From e321d7c8debed84639997e70289209fe15283112 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?N=C3=A9stor=20Salceda?= Date: Fri, 9 Nov 2018 17:28:16 +0100 Subject: [PATCH 01/19] Fix script documentation and parameters --- .../kubernetes-response-engine/playbooks/deploy_playbook_aws | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/integrations/kubernetes-response-engine/playbooks/deploy_playbook_aws b/integrations/kubernetes-response-engine/playbooks/deploy_playbook_aws index 3382d1db31c..7003fd90d28 100755 --- a/integrations/kubernetes-response-engine/playbooks/deploy_playbook_aws +++ b/integrations/kubernetes-response-engine/playbooks/deploy_playbook_aws @@ -16,7 +16,7 @@ You must pass the playbook and at least one topic to subscribe. Example: -deploy_playbook -p slack -t "falco.error.*" -e SLACK_WEBHOOK_URL=http://foobar.com/... -k sysdig_eks +deploy_playbook -p slack -e SLACK_WEBHOOK_URL=http://foobar.com/... -k sysdig_eks EOF exit 1 } @@ -27,7 +27,7 @@ playbook="" environment=("KUBECONFIG=kubeconfig" "KUBERNETES_LOAD_KUBE_CONFIG=1") eks_cluster="${EKS_CLUSTER}" -while getopts "r:e:t:" arg; do +while getopts "p:e:k:" arg; do case $arg in p) playbook="${OPTARG}" From 4696519debc59b5d1409df8da4002f10f08640ed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?N=C3=A9stor=20Salceda?= Date: Fri, 9 Nov 2018 17:44:04 +0100 Subject: [PATCH 02/19] Honor the principle of least privilege for AWS deployment Configure needed permisssions instead of using one too permissive. --- .../deployment/aws/.gitignore | 2 +- .../deployment/aws/Makefile | 12 ++++++--- .../deployment/aws/cluster-role-binding.yaml | 12 +++++++++ .../deployment/aws/outputs.tf | 2 +- .../deployment/cluster-role.yaml | 25 +++++++++++++++++++ 5 files changed, 48 insertions(+), 5 deletions(-) create mode 100644 integrations/kubernetes-response-engine/deployment/aws/cluster-role-binding.yaml create mode 100644 integrations/kubernetes-response-engine/deployment/cluster-role.yaml 
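Review bot: The usage text just above the example still says `You must pass the playbook and at least one topic to subscribe.`, but `-t` is dropped from both the example and the new getopts string `"p:e:k:"`, so the help now contradicts the options the script accepts; reword it to something like `You must pass the playbook (-p); -e sets environment variables for the function and -k selects the EKS cluster.` The `case $arg in` block continues past the hunk, so also confirm it no longer carries a `t)` branch. Since `eks_cluster="${EKS_CLUSTER}"` is the only default, it is worth stating in the usage that `-k` is required when `EKS_CLUSTER` is unset, assuming that is what `-k` sets.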
diff --git a/integrations/kubernetes-response-engine/deployment/aws/.gitignore b/integrations/kubernetes-response-engine/deployment/aws/.gitignore index e95d270e26b..5b70b6d365d 100644 --- a/integrations/kubernetes-response-engine/deployment/aws/.gitignore +++ b/integrations/kubernetes-response-engine/deployment/aws/.gitignore @@ -1,4 +1,4 @@ .terraform/* .terraform.* terraform.* -*.yaml +aws-auth-patch.yml diff --git a/integrations/kubernetes-response-engine/deployment/aws/Makefile b/integrations/kubernetes-response-engine/deployment/aws/Makefile index ff640c9ccc8..1f512c97c81 100644 --- a/integrations/kubernetes-response-engine/deployment/aws/Makefile +++ b/integrations/kubernetes-response-engine/deployment/aws/Makefile @@ -1,11 +1,17 @@ -all: create configure +all: rbac create configure + +rbac: + kubectl apply -f ../cluster-role.yaml + kubectl apply -f cluster-role-binding.yaml create: - terraform apply + terraform apply -auto-approve configure: kubectl get -n kube-system configmap/aws-auth -o yaml | awk "/mapRoles: \|/{print;print \"$(shell terraform output patch_for_aws_auth)\";next}1" > aws-auth-patch.yml kubectl -n kube-system replace -f aws-auth-patch.yml clean: - terraform destroy + terraform destroy -force + kubectl delete -f cluster-role-binding.yaml + kubectl delete -f ../cluster-role.yaml diff --git a/integrations/kubernetes-response-engine/deployment/aws/cluster-role-binding.yaml b/integrations/kubernetes-response-engine/deployment/aws/cluster-role-binding.yaml new file mode 100644 index 00000000000..5b264a23ec2 --- /dev/null +++ b/integrations/kubernetes-response-engine/deployment/aws/cluster-role-binding.yaml 
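Review bot: The `configure` target rewrites `kube-system/aws-auth` with `kubectl replace` without checking what the awk pipeline produced, and a failed or empty `terraform output patch_for_aws_auth` still yields a file that replaces the ConfigMap, which can lock every mapped IAM principal out of the cluster. Add a guard as the first recipe line, e.g. `test -n "$(shell terraform output patch_for_aws_auth)"`, so an empty output aborts before the replace. `-auto-approve` and `-force` remove the only interactive confirmation for a run that also patches cluster authentication, so a comment on `deploy` should say that it is meant for unattended use. The new `aws-auth-patch.yml` ignore entry is right: that file is rendered local state, not source.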
@@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: kubernetes-response-engine-cluster-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubernetes-response-engine-cluster-role +subjects: +- kind: User + apiGroup: rbac.authorization.k8s.io + name: kubernetes-response-engine diff --git a/integrations/kubernetes-response-engine/deployment/aws/outputs.tf b/integrations/kubernetes-response-engine/deployment/aws/outputs.tf index c793c2d2e7b..0cbc8b98b40 100644 --- a/integrations/kubernetes-response-engine/deployment/aws/outputs.tf +++ b/integrations/kubernetes-response-engine/deployment/aws/outputs.tf @@ -1,7 +1,7 @@ locals { patch_for_aws_auth = < Date: Fri, 9 Nov 2018 17:45:30 +0100 Subject: [PATCH 03/19] Honor the principle of least privilege for CNCF deployment Instead of giving a lot of permissions set only the needed ones --- .../kubernetes-response-engine/deployment/cncf/Makefile | 3 ++- .../deployment/cncf/{rbac.yaml => cluster-role-binding.yaml} | 5 +++-- 2 files changed, 5 insertions(+), 3 deletions(-) rename integrations/kubernetes-response-engine/deployment/cncf/{rbac.yaml => cluster-role-binding.yaml} (60%) diff --git a/integrations/kubernetes-response-engine/deployment/cncf/Makefile b/integrations/kubernetes-response-engine/deployment/cncf/Makefile index 33d9e8b658d..87c7a3e0594 100644 --- a/integrations/kubernetes-response-engine/deployment/cncf/Makefile +++ b/integrations/kubernetes-response-engine/deployment/cncf/Makefile @@ -1,10 +1,11 @@ deploy: kubectl apply -f nats/ kubectl apply -f kubeless/ - kubectl apply -f network-policy.yaml + kubectl apply -f ../cluster-role.yaml kubectl apply -f . clean: kubectl delete -f kubeless/ kubectl delete -f nats/ kubectl delete -f . + kubectl delete -f ../cluster-role.yaml 
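Review bot: `cluster-role-binding.yaml` declares `apiVersion: rbac.authorization.k8s.io/v1beta1`, while the ClusterRole it references uses `rbac.authorization.k8s.io/v1` in the copy visible later in this series (patch 06); RBAC v1 has been stable since Kubernetes 1.8, so use `v1` here as well. The binding's `kind: User` / `name: kubernetes-response-engine` subject only restricts anything if the aws-auth `mapUsers` entry produced by outputs.tf gives that username and no additional groups; the outputs.tf hunk of this commit is not readable here, so confirm the mapped groups do not include `system:masters`, which would make the ClusterRole moot. A comment above `subjects` tying the name to the aws-auth entry (`# must match the username mapped in aws-auth (see outputs.tf)`) would make that dependency visible.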
diff --git a/integrations/kubernetes-response-engine/deployment/cncf/rbac.yaml b/integrations/kubernetes-response-engine/deployment/cncf/cluster-role-binding.yaml similarity index 60% rename from integrations/kubernetes-response-engine/deployment/cncf/rbac.yaml rename to integrations/kubernetes-response-engine/deployment/cncf/cluster-role-binding.yaml index a97702c783f..fd5df52a5b2 100644 --- a/integrations/kubernetes-response-engine/deployment/cncf/rbac.yaml +++ b/integrations/kubernetes-response-engine/deployment/cncf/cluster-role-binding.yaml @@ -1,12 +1,13 @@ apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: - name: sysdig-kubeless + name: kubernetes-response-engine-cluster-role-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: cluster-admin + name: kubernetes-response-engine-cluster-role subjects: - kind: ServiceAccount name: default namespace: default + apiGroup: rbac.authorization.k8s.io From e15ee1d28d9cc9dd73b31f1954d0722f19dbd39a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?N=C3=A9stor=20Salceda?= Date: Fri, 9 Nov 2018 17:48:51 +0100 Subject: [PATCH 04/19] Use deploy as target instead of name Maintain consistency between deployments --- integrations/kubernetes-response-engine/deployment/aws/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integrations/kubernetes-response-engine/deployment/aws/Makefile b/integrations/kubernetes-response-engine/deployment/aws/Makefile index 1f512c97c81..2a317ac28e5 100644 --- a/integrations/kubernetes-response-engine/deployment/aws/Makefile +++ b/integrations/kubernetes-response-engine/deployment/aws/Makefile @@ -1,4 +1,4 @@ -all: rbac create configure +deploy: rbac create configure rbac: kubectl apply -f ../cluster-role.yaml From c24fa324d2a16e40d8c1c43855e4cf8ec4e2cac8 Mon Sep 17 00:00:00 2001 
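Review bot: The binding grants `kubernetes-response-engine-cluster-role` to the `default` ServiceAccount of the `default` namespace, which is the identity every pod in that namespace runs with unless it sets `serviceAccountName`, so any such pod inherits the role's pod-delete/node-patch/job-create rights, not only the Kubeless functions. A dedicated ServiceAccount for the functions, referenced via `serviceAccountName` in their specs, keeps the least-privilege intent of the commit. Also, `apiGroup: rbac.authorization.k8s.io` is only valid for `User` and `Group` subjects; a `ServiceAccount` subject takes the core group (`""`), so the added line is likely to be rejected on apply.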
From: =?UTF-8?q?N=C3=A9stor=20Salceda?= Date: Fri, 9 Nov 2018 19:23:54 +0100 Subject: [PATCH 05/19] Use a newly created system account instead of my personal one This restricts attack surface, and work better in term of automation. --- .../kubernetes-response-engine/deployment/aws/lambda.tf | 6 +++++- .../kubernetes-response-engine/deployment/aws/variables.tf | 3 --- 2 files changed, 5 insertions(+), 4 deletions(-) delete mode 100644 integrations/kubernetes-response-engine/deployment/aws/variables.tf diff --git a/integrations/kubernetes-response-engine/deployment/aws/lambda.tf b/integrations/kubernetes-response-engine/deployment/aws/lambda.tf index 375a2ef3eba..cc2f724cc3a 100644 --- a/integrations/kubernetes-response-engine/deployment/aws/lambda.tf +++ b/integrations/kubernetes-response-engine/deployment/aws/lambda.tf @@ -1,3 +1,7 @@ +resource "aws_iam_user" "kubernetes-response-engine-user" { + name = "kubernetes_response_engine" +} + resource "aws_iam_role" "iam-for-lambda" { name = "iam_for_lambda" @@ -9,7 +13,7 @@ resource "aws_iam_role" "iam-for-lambda" { "Action": "sts:AssumeRole", "Principal": { "Service": "lambda.amazonaws.com", - "AWS": "${var.iam-user-arn}" + "AWS": "${aws_iam_user.kubernetes-response-engine-user.arn}" }, "Effect": "Allow", "Sid": "" diff --git a/integrations/kubernetes-response-engine/deployment/aws/variables.tf b/integrations/kubernetes-response-engine/deployment/aws/variables.tf deleted file mode 100644 index b9fb4052477..00000000000 --- a/integrations/kubernetes-response-engine/deployment/aws/variables.tf +++ /dev/null @@ -1,3 +0,0 @@ -variable "iam-user-arn" { - type = "string" -} From 1308d7fc35a36ae0062c57cef16340162b012c5a Mon Sep 17 00:00:00 2001 
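Review bot: This commit removes `variable "iam-user-arn"` but touches only lambda.tf and variables.tf, so if outputs.tf (which builds `patch_for_aws_auth`, the aws-auth entry that has to carry the user's ARN) still references `var.iam-user-arn`, `terraform apply` fails on an undeclared variable; it should read `aws_iam_user.kubernetes-response-engine-user.arn` as well. The new user is created without any identity policy, which appears sufficient because the trust policy names its ARN explicitly, but that is non-obvious enough to deserve a comment: `# No identity policy: this user only assumes iam_for_lambda, granted by the role's trust policy below.` Its access keys are presumably created out of band; confirm none are managed in Terraform state or committed.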
From: =?UTF-8?q?N=C3=A9stor=20Salceda?= Date: Mon, 12 Nov 2018 17:34:21 +0100 Subject: [PATCH 06/19] Put RBAC configuration together Although it duplicates some code, we prefer duplicate some code and place this files together. --- .../deployment/aws/Makefile | 4 +-- .../deployment/{ => aws}/cluster-role.yaml | 0 .../deployment/cncf/Makefile | 2 -- .../deployment/cncf/cluster-role.yaml | 25 +++++++++++++++++++ 4 files changed, 27 insertions(+), 4 deletions(-) rename integrations/kubernetes-response-engine/deployment/{ => aws}/cluster-role.yaml (100%) create mode 100644 integrations/kubernetes-response-engine/deployment/cncf/cluster-role.yaml diff --git a/integrations/kubernetes-response-engine/deployment/aws/Makefile b/integrations/kubernetes-response-engine/deployment/aws/Makefile index 2a317ac28e5..fc7c14a6f7e 100644 --- a/integrations/kubernetes-response-engine/deployment/aws/Makefile +++ b/integrations/kubernetes-response-engine/deployment/aws/Makefile @@ -1,7 +1,7 @@ deploy: rbac create configure rbac: - kubectl apply -f ../cluster-role.yaml + kubectl apply -f cluster-role.yaml kubectl apply -f cluster-role-binding.yaml create: @@ -14,4 +14,4 @@ configure: clean: terraform destroy -force kubectl delete -f cluster-role-binding.yaml - kubectl delete -f ../cluster-role.yaml + kubectl delete -f cluster-role.yaml diff --git a/integrations/kubernetes-response-engine/deployment/cluster-role.yaml b/integrations/kubernetes-response-engine/deployment/aws/cluster-role.yaml similarity index 100% rename from integrations/kubernetes-response-engine/deployment/cluster-role.yaml rename to integrations/kubernetes-response-engine/deployment/aws/cluster-role.yaml diff --git a/integrations/kubernetes-response-engine/deployment/cncf/Makefile b/integrations/kubernetes-response-engine/deployment/cncf/Makefile index 87c7a3e0594..4d72e65168a 100644 --- a/integrations/kubernetes-response-engine/deployment/cncf/Makefile 
+++ b/integrations/kubernetes-response-engine/deployment/cncf/Makefile @@ -1,11 +1,9 @@ deploy: kubectl apply -f nats/ kubectl apply -f kubeless/ - kubectl apply -f ../cluster-role.yaml kubectl apply -f . clean: kubectl delete -f kubeless/ kubectl delete -f nats/ kubectl delete -f . - kubectl delete -f ../cluster-role.yaml diff --git a/integrations/kubernetes-response-engine/deployment/cncf/cluster-role.yaml b/integrations/kubernetes-response-engine/deployment/cncf/cluster-role.yaml new file mode 100644 index 00000000000..4c76c26b995 --- /dev/null +++ b/integrations/kubernetes-response-engine/deployment/cncf/cluster-role.yaml @@ -0,0 +1,25 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kubernetes-response-engine-cluster-role +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - delete + - list + - patch + - apiGroups: + - "" + resources: + - nodes + verbs: + - patch + - apiGroups: + - batch + resources: + - jobs + verbs: + - create From d1329af3bdc65d460bee2f017f2a7013cb28e572 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 15 Nov 2018 16:42:14 -0800 Subject: [PATCH 07/19] Avoid going past end of ruleset/etag arrays (#468) It's possible to call event_tags_for_ruleset/evttypes_for_ruleset for a ruleset that hasn't been loaded. In this case, it's possible to go past the end of the m_rulesets array. After fixing that, it's also possible to go past the end of the event_tags array in event_tags_for_ruleset(). So in both cases, check the index against the array size before indexing. --- userspace/engine/ruleset.cpp | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/userspace/engine/ruleset.cpp b/userspace/engine/ruleset.cpp index a43ffb33f22..27cb0a42a88 100644 --- a/userspace/engine/ruleset.cpp +++ b/userspace/engine/ruleset.cpp 
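Review bot: The new ClusterRole grants `create` on `batch/jobs` cluster-wide; a Job can specify any `serviceAccountName` in its namespace, so the holder can run a workload with the permissions of any ServiceAccount in any namespace, which is far broader than the pod and node rules around it suggest. If the playbooks only create jobs in one namespace, grant that verb through a namespaced Role/RoleBinding and keep the ClusterRole for `pods` and `nodes`. A one-line comment per rule naming the playbook that needs it (e.g. `# <playbook name>: needs pods/delete`) would let the next reviewer judge each verb. The cncf Makefile now relies on `kubectl apply -f .` to pick up both RBAC files, which works because a binding may be created before its role exists, but a comment on `deploy` should say the RBAC objects come from that glob.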
@@ -234,6 +234,11 @@ bool falco_ruleset::run(gen_event *evt, uint32_t etag, uint16_t ruleset) void falco_ruleset::event_tags_for_ruleset(vector &evttypes, uint16_t ruleset) { + if(m_rulesets.size() < (size_t) ruleset + 1) + { + return; + } + return m_rulesets[ruleset]->event_tags_for_ruleset(evttypes); } @@ -314,7 +319,7 @@ void falco_sinsp_ruleset::evttypes_for_ruleset(vector &evttypes, uint16_t { uint32_t etag = evttype_to_event_tag(etype); - if(event_tags[etag]) + if(etag < event_tags.size() && event_tags[etag]) { evttypes[etype] = true; } @@ -333,7 +338,7 @@ void falco_sinsp_ruleset::syscalls_for_ruleset(vector &syscalls, uint16_t { uint32_t etag = evttype_to_event_tag(syscallid); - if(event_tags[etag]) + if(etag < event_tags.size() && event_tags[etag]) { syscalls[syscallid] = true; } From f7c17bb1a5a7e28f702cada72bebb5925cf32b57 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?N=C3=A9stor=20Salceda?= Date: Tue, 27 Nov 2018 17:02:02 +0100 Subject: [PATCH 08/19] This apiGroup is not needed on the CNCF flavor I remove it for avoiding breaking stuff. --- .../deployment/cncf/cluster-role-binding.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/integrations/kubernetes-response-engine/deployment/cncf/cluster-role-binding.yaml b/integrations/kubernetes-response-engine/deployment/cncf/cluster-role-binding.yaml index fd5df52a5b2..86c6c63ccb5 100644 --- a/integrations/kubernetes-response-engine/deployment/cncf/cluster-role-binding.yaml +++ b/integrations/kubernetes-response-engine/deployment/cncf/cluster-role-binding.yaml @@ -10,4 +10,3 @@ subjects: - kind: ServiceAccount name: default namespace: default - apiGroup: rbac.authorization.k8s.io From e4e6d8845d801c37991a71424df7fad8d91cc783 Mon Sep 17 00:00:00 2001 
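Review bot: The new guard in `falco_ruleset::event_tags_for_ruleset` returns with `evttypes` untouched, so a caller passing an unloaded ruleset cannot distinguish that from a loaded ruleset with no tags; at minimum document it: `// Unknown ruleset: nothing was loaded for it, leave evttypes unchanged.` The condition reads more naturally as `if(ruleset >= m_rulesets.size())`, which drops both the cast and the `+ 1`. If `m_rulesets` can hold empty slots below its size (for instance after being grown to fit a higher ruleset id), the size check alone does not protect the dereference on the next line — confirm or add a null check. The two `etag < event_tags.size()` guards are correct; their enclosing functions start outside the hunks.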
From: Andy Dalton <751263+adalton@users.noreply.github.com> Date: Tue, 27 Nov 2018 20:38:10 -0500 Subject: [PATCH 09/19] Add optional support for -Wextra and -Werror (#479) The -Wextra compile-time option will enable additional diagnostic warnigns. The -Werror option will cause the compiler to treat warnings as errors. This change adds a build time option, BUILD_WARNINGS_AS_ERRORS, to conditionally enable those flags. Note that depending on the compiler you're using, if you enable this option, compilation may fail (some compiler version have additional warnings that have not yet been resolved). Testing with these options in place identified a destructor that was throwing an exception. C++11 doesn't allow destructors to throw exceptions, so those throw's would have resulted in calls to terminate(). I replace them with an error log and a call to assert(). --- CMakeLists.txt | 13 +++++++++++-- userspace/falco/falco_outputs.cpp | 11 +++++++++-- 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 3c7e965d9d9..662dab91b5a 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -19,6 +19,8 @@ cmake_minimum_required(VERSION 2.8.2) project(falco) +option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags") + if(NOT DEFINED FALCO_VERSION) set(FALCO_VERSION "0.1.1dev") endif() 
@@ -35,8 +37,15 @@ if(NOT DRAIOS_DEBUG_FLAGS) set(DRAIOS_DEBUG_FLAGS "-D_DEBUG") endif() -set(CMAKE_C_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}") -set(CMAKE_CXX_FLAGS "-Wall -ggdb --std=c++0x ${DRAIOS_FEATURE_FLAGS}") +set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}") + +if(BUILD_WARNINGS_AS_ERRORS) + set(CMAKE_SUPPRESSED_WARNINGS "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-sign-compare -Wno-type-limits -Wno-implicit-fallthrough -Wno-format-truncation") + set(CMAKE_COMMON_FLAGS "${CMAKE_COMMON_FLAGS} -Wextra -Werror ${CMAKE_SUPPRESSED_WARNINGS}") +endif() + +set(CMAKE_C_FLAGS "${CMAKE_COMMON_FLAGS}") +set(CMAKE_CXX_FLAGS "--std=c++0x ${CMAKE_COMMON_FLAGS}") set(CMAKE_C_FLAGS_DEBUG "${DRAIOS_DEBUG_FLAGS}") set(CMAKE_CXX_FLAGS_DEBUG "${DRAIOS_DEBUG_FLAGS}") diff --git a/userspace/falco/falco_outputs.cpp b/userspace/falco/falco_outputs.cpp index 3ef21d620ef..97341e0b1b8 100644 --- a/userspace/falco/falco_outputs.cpp +++ b/userspace/falco/falco_outputs.cpp 
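Review bot: `-Wno-format-truncation` and `-Wno-implicit-fallthrough` are GCC 7+ spellings; clang typically reports an unknown `-Wno-` option under `-Wunknown-warning-option`, and with `-Werror` that alone fails the build, which is the failure mode the commit message anticipates — probing each flag with `include(CheckCXXCompilerFlag)` / `check_cxx_compiler_flag()` or gating on `CMAKE_CXX_COMPILER_ID` avoids it. Silencing `-Wsign-compare` and `-Wtype-limits` globally hides exactly the signed/unsigned index comparisons that patch 07 in this series fixed by hand, so a `# TODO: re-enable -Wsign-compare/-Wtype-limits once the existing hits are fixed` would record the debt. The `CMAKE_` prefix is reserved for CMake's own variables; `FALCO_COMMON_FLAGS` / `FALCO_SUPPRESSED_WARNINGS` would be clearer. The `option()` added in the previous hunk omits its default; `OFF` is implied, but stating it makes the intent explicit.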
@@ -37,19 +37,26 @@ falco_outputs::falco_outputs(falco_engine *engine) falco_outputs::~falco_outputs() { + // Note: The assert()s in this destructor were previously places where + // exceptions were thrown. C++11 doesn't allow destructors to + // emit exceptions; if they're thrown, they'll trigger a call + // to 'terminate()'. To maintain similar behavior, the exceptions + // were replace with calls to 'assert()' if(m_initialized) { lua_getglobal(m_ls, m_lua_output_cleanup.c_str()); if(!lua_isfunction(m_ls, -1)) { - throw falco_exception("No function " + m_lua_output_cleanup + " found. "); + falco_logger::log(LOG_ERR, std::string("No function ") + m_lua_output_cleanup + " found. "); + assert(nullptr == "Missing lua cleanup function in ~falco_outputs"); } if(lua_pcall(m_ls, 0, 0, 0) != 0) { const char* lerr = lua_tostring(m_ls, -1); - throw falco_exception(string(lerr)); + falco_logger::log(LOG_ERR, std::string("lua_pcall failed, err: ") + lerr); + assert(nullptr == "lua_pcall failed in ~falco_outputs"); } } } From 67cde2980d3733831e882158ccf21e1d3cde9df5 Mon Sep 17 00:00:00 2001 From: Michael Ducy Date: Tue, 27 Nov 2018 19:44:01 -0600 Subject: [PATCH 10/19] Add k8s.ns.name to output when -k flag passed (#472) --- userspace/falco/falco.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/userspace/falco/falco.cpp b/userspace/falco/falco.cpp index b9e26a5e928..8140a736a35 100644 --- a/userspace/falco/falco.cpp +++ b/userspace/falco/falco.cpp @@ -559,7 +559,7 @@ int falco_init(int argc, char **argv) } else if(string(optarg) == "k" || string(optarg) == "kubernetes") { - output_format = "k8s.pod=%k8s.pod.name container=%container.id"; + output_format = "k8s.ns=%k8s.ns.name k8s.pod=%k8s.pod.name container=%container.id"; replace_container_info = true; } else if(string(optarg) == "m" || string(optarg) == "mesos") From ea303ba32fda96435c3d1599511a9777cf908072 Mon Sep 17 00:00:00 2001 
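Review bot: `assert()` is compiled out under `NDEBUG`, so in a release build the missing-cleanup-function branch of `~falco_outputs` logs and then falls straight into `lua_pcall(m_ls, 0, 0, 0)` with a non-function on the stack, which fails and logs a second, misleading `lua_pcall failed` error; add `lua_pop(m_ls, 1); return;` after the first `assert`. The header comment should read `were replaced with calls to 'assert()'` rather than `were replace with`, and it is worth adding that in release builds the destructor only logs. The new `assert` calls need `<cassert>` in scope — confirm it is included at the top of falco_outputs.cpp.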
From: Loris Degioanni Date: Mon, 10 Dec 2018 11:54:47 -0800 Subject: [PATCH 11/19] noise suppression: calico writing config files into /etc (#481) --- rules/falco_rules.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 167a1ddf250..19ea82e7ae5 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -841,6 +841,10 @@ - macro: ufw_writing_conf condition: proc.name=ufw and fd.directory=/etc/ufw +- macro: calico_writing_conf + condition: > + (proc.name = calico-node and fd.name startswith /etc/calico) + # Add conditions to this macro (probably in a separate file, # overwriting this macro) to allow for specific combinations of # programs writing below specific directories below @@ -943,6 +947,7 @@ and not iscsi_writing_conf and not istio_writing_conf and not ufw_writing_conf + and not calico_writing_conf - rule: Write below etc desc: an attempt to write to any file below /etc From 840fc4bb41d80b168fc729b86bf2ab0c3af2f379 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 27 Dec 2018 21:15:00 -0800 Subject: [PATCH 12/19] Kh add process rules v2 (#490) * add new rules for package management process launched and network tool process launched * fix typo and improve readability * v3 --- rules/falco_rules.yaml | 50 ++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 48 insertions(+), 2 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 19ea82e7ae5..78dbf1359a3 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
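Review bot: `calico_writing_conf` exempts writes on `proc.name = calico-node` alone, and the comm name is chosen by whoever launches the binary, so any process renamed `calico-node` can now write below `/etc/calico` without an alert; the same caveat applies to the `calico` entry added to the setns exemption list in patch 13 of this series. This follows the file's existing `*_writing_conf` convention, so it is a known trade-off, but a file-writing exception could be tightened with a container field the file already uses elsewhere, e.g. `and container.image contains <calico node image>`. A one-line comment above the macro recording why it exists (`# calico-node rewrites its own config below /etc/calico`) would help reviewers of the next noise-suppression patch judge its scope.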
@@ -178,17 +178,23 @@ - list: deb_binaries items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, apt-get, aptitude, frontend, preinst, add-apt-reposit, apt-auto-remova, apt-key, - apt-listchanges, unattended-upgr, apt-add-reposit + apt-listchanges, unattended-upgr, apt-add-reposit, apt-config, apt-cache ] # The truncated dpkg-preconfigu is intentional, process names are # truncated at the sysdig level. - list: package_mgmt_binaries - items: [rpm_binaries, deb_binaries, update-alternat, gem, pip, pip3, sane-utils.post, alternatives, chef-client] + items: [rpm_binaries, deb_binaries, update-alternat, gem, pip, pip3, sane-utils.post, alternatives, chef-client, apk] - macro: package_mgmt_procs condition: proc.name in (package_mgmt_binaries) +- macro: package_mgmt_ancestor_procs + condition: proc.pname in (package_mgmt_binaries) or + proc.aname[2] in (package_mgmt_binaries) or + proc.aname[3] in (package_mgmt_binaries) or + proc.aname[4] in (package_mgmt_binaries) + - macro: coreos_write_ssh_dir condition: (proc.name=update-ssh-keys and fd.name startswith /home/core/.ssh) 
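Review bot: `apt-config` and `apt-cache` are read-only query tools, and because `deb_binaries` feeds `package_mgmt_binaries`, the `Launch Package Management Process in Container` rule introduced in the next hunk will fire at ERROR priority on `apt-cache policy` or `apt-config dump` even though the image is not modified. If the goal is to catch image mutation, leave them out of the list, or note the trade-off in a comment (`# apt-cache/apt-config are read-only but listed so ancestor checks still match`). `package_mgmt_ancestor_procs` stops at `proc.aname[4]`; a comment stating that deeper ancestry is deliberately not checked would prevent a later "fix".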
@@ -1747,6 +1753,46 @@ priority: NOTICE tags: [network, k8s, container] +- list: network_tool_binaries + items: [nc, ncat, nmap] + +- macro: network_tool_procs + condition: proc.name in (network_tool_binaries) + +# Container is supposed to be immutable. Package management should be done in building the image. +- rule: Launch Package Management Process in Container + desc: Package management process ran inside container + condition: > + spawned_process and container and user.name != "_apt" and package_mgmt_procs and not package_mgmt_ancestor_procs + output: > + Package management process launched in container (user=%user.name + command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image) + priority: ERROR + tags: [process] + +- rule: Netcat Remote Code Execution in Container + desc: Netcat Program runs inside container that allows remote code execution + condition: > + spawned_process and container and + ((proc.name = "nc" and (proc.args contains "-e" or proc.args contains "-c")) or + (proc.name = "ncat" and (proc.args contains "--sh-exec" or proc.args contains "--exec")) + ) + output: > + Netcat runs inside container that allows remote code execution (user=%user.name + command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image) + priority: WARNING + tags: [network, process] + +- rule: Lauch Suspicious Network Tool in Container + desc: Detect network tools launched inside container + condition: > + spawned_process and container and network_tool_procs + output: > + Network tool launched in container (user=%user.name + command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image) + priority: NOTICE + tags: [network, process] + # Application rules have moved to application_rules.yaml. Please look # there if you want to enable them by adding to # falco_rules.local.yaml. From 29b597dd9cafc495bc6032c771b2d547cfa6bcd0 Mon Sep 17 00:00:00 2001 
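Review bot: The rule name `Lauch Suspicious Network Tool in Container` has a typo (`Lauch` → `Launch`); rule names are the key users put in `falco_rules.local.yaml` to disable or override a rule and appear verbatim in every alert, so renaming later is a breaking change — fix it before it ships. In the Netcat rule, `proc.args contains "-e"` is a substring match over the whole argument string, so `nc my-example.com 80` also triggers; that is acceptable for a WARNING rule but should be stated in the `desc`. The same `desc` reads awkwardly; `Netcat launched inside a container with an exec/shell option (-e, -c, --exec, --sh-exec), which allows remote code execution` is clearer.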
From: Mark Stemm Date: Wed, 9 Jan 2019 12:27:46 -0800 Subject: [PATCH 13/19] Improved inbound/outbound macros (#470) * Improved inbound/outbound macros Improved versions of inbound/outbound macros that add coverage for recvfrom/recvmsg, sendto/sendmsg and also ignore non-blocking syscalls in a different way. * Let nginx-ingress-c(ontroller) write to /etc/nginx Process truncated due to comm limit. Also fix some parentheses for another write_etc_common macro. * Let calico setns also. * Let prometheus-conf write its config Let prometheus-conf write its config below /etc/prometheus. * Let openshift oc write to /etc/origin/node --- rules/falco_rules.yaml | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 78dbf1359a3..901e9b01b58 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -268,14 +268,18 @@ # Network - macro: inbound condition: > - (((evt.type in (accept,listen) and evt.dir=<)) or + (((evt.type in (accept,listen) and evt.dir=<) or + (evt.type in (recvfrom,recvmsg) and evt.dir=< and + fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and (fd.typechar = 4 or fd.typechar = 6) and (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and (evt.rawres >= 0 or evt.res = EINPROGRESS)) - macro: outbound condition: > - (((evt.type = connect and evt.dir=<)) or + (((evt.type = connect and evt.dir=<) or + (evt.type in (sendto,sendmsg) and evt.dir=< and + fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and (fd.typechar = 4 or fd.typechar = 6) and (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and (evt.rawres >= 0 or evt.res = EINPROGRESS)) 
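Review bot: The new second disjunct of `inbound` / `outbound` (`evt.type in (recvfrom,recvmsg)` / `(sendto,sendmsg)` with `fd.l4proto != tcp and fd.connected=false and fd.name_changed=true`) is not self-explanatory and the file has no comment for it; add one above each macro, along the lines of `# Unconnected (non-TCP) sockets never accept/connect; treat the first datagram exchanged with a new peer (fd.name_changed) as the inbound/outbound event` — assuming that is what `fd.name_changed` captures, which the rule author should confirm. The `evt.rawres >= 0 or evt.res = EINPROGRESS` clause now also filters the datagram branch, which is presumably how non-blocking calls are ignored per the commit message; saying so in the same comment avoids a future reader "simplifying" it.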
@@ -634,7 +638,7 @@ condition: (veritas_progs and (fd.name startswith /etc/vx or fd.name startswith /etc/opt/VRTS or fd.name startswith /etc/vom)) - macro: nginx_writing_conf - condition: (proc.name=nginx and fd.name startswith /etc/nginx) + condition: (proc.name in (nginx,nginx-ingress-c) and fd.name startswith /etc/nginx) - macro: nginx_writing_certs condition: > @@ -845,12 +849,18 @@ condition: (proc.aname[2] in (dpkg-reconfigur, dpkg-preconfigu)) - macro: ufw_writing_conf - condition: proc.name=ufw and fd.directory=/etc/ufw + condition: (proc.name=ufw and fd.directory=/etc/ufw) - macro: calico_writing_conf condition: > (proc.name = calico-node and fd.name startswith /etc/calico) - + +- macro: prometheus_conf_writing_conf + condition: (proc.name=prometheus-conf and fd.directory=/etc/prometheus/config_out) + +- macro: openshift_writing_conf + condition: (proc.name=oc and fd.name=/etc/origin/node/node.kubeconfig) + # Add conditions to this macro (probably in a separate file, # overwriting this macro) to allow for specific combinations of # programs writing below specific directories below @@ -954,6 +964,8 @@ and not istio_writing_conf and not ufw_writing_conf and not calico_writing_conf + and not prometheus_conf_writing_conf + and not openshift_writing_conf - rule: Write below etc desc: an attempt to write to any file below /etc @@ -1164,7 +1176,7 @@ as a part of creating a container) by calling setns. condition: > evt.type = setns - and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter) + and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter, calico) and not proc.name in (user_known_change_thread_namespace_binaries) and not proc.name startswith "runc:" and not proc.pname in (sysdigcloud_binaries) From 611877e4d31bdb6b0a2361f5471629e9a179dec3 Mon Sep 17 00:00:00 2001 
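Review bot: `nginx_writing_conf` now lists `nginx-ingress-c`, which the commit message explains is `nginx-ingress-controller` truncated by the comm length limit, but the file only documents that effect for `dpkg-preconfigu`; add `# nginx-ingress-c is nginx-ingress-controller truncated to the comm length limit` beside it, otherwise a later reader will treat it as a typo. `openshift_writing_conf` pins an exact file (`fd.name=/etc/origin/node/node.kubeconfig`), which is the tightest macro in this set and the shape the others should aim for.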
From: Mark Stemm Date: Mon, 14 Jan 2019 10:00:23 -0800 Subject: [PATCH 14/19] Unbuffer outputs by default (#494) In the common case, falco doesn't generate much output, so it's desirable to not buffer it in case you're tail -fing some logs. So change the default for buffered outputs to false. --- falco.yaml | 4 ++-- userspace/falco/configuration.cpp | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/falco.yaml b/falco.yaml index 0ed9202b994..986f6de21e1 100644 --- a/falco.yaml +++ b/falco.yaml @@ -60,8 +60,8 @@ log_level: info priority: debug # Whether or not output to any of the output channels below is -# buffered. Defaults to true -buffered_outputs: true +# buffered. Defaults to false +buffered_outputs: false # A throttling mechanism implemented as a token bucket limits the # rate of falco notifications. This throttling is controlled by the following configuration diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp index 5b7706207a0..1894946cee8 100644 --- a/userspace/falco/configuration.cpp +++ b/userspace/falco/configuration.cpp @@ -30,7 +30,7 @@ limitations under the License. using namespace std; falco_configuration::falco_configuration() - : m_buffered_outputs(true), + : m_buffered_outputs(false), m_webserver_enabled(false), m_webserver_listen_port(8765), m_webserver_k8s_audit_endpoint("/k8s_audit"), @@ -155,7 +155,7 @@ void falco_configuration::init(string conf_filename, list &cmdline_optio } m_min_priority = (falco_common::priority_type) (it - falco_common::priority_names.begin()); - m_buffered_outputs = m_config->get_scalar("buffered_outputs", true); + m_buffered_outputs = m_config->get_scalar("buffered_outputs", false); falco_logger::log_stderr = m_config->get_scalar("log_stderr", false); falco_logger::log_syslog = m_config->get_scalar("log_syslog", true); From 5e5742f87d4732fafbec509eeddb26c2a8a81b3e Mon Sep 17 00:00:00 2001 
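Review bot: The default for `buffered_outputs` is spelled in three places — the falco.yaml comment, the `falco_configuration()` initializer and the `get_scalar("buffered_outputs", false)` fallback — which is how the old `true` survived until this patch; using the member's initial value (or one `static const bool`) as the `get_scalar` default keeps them from drifting. The falco.yaml comment could also say why: `# Unbuffered by default so alerts appear immediately when tailing a log; enable buffering for high alert rates.`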
From: Mark Stemm Date: Mon, 14 Jan 2019 10:00:43 -0800 Subject: [PATCH 15/19] Only have -pc/-pk apply to syscall rules (#495) Currently, -pc/-pk results in extra fields added to the output field of all rules. They should only be added for syscall rules. --- userspace/engine/lua/rule_loader.lua | 32 +++++++++++++++------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/userspace/engine/lua/rule_loader.lua b/userspace/engine/lua/rule_loader.lua index 9fb96fd00a1..8c81d62b9a2 100644 --- a/userspace/engine/lua/rule_loader.lua +++ b/userspace/engine/lua/rule_loader.lua 
@@ -493,24 +493,26 @@ function load_rules(sinsp_lua_parser, -- If the format string contains %container.info, replace it -- with extra. Otherwise, add extra onto the end of the format -- string. - if string.find(v['output'], "%container.info", nil, true) ~= nil then - - -- There may not be any extra, or we're not supposed - -- to replace it, in which case we use the generic - -- "%container.name (id=%container.id)" - if replace_container_info == false then - v['output'] = string.gsub(v['output'], "%%container.info", "%%container.name (id=%%container.id)") + if v['source'] == "syscall" then + if string.find(v['output'], "%container.info", nil, true) ~= nil then + + -- There may not be any extra, or we're not supposed + -- to replace it, in which case we use the generic + -- "%container.name (id=%container.id)" + if replace_container_info == false then + v['output'] = string.gsub(v['output'], "%%container.info", "%%container.name (id=%%container.id)") + if extra ~= "" then + v['output'] = v['output'].." "..extra + end + else + safe_extra = string.gsub(extra, "%%", "%%%%") + v['output'] = string.gsub(v['output'], "%%container.info", safe_extra) + end + else + -- Just add the extra to the end if extra ~= "" then v['output'] = v['output'].." "..extra end - else - safe_extra = string.gsub(extra, "%%", "%%%%") - v['output'] = string.gsub(v['output'], "%%container.info", safe_extra) - end - else - -- Just add the extra to the end - if extra ~= "" then - v['output'] = v['output'].." "..extra end end From c28892eba3dd18fb69e6d0175113689894c3e484 Mon Sep 17 00:00:00 2001 
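Review bot: The new `if v['source'] == "syscall"` guard only works if every rule carries a `source` field; if rules that omit it are not defaulted to `"syscall"` before this point (the code that fills `v` is outside the hunk), every existing syscall rule silently loses the `-pc`/`-pk` fields. Either confirm the defaulting or write the check as `if (v['source'] or "syscall") == "syscall" then`. In the moved lines, `safe_extra = string.gsub(extra, "%%", "%%%%")` has no `local`, so it becomes a global; pre-existing, but cheap to fix while the block is being rewritten.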
From: ztz Date: Thu, 17 Jan 2019 09:42:58 +0800 Subject: [PATCH 16/19] Fix missing arguments (#485) * Fix missing arguments. sysdig-CLA-1.0-signed-off-by: Yue Feng falco-CLA-1.0-signed-off-by: Yue Feng * Re-add base64 encoding feature into formats.cpp sysdig-CLA-1.0-signed-off-by: Yue Feng falco-CLA-1.0-signed-off-by: Yue Feng --- userspace/engine/formats.cpp | 24 +++++++++++++++++++++--- userspace/falco/falco.cpp | 3 ++- 2 files changed, 23 insertions(+), 4 deletions(-) diff --git a/userspace/engine/formats.cpp b/userspace/engine/formats.cpp index cc1c416b395..904e856cb64 100644 --- a/userspace/engine/formats.cpp +++ b/userspace/engine/formats.cpp @@ -152,7 +152,27 @@ int falco_formats::format_event (lua_State *ls) if(s_json_output) { - s_inspector->set_buffer_format(sinsp_evt::PF_JSON); + switch(s_inspector->get_buffer_format()) + { + case sinsp_evt::PF_NORMAL: + s_inspector->set_buffer_format(sinsp_evt::PF_JSON); + break; + case sinsp_evt::PF_EOLS: + s_inspector->set_buffer_format(sinsp_evt::PF_JSONEOLS); + break; + case sinsp_evt::PF_HEX: + s_inspector->set_buffer_format(sinsp_evt::PF_JSONHEX); + break; + case sinsp_evt::PF_HEXASCII: + s_inspector->set_buffer_format(sinsp_evt::PF_JSONHEXASCII); + break; + case sinsp_evt::PF_BASE64: + s_inspector->set_buffer_format(sinsp_evt::PF_JSONBASE64); + break; + default: + // do nothing + break; + } s_formatters->tostring((sinsp_evt *) evt, sformat, &json_line); // The formatted string might have a leading newline. If it does, remove it. @@ -160,8 +180,6 @@ int falco_formats::format_event (lua_State *ls) { json_line.erase(0, 1); } - - s_inspector->set_buffer_format(sinsp_evt::PF_NORMAL); } } catch (sinsp_exception& e) diff --git a/userspace/falco/falco.cpp b/userspace/falco/falco.cpp index 8140a736a35..ddeb85f7d78 100644 --- a/userspace/falco/falco.cpp +++ b/userspace/falco/falco.cpp 
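Review bot: Dropping the trailing `s_inspector->set_buffer_format(sinsp_evt::PF_NORMAL)` leaves the inspector on the JSON variant after the first call; that is what makes the new switch idempotent (the JSON cases land in `default`), but it is persistent state other users of `s_inspector` will see, so say so above the switch: `// Map the configured buffer format to its JSON variant once; later calls see the JSON value and fall through default.` If anything else formats events through the same inspector while `s_json_output` is set, it now gets JSON-encoded buffers too — confirm that is intended.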
@@ -458,6 +458,7 @@ int falco_init(int argc, char **argv) static struct option long_options[] = { {"help", no_argument, 0, 'h' }, + {"print-base64", no_argument, 0, 'b'}, {"daemon", no_argument, 0, 'd' }, {"k8s-api", required_argument, 0, 'k'}, {"k8s-api-cert", required_argument, 0, 'K' }, @@ -488,7 +489,7 @@ int falco_init(int argc, char **argv) // Parse the args // while((op = getopt_long(argc, argv, - "hc:AdD:e:ik:K:Ll:m:M:o:P:p:r:s:T:t:UvV:w:", + "hc:AbdD:e:F:ik:K:Ll:m:M:o:P:p:r:S:s:T:t:UvV:w:", long_options, &long_index)) != -1) { switch(op) From 6863675b76db87424bbde9627c3f74105064f721 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?N=C3=A9stor=20Salceda?= Date: Thu, 17 Jan 2019 02:43:38 +0100 Subject: [PATCH 17/19] Remove kubernetes-response-engine from system:masters (#488) As long as we are using rbac for allowing actions on several resources, we can restrict this a bit more. --- .../kubernetes-response-engine/deployment/aws/outputs.tf | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/integrations/kubernetes-response-engine/deployment/aws/outputs.tf b/integrations/kubernetes-response-engine/deployment/aws/outputs.tf index 0cbc8b98b40..0423215785b 100644 --- a/integrations/kubernetes-response-engine/deployment/aws/outputs.tf +++ b/integrations/kubernetes-response-engine/deployment/aws/outputs.tf 
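Review bot: The new optstring `"hc:AbdD:e:F:ik:K:Ll:m:M:o:P:p:r:S:s:T:t:UvV:w:"` accepts `b`, `F:` and `S:`, but the long_options hunk adds only `print-base64`, and the `case 'b'`/`case 'F'`/`case 'S'` handlers belong to the `switch(op)` that is outside the hunk; please confirm each exists, since getopt_long will otherwise consume the flag and its argument without any effect or error. If `F` and `S` are meant to have long forms like the other options, their `long_options` entries are missing here. Minor style: `{"print-base64", no_argument, 0, 'b'},` drops the space before `}` that the neighbouring entries use. falco_init starts and ends outside the hunks.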
@@ -1,9 +1,7 @@ locals { patch_for_aws_auth = < Date: Wed, 16 Jan 2019 18:12:02 -0800 Subject: [PATCH 18/19] Add falco service k8s (#496) * Add falco service to k8s install/update labels Update the instructions for K8s RBAC installation to also create a service that maps to port 8765 of the falco pod. This allows other services to access the embedded webserver within falco. Also clean up the set of labels to use a consistent app: falco-example, role:security for each object. * Change K8s Audit Example to use falco daemonset Change the K8s Audit Example instructions to use minikube in conjunction with a falco daemonset running inside of minikube. (We're going to start prebuilding kernel modules for recent minikube variants to make this possible). When running inside of minikube in conjunction with a service, you have to go through some additional steps to find the ClusterIP associated with the falco service and use that ip when configuring the k8s audit webhook. Overall it's still a more self-contained set of instructions, though. --- examples/k8s_audit_config/README.md | 25 +++++++++++++++---- ...ook-config.yaml => webhook-config.yaml.in} | 2 +- integrations/k8s-using-daemonset/README.md | 13 ++++++++-- .../k8s-with-rbac/falco-account.yaml | 9 +++++++ .../falco-daemonset-configmap.yaml | 9 +++---- .../k8s-with-rbac/falco-service.yaml | 13 ++++++++++ 6 files changed, 58 insertions(+), 13 deletions(-) rename examples/k8s_audit_config/{webhook-config.yaml => webhook-config.yaml.in} (77%) create mode 100644 integrations/k8s-using-daemonset/k8s-with-rbac/falco-service.yaml diff --git a/examples/k8s_audit_config/README.md b/examples/k8s_audit_config/README.md index 481a590f672..709ce2cac67 100644 --- a/examples/k8s_audit_config/README.md +++ b/examples/k8s_audit_config/README.md 
@@ -3,21 +3,36 @@ The files in this directory can be used to configure k8s audit logging. The relevant files are: * [audit-policy.yaml](./audit-policy.yaml): The k8s audit log configuration we used to create the rules in [k8s_audit_rules.yaml](../../rules/k8s_audit_rules.yaml). You may find it useful as a reference when creating your own K8s Audit Log configuration. -* [webhook-config.yaml](./webhook-config.yaml): A webhook configuration that sends audit events to localhost, port 8765. You may find it useful as a starting point when deciding how to route audit events to the embedded webserver within falco. +* [webhook-config.yaml.in](./webhook-config.yaml.in): A (templated) webhook configuration that sends audit events to an ip associated with the falco service, port 8765. It is templated in that the *actual* ip is defined in an environment variable `FALCO_SERVICE_CLUSTERIP`, which can be plugged in using a program like `envsubst`. You may find it useful as a starting point when deciding how to route audit events to the embedded webserver within falco. -This file is only needed when using Minikube, which doesn't currently +These files are only needed when using Minikube, which doesn't currently have the ability to provide an audit config/webhook config directly from the minikube commandline. See [this issue](https://github.com/kubernetes/minikube/issues/2741) for more details. * [apiserver-config.patch.sh](./apiserver-config.patch.sh): A script that changes the configuration file `/etc/kubernetes/manifests/kube-apiserver.yaml` to add necessary config options and mounts for the kube-apiserver container that runs within the minikube vm. 
-A way to use these files with minikube to enable audit logging would be to run the following commands, from this directory: +A way to use these files with minikube to run falco and enable audit logging would be the following: + +#### Start Minikube with Audit Logging Enabled + +Run the following to start minikube with Audit Logging Enabled: ``` minikube start --kubernetes-version v1.11.0 --mount --mount-string $PWD:/tmp/k8s_audit_config --feature-gates AdvancedAuditing=true +``` + +#### Create a Falco DaemonSet and Supporting Accounts/Services + +Follow the [K8s Using Daemonset](../../integrations/k8s-using-daemonset/README.md) instructions to create a falco service account, service, configmap, and daemonset. + +#### Configure Audit Logging with a Policy and Webhook + +Run the following commands to fill in the template file with the ClusterIP ip address you created with the `falco-service` service above, and configure audit logging to use a policy and webhook that directs the right events to the falco daemonset. Although services like `falco-service.default.svc.cluster.local` can not be resolved from the kube-apiserver container within the minikube vm (they're run as pods but not *really* a part of the cluster), the ClusterIPs associated with those services are routable. + +``` +FALCO_SERVICE_CLUSTERIP=$(kubectl get service falco-service -o=jsonpath={.spec.clusterIP}) envsubst < webhook-config.yaml.in > webhook-config.yaml ssh -i $(minikube ssh-key) docker@$(minikube ip) sudo bash /tmp/k8s_audit_config/apiserver-config.patch.sh -ssh -i $(minikube ssh-key) -R 8765:localhost:8765 docker@$(minikube ip) ``` -K8s audit events will then be sent to localhost on the host (not minikube vm) machine, port 8765. +K8s audit events will then be routed to the falco daemonset within the cluster, which you can observe via `kubectl logs -f $(kubectl get pods -l app=falco-example -o jsonpath={.items[0].metadata.name})`. 
diff --git a/examples/k8s_audit_config/webhook-config.yaml b/examples/k8s_audit_config/webhook-config.yaml.in similarity index 77% rename from examples/k8s_audit_config/webhook-config.yaml rename to examples/k8s_audit_config/webhook-config.yaml.in index f188dbdb5d5..3ace6a964bd 100644 --- a/examples/k8s_audit_config/webhook-config.yaml +++ b/examples/k8s_audit_config/webhook-config.yaml.in @@ -3,7 +3,7 @@ kind: Config clusters: - name: falco cluster: - server: http://127.0.0.1:8765/k8s_audit + server: http://$FALCO_SERVICE_CLUSTERIP:8765/k8s_audit contexts: - context: cluster: falco diff --git a/integrations/k8s-using-daemonset/README.md b/integrations/k8s-using-daemonset/README.md index e55fbd9ac29..e224fa7367c 100644 --- a/integrations/k8s-using-daemonset/README.md +++ b/integrations/k8s-using-daemonset/README.md @@ -4,7 +4,7 @@ This directory gives you the required YAML files to stand up Sysdig Falco on Kub The two options are provided to deploy a Daemon Set: - `k8s-with-rbac` - This directory provides a definition to deploy a Daemon Set on Kubernetes with RBAC enabled. -- `k8s-without-rbac` - This directory provides a definition to deploy a Daemon Set on Kubernetes without RBAC enabled. +- `k8s-without-rbac` - This directory provides a definition to deploy a Daemon Set on Kubernetes without RBAC enabled. **This method is deprecated in favor of RBAC-based installs, and won't be updated going forward.** Also provided: - `falco-event-generator-deployment.yaml` - A Kubernetes Deployment to generate sample events. This is useful for testing, but note it will generate a large number of events. 
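Review bot: The templated server is `http://$FALCO_SERVICE_CLUSTERIP:8765/k8s_audit`, while the daemonset README hunk later in this same patch describes the embedded webserver as listening on "https port 8765"; one of the two is wrong and they should agree. If the webserver is plain HTTP, the audit stream — which at the RequestResponse policy level carries full request and response bodies — crosses the pod network in cleartext to whatever answers on that ClusterIP, so the README wording should be corrected and that limitation noted beside the template; if it does serve TLS, the line should read `server: https://$FALCO_SERVICE_CLUSTERIP:8765/k8s_audit` and the cluster entry needs a `certificate-authority` for whichever CA signs the webserver certificate. The hunk shows no client credentials for the webhook (any `users:` entry is outside it), so the receiving endpoint cannot distinguish the kube-apiserver from any other in-cluster sender; that is inherited rather than introduced, but a sentence in the README would help operators decide whether it matters for them.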
@@ -21,11 +21,20 @@ clusterrolebinding "falco-cluster-role-binding" created k8s-using-daemonset$ ``` +We also create a service that allows other services to reach the embedded webserver in falco, which listens on https port 8765: + +``` +k8s-using-daemonset$ kubectl create -f k8s-with-rbac/falco-service.yaml +service/falco-service created +k8s-using-daemonset$ +``` + The Daemon Set also relies on a Kubernetes ConfigMap to store the Falco configuration and make the configuration available to the Falco Pods. This allows you to manage custom configuration without rebuilding and redeploying the underlying Pods. In order to create the ConfigMap you'll need to first need to copy the required configuration from their location in this GitHub repo to the `k8s-with-rbac/falco-config/` directory. Any modification of the configuration should be performed on these copies rather than the original files. ``` k8s-using-daemonset$ cp ../../falco.yaml k8s-with-rbac/falco-config/ k8s-using-daemonset$ cp ../../rules/falco_rules.* k8s-with-rbac/falco-config/ +k8s-using-daemonset$ cp ../../rules/k8s_audit_rules.yaml k8s-with-rbac/falco-config/ ``` If you want to send Falco alerts to a Slack channel, you'll want to modify the `falco.yaml` file to point to your Slack webhook. For more information on getting a webhook URL for your Slack team, refer to the [Slack documentation](https://api.slack.com/incoming-webhooks). Add the below to the bottom of the `falco.yaml` config file you just copied to enable Slack messages. 
@@ -54,7 +63,7 @@ k8s-using-daemonset$ ``` -## Deploying to Kubernetes without RBAC enabled +## Deploying to Kubernetes without RBAC enabled (**Deprecated**) If you are running Kubernetes with Legacy Authorization enabled, you can use `kubectl` to deploy the Daemon Set provided in the `k8s-without-rbac` directory. The example provides the ability to post messages to a Slack channel via a webhook. For more information on getting a webhook URL for your Slack team, refer to the [Slack documentation](https://api.slack.com/incoming-webhooks). Modify the [`args`](https://github.com/draios/falco/blob/dev/examples/k8s-using-daemonset/falco-daemonset.yaml#L21) passed to the Falco container to point to the appropriate URL for your webhook. diff --git a/integrations/k8s-using-daemonset/k8s-with-rbac/falco-account.yaml b/integrations/k8s-using-daemonset/k8s-with-rbac/falco-account.yaml index 9d611519522..b3968a79e34 100644 --- a/integrations/k8s-using-daemonset/k8s-with-rbac/falco-account.yaml +++ b/integrations/k8s-using-daemonset/k8s-with-rbac/falco-account.yaml @@ -2,11 +2,17 @@ apiVersion: v1 kind: ServiceAccount metadata: name: falco-account + labels: + app: falco-example + role: security --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: falco-cluster-role + labels: + app: falco-example + role: security rules: - apiGroups: ["extensions",""] resources: ["nodes","namespaces","pods","replicationcontrollers","services","events","configmaps"] @@ -19,6 +25,9 @@ apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: falco-cluster-role-binding namespace: default + labels: + app: falco-example + role: security subjects: - kind: ServiceAccount name: falco-account diff --git a/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml b/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml index 406b7892649..b88a8fe56b1 100644 
--- a/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml +++ b/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml @@ -1,16 +1,15 @@ apiVersion: extensions/v1beta1 kind: DaemonSet metadata: - name: falco + name: falco-daemonset labels: - name: falco-daemonset - app: demo + app: falco-example + role: security spec: template: metadata: labels: - name: falco - app: demo + app: falco-example role: security spec: serviceAccount: falco-account diff --git a/integrations/k8s-using-daemonset/k8s-with-rbac/falco-service.yaml b/integrations/k8s-using-daemonset/k8s-with-rbac/falco-service.yaml new file mode 100644 index 00000000000..3ed22658de5 --- /dev/null +++ b/integrations/k8s-using-daemonset/k8s-with-rbac/falco-service.yaml @@ -0,0 +1,13 @@ +kind: Service +apiVersion: v1 +metadata: + name: falco-service + labels: + app: falco-example + role: security +spec: + selector: + app: falco-example + ports: + - protocol: TCP + port: 8765 From b76f60d4192c2c13d49c8d94890b3266c431c1ec Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 17 Jan 2019 07:19:49 -0800 Subject: [PATCH 19/19] Update CHANGELOG/README for 0.13.1 (#497) Changes since last release. --- CHANGELOG.md | 42 ++++++++++++++++++++++++++++++++++++++++++ README.md | 2 +- 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index df388bfb71b..4058dac6306 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
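Review bot: `metadata.name` changes from `falco` to `falco-daemonset`, so on an existing install `kubectl create`/`apply` produces a second DaemonSet while the old `falco` keeps running with the old labels, and the README hunks in this patch carry no migration step; a line such as `kubectl delete daemonset falco` under the update instructions (or a CHANGELOG note) would avoid two Falco pods per node. The pod-template labels change as well; `spec.selector` is outside the hunk, and on this `extensions/v1beta1` DaemonSet it is defaulted from the template labels when unset, so please confirm the selector still matches the template after the relabel. The DaemonSet spec continues past the hunk.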
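Review bot: The Service selector matches on `app: falco-example` alone, and this patch stamps the same `app` value on every object it touches; any pod in the namespace carrying that label — the event-generator deployment, if it follows the new labelling, is outside this diff — would be selected and receive audit-webhook traffic instead of the Falco pods. Selecting on both labels, `selector:` / `app: falco-example` / `role: security`, matches exactly what the daemonset template in the previous hunk sets. This also makes port 8765 reachable from every pod in the cluster, while the README only needs the kube-apiserver to reach it; a NetworkPolicy limiting ingress to the intended callers, or at least a README sentence stating the exposure, would be appropriate.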
@@ -2,6 +2,48 @@ This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org). +## v0.13.1 + +Released 2019-01-16 + +## Major Changes + + +## Minor Changes + +* Unbuffer outputs by default. This helps make output readable when used in environments like K8s. [[#494](https://github.com/falcosecurity/falco/pull/494)] + +* Improved documentation for running Falco within K8s and getting K8s Audit Logging to work with Minikube and Falco as a Daemonset within K8s. [[#496](https://github.com/falcosecurity/falco/pull/496)] + +* Fix AWS Permissions for Kubernetes Response Engine [[#465](https://github.com/falcosecurity/falco/pull/465)] + +* Tighten compilation flags to include `-Wextra` and `-Werror` [[#479](https://github.com/falcosecurity/falco/pull/479)] + +* Add `k8s.ns.name` to outputs when `-pk` argument is used [[#472](https://github.com/falcosecurity/falco/pull/472)] + +* Remove kubernetes-response-engine from system:masters [[#488](https://github.com/falcosecurity/falco/pull/488)] + +## Bug Fixes + +* Ensure `-pc`/`-pk` only apply to syscall rules and not k8s_audit rules [[#495](https://github.com/falcosecurity/falco/pull/495)] + +* Fix a potential crash that could occur when using the falco engine and rulesets [[#468](https://github.com/falcosecurity/falco/pull/468)] + +* Fix a regression where format output options were mistakenly removed [[#485](https://github.com/falcosecurity/falco/pull/485)] + +## Rule Changes + +* Fix FPs related to calico and writing files below etc [[#481](https://github.com/falcosecurity/falco/pull/481)] + +* Fix FPs related to `apt-config`/`apt-cache`, `apk` [[#490](https://github.com/falcosecurity/falco/pull/490)] + +* New rules `Launch Package Management Process in Container`, `Netcat Remote Code Execution in Container`, `Lauch Suspicious Network Tool in Container` look for host-level network tools like `netcat`, package management tools like `apt-get`, or network tool binaries 
being run in a container. [[#490](https://github.com/falcosecurity/falco/pull/490)] + +* Fix the `inbound` and `outbound` macros so they work with sendto/recvfrom/sendmsg/recvmsg. [[#470](https://github.com/falcosecurity/falco/pull/470)] + +* Fix FPs related to prometheus/openshift writing config below /etc. [[#470](https://github.com/falcosecurity/falco/pull/470)] + + ## v0.13.0 Released 2018-11-09 diff --git a/README.md b/README.md index d7ebe95fe8a..85878b6565f 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ #### Latest release -**v0.13.0** +**v0.13.1** Read the [change log](https://github.com/falcosecurity/falco/blob/dev/CHANGELOG.md) Dev Branch: [![Build Status](https://travis-ci.org/falcosecurity/falco.svg?branch=dev)](https://travis-ci.org/falcosecurity/falco)