userguide/add-ons-images.html
|
||||
# official AWS EKS registry list. AWS has different ECR repo per region
|
||||
- macro: allowed_aws_ecr_registry_root_for_eks
|
||||
@@ -1847,8 +1841,7 @@
|
||||
public.ecr.aws/falcosecurity/falco,
|
||||
quay.io/calico/node,
|
||||
sysdig/sysdig,
|
||||
sematext_images,
|
||||
k8s.gcr.io/dns/k8s-dns-node-cache
|
||||
sematext_images
|
||||
]
|
||||
|
||||
- macro: falco_privileged_containers
|
||||
@@ -1888,8 +1881,7 @@
|
||||
aws_eks_image_sensitive_mount or
|
||||
container.image.repository in (trusted_images) or
|
||||
container.image.repository in (falco_sensitive_mount_images) or
|
||||
container.image.repository startswith quay.io/sysdig/ or
|
||||
container.image.repository=k8scloudprovider/cinder-csi-plugin)
|
||||
container.image.repository startswith quay.io/sysdig/)
|
||||
|
||||
# Add conditions to this macro (probably in a separate file,
|
||||
# overwriting this macro) to specify additional containers that are
|
||||
@@ -1907,7 +1899,6 @@
|
||||
and container.privileged=true
|
||||
and not falco_privileged_containers
|
||||
and not user_privileged_containers
|
||||
and not redhat_image
|
||||
output: Privileged container started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
|
||||
priority: INFO
|
||||
tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement]
|
||||
@@ -2206,6 +2197,9 @@
|
||||
- list: test_connect_ports
|
||||
items: [0, 9, 80, 3306]
|
||||
|
||||
- macro: do_unexpected_udp_check
|
||||
condition: (never_true)
|
||||
|
||||
- list: expected_udp_ports
|
||||
items: [53, openvpn_udp_ports, l2tp_udp_ports, statsd_ports, ntp_ports, test_connect_ports]
|
||||
|
||||
@@ -2214,8 +2208,7 @@
|
||||
|
||||
- rule: Unexpected UDP Traffic
|
||||
desc: UDP traffic not on port 53 (DNS) or other commonly used ports
|
||||
condition: (inbound_outbound) and fd.l4proto=udp and not expected_udp_traffic
|
||||
enabled: false
|
||||
condition: (inbound_outbound) and do_unexpected_udp_check and fd.l4proto=udp and not expected_udp_traffic
|
||||
output: >
|
||||
Unexpected UDP Traffic Seen
|
||||
(user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args container_id=%container.id image=%container.image.repository)
|
||||
@@ -2398,12 +2391,7 @@
|
||||
sysdig/sysdig, falcosecurity/falco,
|
||||
fluent/fluentd-kubernetes-daemonset, prom/prometheus,
|
||||
ibm_cloud_containers,
|
||||
public.ecr.aws/falcosecurity/falco, velero/velero,
|
||||
quay.io/jetstack/cert-manager-cainjector, weaveworks/kured,
|
||||
quay.io/prometheus-operator/prometheus-operator,
|
||||
k8s.gcr.io/ingress-nginx/kube-webhook-certgen, quay.io/spotahome/redis-operator,
|
||||
registry.opensource.zalan.do/acid/postgres-operator, registry.opensource.zalan.do/acid/postgres-operator-ui,
|
||||
rabbitmqoperator/cluster-operator)
|
||||
public.ecr.aws/falcosecurity/falco)
|
||||
or (k8s.ns.name = "kube-system"))
|
||||
|
||||
- macro: k8s_api_server
|
||||
@@ -2457,11 +2445,6 @@
|
||||
condition: (never_true)
|
||||
|
||||
# Container is supposed to be immutable. Package management should be done in building the image.
|
||||
- macro: pkg_mgmt_in_kube_proxy
|
||||
condition: >
|
||||
proc.cmdline startswith "update-alternat"
|
||||
and container.image.repository = "k8s.gcr.io/kube-proxy"
|
||||
|
||||
- rule: Launch Package Management Process in Container
|
||||
desc: Package management process ran inside container
|
||||
condition: >
|
||||
@@ -2471,7 +2454,6 @@
|
||||
and package_mgmt_procs
|
||||
and not package_mgmt_ancestor_procs
|
||||
and not user_known_package_manager_in_container
|
||||
and not pkg_mgmt_in_kube_proxy
|
||||
output: >
|
||||
Package management process launched in container (user=%user.name user_loginuid=%user.loginuid
|
||||
command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
|
||||
|
||||
@@ -261,13 +261,6 @@ print_clean_termination() {
|
||||
echo
|
||||
}
|
||||
|
||||
print_filename_components() {
|
||||
echo " - driver name: ${DRIVER_NAME}"
|
||||
echo " - target identifier: ${TARGET_ID}"
|
||||
echo " - kernel release: ${KERNEL_RELEASE}"
|
||||
echo " - kernel version: ${KERNEL_VERSION}"
|
||||
}
|
||||
|
||||
clean_kernel_module() {
|
||||
echo
|
||||
echo "================ Cleaning phase ================"
|
||||
@@ -356,8 +349,6 @@ load_kernel_module() {
|
||||
get_target_id
|
||||
|
||||
local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
|
||||
echo "* Filename '${FALCO_KERNEL_MODULE_FILENAME}' is composed of:"
|
||||
print_filename_components
|
||||
|
||||
if [ -f "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" ]; then
|
||||
echo "* Found a prebuilt ${DRIVER_NAME} module at ${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
|
||||
@@ -513,17 +504,15 @@ load_bpf_probe_download() {
|
||||
}
|
||||
|
||||
load_bpf_probe() {
|
||||
echo "* Mounting debugfs"
|
||||
|
||||
if [ ! -d /sys/kernel/debug/tracing ]; then
|
||||
echo "* Mounting debugfs"
|
||||
mount -t debugfs nodev /sys/kernel/debug
|
||||
fi
|
||||
|
||||
get_target_id
|
||||
|
||||
BPF_PROBE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.o"
|
||||
echo "* Filename '${BPF_PROBE_FILENAME}' is composed of:"
|
||||
print_filename_components
|
||||
|
||||
if [ -n "$ENABLE_DOWNLOAD" ]; then
|
||||
if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
|
||||
@@ -673,7 +662,7 @@ if [ -z "$has_opts" ]; then
|
||||
fi
|
||||
|
||||
if [ -z "$source_only" ]; then
|
||||
echo "* Running falco-driver-loader for: falco version=${FALCO_VERSION}, driver version=${DRIVER_VERSION}, arch=${ARCH}, kernel release=${KERNEL_RELEASE}, kernel version=${KERNEL_VERSION}"
|
||||
echo "* Running falco-driver-loader for: falco version=${FALCO_VERSION}, driver version=${DRIVER_VERSION}"
|
||||
|
||||
if [ "$(id -u)" != 0 ]; then
|
||||
>&2 echo "This program must be run as root (or with sudo)"
|
||||
|
||||
@@ -77,10 +77,6 @@ class FalcoTest(Test):
|
||||
else:
|
||||
self.stderr_not_contains = [self.stderr_not_contains]
|
||||
|
||||
self.validate_ok = self.params.get('validate_ok', '*', default='')
|
||||
self.validate_warnings = self.params.get('validate_warnings', '*', default='')
|
||||
self.validate_errors = self.params.get('validate_errors', '*', default='')
|
||||
|
||||
self.exit_status = self.params.get('exit_status', '*', default=0)
|
||||
self.should_detect = self.params.get('detect', '*', default=False)
|
||||
self.check_detection_counts = self.params.get('check_detection_counts', '*', default=True)
|
||||
@@ -109,9 +105,6 @@ class FalcoTest(Test):
|
||||
if self.validate_rules_file == False:
|
||||
self.validate_rules_file = []
|
||||
else:
|
||||
# Always enable json output when validating rules
|
||||
# files. Makes parsing errors/warnings easier
|
||||
self.json_output = True
|
||||
if not isinstance(self.validate_rules_file, list):
|
||||
self.validate_rules_file = [self.validate_rules_file]
|
||||
|
||||
@@ -160,6 +153,13 @@ class FalcoTest(Test):
|
||||
detect_counts[key] = value
|
||||
self.detect_counts = detect_counts
|
||||
|
||||
self.rules_warning = self.params.get(
|
||||
'rules_warning', '*', default=False)
|
||||
if self.rules_warning == False:
|
||||
self.rules_warning = set()
|
||||
else:
|
||||
self.rules_warning = set(self.rules_warning)
|
||||
|
||||
# Maps from rule name to set of evttypes
|
||||
self.rules_events = self.params.get('rules_events', '*', default=False)
|
||||
if self.rules_events == False:
|
||||
@@ -265,6 +265,22 @@ class FalcoTest(Test):
|
||||
if self.package != 'None':
|
||||
self.uninstall_package()
|
||||
|
||||
def check_rules_warnings(self, res):
|
||||
|
||||
found_warning = set()
|
||||
|
||||
for match in re.finditer('Rule ([^:]+): warning \(([^)]+)\):', res.stderr.decode("utf-8")):
|
||||
rule = match.group(1)
|
||||
warning = match.group(2)
|
||||
found_warning.add(rule)
|
||||
|
||||
self.log.debug("Expected warning rules: {}".format(self.rules_warning))
|
||||
self.log.debug("Actual warning rules: {}".format(found_warning))
|
||||
|
||||
if found_warning != self.rules_warning:
|
||||
self.fail("Expected rules with warnings {} does not match actual rules with warnings {}".format(
|
||||
self.rules_warning, found_warning))
|
||||
|
||||
def check_rules_events(self, res):
|
||||
|
||||
found_events = {}
|
||||
@@ -360,68 +376,7 @@ class FalcoTest(Test):
|
||||
|
||||
return True
|
||||
|
||||
def get_validate_json(self, res):
|
||||
if self.validate_json is None:
|
||||
# The first line of stdout should be the validation result as json
|
||||
self.validate_json = json.loads(res.stdout.decode("utf-8").partition('\n')[0])
|
||||
return self.validate_json
|
||||
|
||||
def check_validate_ok(self, res):
|
||||
if self.validate_ok != '':
|
||||
vobj = self.get_validate_json(res)
|
||||
for expected in self.validate_ok:
|
||||
found = False
|
||||
for vres in vobj["falco_load_results"]:
|
||||
if vres["successful"] and os.path.basename(vres["name"]) == expected:
|
||||
found = True
|
||||
break
|
||||
if not found:
|
||||
self.fail("Validation json did not contain a successful result for file '{}'".format(expected))
|
||||
|
||||
def check_validate_warnings(self, res):
|
||||
if self.validate_warnings != '':
|
||||
vobj = self.get_validate_json(res)
|
||||
for warnobj in self.validate_warnings:
|
||||
found = False
|
||||
for vres in vobj["falco_load_results"]:
|
||||
for warning in vres["warnings"]:
|
||||
if warning["code"] == warnobj["code"]:
|
||||
if ("message" in warnobj and warning["message"] == warnobj["message"]) or ("message_contains" in warnobj and warnobj["message_contains"] in warning["message"]):
|
||||
for loc in warning["context"]["locations"]:
|
||||
if loc["item_type"] == warnobj["item_type"] and loc["item_name"] == warnobj["item_name"]:
|
||||
found = True
|
||||
break
|
||||
if not found:
|
||||
if "message" in warnobj:
|
||||
self.fail("Validation json did not contain a warning '{}' for '{}' '{}' with message '{}'".format(
|
||||
warnobj["code"], warnobj["item_type"], warnobj["item_name"], warnobj["message"]))
|
||||
else:
|
||||
self.fail("Validation json did not contain a warning '{}' for '{}' '{}' with message containing '{}'".format(
|
||||
warnobj["code"], warnobj["item_type"], warnobj["item_name"], warnobj["message_contains"]))
|
||||
|
||||
def check_validate_errors(self, res):
|
||||
if self.validate_errors != '':
|
||||
vobj = self.get_validate_json(res)
|
||||
for errobj in self.validate_errors:
|
||||
found = False
|
||||
for vres in vobj["falco_load_results"]:
|
||||
for error in vres["errors"]:
|
||||
if error["code"] == errobj["code"]:
|
||||
if ("message" in errobj and error["message"] == errobj["message"]) or ("message_contains" in errobj and errobj["message_contains"] in error["message"]):
|
||||
for loc in error["context"]["locations"]:
|
||||
if loc["item_type"] == errobj["item_type"] and loc["item_name"] == errobj["item_name"]:
|
||||
found = True
|
||||
break
|
||||
if not found:
|
||||
if "message" in errobj:
|
||||
self.fail("Validation json did not contain a error '{}' for '{}' '{}' with message '{}'".format(
|
||||
errobj["code"], errobj["item_type"], errobj["item_name"], errobj["message"]))
|
||||
else:
|
||||
self.fail("Validation json did not contain a error '{}' for '{}' '{}' with message containing '{}'".format(
|
||||
errobj["code"], errobj["item_type"], errobj["item_name"], errobj["message_contains"]))
|
||||
|
||||
|
||||
def check_json_event_output(self, res):
|
||||
def check_json_output(self, res):
|
||||
if self.json_output:
|
||||
# Just verify that any lines starting with '{' are valid json objects.
|
||||
# Doesn't do any deep inspection of the contents.
|
||||
@@ -623,8 +578,6 @@ class FalcoTest(Test):
|
||||
# This sets falco_binary_path as a side-effect.
|
||||
self.install_package()
|
||||
|
||||
self.validate_json = None
|
||||
|
||||
trace_arg = self.trace_file
|
||||
|
||||
if self.trace_file:
|
||||
@@ -691,22 +644,18 @@ class FalcoTest(Test):
|
||||
self.error("Falco command \"{}\" exited with unexpected return value {} (!= {})".format(
|
||||
cmd, res.exit_status, self.exit_status))
|
||||
|
||||
self.check_validate_ok(res)
|
||||
self.check_validate_errors(res)
|
||||
self.check_validate_warnings(res)
|
||||
|
||||
# No need to check any outputs if the falco process exited abnormally.
|
||||
if res.exit_status != 0:
|
||||
return
|
||||
|
||||
self.check_rules_warnings(res)
|
||||
if len(self.rules_events) > 0:
|
||||
self.check_rules_events(res)
|
||||
if len(self.validate_rules_file) == 0 and self.check_detection_counts:
|
||||
self.check_detections(res)
|
||||
if len(self.detect_counts) > 0:
|
||||
self.check_detections_by_rule(res)
|
||||
if not self.validate_rules_file:
|
||||
self.check_json_event_output(res)
|
||||
self.check_json_output(res)
|
||||
self.check_outputs()
|
||||
self.check_output_strictly_contains(res)
|
||||
self.check_grpc()
|
||||
|
||||
@@ -20,55 +20,22 @@ trace_files: !mux
|
||||
builtin_rules_no_warnings:
|
||||
detect: False
|
||||
trace_file: trace_files/empty.scap
|
||||
rules_warning: False
|
||||
|
||||
# The rules_events part of this test was mistakenly disabled when
|
||||
# generic events (e.g. k8s_audit support) was added (#1715).
|
||||
# The implementation no longer prints messages of the form:
|
||||
# "Event types for rule (<RULE>): (<EVENT TYPES>)
|
||||
# And without that output, none of the checks below rules_events
|
||||
# are considered.
|
||||
# XXX/mstemm add it back
|
||||
test_warnings:
|
||||
detect: False
|
||||
trace_file: trace_files/empty.scap
|
||||
validate_rules_file: rules/falco_rules_warnings.yaml
|
||||
validate_warnings:
|
||||
- item_type: rule
|
||||
item_name: no_evttype
|
||||
code: LOAD_NO_EVTTYPE
|
||||
message: "Rule matches too many evt.type values. This has a significant performance penalty."
|
||||
- item_type: rule
|
||||
item_name: evttype_not_equals
|
||||
code: LOAD_NO_EVTTYPE
|
||||
message: "Rule matches too many evt.type values. This has a significant performance penalty."
|
||||
- item_type: rule
|
||||
item_name: leading_not
|
||||
code: LOAD_NO_EVTTYPE
|
||||
message: "Rule matches too many evt.type values. This has a significant performance penalty."
|
||||
- item_type: rule
|
||||
item_name: not_equals_at_end
|
||||
code: LOAD_NO_EVTTYPE
|
||||
message: "Rule matches too many evt.type values. This has a significant performance penalty."
|
||||
- item_type: rule
|
||||
item_name: not_at_end
|
||||
code: LOAD_NO_EVTTYPE
|
||||
message: "Rule matches too many evt.type values. This has a significant performance penalty."
|
||||
- item_type: rule
|
||||
item_name: not_equals_and_not
|
||||
code: LOAD_NO_EVTTYPE
|
||||
message: "Rule matches too many evt.type values. This has a significant performance penalty."
|
||||
- item_type: rule
|
||||
item_name: leading_in_not_equals_at_evttype
|
||||
code: LOAD_NO_EVTTYPE
|
||||
message: "Rule matches too many evt.type values. This has a significant performance penalty."
|
||||
- item_type: rule
|
||||
item_name: not_with_evttypes
|
||||
code: LOAD_NO_EVTTYPE
|
||||
message: "Rule matches too many evt.type values. This has a significant performance penalty."
|
||||
- item_type: rule
|
||||
item_name: not_with_evttypes_addl
|
||||
code: LOAD_NO_EVTTYPE
|
||||
message: "Rule matches too many evt.type values. This has a significant performance penalty."
|
||||
rules_file: rules/falco_rules_warnings.yaml
|
||||
rules_warning:
|
||||
- no_evttype
|
||||
- evttype_not_equals
|
||||
- leading_not
|
||||
- not_equals_at_end
|
||||
- not_at_end
|
||||
- not_equals_and_not
|
||||
- leading_in_not_equals_at_evttype
|
||||
- not_with_evttypes
|
||||
- not_with_evttypes_addl
|
||||
rules_events:
|
||||
- no_warnings: [execve]
|
||||
- no_evttype: [all]
|
||||
@@ -284,149 +251,159 @@ trace_files: !mux
|
||||
|
||||
invalid_not_yaml:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: file
|
||||
item_name: ""
|
||||
code: LOAD_ERR_YAML_VALIDATE
|
||||
message: "Rules content is not yaml"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Rules content is not yaml
|
||||
validate_rules_file:
|
||||
- rules/invalid_not_yaml.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
invalid_not_array:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: file
|
||||
item_name: ""
|
||||
code: LOAD_ERR_YAML_VALIDATE
|
||||
message: "Rules content is not yaml array of objects"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Rules content is not yaml array of objects
|
||||
validate_rules_file:
|
||||
- rules/invalid_not_array.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
invalid_array_item_not_object:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: item
|
||||
item_name: ""
|
||||
code: LOAD_ERR_YAML_VALIDATE
|
||||
message: "Unexpected element type. Each element should be a yaml associative array."
