mirror of https://github.com/falcosecurity/falco.git synced 2025-06-29 16:17:32 +00:00

Cloud Native Runtime Security

cloud-native cncf containers ebpf falco hacktoberfest kubernetes security

Go to file

Mark Stemm afa1e02c57 Rule updates 2019 04.v5 (#579 ) * Fix mistake in always_true macro comparison operator was wrong. * Whitespace diffs * Add opt-in rules for interp procs + networking New rules "Interpreted procs inbound network activity" and "Interpreted procs outbound network activity" check for any network activity being done by interpreted programs like ruby, python, etc. They aren't enabled by default, as there are many legitimate cases where these programs might perform inbound or outbound networking. Macros "consider_interpreted_inbound" and "consider_interpreted_outbound" can be used to enable them. * Opt-in rule for running network tools on host New rule Lauch Suspicious Network Tool on Host is similar to "Lauch Suspicious Network Tool in Container" [sic] but works on the host. It's not enabled by default, but can be enabled using the macro consider_network_tools_on_host. * Add parens around container macro * Make Modify User Context generic to shell configs Rename Modify User Context to Modify Shell Configuration File to note that it's limited to shell configuration files, and expand the set of files to cover a collection of file names and files for zsh, csh, and bash. * Also prevent shells from directly opening conns Bash can directly open network connections by writing to /dev/{tcp,udp}/<addr>/<port>. These aren't actual files, but are interpreted by bash as instructions to open network connections. * Add rule to detect shell config reads New rule Read Shell Configuration File is analogous to Write Shell Configuration File, but handles reads by programs other than shell programs. It's also disabled by default using consider_shell_config_reads. * Add rule to check ssh directory/file reads New rule Read ssh information looks for any open of a file or directory below /root/.ssh or a user ssh directory. ssh binaries (new list ssh_binaries) are excluded. The rule is also opt-in via the macro consider_ssh_reads. * Rule to check for disallowed ssh proxies New rule "Program run with disallowed http proxy env" looks for spawned programs that have a HTTP_PROXY environment variable, but the value of the HTTP_PROXY is not an expected value. This handles attempts to redirect traffic to unexpected locations. * Add rules showing how to categorize outbound conns New rules Unexpected outbound connection destination and Unexpected outbound connection source show how to categorize network connections by either destination or source ip address, netmask, or domain name. In order to be effective, they require a comprehensive set of allowed sources and/or destinations, so they both require customization and are gated by the macro consider_all_outbound_conns. * Add .bash_history to bash config files * Restrict http proxy rule to specific procs Only considering wget, curl for now. * Shell programs can directly modify config Most notably .bash_history. * Use right system_procs/binaries system_binaries doesn't exist, so use system_procs + an additional test for shell_binaries.		2019-04-11 21:00:55 -07:00
.github	fix stale.yml file extension (#548 )	2019-03-05 10:03:07 -05:00
cla	adding govt CLA	2017-08-04 13:59:17 -07:00
cpack/debian	Add ability to read rules files from directories (#348 )	2018-04-05 17:03:37 -07:00
docker	Change log timestamp to ISO8601 w/ timezone (#518 )	2019-04-09 09:41:00 -07:00
examples	delete all duplicate empty blanks (#542 )	2019-02-27 11:53:40 -05:00
integrations	Add KUBERNETES_SERVICE_HOST (#562 )	2019-03-13 17:40:41 -07:00
rules	Rule updates 2019 04.v5 (#579 )	2019-04-11 21:00:55 -07:00
scripts	delete all duplicate empty blanks (#542 )	2019-02-27 11:53:40 -05:00
test	Change log timestamp to ISO8601 w/ timezone (#518 )	2019-04-09 09:41:00 -07:00
userspace	Change log timestamp to ISO8601 w/ timezone (#518 )	2019-04-09 09:41:00 -07:00
.gitignore	Allow SSL for k8s audit endpoint (#471 )	2019-01-23 20:21:37 -08:00
.travis.yml	Support container event to denote container starts (#550 )	2019-03-08 13:23:10 -08:00
CHANGELOG.md	Update for 0.14.0 (#519 )	2019-02-06 16:37:55 -08:00
CMakeCPackOptions.cmake	Better copyright notices (#426 )	2018-09-26 19:49:19 -07:00
CMakeLists.txt	Define GRPC_CPP_PLUGIN (#569 )	2019-04-02 10:34:54 -07:00
CODE_OF_CONDUCT	Clean up Readme, Add CNCF requested files for project. (#440 )	2018-10-10 01:50:17 -05:00
COPYING	Change license to Apache 2.0 (#419 )	2018-09-20 11:47:10 -07:00
falco.yaml	Change log timestamp to ISO8601 w/ timezone (#518 )	2019-04-09 09:41:00 -07:00
GOVERNANCE	delete all duplicate empty blanks (#542 )	2019-02-27 11:53:40 -05:00
MAINTAINERS	Clean up Readme, Add CNCF requested files for project. (#440 )	2018-10-10 01:50:17 -05:00
README.md	Update contribute doc (#524 )	2019-02-11 13:22:00 -08:00

