Merging for 0.6.0 #229
Commits on Aug 6, 2016
- a769373
- f82288f
Commits on Aug 9, 2016
- b57eb86 Add ignores for test-related files.
  Ignore results.json and similar names. Also ignore the file created when running phoronix tests.
- bf431cf Don't run the spawned program in a shell.
  Instead, run it directly. This avoids false positives when running non-bash commands and false negatives when trying to run a shell.
- 03e6c1b Merge pull request #111 from draios/update-nodejs-example
  Don't run the spawned program in a shell.
Commits on Aug 10, 2016
- fc9690b Create embeddable falco engine.
  Create standalone classes falco_engine/falco_outputs that can be embedded in other programs. falco_engine is responsible for matching events against rules, and falco_output is responsible for formatting an alert string given an event and writing the alert string to all configured outputs.
  falco_engine's main interfaces are:
  - load_rules/load_rules_file: Given a path to a rules file or a string containing a set of rules, load the rules. Also loads needed lua code.
  - process_event(): check the event against the set of rules and return the results of a match, if any.
  - describe_rule(): print details on a specific rule or all rules.
  - print_stats(): print stats on the rules that matched.
  - enable_rule(): enable/disable any rules matching a pattern.
  New falco command line option -D allows you to disable one or more rules on the command line.
  falco_output's main interfaces are:
  - init(): load needed lua code.
  - add_output(): add an output channel for alert notifications.
  - handle_event(): given an event that matches one or more rules, format an alert message and send it to any output channels.
  Each of falco_engine/falco_output maintains a separate lua state and loads separate sets of lua files. The code to create and initialize the lua state is in a base class falco_common.
  falco_engine no longer logs anything. In the case of errors, it throws exceptions. falco_logger is now only used as a logging mechanism for falco itself and as an output method for alert messages. (This should really probably be split, but it's ok for now).
  falco_engine contains a sinsp_evttype_filter object containing the set of eventtype filters. Instead of calling m_inspector->add_evttype_filter() to add a filter created by the compiler, call falco_engine::add_evttype_filter() instead. This means that the inspector runs with a NULL filter and all events are returned from do_inspect. This depends on draios/sysdig#633 which has a wrapper around a set of eventtype filters.
  Some additional changes along with creating these classes:
  - Some cleanups of unnecessary header files, cmake include_directory()s, etc to only include necessary includes and only include them in header files when required.
  - Try to avoid 'using namespace std' in header files, or assuming someone else has done that. Generally add 'using namespace std' to all source files.
  - Instead of using sinsp_exception for all errors, define a falco_engine_exception class for exceptions coming from the falco engine and use it instead. For falco program code, switch to general exceptions under std::exception and catch + display an error for all exceptions, not just sinsp_exceptions.
  - Remove fields.{cpp,h}. This was dead code.
  - Start tracking counts of rules by priority string (i.e. what's in the falco rules file) as compared to priority level (i.e. roughly corresponding to a syslog level). This keeps the rule processing and rule output halves separate. This led to some test changes. The regex used in the test is now case insensitive to be a bit more flexible.
  - Now that draios/sysdig#632 is merged, we can delete the rules object (and its lua_parser) safely.
  - Move loading the initial lua script to the constructor. Otherwise, calling load_rules() twice re-loads the lua script and throws away any state like the mapping from rule index to rule.
  - Allow an empty rules file.
  Finally, fix most memory leaks found by valgrind:
  - falco_configuration wasn't deleting the allocated m_config yaml config.
  - several ifstreams were being created simply to test which falco config file to use.
  - In the lua output methods, an event formatter was being created using falco.formatter() but there was no corresponding free_formatter().
  This depends on changes in draios/sysdig#640.
- b1857ef Move falco engine to its own library.
  Move the c++ and lua code implementing falco engine/falco common to its own directory userspace/engine. It's compiled as a static library libfalco_engine.a, and has its own CMakeLists.txt so it can be included by other projects. The engine's CMakeLists.txt has an add_subdirectory for the falco rules directory, so including the engine also builds the rules.
  The variables you need to set to use the engine's CMakeLists.txt are:
  - CMAKE_INSTALL_PREFIX: the root directory below which everything is installed.
  - FALCO_ETC_DIR: where to install the rules file.
  - FALCO_SHARE_DIR: where to install lua code, relative to the install/package root.
  - LUAJIT_INCLUDE: where to find header files for lua.
  - FALCO_SINSP_LIBRARY: the library containing sinsp code. It will be considered a dependency of the engine.
  - LPEG_LIB/LYAML_LIB/LIBYAML_LIB: locations for third-party libraries.
  - FALCO_COMPONENT: if set, will be included as a part of any install() commands.
  Instead of specifying /usr/share/falco in config_falco_*.h.in, use CMAKE_INSTALL_PREFIX and FALCO_SHARE_DIR.
  The lua code for the engine has also moved, so the two lua source directories (userspace/engine/lua and userspace/falco/lua) need to be available separately via falco_common, so make it an argument to falco_common::init.
  As a part of making it easy to include in another project, also clean up LPEG build/defs. Modify build-lpeg to add a PREFIX argument to allow for object files/libraries being in an alternate location, and when building lpeg, put object files in a build/ subdirectory.
- 09405e4 Add configurable event dropping for falco engine.
  Add the ability to drop events at the falco engine level in a way that can scale with the dropping that already occurs at the kernel/inspector level. New inline function should_drop_evt() controls whether or not events are matched against the set of rules, and is controlled by two values--sampling ratio and sampling multiplier.
  Here's how the sampling ratio and multiplier influence whether or not an event is dropped in should_drop_evt(). The intent is that m_sampling_ratio is generally changing external to the engine e.g. in the main inspector class based on how busy the inspector is. A sampling ratio implies no dropping. Values > 1 imply increasing levels of dropping. External to the engine, the sampling ratio results in events being dropped at the kernel/inspector interface.
  The sampling multiplier is an amplification to the sampling factor in m_sampling_ratio. If 0, no additional events are dropped other than those that might be dropped by the kernel/inspector interface. If 1, events that make it past the kernel module are subject to an additional level of dropping at the falco engine, scaling with the sampling ratio in m_sampling_ratio.
  Unlike the dropping that occurs at the kernel level, where the events in the first part of each second are dropped, this dropping is random.
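An added example, not falco's own code and not part of the commit above, of the sampling decision that commit describes: multiplier 0 means the engine never drops (only the kernel/inspector does), multiplier 1 means an additional random drop that scales with the sampling ratio, and a ratio of 1 drops nothing. The class name, the keep probability 1 / (sampling_ratio * sampling_multiplier) and the RNG seed are assumptions made here; the decision takes the random draw as a parameter so the boundary cases can be checked deterministically.

```cpp
#include <cstdint>
#include <cstdio>
#include <random>

// Added example (assumed design, not falco's should_drop_evt()).
// keep probability = 1 / (ratio * multiplier); multiplier 0 or ratio <= 1
// means the engine adds no dropping of its own.
class engine_sampler {
public:
    engine_sampler(uint32_t sampling_ratio, uint32_t sampling_multiplier)
        : m_sampling_ratio(sampling_ratio),
          m_sampling_multiplier(sampling_multiplier) {}

    // Normally changed from outside the engine (e.g. by the inspector as it
    // gets busier), in step with the kernel-level sampling.
    void set_sampling_ratio(uint32_t ratio) { m_sampling_ratio = ratio; }

    // Probability that an event is kept and matched against the rules.
    double keep_probability() const {
        if (m_sampling_multiplier == 0 || m_sampling_ratio <= 1) {
            return 1.0;
        }
        return 1.0 / (double(m_sampling_ratio) * double(m_sampling_multiplier));
    }

    // Pure decision: `coin` is a uniform draw in [0, 1). Kept separate from
    // the RNG so the edge cases above are testable without randomness.
    bool should_drop_evt(double coin) const {
        return coin >= keep_probability();
    }

    // Convenience wrapper that draws its own coin (seeded for repeatability).
    bool should_drop_evt() {
        return should_drop_evt(m_dist(m_rng));
    }

private:
    uint32_t m_sampling_ratio;
    uint32_t m_sampling_multiplier;
    std::mt19937 m_rng{12345};
    std::uniform_real_distribution<double> m_dist{0.0, 1.0};
};

// Fraction of `n` events the engine drops; for large n this approaches
// 1 - keep_probability().
double dropped_fraction(engine_sampler& s, int n) {
    int dropped = 0;
    for (int i = 0; i < n; ++i) {
        if (s.should_drop_evt()) {
            ++dropped;
        }
    }
    return double(dropped) / double(n);
}

int main() {
    engine_sampler s(4, 1);  // ratio 4, multiplier 1: keep about a quarter
    std::printf("dropped fraction: %.3f\n", dropped_fraction(s, 100000));
    return 0;
}
```

With multiplier 1 the engine's own drop rate tracks the kernel-level ratio, so a host that is already shedding three quarters of its syscalls at the driver also sheds three quarters of the survivors before rule matching; set the multiplier to 0 if the rules must see every event that reaches userspace.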
- f174806 Add tests for multiple files, disabled rules.
  Add tests that cover reading from multiple sets of rule files and disabling rules. Specific changes:
  - Modify falco to allow multiple -r arguments to read from multiple files.
  - In the test multiplex file, add a disabled_rules attribute, containing a sequence of rules to disable. Results in -D arguments when running falco.
  - In the test multiplex file, 'rules_file' can be a sequence. It results in multiple -r arguments when running falco.
  - In the test multiplex file, 'detect_level' can be a sequence of multiple severity levels. All levels will be checked for in the output.
  - Move all test rules files to a rules subdirectory and all trace files to a traces subdirectory.
  - Add a small trace file for a simple cat of /dev/null. Used by the new tests.
  - Add the following new tests:
    - Reading from multiple files, with the first file being empty. Ensure that the rules from the second file are properly loaded.
    - Reading from multiple files with the last being empty. Ensures that the empty file doesn't overwrite anything from the first file.
    - Reading from multiple files with varying severity levels for each rule. Ensures that both files are properly read.
    - Disabling rules from a rules file, both with full rule names and regexes. Will result in not detecting anything.
- dcaeebd
- 12391ee Docker 1.12 split docker into docker and dockerd, so add dockerd as a docker binary. Also be consistent about using docker_binaries instead of just references to docker. Also add ldconfig as a program that can write to files below /etc.
- 39ae768 Handle dbus-daemon-launch-helper.
  It starts dbus-daemon. Process names are truncated, though, so use dbus-daemon-lau.
- 2aa8a5c Merge pull request #112 from draios/fix-addl-false-positives
  Eliminate FPs.
Commits on Aug 12, 2016
- 6e1f23b Program/docker image that performs bad activities.
  C++ program that performs bad activities related to the current falco ruleset. There are configurable actions for almost all of the current ruleset, via the --action argument. By default runs in a loop forever. Can be overridden via --once.
  Also add a Dockerfile that compiles event_generator.cpp within an alpine linux image and copies it to /usr/local/bin. This image has been pushed to docker hub as "sysdig/falco-event-generator:latest". Add a Makefile that runs the right docker build command.
- 65f3725 Improve ruleset based on falco event-generator.
  Improve ruleset after using with falco event_generator:
  - Instead of assuming all shells are bash, add a list shell_binaries and macro shell_procs, and replace references to bash with shell_procs. This revealed some other programs that can spawn shells.
  - Add "login" as an interactive command. systemd-login isn't in alpine linux, which is the linux distro used for the container.
  - Move read_sensitive_file_untrusted before read_sensitive_file_trusted_after_startup, so it can hit first.
- 822770a Merge pull request #113 from draios/add-event-simulator
  Add event simulator
Commits on Aug 17, 2016
- 34fcce7 Install falco rules with configurable filename.
  New variable FALCO_RULES_DEST_FILENAME allows the rules file to be installed with a different filename. Not set in the falco repo, but in the agent repo it's installed as falco_rules.default.yaml.
- e717e3e Merge pull request #114 from draios/configurable-rules-filename
  Install falco rules with configurable filename.
Commits on Aug 23, 2016
- 2731fd5 Verifying rule names can have spaces.
  Related to discussion on draios/agent#160, verifying we can have rule names with spaces.
- ceedd77 Change rule names to be human readable.
  Given the prior test, change all rule names to be human readable. This is especially important for the agent integration as they are visible.
- ceee146 Merge pull request #116 from draios/rule-names-with-spaces
  Make rule names human readable
- 3ee1c0f Don't alert on falco program notifications.
  Falco itself spawns a shell when using program notifications, so add falco to the set of trusted programs. (Also add some other programs like make, awk, configure, that are run while building).
- 23a9b6e Fix output methods that take configurations.
  The falco engine changes broke the output methods that take configuration (like the filename for file output, or the program for program output). Fix that by properly passing the options argument to each method's output function.
- ef52e62 Add regression tests for configurable outputs.
  - In the regression tests, make the config file configurable in the multiplex file via 'conf_file'.
  - A new multiplex file item 'outputs' containing a list of <filename>: <regex> tuples. For each item, the test reads the file and matches each line against the regex. A match must be found for the test to pass.
  - Add 2 new tests that test file output and program output. They write to files below /tmp/falco_outputs/ and the contents are checked to ensure that alerts are written.
Commits on Aug 24, 2016
- 08c3bef
Commits on Sep 3, 2016
- f974922 Support enabled flag for rules.
  If a rule has an enabled attribute, and if the value is false, call the engine's enable_rule() method to disable the rule. Like add_filter, there's a static method which takes the object as the first argument and a non-static method that calls the engine. This fixes #72.
- 5644919 New test case disables a rule that would otherwise match.
Commits on Sep 7, 2016
- fbcddba
Commits on Sep 8, 2016
- 33b9ef5 Include condition in compilation errors.
  When a macro/rule condition can't be compiled, include the condition in the error message.
Commits on Sep 9, 2016
- f632fa6 Parser changes to support new sysdig features
  Support "glob" as an operator and allow pathnames to be the index into bracketed selectors of fields.
- 23e3e99 New rules related to containers.
  New rule 'File Open by Privileged Container' triggers when a container that is running privileged opens a file. New rule 'Sensitive Mount by Container' triggers when a container that has a sensitive mount opens a file. Currently, a sensitive mount is a mount of /proc. This depends on draios/sysdig#655.
Commits on Sep 12, 2016
- 6e9241a Merge pull request #120 from draios/addl-container-rules
  Addl container rules
Commits on Sep 14, 2016
- 164d501 Reduce FPs related to Kubernetes.
  The new privileged falco rule was noisy when running kubernetes, which can run privileged. Add it to the trusted_containers list. Also eliminate a couple spurious warnings related to spawning shells in containers.
Commits on Sep 15, 2016
- 889b252 Merge pull request #121 from draios/improve-docker-rules
  Reduce FPs related to Kubernetes.
Commits on Sep 22, 2016
- 930b38b Make changes to the lua-specific rule parser/compiler to handle the pmatch operator.
Commits on Sep 23, 2016
- 9a5e08d Need to pop the results of process_event so the stack doesn't grow without bound.
- 08d204d
Commits on Sep 30, 2016
- 4354043 Install gcc-4.9 from Debian Jessie repositories
  As Luca did for the agent, install gcc 4.9 from the Debian Jessie repository, as it has been removed from unstable.
- 82597c9 Merge pull request #124 from draios/fix-docker-gcc
  Install gcc-4.9 from Debian Jessie repositories
Commits on Oct 3, 2016
- 5008003 Merge pull request #125 from draios/add-pmatch
  Add the new pmatch operator.
Commits on Oct 7, 2016
- 644f017 Add license comments to all source code.
  Add comment blocks to all source code w/ our gpl copyright notice.
- 1447894 Merge pull request #126 from draios/add-licenses
  Add license comments to all source code.
Commits on Oct 13, 2016
- 8290335 Add exfiltration action, env-specified actions.
  Add an exfiltration action that reads /etc/shadow and sends the contents to an arbitrary ip address and port via a udp datagram.
  Add the ability to specify actions via the environment instead of the command line. If actions are specified via the environment, they replace any actions specified on the command line.
- f6720d3 Add jq to the docker image containing falco. jq is very handy for transforming json, which comes into play if you want to post to slack (or other) webhooks.
- 2044091 Add notes on how to post to slack webhooks.
  Add comments for program_output that show how to post to a slack webhook and an alternate logging method--came up in one of the github issues.
- 1a78e45 Merge pull request #132 from draios/event-generator-env
  Add exfiltration action, env-specified actions.
- 7e60b4b
- 3bb84f5 Alphabetize command line options.
  There are a lot of command line options now, so sort them alphabetically in the usage and getopt handling to make them easier to find. Also rename -p <pidfile> to -P <pidfile>, thinking ahead to the next commit.
- 880c396 Add k8s/mesos/container info to rule outputs
  Copy handling of -pk/-pm/-pc/-k/-m arguments from sysdig. All of the relevant code was already in the inspector so that was easy.
  The information from k8s/mesos/containers is used in two ways:
  - In rule outputs, if the format string contains %container.info, that is replaced with the value from -pk/-pm/-pc, if one of those options was provided. If no option was provided, %container.info is replaced with a generic %container.name (id=%container.id) instead.
  - If the format string does not contain %container.info, and one of -pk/-pm/-pc was provided, that is added to the end of the formatting string.
  - If -p was specified with a general value (i.e. not kubernetes/mesos/container), the value is simply added to the end and any %container.info is replaced with the generic value.
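An added example, not the commit's code, that applies the three substitution rules listed above to a rule's output string. The print_opt enum, the function name and the single space used when appending the extra value are assumptions made here; the generic replacement text is the one the commit message gives.

```cpp
#include <string>

// Added example (assumed design, not falco's output rewriting).
// Models which -p option the user gave:
//   none      : no -p option at all
//   container : -pk / -pm / -pc, `value` carries that option's format fragment
//   general   : -p <fmt> with a general value, `value` carries <fmt>
enum class print_opt { none, container, general };

// Generic fallback named in the commit message for when no -pk/-pm/-pc is set.
static const std::string generic_container_info =
    "%container.name (id=%container.id)";

std::string apply_container_info(const std::string& output,
                                 print_opt kind,
                                 const std::string& value)
{
    static const std::string token = "%container.info";
    std::string result = output;

    // -pk/-pm/-pc supply the replacement; everything else gets the generic text.
    const std::string& replacement =
        (kind == print_opt::container) ? value : generic_container_info;

    size_t pos = result.find(token);
    if (pos != std::string::npos) {
        // Replace every %container.info, resuming the search after each
        // replacement so replacement text is never re-scanned.
        while (pos != std::string::npos) {
            result.replace(pos, token.size(), replacement);
            pos = result.find(token, pos + replacement.size());
        }
        // A general -p value is appended even when the token was present.
        if (kind == print_opt::general) {
            result += " " + value;   // separator is an assumption
        }
        return result;
    }

    // No %container.info in the format: append whatever -p supplied, if anything.
    if (kind != print_opt::none) {
        result += " " + value;       // separator is an assumption
    }
    return result;
}
```

Because the rewriting is done once per rule when the rule is loaded rather than per alert, a mistyped field in a -pk/-pm/-pc fragment surfaces at startup rather than in the middle of a run.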
- 1f7c711 Merge pull request #134 from draios/add-k8s-mesos-support
  Add k8s/mesos/container info to rule outputs.
Commits on Oct 14, 2016
- f761ddf Fix logic for detecting conf files.
  The logic for detecting if a file exists was backwards. It would treat a file as existing if it could *not* be opened. Reverse that logic so it works. This fixes #135.
- e543fbf Allow falco to spawn shells in containers.
  Falco is allowed to spawn shells in containers as a part of its program output method.
Commits on Oct 21, 2016
- faef562 Add k8s binaries as trusted programs
  Add a new list k8s_binaries and allow those binaries to do things like setns/spawn shells. It's not the case that all of these binaries actually do these things, but keeping it as a single list makes management easier.
Commits on Oct 24, 2016
- e0e640c Add ability to write trace files.
  Bring over functionality from sysdig to write trace files. This is easy as all of the code to actually write the files is in the inspector. This just handles the -w option and arguments. This can be useful to write a trace file in parallel with live event monitoring so you can reproduce it later.
- 0211a94 Add stats on events processed/dropped.
  Collect stats on the number of events processed and dropped. When run with -v, print these stats. This duplicates sysdig behavior and can be useful when diagnosing problems related to dropped events throwing off internal state tracking.
- f98ec60 Make sure falco doesn't detect the things draios-agent does as suspicious. It's possible that you might run open source falco alongside sysdig cloud. App checks spawned by sysdig cloud binaries might also change namespace, so also allow children of sysdigcloud binaries to call setns.
Commits on Oct 25, 2016
- 8a2924a CHANGELOG for release notes, README to update version.
Commits on Nov 2, 2016
- b1ad9e6 Added envvar SYSDIG_SKIP_LOAD to Dockerfile to skip kernel module manipulation
  This helps when running on a system which has the module loaded, but getting access to the module file is hard for some reason. Since I know that the right version of the module is loaded I just want falco to connect.
  I tested this with this run command:
  docker run -e SYSDIG_SKIP_LOAD=1 -it -v /dev:/host/dev -v /proc:/host/proc --privileged falco
  And it successfully connected to Sysdig and started printing out warnings for my system.
  falco-CLA-1.0-signed-off-by: Carl Sverre [email protected]
Commits on Nov 10, 2016
- f95a0ea Honor USE_BUNDLED_DEPS option for third-party libs
  Honor a USE_BUNDLED_DEPS option for third-party libraries which can be applied globally. There are also USE_BUNDLED_XXX options that can be used individually for each library.
  Verified that this works by first building with USE_BUNDLED_DEPS=ON (the default), installing external packages ncurses-dev libssl-dev libcurl4-openssl-dev so CMake's find_package could use them, modifying the CMakeLists.txt to add "PATHS ${PROJECT_BINARY_DIR}/..." options to each find_path()/find_library() command to point to the previously installed third party libraries. It found them as expected.
  The sysdig fix in draios/sysdig#672 forced this change, but it does also happen to fix a falco feature request #144.
- 8b18315 Fully specify FALCO_SHARE_DIR.
  Instead of having FALCO_SHARE_DIR be a relative path, fully specify it by prepending CMAKE_INSTALL_PREFIX in the top level CMakeLists.txt and don't prepend CMAKE_INSTALL_PREFIX in config_falco_engine.h.in. This makes it consistent with its use in the agent.
Commits on Nov 28, 2016
- 9ca8ed9 Improve error messages when loading rules.
  Related to the changes in draios/agent#267, improve error messages when trying to load sets of rules with errors:
  - Check that yaml parsing of rules_content actually resulted in something.
  - Return an error for rules that have an empty name.
  - Return an error for yaml objects that aren't a rule/macro/list.
  - When compiling, don't print an error message, simply return one, including a wrapper "can not compile ..." string.
- 704eb57 Allow run_performance_tests to run test_mm.
  Make necessary changes to allow run_performance_tests to invoke the 'test_mm' program we use internally. Also add ability to run with a build directory separate from the source directory and to specify an alternate rules file. Finally, set up the kubernetes demo using sudo, a result of recent changes.
Commits on Dec 1, 2016
- 2961eb4 Move container.info handling to falco engine.
  container.info handling used to be handled by the falco_outputs object. However, this caused problems for applications that only used the falco engine, doing their own output formatting for matching events. Fix this by moving output formatting into the falco engine itself. The part that replaces %container.info/adds extra formatting to the end of a rule's output now happens while loading the rule.
- 064b39f Validate rule outputs when loading rules.
  Validate rule outputs when loading rules by attempting to create a formatter based on the rule's output field. If there's an error, it will propagate up through load_rules and cause falco to exit rather than discover the problem only when trying to format the event and the rule's output field. This required moving formats.{cpp,h} into the falco engine directory from the falco general directory. Note that these functions are loaded twice in the two lua states used by falco (engine and outputs).
  There's also a couple of minor cleanups:
  - falco_formats had a private instance variable that was unused, remove it.
  - rename the package for the falco_formats functions to formats instead of falco so it's more standalone.
  - don't throw a c++ exception in falco_formats::formatter. Instead generate a lua error, which is handled more cleanly.
  - free_formatter doesn't return any values, so set the return value of the function to 0.
Add unit test for rule with invalid output.
Add the ability to check falco's return code with exit_status and to generally match stderr with stderr_contains in a test. Use those to create a test that has an invalid output expression using %not_a_real_field. It expects falco to exit with 1 and the output to contain a message about the invalid output.
Commit: ded3ee5
Prevent rule_result from leaking on error.
Change falco_engine::process_event to return a unique_ptr that wraps the rule result, so it won't be leaked if this method throws an exception. This means that callers don't need to create their own.
Commit: b3c691e
Commits on Dec 2, 2016
Adding DNF as non-alerting for RPM and package management
falco-CLA-1.0-signed-off-by: Daniel Cross <[email protected]>
Commit: a8662c6
Merge pull request #153 from djcross/dnf
Adding DNF as non-alerting for RPM and package management
Commit: 2855895
Push formatter on lua stack only if it does not throw exceptions
Luca Marturana committed Dec 2, 2016
Commit: 212fd93
Commits on Dec 6, 2016
Add ability to write capture stats to a file.
With -s, periodically fetch capture stats from the inspector and write them to the provided file. Separate class StatsFileWriter handles the details. It does rely on a timer + SIGALRM handler so you can only practically create a single object, but it does keep the code/state separate. The output format has a sample number, the set of current stats, a delta with the difference from the prior sample, and the percentage of events dropped during that sample.
Commit: d1d0dbd
Add ability to write "extra" stuff to stats file.
When run via scripts like run_performance_tests.sh, it's useful to include extra info like the test being run and the specific program variant in the stats file. So support that via the environment. Environment keys starting with FALCO_STATS_EXTRA_XXX will have the XXX and environment value added to the stats file. It's undocumented as I doubt other programs will need this functionality and it keeps the docs simpler.
Commit: 47bd6af
Modify plotting script to handle drop stats.
New argument --metric, which can be cpu|drops, controls whether to graph cpu usage or event drop percentage. Titles/axis labels/etc. change appropriately.
Commit: 8e2a3ef
Commits on Dec 7, 2016
Instead of creating a formatter for each event, cache them and create them only when needed. A new function output_cleanup cleans up the cached formatters, and is called in the destructor if init() was called.
Commit: a616301
Commits on Dec 8, 2016
Previously, log messages had levels, but it only influenced the level argument passed to syslog(). Now, add the ability to control log level from falco itself. New falco.yaml argument "log_level" can be one of the strings corresponding to the well-known syslog levels, which is converted to a syslog-style level as integer. In falco_logger::log(), skip messages below the specified level.
Commit: ef08478
Make google_containers/kube-proxy a trusted image.
Add google_containers/kube-proxy as a trusted image (can be run privileged, can mount sensitive filesystems). While our k8s deployments run kube-proxy via the hyperkube image, evidently it's sometimes run via its own image. This is one of the fixes for #156. Also update the output message for this rule.
Commit: af8d6c9
The second argument to handle_event is actually a rule name, but the variable was a misleading "level". Fix.
Commit: b509c4f
Add rate-limiting for notifications
Add token-bucket based rate limiting for falco notifications. The token bucket is implemented in token_bucket.cpp (actually in the engine directory, just to make it easier to include in other programs). It maintains a current count of tokens (i.e. right to send a notification). Its main method is claim(), which attempts to claim a token and returns true if one was claimed successfully. It has a configurable max burst size and rate. The token bucket gains "rate" tokens per second, up to a maximum of max_burst tokens. These parameters are configurable in falco.yaml via the config options (defaults shown):

outputs:
  rate: 1
  max_burst: 1000

In falco_outputs::handle_event(), try to claim a token, and if unsuccessful log a debug message and return immediately.
Commit: 54b30bc
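The token bucket described in the commit above, as an added illustration (this is not Falco's token_bucket.cpp): the bucket starts full, regains rate tokens per second up to max_burst, and each alert claims one token before it is delivered. The clock is passed in explicitly as nanoseconds so the behaviour is reproducible; the timestamps, rate and burst size below are constructed values, and deliver_alerts() stands in for the check in falco_outputs::handle_event().

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Added illustration of the token-bucket limiter; not Falco's own class.
class token_bucket {
public:
    // rate: tokens regained per second; max_burst: ceiling on stored tokens.
    // The bucket starts full, so an initial burst of max_burst alerts passes.
    token_bucket(double rate, double max_burst, uint64_t now_ns)
        : m_rate(rate), m_max_burst(max_burst),
          m_tokens(max_burst), m_last_ns(now_ns) {}

    // Try to claim one token at time now_ns. Returns true if a token was
    // available (the notification may be sent), false if rate-limited.
    bool claim(uint64_t now_ns)
    {
        refill(now_ns);
        if (m_tokens >= 1.0) {
            m_tokens -= 1.0;
            return true;
        }
        return false;
    }

    double tokens() const { return m_tokens; }

private:
    // Credit rate tokens per elapsed second, capped at max_burst.
    void refill(uint64_t now_ns)
    {
        if (now_ns > m_last_ns) {
            double elapsed_s = static_cast<double>(now_ns - m_last_ns) / 1e9;
            m_tokens = std::min(m_max_burst, m_tokens + elapsed_s * m_rate);
            m_last_ns = now_ns;
        }
    }

    double m_rate;
    double m_max_burst;
    double m_tokens;
    uint64_t m_last_ns;
};

struct limiter_stats {
    size_t sent = 0;
    size_t suppressed = 0;
};

// Mirrors the check in falco_outputs::handle_event(): every alert claims a
// token; alerts that fail the claim are suppressed (Falco logs a debug
// message there) instead of being written to the output channels.
limiter_stats deliver_alerts(token_bucket& tb,
                             const std::vector<uint64_t>& alert_times_ns)
{
    limiter_stats st;
    for (uint64_t t : alert_times_ns) {
        if (tb.claim(t)) {
            ++st.sent;        // would be formatted and sent to outputs
        } else {
            ++st.suppressed;  // rate limit hit: debug log, return early
        }
    }
    return st;
}

// Constructed scenario: 50 alerts within one millisecond (an alert storm),
// then 8 more alerts after five quiet seconds. A small max_burst is used so
// the limiting is visible; Falco's default is rate 1, max_burst 1000.
limiter_stats example_burst()
{
    const uint64_t t0 = 1500000000000000000ULL;  // constructed epoch ns
    token_bucket tb(1.0 /* rate */, 10.0 /* max_burst */, t0);
    std::vector<uint64_t> times;
    for (int i = 0; i < 50; ++i) {
        times.push_back(t0 + static_cast<uint64_t>(i) * 20000ULL);  // 20 us apart
    }
    // Five seconds of silence regain five tokens (rate 1/s), so only five
    // of the following eight alerts get through.
    for (int i = 0; i < 8; ++i) {
        times.push_back(t0 + 5000000000ULL + static_cast<uint64_t>(i) * 1000000ULL);
    }
    return deliver_alerts(tb, times);  // sent 15, suppressed 43
}
```

The storm passes exactly max_burst alerts (10) and drops the other 40; after the quiet period the bucket holds about five tokens, so five of the eight late alerts are sent. With the defaults shown in the commit (rate 1, max_burst 1000) a burst of up to a thousand notifications is delivered before limiting starts, and sustained output settles at one notification per second.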
Use sinsp utils version of get time.
sinsp_utils::get_current_time_ns() has the same purpose as get_epoch_ns(), and now that we're including the token bucket in falco_engine, it's easy to package the dependency. So use that function instead.
Commit: 4f645c4
Commits on Dec 14, 2016
Add fail2ban-server as spawn shell trusted binary
fail2ban spawns a shell to adjust iptables in order to ban/unban IP addresses.
Commit: bed5ab4
Commits on Dec 15, 2016
Merge pull request #163 from jcoetzee/dev
Add fail2ban-server as spawn shell trusted binary
Commit: f4abec4
Commit: 39e9043
Merge pull request #164 from draios/revert-163-dev
Revert "Add fail2ban-server as spawn shell trusted binary"
Commit: 09a9ab4
Commits on Dec 16, 2016
Add fail2ban-server as trusted binary
fail2ban spawns shells to modify iptables
falco-CLA-1.0-signed-off-by: Jonathan Coetzee <[email protected]>
Commit: 2bad529
SSH'ing into an Ubuntu 16.04 box triggers a bunch of "Sensitive file opened for reading by non-trusted program" errors caused by systemd
falco-CLA-1.0-signed-off-by: Jonathan Coetzee [email protected]
Commit: 64ecd15
Merge pull request #168 from jcoetzee/fail2ban
Add fail2ban-server as trusted binary
Commit: 8aa9c21
Merge pull request #169 from jcoetzee/systemd
Add systemd as a login binary
Commit: 1d0c9b1
Commits on Dec 28, 2016
Add confd/fleetctl as acceptable programs.
Add confd as a program that can write files below /etc and fleetctl as a program that can spawn shells.
Commit: 3cbf641
Commits on Dec 29, 2016
Add ability to clear loaded rules.
Add the ability to clear the set of loaded rules from lua. It simply recreates the sinsp_evttype_filter instance m_evttype_filter, which is now a unique_ptr.
Commit: 767f2d5
Allow any macro/list/rule to be overridden
Allow any list/macro/rule to be overridden by a subsequent file. The persistent state that lives across invocations of load_rules consists of the 3 arrays ordered_{list,macro,rule}_names, which have the lists/macros/rules in the order in which they first appear, and the tables {rules,macros,lists}_by_name, which map from a name to a yaml object. With each call to load_rules, the set of loaded rules is reset and the state of expanded lists, compiled macros, compiled rules, and rule metadata are recreated from scratch, using the ordered_*_names arrays and *_by_name tables. That way, any list/macro/rule can be redefined in a subsequent file with new values.
Commit: 7c419b6
tests for overriding rules/macros/lists
New tests that test every possible override:
- Overriding a rule with one that doesn't match
- Overriding a macro to one that doesn't match
- Overriding a top level list to a binary that doesn't match
- Overriding an embedded list to one that doesn't match
In each case, the override results in no longer matching an open by the program "cat".
Commit: 9ecdf30
Commits on Dec 30, 2016
Add cchh/sysdig as a trusted container.
Add cchh/sysdig as a trusted container. We'll probably remove this once the next agent release occurs that has the fix #177. Also reformat to avoid long lines.
Commit: 77a5429
Commits on Jan 3, 2017
Prefix outputs with * within the engine.
Prefix output strings with * so they are always permissive in the engine. In falco outputs, which adds its own prefix, remove any leading * before adding the custom prefix.
Commit: 362a6b7
Add test for truncated outputs.
Add a test that specifically tests truncated outputs. A rule contains an output field %fd.cport which has no value for an open event. Ensure that the rule's output has <NA> for the cport and the remainder of the rule's output is filled in.
Commit: f4bb49f
Commits on Jan 4, 2017
Luca Marturana committed Jan 4, 2017
Commit: af3a708
Commits on Jan 12, 2017
Add exechealthz as a k8s binary.
For customers who use https://github.com/kubernetes/contrib/tree/master/exec-healthz to perform liveness checking, exechealthz will spawn shells in a container. Add it to the k8s_binaries list.
Commit: 43d53bb
Commits on Jan 17, 2017
Merge branch 'agent-master' into dev
agent-master went out of sync, probably some rebase/force push happened on dev. Used `git merge -s ours agent-master` here to put all the commits of agent-master on dev while ignoring anything from agent-master. So now we can merge from dev to agent-master with fast forward and no conflicts.
Luca Marturana committed Jan 17, 2017
Commit: 4139370
Avoid FPs resulting from ubuntu weekly cron jobs
Feedback from a falco user:
--
to more findings from last night:
logrotate cronjob (Debian default):
Shell spawned by untrusted binary (user=root shell=sh parent=logrotate cmdline=sh -c invoke-rc.d rsyslog rotate > /dev/null logrotate_script /var/log/syslog)
passwd cronjob (Debian default):
Sensitive file opened for reading by non-trusted program (user=root name=cmp command=cmp -s shadow.bak /etc/shadow file=/etc/shadow)
--
New macro cmp_cp_by_passwd allows cmp/cp to be run by passwd to examine sensitive files. Add logrotate as a program that can spawn a shell. Also do some cleanups, moving items to lists and splitting long single-line conditions into multiple lines.
Commit: 85480f3
This fixes a set of ~25 security vulnerabilities.
Commit: 4c60b7c
This fixes a set of ~10 security vulnerabilities.
Commit: 7286b50
Patch jq 1.5 with a fix for security vulns.
After downloading jq 1.5, apply the changes in jqlang/jq@8eb1367 by downloading the commit as a patch and applying it. This fixes CVE-2015-8863.
Commit: 8f53bcb
Add a local dockerfile variant.
Add a local dockerfile variant that allows creating an image from a local .deb package.
Commit: 10d0c8f
Commits on Jan 19, 2017
Allow shells spawned by ansible.
Changes to allow shells spawned by ansible. In general this is actually pretty difficult--on the remote managed machine, ansible performs actions simply by running python over ssh without any explicit ansible helper or command line. One (weak) hint is that the python scripts being run are usually under a directory with ansible in the name. So use that as the basis for a macro ansible_running_python. In turn, that macro is used as a negative condition for the run shell untrusted rule. This is a pretty fragile and easily exploited condition, so add a note to the macro saying so.
Commit: bc83ac1
Commits on Jan 25, 2017
Several changes to reduce spurious alerts when managing machines via ansible:
- Add ansible_running_python (that is, ansible-spawned python scripts) as scripts that can read sensitive files and write below /etc. Notably this is the user ansible module.
- Also add comments to ansible_running_python suggesting users make it more strict by specifically naming the root directory for ansible scripts.
- Add pypy as a python variant that can run ansible-related scripts.
Also other changes to reduce FPs:
- add apt-add-reposit, apt-auto-remova (truncation intentional), apt-get, apt, apt-key as package management programs, and add package management binaries to the set of shell spawners. The overlapping binaries that were in known_shell_spawn_binaries were removed.
- add passwd_binaries, gpg, insserv, apparmor_parser, update-mime, tzdata.{config,postinst}, systemd-machine, and debconf-show to the set of binaries that can write below /etc.
- Add vsftpd as a program that can read sensitive files.
- Add additional programs (incl. python support programs like pip, pycompile) as ones that can spawn shells.
- Allow privileged containers to spawn shells.
- Break out the set of files below /dev that are written to with O_CREAT into a separate list, and add /dev/random,urandom,console to the list.
- Add python running denyhosts as a program that can write below /etc.
- Also add binaries starting with linux-image- as ones that can spawn shells. These are perl scripts run as a part of installing linux-image-N.N packages.
Commit: 34e17cb
Commits on Jan 26, 2017
Set -DNDEBUG for travis debug builds.
Within the sysdig code there are several ASSERTS() that can occur for error paths that aren't truly critical, such as:

17:33:52 DEBUG| [stderr] falco: /home/travis/build/draios/sysdig/userspace/libsinsp/parsers.cpp:1657: static void sinsp_parser::parse_openat_dir(sinsp_evt*, char*, int64_t, std::string*): Assertion `false' failed.

Looking at the code, it's not a truly fatal error, just an inability to find fd information:

----
if(evt->m_fdinfo == NULL)
{
    ASSERT(false);
    *sdir = "<UNKNOWN>";
}
----

When running regression tests in travis, we don't want these ASSERTs to cause falco to exit. To allow this, in CMakeLists.txt only set DRAIOS_DEBUG_FLAGS if it wasn't already set, and in travis's cmake, add -DNDEBUG to DRAIOS_DEBUG_FLAGS.
Commit: 9285aa5
Merge pull request #199 from draios/no-assert-travis-debug
Set -DNDEBUG for travis debug builds.
Commit: ceafeca
Commits on Jan 27, 2017
We had added this image while the changes in #177 made it to everyone. This is in a release now, so we'll remove it from the rule set.
Commit: e21fecf
Commit: b04bccd
- Add a second possible location for denyhosts
- Add PM2 (http://pm2.keymetrics.io/) as a shell spawner.
- There was a bug in use of ansible_running_python. We actually need two variants depending on whether ansible is the parent or current process. parent_ansble_running_python is used for Run shell untrusted, ansible_running_python is used for other rules.
Commit: 3f28142
Merge pull request #202 from draios/more-spurious-alerts
Address more spurious alerts
Commit: c09b639
Commits on Jan 31, 2017
Commit: 6f9f1e4
Merge pull request #204 from draios/cmake-dependencies
CMakeLists: add dependencies to lyaml project (fix #130)
Commit: 511d099
Commits on Feb 1, 2017
Small changes to improve the use of falco_event_generator with falco:
- In event_generator, some actions like exec_ls won't trigger notifications on their own. So exclude them from -a all.
- For all actions, print details on what the action will do.
- For actions that won't result in a falco notification in containers, note that in the output.
- The short version of --once wasn't working, fix the getopt.
- Explicitly saying -a all wasn't working, fix.
- Don't rely on an external ruleset in the nodejs docker-compose demo--the built in rules are sufficient now.
Commit: 6356490
Ensure falco-event-generator actions are detected.
A new trace file falco-event-generator.scap contains the result of running the falco event generator in docker, via:

docker run --security-opt seccomp=unconfined sysdig/falco-event-generator:latest /usr/local/bin/event_generator --once

Make sure this trace file detects the exact set of events we expect for each rule. This required adding a new verification method check_detections_by_rule that finds the per-rule counts and compares them to the expected counts, which are included in the test description under the key "detect_counts". This is the first time a trace file for a test is actually in one of the downloaded zip files. This means it will be tested twice (one for simple detect-or-not, once for actual counts). Adding this test showed a problem with Run shell in container rule--since sysdig/falco-event-generator startswith sysdig/falco, it was being treated as a trusted container. Modify the macro trusted_containers to not allow falco-event-generator to be trusted.
Commit: e0a5034
Commits on Feb 2, 2017
Commit: 1afbaba
Rule updates related to other security products
This is a rework of a PR made by @juju4 that had a bunch of additions related to running other security/monitoring products, including aide, bro, icinga2, nagios, ansible, etc. This overlapped a lot with changes I had been making to reduce noisiness, so rather than have @juju4 deal with the conflicts I took the changes and made a separate commit with the non-conflicting additions. A summary of the changes:
- Add docker-compose as a docker binary.
- Add showq/critical-stack as setuid binaries.
- Add lxd binaries
- Add some additional package management binaries.
- Add support for host intrusion detection systems like aide.
- Add support for network intrusion detection systems like bro.
- Add support for monitoring systems like nagios, icinga2, npcd.
- Other one-off additions to other lists of mail/etc programs.
Commit: b9d0857
Merge pull request #200 from draios/ndis-hids-etc-rule-updates
Rule updates related to other security products
Commit: 3d5789a
Commits on Feb 4, 2017
Commit: 1e205db
Commits on Feb 6, 2017
Additional changes to reduce FPs.
- Add flanneld as a privileged container.
- Add parentheses grouping around many of the "x running y" containers. I haven't found this strictly necessary with their current use in rules, but this ensures they will be isolated when used.
- Allow denyhosts to spawn shells--it runs iptables to add/remove hosts from its deny list.
Commit: 8a1f62c
Commits on Feb 7, 2017
Merge pull request #207 from draios/address-addl-falco-fps
Additional changes to reduce FPs.
Commit: df08a80
Commits on Feb 8, 2017
Add support for tagging rules.
- in lua, look for a tags attribute to each rule. This is passed up in add_filter as a tags argument (as a lua table). If not present, an empty table is used. The tags table is iterated to populate a set of tags as strings, which is passed to add_filter().
- A new method falco_engine::enable_rule_by_tag is similar to enable_rule(), but is given a set of tag strings. Any rules containing one of the tags is enabled/disabled.
- The list of event types has been changed to a set to more accurately reflect its purpose.
- New argument to falco -T allows disabling all rules matching a given tag, via enable_rule_by_tag(). It can be provided multiple times.
- New argument to falco -t allows running those rules matching a given tag. If provided all rules are first disabled. It can be provided multiple times, but can not be combined with -T or -D (disable rules by name)
- falco_engine supports the notion of a ruleset. The idea is that you can choose a set of rules that are enabled/disabled by using enable_rule()/enable_rule_by_tag() in combination with a ruleset. Later, in process_event() you include that ruleset and the rules you had previously enabled will be run.
- rulesets are provided as strings in enable_rule()/enable_rule_by_tag() and as numbers in process_event()--this avoids the overhead of string lookups per-event. Ruleset ids are created on the fly as needed. A utility method find_ruleset_id() looks up the ruleset id for a given name. The default ruleset is NULL string/0 numeric if not provided.
- Although the ruleset is a useful falco engine feature, it isn't that important to the falco standalone program, so it's not documented. However, you can change the ruleset by providing FALCO_RULESET in the environment.
Commit: a0a6914
Add automated tests for tagged rules
Add automated tests that verify the ability to tag sets of rules, disable them with -T, and run them with -t, works:
- New test option disable_tags adds -T <tag> arguments to the falco command line, and run_tags adds -t <tag> arguments to the falco command line.
- A new trace file open-multiple-files.scap opens 13 different files, and a new rules file has 13 different rules with all combinations of the tags a, b, c (both forward and backward), a rule with an empty list of tags, a rule with no tags field, and a rule with a completely different tag d.
Using the above, add tests for:
- Both disabling all combinations of a, b, c using disable_tags as well as run all combinations of a, b, c, using run_tags.
- Specifying both disabled (-T/-D) and enabled (-t) rules. Not allowed.
- Specifying a ruleset while having tagged rules enabled, rules based on a name disabled, and no particular rules enabled or disabled.
Commit: 88faa7c
Tag the existing ruleset to group tags in a meaningful way. The added tags are:
- filesystem: the rule relates to reading/writing files
- sofware_mgmt: the rule relates to any software/package management tool like rpm, dpkg, etc.
- process: the rule relates to starting a new process or changing the state of a current process.
- database: the rule relates to databases
- host: the rule *only* works outside of containers
- shell: the rule specifically relates to starting shells
- container: the rule *only* works inside containers
- cis: the rule is related to the CIS Docker benchmark.
- users: the rule relates to management of users or changing the identity of a running process.
- network: the rule relates to network activity
Rules can have multiple tags if they relate to multiple of the above. Rules do not have to have tags, although all the current rules do.
Commit: 0a69fc0
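A model of the tag and ruleset mechanism described in the three tagging commits above, added here as an illustration (it is not falco_engine code): rules carry a set of tags, enable_rule() matches a name pattern, enable_rule_by_tag() matches any of a set of tags, ruleset names are mapped to numeric ids on first use, and the command-line policy (-t first disables everything and then enables the tagged rules, -T and -D only disable, -t cannot be combined with either) is applied on top. The rule names and the tag assignments are constructed using the tag vocabulary from the last commit; rule conditions are left out, so rules_to_run() reports which rules process_event() would evaluate rather than which ones match.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <vector>

// Added model of tagged rules and rulesets; not Falco's own engine code.
struct tagged_rule {
    std::string name;
    std::set<std::string> tags;
};

class rule_engine {
public:
    static const std::string s_default_ruleset;  // empty name, as in the commit

    void add_rule(const std::string& name, const std::set<std::string>& tags) {
        m_rules.push_back({name, tags});
    }

    // Ruleset ids are allocated on first use so that the per-event path can
    // take a number instead of doing a string lookup for every event.
    uint16_t find_ruleset_id(const std::string& ruleset) {
        auto it = m_ruleset_ids.find(ruleset);
        if (it != m_ruleset_ids.end()) return it->second;
        uint16_t id = static_cast<uint16_t>(m_ruleset_ids.size());
        m_ruleset_ids[ruleset] = id;
        return id;
    }

    // enable_rule(): rules whose name contains pattern (empty = every rule).
    void enable_rule(const std::string& pattern, bool enabled,
                     const std::string& ruleset = s_default_ruleset) {
        uint16_t id = find_ruleset_id(ruleset);
        for (const auto& r : m_rules)
            if (pattern.empty() || r.name.find(pattern) != std::string::npos)
                set_enabled(id, r.name, enabled);
    }

    // enable_rule_by_tag(): rules carrying at least one of the given tags.
    void enable_rule_by_tag(const std::set<std::string>& tags, bool enabled,
                            const std::string& ruleset = s_default_ruleset) {
        uint16_t id = find_ruleset_id(ruleset);
        for (const auto& r : m_rules)
            for (const auto& t : tags)
                if (r.tags.count(t)) { set_enabled(id, r.name, enabled); break; }
    }

    // Stand-in for process_event(): the rules that would be evaluated for an
    // event under the numeric ruleset id, in load order.
    std::vector<std::string> rules_to_run(uint16_t ruleset_id) const {
        std::vector<std::string> out;
        auto it = m_enabled.find(ruleset_id);
        for (const auto& r : m_rules)
            if (it != m_enabled.end() && it->second.count(r.name)) out.push_back(r.name);
        return out;
    }

private:
    void set_enabled(uint16_t id, const std::string& rule, bool enabled) {
        if (enabled) m_enabled[id].insert(rule); else m_enabled[id].erase(rule);
    }
    std::vector<tagged_rule> m_rules;
    std::map<std::string, uint16_t> m_ruleset_ids;
    std::map<uint16_t, std::set<std::string>> m_enabled;
};
const std::string rule_engine::s_default_ruleset = "";

// Command-line policy from the commit: -t (run_tags) disables all rules and
// then enables the tagged ones; -T (disable_tags) and -D (disable_names)
// only disable. -t may not be combined with -T or -D: returns false then.
bool apply_cli_options(rule_engine& eng,
                       const std::set<std::string>& run_tags,
                       const std::set<std::string>& disable_tags,
                       const std::vector<std::string>& disable_names) {
    if (!run_tags.empty() && (!disable_tags.empty() || !disable_names.empty()))
        return false;
    eng.enable_rule("", true);  // loaded rules start out enabled
    if (!run_tags.empty()) {
        eng.enable_rule("", false);
        eng.enable_rule_by_tag(run_tags, true);
    }
    if (!disable_tags.empty()) eng.enable_rule_by_tag(disable_tags, false);
    for (const auto& n : disable_names) eng.enable_rule(n, false);
    return true;
}

// Constructed rules using the tag names from the tagging commit.
rule_engine sample_engine() {
    rule_engine eng;
    eng.add_rule("Write below etc",        {"filesystem", "host"});
    eng.add_rule("Run shell untrusted",    {"shell", "process", "host"});
    eng.add_rule("Run shell in container", {"shell", "process", "container"});
    eng.add_rule("Untagged rule",          {});
    return eng;
}

// Rules that would run under the default ruleset for the given options;
// a single "<conflict>" entry marks the disallowed -t with -T/-D combination.
std::vector<std::string> rules_for(const std::set<std::string>& run_tags,
                                   const std::set<std::string>& disable_tags,
                                   const std::vector<std::string>& disable_names) {
    rule_engine eng = sample_engine();
    if (!apply_cli_options(eng, run_tags, disable_tags, disable_names)) return {"<conflict>"};
    return eng.rules_to_run(eng.find_ruleset_id(rule_engine::s_default_ruleset));
}
```

With these rules, -t container leaves only "Run shell in container" active, -T shell keeps the two rules without that tag (including the untagged one, which no tag option can touch), and -D "Run shell" disables both shell rules by name substring. The distinction matters operationally: -t is an allow-list, so a rule without the requested tag is silently never evaluated, while -T and -D only subtract from the full set.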
Commits on Feb 10, 2017
- Instead of having a possibly null string pointer as the argument to enable_* and process_event, have wrapper versions that assume a default falco ruleset. The default ruleset name is a static member of the falco_engine class, and the default ruleset id is created/found in the constructor.
- This makes the whole mechanism simple enough that it doesn't require separate testing, so remove the capability within falco to read a ruleset from the environment and remove automated tests that specify a ruleset.
- Make pattern/tags/ruleset arguments to enable_* functions const.
(I'll squash this down before I commit)
Commit: 185729d
Commits on Feb 13, 2017
Commit: 1c21b3b
Commits on Feb 21, 2017
- Sometimes systemd changes its process name to '(systemd)', probably for a forked daemon process. Add that version to login_binaries.
- Add sv (part of runit) as a program that can write below /etc.
- Allow all /dev/tty* files by moving /dev/tty from the list to a "startswith /dev/tty" condition.
Commit: f1aadef
Commits on Feb 22, 2017
Merge pull request #209 from draios/address-falco-beta-fps
More changes to address FPs.
Commit: 38f562e
Commit: c12ab70
Commit: f70a7ae
Commit: 8b98a61
Commit: 58357d3
Commits on Feb 23, 2017
Commit: 7d711db
Commits on Feb 27, 2017
Return lua errors not falco_exceptions
In C functions that implement lua functions, don't directly throw falco_exceptions, which results in opaque error messages like:

Mon Feb 27 10:09:58 2017: Runtime error: Error invoking function output: C++ exception. Exiting.

Instead, return lua errors via lua_error().
Commit: fb36af1
Use the sinsp_evt_formatter_cache added in draios/sysdig#771 instead of a local cache. This simplifies the lua side quite a bit, as it only needs to call format_output(), and clean up everything via free_formatters() in output_cleanup(). On the C side, use a sinsp_evt_formatter object and use it in format_event().
Commit: db469c6
Commits on Feb 28, 2017
- 561c388: Merge pull request #212 from draios/use-formatter-cache
  Use formatter cache
Commits on Mar 6, 2017
- b2529f1
- 537565d: Add support for gitlab omnibus containers/pod
  (https://docs.gitlab.com/omnibus/README.html).
  sysdig-CLA-1.0-signed-off-by: Daniel Kerwin <[email protected]>
- 6b96200: Merge pull request #218 from draios/add-erl-child-setup
  Add erl_child_setup as a shell spawner.
- 353defe: Merge pull request #220 from dkerwin/add_gitlab_binaries
  Add support for gitlab omnibus containers/pod
- d29742a: Add erl_child_setup to shell spawning binaries in a container.
  sysdig-CLA-1.0-signed-off-by: Daniel Kerwin <[email protected]>
Commits on Mar 7, 2017
- 5e8dc8b: Add falco, event generator files for k8s.
  Add example k8s yaml files that allow for running falco as a k8s daemonset and the event generator as a deployment, running on 1 node. Falco is configured to send its output to a slack webhook corresponding to the #demo-falco-alerts channel on sysdig's public slack channel. The output is k8s friendly by using -pk, -k (k8s api server), and -K (credentials to communicate with api server).
- 490a3fe: Merge pull request #222 from draios/add-k8s-example
  Add falco, event generator files for k8s.
Commits on Mar 15, 2017
- 1890008: Merge pull request #221 from dkerwin/erl_child_setup_spawn_in_container
  Add erl_child_setup to shell spawning binaries in a container.
Commits on Mar 20, 2017
- ec5adfe: Build and package standalone falco kernel module
  Start packaging (and building when necessary) a falco-specific kernel module in falco releases. Previously, falco would depend on sysdig and use its kernel module instead. The kernel module was already templated to some degree in various places, so we just had to change the templated name from sysdig/sysdig-probe to falco/falco-probe.
  In containers, run falco-probe-loader instead of sysdig-probe-loader. This is actually a script in the sysdig repository which is modified in draios/sysdig#789, and uses the filename to indicate what kernel module to build and/or load.
  For the falco package itself, don't depend on sysdig any longer but instead depend on dkms and its dependencies, using sysdig as a guide on the set of required packages. Additionally, for the package pre-install/post-install scripts start running falco-probe-loader.
  Finally, add a --version argument to falco so it can pass the desired version string to falco-probe-loader.
Commits on Mar 21, 2017
- 8d58589: Make sure entrypoint runs for docker pod.
  If a daemonset specifies a command, this overrides the entrypoint. In falco's case, the entrypoint handles the details of loading the kernel driver, so specifying a command accidentally prevents the driver from being loaded. This happens to work if you had a previously loaded sysdig_probe driver lying around.
  The fix is to specify args instead. In this case, the driver will be loaded via the entrypoint.
  This fixes #225.
- f72182d: Merge pull request #226 from draios/fix-k8s-daemonset
  Make sure entrypoint runs for docker pod.
Commits on Mar 24, 2017
- 52b006e: Add ability to run live for specific duration
  Use -M <secs> (same as sysdig) to run falco for a specific duration and exit.
- 73fbbdb: Add automated tests for packages/driver installs
  Add automated tests for running falco from a package and container. As a result, this will also test building the kernel module as well as running falco-probe-loader as a backup.
  In travis.yml, switch to the docker-enabled vm and install dkms. This changed the environment slightly, so change how avocado's python dependencies are installed.
  After building falco, copy the .deb package to docker/local and build a local docker image based on that package.
  Add the following new tests:
  - docker_package: this uses "docker run" to run the image created in travis.yml. This includes using dkms to build the kernel module and load it. In addition, the conf directory is mounted to /host/conf, the rules directory is mounted to /host/rules, and the traces directory is mounted to /host/traces.
  - docker_package_local_driver: this disables dkms via a volume mount that maps /dev/null to /usr/sbin/dkms and copies the kernel module by hand into the container to /root/.sysdig/falco-probe-....ko. As a result, falco-probe-loader will use the local kernel module instead of building one itself.
  - debian_package: this installs the .deb package and runs the installed version of falco.
  Ideally, there'd also be a test for downloading the driver, but since the driver depends on the kernel as well as the falco version string, you can't put a single driver on download.draios.com that will work long-term.
  These tests depend on the following new test attributes:
  - package: if present, this points to the docker image/debian package to install.
  - addl_docker_run_args: if present, will be added to the docker run command.
  - copy_local_driver: if present, will copy the built kernel module to ~/.sysdig. ~/.sysdig/* is always cleared out before each test.
  - run_duration: maps to falco's -M <secs> flag.
  - trace_file is now optional.
  Also add some misc general test changes:
  - Clean up our use of process.run. By default it will fail a test if the run program returns non-zero, so we don't have to grab the exit status. In addition, get rid of sudo in the command lines and use the sudo attribute instead.
  - Fix some tests that were writing to files below /tmp/falco_outputs by creating the directory first. Useful when running avocado directly.
Commits on Mar 25, 2017
- 3c20511
Commits on Mar 29, 2017
- a2a707f: Update changelog/readme for 0.6.0.
  Updating with 0.6.0 features/bug fixes. Also update the formatting of README to honor github's new slightly stricter markdown format.
- 6127ca6: To reflect github's new slightly stricter markdown format.
- 0cabedd: Merge pull request #228 from draios/prepare-for-0.6.0
  Update changelog/readme for 0.6.0.