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Unexpected element type. Each element should be a yaml associative array.
|
||||
---
|
||||
- foo
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/invalid_array_item_not_object.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
invalid_engine_version_not_number:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: required_engine_version
|
||||
item_name: ""
|
||||
code: LOAD_ERR_YAML_VALIDATE
|
||||
message: "Can't decode YAML scalar value"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Value of required_engine_version must be a number
|
||||
---
|
||||
- required_engine_version: not-a-number
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/invalid_engine_version_not_number.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
invalid_yaml_parse_error:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: file
|
||||
item_name: ""
|
||||
code: LOAD_ERR_YAML_PARSE
|
||||
message: "yaml-cpp: error at line 1, column 11: illegal map value"
|
||||
validate_rules_file:
|
||||
- rules/invalid_yaml_parse_error.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
invalid_list_without_items:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: list
|
||||
item_name: bad_list
|
||||
code: LOAD_ERR_YAML_VALIDATE
|
||||
message: "Item has no mapping for key 'items'"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
List must have property items
|
||||
---
|
||||
- list: bad_list
|
||||
no_items: foo
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/invalid_list_without_items.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
invalid_macro_without_condition:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: macro
|
||||
item_name: bad_macro
|
||||
code: LOAD_ERR_YAML_VALIDATE
|
||||
message: "Item has no mapping for key 'condition'"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Macro must have property condition
|
||||
---
|
||||
- macro: bad_macro
|
||||
nope: 1
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/invalid_macro_without_condition.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
invalid_rule_without_output:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: rule
|
||||
item_name: no output rule
|
||||
code: LOAD_ERR_YAML_VALIDATE
|
||||
message: "Item has no mapping for key 'output'"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Rule must have properties 'condition', 'output', 'desc', and 'priority'
|
||||
---
|
||||
- rule: no output rule
|
||||
desc: some desc
|
||||
condition: evt.type=fork
|
||||
priority: INFO
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/invalid_rule_without_output.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
invalid_append_rule_without_condition:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: rule
|
||||
item_name: no condition rule
|
||||
code: LOAD_ERR_VALIDATE
|
||||
message: "Appended rule must have exceptions or condition property"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Appended rule must have exceptions or condition property
|
||||
---
|
||||
- rule: no condition rule
|
||||
append: true
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/invalid_append_rule_without_condition.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
invalid_append_macro_dangling:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: macro
|
||||
item_name: dangling append
|
||||
code: LOAD_ERR_VALIDATE
|
||||
message: "Macro has 'append' key but no macro by that name already exists"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Macro dangling append has 'append' key but no macro by that name already exists
|
||||
---
|
||||
- macro: dangling append
|
||||
condition: and evt.type=execve
|
||||
append: true
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/invalid_append_macro_dangling.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
invalid_list_append_dangling:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: list
|
||||
item_name: my_list
|
||||
code: LOAD_ERR_VALIDATE
|
||||
message: "List has 'append' key but no list by that name already exists"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
List my_list has 'append' key but no list by that name already exists
|
||||
---
|
||||
- list: my_list
|
||||
items: [not-cat]
|
||||
append: true
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/list_append_failure.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
invalid_rule_append_dangling:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: rule
|
||||
item_name: my_rule
|
||||
code: LOAD_ERR_VALIDATE
|
||||
message: "Rule has 'append' key but no rule by that name already exists"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Rule my_rule has 'append' key but no rule by that name already exists
|
||||
---
|
||||
- rule: my_rule
|
||||
condition: evt.type=open
|
||||
append: true
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/rule_append_failure.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
invalid_overwrite_macro:
|
||||
exit_status: 1
|
||||
validate_ok: [invalid_base_macro.yaml]
|
||||
validate_errors:
|
||||
- item_type: macro
|
||||
item_name: some macro
|
||||
code: LOAD_ERR_VALIDATE
|
||||
message: "Undefined macro 'foo' used in filter."
|
||||
validate_warnings:
|
||||
- item_type: macro
|
||||
item_name: some macro
|
||||
code: LOAD_UNUSED_MACRO
|
||||
message: "Macro not referred to by any other rule/macro"
|
||||
stdout_contains: |+
|
||||
.*invalid_base_macro.yaml: Ok
|
||||
.*invalid_overwrite_macro.yaml: 1 errors:
|
||||
Compilation error when compiling "foo": Undefined macro 'foo' used in filter.
|
||||
---
|
||||
- macro: some macro
|
||||
condition: foo
|
||||
append: false
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/invalid_base_macro.yaml
|
||||
- rules/invalid_overwrite_macro.yaml
|
||||
@@ -434,17 +411,18 @@ trace_files: !mux
|
||||
|
||||
invalid_append_macro:
|
||||
exit_status: 1
|
||||
validate_ok: [invalid_base_macro.yaml]
|
||||
validate_errors:
|
||||
- item_type: macro
|
||||
item_name: some macro
|
||||
code: LOAD_ERR_COMPILE_CONDITION
|
||||
message: "unexpected token after 'execve', expecting 'or', 'and'"
|
||||
validate_warnings:
|
||||
- item_type: macro
|
||||
item_name: some macro
|
||||
code: LOAD_UNUSED_MACRO
|
||||
message: "Macro not referred to by any other rule/macro"
|
||||
stdout_contains: |+
|
||||
.*invalid_base_macro.yaml: Ok
|
||||
.*invalid_append_macro.yaml: 1 errors:
|
||||
Compilation error when compiling "evt.type=execve foo": 17: unexpected token after 'execve', expecting 'or', 'and'
|
||||
---
|
||||
- macro: some macro
|
||||
condition: evt.type=execve
|
||||
|
||||
- macro: some macro
|
||||
condition: foo
|
||||
append: true
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/invalid_base_macro.yaml
|
||||
- rules/invalid_append_macro.yaml
|
||||
@@ -452,39 +430,49 @@ trace_files: !mux
|
||||
|
||||
invalid_overwrite_macro_multiple_docs:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: macro
|
||||
item_name: some macro
|
||||
code: LOAD_ERR_VALIDATE
|
||||
message: "Undefined macro 'foo' used in filter."
|
||||
validate_warnings:
|
||||
- item_type: macro
|
||||
item_name: some macro
|
||||
code: LOAD_UNUSED_MACRO
|
||||
message: "Macro not referred to by any other rule/macro"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Compilation error when compiling "foo": Undefined macro 'foo' used in filter.
|
||||
---
|
||||
- macro: some macro
|
||||
condition: foo
|
||||
append: false
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/invalid_overwrite_macro_multiple_docs.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
invalid_append_macro_multiple_docs:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: macro
|
||||
item_name: some macro
|
||||
code: LOAD_ERR_COMPILE_CONDITION
|
||||
message: "unexpected token after 'execve', expecting 'or', 'and'"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Compilation error when compiling "evt.type=execve foo": 17: unexpected token after 'execve', expecting 'or', 'and'
|
||||
---
|
||||
- macro: some macro
|
||||
condition: evt.type=execve
|
||||
|
||||
- macro: some macro
|
||||
condition: foo
|
||||
append: true
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/invalid_append_macro_multiple_docs.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
invalid_overwrite_rule:
|
||||
exit_status: 1
|
||||
validate_ok: [invalid_base_rule.yaml]
|
||||
validate_errors:
|
||||
- item_type: rule
|
||||
item_name: some rule
|
||||
code: LOAD_ERR_VALIDATE
|
||||
message: "Undefined macro 'bar' used in filter."
|
||||
stdout_contains: |+
|
||||
.*invalid_base_rule.yaml: Ok
|
||||
.*invalid_overwrite_rule.yaml: 1 errors:
|
||||
Undefined macro 'bar' used in filter.
|
||||
---
|
||||
- rule: some rule
|
||||
desc: some desc
|
||||
condition: bar
|
||||
output: some output
|
||||
priority: INFO
|
||||
append: false
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/invalid_base_rule.yaml
|
||||
- rules/invalid_overwrite_rule.yaml
|
||||
@@ -492,12 +480,24 @@ trace_files: !mux
|
||||
|
||||
invalid_append_rule:
|
||||
exit_status: 1
|
||||
validate_ok: [invalid_base_rule.yaml]
|
||||
validate_errors:
|
||||
- item_type: rule
|
||||
item_name: some rule
|
||||
code: LOAD_ERR_COMPILE_CONDITION
|
||||
message: "unexpected token after 'open', expecting 'or', 'and'"
|
||||
stdout_contains: |+
|
||||
.*invalid_base_rule.yaml: Ok
|
||||
.*invalid_append_rule.yaml: 1 errors:
|
||||
Compilation error when compiling "evt.type=open bar": 15: unexpected token after 'open', expecting 'or', 'and'
|
||||
---
|
||||
- rule: some rule
|
||||
desc: some desc
|
||||
condition: evt.type=open
|
||||
output: some output
|
||||
priority: INFO
|
||||
|
||||
- rule: some rule
|
||||
desc: some desc
|
||||
condition: bar
|
||||
output: some output
|
||||
priority: INFO
|
||||
append: true
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/invalid_base_rule.yaml
|
||||
- rules/invalid_append_rule.yaml
|
||||
@@ -505,66 +505,96 @@ trace_files: !mux
|
||||
|
||||
invalid_overwrite_rule_multiple_docs:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: rule
|
||||
item_name: some rule
|
||||
code: LOAD_ERR_VALIDATE
|
||||
message: "Undefined macro 'bar' used in filter."
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Undefined macro 'bar' used in filter.
|
||||
---
|
||||
- rule: some rule
|
||||
desc: some desc
|
||||
condition: bar
|
||||
output: some output
|
||||
priority: INFO
|
||||
append: false
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/invalid_overwrite_rule_multiple_docs.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
invalid_append_rule_multiple_docs:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: rule
|
||||
item_name: some rule
|
||||
code: LOAD_ERR_COMPILE_CONDITION
|
||||
message: "unexpected token after 'open', expecting 'or', 'and'"
|
||||
stdout_contains: |+
|
||||
Compilation error when compiling "evt.type=open bar": 15: unexpected token after 'open', expecting 'or', 'and'
|
||||
---
|
||||
- rule: some rule
|
||||
desc: some desc
|
||||
condition: evt.type=open
|
||||
output: some output
|
||||
priority: INFO
|
||||
|
||||
- rule: some rule
|
||||
desc: some desc
|
||||
condition: bar
|
||||
output: some output
|
||||
priority: INFO
|
||||
append: true
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/invalid_append_rule_multiple_docs.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
invalid_missing_rule_name:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: rule
|
||||
item_name: ""
|
||||
code: LOAD_ERR_YAML_VALIDATE
|
||||
message: "Mapping for key 'rule' is empty"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Rule name is empty
|
||||
---
|
||||
- rule:
|
||||
desc: some desc
|
||||
condition: evt.type=execve
|
||||
output: some output
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/invalid_missing_rule_name.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
invalid_missing_list_name:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: list
|
||||
item_name: ""
|
||||
code: LOAD_ERR_YAML_VALIDATE
|
||||
message: "Mapping for key 'list' is empty"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
List name is empty
|
||||
---
|
||||
- list:
|
||||
items: [foo]
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/invalid_missing_list_name.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
invalid_missing_macro_name:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: macro
|
||||
item_name: ""
|
||||
code: LOAD_ERR_YAML_VALIDATE
|
||||
message: "Mapping for key 'macro' is empty"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Macro name is empty
|
||||
---
|
||||
- macro:
|
||||
condition: evt.type=execve
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/invalid_missing_macro_name.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
invalid_rule_output:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: rule
|
||||
item_name: rule_with_invalid_output
|
||||
code: LOAD_ERR_COMPILE_OUTPUT
|
||||
message: "invalid formatting token not_a_real_field"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Invalid output format 'An open was seen %not_a_real_field': 'invalid formatting token not_a_real_field'
|
||||
---
|
||||
- rule: rule_with_invalid_output
|
||||
desc: A rule with an invalid output field
|
||||
condition: evt.type=open
|
||||
output: "An open was seen %not_a_real_field"
|
||||
priority: WARNING
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/invalid_rule_output.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
@@ -592,13 +622,13 @@ trace_files: !mux
|
||||
rules_file:
|
||||
- rules/single_rule_enabled_flag.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
|
||||
disabled_rule_using_false_enabled_flag_only:
|
||||
detect: False
|
||||
rules_file:
|
||||
- rules/disabled_rule_using_enabled_flag_only.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
|
||||
enabled_rule_using_false_enabled_flag_only:
|
||||
detect: True
|
||||
detect_level: WARNING
|
||||
@@ -995,6 +1025,13 @@ trace_files: !mux
|
||||
- open_12: 0
|
||||
- open_13: 0
|
||||
|
||||
list_append_failure:
|
||||
exit_status: 1
|
||||
stderr_contains: "List my_list has 'append' key but no list by that name already exists"
|
||||
rules_file:
|
||||
- rules/list_append_failure.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
list_append:
|
||||
detect: True
|
||||
detect_level: WARNING
|
||||
@@ -1008,6 +1045,13 @@ trace_files: !mux
|
||||
- rules/list_append_false.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
macro_append_failure:
|
||||
exit_status: 1
|
||||
stderr_contains: "Macro my_macro has 'append' key but no macro by that name already exists"
|
||||
rules_file:
|
||||
- rules/macro_append_failure.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
macro_append:
|
||||
detect: True
|
||||
detect_level: WARNING
|
||||
@@ -1021,6 +1065,13 @@ trace_files: !mux
|
||||
- rules/macro_append_false.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
rule_append_failure:
|
||||
exit_status: 1
|
||||
stderr_contains: "Rule my_rule has 'append' key but no rule by that name already exists"
|
||||
rules_file:
|
||||
- rules/rule_append_failure.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
rule_append_skipped:
|
||||
detect: False
|
||||
priority: ERROR
|
||||
@@ -1101,18 +1152,10 @@ trace_files: !mux
|
||||
dev_null: 0
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
validate_skip_unknown_noevt:
|
||||
validate_warnings:
|
||||
- item_type: rule
|
||||
item_name: "Contains Unknown Event And Skipping"
|
||||
code: LOAD_UNKNOWN_FIELD
|
||||
message: "filter_check called with nonexistent field proc.nobody"
|
||||
validate_rules_file:
|
||||
- rules/skip_unknown_evt.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
detect_skip_unknown_noevt:
|
||||
skip_unknown_noevt:
|
||||
detect: False
|
||||
rules_warning:
|
||||
- Contains Unknown Event And Skipping
|
||||
rules_file:
|
||||
- rules/skip_unknown_evt.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
@@ -1125,34 +1168,41 @@ trace_files: !mux
|
||||
|
||||
skip_unknown_error:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: rule
|
||||
