falco version bump

2023-11-07 16:31:20 +00:00 · 2023-11-07 16:31:20 +00:00 · f5c51cd71c
commit f5c51cd71c
parent 62a146f1a2
5 changed files with 825 additions and 5275 deletions
--- a/kubezero/falco/:w
+++ b/kubezero/falco/:w
@ -1,73 +0,0 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=falco
 pkgver=0.36.2
 pkgrel=0
 pkgdesc="Falco is the open source solution for runtime security for hosts, containers, Kubernetes and the cloud"
 url="https://github.com/falcosecurity/falco"
 arch="x86_64 aarch64"
 license="AGPL-3.0"
 makedepends="cmake linux-headers bash perl autoconf elfutils-dev libtool argp-standalone musl-fts-dev musl-libintl musl-obstack-dev
             protobuf-dev jq-dev openssl-dev curl-dev c-ares-dev grpc-dev yaml-dev yaml-cpp-dev zlib-dev jsoncpp-dev re2-dev onetbb-dev@edge-community"
 options="!check"
 depends="falco-kernel~$pkgver"
 # Original config
 # https://raw.githubusercontent.com/falcosecurity/rules/main/rules/falco_rules.yaml
 # https://raw.githubusercontent.com/falcosecurity/falco/master/falco.yaml
 source="
  $pkgname-$pkgver.tar.gz::https://github.com/falcosecurity/falco/archive/refs/tags/$pkgver.tar.gz
  alpine.patch
  falco.patch
  rules.patch
  "
 prepare() {
  [[ -d build ]] || mkdir build
  # Disable static binaries
  patch -i $srcdir/alpine.patch
 }
 build() {
  cd build
  cmake \
    -DCPACK_GENERATOR=TGZ \
    -DCMAKE_BUILD_TYPE=Release \
    -DFALCO_VERSION=$pkgver \
    -DCMAKE_INSTALL_PREFIX=/usr \
    -DFALCO_ETC_DIR=/etc/falco \
    -DUSE_BUNDLED_DEPS=Off \
    -DBUILD_SHARED_LIBS=On \
    -DMUSL_OPTIMIZED_BUILD=On \
    -DBUILD_DRIVER=Off \
    -DBUILD_BPF=Off \
    -DBUILD_LIBSCAP_MODERN_BPF=Off \
    ..
  make falco falcoctl
 }
 package() {
  cd build
  make DESTDIR="${pkgdir}" install
  # patch falco config
  cd $pkgdir/etc/falco
  patch -i $srcdir/falco.patch
  patch -i $srcdir/rules.patch
  # We dont build anything on targets so remove sources
  rm -rf $pkgdir/usr/src
  rm -rf $pkgdir/usr/lib
  rm -rf $pkgdir/usr/include
 }
 sha512sums="
 a3fef235ab4f3121bd0400827712652530ec417498c44ada8b6bf565f7631d035673b53dad94ea6ae9c854d45202ed71b2771f19e0c92eea3fc3503e5b75b02e  falco-0.36.2.tar.gz
 8ff7a677f723f2d4a09808939500ddff81f15b8a62a2e091d8042765d105d30b67f9993d05ef129dfad6c866ea37d608a3ae9bc7e99730995542f8b5181ba594  alpine.patch
 b152fcf6cd81895efa37797ab7ff1aac7350b5f51f2648aa9e3cce9d5ece55791ddf82c396e9da216293e2379a785a294cc972f28a91162dc5bc88ab09e1ab08  falco.patch
 d8f71ca7c6d854a866826b3f2f5630b6f30448f794c4c5a56a9ea656ee03c3645a1cf7663b5e79d3ea63d4fab8bd44f91a80b1752c8239c8310efa08b495f2e2  rules.patch
 "
--- a/kubezero/falco/APKBUILD
+++ b/kubezero/falco/APKBUILD
@ -1,14 +1,18 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=falco
-pkgver=0.35.1
