mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-01 15:56:57 +00:00
1f28f85bdf
* Add new json/webserver libs, embedded webserver
Add two new external libraries:
- nlohmann-json is a better json library that has stronger use of c++
features like type deduction, better conversion from stl structures,
etc. We'll use it to hold generic json objects instead of jsoncpp.
- civetweb is an embeddable webserver that will allow us to accept
posted json data.
New files webserver.{cpp,h} start an embedded webserver that listens for
POSTS on a configurable url and passes the json data to the falco
engine.
New falco config items are under webserver:
- enabled: true|false. Whether to start the embedded webserver or not.
- listen_port. Port that webserver listens on
- k8s_audit_endpoint: uri on which to accept POSTed k8s audit events.
(This commit doesn't compile entirely on its own, but we're grouping
these related changes into one commit for clarity).
* Don't use relative paths to find lua code
You can look directly below PROJECT_SOURCE_DIR.
* Reorganize compiler lua code
The lua compiler code is generic enough to work on more than just
sinsp-based rules, so move the parts of the compiler related to event
types and filterchecks out into a standalone lua file
sinsp_rule_utils.lua.
The checks for event types/filterchecks are now done from rule_loader,
and are dependent on a "source" attribute of the rule being
"sinsp". We'll be adding additional types of events next that come from
sources other than system calls.
* Manage separate syscall/k8s audit rulesets
Add the ability to manage separate sets of rules (syscall and
k8s_audit). Stop using the sinsp_evttype_filter object from the sysdig
repo, replacing it with falco_ruleset/falco_sinsp_ruleset from
ruleset.{cpp,h}. It has the same methods to add rules, associate them
with rulesets, and (for syscall) quickly find the relevant rules for a
given syscall/event type.
At the falco engine level, there are new parallel interfaces for both
types of rules (syscall and k8s_audit) to:
- add a rule: add_k8s_audit_filter/add_sinsp_filter
- match an event against rules, possibly returning a result:
process_sinsp_event/process_k8s_audit_event
At the rule loading level, the mechanics of creating filterchecks
objects is handled two factories (sinsp_filter_factory and
json_event_filter_factory), both of which are held by the engine.
* Handle multiple rule types when parsing rules
Modify the steps of parsing a rule's filter expression to handle
multiple types of rules. Notable changes:
- In the rule loader/ast traversal, pass a filter api object down,
which is passed back up in the lua parser api calls like nest(),
bool_op(), rel_expr(), etc.
- The filter api object is either the sinsp factory or k8s audit
factory, depending on the rule type.
- When the rule is complete, the complete filter is passed to the
engine using either add_sinsp_filter()/add_k8s_audit_filter().
* Add multiple output formatting types
Add support for multiple output formatters. Notable changes:
- The falco engine is passed along to falco_formats to gain access to
the engine's factories.
- When creating a formatter, the source of the rule is passed along
with the format string, which controls which kind of output formatter
is created.
Also clean up exception handling a bit so all lua callbacks catch all
exceptions and convert them into lua errors.
* Add support for json, k8s audit filter fields
With some corresponding changes in sysdig, you can now create general
purpose filter fields and events, which can be tied together with
nesting, expressions, and relational operators. The classes here
represent an instance of these fields devoted to generic json objects as
well as k8s audit events. Notable changes:
- json_event: holds a json object, used by all of the below
- json_event_filter_check: Has the ability to extract values out of a
json_event object and has the ability to define macros that associate
a field like "group.field" with a json pointer expression that
extracts a single property's value out of the json object. The basic
field definition also allows creating an index
e.g. group.field[index], where a std::function is responsible for
performing the indexing. This class has virtual void methods so it
must be overridden.
- jevt_filter_check: subclass of json_event_filter_check and defines
the following fields:
- jevt.time/jevt.rawtime: extracts the time from the underlying json object.
- jevt.value[<json pointer>]: general purpose way to extract any
json value out of the underlying object. <json pointer> is a json
pointer expression
- jevt.obj: Return the entire object, stringified.
- k8s_audit_filter_check: implements fields that extract values from
k8s audit events. Most of the implementation is in the form of macros
like ka.user.name, ka.uri, ka.target.name, etc. that just use json
pointers to extact the appropriate value from a k8s audit event. More
advanced fields like ka.uri.param, ka.req.container.image use
indexing to extract individual values out of maps or arrays.
- json_event_filter_factory: used by things like the lua parser api,
output formatter, etc to create the necessary objects and return
them.
- json_event_formatter: given a format string, create the necessary
fields that will be used to create a resolved string when given a
json_event object.
* Add ability to list fields
Similar to sysdig's -l option, add --list (<source>) to list the fields
supported by falco. With no source specified, will print all
fields. Source can be "syscall" for inspector fields e.g. what is
supported by sysdig, or "k8s_audit" to list fields supported only by the
k8s audit support in falco.
* Initial set of k8s audit rules
Add an initial set of k8s audit rules. They're broken into 3 classes of
rules:
- Suspicious activity: this includes things like:
- A disallowed k8s user performing an operation
- A disallowed container being used in a pod.