item_name: "Contains Unknown Event And Not Skipping"
|
||||
code: LOAD_ERR_COMPILE_CONDITION
|
||||
message: "filter_check called with nonexistent field proc.nobody"
|
||||
validate_rules_file:
|
||||
stderr_contains: |+
|
||||
Could not load rules file.*skip_unknown_error.yaml: 1 errors:
|
||||
Rule Contains Unknown Event And Not Skipping: error filter_check called with nonexistent field proc.nobody
|
||||
---
|
||||
- rule: Contains Unknown Event And Not Skipping
|
||||
desc: Contains an unknown event
|
||||
condition: proc.nobody=cat
|
||||
output: Never
|
||||
skip-if-unknown-filter: false
|
||||
priority: INFO
|
||||
---
|
||||
rules_file:
|
||||
- rules/skip_unknown_error.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
skip_unknown_unspec_error:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: rule
|
||||
item_name: "Contains Unknown Event And Unspecified"
|
||||
code: LOAD_ERR_COMPILE_CONDITION
|
||||
message: "filter_check called with nonexistent field proc.nobody"
|
||||
validate_rules_file:
|
||||
stderr_contains: |+
|
||||
Could not load rules file .*skip_unknown_unspec.yaml: 1 errors:
|
||||
Rule Contains Unknown Event And Unspecified: error filter_check called with nonexistent field proc.nobody
|
||||
---
|
||||
- rule: Contains Unknown Event And Unspecified
|
||||
desc: Contains an unknown event
|
||||
condition: proc.nobody=cat
|
||||
output: Never
|
||||
priority: INFO
|
||||
---
|
||||
rules_file:
|
||||
- rules/skip_unknown_unspec.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
engine_version_mismatch:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: required_engine_version
|
||||
item_name: ""
|
||||
code: LOAD_ERR_VALIDATE
|
||||
message_contains: "Rules require engine version 9999999, but engine version is"
|
||||
validate_rules_file:
|
||||
stderr_contains: Rules require engine version 9999999, but engine version is
|
||||
rules_file:
|
||||
- rules/engine_version_mismatch.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
|
||||
@@ -20,99 +20,175 @@ trace_files: !mux
|
||||
|
||||
rule_exception_no_fields:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: exception
|
||||
item_name: ex1
|
||||
code: LOAD_ERR_YAML_VALIDATE
|
||||
message: "Item has no mapping for key 'fields'"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Rule exception item ex1: must have fields property with a list of fields
|
||||
---
|
||||
- rule: My Rule
|
||||
desc: Some desc
|
||||
condition: evt.type=open and proc.name=cat
|
||||
output: Some output
|
||||
exceptions:
|
||||
- name: ex1
|
||||
priority: error
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/exceptions/item_no_fields.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
rule_exception_no_name:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: exception
|
||||
item_name: ""
|
||||
code: LOAD_ERR_YAML_VALIDATE
|
||||
message: "Item has no mapping for key 'name'"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Rule exception item must have name property
|
||||
---
|
||||
- rule: My Rule
|
||||
desc: Some desc
|
||||
condition: evt.type=open and proc.name=cat
|
||||
output: Some output
|
||||
exceptions:
|
||||
- fields: [proc.name, fd.filename]
|
||||
priority: error
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/exceptions/item_no_name.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
rule_exception_append_no_name:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: exception
|
||||
item_name: ""
|
||||
code: LOAD_ERR_YAML_VALIDATE
|
||||
message: "Item has no mapping for key 'name'"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Rule exception item must have name property
|
||||
---
|
||||
- rule: My Rule
|
||||
exceptions:
|
||||
- values:
|
||||
- [nginx, /tmp/foo]
|
||||
append: true
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/exceptions/append_item_no_name.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
rule_exception_unknown_fields:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: exception
|
||||
item_name: ex1
|
||||
code: LOAD_ERR_VALIDATE
|
||||
message: "'not.exist' is not a supported filter field"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Rule exception item ex1: field name not.exist is not a supported filter field
|
||||
---
|
||||
- rule: My Rule
|
||||
desc: Some desc
|
||||
condition: evt.type=open and proc.name=cat
|
||||
output: Some output
|
||||
exceptions:
|
||||
- name: ex1
|
||||
fields: [not.exist]
|
||||
priority: error
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/exceptions/item_unknown_fields.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
rule_exception_comps_fields_len_mismatch:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: exception
|
||||
item_name: ex1
|
||||
code: LOAD_ERR_VALIDATE
|
||||
message: "Fields and comps lists must have equal length"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Rule exception item ex1: fields and comps lists must have equal length
|
||||
---
|
||||
- rule: My Rule
|
||||
desc: Some desc
|
||||
condition: evt.type=open and proc.name=cat
|
||||
output: Some output
|
||||
exceptions:
|
||||
- name: ex1
|
||||
fields: [proc.name, fd.filename]
|
||||
comps: [=]
|
||||
priority: error
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/exceptions/item_comps_fields_len_mismatch.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
rule_exception_unknown_comp:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: exception
|
||||
item_name: ex1
|
||||
code: LOAD_ERR_VALIDATE
|
||||
message: "'no-comp' is not a supported comparison operator"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Rule exception item ex1: comparison operator no-comp is not a supported comparison operator
|
||||
---
|
||||
- rule: My Rule
|
||||
desc: Some desc
|
||||
condition: evt.type=open and proc.name=cat
|
||||
output: Some output
|
||||
exceptions:
|
||||
- name: ex1
|
||||
fields: [proc.name, fd.filename]
|
||||
comps: [=, no-comp]
|
||||
priority: error
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/exceptions/item_unknown_comp.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
rule_exception_fields_values_len_mismatch:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: exception
|
||||
item_name: ex1
|
||||
code: LOAD_ERR_VALIDATE
|
||||
message: "Fields and values lists must have equal length"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Exception item ex1: fields and values lists must have equal length
|
||||
---
|
||||
- rule: My Rule
|
||||
desc: Some desc
|
||||
condition: evt.type=open and proc.name=cat
|
||||
output: Some output
|
||||
exceptions:
|
||||
- name: ex1
|
||||
fields: [proc.name, fd.filename]
|
||||
values:
|
||||
- [nginx]
|
||||
priority: error
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/exceptions/item_fields_values_len_mismatch.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
rule_exception_append_fields_values_len_mismatch:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: exception
|
||||
item_name: ex1
|
||||
code: LOAD_ERR_VALIDATE
|
||||
message: "Fields and values lists must have equal length"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Exception item ex1: fields and values lists must have equal length
|
||||
---
|
||||
- rule: My Rule
|
||||
desc: Some desc
|
||||
condition: evt.type=open and proc.name=cat
|
||||
output: Some output
|
||||
exceptions:
|
||||
- name: ex1
|
||||
fields: [proc.name, fd.filename]
|
||||
priority: error
|
||||
|
||||
- rule: My Rule
|
||||
exceptions:
|
||||
- name: ex1
|
||||
values:
|
||||
- [nginx]
|
||||
append: true
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/exceptions/append_item_fields_values_len_mismatch.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
rule_exception_append_item_not_in_rule:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: exception
|
||||
item_name: ex2
|
||||
code: LOAD_ERR_VALIDATE
|
||||
message: "Rule exception must have fields property with a list of fields"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Rule exception new item ex2: must have fields property with a list of fields
|
||||
---
|
||||
- rule: My Rule
|
||||
exceptions:
|
||||
- name: ex2
|
||||
values:
|
||||
- [apache, /tmp]
|
||||
append: true
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/exceptions/append_item_not_in_rule.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
@@ -249,7 +325,7 @@ trace_files: !mux
|
||||
rules_file:
|
||||
- rules/exceptions/rule_exception_new_single_field_append.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
|
||||
rule_exception_new_second_field_append:
|
||||
detect: False
|
||||
detect_level: WARNING
|
||||
@@ -259,11 +335,18 @@ trace_files: !mux
|
||||
|
||||
rule_exception_new_append_no_field:
|
||||
exit_status: 1
|
||||
validate_errors:
|
||||
- item_type: exception
|
||||
item_name: proc_cmdline
|
||||
code: LOAD_ERR_VALIDATE
|
||||
message: "Rule exception must have fields property with a list of fields"
|
||||
stdout_is: |+
|
||||
1 errors:
|
||||
Rule exception new item proc_cmdline: must have fields property with a list of fields
|
||||
---
|
||||
- rule: Open From Cat
|
||||
exceptions:
|
||||
- name: proc_cmdline
|
||||
comps: in
|
||||
values:
|
||||
- "cat /dev/null"
|
||||
append: true
|
||||
---
|
||||
validate_rules_file:
|
||||
- rules/exceptions/rule_exception_new_no_field_append.yaml
|
||||
trace_file: trace_files/cat_write.scap
|
||||
|
||||
@@ -75,7 +75,7 @@ trace_files: !mux
|
||||
|
||||
incompat_plugin_api:
|
||||
exit_status: 1
|
||||
stderr_contains: "plugin required API version '10000000.0.0' not compatible with the framework's API version '.*'"
|
||||
stderr_contains: "Plugin required API version '10000000.0.0' is not supported by the plugin API version of the framework '.*'"
|
||||
conf_file: BUILD_DIR/test/confs/plugins/incompatible_plugin_api.yaml
|
||||
rules_file:
|
||||
- rules/plugins/cloudtrail_create_instances.yaml
|
||||
@@ -89,30 +89,27 @@ trace_files: !mux
|
||||
|
||||
wrong_plugin_path:
|
||||
exit_status: 1
|
||||
stderr_contains: "cannot load plugin.*No such file or directory"
|
||||
stderr_contains: "error loading plugin.*No such file or directory. Exiting"
|
||||
conf_file: BUILD_DIR/test/confs/plugins/wrong_plugin_path.yaml
|
||||
rules_file:
|
||||
- rules/plugins/cloudtrail_incompat_plugin_version.yaml
|
||||
|
||||
no_plugins_unknown_source:
|
||||
exit_status: 0
|
||||
validate_warnings:
|
||||
- item_type: rule
|
||||
item_name: Cloudtrail Create Instance
|
||||
code: LOAD_UNKNOWN_SOURCE
|
||||
message: "Unknown source aws_cloudtrail, skipping"
|
||||
validate_rules_file:
|
||||
detect: False
|
||||
rules_file:
|
||||
- rules/plugins/cloudtrail_create_instances.yaml
|
||||
trace_file: trace_files/empty.scap
|
||||
rules_warning:
|
||||
- Cloudtrail Create Instance
|
||||
stderr_contains: "Rule Cloudtrail Create Instance: warning .unknown-source.: unknown source aws_cloudtrail, skipping"
|
||||
|
||||
no_plugins_unknown_source_rule_exception:
|
||||
exit_status: 0
|
||||
validate_warnings:
|
||||
- item_type: rule
|
||||
item_name: Cloudtrail Create Instance
|
||||
code: LOAD_UNKNOWN_SOURCE
|
||||
message: "Unknown source aws_cloudtrail, skipping"
|
||||
validate_rules_file:
|
||||
detect: False
|
||||
rules_file:
|
||||
- rules/plugins/cloudtrail_create_instances_exceptions.yaml
|
||||
|
||||
trace_file: trace_files/empty.scap
|
||||
rules_warning:
|
||||
- Cloudtrail Create Instance
|
||||
stderr_contains: "Rule Cloudtrail Create Instance: warning .unknown-source.: unknown source aws_cloudtrail, skipping"
|
||||
|
||||
|
||||
|
||||
@@ -30,7 +30,6 @@ traces: !mux
|
||||
|
||||
container-privileged:
|
||||
trace_file: traces-positive/container-privileged.scap
|
||||
all_events: True
|
||||
detect: True
|
||||
detect_level: INFO
|
||||
detect_counts:
|
||||
@@ -38,7 +37,6 @@ traces: !mux
|
||||
|
||||
container-sensitive-mount:
|
||||
trace_file: traces-positive/container-sensitive-mount.scap
|
||||
all_events: True
|
||||
detect: True
|
||||
detect_level: INFO
|
||||
detect_counts:
|
||||
@@ -53,7 +51,6 @@ traces: !mux
|
||||
|
||||
db-program-spawned-process:
|
||||
trace_file: traces-positive/db-program-spawned-process.scap
|
||||
all_events: True
|
||||
detect: True
|
||||
detect_level: NOTICE
|
||||
detect_counts:
|
||||
@@ -135,7 +132,6 @@ traces: !mux
|
||||
|
||||
system-user-interactive:
|
||||
trace_file: traces-positive/system-user-interactive.scap
|
||||
all_events: True
|
||||
detect: True
|
||||
detect_level: INFO
|
||||
detect_counts:
|
||||
@@ -143,7 +139,6 @@ traces: !mux
|
||||
|
||||
user-mgmt-binaries:
|
||||
trace_file: traces-positive/user-mgmt-binaries.scap
|
||||
all_events: True
|
||||
detect: True
|
||||
detect_level: NOTICE
|
||||
detect_counts:
|
||||
@@ -174,7 +169,6 @@ traces: !mux
|
||||
# When a new version of the scap files is generated this should then become "traces-positive"
|
||||
docker-compose:
|
||||
trace_file: traces-negative/docker-compose.scap
|
||||
all_events: True
|
||||
detect: True
|
||||
detect_level: NOTICE
|
||||
detect_counts:
|
||||
|
||||
19
test/rules/macro_append_failure.yaml
Normal file
19
test/rules/macro_append_failure.yaml
Normal file
@@ -0,0 +1,19 @@
|
||||
#
|
||||
# Copyright (C) 2019 The Falco Authors.
|
||||
#
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
- macro: my_macro
|
||||
condition: proc.name=not-cat
|
||||
append: true
|
||||
25
test/utils/run_sysdig.sh
Normal file
25
test/utils/run_sysdig.sh
Normal file
@@ -0,0 +1,25 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# Copyright (C) 2019 The Falco Authors.
|
||||
#
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
# Run sysdig excluding all events that aren't used by Falco and also
|
||||
# excluding other high-volume events that aren't essential. This
|
||||
# results in smaller trace files.
|
||||
|
||||
# The remaining arguments are taken from the command line.
|
||||
|
||||
exec sudo sysdig not evt.type in '(mprotect,brk,mq_timedreceive,mq_receive,mq_timedsend,mq_send,getrusage,procinfo,rt_sigprocmask,rt_sigaction,ioctl,clock_getres,clock_gettime,clock_nanosleep,clock_settime,close,epoll_create,epoll_create1,epoll_ctl,epoll_pwait,epoll_wait,eventfd,fcntl,fcntl64,fstat,fstat64,fstatat64,fstatfs,fstatfs64,futex,getitimer,gettimeofday,ioprio_get,ioprio_set,llseek,lseek,lstat,lstat64,mmap,mmap2,munmap,nanosleep,poll,ppoll,pread,pread64,preadv,procinfo,pselect6,pwrite,pwrite64,pwritev,read,readv,recv,recvfrom,recvmmsg,recvmsg,sched_yield,select,send,sendfile,sendfile64,sendmmsg,sendmsg,sendto,setitimer,settimeofday,shutdown,splice,stat,stat64,statfs,statfs64,switch,tee,timer_create,timer_delete,timerfd_create,timerfd_gettime,timerfd_settime,timer_getoverrun,timer_gettime,timer_settime,wait4,write,writev) and user.name!=ec2-user' "$@"
|
||||
@@ -57,14 +57,12 @@ ast::expr* compile(const string &fltstr)
|
||||
TEST_CASE("Should find event types from filter", "[rule_loader]")
|
||||
{
|
||||
set<uint16_t> openat_only{
|
||||
PPME_SYSCALL_OPENAT_E, PPME_SYSCALL_OPENAT_X,
|
||||
PPME_SYSCALL_OPENAT_2_E, PPME_SYSCALL_OPENAT_2_X };
|
||||
|
||||
set<uint16_t> close_only{
|
||||
PPME_SYSCALL_CLOSE_E, PPME_SYSCALL_CLOSE_X };
|
||||
|
||||
set<uint16_t> openat_close{
|
||||
PPME_SYSCALL_OPENAT_E, PPME_SYSCALL_OPENAT_X,
|
||||
PPME_SYSCALL_OPENAT_2_E, PPME_SYSCALL_OPENAT_2_X,
|
||||
PPME_SYSCALL_CLOSE_E, PPME_SYSCALL_CLOSE_X };
|
||||
|
||||
@@ -75,8 +73,9 @@ TEST_CASE("Should find event types from filter", "[rule_loader]")
|
||||
set<uint16_t> no_events;
|
||||
for(uint32_t i = 2; i < PPM_EVENT_MAX; i++)
|
||||
{
|
||||
// Skip events that are unused.
|
||||
if(g_infotables.m_event_info[i].flags & EF_UNUSED)
|
||||
// Skip "old" event versions that have been replaced
|
||||
// by newer event versions, or events that are unused.
|
||||
if(g_infotables.m_event_info[i].flags & (EF_OLD_VERSION | EF_UNUSED))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
@@ -232,4 +231,4 @@ TEST_CASE("Should find event types from filter", "[rule_loader]")
|
||||
auto f = compile("not (not evt.type=openat)");
|
||||
compare_evttypes(f, openat_only);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -19,7 +19,7 @@ limitations under the License.
