falco version bump

This commit is contained in:
Stefan Reimer 2023-11-07 16:31:20 +00:00
parent 62a146f1a2
commit f5c51cd71c
5 changed files with 825 additions and 5275 deletions

View File

@ -1,73 +0,0 @@
# Contributor: Stefan Reimer <stefan@zero-downtime.net>
# Maintainer: Stefan Reimer <stefan@zero-downtime.net>
pkgname=falco
pkgver=0.36.2
pkgrel=0
pkgdesc="Falco is the open source solution for runtime security for hosts, containers, Kubernetes and the cloud"
url="https://github.com/falcosecurity/falco"
arch="x86_64 aarch64"
license="AGPL-3.0"
makedepends="cmake linux-headers bash perl autoconf elfutils-dev libtool argp-standalone musl-fts-dev musl-libintl musl-obstack-dev
protobuf-dev jq-dev openssl-dev curl-dev c-ares-dev grpc-dev yaml-dev yaml-cpp-dev zlib-dev jsoncpp-dev re2-dev onetbb-dev@edge-community"
options="!check"
depends="falco-kernel~$pkgver"
# Original config
# https://raw.githubusercontent.com/falcosecurity/rules/main/rules/falco_rules.yaml
# https://raw.githubusercontent.com/falcosecurity/falco/master/falco.yaml
source="
$pkgname-$pkgver.tar.gz::https://github.com/falcosecurity/falco/archive/refs/tags/$pkgver.tar.gz
alpine.patch
falco.patch
rules.patch
"
prepare() {
[[ -d build ]] || mkdir build
# Disable static binaries
patch -i $srcdir/alpine.patch
}
build() {
cd build
cmake \
-DCPACK_GENERATOR=TGZ \
-DCMAKE_BUILD_TYPE=Release \
-DFALCO_VERSION=$pkgver \
-DCMAKE_INSTALL_PREFIX=/usr \
-DFALCO_ETC_DIR=/etc/falco \
-DUSE_BUNDLED_DEPS=Off \
-DBUILD_SHARED_LIBS=On \
-DMUSL_OPTIMIZED_BUILD=On \
-DBUILD_DRIVER=Off \
-DBUILD_BPF=Off \
-DBUILD_LIBSCAP_MODERN_BPF=Off \
..
make falco falcoctl
}
package() {
cd build
make DESTDIR="${pkgdir}" install
# patch falco config
cd $pkgdir/etc/falco
patch -i $srcdir/falco.patch
patch -i $srcdir/rules.patch
# We dont build anything on targets so remove sources
rm -rf $pkgdir/usr/src
rm -rf $pkgdir/usr/lib
rm -rf $pkgdir/usr/include
}
sha512sums="
a3fef235ab4f3121bd0400827712652530ec417498c44ada8b6bf565f7631d035673b53dad94ea6ae9c854d45202ed71b2771f19e0c92eea3fc3503e5b75b02e falco-0.36.2.tar.gz
8ff7a677f723f2d4a09808939500ddff81f15b8a62a2e091d8042765d105d30b67f9993d05ef129dfad6c866ea37d608a3ae9bc7e99730995542f8b5181ba594 alpine.patch
b152fcf6cd81895efa37797ab7ff1aac7350b5f51f2648aa9e3cce9d5ece55791ddf82c396e9da216293e2379a785a294cc972f28a91162dc5bc88ab09e1ab08 falco.patch
d8f71ca7c6d854a866826b3f2f5630b6f30448f794c4c5a56a9ea656ee03c3645a1cf7663b5e79d3ea63d4fab8bd44f91a80b1752c8239c8310efa08b495f2e2 rules.patch
"