- A pod created with a privileged pod.
- A pod created with a sensitive mount.
- A pod using host networking
- Creating a NodePort Service
- A configmap containing private credentials
- A request being made by an unauthenticated user.
- Attach/exec to a pod. (We eventually want to also do privileged
pods, but that will require some state management that we don't
currently have).
- Creating a new namespace outside of an allowed set
- Creating a pod in either of the kube-system/kube-public namespaces
- Creating a serviceaccount in either of the kube-system/kube-public
namespaces
- Modifying any role starting with "system:"
- Creating a clusterrolebinding to the cluster-admin role
- Creating a role that wildcards verbs or resources
- Creating a role with writable permissions/pod exec permissions.
- Resource tracking. This includes noting when a deployment, service,
- configmap, cluster role, service account, etc are created or destroyed.
- Audit tracking: This tracks all audit events.
To support these rules, add macros/new indexing functions as needed to
support the required fields and ways to index the results.
* Add ability to read trace files of k8s audit evts
Expand the use of the -e flag to cover both .scap files containing
system calls as well as jsonl files containing k8s audit events:
If a trace file is specified, first try to read it using the
inspector. If that throws an exception, try to read the first line as
json. If both fail, return an error.
Based on the results of the open, the main loop either calls
do_inspect(), looping over system events, or
read_k8s_audit_trace_file(), reading each line as json and passing it to
the engine and outputs.
* Example showing how to enable k8s audit logs.
An example of how to enable k8s audit logging for minikube.
* Add unit tests for k8s audit support
Initial unit test support for k8s audit events. A new multiplex file
falco_k8s_audit_tests.yaml defines the tests. Traces (jsonl files) are
in trace_files/k8s_audit and new rules files are in
test/rules/k8s_audit.
Current test cases include:
- User outside allowed set
- Creating disallowed pod.
- Creating a pod explicitly on the allowed list
- Creating a pod w/ a privileged container (or second container), or a
pod with no privileged container.
- Creating a pod w/ a sensitive mount container (or second container), or a
pod with no sensitive mount.
- Cases for a trace w/o the relevant property + the container being
trusted, and hostnetwork tests.
- Tests that create a Service w/ and w/o a NodePort type.
- Tests for configmaps: tries each disallowed string, ensuring each is
detected, and the other has a configmap with no disallowed string,
ensuring it is not detected.
- The anonymous user creating a namespace.
- Tests for all kactivity rules e.g. those that create/delete
resources as compared to suspicious activity.
- Exec/Attach to Pod
- Creating a namespace outside of an allowed set
- Creating a pod/serviceaccount in kube-system/kube-public namespaces
- Deleting/modifying a system cluster role
- Creating a binding to the cluster-admin role
- Creating a cluster role binding that wildcards verbs or resources
- Creating a cluster role with write/pod exec privileges
* Don't manually install gcc 4.8
gcc 4.8 should already be installed by default on the vm we use for
travis.
841 lines
23 KiB
C++
841 lines
23 KiB
C++
/*
|
|
Copyright (C) 2018 Draios inc.
|
|
|
|
This file is part of falco.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
|
|
*/
|
|
|
|
#include <ctype.h>
|
|
|
|
#include "utils.h"
|
|
#include "uri.h"
|
|
|
|
#include "falco_common.h"
|
|
#include "json_evt.h"
|
|
|
|
using json = nlohmann::json;
|
|
using namespace std;
|
|
|
|
json_event::json_event()
|
|
{
|
|
|
|
}
|
|
|
|
json_event::~json_event()
|
|
{
|
|
}
|
|
|
|
void json_event::set_jevt(json &evt, uint64_t ts)
|
|
{
|
|
m_jevt = evt;
|
|
m_event_ts = ts;
|
|
}
|
|
|
|
const json &json_event::jevt()
|
|
{
|
|
return m_jevt;
|
|
}
|
|
|
|
uint64_t json_event::get_ts()
|
|
{
|
|
return m_event_ts;
|
|
}
|
|
|
|
std::string json_event_filter_check::def_format(const json &j, std::string &field, std::string &idx)
|
|
{
|
|
return json_as_string(j);
|
|
}
|
|
|
|
std::string json_event_filter_check::json_as_string(const json &j)
|
|
{
|
|
if (j.type() == json::value_t::string)
|
|
{
|
|
return j;
|
|
}
|
|
else
|
|
{
|
|
return j.dump();
|
|
}
|
|
}
|
|
|
|
json_event_filter_check::alias::alias()
|
|
: m_idx_mode(IDX_NONE), m_idx_type(IDX_NUMERIC)
|
|
{
|
|
}
|
|
|
|
json_event_filter_check::alias::alias(nlohmann::json::json_pointer ptr)
|
|
: m_jptr(ptr), m_format(def_format),
|
|
m_idx_mode(IDX_NONE), m_idx_type(IDX_NUMERIC)
|
|
{
|
|
}
|
|
|
|
json_event_filter_check::alias::alias(nlohmann::json::json_pointer ptr,
|
|
format_t format)
|
|
: m_jptr(ptr), m_format(format),
|
|
m_idx_mode(IDX_NONE), m_idx_type(IDX_NUMERIC)
|
|
{
|
|
}
|
|
|
|
json_event_filter_check::alias::alias(nlohmann::json::json_pointer ptr,
|
|
format_t format,
|
|
index_mode mode,
|
|
index_type itype)
|
|
: m_jptr(ptr), m_format(format),
|
|
m_idx_mode(mode), m_idx_type(itype)
|
|
{
|
|
}
|
|
|
|
json_event_filter_check::alias::~alias()
|
|
{
|
|
}
|
|
|
|
json_event_filter_check::json_event_filter_check()
|
|
: m_format(def_format)
|
|
{
|
|
}
|
|
|
|
json_event_filter_check::~json_event_filter_check()
|
|
{
|
|
}
|
|
|
|
int32_t json_event_filter_check::parse_field_name(const char *str, bool alloc_state, bool needed_for_filtering)
|
|
{
|
|
// Look for the longest match amongst the aliases. str is not
|
|
// necessarily terminated on a filtercheck boundary.
