falco version bump

2023-11-07 16:31:20 +00:00 · 2023-11-07 16:31:20 +00:00 · f5c51cd71c
parent 62a146f1a2
commit f5c51cd71c
5 changed files with 825 additions and 5275 deletions
--- a/kubezero/falco/:w
+++ b/kubezero/falco/:w
@ -1,73 +0,0 @@
-# Contributor: Stefan Reimer <stefan@zero-downtime.net>
-# Maintainer: Stefan Reimer <stefan@zero-downtime.net>
-pkgname=falco
-pkgver=0.36.2
-pkgrel=0
-pkgdesc="Falco is the open source solution for runtime security for hosts, containers, Kubernetes and the cloud"
-url="https://github.com/falcosecurity/falco"
-arch="x86_64 aarch64"
-license="AGPL-3.0"
-makedepends="cmake linux-headers bash perl autoconf elfutils-dev libtool argp-standalone musl-fts-dev musl-libintl musl-obstack-dev
-             protobuf-dev jq-dev openssl-dev curl-dev c-ares-dev grpc-dev yaml-dev yaml-cpp-dev zlib-dev jsoncpp-dev re2-dev onetbb-dev@edge-community"
-options="!check"
-depends="falco-kernel~$pkgver"
-
-# Original config
-# https://raw.githubusercontent.com/falcosecurity/rules/main/rules/falco_rules.yaml
-# https://raw.githubusercontent.com/falcosecurity/falco/master/falco.yaml
-
-source="
-  $pkgname-$pkgver.tar.gz::https://github.com/falcosecurity/falco/archive/refs/tags/$pkgver.tar.gz
-  alpine.patch
-  falco.patch
-  rules.patch
-  "
-
-prepare() {
-  [[ -d build ]] || mkdir build
-
-  # Disable static binaries
-  patch -i $srcdir/alpine.patch
-}
-
-build() {
-  cd build
-
-  cmake \
-    -DCPACK_GENERATOR=TGZ \
-    -DCMAKE_BUILD_TYPE=Release \
-    -DFALCO_VERSION=$pkgver \
-    -DCMAKE_INSTALL_PREFIX=/usr \
-    -DFALCO_ETC_DIR=/etc/falco \
-    -DUSE_BUNDLED_DEPS=Off \
-    -DBUILD_SHARED_LIBS=On \
-    -DMUSL_OPTIMIZED_BUILD=On \
-    -DBUILD_DRIVER=Off \
-    -DBUILD_BPF=Off \
-    -DBUILD_LIBSCAP_MODERN_BPF=Off \
-    ..
-
-  make falco falcoctl
-}
-
-package() {
-  cd build
-  make DESTDIR="${pkgdir}" install
-
-  # patch falco config
-  cd $pkgdir/etc/falco
-  patch -i $srcdir/falco.patch
-  patch -i $srcdir/rules.patch
-  
-  # We dont build anything on targets so remove sources
-  rm -rf $pkgdir/usr/src
-  rm -rf $pkgdir/usr/lib
-  rm -rf $pkgdir/usr/include
-}
-
-sha512sums="
-a3fef235ab4f3121bd0400827712652530ec417498c44ada8b6bf565f7631d035673b53dad94ea6ae9c854d45202ed71b2771f19e0c92eea3fc3503e5b75b02e  falco-0.36.2.tar.gz
-8ff7a677f723f2d4a09808939500ddff81f15b8a62a2e091d8042765d105d30b67f9993d05ef129dfad6c866ea37d608a3ae9bc7e99730995542f8b5181ba594  alpine.patch
-b152fcf6cd81895efa37797ab7ff1aac7350b5f51f2648aa9e3cce9d5ece55791ddf82c396e9da216293e2379a785a294cc972f28a91162dc5bc88ab09e1ab08  falco.patch
-d8f71ca7c6d854a866826b3f2f5630b6f30448f794c4c5a56a9ea656ee03c3645a1cf7663b5e79d3ea63d4fab8bd44f91a80b1752c8239c8310efa08b495f2e2  rules.patch
-"
--- a/kubezero/falco/APKBUILD
+++ b/kubezero/falco/APKBUILD
@ -1,14 +1,18 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=falco
-pkgver=0.35.1
+pkgver=0.36.2
 pkgrel=0
 pkgdesc="Falco is the open source solution for runtime security for hosts, containers, Kubernetes and the cloud"
 url="https://github.com/falcosecurity/falco"
 arch="x86_64 aarch64"
 license="AGPL-3.0"
-makedepends="cmake linux-headers bash perl autoconf elfutils-dev libtool argp-standalone musl-fts-dev musl-libintl musl-obstack-dev
-             protobuf-dev jq-dev openssl-dev curl-dev c-ares-dev grpc-dev yaml-dev yaml-cpp-dev jsoncpp-dev re2-dev"
+makedepends="cmake linux-headers bash perl autoconf elfutils-dev libtool argp-standalone
+             musl-fts-dev
+             musl-libintl
+             musl-legacy-error
+             musl-obstack-dev
+            "
 options="!check"
 depends="falco-kernel~$pkgver"