|
||||
|
||||
static bool warns(const std::string& condition)
|
||||
{
|
||||
std::set<falco::load_result::warning_code> w;
|
||||
std::set<std::string> w;
|
||||
auto ast = libsinsp::filter::parser(condition).parse();
|
||||
filter_warning_resolver().run(ast, w);
|
||||
delete ast;
|
||||
|
||||
@@ -13,7 +13,6 @@
|
||||
set(FALCO_ENGINE_SOURCE_FILES
|
||||
falco_common.cpp
|
||||
falco_engine.cpp
|
||||
falco_load_result.cpp
|
||||
falco_utils.cpp
|
||||
json_evt.cpp
|
||||
evttype_index_ruleset.cpp
|
||||
|
||||
@@ -18,7 +18,6 @@ limitations under the License.
|
||||
#include <unistd.h>
|
||||
#include <string>
|
||||
#include <fstream>
|
||||
#include <utility>
|
||||
|
||||
#include <sinsp.h>
|
||||
#include <plugin.h>
|
||||
@@ -37,7 +36,6 @@ limitations under the License.
|
||||
const std::string falco_engine::s_default_ruleset = "falco-default-ruleset";
|
||||
|
||||
using namespace std;
|
||||
using namespace falco;
|
||||
|
||||
falco_engine::falco_engine(bool seed_rng)
|
||||
: m_next_ruleset_id(0),
|
||||
@@ -167,89 +165,80 @@ void falco_engine::list_fields(std::string &source, bool verbose, bool names_onl
|
||||
|
||||
void falco_engine::load_rules(const string &rules_content, bool verbose, bool all_events)
|
||||
{
|
||||
static const std::string no_name = "N/A";
|
||||
uint64_t dummy;
|
||||
|
||||
std::unique_ptr<load_result> res = load_rules(rules_content, no_name);
|
||||
|
||||
if(verbose)
|
||||
{
|
||||
// Here, verbose controls whether to additionally
|
||||
// "log" e.g. print to stderr. What's logged is always
|
||||
// non-verbose so it fits on a single line.
|
||||
// todo(jasondellaluce): introduce a logging callback in Falco
|
||||
fprintf(stderr, "%s\n", res->as_string(false).c_str());
|
||||
}
|
||||
|
||||
if(!res->successful())
|
||||
{
|
||||
// The output here is always the full e.g. "verbose" output.
|
||||
throw falco_exception(res->as_string(true).c_str());
|
||||
}
|
||||
return load_rules(rules_content, verbose, all_events, dummy);
|
||||
}
|
||||
|
||||
std::unique_ptr<load_result> falco_engine::load_rules(const std::string &rules_content, const std::string &name)
|
||||
void falco_engine::load_rules(const string &rules_content, bool verbose, bool all_events, uint64_t &required_engine_version)
|
||||
{
|
||||
rule_loader::configuration cfg(rules_content, m_sources, name);
|
||||
rule_loader::configuration cfg(rules_content, m_sources);
|
||||
cfg.min_priority = m_min_priority;
|
||||
cfg.output_extra = m_extra;
|
||||
cfg.replace_output_container_info = m_replace_container_info;
|
||||
cfg.default_ruleset_id = m_default_ruleset_id;
|
||||
|
||||
std::ostringstream os;
|
||||
rule_reader reader;
|
||||
if (reader.load(cfg, m_rule_loader))
|
||||
bool success = reader.load(cfg, m_rule_loader);
|
||||
if (success)
|
||||
{
|
||||
for (auto &src : m_sources)
|
||||
{
|
||||
src.ruleset = src.ruleset_factory->new_ruleset();
|
||||
}
|
||||
m_rules.clear();
|
||||
m_rule_loader.compile(cfg, m_rules);
|
||||
success = m_rule_loader.compile(cfg, m_rules);
|
||||
}
|
||||
|
||||
return std::move(cfg.res);
|
||||
}
|
||||
|
||||
void falco_engine::load_rules_file(const std::string &rules_filename, bool verbose, bool all_events)
|
||||
{
|
||||
std::unique_ptr<load_result> res = load_rules_file(rules_filename);
|
||||
|
||||
if(verbose)
|
||||
if (!cfg.errors.empty())
|
||||
{
|
||||
// Here, verbose controls whether to additionally
|
||||
// "log" e.g. print to stderr. What's logged is always
|
||||
// non-verbose so it fits on a single line.
|
||||
os << cfg.errors.size() << " errors:" << std::endl;
|
||||
for(auto &err : cfg.errors)
|
||||
{
|
||||
os << err << std::endl;
|
||||
}
|
||||
}
|
||||
if (!cfg.warnings.empty())
|
||||
{
|
||||
os << cfg.warnings.size() << " warnings:" << std::endl;
|
||||
for(auto &warn : cfg.warnings)
|
||||
{
|
||||
os << warn << std::endl;
|
||||
}
|
||||
}
|
||||
if(!success)
|
||||
{
|
||||
throw falco_exception(os.str());
|
||||
}
|
||||
if (verbose && os.str() != "") {
|
||||
// todo(jasondellaluce): introduce a logging callback in Falco
|
||||
fprintf(stderr, "%s\n", res->as_string(false).c_str());
|
||||
}
|
||||
|
||||
if(!res->successful())
|
||||
{
|
||||
// The output here is always the full e.g. "verbose" output.
|
||||
throw falco_exception(res->as_string(true).c_str());
|
||||
fprintf(stderr, "When reading rules content: %s", os.str().c_str());
|
||||
}
|
||||
}
|
||||
|
||||
std::unique_ptr<load_result> falco_engine::load_rules_file(const string &rules_filename)
|
||||
void falco_engine::load_rules_file(const string &rules_filename, bool verbose, bool all_events)
|
||||
{
|
||||
uint64_t dummy;
|
||||
|
||||
return load_rules_file(rules_filename, verbose, all_events, dummy);
|
||||
}
|
||||
|
||||
void falco_engine::load_rules_file(const string &rules_filename, bool verbose, bool all_events, uint64_t &required_engine_version)
|
||||
{
|
||||
ifstream is;
|
||||
|
||||
is.open(rules_filename);
|
||||
if (!is.is_open())
|
||||
{
|
||||
rule_loader::context ctx(rules_filename);
|
||||
std::string empty;
|
||||
|
||||
std::unique_ptr<rule_loader::result> res(new rule_loader::result(rules_filename));
|
||||
|
||||
res->add_error(load_result::LOAD_ERR_FILE_READ, "Could not open for reading.", ctx, empty);
|
||||
|
||||
return std::move(res);
|
||||
throw falco_exception("Could not open rules filename " +
|
||||
rules_filename + " " +
|
||||
"for reading");
|
||||
}
|
||||
|
||||
string rules_content((istreambuf_iterator<char>(is)),
|
||||
istreambuf_iterator<char>());
|
||||
|
||||
return load_rules(rules_content, rules_filename);
|
||||
load_rules(rules_content, verbose, all_events, required_engine_version);
|
||||
}
|
||||
|
||||
void falco_engine::enable_rule(const string &substring, bool enabled, const string &ruleset)
|
||||
@@ -350,7 +339,7 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_event(std::size_t so
|
||||
{
|
||||
return unique_ptr<struct rule_result>();
|
||||
}
|
||||
|
||||
|
||||
unique_ptr<struct rule_result> res(new rule_result());
|
||||
res->evt = ev;
|
||||
res->rule = rule.name;
|
||||
@@ -452,8 +441,8 @@ bool falco_engine::check_plugin_requirements(
|
||||
if (!plugin_version.check(req_version))
|
||||
{
|
||||
err = "Plugin '" + plugin.name
|
||||
+ "' version '" + plugin.version
|
||||
+ "' is not compatible with required plugin version '"
|
||||
+ "' version '" + plugin.version
|
||||
+ "' is not compatible with required plugin version '"
|
||||
+ reqver + "'";
|
||||
return false;
|
||||
}
|
||||
|
||||
@@ -34,7 +34,6 @@ limitations under the License.
|
||||
#include "stats_manager.h"
|
||||
#include "falco_common.h"
|
||||
#include "falco_source.h"
|
||||
#include "falco_load_result.h"
|
||||
|
||||
//
|
||||
// This class acts as the primary interface between a program and the
|
||||
@@ -65,10 +64,11 @@ public:
|
||||
void load_rules(const std::string &rules_content, bool verbose, bool all_events);
|
||||
|
||||
//
|
||||
// Identical to above, but returns a result object instead of
|
||||
// throwing exceptions on error.
|
||||
std::unique_ptr<falco::load_result> load_rules_file(const std::string &rules_filename);
|
||||
std::unique_ptr<falco::load_result> load_rules(const std::string &rules_content, const std::string &name);
|
||||
// Identical to above, but also returns the required engine version for the file/content.
|
||||
// (If no required engine version is specified, returns 0).
|
||||
//
|
||||
void load_rules_file(const std::string &rules_filename, bool verbose, bool all_events, uint64_t &required_engine_version);
|
||||
void load_rules(const std::string &rules_content, bool verbose, bool all_events, uint64_t &required_engine_version);
|
||||
|
||||
//
|
||||
// Enable/Disable any rules matching the provided substring.
|
||||
@@ -145,7 +145,7 @@ public:
|
||||
// of all output expressions. You can also choose to replace
|
||||
// %container.info with the extra information or add it to the
|
||||
// end of the expression. This is used in open source falco to
|
||||
// add k8s/container information to outputs when
|
||||
// add k8s/mesos/container information to outputs when
|
||||
// available.
|
||||
//
|
||||
void set_extra(string &extra, bool replace_container_info);
|
||||
@@ -188,7 +188,7 @@ public:
|
||||
std::size_t add_source(const std::string &source,
|
||||
std::shared_ptr<gen_event_filter_factory> filter_factory,
|
||||
std::shared_ptr<gen_event_formatter_factory> formatter_factory);
|
||||
|
||||
|
||||
//
|
||||
// Equivalent to above, but allows specifying a ruleset factory
|
||||
// for the newly added source.
|
||||
|
||||
@@ -16,9 +16,9 @@ limitations under the License.
|
||||
|
||||
// The version of rules/filter fields/etc supported by this Falco
|
||||
// engine.
|
||||
#define FALCO_ENGINE_VERSION (14)
|
||||
#define FALCO_ENGINE_VERSION (13)
|
||||
|
||||
// This is the result of running "falco --list -N | sha256sum" and
|
||||
// represents the fields supported by this version of Falco. It's used
|
||||
// at build time to detect a changed set of fields.
|
||||
#define FALCO_FIELDS_CHECKSUM "674c6cf2bc1c105038c8676f018fa3d1431d86597df428453441f5d859cad284"
|
||||
#define FALCO_FIELDS_CHECKSUM "94290ff98e5affc85b2287b09a3f4054918f14e90db1ac4bfd6d5ce4e910329c"
|
||||
|
||||
@@ -1,104 +0,0 @@
|
||||
/*
|
||||
Copyright (C) 2022 The Falco Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
#include "falco_load_result.h"
|
||||
|
||||
static const std::string error_codes[] = {
|
||||
"LOAD_ERR_FILE_READ",
|
||||
"LOAD_ERR_YAML_PARSE",
|
||||
"LOAD_ERR_YAML_VALIDATE",
|
||||
"LOAD_ERR_COMPILE_CONDITION",
|
||||
"LOAD_ERR_COMPILE_OUTPUT",
|
||||
"LOAD_ERR_VALIDATE"
|
||||
};
|
||||
|
||||
const std::string& falco::load_result::error_code_str(error_code ec)
|
||||
{
|
||||
return error_codes[ec];
|
||||
}
|
||||
|
||||
static const std::string error_strings[] = {
|
||||
"File read error",
|
||||
"YAML parse error",
|
||||
"Error validating internal structure of YAML file",
|
||||
"Error compiling condition",
|
||||
"Error compiling output",
|
||||
"Error validating rule/macro/list/exception objects"
|
||||
};
|
||||
|
||||
const std::string& falco::load_result::error_str(error_code ec)
|
||||
{
|
||||
return error_strings[ec];
|
||||
}
|
||||
|
||||
static const std::string error_descs[] = {
|
||||
"This occurs when falco can not read a given file. Check permissions and whether the file exists.",
|
||||
"This occurs when the rules content is not valid YAML.",
|
||||
"This occurs when the internal structure of the YAML file is incorrect. Examples include not consisting of a sequence of maps, a given rule/macro/list item not having required keys, values not having the right type (e.g. the items property of a list not being a sequence), etc.",
|
||||
"This occurs when a condition string can not be compiled to a filter object.",
|
||||
"This occurs when an output string can not be compiled to an output object.",
|
||||
"This occurs when a rule/macro/list item is incorrect. Examples include a condition field referring to an undefined macro, falco engine/plugin version mismatches, items with append without any existing item, exception fields/comps having different lengths, etc."
|
||||
};
|
||||
|
||||
const std::string& falco::load_result::error_desc(error_code ec)
|
||||
{
|
||||
return error_strings[ec];
|
||||
}
|
||||
|
||||
static const std::string warning_codes[] = {
|
||||
"LOAD_UNKNOWN_SOURCE",
|
||||
"LOAD_UNSAFE_NA_CHECK",
|
||||
"LOAD_NO_EVTTYPE",
|
||||
"LOAD_UNKNOWN_FIELD",
|
||||
"LOAD_UNUSED_MACRO",
|
||||
"LOAD_UNUSED_LIST",
|
||||
"LOAD_UNKNOWN_ITEM"
|
||||
};
|
||||
|
||||
const std::string& falco::load_result::warning_code_str(warning_code wc)
|
||||
{
|
||||
return warning_codes[wc];
|
||||
}
|
||||
|
||||
static const std::string warning_strings[] = {
|
||||
"Unknown event source",
|
||||
"Unsafe <NA> comparison in condition",
|
||||
"Condition has no event-type restriction",
|
||||
"Unknown field in condition",
|
||||
"Unused macro",
|
||||
"Unused list",
|
||||
"Unknown rules file item"
|
||||
};
|
||||
|
||||
const std::string& falco::load_result::warning_str(warning_code wc)
|
||||
{
|
||||
return warning_strings[wc];
|
||||
}
|
||||
|
||||
static const std::string warning_descs[] = {
|
||||
"A rule has a unknown event source. This can occur when reading rules content without having a corresponding plugin loaded, etc. The rule will be silently ignored.",
|
||||
"Comparing a field value with <NA> is unsafe and can lead to unpredictable behavior of the rule condition. If you need to check for the existence of a field, consider using the 'exists' operator instead.",
|
||||
"A rule condition matches too many evt.type values. This has a significant performance penalty. Make the condition more specific by adding an evt.type field or further restricting the number of evt.type values in the condition.",
|
||||
"A rule condition refers to a field that does not exist. This is normally an error, but if a rule has a skip-if-unknown-filter property, the error is downgraded to a warning.",
|
||||
"A macro is defined in the rules content but is not used by any other macro or rule.",
|
||||
"A list is defined in the rules content but is not used by any other list, macro, or rule.",
|
||||
"An unknown top-level object is in the rules content. It will be ignored."
|
||||
};
|
||||
|
||||
const std::string& falco::load_result::warning_desc(warning_code wc)
|
||||
{
|
||||
return warning_descs[wc];
|
||||
}
|
||||
@@ -1,94 +0,0 @@
|
||||
/*
|
||||
Copyright (C) 2022 The Falco Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
#pragma once
|
||||
|
||||
#include <string>
|
||||
#include <nlohmann/json.hpp>
|
||||
|
||||
namespace falco
|
||||
{
|
||||
|
||||
// Represents the result of loading a rules file.
|
||||
class load_result {
|
||||
public:
|
||||
|
||||
enum error_code {
|
||||
LOAD_ERR_FILE_READ = 0,
|
||||
LOAD_ERR_YAML_PARSE,
|
||||
LOAD_ERR_YAML_VALIDATE,
|
||||
LOAD_ERR_COMPILE_CONDITION,
|
||||
LOAD_ERR_COMPILE_OUTPUT,
|
||||
LOAD_ERR_VALIDATE
|
||||
};
|
||||
|
||||
// The error code as a string
|
||||
static const std::string& error_code_str(error_code ec);
|
||||
|
||||
// A short string representation of the error
|
||||
static const std::string& error_str(error_code ec);
|
||||
|
||||
// A longer description of what the error represents and the
|
||||
// impact.
|
||||
static const std::string& error_desc(error_code ec);
|
||||
|
||||
enum warning_code {
|
||||
LOAD_UNKNOWN_SOURCE = 0,
|
||||
LOAD_UNSAFE_NA_CHECK,
|
||||
LOAD_NO_EVTTYPE,
|
||||
LOAD_UNKNOWN_FIELD,
|
||||
LOAD_UNUSED_MACRO,
|
||||
LOAD_UNUSED_LIST,
|
||||
LOAD_UNKNOWN_ITEM
|
||||
};
|
||||
|
||||
// The warning code as a string
|
||||
static const std::string& warning_code_str(warning_code ec);
|
||||
|
||||
// A short string representation of the warning
|
||||
static const std::string& warning_str(warning_code ec);
|
||||
|
||||
// A longer description of what the warning represents and the
|
||||
// impact.
|
||||
static const std::string& warning_desc(warning_code ec);
|
||||
|
||||
// If true, the rules were loaded successfully and can be used
|
||||
// against events. If false, there were one or more
|
||||
// errors--use one of the as_xxx methods to return information
|
||||
// about why the rules could not be loaded.