|
|
size_t match_len = 0;
|
|
|
|
size_t idx_len = 0;
|
|
|
|
for(auto &pair : m_aliases)
|
|
{
|
|
// What follows the match must not be alphanumeric or a dot
|
|
if(strncmp(pair.first.c_str(), str, pair.first.size()) == 0 &&
|
|
!isalnum((int) str[pair.first.size()]) &&
|
|
str[pair.first.size()] != '.' &&
|
|
pair.first.size() > match_len)
|
|
{
|
|
m_jptr = pair.second.m_jptr;
|
|
m_field = pair.first;
|
|
m_format = pair.second.m_format;
|
|
match_len = pair.first.size();
|
|
|
|
const char *start = str + m_field.size();
|
|
|
|
// Check for an optional index
|
|
if(*start == '[')
|
|
{
|
|
start++;
|
|
const char *end = strchr(start, ']');
|
|
|
|
if(end != NULL)
|
|
{
|
|
m_idx = string(start, end-start);
|
|
}
|
|
|
|
idx_len = (end - start + 2);
|
|
}
|
|
|
|
if(m_idx.empty() && pair.second.m_idx_mode == alias::IDX_REQUIRED)
|
|
{
|
|
throw falco_exception(string("When parsing filtercheck ") + string(str) + string(": ") + m_field + string(" requires an index but none provided"));
|
|
}
|
|
|
|
if(!m_idx.empty() && pair.second.m_idx_mode == alias::IDX_NONE)
|
|
{
|
|
throw falco_exception(string("When parsing filtercheck ") + string(str) + string(": ") + m_field + string(" forbids an index but one provided"));
|
|
}
|
|
|
|
if(!m_idx.empty() &&
|
|
pair.second.m_idx_type == alias::IDX_NUMERIC &&
|
|
m_idx.find_first_not_of("0123456789") != string::npos)
|
|
{
|
|
throw falco_exception(string("When parsing filtercheck ") + string(str) + string(": ") + m_field + string(" requires a numeric index"));
|
|
}
|
|
}
|
|
}
|
|
|
|
return match_len + idx_len;
|
|
}
|
|
|
|
void json_event_filter_check::add_filter_value(const char* str, uint32_t len, uint32_t i)
|
|
{
|
|
m_values.push_back(string(str));
|
|
}
|
|
|
|
bool json_event_filter_check::compare(gen_event *evt)
|
|
{
|
|
json_event *jevt = (json_event *) evt;
|
|
|
|
std::string value = extract(jevt);
|
|
|
|
switch(m_cmpop)
|
|
{
|
|
case CO_EQ:
|
|
return (value == m_values[0]);
|
|
break;
|
|
case CO_NE:
|
|
return (value != m_values[0]);
|
|
break;
|
|
case CO_CONTAINS:
|
|
return (value.find(m_values[0]) != string::npos);
|
|
break;
|
|
case CO_STARTSWITH:
|
|
return (value.compare(0, m_values[0].size(), m_values[0]) == 0);
|
|
break;
|
|
case CO_IN:
|
|
for(auto &val : m_values)
|
|
{
|
|
if (value == val)
|
|
{
|
|
return true;
|
|
}
|
|
}
|
|
return false;
|
|
break;
|
|
case CO_EXISTS:
|
|
// Any non-empty, non-"<NA>" value is ok
|
|
return (value != "" && value != "<NA>");
|
|
break;
|
|
default:
|
|
throw falco_exception("filter error: unsupported comparison operator");
|
|
}
|
|
}
|
|
|
|
const std::string &json_event_filter_check::field()
|
|
{
|
|
return m_field;
|
|
}
|
|
|
|
const std::string &json_event_filter_check::idx()
|
|
{
|
|
return m_idx;
|
|
}
|
|
|
|
size_t json_event_filter_check::parsed_size()
|
|
{
|
|
if(m_idx.empty())
|
|
{
|
|
return m_field.size();
|
|
}
|
|
else
|
|
{
|
|
return m_field.size() + m_idx.size() + 2;
|
|
}
|
|
}
|
|
|
|
json_event_filter_check::check_info &json_event_filter_check::get_fields()
|
|
{
|
|
return m_info;
|
|
}
|
|
|
|
uint8_t* json_event_filter_check::extract(gen_event *evt, uint32_t* len, bool sanitize_strings)
|
|
{
|
|
json_event *jevt = (json_event *) evt;
|
|
|
|
try {
|
|
const json &j = jevt->jevt().at(m_jptr);
|
|
|
|
// Only format when the value was actually found in
|
|
// the object.