+pkgver=0.36.2
 pkgrel=0
 pkgdesc="Falco is the open source solution for runtime security for hosts, containers, Kubernetes and the cloud"
 url="https://github.com/falcosecurity/falco"
 arch="x86_64 aarch64"
 license="AGPL-3.0"
-makedepends="cmake linux-headers bash perl autoconf elfutils-dev libtool argp-standalone musl-fts-dev musl-libintl musl-obstack-dev
+makedepends="cmake linux-headers bash perl autoconf elfutils-dev libtool argp-standalone
-             protobuf-dev jq-dev openssl-dev curl-dev c-ares-dev grpc-dev yaml-dev yaml-cpp-dev jsoncpp-dev re2-dev"
+             musl-fts-dev
             musl-libintl
             musl-legacy-error
             musl-obstack-dev
            "
 options="!check"
 depends="falco-kernel~$pkgver"
@ -18,16 +22,12 @@ depends="falco-kernel~$pkgver"
 source="
  $pkgname-$pkgver.tar.gz::https://github.com/falcosecurity/falco/archive/refs/tags/$pkgver.tar.gz
  alpine.patch
  falco.patch
  rules.patch
  "
 prepare() {
  [[ -d build ]] || mkdir build
  # Disable static binaries
  patch -i $srcdir/alpine.patch
 }
 build() {
@ -39,16 +39,14 @@ build() {
    -DFALCO_VERSION=$pkgver \
    -DCMAKE_INSTALL_PREFIX=/usr \
    -DFALCO_ETC_DIR=/etc/falco \
-    -DMINIMAL_BUILD=On \
+    -DUSE_BUNDLED_DEPS=On \
    -DUSE_BUNDLED_DEPS=Off \
    -DMUSL_OPTIMIZED_BUILD=On \
    -DBUILD_DRIVER=Off \
    -DBUILD_BPF=Off \
    -DBUILD_LIBSCAP_MODERN_BPF=Off \
    ..
    #-DBUILD_SHARED_LIBS=On \
-  make falco falcoctl
+  make falco
 }
 package() {
@ -57,8 +55,8 @@ package() {
  # patch falco config
  cd $pkgdir/etc/falco
-  patch -i $srcdir/falco.patch
+  patch -i --no-backup-if-mismatch $srcdir/falco.patch
-  patch -i $srcdir/rules.patch
+  patch -i --no-backup-if-mismatch $srcdir/rules.patch
  # We dont build anything on targets so remove sources
  rm -rf $pkgdir/usr/src
@ -67,8 +65,7 @@ package() {
 }
 sha512sums="
-dc648d9b0a625a02320ff0235bbf4f4940e7ba40c684a8a1f972d34f0a3447b4a34e665d7fbc0ee1ec9a014f65f81a304dc76b4ec804fc7b4e448f330b9474af  falco-0.35.1.tar.gz
+a3fef235ab4f3121bd0400827712652530ec417498c44ada8b6bf565f7631d035673b53dad94ea6ae9c854d45202ed71b2771f19e0c92eea3fc3503e5b75b02e  falco-0.36.2.tar.gz
 8ff7a677f723f2d4a09808939500ddff81f15b8a62a2e091d8042765d105d30b67f9993d05ef129dfad6c866ea37d608a3ae9bc7e99730995542f8b5181ba594  alpine.patch
 b152fcf6cd81895efa37797ab7ff1aac7350b5f51f2648aa9e3cce9d5ece55791ddf82c396e9da216293e2379a785a294cc972f28a91162dc5bc88ab09e1ab08  falco.patch
-d8f71ca7c6d854a866826b3f2f5630b6f30448f794c4c5a56a9ea656ee03c3645a1cf7663b5e79d3ea63d4fab8bd44f91a80b1752c8239c8310efa08b495f2e2  rules.patch
+88e722ddbfe8da1f2341d8da66223271987bf7fab0fb907a343010c2af85f637e2621f42c9973863c33f586a2f823f53984ca7358673fc99596d3dc83669a7f1  rules.patch
 "