|
||||
virtual bool successful() = 0;
|
||||
|
||||
// If true, there were one or more warnings. successful() and
|
||||
// has_warnings() can both be true if there were only warnings.
|
||||
virtual bool has_warnings() = 0;
|
||||
|
||||
// This contains a human-readable version of the result,
|
||||
// suitable for display to end users.
|
||||
//
|
||||
// When verbose is true, the returned value has full details
|
||||
// on the result including document locations/context.
|
||||
//
|
||||
// When verbose is false, the returned value is a short string
|
||||
// with the success value and a list of
|
||||
// errors/warnings. Suitable for simple one-line display.
|
||||
virtual const std::string& as_string(bool verbose) = 0;
|
||||
|
||||
// This contains the full result structure as json, suitable
|
||||
// for automated parsing/interpretation downstream.
|
||||
virtual const nlohmann::json& as_json() = 0;
|
||||
};
|
||||
|
||||
} // namespace falco
|
||||
@@ -48,8 +48,9 @@ void filter_evttype_resolver::visitor::evttypes(string evtname, set<uint16_t>& o
|
||||
const struct ppm_event_info* etable = g_infotables.m_event_info;
|
||||
for(uint16_t i = 2; i < PPM_EVENT_MAX; i++)
|
||||
{
|
||||
// Skip unused events or events not matching the requested evtname
|
||||
if(!(etable[i].flags & EF_UNUSED)
|
||||
// Skip "old" event versions, unused events, or events not matching
|
||||
// the requested evtname
|
||||
if(!(etable[i].flags & (EF_OLD_VERSION | EF_UNUSED))
|
||||
&& (evtname.empty() || string(etable[i].name) == evtname))
|
||||
{
|
||||
out.insert(i);
|
||||
|
||||
@@ -17,9 +17,8 @@ limitations under the License.
|
||||
#include <sinsp.h>
|
||||
#include "filter_warning_resolver.h"
|
||||
|
||||
using namespace falco;
|
||||
|
||||
static const char* no_value = "<NA>";
|
||||
static const char* warn_unsafe_na_check = "unsafe-na-check";
|
||||
|
||||
static inline bool is_unsafe_field(const string& f)
|
||||
{
|
||||
@@ -35,7 +34,7 @@ static inline bool is_equality_operator(const string& op)
|
||||
|
||||
bool filter_warning_resolver::run(
|
||||
libsinsp::filter::ast::expr* filter,
|
||||
std::set<load_result::warning_code>& warnings) const
|
||||
std::set<string>& warnings) const
|
||||
{
|
||||
visitor v;
|
||||
auto size = warnings.size();
|
||||
@@ -45,6 +44,22 @@ bool filter_warning_resolver::run(
|
||||
return warnings.size() > size;
|
||||
}
|
||||
|
||||
// todo(jasondellaluce): use an hard-coded map once we support more warnings
|
||||
bool filter_warning_resolver::format(
|
||||
const std::string& code,
|
||||
std::string& out) const
|
||||
{
|
||||
if (code == warn_unsafe_na_check)
|
||||
{
|
||||
out = "comparing a field value with <NA> is unsafe and can lead to "
|
||||
"unpredictable behavior of the rule condition. If you need to "
|
||||
" check for the existence of a field, consider using the "
|
||||
"'exists' operator instead.";
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
void filter_warning_resolver::visitor::visit(
|
||||
libsinsp::filter::ast::binary_check_expr* e)
|
||||
{
|
||||
@@ -61,7 +76,7 @@ void filter_warning_resolver::visitor::visit(
|
||||
{
|
||||
if (m_is_equality_check && e->value == no_value)
|
||||
{
|
||||
m_warnings->insert(load_result::LOAD_UNSAFE_NA_CHECK);
|
||||
m_warnings->insert(warn_unsafe_na_check);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -71,6 +86,6 @@ void filter_warning_resolver::visitor::visit(
|
||||
if (m_is_equality_check
|
||||
&& std::find(e->values.begin(), e->values.end(), no_value) != e->values.end())
|
||||
{
|
||||
m_warnings->insert(load_result::LOAD_UNSAFE_NA_CHECK);
|
||||
m_warnings->insert(warn_unsafe_na_check);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -21,7 +21,6 @@ limitations under the License.
|
||||
#include <set>
|
||||
#include <memory>
|
||||
#include "falco_common.h"
|
||||
#include "falco_load_result.h"
|
||||
|
||||
/*!
|
||||
\brief Searches for bad practices in filter conditions and
|
||||
@@ -43,13 +42,40 @@ public:
|
||||
*/
|
||||
bool run(
|
||||
libsinsp::filter::ast::expr* filter,
|
||||
std::set<falco::load_result::warning_code>& warnings) const;
|
||||
std::set<std::string>& warnings) const;
|
||||
|
||||
/*!
|
||||
\brief Given a warning code retrieved through run(), returns
|
||||
a verbose message describing the problem of the warning.
|
||||
\param code The warning code string
|
||||
\param out The string to be filled-out with the warning message
|
||||
\return true if the warning code is recognized, false otherwise
|
||||
*/
|
||||
bool format(const std::string& code, std::string& out) const;
|
||||
|
||||
/*!
|
||||
\brief Given a warning code retrieved through run(), returns
|
||||
a verbose message describing the problem of the warning.
|
||||
\param code The warning code string
|
||||
\return The warning message string
|
||||
\throw falco_exception if the warning code is not recognized
|
||||
|
||||
*/
|
||||
inline std::string format(const std::string& code) const
|
||||
{
|
||||
std::string v;
|
||||
if (!format(code, v))
|
||||
{
|
||||
throw falco_exception("unrecognized warning code: " + code);
|
||||
}
|
||||
return v;
|
||||
}
|
||||
|
||||
private:
|
||||
struct visitor : public libsinsp::filter::ast::base_expr_visitor
|
||||
{
|
||||
bool m_is_equality_check;
|
||||
std::set<falco::load_result::warning_code>* m_warnings;
|
||||
std::set<std::string>* m_warnings;
|
||||
|
||||
void visit(libsinsp::filter::ast::value_expr* e) override;
|
||||
void visit(libsinsp::filter::ast::list_expr* e) override;
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
@@ -20,10 +20,8 @@ limitations under the License.
|
||||
#include <string>
|
||||
#include <vector>
|
||||
#include <yaml-cpp/yaml.h>
|
||||
#include <nlohmann/json.hpp>
|
||||
#include "falco_rule.h"
|
||||
#include "falco_source.h"
|
||||
#include "falco_load_result.h"
|
||||
#include "indexed_vector.h"
|
||||
|
||||
|
||||
@@ -33,111 +31,34 @@ limitations under the License.
|
||||
class rule_loader
|
||||
{
|
||||
public:
|
||||
class context
|
||||
{
|
||||
public:
|
||||
struct location
|
||||
{
|
||||
// The original location in the document
|
||||
YAML::Mark mark;
|
||||
|
||||
// The kind of item at this location
|
||||
// (e.g. "list", "macro", "rule", "exception", etc)
|
||||
std::string item_type;
|
||||
|
||||
// The name of this item (e.g. "Write Below Etc",
|
||||
// etc).
|
||||
std::string item_name;
|
||||
};
|
||||
|
||||
context(const std::string& name);
|
||||
context(const YAML::Node& mark,
|
||||
const std::string item_type,
|
||||
const std::string item_name,
|
||||
const context& parent);
|
||||
virtual ~context() = default;
|
||||
|
||||
// Return a snippet of the provided rules content
|
||||
// corresponding to this context.
|
||||
std::string snippet(const std::string& content) const;
|
||||
|
||||
std::string as_string();
|
||||
nlohmann::json as_json();
|
||||
|
||||
private:
|
||||
std::string name;
|
||||
|
||||
// A chain of locations from the current item, its
|
||||
// parent, possibly older ancestors.
|
||||
std::vector<location> m_locs;
|
||||
};
|
||||
|
||||
struct warning
|
||||
{
|
||||
falco::load_result::warning_code wc;
|
||||
std::string msg;
|
||||
context ctx;
|
||||
std::string snippet;
|
||||
};
|
||||
|
||||
struct error
|
||||
{
|
||||
falco::load_result::error_code ec;
|
||||
std::string msg;
|
||||
context ctx;
|
||||
std::string snippet;
|
||||
};
|
||||
|
||||
class rule_load_exception : public std::exception
|
||||
{
|
||||
public:
|
||||
rule_load_exception(falco::load_result::error_code ec, std::string msg, const context& ctx);
|
||||
virtual ~rule_load_exception();
|
||||
const char* what();
|
||||
|
||||
falco::load_result::error_code ec;
|
||||
std::string msg;
|
||||
context ctx;
|
||||
|
||||
std::string errstr;
|
||||
};
|
||||
|
||||
/*!
|
||||
\brief Contains the result of loading rule definitions
|
||||
\brief Represents a section of text from which a certain info
|
||||
struct has been decoded
|
||||
*/
|
||||
class result : public falco::load_result
|
||||
struct context
|
||||
{
|
||||
public:
|
||||
result(const std::string &name);
|
||||
virtual ~result() = default;
|
||||
std::string content;
|
||||
|
||||
virtual bool successful() override;
|
||||
virtual bool has_warnings() override;
|
||||
virtual const std::string& as_string(bool verbose) override;
|
||||
virtual const nlohmann::json& as_json() override;
|
||||
/*!
|
||||
\brief Wraps an error by adding info about the text section
|
||||
*/
|
||||
inline std::string error(std::string err) const
|
||||
{
|
||||
std::string cnt = content;
|
||||
err += "\n---\n";
|
||||
err += trim(cnt);
|
||||
err += "\n---";
|
||||
return err;
|
||||
}
|
||||
|
||||
void add_error(falco::load_result::error_code ec,
|
||||
const std::string& msg,
|
||||
const context& ctx,
|
||||
const std::string& rules_content);
|
||||
|
||||
void add_warning(falco::load_result::warning_code ec,
|
||||
const std::string& msg,
|
||||
const context& ctx,
|
||||
const std::string& rules_content);
|
||||
protected:
|
||||
|
||||
const std::string& as_summary_string();
|
||||
const std::string& as_verbose_string();
|
||||
std::string name;
|
||||
bool success;
|
||||
|
||||
std::vector<error> errors;
|
||||
std::vector<warning> warnings;
|
||||
|
||||
std::string res_summary_string;
|
||||
std::string res_verbose_string;
|
||||
nlohmann::json res_json;
|
||||
/*!
|
||||
\brief Appends another text section info to this one
|
||||
*/
|
||||
inline void append(context& m)
|
||||
{
|
||||
content += "\n\n";
|
||||
content += m.content;
|
||||
}
|
||||
};
|
||||
|
||||
/*!
|
||||
@@ -147,17 +68,13 @@ public:
|
||||
{
|
||||
explicit configuration(
|
||||
const std::string& cont,
|
||||
const indexed_vector<falco_source>& srcs,
|
||||
std::string name)
|
||||
: content(cont), sources(srcs), name(name)
|
||||
{
|
||||
res.reset(new result(name));
|
||||
}
|
||||
const indexed_vector<falco_source>& srcs)
|
||||
: content(cont), sources(srcs) {}
|
||||
|
||||
const std::string& content;
|
||||
const indexed_vector<falco_source>& sources;
|
||||
std::string name;
|
||||
std::unique_ptr<result> res;
|
||||
std::vector<std::string> errors;
|
||||
std::vector<std::string> warnings;
|
||||
std::string output_extra;
|
||||
uint16_t default_ruleset_id;
|
||||
bool replace_output_container_info;
|
||||
@@ -169,10 +86,6 @@ public:
|
||||
*/
|
||||
struct engine_version_info
|
||||
{
|
||||
engine_version_info(context &ctx);
|
||||
~engine_version_info() = default;
|
||||
|
||||
context ctx;
|
||||
uint32_t version;
|
||||
};
|
||||
|
||||
@@ -181,26 +94,15 @@ public:
|
||||
*/
|
||||
struct plugin_version_info
|
||||
{
|
||||
// This differs from the other _info structs by having
|
||||
// a default constructor. This allows it to be used
|
||||
// by falco_engine, which aliases the type.
|
||||
plugin_version_info();
|
||||
plugin_version_info(context &ctx);
|
||||
~plugin_version_info() = default;
|
||||
|
||||
context ctx;
|
||||
std::string name;
|
||||
std::string version;
|
||||
};
|
||||
|
||||
/*!
|
||||
\brief Represents infos about a list
|
||||
\brief Represents infos about a list
|
||||
*/
|
||||
struct list_info
|
||||
{
|
||||
list_info(context &ctx);
|
||||
~list_info() = default;
|
||||
|
||||
context ctx;
|
||||
bool used;
|
||||
size_t index;
|
||||
@@ -210,15 +112,11 @@ public:
|
||||
};
|
||||
|
||||
/*!
|
||||
\brief Represents infos about a macro
|
||||
\brief Represents infos about a macro
|
||||
*/
|
||||
struct macro_info
|
||||
{
|
||||
macro_info(context &ctx);
|
||||
~macro_info() = default;
|
||||
|
||||
context ctx;
|
||||
context cond_ctx;
|
||||
bool used;
|
||||
size_t index;
|
||||
size_t visibility;
|
||||
@@ -232,9 +130,6 @@ public:
|
||||
*/
|
||||
struct rule_exception_info
|
||||
{
|
||||
rule_exception_info(context &ctx);
|
||||
~rule_exception_info() = default;
|
||||
|
||||
/*!
|
||||
\brief This is necessary due to the dynamic-typed nature of
|
||||
exceptions. Each of fields, comps, and values, can either be a
|
||||
@@ -253,7 +148,6 @@ public:
|
||||
}
|
||||
};
|
||||
|
||||
context ctx;
|
||||
std::string name;
|
||||
entry fields;
|
||||
entry comps;
|
||||
@@ -261,16 +155,11 @@ public:
|
||||
};
|
||||
|
||||
/*!
|
||||
\brief Represents infos about a rule
|
||||
\brief Represents infos about a rule
|
||||
*/
|
||||
struct rule_info
|
||||
{
|
||||
rule_info(context &ctx);
|
||||
~rule_info() = default;
|
||||
|
||||
context ctx;
|
||||
context cond_ctx;
|
||||
context output_ctx;
|
||||
size_t index;
|
||||
size_t visibility;
|
||||
std::string name;
|
||||
@@ -296,7 +185,7 @@ public:
|
||||
/*!
|
||||
\brief Uses the internal state to compile a list of falco_rules
|
||||
*/
|
||||
virtual void compile(configuration& cfg, indexed_vector<falco_rule>& out) const;
|
||||
virtual bool compile(configuration& cfg, indexed_vector<falco_rule>& out) const;
|
||||
|
||||
/*!
|
||||
\brief Returns the set of all required versions for each plugin according
|
||||
|
||||
@@ -16,222 +16,139 @@ limitations under the License.
|
||||
|
||||
#include "rule_reader.h"
|
||||
|
||||
#define THROW(cond, err, ctx) { if ((cond)) { throw rule_loader::rule_load_exception(load_result::LOAD_ERR_YAML_VALIDATE, (err), (ctx)); } }
|
||||
#define THROW(cond, err) { if (cond) { throw falco_exception(err); } }
|
||||
|
||||
using namespace falco;
|
||||
|
||||
// Don't call this directly, call decode_val/decode_optional_val instead.
|
||||
template <typename T>
|
||||
static void decode_val_generic(const YAML::Node& item, const char *key, T& out, const rule_loader::context& ctx, bool optional)
|
||||
static rule_loader::context yaml_get_context(
|
||||
const string& content,
|
||||
const vector<YAML::Node>& docs,
|
||||
vector<YAML::Node>::iterator doc,
|
||||
YAML::iterator node)
|
||||
{
|
||||
const YAML::Node& val = item[key];
|
||||
|
||||
if(!val.IsDefined() && optional)
|
||||
rule_loader::context m;
|
||||
YAML::Node item = *node++;
|
||||
YAML::Node cur_doc = *doc++;
|
||||
// include the "- " sequence mark
|
||||
size_t from = item.Mark().pos - 2;
|
||||
size_t to = 0;
|
||||
if (node != cur_doc.end())
|
||||
{
|
||||
return;
|
||||
// end of item is beginning of next item
|
||||
to = node->Mark().pos - 2;
|
||||
}
|
||||
|
||||
THROW(!val.IsDefined(), std::string("Item has no mapping for key '") + key + "'", ctx);
|
||||
THROW(val.IsNull(), std::string("Mapping for key '") + key + "' is empty", ctx);
|
||||
|
||||
rule_loader::context valctx(val, "value for", key, ctx);
|
||||
THROW(!val.IsScalar(), "Value is not a scalar value", valctx);
|
||||
THROW(val.Scalar().empty(), "Value must be non-empty", valctx);
|
||||
|
||||
THROW(!YAML::convert<T>::decode(val, out), "Can't decode YAML scalar value", valctx);
|
||||
}
|
||||
|
||||
template <typename T>
|
||||
static void decode_val(const YAML::Node& item, const char *key, T& out, const rule_loader::context& ctx)
|
||||
{
|
||||
bool optional = false;
|
||||
|
||||
decode_val_generic(item, key, out, ctx, optional);
|
||||
}
|
||||
|
||||
template <typename T>
|
||||
static void decode_optional_val(const YAML::Node& item, const char *key, T& out, const rule_loader::context& ctx)
|
||||
{
|
||||
bool optional = true;
|
||||
|
||||
decode_val_generic(item, key, out, ctx, optional);
|
||||
}
|
||||
|
||||
// Don't call this directly, call decode_items/decode_tags instead.