|
|
m_tstr = m_format(j, m_field, m_idx);
|
|
}
|
|
catch(json::out_of_range &e)
|
|
{
|
|
m_tstr = "<NA>";
|
|
}
|
|
|
|
*len = m_tstr.size();
|
|
|
|
return (uint8_t *) m_tstr.c_str();
|
|
}
|
|
|
|
std::string json_event_filter_check::extract(json_event *evt)
|
|
{
|
|
uint8_t *res;
|
|
uint32_t len;
|
|
std::string ret;
|
|
|
|
res = extract(evt, &len, true);
|
|
|
|
if(res != NULL)
|
|
{
|
|
ret.assign((const char *) res, len);
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
std::string jevt_filter_check::s_jevt_time_field = "jevt.time";
|
|
std::string jevt_filter_check::s_jevt_rawtime_field = "jevt.rawtime";
|
|
std::string jevt_filter_check::s_jevt_value_field = "jevt.value";
|
|
std::string jevt_filter_check::s_jevt_obj_field = "jevt.obj";
|
|
|
|
jevt_filter_check::jevt_filter_check()
|
|
{
|
|
m_info = {"jevt",
|
|
"generic ways to access json events",
|
|
{
|
|
{s_jevt_time_field, "json event timestamp as a string that includes the nanosecond part"},
|
|
{s_jevt_rawtime_field, "absolute event timestamp, i.e. nanoseconds from epoch."},
|
|
{s_jevt_value_field, "General way to access single property from json object. The syntax is [<json pointer expression>]. The property is returned as a string"},
|
|
{s_jevt_obj_field, "The entire json object, stringified"}
|
|
}};
|
|
}
|
|
|
|
jevt_filter_check::~jevt_filter_check()
|
|
{
|
|
|
|
}
|
|
|
|
int32_t jevt_filter_check::parse_field_name(const char *str, bool alloc_state, bool needed_for_filtering)
|
|
{
|
|
if(strncmp(s_jevt_time_field.c_str(), str, s_jevt_time_field.size()) == 0)
|
|
{
|
|
m_field = s_jevt_time_field;
|
|
return s_jevt_time_field.size();
|
|
}
|
|
|
|
if(strncmp(s_jevt_rawtime_field.c_str(), str, s_jevt_rawtime_field.size()) == 0)
|
|
{
|
|
m_field = s_jevt_rawtime_field;
|
|
return s_jevt_rawtime_field.size();
|
|
}
|
|
|
|
if(strncmp(s_jevt_obj_field.c_str(), str, s_jevt_obj_field.size()) == 0)
|
|
{
|
|
m_field = s_jevt_obj_field;
|
|
return s_jevt_obj_field.size();
|
|
}
|
|
|
|
if(strncmp(s_jevt_value_field.c_str(), str, s_jevt_value_field.size()) == 0)
|
|
{
|
|
const char *end;
|
|
|
|
// What follows must be [<json pointer expression>]
|
|
if (*(str + s_jevt_value_field.size()) != '[' ||
|
|
((end = strchr(str + 1, ']')) == NULL))
|
|
|
|
{
|
|
throw falco_exception(string("Could not parse filtercheck field \"") + str + "\". Did not have expected format with 'jevt.value[<json pointer>]'");
|
|
}
|
|
|
|
try {
|
|
m_jptr = json::json_pointer(string(str + (s_jevt_value_field.size()+1), (end-str-(s_jevt_value_field.size()+1))));
|
|
}
|
|
catch (json::parse_error& e)
|
|
{
|
|
throw falco_exception(string("Could not parse filtercheck field \"") + str + "\". Invalid json selector (" + e.what() + ")");
|
|
}
|
|
|
|
// The +1 accounts for the closing ']'
|
|
m_field = string(str, end-str + 1);
|
|
return (end - str + 1);
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
uint8_t* jevt_filter_check::extract(gen_event *evt, uint32_t* len, bool sanitize_stings)
|
|
{
|
|
if(m_field == s_jevt_rawtime_field)
|
|
{
|
|
m_tstr = to_string(evt->get_ts());
|
|
*len = m_tstr.size();
|
|
return (uint8_t *) m_tstr.c_str();
|
|
}
|
|
else if(m_field == s_jevt_time_field)
|
|
{
|
|
sinsp_utils::ts_to_string(evt->get_ts(), &m_tstr, false, true);
|
|
*len = m_tstr.size();
|
|
return (uint8_t *) m_tstr.c_str();
|
|
}
|
|
else if(m_field == s_jevt_obj_field)
|
|
{
|
|
json_event *jevt = (json_event *) evt;
|
|
m_tstr = jevt->jevt().dump();
|
|
*len = m_tstr.size();
|
|
return (uint8_t *) m_tstr.c_str();
|
|
}
|
|
|
|
return json_event_filter_check::extract(evt, len, sanitize_stings);
|
|
}
|
|
|
|
json_event_filter_check *jevt_filter_check::allocate_new()
|
|
{
|
|
jevt_filter_check *chk = new jevt_filter_check();
|
|
|
|
return (json_event_filter_check *) chk;
|
|
}
|
|
|
|
std::string k8s_audit_filter_check::index_image(const json &j, std::string &field, std::string &idx)
|
|
{
|
|
uint64_t idx_num = (idx.empty() ? 0 : stoi(idx));
|
|
|
|
string image;
|
|
|
|
try {
|
|
image = j[idx_num].at("image");
|
|
}
|
|
catch(json::out_of_range &e)
|
|
{
|
|
return string("<NA>");
|
|
}
|
|
|
|
// If the filtercheck ends with .repository, we want only the
|
|
// repo name from the image.