View File

@ -1,14 +1,18 @@
# Contributor: Stefan Reimer <stefan@zero-downtime.net>
# Maintainer: Stefan Reimer <stefan@zero-downtime.net>
pkgname=falco
pkgver=0.35.1
pkgver=0.36.2
pkgrel=0
pkgdesc="Falco is the open source solution for runtime security for hosts, containers, Kubernetes and the cloud"
url="https://github.com/falcosecurity/falco"
arch="x86_64 aarch64"
license="AGPL-3.0"
makedepends="cmake linux-headers bash perl autoconf elfutils-dev libtool argp-standalone musl-fts-dev musl-libintl musl-obstack-dev
protobuf-dev jq-dev openssl-dev curl-dev c-ares-dev grpc-dev yaml-dev yaml-cpp-dev jsoncpp-dev re2-dev"
makedepends="cmake linux-headers bash perl autoconf elfutils-dev libtool argp-standalone
musl-fts-dev
musl-libintl
musl-legacy-error
musl-obstack-dev
"
options="!check"
depends="falco-kernel~$pkgver"
@ -18,16 +22,12 @@ depends="falco-kernel~$pkgver"
source="
$pkgname-$pkgver.tar.gz::https://github.com/falcosecurity/falco/archive/refs/tags/$pkgver.tar.gz
alpine.patch
falco.patch
rules.patch
"
prepare() {
[[ -d build ]] || mkdir build
# Disable static binaries
patch -i $srcdir/alpine.patch
}
build() {
@ -39,16 +39,14 @@ build() {
-DFALCO_VERSION=$pkgver \
-DCMAKE_INSTALL_PREFIX=/usr \
-DFALCO_ETC_DIR=/etc/falco \
-DMINIMAL_BUILD=On \
-DUSE_BUNDLED_DEPS=Off \
-DUSE_BUNDLED_DEPS=On \
-DMUSL_OPTIMIZED_BUILD=On \
-DBUILD_DRIVER=Off \
-DBUILD_BPF=Off \
-DBUILD_LIBSCAP_MODERN_BPF=Off \
..
#-DBUILD_SHARED_LIBS=On \
make falco falcoctl
make falco
}
package() {
@ -57,8 +55,8 @@ package() {
# patch falco config
cd $pkgdir/etc/falco
patch -i $srcdir/falco.patch
patch -i $srcdir/rules.patch
patch -i --no-backup-if-mismatch $srcdir/falco.patch
patch -i --no-backup-if-mismatch $srcdir/rules.patch
# We dont build anything on targets so remove sources
rm -rf $pkgdir/usr/src
@ -67,8 +65,7 @@ package() {
}
sha512sums="
dc648d9b0a625a02320ff0235bbf4f4940e7ba40c684a8a1f972d34f0a3447b4a34e665d7fbc0ee1ec9a014f65f81a304dc76b4ec804fc7b4e448f330b9474af falco-0.35.1.tar.gz
8ff7a677f723f2d4a09808939500ddff81f15b8a62a2e091d8042765d105d30b67f9993d05ef129dfad6c866ea37d608a3ae9bc7e99730995542f8b5181ba594 alpine.patch
a3fef235ab4f3121bd0400827712652530ec417498c44ada8b6bf565f7631d035673b53dad94ea6ae9c854d45202ed71b2771f19e0c92eea3fc3503e5b75b02e falco-0.36.2.tar.gz
b152fcf6cd81895efa37797ab7ff1aac7350b5f51f2648aa9e3cce9d5ece55791ddf82c396e9da216293e2379a785a294cc972f28a91162dc5bc88ab09e1ab08 falco.patch
d8f71ca7c6d854a866826b3f2f5630b6f30448f794c4c5a56a9ea656ee03c3645a1cf7663b5e79d3ea63d4fab8bd44f91a80b1752c8239c8310efa08b495f2e2 rules.patch
88e722ddbfe8da1f2341d8da66223271987bf7fab0fb907a343010c2af85f637e2621f42c9973863c33f586a2f823f53984ca7358673fc99596d3dc83669a7f1 rules.patch
"

File diff suppressed because it is too large Load Diff

View File

@ -1,60 +1,29 @@
--- falco_rules.yaml 2023-07-05 11:42:09.732973942 +0000
+++ zdt_falco_rules.yaml 2023-07-05 13:30:14.184038126 +0000
@@ -270,7 +270,7 @@
--- falco_rules.yaml 2023-11-07 16:26:40.171716913 +0000
+++ zdt_falco_rules.yaml 2023-11-07 16:30:24.912804117 +0000
@@ -171,7 +171,7 @@
# A canonical set of processes that run other programs with different
# privileges or as a different user.
- list: userexec_binaries
- items: [sudo, su, suexec, critical-stack, dzdo]
+ items: [doas, sudo, su, suexec, critical-stack, dzdo]
- list: known_setuid_binaries
items: [
@@ -2298,27 +2298,28 @@
- macro: user_known_non_sudo_setuid_conditions
condition: user.name=root
- list: user_mgmt_binaries
items: [login_binaries, passwd_binaries, shadowutils_binaries]
@@ -200,7 +200,7 @@
]
+# Disabled for now due to buysbox noise
# sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs
-- rule: Non sudo setuid
- desc: >
- an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody"
- suing to itself are also excluded, as setuid calls typically involve dropping privileges.
- condition: >
- evt.type=setuid and evt.dir=>
- and (known_user_in_container or not container)
- and not (user.name=root or user.uid=0)
- and not somebody_becoming_themselves
- and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
- nomachine_binaries)
- and not proc.name startswith "runc:"
- and not java_running_sdjagent
- and not nrpe_becoming_nagios
- and not user_known_non_sudo_setuid_conditions
- output: >
- Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname
- command=%proc.cmdline pid=%proc.pid uid=%evt.arg.uid container_id=%container.id image=%container.image.repository)
- priority: NOTICE
- tags: [host, container, users, mitre_privilege_escalation, T1548.001]
+#- rule: Non sudo setuid
+# desc: >
+# an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody"
+# suing to itself are also excluded, as setuid calls typically involve dropping privileges.
+# condition: >
+# evt.type=setuid and evt.dir=>
+# and (known_user_in_container or not container)
+# and not (user.name=root or user.uid=0)
+# and not somebody_becoming_themselves
+# and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
+# nomachine_binaries)
+# and not proc.name startswith "runc:"
+# and not java_running_sdjagent
+# and not nrpe_becoming_nagios
+# and not user_known_non_sudo_setuid_conditions
+# output: >
+# Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname
+# command=%proc.cmdline pid=%proc.pid uid=%evt.arg.uid container_id=%container.id image=%container.image.repository)
+# priority: NOTICE
+# tags: [host, container, users, mitre_privilege_escalation, T1548.001]
- list: sensitive_file_names
- items: [/etc/shadow, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]
+ items: [/etc/shadow, /etc/doas.d/doas.conf, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]
- macro: user_known_user_management_activities
condition: (never_true)
- list: sensitive_directory_names
items: [/, /etc, /etc/, /root, /root/]
@@ -208,7 +208,7 @@
- macro: sensitive_files
condition: >
((fd.name startswith /etc and fd.name in (sensitive_file_names)) or
- fd.directory in (/etc/sudoers.d, /etc/pam.d))
+ fd.directory in (/etc/sudoers.d, /etc/pam.d, /etc/doas.d))
# Indicates that the process is new. Currently detected using time
# since process was started, using a threshold of 5 seconds.

File diff suppressed because it is too large Load Diff