|
||||
template <typename T>
|
||||
static void decode_seq(const YAML::Node& item, const char *key,
|
||||
std::function<void(T)> inserter,
|
||||
const rule_loader::context &ctx, bool optional)
|
||||
{
|
||||
const YAML::Node& val = item[key];
|
||||
|
||||
if(!val.IsDefined() && optional)
|
||||
else if (doc != docs.end())
|
||||
{
|
||||
return;
|
||||
// end of item is beginning of next doc
|
||||
to = doc->Mark().pos - 4;
|
||||
}
|
||||
|
||||
THROW(!val.IsDefined(), std::string("Item has no mapping for key '") + key + "'", ctx);
|
||||
|
||||
rule_loader::context valctx(val, "value for", key, ctx);
|
||||
THROW(!val.IsSequence(), "Value is not a sequence", valctx);
|
||||
|
||||
T value;
|
||||
for(const YAML::Node& v : val)
|
||||
else
|
||||
{
|
||||
rule_loader::context ictx(v, "list item", "", valctx);
|
||||
THROW(!v.IsScalar(), "sequence value is not scalar", ictx);
|
||||
THROW(!YAML::convert<T>::decode(v, value), "Can't decode YAML sequence value", ictx);
|
||||
inserter(value);
|
||||
// end of item is end of file contents
|
||||
to = content.length();
|
||||
}
|
||||
m.content = content.substr(from, to - from);
|
||||
m.content = trim(m.content);
|
||||
return m;
|
||||
}
|
||||
|
||||
template <typename T>
|
||||
static void decode_items(const YAML::Node& item, vector<T>& out,
|
||||
const rule_loader::context& ctx)
|
||||
static bool decode_val(const YAML::Node& v, T& out)
|
||||
{
|
||||
bool optional = false;
|
||||
|
||||
std::function<void(T)> inserter = [&out] (T value) {
|
||||
out.push_back(value);
|
||||
};
|
||||
|
||||
decode_seq(item, "items", inserter, ctx, optional);
|
||||
return v.IsDefined() && v.IsScalar() && YAML::convert<T>::decode(v, out);
|
||||
}
|
||||
|
||||
template <typename T>
|
||||
static void decode_tags(const YAML::Node& item, set<T>& out,
|
||||
const rule_loader::context& ctx)
|
||||
static bool decode_seq(const YAML::Node& item, vector<T>& out)
|
||||
{
|
||||
bool optional = true;
|
||||
|
||||
std::function<void(T)> inserter = [&out] (T value) {
|
||||
out.insert(value);
|
||||
};
|
||||
|
||||
decode_seq(item, "tags", inserter, ctx, optional);
|
||||
}
|
||||
|
||||
// Don't call this directly, call decode_exception_{fields,comps,values} instead
|
||||
static void decode_exception_info_entry(
|
||||
const YAML::Node& item,
|
||||
const char *key,
|
||||
rule_loader::rule_exception_info::entry& out,
|
||||
const rule_loader::context& ctx,
|
||||
bool optional)
|
||||
{
|
||||
const YAML::Node& val = (key == NULL ? item : item[key]);
|
||||
|
||||
if(!val.IsDefined() && optional)
|
||||
if (item.IsDefined() && item.IsSequence())
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
THROW(!val.IsDefined(), std::string("Item has no mapping for key '") + key + "'", ctx);
|
||||
|
||||
rule_loader::context valctx(val, "value for", (key == NULL ? "" : key), ctx);
|
||||
|
||||
if (val.IsScalar())
|
||||
{
|
||||
THROW(val.Scalar().empty(), "Value must be non-empty", valctx);
|
||||
out.is_list = false;
|
||||
THROW(!YAML::convert<string>::decode(val, out.item), "Could not decode scalar value", valctx);
|
||||
}
|
||||
if (val.IsSequence())
|
||||
{
|
||||
out.is_list = true;
|
||||
rule_loader::rule_exception_info::entry tmp;
|
||||
for(const YAML::Node& v : val)
|
||||
T value;
|
||||
for(const YAML::Node& v : item)
|
||||
{
|
||||
rule_loader::context lctx(v, "list exception entry", "", valctx);
|
||||
THROW(!v.IsScalar() || !YAML::convert<T>::decode(v, value),
|
||||
"Can't decode YAML sequence value: " + YAML::Dump(v));
|
||||
out.push_back(value);
|
||||
}
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
// Optional is always false once you get past the outer values
|
||||
optional = false;
|
||||
decode_exception_info_entry(v, NULL, tmp, lctx, optional);
|
||||
out.items.push_back(tmp);
|
||||
template <typename T>
|
||||
static bool decode_seq(const YAML::Node& item, set<T>& out)
|
||||
{
|
||||
if (item.IsDefined() && item.IsSequence())
|
||||
{
|
||||
T value;
|
||||
for(const YAML::Node& v : item)
|
||||
{
|
||||
THROW(!v.IsScalar() || !YAML::convert<T>::decode(v, value),
|
||||
"Can't decode YAML sequence value: " + YAML::Dump(v));
|
||||
out.insert(value);
|
||||
}
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
static bool decode_exception_info_entry(
|
||||
const YAML::Node& item,
|
||||
rule_loader::rule_exception_info::entry& out)
|
||||
{
|
||||
if (item.IsDefined())
|
||||
{
|
||||
if (item.IsScalar())
|
||||
{
|
||||
out.is_list = false;
|
||||
if (YAML::convert<string>::decode(item, out.item))
|
||||
{
|
||||
return true;
|
||||
}
|
||||
}
|
||||
if (item.IsSequence())
|
||||
{
|
||||
out.is_list = true;
|
||||
rule_loader::rule_exception_info::entry tmp;
|
||||
for(const YAML::Node& v : item)
|
||||
{
|
||||
if (!decode_exception_info_entry(v, tmp))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
out.items.push_back(tmp);
|
||||
}
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static void decode_exception_fields(
|
||||
const YAML::Node& item,
|
||||
rule_loader::rule_exception_info::entry& out,
|
||||
const rule_loader::context& ctx,
|
||||
bool optional)
|
||||
{
|
||||
decode_exception_info_entry(item, "fields", out, ctx, optional);
|
||||
}
|
||||
|
||||
static void decode_exception_comps(
|
||||
const YAML::Node& item,
|
||||
rule_loader::rule_exception_info::entry& out,
|
||||
const rule_loader::context& ctx)
|
||||
{
|
||||
bool optional = true;
|
||||
|
||||
decode_exception_info_entry(item, "comps", out, ctx, optional);
|
||||
}
|
||||
|
||||
static void decode_exception_values(
|
||||
const YAML::Node& item,
|
||||
rule_loader::rule_exception_info::entry& out,
|
||||
const rule_loader::context& ctx)
|
||||
{
|
||||
bool optional = false;
|
||||
|
||||
decode_exception_info_entry(item, NULL, out, ctx, optional);
|
||||
return false;
|
||||
}
|
||||
|
||||
static void read_rule_exceptions(
|
||||
const YAML::Node& item,
|
||||
rule_loader::rule_info& v,
|
||||
const rule_loader::context& parent,
|
||||
bool append)
|
||||
rule_loader::rule_info& v)
|
||||
{
|
||||
const YAML::Node& exs = item["exceptions"];
|
||||
|
||||
// No exceptions property, or an exceptions property with
|
||||
// nothing in it, are allowed
|
||||
if(!exs.IsDefined() || exs.IsNull())
|
||||
// An exceptions property with nothing in it is allowed
|
||||
if(item.IsNull())
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
rule_loader::context exes_ctx(exs, "exceptions", "", parent);
|
||||
|
||||
THROW(!exs.IsSequence(), "Rule exceptions must be a sequence", exes_ctx);
|
||||
|
||||
for (auto &ex : exs)
|
||||
THROW(!item.IsSequence(), "Rule exceptions must be a sequence");
|
||||
for (auto &ex : item)
|
||||
{
|
||||
// Make a temp context to verify simple properties
|
||||
// about the exception.
|
||||
std::string name;
|
||||
rule_loader::context tmp(ex, "exception", "", exes_ctx);
|
||||
|
||||
THROW(!ex.IsMap(), "Rule exception must be a mapping", tmp);
|
||||
decode_val(ex, "name", name, tmp);
|
||||
|
||||
// Now use a real context including the exception name.
|
||||
rule_loader::context ex_ctx(ex, "exception", name, parent);
|
||||
rule_loader::rule_exception_info v_ex(ex_ctx);
|
||||
v_ex.name = name;
|
||||
|
||||
rule_loader::rule_exception_info v_ex;
|
||||
THROW(!decode_val(ex["name"], v_ex.name) || v_ex.name.empty(),
|
||||
"Rule exception item must have name property");
|
||||
// note: the legacy lua loader used to throw a "xxx must strings" error
|
||||
|
||||
// fields are optional when append is true
|
||||
decode_exception_fields(ex, v_ex.fields, ex_ctx, append);
|
||||
decode_exception_comps(ex, v_ex.comps, ex_ctx);
|
||||
const YAML::Node& exvals = ex["values"];
|
||||
if (exvals.IsDefined())
|
||||
decode_exception_info_entry(ex["fields"], v_ex.fields);
|
||||
decode_exception_info_entry(ex["comps"], v_ex.comps);
|
||||
if (ex["values"].IsDefined())
|
||||
{
|
||||
rule_loader::context vals_ctx(exvals, "exception values", "", ex_ctx);
|
||||
THROW(!exvals.IsSequence(),
|
||||
"Rule exception values must be a sequence", vals_ctx);
|
||||
for (auto &val : exvals)
|
||||
THROW(!ex["values"].IsSequence(),
|
||||
"Rule exception values must be a sequence");
|
||||
for (auto &val : ex["values"])
|
||||
{
|
||||
rule_loader::context vctx(val, "exception value", "", vals_ctx);
|
||||
rule_loader::rule_exception_info::entry v_ex_val;
|
||||
|
||||
decode_exception_values(val, v_ex_val, vctx);
|
||||
decode_exception_info_entry(val, v_ex_val);
|
||||
v_ex.values.push_back(v_ex_val);
|
||||
}
|
||||
}
|
||||
@@ -240,65 +157,43 @@ static void read_rule_exceptions(
|
||||
}
|
||||
|
||||
static void read_item(
|
||||
rule_loader::configuration& cfg,
|
||||
rule_loader& loader,
|
||||
const YAML::Node& item,
|
||||
const rule_loader::context& parent)
|
||||
rule_loader::configuration& cfg,
|
||||
rule_loader& loader,
|
||||
const YAML::Node& item,
|
||||
const rule_loader::context& ctx)
|
||||
{
|
||||
rule_loader::context tmp(item, "item", "", parent);
|
||||
THROW(!item.IsMap(), "Unexpected element type. "
|
||||
"Each element should be a yaml associative array.", tmp);
|
||||
|
||||
if (item["required_engine_version"].IsDefined())
|
||||
{
|
||||
rule_loader::context ctx(item, "required_engine_version", "", parent);
|
||||
rule_loader::engine_version_info v(ctx);
|
||||
|
||||
decode_val(item, "required_engine_version", v.version, ctx);
|
||||
rule_loader::engine_version_info v;
|
||||
THROW(!decode_val(item["required_engine_version"], v.version),
|
||||
"Value of required_engine_version must be a number");
|
||||
loader.define(cfg, v);
|
||||
}
|
||||
else if(item["required_plugin_versions"].IsDefined())
|
||||
{
|
||||
const YAML::Node& req_plugin_vers = item["required_plugin_versions"];
|
||||
rule_loader::context ctx(req_plugin_vers, "required_plugin_versions", "", parent);
|
||||
THROW(!item["required_plugin_versions"].IsSequence(),
|
||||
"Value of required_plugin_versions must be a sequence");
|
||||
|
||||
THROW(!req_plugin_vers.IsSequence(),
|
||||
"Value of required_plugin_versions must be a sequence",
|
||||
ctx);
|
||||
|
||||
for(const YAML::Node& plugin : req_plugin_vers)
|
||||
for(const YAML::Node& plugin : item["required_plugin_versions"])
|
||||
{
|
||||
// Use a temp context until we can get a name
|
||||
std::string name;
|
||||
rule_loader::context tmp(plugin, "plugin version", "", ctx);
|
||||
THROW(!plugin.IsMap(), "Plugin version must be a mapping", tmp);
|
||||
decode_val(plugin, "name", name, tmp);
|
||||
|
||||
rule_loader::context pctx(plugin, "plugin version", name, ctx);
|
||||
rule_loader::plugin_version_info v(pctx);
|
||||
decode_val(plugin, "version", v.version, pctx);
|
||||
v.name = name;
|
||||
|
||||
rule_loader::plugin_version_info v;
|
||||
THROW(!decode_val(plugin["name"], v.name) || v.name.empty(),
|
||||
"required_plugin_versions item must have name property");
|
||||
THROW(!decode_val(plugin["version"], v.version) || v.version.empty(),
|
||||
"required_plugin_versions item must have version property");
|
||||
loader.define(cfg, v);
|
||||
}
|
||||
}
|
||||
else if(item["list"].IsDefined())
|
||||
{
|
||||
std::string name;
|
||||
// Using tmp context until name is decoded
|
||||
rule_loader::context tmp(item, "list", "", parent);
|
||||
decode_val(item, "list", name, tmp);
|
||||
|
||||
rule_loader::context ctx(item, "list", name, parent);
|
||||
rule_loader::list_info v(ctx);
|
||||
|
||||
rule_loader::list_info v;
|
||||
v.ctx = ctx;
|
||||
bool append = false;
|
||||
decode_val(item, "list", v.name, ctx);
|
||||
decode_items(item, v.items, ctx);
|
||||
|
||||
decode_optional_val(item, "append", append, ctx);
|
||||
|
||||
if(append)
|
||||
THROW(!decode_val(item["list"], v.name) || v.name.empty(),
|
||||
"List name is empty");
|
||||
THROW(!decode_seq(item["items"], v.items),
|
||||
"List must have property items");
|
||||
if(decode_val(item["append"], append) && append)
|
||||
{
|
||||
loader.append(cfg, v);
|
||||
}
|
||||
@@ -309,24 +204,14 @@ static void read_item(
|
||||
}
|
||||
else if(item["macro"].IsDefined())
|
||||
{
|
||||
std::string name;
|
||||
// Using tmp context until name is decoded
|
||||
rule_loader::context tmp(item, "macro", "", parent);
|
||||
decode_val(item, "macro", name, tmp);
|
||||
|
||||
rule_loader::context ctx(item, "macro", name, parent);
|
||||
rule_loader::macro_info v(ctx);
|
||||
v.name = name;
|
||||
|
||||
rule_loader::macro_info v;
|
||||
v.ctx = ctx;
|
||||
bool append = false;
|
||||
decode_val(item, "condition", v.cond, ctx);
|
||||
|
||||
// Now set the proper context for the condition now that we know it exists
|
||||
v.cond_ctx = rule_loader::context(item["condition"], "condition", "", ctx);
|
||||
|
||||
decode_optional_val(item, "append", append, ctx);
|
||||
|
||||
if(append)
|
||||
THROW(!decode_val(item["macro"], v.name) || v.name.empty(),
|
||||
"Macro name is empty");
|
||||
THROW(!decode_val(item["condition"], v.cond) || v.cond.empty(),
|
||||
"Macro must have property condition");
|
||||
if(decode_val(item["append"], append) && append)
|
||||
{
|
||||
loader.append(cfg, v);
|
||||
}
|
||||
@@ -337,81 +222,57 @@ static void read_item(
|
||||
}
|
||||
else if(item["rule"].IsDefined())
|
||||
{
|
||||
std::string name;
|
||||
|
||||
// Using tmp context until name is decoded
|
||||
rule_loader::context tmp(item, "rule", "", parent);
|
||||
decode_val(item, "rule", name, tmp);
|
||||
|
||||
rule_loader::context ctx(item, "rule", name, parent);
|
||||
rule_loader::rule_info v(ctx);
|
||||
v.name = name;
|
||||
|
||||
rule_loader::rule_info v;
|
||||
v.ctx = ctx;
|
||||
bool append = false;
|
||||
v.enabled = true;
|
||||
v.warn_evttypes = true;
|
||||
v.skip_if_unknown_filter = false;
|
||||
|
||||
decode_optional_val(item, "append", append, ctx);
|
||||
|
||||
if(append)
|
||||
THROW(!decode_val(item["rule"], v.name) || v.name.empty(),
|
||||
"Rule name is empty");
|
||||
if(decode_val(item["append"], append) && append)
|
||||
{
|
||||
decode_optional_val(item, "condition", v.cond, ctx);
|
||||
if(item["condition"].IsDefined())
|
||||
decode_val(item["condition"], v.cond);
|
||||
if (item["exceptions"].IsDefined())
|
||||
{
|
||||
v.cond_ctx = rule_loader::context(item["condition"], "condition", "", ctx);
|
||||
read_rule_exceptions(item["exceptions"], v);
|
||||
}
|
||||
read_rule_exceptions(item, v, ctx, append);
|
||||
loader.append(cfg, v);
|
||||
}
|
||||
else
|
||||
{
|
||||
// If the rule does *not* have any of
|
||||
// condition/output/desc/priority, it *must*
|
||||
// have an enabled property. Use the enabled
|
||||
// property to set the enabled status of an
|
||||
// earlier rule.