|
|
std::string suffix = ".repository";
|
|
if(suffix.size() <= field.size() &&
|
|
std::equal(suffix.rbegin(), suffix.rend(), field.rbegin()))
|
|
{
|
|
std::string hostname, port, name, tag, digest;
|
|
|
|
sinsp_utils::split_container_image(image,
|
|
hostname,
|
|
port,
|
|
name,
|
|
tag,
|
|
digest,
|
|
false);
|
|
|
|
return name;
|
|
}
|
|
|
|
return image;
|
|
}
|
|
|
|
std::string k8s_audit_filter_check::index_has_name(const json &j, std::string &field, std::string &idx)
|
|
{
|
|
for(auto &subject : j)
|
|
{
|
|
if(subject.value("name", "N/A") == idx)
|
|
{
|
|
return string("true");
|
|
}
|
|
}
|
|
|
|
return string("false");
|
|
}
|
|
|
|
|
|
std::string k8s_audit_filter_check::index_query_param(const json &j, std::string &field, std::string &idx)
|
|
{
|
|
string uri = j;
|
|
std::vector<std::string> uri_parts, query_parts;
|
|
|
|
uri_parts = sinsp_split(uri, '?');
|
|
|
|
if(uri_parts.size() != 2)
|
|
{
|
|
return string("<NA>");
|
|
}
|
|
|
|
query_parts = sinsp_split(uri_parts[1], '&');
|
|
|
|
for(auto &part : query_parts)
|
|
{
|
|
std::vector<std::string> param_parts = sinsp_split(part, '=');
|
|
|
|
if(param_parts.size() == 2 && uri::decode(param_parts[0], true)==idx)
|
|
{
|
|
return uri::decode(param_parts[1]);
|
|
}
|
|
}
|
|
|
|
return string("<NA>");
|
|
}
|
|
|
|
|
|
std::string k8s_audit_filter_check::index_generic(const json &j, std::string &field, std::string &idx)
|
|
{
|
|
json item;
|
|
|
|
if(idx.empty())
|
|
{
|
|
item = j;
|
|
}
|
|
else
|
|
{
|
|
uint64_t idx_num = (idx.empty() ? 0 : stoi(idx));
|
|
|
|
try {
|
|
item = j[idx_num];
|
|
}
|
|
catch(json::out_of_range &e)
|
|
{
|
|
return string("<NA>");
|
|
}
|
|
}
|
|
|
|
return json_event_filter_check::json_as_string(item);
|
|
}
|
|
|
|
std::string k8s_audit_filter_check::index_select(const json &j, std::string &field, std::string &idx)
|
|
{
|
|
json item;
|
|
|
|
// Use the suffix of the field to determine which property to
|
|
// select from each object.