@ -18,16 +22,12 @@ depends="falco-kernel~$pkgver"

 source="
  $pkgname-$pkgver.tar.gz::https://github.com/falcosecurity/falco/archive/refs/tags/$pkgver.tar.gz
-  alpine.patch
  falco.patch
  rules.patch
  "

 prepare() {
  [[ -d build ]] || mkdir build
-
-  # Disable static binaries
-  patch -i $srcdir/alpine.patch
 }

 build() {
@ -39,16 +39,14 @@ build() {
    -DFALCO_VERSION=$pkgver \
    -DCMAKE_INSTALL_PREFIX=/usr \
    -DFALCO_ETC_DIR=/etc/falco \
-    -DMINIMAL_BUILD=On \
-    -DUSE_BUNDLED_DEPS=Off \
+    -DUSE_BUNDLED_DEPS=On \
    -DMUSL_OPTIMIZED_BUILD=On \
    -DBUILD_DRIVER=Off \
    -DBUILD_BPF=Off \
    -DBUILD_LIBSCAP_MODERN_BPF=Off \
    ..
-    #-DBUILD_SHARED_LIBS=On \

-  make falco falcoctl
+  make falco
 }

 package() {
@ -57,8 +55,8 @@ package() {

  # patch falco config
  cd $pkgdir/etc/falco
-  patch -i $srcdir/falco.patch
-  patch -i $srcdir/rules.patch
+  patch -i --no-backup-if-mismatch $srcdir/falco.patch
+  patch -i --no-backup-if-mismatch $srcdir/rules.patch
  
  # We dont build anything on targets so remove sources
  rm -rf $pkgdir/usr/src
@ -67,8 +65,7 @@ package() {
 }

 sha512sums="
-dc648d9b0a625a02320ff0235bbf4f4940e7ba40c684a8a1f972d34f0a3447b4a34e665d7fbc0ee1ec9a014f65f81a304dc76b4ec804fc7b4e448f330b9474af  falco-0.35.1.tar.gz
-8ff7a677f723f2d4a09808939500ddff81f15b8a62a2e091d8042765d105d30b67f9993d05ef129dfad6c866ea37d608a3ae9bc7e99730995542f8b5181ba594  alpine.patch
+a3fef235ab4f3121bd0400827712652530ec417498c44ada8b6bf565f7631d035673b53dad94ea6ae9c854d45202ed71b2771f19e0c92eea3fc3503e5b75b02e  falco-0.36.2.tar.gz
 b152fcf6cd81895efa37797ab7ff1aac7350b5f51f2648aa9e3cce9d5ece55791ddf82c396e9da216293e2379a785a294cc972f28a91162dc5bc88ab09e1ab08  falco.patch
-d8f71ca7c6d854a866826b3f2f5630b6f30448f794c4c5a56a9ea656ee03c3645a1cf7663b5e79d3ea63d4fab8bd44f91a80b1752c8239c8310efa08b495f2e2  rules.patch
+88e722ddbfe8da1f2341d8da66223271987bf7fab0fb907a343010c2af85f637e2621f42c9973863c33f586a2f823f53984ca7358673fc99596d3dc83669a7f1  rules.patch
 "
--- a/kubezero/falco/falco_rules.yaml
+++ b/kubezero/falco/falco_rules.yaml
--- a/kubezero/falco/rules.patch
+++ b/kubezero/falco/rules.patch
@ -1,60 +1,29 @@
--- falco_rules.yaml	2023-07-05 11:42:09.732973942 +0000
-+++ zdt_falco_rules.yaml	2023-07-05 13:30:14.184038126 +0000
-@@ -270,7 +270,7 @@
+--- falco_rules.yaml	2023-11-07 16:26:40.171716913 +0000
+++ zdt_falco_rules.yaml	2023-11-07 16:30:24.912804117 +0000
+@@ -171,7 +171,7 @@
 # A canonical set of processes that run other programs with different
 # privileges or as a different user.
 - list: userexec_binaries
 -  items: [sudo, su, suexec, critical-stack, dzdo]
 +  items: [doas, sudo, su, suexec, critical-stack, dzdo]
 