|
||||
if (!item["condition"].IsDefined() &&
|
||||
!item["output"].IsDefined() &&
|
||||
!item["desc"].IsDefined() &&
|
||||
!item["priority"].IsDefined())
|
||||
string priority;
|
||||
bool has_enabled = decode_val(item["enabled"], v.enabled);
|
||||
bool has_defs = decode_val(item["condition"], v.cond)
|
||||
&& decode_val(item["output"], v.output)
|
||||
&& decode_val(item["desc"], v.desc)
|
||||
&& decode_val(item["priority"], priority);
|
||||
if (!has_defs)
|
||||
{
|
||||
decode_val(item, "enabled", v.enabled, ctx);
|
||||
THROW(!has_enabled, "Rule must have properties 'condition', 'output', 'desc', and 'priority'");
|
||||
loader.enable(cfg, v);
|
||||
}
|
||||
else
|
||||
{
|
||||
string priority;
|
||||
|
||||
// All of these are required
|
||||
decode_val(item, "condition", v.cond, ctx);
|
||||
v.cond_ctx = rule_loader::context(item["condition"], "condition", "", ctx);
|
||||
|
||||
decode_val(item, "output", v.output, ctx);
|
||||
v.output_ctx = rule_loader::context(item["output"], "output", "", ctx);
|
||||
|
||||
decode_val(item, "desc", v.desc, ctx);
|
||||
decode_val(item, "priority", priority, ctx);
|
||||
|
||||
v.output = trim(v.output);
|
||||
v.source = falco_common::syscall_source;
|
||||
rule_loader::context prictx(item["priority"], "priority value", "", ctx);
|
||||
THROW(!falco_common::parse_priority(priority, v.priority),
|
||||
"Invalid priority", prictx);
|
||||
decode_optional_val(item, "source", v.source, ctx);
|
||||
decode_optional_val(item, "enabled", v.enabled, ctx);
|
||||
decode_optional_val(item, "warn_evttypes", v.warn_evttypes, ctx);
|
||||
decode_optional_val(item, "skip-if-unknown-filter", v.skip_if_unknown_filter, ctx);
|
||||
decode_tags(item, v.tags, ctx);
|
||||
read_rule_exceptions(item, v, ctx, append);
|
||||
"Invalid priority");
|
||||
decode_val(item["source"], v.source);
|
||||
decode_val(item["warn_evttypes"], v.warn_evttypes);
|
||||
decode_val(item["skip-if-unknown-filter"], v.skip_if_unknown_filter);
|
||||
decode_seq(item["tags"], v.tags);
|
||||
if (item["exceptions"].IsDefined())
|
||||
{
|
||||
read_rule_exceptions(item["exceptions"], v);
|
||||
}
|
||||
loader.define(cfg, v);
|
||||
}
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
rule_loader::context ctx(item, "unknown", "", parent);
|
||||
cfg.res->add_warning(load_result::LOAD_UNKNOWN_ITEM, "Unknown top level item", ctx, cfg.content);
|
||||
cfg.warnings.push_back("Unknown top level object");
|
||||
}
|
||||
}
|
||||
|
||||
@@ -424,45 +285,45 @@ bool rule_reader::load(rule_loader::configuration& cfg, rule_loader& loader)
|
||||
}
|
||||
catch(const exception& e)
|
||||
{
|
||||
rule_loader::context ctx(cfg.name);
|
||||
cfg.res->add_error(load_result::LOAD_ERR_YAML_PARSE, e.what(), ctx, cfg.content);
|
||||
cfg.errors.push_back("Could not load YAML file: " + string(e.what()));
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
for (auto doc = docs.begin(); doc != docs.end(); doc++)
|
||||
{
|
||||
if (doc->IsDefined() && !doc->IsNull())
|
||||
{
|
||||
rule_loader::context ctx(cfg.name);
|
||||
|
||||
try {
|
||||
THROW(!doc->IsMap() && !doc->IsSequence(),
|
||||
"Rules content is not yaml",
|
||||
ctx);
|
||||
|
||||
THROW(!doc->IsSequence(),
|
||||
"Rules content is not yaml array of objects",
|
||||
ctx);
|
||||
|
||||
for (auto it = doc->begin(); it != doc->end(); it++)
|
||||
if(!doc->IsMap() && !doc->IsSequence())
|
||||
{
|
||||
cfg.errors.push_back("Rules content is not yaml");
|
||||
return false;
|
||||
}
|
||||
if(!doc->IsSequence())
|
||||
{
|
||||
cfg.errors.push_back(
|
||||
"Rules content is not yaml array of objects");
|
||||
return false;
|
||||
}
|
||||
for (auto it = doc->begin(); it != doc->end(); it++)
|
||||
{
|
||||
if (!it->IsNull())
|
||||
{
|
||||
if (!it->IsNull())
|
||||
auto ctx = yaml_get_context(cfg.content, docs, doc, it);
|
||||
YAML::Node item = *it;
|
||||
try
|
||||
{
|
||||
read_item(cfg, loader, *it, ctx);
|
||||
THROW(!item.IsMap(), "Unexpected element type. "
|
||||
"Each element should be a yaml associative array.");
|
||||
read_item(cfg, loader, item, ctx);
|
||||
}
|
||||
catch(const exception& e)
|
||||
{
|
||||
cfg.errors.push_back(ctx.error(e.what()));
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
catch (rule_loader::rule_load_exception &e)
|
||||
{
|
||||
cfg.res->add_error(e.ec, e.msg, e.ctx, cfg.content);
|
||||
|
||||
// Although we *could* continue on to the next doc,
|
||||
// as it's effectively a new rules file, for
|
||||
// consistency we stop at the first error.
|
||||
return false;
|
||||
};
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
@@ -21,7 +21,7 @@ using namespace falco::app;
|
||||
application::run_result application::init_clients()
|
||||
{
|
||||
#ifndef MINIMAL_BUILD
|
||||
// k8s client is useful only if the syscall source is enabled
|
||||
// k8s and mesos clients are useful only if syscall source is enabled
|
||||
if (!is_syscall_source_enabled())
|
||||
{
|
||||
return run_result::ok();
|
||||
@@ -55,6 +55,23 @@ application::run_result application::init_clients()
|
||||
}
|
||||
m_state->inspector->init_k8s_client(k8s_api_ptr, k8s_api_cert_ptr, k8s_node_name_ptr, m_options.verbose);
|
||||
}
|
||||
|
||||
//
|
||||
// Run mesos, if required
|
||||
//
|
||||
if(!m_options.mesos_api.empty())
|
||||
{
|
||||
// Differs from init_k8s_client in that it
|
||||
// passes a pointer but the inspector does
|
||||
// *not* own it and does not use it after
|
||||
// init_mesos_client() returns.
|
||||
m_state->inspector->init_mesos_client(&(m_options.mesos_api), m_options.verbose);
|
||||
}
|
||||
else if(char* mesos_api_env = getenv("FALCO_MESOS_API"))
|
||||
{
|
||||
std::string mesos_api_copy = mesos_api_env;
|
||||
m_state->inspector->init_mesos_client(&mesos_api_copy, m_options.verbose);
|
||||
}
|
||||
#endif
|
||||
|
||||
return run_result::ok();
|
||||
|
||||
@@ -14,8 +14,6 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
#include <sstream>
|
||||
|
||||
#include "application.h"
|
||||
|
||||
using namespace falco::app;
|
||||
@@ -35,6 +33,11 @@ void application::configure_output_format()
|
||||
output_format = "k8s.ns=%k8s.ns.name k8s.pod=%k8s.pod.name container=%container.id";
|
||||
replace_container_info = true;
|
||||
}
|
||||
else if(m_options.print_additional == "m" || m_options.print_additional == "mesos")
|
||||
{
|
||||
output_format = "task=%mesos.task.name container=%container.id";
|
||||
replace_container_info = true;
|
||||
}
|
||||
else if(!m_options.print_additional.empty())
|
||||
{
|
||||
output_format = m_options.print_additional;
|
||||
@@ -86,13 +89,6 @@ application::run_result application::init_falco_engine()
|
||||
return run_result::fatal("At least one event source needs to be enabled");
|
||||
}
|
||||
|
||||
/* Print all enabled sources. */
|
||||
std::ostringstream os;
|
||||
std::copy(m_state->enabled_sources.begin(), m_state->enabled_sources.end(), std::ostream_iterator<std::string>(os, ","));
|
||||
std::string result = os.str();
|
||||
result.pop_back();
|
||||
falco_logger::log(LOG_INFO, "Enabled sources: " + result + "\n");
|
||||
|
||||
m_state->engine->set_min_priority(m_state->config->m_min_priority);
|
||||
|
||||
return run_result::ok();
|
||||
|
||||
@@ -26,9 +26,8 @@ application::run_result application::load_config()
|
||||
falco_logger::set_time_format_iso_8601(m_state->config->m_time_format_iso_8601);
|
||||
|
||||
// log after config init because config determines where logs go
|
||||
falco_logger::log(LOG_INFO, "Falco version: " + std::string(FALCO_VERSION) + "\n");
|
||||
falco_logger::log(LOG_INFO, "Falco initialized with configuration file: " + m_options.conf_filename + "\n");
|
||||
falco_logger::log(LOG_INFO, "Falco compiled for: " + std::string(FALCO_TARGET_ARCH) + "\n");
|
||||
falco_logger::log(LOG_INFO, "Falco version " + std::string(FALCO_VERSION) + "\n");
|
||||
falco_logger::log(LOG_INFO, "Falco initialized with configuration file " + m_options.conf_filename + "\n");
|
||||
}
|
||||
else
|
||||
{
|
||||
|
||||
@@ -95,26 +95,17 @@ application::run_result application::load_rules_files()
|
||||
|
||||
for (const auto& filename : m_state->config->m_loaded_rules_filenames)
|
||||
{
|
||||
falco_logger::log(LOG_INFO, "Loading rules from file " + filename + "\n");
|
||||
std::unique_ptr<falco::load_result> res;
|
||||
falco_logger::log(LOG_INFO, "Loading rules from file " + filename + ":\n");
|
||||
uint64_t required_engine_version;
|
||||
|
||||
res = m_state->engine->load_rules_file(filename);
|
||||
|
||||
// Print the full output if verbose is true
|
||||
if(m_options.verbose &&
|
||||
(!res->successful() || res->has_warnings()))
|
||||
{
|
||||
printf("%s\n",
|
||||
(m_state->config->m_json_output ?
|
||||
res->as_json().dump().c_str() :
|
||||
res->as_string(true).c_str()));
|
||||
try {
|
||||
m_state->engine->load_rules_file(filename, m_options.verbose, m_options.all_events, required_engine_version);
|
||||
}
|
||||
|
||||
if(!res->successful())
|
||||
catch(falco_exception &e)
|
||||
{
|
||||
// Return the summary version as the error
|
||||
return run_result::fatal(res->as_string(false));
|
||||
return run_result::fatal(string("Could not load rules file ") + filename + ": " + e.what());
|
||||
}
|
||||
m_state->required_engine_versions[filename] = required_engine_version;
|
||||
}
|
||||
|
||||
// Ensure that all plugins are compatible with the loaded set of rules
|
||||
|
||||
@@ -83,14 +83,6 @@ application::run_result application::open_inspector()
|
||||
}
|
||||
}
|
||||
|
||||
/// TODO: we can add a method to the inspector that tells us what
|
||||
/// is the underline engine used. Right now we print something only
|
||||
/// in case of BPF engine
|
||||
if(m_state->inspector->is_bpf_enabled())
|
||||
{
|
||||
falco_logger::log(LOG_INFO, "Falco is using the BPF probe\n");
|
||||
}
|
||||
|
||||
// This must be done after the open
|
||||
if(!m_options.all_events)
|
||||
{
|
||||
|
||||
@@ -58,6 +58,7 @@ application::run_result application::print_support()
|
||||
nlohmann::json finfo;
|
||||
finfo["name"] = filename;
|
||||
nlohmann::json variant;
|
||||
variant["required_engine_version"] = m_state->required_engine_versions[filename];
|
||||
variant["content"] = read_file(filename);
|
||||
finfo["variants"].push_back(variant);
|
||||
support["rules_files"].push_back(finfo);
|
||||
|
||||
@@ -123,10 +123,6 @@ application::run_result application::do_inspect(syscall_evt_drop_mgr &sdropmgr,
|
||||
|
||||
continue;
|
||||
}
|
||||
else if(rc == SCAP_FILTERED_EVENT)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
else if(rc == SCAP_EOF)
|
||||
{
|
||||
break;
|
||||
|
||||
@@ -15,7 +15,6 @@ limitations under the License.
|
||||
*/
|
||||
|
||||
#include "application.h"
|
||||
#include <string>
|
||||
|
||||
using namespace falco::app;
|
||||
|
||||
@@ -23,64 +22,27 @@ application::run_result application::validate_rules_files()
|
||||
{
|
||||
if(m_options.validate_rules_filenames.size() > 0)
|
||||
{
|
||||
bool successful = true;
|
||||
std::string summary;
|
||||
|
||||
falco_logger::log(LOG_INFO, "Validating rules file(s):\n");
|
||||
for(auto file : m_options.validate_rules_filenames)
|
||||
{
|
||||
falco_logger::log(LOG_INFO, " " + file + "\n");
|
||||
}
|
||||
|
||||
// The json output encompasses all files so the
|
||||
// validation result is a single json object.