README.md

Falco

Latest release

v0.14.0 Read the change log

Dev Branch:
Master Branch:
CII Best Practices:

Overview

Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Powered by sysdig’s system call capture infrastructure, Falco lets you continuously monitor and detect container, application, host, and network activity... all in one place, from one source of data, with one set of rules.

Falco is hosted by the Cloud Native Computing Foundation (CNCF) as a sandbox level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details read the Falco CNCF project proposal.

What kind of behaviors can Falco detect?

Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, you can easily detect things like:

A shell is run inside a container
A container is running in privileged mode, or is mounting a sensitive path like /proc from the host.
A server process spawns a child process of an unexpected type
Unexpected read of a sensitive file (like /etc/shadow)
A non-device file is written to /dev
A standard system binary (like ls) makes an outbound network connection

How Falco Compares to Other Security Tools like SELinux, Auditd, etc.

One of the questions we often get when we talk about Falco is “How does it compare to other tools like SELinux, AppArmor, Auditd, etc. that also have security policies?”. We wrote a blog post comparing Falco to other tools.

Documentation

Visit the wiki for full documentation on falco.

Join the Community

Website for Falco.
We are working on a blog for the Falco project. In the meantime you can find Falco posts over on the Sysdig blog.
Join our Public Slack channel for open source sysdig and Falco announcements and discussions.

License Terms

Falco is licensed to you under the Apache 2.0 open source license.

Contributor License Agreements

Background

We are formalizing the way that we accept contributions of code from the contributing community. We must now ask that contributions to falco be provided subject to the terms and conditions of a Contributor License Agreement (CLA). The CLA comes in two forms, applicable to contributions by individuals, or by legal entities such as corporations and their employees. We recognize that entering into a CLA with us involves real consideration on your part, and we’ve tried to make this process as clear and simple as possible.

We’ve modeled our CLA off of industry standards, such as the CLA used by Kubernetes. Note that this agreement is not a transfer of copyright ownership, this simply is a license agreement for contributions, intended to clarify the intellectual property license granted with contributions from any person or entity. It is for your protection as a contributor as well as the protection of falco; it does not change your rights to use your own contributions for any other purpose.

For some background on why contributor license agreements are necessary, you can read FAQs from many other open source projects:

As always, we are grateful for your past and present contributions to falco.

What do I need to do in order to contribute code?

At first, you need do all changes based on dev branch not master branch.

Individual contributions: Individuals who wish to make contributions must review the Individual Contributor License Agreement and indicate agreement by adding the following line to every GIT commit message:

falco-CLA-1.0-signed-off-by: Joe Smith <joe.smith@email.com>

Use your real name; pseudonyms or anonymous contributions are not allowed.

Corporate contributions: Employees of corporations, members of LLCs or LLPs, or others acting on behalf of a contributing entity, must review the Corporate Contributor License Agreement, must be an authorized representative of the contributing entity, and indicate agreement to it on behalf of the contributing entity by adding the following lines to every GIT commit message:

falco-CLA-1.0-contributing-entity: Full Legal Name of Entity
falco-CLA-1.0-signed-off-by: Joe Smith <joe.smith@email.com>

Use a real name of a natural person who is an authorized representative of the contributing entity; pseudonyms or anonymous contributions are not allowed.

Government contributions: Employees or officers of the United States Government, must review the Government Contributor License Agreement, must be an authorized representative of the contributing entity, and indicate agreement to it on behalf of the contributing entity by adding the following lines to every GIT commit message:

falco-CLA-1.0-contributing-govt-entity: Full Legal Name of Entity
falco-CLA-1.0-signed-off-by: Joe Smith <joe.smith@email.com>
This file is a work of authorship of an employee or officer of the United States Government and is not subject to copyright in the United States under 17 USC 105.