|
|
std::string prop = field.substr(field.find_last_of(".")+1);
|
|
|
|
std::string ret;
|
|
|
|
if(idx.empty())
|
|
{
|
|
for(auto &obj : j)
|
|
{
|
|
if(ret != "")
|
|
{
|
|
ret += " ";
|
|
}
|
|
|
|
try {
|
|
ret += json_event_filter_check::json_as_string(obj.at(prop));
|
|
}
|
|
catch(json::out_of_range &e)
|
|
{
|
|
ret += "N/A";
|
|
}
|
|
}
|
|
}
|
|
else
|
|
{
|
|
try {
|
|
ret = j[stoi(idx)].at(prop);
|
|
}
|
|
catch(json::out_of_range &e)
|
|
{
|
|
ret = "N/A";
|
|
}
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
std::string k8s_audit_filter_check::index_privileged(const json &j, std::string &field, std::string &idx)
|
|
{
|
|
nlohmann::json::json_pointer jpriv = "/securityContext/privileged"_json_pointer;
|
|
|
|
bool privileged = false;
|
|
|
|
if(!idx.empty())
|
|
{
|
|
try {
|
|
privileged = j[stoi(idx)].at(jpriv);
|
|
}
|
|
catch(json::out_of_range &e)
|
|
{
|
|
}
|
|
}
|
|
else
|
|
{
|
|
for(auto &container : j)
|
|
{
|
|
try {
|
|
if(container.at(jpriv))
|
|
{
|
|
privileged = true;
|
|
}
|
|
}
|
|
catch(json::out_of_range &e)
|
|
{
|
|
}
|
|
}
|
|
}
|
|
|
|
return (privileged ? string("true") : string("false"));
|
|
}
|
|
|
|
std::string k8s_audit_filter_check::check_hostpath_vols(const json &j, std::string &field, std::string &idx)
|
|
{
|
|
|
|
nlohmann::json::json_pointer jpath = "/hostPath/path"_json_pointer;
|
|
|
|
for(auto &vol : j)
|
|
{
|
|
string path = vol.value(jpath, "N/A");
|
|
|
|
if(sinsp_utils::glob_match(idx.c_str(), path.c_str()))
|
|
{
|
|
return string("true");
|
|
}
|
|
}
|
|
|
|
return string("false");
|
|
}
|
|
|
|
k8s_audit_filter_check::k8s_audit_filter_check()
|
|
{
|
|
m_info = {"ka",
|
|
"Access K8s Audit Log Events",
|
|
{
|
|
{"ka.auditid", "The unique id of the audit event"},
|
|
{"ka.stage", "Stage of the request (e.g. RequestReceived, ResponseComplete, etc.)"},
|
|
{"ka.auth.decision", "The authorization decision"},
|
|
{"ka.auth.reason", "The authorization reason"},
|
|
{"ka.user.name", "The user name performing the request"},
|
|
{"ka.user.groups", "The groups to which the user belongs"},
|
|
{"ka.impuser.name", "The impersonated user name"},
|
|
{"ka.verb", "The action being performed"},
|
|
{"ka.uri", "The request URI as sent from client to server"},
|
|
{"ka.uri.param", "The value of a given query parameter in the uri (e.g. when uri=/foo?key=val, ka.uri.param[key] is val)."},
|
|
{"ka.target.name", "The target object name"},
|
|
{"ka.target.namespace", "The target object namespace"},
|
|
{"ka.target.resource", "The target object resource"},
|
|
{"ka.target.subresource", "The target object subresource"},
|
|
{"ka.req.binding.subjects", "When the request object refers to a cluster role binding, the subject (e.g. account/users) being linked by the binding"},
|
|
{"ka.req.binding.subject.has_name", "When the request object refers to a cluster role binding, return true if a subject with the provided name exists"},
|
|
{"ka.req.binding.role", "When the request object refers to a cluster role binding, the role being linked by the binding"},
|
|
{"ka.req.configmap.name", "If the request object refers to a configmap, the configmap name"},
|
|
{"ka.req.configmap.obj", "If the request object refers to a configmap, the entire configmap object"},
|
|
{"ka.req.container.image", "When the request object refers to a container, the container's images. Can be indexed (e.g. ka.req.container.image[0]). Without any index, returns the first image"},
|
|
{"ka.req.container.image.repository", "The same as req.container.image, but only the repository part (e.g. sysdig/falco)"},
|
|
{"ka.req.container.host_network", "When the request object refers to a container, the value of the hostNetwork flag."},
|
|
{"ka.req.container.privileged", "When the request object refers to a container, whether or not any container is run privileged. With an index, return whether or not the ith container is run privileged."},
|
|
{"ka.req.role.rules", "When the request object refers to a role/cluster role, the rules associated with the role"},
|
|
{"ka.req.role.rules.apiGroups", "When the request object refers to a role/cluster role, the api groups associated with the role's rules. With an index, return only the api groups from the ith rule. Without an index, return all api groups concatenated"},
|
|
