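# melange package definition for falco: builds the falco binary with the
# modern eBPF probe compiled in (no kernel module / legacy probe), installs a
# default configuration, and runs a smoke-test suite against the result.
package:
  name: falco
  version: "0.40.0"
  epoch: 2
  description: Cloud Native Runtime Security
  copyright:
    - license: Apache-2.0
  dependencies:
    runtime:
      # Rules and the falcoctl CLI ship as separate packages; the build below
      # deletes its own copies of those files so the packages do not conflict.
      - falco-rules
      - falcoctl

vars:
  llvm-vers: 19

environment:
  contents:
    packages:
      - abseil-cpp-dev
      - autoconf
      - automake
      - bash
      - binutils
      - bpftool
      - build-base
      - busybox
      - c-ares-dev
      - ca-certificates-bundle
      # clang/llvm (together with bpftool) back the modern eBPF probe build
      # enabled via -DBUILD_FALCO_MODERN_BPF=ON below.
      - clang-${{vars.llvm-vers}}
      - cmake
      - cpp-httplib
      - curl-dev
      - cxxopts-dev
      - elfutils-dev
      - git
      # <= 0.39.1 is incompatible with grpc 1.67 due to a removal of deprecated symbols falco was relying on.
      # We should remove this pinning once falco is updated to use the new abseil API.
      - grpc-1.66-dev
      - icu-dev
      - jq-dev
      - jsoncpp-dev
      - libbpf-dev
      - libcurl-openssl4
      - libelf
      - libsystemd
      - libtbb-dev
      - libtool
      - libzstd1
      - linux-headers
      - llvm-${{vars.llvm-vers}}
      - m4
      - make
      - nlohmann-json
      - openssl-dev
      - patch
      - perl
      - protobuf-dev
      - re2-dev
      - systemd-dev
      # TODO: Believe these are needed for 'make sinsp' to succeed.
      - tinydir
      - uthash
      - valijson
      - yaml-cpp-dev
      - yaml-dev
      - zlib-dev
      - zstd
      - zstd-dev

pipeline:
  - uses: git-checkout
    with:
      repository: https://github.com/falcosecurity/falco
      tag: ${{package.version}}
      # Pins the exact revision behind the tag: a moved or re-pushed upstream
      # tag fails the build instead of silently changing the source input.
      expected-commit: ce4b4408988dc0be4aaff4bb06aa184ee1f14da3
      recurse-submodules: true

  - uses: patch
    with:
      # to prevent usage of vendored tbb
      patches: tbb.patch libcurl-include.patch

  # Default configuration file. It is plain data, not a program, so it is
  # installed read-only for group/other without an execute bit.
  - runs: |
      mkdir -p "${{targets.destdir}}"/etc/falco
      install -Dm644 ./falco.yaml "${{targets.destdir}}"/etc/falco/falco.yaml

  # Link zstd into the falco binary. The edit is pinned to line 165 of the
  # 0.40.0 CMakeLists.txt and becomes a silent no-op if that line moves, so
  # re-verify it on every version bump.
  - runs: |
      sed -i '165s/${FALCO_LIBRARIES}/${FALCO_LIBRARIES} zstd/' userspace/falco/CMakeLists.txt

  - working-directory: /home/build/build
    # NOTE: These flags have been specifically set. Do not go changing these
    # as part of development! They need to be set as they are.
    pipeline:
      # System (unbundled) deps throughout; shared libs only; the modern eBPF
      # probe is built in and the out-of-tree driver (kmod/legacy probe) is not.
      - runs: |
          cmake \
            -Wno-dev \
            -DCMAKE_INSTALL_PREFIX=/usr \
            -DCMAKE_INSTALL_LIBDIR=lib \
            -DCMAKE_BUILD_TYPE=MinSizeRel \
            -DUSE_BUNDLED_TBB=OFF \
            -DUSE_BUNDLED_RE2=OFF \
            -DUSE_BUNDLED_JSONCPP=OFF \
            -DBUILD_FALCO_MODERN_BPF=ON \
            -DBUILD_STATIC_LIBS=OFF \
            -DUSE_BUNDLED_DEPS=OFF \
            -DBUILD_SHARED_LIBS=ON \
            -DBUILD_DRIVER=OFF \
            -DFALCOSECURITY_SHARED_LIBS_VERSION=0 \
            -DFALCOSECURITY_SHARED_LIBS_SOVERSION=0 \
            ..

      - runs: |
          make falco -j$(nproc)
          make install PREFIX="/usr" DESTDIR="${{targets.destdir}}"
          install -Dm755 ./userspace/falco/falco "${{targets.destdir}}"/usr/bin/falco

      # TODO: This should be removed after falcosecurity/libs is fixed to build pman staticly.
      # We use an exit 0 to allow the install failure to be suppressed so that nothing breaks once
      # falcosecurity/libs is fixed (i.e. once libpman.so is no longer produced).
      - runs: |
          install -D -m755 ./libpman/libpman.so "${{targets.destdir}}"/usr/lib || exit 0

  # Do not conflict with the falco-rules and falcoctl package.
  - runs: |
      rm -f "${{targets.destdir}}"/etc/falco/falco_rules.yaml
      rm -f "${{targets.destdir}}"/usr/bin/falcoctl

  - uses: strip

subpackages:
  - name: falco-src
    description: Falco kernel module sources
    pipeline:
      - runs: |
          mkdir -p "${{targets.contextdir}}"/usr
          mv "${{targets.destdir}}"/usr/src "${{targets.contextdir}}"/usr/src

  - name: falco-dev
    description: Falco development headers
    pipeline:
      - uses: split/dev
    test:
      pipeline:
        - uses: test/pkgconf
        - uses: test/tw/ldd-check

update:
  enabled: true
  github:
    identifier: falcosecurity/falco

# Smoke tests: exercise the CLI end to end (config validation, rule loading,
# schema/field listing) without starting the engine against live events.
test:
  environment:
    contents:
      packages:
        - bash
        - coreutils
        - falco-rules
        - procps
        - curl
  pipeline:
    # Minimal config pointing at the rules shipped by falco-rules; later steps
    # that omit -c pick this file up from its default location.
    - name: "Create configuration file"
      runs: |
        cat > /etc/falco/falco.yaml << 'EOF'
        rules_file:
          - /etc/falco/falco_rules.yaml
        json_output: false
        stdout_output:
          enabled: true
        log_level: info
        priority: warning
        EOF

    - name: "Verify falco version"
      runs: |
        falco --version

    - name: "Validate configuration"
      runs: |
        falco -c /etc/falco/falco.yaml --dry-run

    - name: "List available rules"
      runs: |
        falco -L

    - name: "Test JSON rule output format"
      runs: |
        falco -o json_output=true -L

    - name: "List available events"
      runs: |
        falco --list-events

    - name: "Check loaded plugins"
      runs: |
        falco --list-plugins

    - name: "Display support information"
      runs: |
        falco --support

    - name: "List syscall fields"
      runs: |
        falco --list syscall

    # A quoted heredoc keeps the rule file's indentation explicit, matching
    # the config step above instead of relying on a multi-line echo string.
    - name: "Validate custom rule file"
      runs: |
        cat > /tmp/test.yaml << 'EOF'
        - rule: test_rule
          desc: Test rule
          condition: evt.type=execve
          output: Execution detected
          priority: WARNING
        EOF
        falco -V /tmp/test.yaml

    - name: "Print configuration schema"
      runs: |
        falco --config-schema

    - name: "Print rule schema"
      runs: |
        falco --rule-schema

    - name: "Test verbose output"
      runs: |
        falco -v --dry-run

    - name: "Check ignored events"
      runs: |
        falco -i

    - uses: test/tw/ldd-check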