--- a/kubezero/falco/falco_rules.yaml
+++ b/kubezero/falco/falco_rules.yaml
--- a/kubezero/falco/rules.patch
+++ b/kubezero/falco/rules.patch
@ -1,60 +1,29 @@
--- falco_rules.yaml	2023-07-05 11:42:09.732973942 +0000
+--- falco_rules.yaml	2023-11-07 16:26:40.171716913 +0000
-+++ zdt_falco_rules.yaml	2023-07-05 13:30:14.184038126 +0000
+++ zdt_falco_rules.yaml	2023-11-07 16:30:24.912804117 +0000
-@@ -270,7 +270,7 @@
+@@ -171,7 +171,7 @@
 # A canonical set of processes that run other programs with different
 # privileges or as a different user.
 - list: userexec_binaries
 -  items: [sudo, su, suexec, critical-stack, dzdo]
 +  items: [doas, sudo, su, suexec, critical-stack, dzdo]
- - list: known_setuid_binaries
+ - list: user_mgmt_binaries
-   items: [
+   items: [login_binaries, passwd_binaries, shadowutils_binaries]
-@@ -2298,27 +2298,28 @@
+@@ -200,7 +200,7 @@
- - macro: user_known_non_sudo_setuid_conditions
+     ]
   condition: user.name=root
-+# Disabled for now due to buysbox noise 
+ - list: sensitive_file_names
- # sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs
+-  items: [/etc/shadow, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]
-- rule: Non sudo setuid
+  items: [/etc/shadow, /etc/doas.d/doas.conf, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]
 -  desc: >
 -    an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody"
 -    suing to itself are also excluded, as setuid calls typically involve dropping privileges.
 -  condition: >
 -    evt.type=setuid and evt.dir=>
 -    and (known_user_in_container or not container)
 -    and not (user.name=root or user.uid=0)
 -    and not somebody_becoming_themselves
 -    and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
 -                          nomachine_binaries)
 -    and not proc.name startswith "runc:"
 -    and not java_running_sdjagent
 -    and not nrpe_becoming_nagios
 -    and not user_known_non_sudo_setuid_conditions
 -  output: >
 -    Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname
 -    command=%proc.cmdline pid=%proc.pid uid=%evt.arg.uid container_id=%container.id image=%container.image.repository)
 -  priority: NOTICE
 -  tags: [host, container, users, mitre_privilege_escalation, T1548.001]
 +#- rule: Non sudo setuid
 +#  desc: >
 +#    an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody"
 +#    suing to itself are also excluded, as setuid calls typically involve dropping privileges.
 +#  condition: >
 +#    evt.type=setuid and evt.dir=>
 +#    and (known_user_in_container or not container)
 +#    and not (user.name=root or user.uid=0)
 +#    and not somebody_becoming_themselves
 +#    and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
 +#                          nomachine_binaries)
 +#    and not proc.name startswith "runc:"
 +#    and not java_running_sdjagent
 +#    and not nrpe_becoming_nagios
 +#    and not user_known_non_sudo_setuid_conditions
 +#  output: >
 +#    Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname
 +#    command=%proc.cmdline pid=%proc.pid uid=%evt.arg.uid container_id=%container.id image=%container.image.repository)
 +#  priority: NOTICE
 +#  tags: [host, container, users, mitre_privilege_escalation, T1548.001]
- - macro: user_known_user_management_activities
+ - list: sensitive_directory_names
-   condition: (never_true)
+   items: [/, /etc, /etc/, /root, /root/]
@@ -208,7 +208,7 @@
 - macro: sensitive_files
   condition: >
     ((fd.name startswith /etc and fd.name in (sensitive_file_names)) or
 -      fd.directory in (/etc/sudoers.d, /etc/pam.d))
 +      fd.directory in (/etc/sudoers.d, /etc/pam.d, /etc/doas.d))
 # Indicates that the process is new. Currently detected using time
 # since process was started, using a threshold of 5 seconds.
--- a/kubezero/falco/zdt_falco_rules.yaml
+++ b/kubezero/falco/zdt_falco_rules.yaml