{"ka.req.role.rules.nonResourceURLs", "When the request object refers to a role/cluster role, the non resource urls associated with the role's rules. With an index, return only the non resource urls from the ith rule. Without an index, return all non resource urls concatenated"},
|
|
{"ka.req.role.rules.verbs", "When the request object refers to a role/cluster role, the verbs associated with the role's rules. With an index, return only the verbs from the ith rule. Without an index, return all verbs concatenated"},
|
|
{"ka.req.role.rules.resources", "When the request object refers to a role/cluster role, the resources associated with the role's rules. With an index, return only the resources from the ith rule. Without an index, return all resources concatenated"},
|
|
{"ka.req.service.type", "When the request object refers to a service, the service type"},
|
|
{"ka.req.service.ports", "When the request object refers to a service, the service's ports. Can be indexed (e.g. ka.req.service.ports[0]). Without any index, returns all ports"},
|
|
{"ka.req.volume.hostpath", "If the request object contains volume definitions, whether or not a hostPath volume exists that mounts the specified path from the host (...hostpath[/etc]=true if a volume mounts /etc from the host). The index can be a glob, in which case all volumes are considered to find any path matching the specified glob (...hostpath[/usr/*] would match either /usr/local or /usr/bin)"},
|
|
{"ka.resp.name", "The response object name"},
|
|
{"ka.response.code", "The response code"},
|
|
{"ka.response.reason", "The response reason (usually present only for failures)"}
|
|
}};
|
|
|
|
{
|
|
using a = alias;
|
|
|
|
m_aliases = {
|
|
{"ka.auditid", {"/auditID"_json_pointer}},
|
|
{"ka.stage", {"/stage"_json_pointer}},
|
|
{"ka.auth.decision", {"/annotations/authorization.k8s.io~1decision"_json_pointer}},
|
|
{"ka.auth.reason", {"/annotations/authorization.k8s.io~1reason"_json_pointer}},
|
|
{"ka.user.name", {"/user/username"_json_pointer}},
|
|
{"ka.user.groups", {"/user/groups"_json_pointer}},
|
|
{"ka.impuser.name", {"/impersonatedUser/username"_json_pointer}},
|
|
{"ka.verb", {"/verb"_json_pointer}},
|
|
{"ka.uri", {"/requestURI"_json_pointer}},
|
|
{"ka.uri.param", {"/requestURI"_json_pointer, index_query_param, a::IDX_REQUIRED, a::IDX_KEY}},
|
|
{"ka.target.name", {"/objectRef/name"_json_pointer}},
|
|
{"ka.target.namespace", {"/objectRef/namespace"_json_pointer}},
|
|
{"ka.target.resource", {"/objectRef/resource"_json_pointer}},
|
|
{"ka.target.subresource", {"/objectRef/subresource"_json_pointer}},
|
|
{"ka.req.binding.subjects", {"/requestObject/subjects"_json_pointer}},
|
|
{"ka.req.binding.subject.has_name", {"/requestObject/subjects"_json_pointer, index_has_name, a::IDX_REQUIRED, a::IDX_KEY}},
|
|
{"ka.req.binding.role", {"/requestObject/roleRef/name"_json_pointer}},
|
|
{"ka.req.configmap.name", {"/objectRef/name"_json_pointer}},
|
|
{"ka.req.configmap.obj", {"/requestObject/data"_json_pointer}},
|
|
{"ka.req.container.image", {"/requestObject/spec/containers"_json_pointer, index_image, a::IDX_ALLOWED, a::IDX_NUMERIC}},
|
|
{"ka.req.container.image.repository", {"/requestObject/spec/containers"_json_pointer, index_image, a::IDX_ALLOWED, a::IDX_NUMERIC}},
|
|
{"ka.req.container.host_network", {"/requestObject/spec/hostNetwork"_json_pointer}},
|
|
{"ka.req.container.privileged", {"/requestObject/spec/containers"_json_pointer, index_privileged, a::IDX_ALLOWED, a::IDX_NUMERIC}},
|
|
{"ka.req.role.rules", {"/requestObject/rules"_json_pointer}},
|
|
{"ka.req.role.rules.apiGroups", {"/requestObject/rules"_json_pointer, index_select, a::IDX_ALLOWED, a::IDX_NUMERIC}},
|
|
{"ka.req.role.rules.nonResourceURLs", {"/requestObject/rules"_json_pointer, index_select, a::IDX_ALLOWED, a::IDX_NUMERIC}},
|
|
{"ka.req.role.rules.resources", {"/requestObject/rules"_json_pointer, index_select, a::IDX_ALLOWED, a::IDX_NUMERIC}},
|
|
{"ka.req.role.rules.verbs", {"/requestObject/rules"_json_pointer, index_select, a::IDX_ALLOWED, a::IDX_NUMERIC}},
|
|
{"ka.req.service.type", {"/requestObject/spec/type"_json_pointer}},
|
|
{"ka.req.service.ports", {"/requestObject/spec/ports"_json_pointer, index_generic, a::IDX_ALLOWED, a::IDX_NUMERIC}},
|
|
{"ka.req.volume.hostpath", {"/requestObject/spec/volumes"_json_pointer, check_hostpath_vols, a::IDX_REQUIRED, a::IDX_KEY}},