- - list: known_setuid_binaries
-   items: [
-@@ -2298,27 +2298,28 @@
- - macro: user_known_non_sudo_setuid_conditions
-   condition: user.name=root
+ - list: user_mgmt_binaries
+   items: [login_binaries, passwd_binaries, shadowutils_binaries]
+@@ -200,7 +200,7 @@
+     ]
 
-+# Disabled for now due to buysbox noise 
- # sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs
-- rule: Non sudo setuid
-  desc: >
-    an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody"
-    suing to itself are also excluded, as setuid calls typically involve dropping privileges.
-  condition: >
-    evt.type=setuid and evt.dir=>
-    and (known_user_in_container or not container)
-    and not (user.name=root or user.uid=0)
-    and not somebody_becoming_themselves
-    and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
-                          nomachine_binaries)
-    and not proc.name startswith "runc:"
-    and not java_running_sdjagent
-    and not nrpe_becoming_nagios
-    and not user_known_non_sudo_setuid_conditions
-  output: >
-    Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname
-    command=%proc.cmdline pid=%proc.pid uid=%evt.arg.uid container_id=%container.id image=%container.image.repository)
-  priority: NOTICE
-  tags: [host, container, users, mitre_privilege_escalation, T1548.001]
-+#- rule: Non sudo setuid
-+#  desc: >
-+#    an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody"
-+#    suing to itself are also excluded, as setuid calls typically involve dropping privileges.
-+#  condition: >
-+#    evt.type=setuid and evt.dir=>
-+#    and (known_user_in_container or not container)
-+#    and not (user.name=root or user.uid=0)
-+#    and not somebody_becoming_themselves
-+#    and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
-+#                          nomachine_binaries)
-+#    and not proc.name startswith "runc:"
-+#    and not java_running_sdjagent
-+#    and not nrpe_becoming_nagios
-+#    and not user_known_non_sudo_setuid_conditions
-+#  output: >
-+#    Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname
-+#    command=%proc.cmdline pid=%proc.pid uid=%evt.arg.uid container_id=%container.id image=%container.image.repository)
-+#  priority: NOTICE
-+#  tags: [host, container, users, mitre_privilege_escalation, T1548.001]
+ - list: sensitive_file_names
+-  items: [/etc/shadow, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]
+  items: [/etc/shadow, /etc/doas.d/doas.conf, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]
 
- - macro: user_known_user_management_activities
-   condition: (never_true)
+ - list: sensitive_directory_names
+   items: [/, /etc, /etc/, /root, /root/]
+@@ -208,7 +208,7 @@
+ - macro: sensitive_files
+   condition: >
+     ((fd.name startswith /etc and fd.name in (sensitive_file_names)) or
+-      fd.directory in (/etc/sudoers.d, /etc/pam.d))
+      fd.directory in (/etc/sudoers.d, /etc/pam.d, /etc/doas.d))
+ 
+ # Indicates that the process is new. Currently detected using time
+ # since process was started, using a threshold of 5 seconds.
--- a/kubezero/falco/zdt_falco_rules.yaml
+++ b/kubezero/falco/zdt_falco_rules.yaml