|
||||
nlohmann::json results = nlohmann::json::array();
|
||||
|
||||
for(auto file : m_options.validate_rules_filenames)
|
||||
{
|
||||
std::unique_ptr<falco::load_result> res;
|
||||
|
||||
res = m_state->engine->load_rules_file(file);
|
||||
|
||||
successful &= res->successful();
|
||||
|
||||
if(summary != "")
|
||||
{
|
||||
summary += "\n";
|
||||
// Only include the prefix if there is more than one file
|
||||
std::string prefix = (m_options.validate_rules_filenames.size() > 1 ? file + ": " : "");
|
||||
try {
|
||||
m_state->engine->load_rules_file(file, m_options.verbose, m_options.all_events);
|
||||
}
|
||||
summary += file + ": " + (res->successful() ? "Ok" : "Invalid");
|
||||
|
||||
if(m_state->config->m_json_output)
|
||||
catch(falco_exception &e)
|
||||
{
|
||||
results.push_back(res->as_json());
|
||||
}
|
||||
else
|
||||
{
|
||||
// Print the full output when verbose is true
|
||||
if(m_options.verbose &&
|
||||
(!res->successful() || res->has_warnings()))
|
||||
{
|
||||
printf("%s\n", res->as_string(true).c_str());
|
||||
}
|
||||
printf("%s%s", prefix.c_str(), e.what());
|
||||
return run_result::fatal(prefix + e.what());
|
||||
}
|
||||
printf("%sOk\n", prefix.c_str());
|
||||
}
|
||||
|
||||
if(m_state->config->m_json_output)
|
||||
{
|
||||
nlohmann::json res;
|
||||
res["falco_load_results"] = results;
|
||||
printf("%s\n", res.dump().c_str());
|
||||
}
|
||||
|
||||
if(successful)
|
||||
{
|
||||
printf("%s\n", summary.c_str());
|
||||
return run_result::exit();
|
||||
}
|
||||
else
|
||||
{
|
||||
return run_result::fatal(summary);
|
||||
}
|
||||
falco_logger::log(LOG_INFO, "Ok\n");
|
||||
return run_result::exit();
|
||||
}
|
||||
|
||||
return run_result::ok();
|
||||
|
||||
@@ -180,13 +180,16 @@ void cmdline_options::define()
|
||||
("list-syscall-events", "List all defined system call events.", cxxopts::value<bool>(list_syscall_events))
|
||||
#ifndef MUSL_OPTIMIZED
|
||||
("list-plugins", "Print info on all loaded plugins and exit.", cxxopts::value(list_plugins)->default_value("false"))
|
||||
#endif
|
||||
#ifndef MINIMAL_BUILD
|
||||
("m,mesos-api", "Enable Mesos support by connecting to the API server specified as argument. E.g. \"http://admin:password@127.0.0.1:5050\". Marathon url is optional and defaults to Mesos address, port 8080. The API servers can also be specified via the environment variable FALCO_MESOS_API.", cxxopts::value(mesos_api), "<url[,marathon_url]>")
|
||||
#endif
|
||||
("M", "Stop collecting after <num_seconds> reached.", cxxopts::value(duration_to_tot)->default_value("0"), "<num_seconds>")
|
||||
("markdown", "When used with --list/--list-syscall-events, print the content in Markdown format", cxxopts::value<bool>(markdown))
|
||||
("N", "When used with --list, only print field names.", cxxopts::value(names_only)->default_value("false"))
|
||||
("o,option", "Set the value of option <opt> to <val>. Overrides values in configuration file. <opt> can be identified using its location in configuration file using dot notation. Elements which are entries of lists can be accessed via square brackets [].\n E.g. base.id = val\n base.subvalue.subvalue2 = val\n base.list[1]=val", cxxopts::value(cmdline_config_options), "<opt>=<val>")
|
||||
("plugin-info", "Print info for a single plugin and exit.\nThis includes all descriptivo info like name and author, along with the\nschema format for the init configuration and a list of suggested open parameters.\n<plugin_name> can be the name of the plugin or its configured library_path.", cxxopts::value(print_plugin_info), "<plugin_name>")
|
||||
("p,print", "Add additional information to each falco notification's output.\nWith -pc or -pcontainer will use a container-friendly format.\nWith -pk or -pkubernetes will use a kubernetes-friendly format.\nAdditionally, specifying -pc/-pk will change the interpretation of %container.info in rule output fields.", cxxopts::value(print_additional), "<output_format>")
|
||||
("p,print", "Add additional information to each falco notification's output.\nWith -pc or -pcontainer will use a container-friendly format.\nWith -pk or -pkubernetes will use a kubernetes-friendly format.\nWith -pm or -pmesos will use a mesos-friendly format.\nAdditionally, specifying -pc/-pk/-pm will change the interpretation of %container.info in rule output fields.", cxxopts::value(print_additional), "<output_format>")
|
||||
("P,pidfile", "When run as a daemon, write pid to specified file", cxxopts::value(pidfilename)->default_value("/var/run/falco.pid"), "<pid_file>")
|
||||
("r", "Rules file/directory (defaults to value set in configuration file, or /etc/falco_rules.yaml). Can be specified multiple times to read from multiple files/directories.", cxxopts::value<std::vector<std::string>>(), "<rules_file>")
|
||||
("s", "If specified, append statistics related to Falco's reading/processing of events to this file (only useful in live mode).", cxxopts::value(stats_filename), "<stats_file>")
|
||||
|
||||
@@ -58,6 +58,7 @@ public:
|
||||
std::string print_plugin_info;
|
||||
bool list_syscall_events;
|
||||
bool markdown;
|
||||
std::string mesos_api;
|
||||
int duration_to_tot;
|
||||
bool names_only;
|
||||
std::vector<std::string> cmdline_config_options;
|
||||
|
||||
@@ -81,6 +81,8 @@ private:
|
||||
// from event source to filtercheck list.
|
||||
std::map<std::string, filter_check_list> plugin_filter_checks;
|
||||
|
||||
std::map<string,uint64_t> required_engine_versions;
|
||||
|
||||
std::string cmdline;
|
||||
|
||||
#ifndef MINIMAL_BUILD
|
||||
|
||||
@@ -24,7 +24,6 @@ limitations under the License.
|
||||
#define FALCO_VERSION_PATCH @FALCO_VERSION_PATCH@
|
||||
#define FALCO_VERSION_PRERELEASE "@FALCO_VERSION_PRERELEASE@"
|
||||
#define FALCO_VERSION_BUILD "@FALCO_VERSION_BUILD@"
|
||||
#define FALCO_TARGET_ARCH "@FALCO_TARGET_ARCH@"
|
||||
|
||||
#define FALCO_SOURCE_DIR "${PROJECT_SOURCE_DIR}"
|
||||
#define FALCO_SOURCE_CONF_FILE "${PROJECT_SOURCE_DIR}/falco.yaml"
|
||||
@@ -34,4 +33,4 @@ limitations under the License.
|
||||
#define FALCOSECURITY_LIBS_VERSION "${FALCOSECURITY_LIBS_VERSION}"
|
||||
|
||||
#define DRIVER_NAME "@DRIVER_NAME@"
|
||||
#define DRIVER_VERSION "@DRIVER_VERSION@"
|
||||
#define DRIVER_VERSION "@DRIVER_VERSION@"
|
||||
@@ -73,18 +73,6 @@ bool syscall_evt_drop_mgr::process_event(std::shared_ptr<sinsp> inspector, sinsp
|
||||
delta.n_evts = stats.n_evts - m_last_stats.n_evts;
|
||||
delta.n_drops = stats.n_drops - m_last_stats.n_drops;
|
||||
delta.n_drops_buffer = stats.n_drops_buffer - m_last_stats.n_drops_buffer;
|
||||
delta.n_drops_buffer_clone_fork_enter = stats.n_drops_buffer_clone_fork_enter - m_last_stats.n_drops_buffer_clone_fork_enter;
|
||||
delta.n_drops_buffer_clone_fork_exit = stats.n_drops_buffer_clone_fork_exit - m_last_stats.n_drops_buffer_clone_fork_exit;
|
||||
delta.n_drops_buffer_execve_enter = stats.n_drops_buffer_execve_enter - m_last_stats.n_drops_buffer_execve_enter;
|
||||
delta.n_drops_buffer_execve_exit = stats.n_drops_buffer_execve_exit - m_last_stats.n_drops_buffer_execve_exit;
|
||||
delta.n_drops_buffer_connect_enter = stats.n_drops_buffer_connect_enter - m_last_stats.n_drops_buffer_connect_enter;
|
||||
delta.n_drops_buffer_connect_exit = stats.n_drops_buffer_connect_exit - m_last_stats.n_drops_buffer_connect_exit;
|
||||
delta.n_drops_buffer_open_enter = stats.n_drops_buffer_open_enter - m_last_stats.n_drops_buffer_open_enter;
|
||||
delta.n_drops_buffer_open_exit = stats.n_drops_buffer_open_exit - m_last_stats.n_drops_buffer_open_exit;
|
||||
delta.n_drops_buffer_dir_file_enter = stats.n_drops_buffer_dir_file_enter - m_last_stats.n_drops_buffer_dir_file_enter;
|
||||
delta.n_drops_buffer_dir_file_exit = stats.n_drops_buffer_dir_file_exit - m_last_stats.n_drops_buffer_dir_file_exit;
|
||||
delta.n_drops_buffer_other_interest_enter = stats.n_drops_buffer_other_interest_enter - m_last_stats.n_drops_buffer_other_interest_enter;
|
||||
delta.n_drops_buffer_other_interest_exit = stats.n_drops_buffer_other_interest_exit - m_last_stats.n_drops_buffer_other_interest_exit;
|
||||
delta.n_drops_scratch_map = stats.n_drops_scratch_map - m_last_stats.n_drops_scratch_map;
|
||||
delta.n_drops_pf = stats.n_drops_pf - m_last_stats.n_drops_pf;
|
||||
delta.n_drops_bug = stats.n_drops_bug - m_last_stats.n_drops_bug;
|
||||
@@ -103,8 +91,8 @@ bool syscall_evt_drop_mgr::process_event(std::shared_ptr<sinsp> inspector, sinsp
|
||||
if(delta.n_drops > 0)
|
||||
{
|
||||
double ratio = delta.n_drops;
|
||||
// The `n_evts` always contains the `n_drops`.
|
||||
ratio /= delta.n_evts;
|
||||
// Assuming the number of event does not contains the dropped ones
|
||||
ratio /= delta.n_drops + delta.n_evts;
|
||||
|
||||
// When simulating drops the threshold is always zero
|
||||
if(ratio > m_threshold)
|
||||
@@ -158,35 +146,12 @@ bool syscall_evt_drop_mgr::perform_actions(uint64_t now, scap_stats &delta, bool
|
||||
case syscall_evt_drop_action::ALERT:
|
||||
{
|
||||
std::map<std::string, std::string> output_fields;
|
||||
output_fields["n_evts"] = std::to_string(delta.n_evts); /* Total number of kernel side events actively traced (not including events discarded due to simple consumer mode in eBPF case). */
|
||||
output_fields["n_drops"] = std::to_string(delta.n_drops); /* Number of all kernel side event drops out of n_evts. */
|
||||
output_fields["n_drops_buffer_total"] = std::to_string(delta.n_drops_buffer); /* Total number of kernel side drops due to full buffer, includes all categories below, likely higher than sum of syscall categories. */
|
||||
/* Kernel side drops due to full buffer for categories of system calls. Not all system calls of interest are mapped into one of the categories.
|
||||
* Insights:
|
||||
* (1) Identify statistical properties of workloads (e.g. ratios between categories).
|
||||
* (2) Data-driven optimization opportunity for kernel side filtering and prioritization.
|
||||
* (3) Response: Coarse grained insights into syscalls dropped.
|
||||
* (4) Bonus: Cost associated with syscall category (typically `open` system call category is highest by orders of magnitude).
|
||||
*/
|
||||
output_fields["n_drops_buffer_clone_fork_enter"] = std::to_string(delta.n_drops_buffer_clone_fork_enter);
|
||||
output_fields["n_drops_buffer_clone_fork_exit"] = std::to_string(delta.n_drops_buffer_clone_fork_exit);
|
||||
output_fields["n_drops_buffer_execve_enter"] = std::to_string(delta.n_drops_buffer_execve_enter);
|
||||
output_fields["n_drops_buffer_execve_exit"] = std::to_string(delta.n_drops_buffer_execve_exit);
|
||||
output_fields["n_drops_buffer_connect_enter"] = std::to_string(delta.n_drops_buffer_connect_enter);
|
||||
output_fields["n_drops_buffer_connect_exit"] = std::to_string(delta.n_drops_buffer_connect_exit);
|
||||
output_fields["n_drops_buffer_open_enter"] = std::to_string(delta.n_drops_buffer_open_enter);
|
||||
output_fields["n_drops_buffer_open_exit"] = std::to_string(delta.n_drops_buffer_open_exit);
|
||||
output_fields["n_drops_buffer_dir_file_enter"] = std::to_string(delta.n_drops_buffer_dir_file_enter);
|
||||
output_fields["n_drops_buffer_dir_file_exit"] = std::to_string(delta.n_drops_buffer_dir_file_exit);
|
||||
/* `n_drops_buffer_other_interest_*` Category consisting of other system calls of interest,
|
||||
* not all other system calls that did not match a category from above.
|
||||
* Ideal for a custom category if needed - simply patch switch statement in kernel driver code (`falcosecurity/libs` repo).
|
||||
*/
|
||||
output_fields["n_drops_buffer_other_interest_enter"] = std::to_string(delta.n_drops_buffer_other_interest_enter);
|
||||
output_fields["n_drops_buffer_other_interest_exit"] = std::to_string(delta.n_drops_buffer_other_interest_exit);
|
||||
output_fields["n_drops_scratch_map"] = std::to_string(delta.n_drops_scratch_map); /* Number of kernel side scratch map drops. */
|
||||
output_fields["n_drops_page_faults"] = std::to_string(delta.n_drops_pf); /* Number of kernel side page faults drops (invalid memory access). */
|
||||
output_fields["n_drops_bug"] = std::to_string(delta.n_drops_bug); /* Number of kernel side bug drops (invalid condition in the kernel instrumentation). */
|
||||
output_fields["n_evts"] = std::to_string(delta.n_evts);
|
||||
output_fields["n_drops"] = std::to_string(delta.n_drops);
|
||||
output_fields["n_drops_buffer"] = std::to_string(delta.n_drops_buffer);
|
||||
output_fields["n_drops_scratch_map"] = std::to_string(delta.n_drops_scratch_map);
|
||||
output_fields["n_drops_pf"] = std::to_string(delta.n_drops_pf);
|
||||
output_fields["n_drops_bug"] = std::to_string(delta.n_drops_bug);
|
||||
output_fields["ebpf_enabled"] = std::to_string(bpf_enabled);
|
||||
m_outputs->handle_msg(now, falco_common::PRIORITY_DEBUG, msg, rule, output_fields);
|
||||
break;
|
||||
|
||||
@@ -16,11 +16,9 @@ limitations under the License.
|
||||
|
||||
#include <sys/time.h>
|
||||
#include <signal.h>
|
||||
#include <nlohmann/json.hpp>
|
||||
|
||||
#include "statsfilewriter.h"
|
||||
#include "banned.h" // This raises a compilation error when certain functions are used
|
||||
#include "logger.h"
|
||||
|
||||
using namespace std;
|
||||
|
||||
@@ -30,6 +28,8 @@ static void timer_handler (int signum)
|
||||
g_save_stats = true;
|
||||
}
|
||||
|
||||
extern char **environ;
|
||||
|
||||
StatsFileWriter::StatsFileWriter()
|
||||
: m_num_stats(0)
|
||||
{
|
||||
@@ -67,6 +67,30 @@ bool StatsFileWriter::init(std::shared_ptr<sinsp> inspector, string &filename, u
|
||||
return false;
|
||||
}
|
||||
|
||||
// (Undocumented) feature. Take any environment keys prefixed
|
||||
// with FALCO_STATS_EXTRA_XXX and add them to the output. Used by
|
||||
// run_performance_tests.sh.
|
||||
for(uint32_t i=0; environ[i]; i++)
|
||||
{
|
||||
char *p = strstr(environ[i], "=");
|
||||
if(!p)
|
||||
{
|
||||
errstr = string("Could not find environment separator in ") + string(environ[i]);
|
||||
return false;
|
||||
}
|
||||
string key(environ[i], p-environ[i]);
|
||||
string val(p+1, strlen(environ[i])-(p-environ[i])-1);
|
||||
if(key.compare(0, 18, "FALCO_STATS_EXTRA_") == 0)
|
||||
{
|
||||
string sub = key.substr(18);
|
||||
if (m_extra != "")
|
||||
{
|
||||
m_extra += ", ";
|
||||
}
|
||||
m_extra += "\"" + sub + "\": " + "\"" + val + "\"";
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
@@ -76,7 +100,6 @@ void StatsFileWriter::handle()
|
||||
{
|
||||
scap_stats cstats;
|
||||
scap_stats delta;
|
||||
nlohmann::json jmsg;
|
||||
|
||||
g_save_stats = false;
|
||||
m_num_stats++;
|
||||
@@ -93,23 +116,21 @@ void StatsFileWriter::handle()
|
||||
delta.n_preemptions = cstats.n_preemptions - m_last_stats.n_preemptions;
|
||||
}
|
||||
|
||||
try
|
||||
m_output << "{\"sample\": " << m_num_stats;
|
||||
if(m_extra != "")
|
||||
{
|
||||
jmsg["sample"] = m_num_stats;
|
||||
jmsg["cur"]["events"] = cstats.n_evts;
|
||||
jmsg["cur"]["drops"] = cstats.n_drops;
|
||||
jmsg["cur"]["preemptions"] = cstats.n_preemptions;
|
||||
jmsg["cur"]["drop_pct"] = (cstats.n_evts == 0 ? 0 : (100.0*cstats.n_drops/cstats.n_evts));
|
||||
jmsg["delta"]["events"] = delta.n_evts;
|
||||
jmsg["delta"]["drops"] = delta.n_drops;
|
||||
jmsg["delta"]["preemptions"] = delta.n_preemptions;
|
||||
jmsg["delta"]["drop_pct"] = (delta.n_evts == 0 ? 0 : (100.0*delta.n_drops/delta.n_evts));
|
||||
m_output << jmsg.dump() << endl;
|
||||
}
|
||||
catch(const exception &e)
|
||||
{
|
||||
falco_logger::log(LOG_ERR, "StatsFileWriter (handle): " + string(e.what()) + "\n");
|
||||
m_output << ", " << m_extra;
|
||||
}
|
||||
m_output << ", \"cur\": {" <<
|
||||
"\"events\": " << cstats.n_evts <<
|
||||
", \"drops\": " << cstats.n_drops <<
|
||||
", \"preemptions\": " << cstats.n_preemptions <<
|
||||
"}, \"delta\": {" <<
|
||||
"\"events\": " << delta.n_evts <<
|
||||
", \"drops\": " << delta.n_drops <<
|
||||
", \"preemptions\": " << delta.n_preemptions <<
|
||||
"}, \"drop_pct\": " << (delta.n_evts == 0 ? 0 : (100.0*delta.n_drops/delta.n_evts)) <<
|
||||
"}," << endl;
|
||||
|
||||
m_last_stats = cstats;
|
||||
}
|
||||
|
||||
@@ -43,5 +43,6 @@ protected:
|
||||
uint32_t m_num_stats;
|
||||
std::shared_ptr<sinsp> m_inspector;
|
||||
std::ofstream m_output;
|
||||
std::string m_extra;
|
||||
scap_stats m_last_stats;
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user