|
|
{"ka.resp.name", {"/responseObject/metadata/name"_json_pointer}},
|
|
{"ka.response.code", {"/responseStatus/code"_json_pointer}},
|
|
{"ka.response.reason", {"/responseStatus/reason"_json_pointer}}
|
|
};
|
|
}
|
|
}
|
|
|
|
k8s_audit_filter_check::~k8s_audit_filter_check()
|
|
{
|
|
|
|
}
|
|
|
|
json_event_filter_check *k8s_audit_filter_check::allocate_new()
|
|
{
|
|
k8s_audit_filter_check *chk = new k8s_audit_filter_check();
|
|
|
|
return (json_event_filter_check *) chk;
|
|
}
|
|
|
|
json_event_filter::json_event_filter()
|
|
{
|
|
}
|
|
|
|
json_event_filter::~json_event_filter()
|
|
{
|
|
}
|
|
|
|
json_event_filter_factory::json_event_filter_factory()
|
|
{
|
|
m_defined_checks.push_back(shared_ptr<json_event_filter_check>(new jevt_filter_check()));
|
|
m_defined_checks.push_back(shared_ptr<json_event_filter_check>(new k8s_audit_filter_check()));
|
|
|
|
for(auto &chk : m_defined_checks)
|
|
{
|
|
m_info.push_back(chk->get_fields());
|
|
}
|
|
}
|
|
|
|
json_event_filter_factory::~json_event_filter_factory()
|
|
{
|
|
}
|
|
|
|
gen_event_filter *json_event_filter_factory::new_filter()
|
|
{
|
|
return new json_event_filter();
|
|
}
|
|
|
|
gen_event_filter_check *json_event_filter_factory::new_filtercheck(const char *fldname)
|
|
{
|
|
for(auto &chk : m_defined_checks)
|
|
{
|
|
json_event_filter_check *newchk = chk->allocate_new();
|
|
|
|
int32_t parsed = newchk->parse_field_name(fldname, false, true);
|
|
|
|
if(parsed > 0)
|
|
{
|
|
return newchk;
|
|
}
|
|
|
|
delete newchk;
|
|
}
|
|
|
|
return NULL;
|
|
}
|
|
|
|
std::list<json_event_filter_check::check_info> &json_event_filter_factory::get_fields()
|
|
{
|
|
return m_info;
|
|
}
|
|
|
|
json_event_formatter::json_event_formatter(json_event_filter_factory &json_factory, std::string &format)
|
|
: m_format(format),
|
|
m_json_factory(json_factory)
|
|
{
|
|
parse_format();
|
|
}
|
|
|
|
json_event_formatter::~json_event_formatter()
|
|
{
|
|
}
|
|
|
|
std::string json_event_formatter::tostring(json_event *ev)
|
|
{
|
|
std::string ret;
|
|
|
|
std::list<std::pair<std::string,std::string>> resolved;
|
|
|
|
resolve_tokens(ev, resolved);
|
|
|
|
for(auto &res : resolved)
|
|
{
|
|
ret += res.second;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
std::string json_event_formatter::tojson(json_event *ev)
|
|
{
|
|
nlohmann::json ret;
|
|
|
|
std::list<std::pair<std::string,std::string>> resolved;
|
|
|
|
resolve_tokens(ev, resolved);
|
|
|
|
for(auto &res : resolved)
|
|
{
|
|
// Only include the fields and not the raw text blocks.
|
|
if(!res.first.empty())
|
|
{
|
|
ret[res.first] = res.second;
|
|
}
|
|
}
|
|
|
|
return ret.dump();
|
|
}
|
|
|
|
void json_event_formatter::parse_format()
|
|
{
|
|
string tformat = m_format;
|
|
|
|
// Remove any leading '*' if present
|
|
if(tformat.front() == '*')
|
|
{
|
|
tformat.erase(0, 1);
|
|
}
|
|
|
|
while(tformat.size() > 0)
|
|
{
|
|
size_t size;
|
|
struct fmt_token tok;
|
|
|
|
if(tformat.front() == '%')
|
|
{
|
|
// Skip the %
|
|
tformat.erase(0, 1);
|
|
json_event_filter_check *chk = (json_event_filter_check *) m_json_factory.new_filtercheck(tformat.c_str());
|
|
|
|
if(!chk)
|
|
{
|
|
throw falco_exception(string ("Could not parse format string \"") + m_format + "\": unknown filtercheck field " + tformat);
|
|
}
|
|
|
|
size = chk->parsed_size();
|
|
tok.check.reset(chk);
|
|
}
|
|
else
|
|
{
|
|
size = tformat.find_first_of("%");
|
|
if(size == string::npos)
|
|
{
|
|
size = tformat.size();
|
|
}
|
|
}
|
|
|
|
if(size == 0)
|
|
{
|
|
// Empty fields are only allowed at the beginning of the string
|
|
if(m_tokens.size() > 0)
|
|
{
|
|
throw falco_exception(string ("Could not parse format string \"" + m_format + "\": empty filtercheck field"));
|
|
}
|
|
continue;
|
|
}
|
|
|
|
tok.text = tformat.substr(0, size);
|
|
m_tokens.push_back(tok);
|
|
|
|
tformat.erase(0, size);
|
|
}
|
|
}
|
|
|
|
void json_event_formatter::resolve_tokens(json_event *ev, std::list<std::pair<std::string,std::string>> &resolved)
|
|
{
|
|
for(auto tok : m_tokens)
|
|
{
|
|
if(tok.check)
|
|
{
|
|
resolved.push_back(std::make_pair(tok.check->field(), tok.check->extract(ev)));
|
|
}
|
|
else
|
|
{
|
|
resolved.push_back(std::make_pair("", tok.text));
|
|
}
|
|
}
|
|
}
|