Cloud Native Runtime Security
Mark Stemm 7a4d790458 rule(Change thread namespace): Require proc name
In some cases, dropped events around the time a new container is started
can result in missing the exec/clone for a process that does a setns to
enter the namespace of a container. Here's an example from an oss
capture:

```
282273 09:01:22.098095673 30 runc:[0:PARENT] (168555) < setns res=0
282283 09:01:22.098138869 30 runc:[0:PARENT] (168555) < setns res=0
282295 09:01:22.098179685 30 runc:[0:PARENT] (168555) < setns res=0
517284 09:01:30.128723777 13 <NA> (168909) < setns res=0
517337 09:01:30.129054963 13 <NA> (168909) < setns res=0
517451 09:01:30.129560037 2 <NA> (168890) < setns res=0
524597 09:01:30.162741004 19 <NA> (168890) < setns res=0
527433 09:01:30.179786170 18 runc:[0:PARENT] (168927) < setns res=0
527448 09:01:30.179852428 18 runc:[0:PARENT] (168927) < setns res=0
535566 09:01:30.232420372 25 nsenter (168938) < setns res=0
537412 09:01:30.246200357 0 nsenter (168941) < setns res=0
554163 09:01:30.347158783 17 nsenter (168950) < setns res=0
659908 09:01:31.064622960 12 runc:[0:PARENT] (169023) < setns res=0
659919 09:01:31.064665759 12 runc:[0:PARENT] (169023) < setns res=0
732062 09:01:31.608297074 4 nsenter (169055) < setns res=0
812985 09:01:32.217527319 6 runc:[0:PARENT] (169077) < setns res=0
812991 09:01:32.217579396 6 runc:[0:PARENT] (169077) < setns res=0
813000 09:01:32.217632211 6 runc:[0:PARENT] (169077) < setns res=0
```

When this happens, it can cause false positives for the "Change thread
namespace" rule as it allows certain process names like "runc",
"containerd", etc. to perform setns calls.

Other rules already use the proc_name_exists macro to require that the
process name exists. This change adds proc_name_exists to the Change
Thread Namespace rule as well.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-09-03 18:56:51 +02:00
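An added illustration (not part of the commit or of the Falco rule set) of why the `<NA>` process name produces the false positive: a small Python model of the rule's exemption logic, run over a few lines of the capture quoted above. The exemption list is a simplified stand-in for the real rule condition, and the `proc_name_exists` macro is assumed to mean `proc.name != "<NA>"`.

```python
import re

# Constructed sample: lines taken from the capture quoted in the commit message
# (text event format: evt.num time cpu proc.name (tid) dir evt.type args).
CAPTURE = """\
282273 09:01:22.098095673 30 runc:[0:PARENT] (168555) < setns res=0
517284 09:01:30.128723777 13 <NA> (168909) < setns res=0
517337 09:01:30.129054963 13 <NA> (168909) < setns res=0
517451 09:01:30.129560037 2 <NA> (168890) < setns res=0
535566 09:01:30.232420372 25 nsenter (168938) < setns res=0
659908 09:01:31.064622960 12 runc:[0:PARENT] (169023) < setns res=0
"""

EVENT_RE = re.compile(
    r"^(?P<num>\d+) (?P<time>\S+) (?P<cpu>\d+) (?P<proc_name>\S+) "
    r"\((?P<tid>\d+)\) (?P<dir>[<>]) (?P<type>\w+)(?P<args>.*)$"
)

# Simplified stand-in for the rule's exemptions (an assumption: the real
# condition lists many more container-runtime binaries and macros).
KNOWN_SETNS_CALLERS = {"nsenter", "dockerd", "containerd", "containerd-shim"}

def parse_capture(text):
    """Return one dict per event line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def known_setns_caller(proc_name):
    return proc_name in KNOWN_SETNS_CALLERS or proc_name.startswith("runc")

def change_thread_namespace(evt, require_proc_name):
    """True when the simplified rule fires on a setns exit event.
    require_proc_name models adding proc_name_exists (assumed to be
    proc.name != "<NA>"): an unlearned name is skipped, not judged."""
    if evt["type"] != "setns" or evt["dir"] != "<":
        return False
    if require_proc_name and evt["proc_name"] == "<NA>":
        return False
    return not known_setns_caller(evt["proc_name"])

def alerts(text, require_proc_name):
    """Event numbers (as ints) of the lines that would raise an alert."""
    return [int(e["num"]) for e in parse_capture(text)
            if change_thread_namespace(e, require_proc_name)]
```

Without the name check the three `<NA>` events alert even though they are almost certainly the same runc/nsenter activity whose exec was dropped; with it they are skipped and the runc and nsenter lines stay exempt as before.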
| Path | Last commit | Date |
|---|---|---|
| .circleci | build: CentOS 8 dependencies | 2020-08-20 19:26:56 +02:00 |
| .github | build: stale bot adjustments | 2020-07-07 12:20:55 +02:00 |
| audits | move audit doc | 2019-12-17 09:15:41 +01:00 |
| brand | docs: teal logo is svg | 2020-06-29 09:14:50 -07:00 |
| cmake | build: update sysdig version to ae104eb20ff0198a5dcb0c91cc36c86e7c3f25c7 | 2020-08-24 20:32:24 +02:00 |
| docker | update(docker/tester): use the new run_regression_tests.sh CLI flags | 2020-07-20 22:48:00 +02:00 |
| proposals | bc(userspace/falco): the Falco gRPC Outputs API are now "falco.outputs.service/get" and "falco.outputs.service/sub" | 2020-06-29 20:42:50 +02:00 |
| rules | rule(Change thread namespace): Require proc name | 2020-09-03 18:56:51 +02:00 |
| scripts | falco-driver-loader: fix conflicting $1 argument usage | 2020-07-28 09:58:39 +02:00 |
| test | Adding user.loginuid to the default falco rules in any place user.name exists | 2020-08-28 10:02:19 +02:00 |
| tests | update(tests/engine): test is_unix_scheme | 2020-05-21 18:15:46 +02:00 |
| userspace | fix(userspace/falco): do not always rethrow the exception | 2020-08-25 14:27:40 +02:00 |
| .clang-format | chore: clang format following the current style | 2019-07-03 09:07:00 +02:00 |
| .cmake-format | new: cmake format columns to 120 | 2020-01-17 19:09:31 +01:00 |
| .gitignore | update(docker/event-generator): remove the event-generator from the Falco repo | 2020-04-24 15:40:50 +02:00 |
| .luacheckrc | new: luacheck basic config | 2019-07-10 18:49:02 +02:00 |
| .yamllint.conf | new: YAML lint configuration | 2019-07-10 13:00:03 +02:00 |
| ADOPTERS.md | Add GitLab to ADOPTERS.md | 2020-06-30 11:45:58 +02:00 |
| CHANGELOG.md | docs: changelog for 0.25.0 | 2020-08-25 16:19:21 +02:00 |
| CMakeLists.txt | build: make sure lyaml is linked with the bundled libyaml | 2020-08-20 19:26:56 +02:00 |
| COPYING | docs: update COPYING | 2019-10-08 16:02:26 +02:00 |
| falco.yaml | docs: auto threadiness comment into Falco config | 2020-07-07 13:42:09 +02:00 |
| GOVERNANCE.md | docs: markdown governance | 2019-09-13 12:57:17 +02:00 |
| OWNERS | docs: add myself to owners | 2020-07-03 16:37:17 +02:00 |
| README.md | docs(README.md): correct CONTRIBUTING.md URL | 2020-08-31 17:08:06 +02:00 |
| RELEASE.md | docs(RELEASE.md): correct typo in YYYY | 2020-08-31 17:08:06 +02:00 |

Cloud Native Runtime Security.



Latest releases

Read the change log.

| | development | stable |
|---|---|---|
| rpm | rpm-dev | rpm |
| deb | deb-dev | deb |
| binary | bin-dev | bin |

The Falco Project, originally created by Sysdig, is an incubating CNCF open source cloud native runtime security tool. Falco makes it easy to consume kernel events and enrich those events with information from Kubernetes and the rest of the cloud native stack. Falco has a rich set of security rules specifically built for Kubernetes, Linux, and cloud-native environments. If a rule is violated in a system, Falco will send an alert notifying the user of the violation and its severity.

Installing Falco

If you would like to run Falco in production, please adhere to the official installation guide.

Kubernetes
| Tool | Link | Note |
|---|---|---|
| Helm | Chart Repository | The Falco community offers regular helm chart releases. |
| Minikube | Tutorial | The Falco driver has been baked into minikube for easy deployment. |
| Kind | Tutorial | Running Falco with kind requires a driver on the host system. |
| GKE | Tutorial | We suggest using the eBPF driver for running Falco on GKE. |

Developing

Falco is designed to be extensible such that it can be built into cloud-native applications and infrastructure.

Falco has a gRPC endpoint and an API defined in protobuf. The Falco Project supports various SDKs for this endpoint.

SDKs
| Language | Repository |
|---|---|
| Go | client-go |
| Rust | client-rs |
| Python | client-py |

What can Falco detect?

Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, Falco can easily detect incidents including but not limited to:

  • A shell is running inside a container or pod in Kubernetes.
  • A container is running in privileged mode, or is mounting a sensitive path, such as /proc, from the host.
  • A server process is spawning a child process of an unexpected type.
  • Unexpected read of a sensitive file, such as /etc/shadow.
  • A non-device file is written to /dev.
  • A standard system binary, such as ls, is making an outbound network connection.

Documentation

The Official Documentation is the best resource to learn about Falco.

Join the Community

To get involved with The Falco Project please visit the community repository to find more.

Contributing

See the CONTRIBUTING.md.

Security Audit

A third-party security audit was performed by Cure53; you can see the full report here.

Reporting security vulnerabilities

Please report security vulnerabilities following the community process documented here.

License Terms

Falco is licensed to you under the Apache 2.0 open source license.