From e8ba42cae40fb87b5822257401bf5c35546a3a16 Mon Sep 17 00:00:00 2001
From: vani-pareek <38485739+vani-pareek@users.noreply.github.com>
Date: Mon, 13 Aug 2018 22:13:26 +0530
Subject: [PATCH 1/4] =?UTF-8?q?Falco=20=20fixes=20for=20SMBACK-1611=20for?= =?UTF-8?q?=20vulnerability=20CVE-2016-9840,=20CVE-201=E2=80=A6=20(#402)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Falco fixes for SMBACK-1611 for vulnerability CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736, CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
* sysdig-CLA-1.0-contributing-entity: Calsoft Inc
sysdig-CLA-1.0-signed-off-by: Vani Pareek
Falco fixes for SMBACK-1611 for vulnerability CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736, CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
---
 CMakeLists.txt | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index ad46ee5023b..408803a242c 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -78,8 +78,10 @@ else()
 set(ZLIB_INCLUDE "${ZLIB_SRC}")
 set(ZLIB_LIB "${ZLIB_SRC}/libz.a")
 ExternalProject_Add(zlib
- URL "http://s3.amazonaws.com/download.draios.com/dependencies/zlib-1.2.8.tar.gz"
- URL_MD5 "44d667c142d7cda120332623eab69f40"
+ # START CHANGE for CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843
+ URL "http://s3.amazonaws.com/download.draios.com/dependencies/zlib-1.2.11.tar.gz"
+ URL_MD5 "1c9f62f0778697a09d36121ead88e08e"
+ # END CHANGE for CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843
 CONFIGURE_COMMAND "./configure"
 BUILD_COMMAND ${CMD_MAKE}
 BUILD_IN_SOURCE 1
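Review bot: The bumped tarballs are still fetched over plain http and pinned only with `URL_MD5` in this hunk, and likewise in the openssl and curl hunks that follow; MD5 is collision-prone, so it mainly guards against a truncated download rather than a substituted archive. ExternalProject accepts a stronger pin in the same position, `URL_HASH SHA256=<sha256-of-zlib-1.2.11.tar.gz>` in place of `URL_MD5`, and if the CMake build has TLS support the same bucket can be addressed with `https://` so the fetch itself is authenticated. The paired `# START CHANGE ... # END CHANGE` banners also tend to go stale as the file evolves; a single line such as `# zlib 1.2.11: CVE-2016-9840..9843 (see #402)` above `URL` carries the same information.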
@@ -215,8 +217,10 @@ else()
 message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
 ExternalProject_Add(openssl
- URL "http://s3.amazonaws.com/download.draios.com/dependencies/openssl-1.0.2j.tar.gz"
- URL_MD5 "96322138f0b69e61b7212bc53d5e912b"
+ # START CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
+ URL "http://s3.amazonaws.com/download.draios.com/dependencies/openssl-1.0.2n.tar.gz"
+ URL_MD5 "13bdc1b1d1ff39b6fd42a255e74676a4"
+ # END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
 CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
 BUILD_COMMAND ${CMD_MAKE}
 BUILD_IN_SOURCE 1
@@ -246,8 +250,10 @@ else()
 ExternalProject_Add(curl
 DEPENDS openssl
- URL "http://s3.amazonaws.com/download.draios.com/dependencies/curl-7.56.0.tar.bz2"
- URL_MD5 "e0caf257103e0c77cee5be7e9ac66ca4"
+ # START CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
+ URL "http://s3.amazonaws.com/download.draios.com/dependencies/curl-7.60.0.tar.bz2"
+ URL_MD5 "bd2aabf78ded6a9aec8a54532fd6b5d7"
+ # END CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
 CONFIGURE_COMMAND ./configure ${CURL_SSL_OPTION} --disable-shared --enable-optimize --disable-curldebug --disable-rt --enable-http --disable-ftp --disable-file --disable-ldap --disable-ldaps --disable-rtsp --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb --disable-smtp --disable-gopher --disable-sspi --disable-ntlm-wb --disable-tls-srp --without-winssl --without-darwinssl --without-polarssl --without-cyassl --without-nss --without-axtls --without-ca-path --without-ca-bundle --without-libmetalink --without-librtmp --without-winidn --without-libidn --without-nghttp2 --without-libssh2 --disable-threaded-resolver
 BUILD_COMMAND ${CMD_MAKE}
 BUILD_IN_SOURCE 1
From 071e7dff17302ef228b3bd1ac0ec23e414a87290 Mon Sep 17 00:00:00 2001
From: Grzegorz Nosek
Date: Mon, 13 Aug 2018 18:24:45 +0200
Subject: [PATCH 2/4] Allow Lua sample_dir to be passed to falco_engine constructor
FALCO_ENGINE_SOURCE_LUA_DIR is still the default but can be overridden now.
---
 userspace/engine/falco_engine.cpp | 4 ++--
 userspace/engine/falco_engine.h | 3 ++-
 userspace/falco/CMakeLists.txt | 1 +
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/userspace/engine/falco_engine.cpp b/userspace/engine/falco_engine.cpp
index 511407cb41e..f9c86c7809e 100644
--- a/userspace/engine/falco_engine.cpp
+++ b/userspace/engine/falco_engine.cpp
@@ -39,7 +39,7 @@ string lua_print_stats = "print_stats";
 using namespace std;
-falco_engine::falco_engine(bool seed_rng)
+falco_engine::falco_engine(bool seed_rng, const std::string& source_dir)
 : m_rules(NULL), m_next_ruleset_id(0), m_min_priority(falco_common::PRIORITY_DEBUG), m_sampling_ratio(1), m_sampling_multiplier(0),
@@ -48,7 +48,7 @@ falco_engine::falco_engine(bool seed_rng)
 luaopen_lpeg(m_ls);
 luaopen_yaml(m_ls);
- falco_common::init(m_lua_main_filename.c_str(), FALCO_ENGINE_SOURCE_LUA_DIR);
+ falco_common::init(m_lua_main_filename.c_str(), source_dir.c_str());
 falco_rules::init(m_ls);
 m_evttype_filter.reset(new sinsp_evttype_filter());
diff --git a/userspace/engine/falco_engine.h b/userspace/engine/falco_engine.h
index e19fb6e52a5..abf0ac846df 100644
--- a/userspace/engine/falco_engine.h
+++ b/userspace/engine/falco_engine.h
@@ -27,6 +27,7 @@ along with falco. If not, see .
 #include "rules.h"
+#include "config_falco_engine.h"
 #include "falco_common.h"
 //
@@ -38,7 +39,7 @@ along with falco. If not, see .
 class falco_engine : public falco_common { public:
- falco_engine(bool seed_rng=true);
+ falco_engine(bool seed_rng=true, const std::string& rules_dir=FALCO_ENGINE_SOURCE_LUA_DIR);
 virtual ~falco_engine();
 //
diff --git a/userspace/falco/CMakeLists.txt b/userspace/falco/CMakeLists.txt
index 3ef7d86897e..736f60434cd 100644
--- a/userspace/falco/CMakeLists.txt
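Review bot: In the second falco_engine.cpp hunk, `source_dir.c_str()` is handed to `falco_common::init`, and when a caller relies on the header's default argument `source_dir` binds to a temporary std::string that lives only until the constructor call's full-expression ends, whereas the replaced code passed the string-literal macro, whose storage lives for the whole program. If `falco_common::init` keeps the pointer rather than copying the path into its own storage, the engine now holds a dangling pointer; init's definition is outside this diff, so that needs confirming. Copying the path into a member first, e.g. a new `m_lua_source_dir = source_dir;` and passing `m_lua_source_dir.c_str()`, removes the question either way. The constructor body continues outside the hunk.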
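Review bot: The new constructor parameter is declared as `rules_dir` in falco_engine.h but defined as `source_dir` in falco_engine.cpp, and the value is the Lua source directory (it defaults to `FALCO_ENGINE_SOURCE_LUA_DIR` and is passed to `falco_common::init`), so `rules_dir` misdescribes it; `falco_engine(bool seed_rng=true, const std::string& source_dir=FALCO_ENGINE_SOURCE_LUA_DIR);` keeps the two in step. A one-line comment on the declaration, `// source_dir: directory holding the engine's Lua sources; defaults to the build-time path`, would tell callers what to pass. Pulling `config_falco_engine.h` into the public header, which the added binary-dir include path suggests is a generated file, means every consumer of falco_engine.h now needs `${PROJECT_BINARY_DIR}/userspace/engine` on its include path, as the userspace/falco/CMakeLists.txt hunk does for the falco binary; other targets that include this header will need the same line.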
+++ b/userspace/falco/CMakeLists.txt
@@ -5,6 +5,7 @@ include_directories("${PROJECT_SOURCE_DIR}/../sysdig/userspace/libscap")
 include_directories("${PROJECT_SOURCE_DIR}/../sysdig/userspace/libsinsp")
 include_directories("${PROJECT_SOURCE_DIR}/userspace/engine")
 include_directories("${PROJECT_BINARY_DIR}/userspace/falco")
+include_directories("${PROJECT_BINARY_DIR}/userspace/engine")
 include_directories("${CURL_INCLUDE_DIR}")
 include_directories("${YAMLCPP_INCLUDE_DIR}")
 include_directories("${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")
From 81e2e672f005bb6c8615db2e8e0a6eba4ef1b3f5 Mon Sep 17 00:00:00 2001
From: Mattia Pagnozzi
Date: Tue, 11 Sep 2018 11:59:58 +0200
Subject: [PATCH 3/4] Add TBB dependency (#412)
* Add tbb dependency
* Change TBB library URL
---
 CMakeLists.txt | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 408803a242c..c74e8183eae 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -395,6 +395,32 @@ else()
 INSTALL_COMMAND sh -c "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua")
 endif()
+option(USE_BUNDLED_TBB "Enable building of the bundled tbb" ${USE_BUNDLED_DEPS})
+if(NOT USE_BUNDLED_TBB)
+ find_path(TBB_INCLUDE tbb.h PATH_SUFFIXES tbb)
+ find_library(TBB_LIB NAMES tbb)
+ if(TBB_INCLUDE AND TBB_LIB)
+ message(STATUS "Found tbb: include: ${TBB_INCLUDE}, lib: ${TBB_LIB}")
+ else()
+ message(FATAL_ERROR "Couldn't find system tbb")
+ endif()
+else()
+ set(TBB_SRC "${PROJECT_BINARY_DIR}/tbb-prefix/src/tbb")
+
+ message(STATUS "Using bundled tbb in '${TBB_SRC}'")
+
+ set(TBB_INCLUDE "${TBB_SRC}/include/")
+ set(TBB_LIB "${TBB_SRC}/build/lib_release/libtbb.a")
+ ExternalProject_Add(tbb
+ URL "http://s3.amazonaws.com/download.draios.com/dependencies/tbb-2018_U5.tar.gz"
+ URL_MD5 "ff3ae09f8c23892fbc3008c39f78288f"
+ CONFIGURE_COMMAND ""
+ BUILD_COMMAND ${CMD_MAKE} tbb_build_dir=${TBB_SRC}/build tbb_build_prefix=lib extra_inc=big_iron.inc
+ BUILD_IN_SOURCE 1
+ BUILD_BYPRODUCTS ${TBB_LIB}
+ INSTALL_COMMAND "")
+endif()
+
 install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}")
From eaaff5a7734a13bb5febed518f1a29c7e7dcf406 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 11 Sep 2018 10:25:10 -0700
Subject: [PATCH 4/4] Prepare for 0.12.0 (#415)
Add to CHANGELOG and updating version in README.md.
---
 CHANGELOG.md | 25 +++++++++++++++++++++++++
 README.md | 2 +-
 2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 43c66f47b2c..3ee5f977c88 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
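Review bot: The system and bundled branches of the new tbb block set `TBB_INCLUDE` to different directory levels: `find_path(TBB_INCLUDE tbb.h PATH_SUFFIXES tbb)` yields the directory that directly contains tbb.h (typically `.../include/tbb`), while the bundled branch sets `TBB_INCLUDE "${TBB_SRC}/include/"`, under which the header sits one level down in a `tbb/` subdirectory. Whichever form the sources use, `#include <tbb/...>` or the bare header name, one of the two configurations will not resolve; `find_path(TBB_INCLUDE tbb/tbb.h)` without the suffix matches the bundled layout, and a status message printing the chosen path would make a mismatch visible at configure time. The `http` plus `URL_MD5` pinning raised on the zlib hunk of the first patch applies to the tbb tarball here as well; `URL_HASH SHA256=<sha256-of-tbb-2018_U5.tar.gz>` is the stronger pin.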
@@ -2,6 +2,31 @@
 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
+## v0.12.0
+
+Released 2018-09-11
+
+## Major Changes
+
+* Improved IPv6 Support to fully support use of IPv6 addresses in events, connections and filters [[#sysdig/1204](https://github.com/draios/sysdig/pull/1204)]
+
+* Ability to associate connections with dns names: new filterchecks `fd.*ip.name` allow looking up the DNS name for a connection's IP address. This can be used to identify or restrict connections by dns names e.g. `evt.type=connect and fd.sip.name=github.com`. [[#412](https://github.com/draios/falco/pull/412)] [[#sysdig/1213](https://github.com/draios/sysdig/pull/1213)]
+
+* New filterchecks `user.loginuid` and `user.loginname` can be used to match the login uid, which stays consistent across sudo/su. This can be used to find the actual user running a given process [[#sysdig/1189](https://github.com/draios/sysdig/pull/1189)]
+
+## Minor Changes
+
+* Upgrade zlib to 1.2.11, openssl to 1.0.2n, and libcurl to 7.60.0 to address software vulnerabilities [[#402](https://github.com/draios/falco/pull/402)]
+* New `endswith` operator can be used for suffix matching on strings [[#sysdig/1209](https://github.com/draios/sysdig/pull/1209)]
+
+## Bug Fixes
+
+* Better control of specifying location of lua source code [[#406](https://github.com/draios/falco/pull/406)]
+
+## Rule Changes
+
+* None for this release.
+
 ## v0.11.1
 Released 2018-07-31
diff --git a/README.md b/README.md
index f3ed790ce4d..9b127546b84 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 #### Latest release
-**v0.11.1**
+**v0.12.0**
 Read the [change log](https://github.com/draios/falco/blob/dev/CHANGELOG.md)
 Dev Branch: [![Build Status](https://travis-ci.org/draios/falco.svg?branch=dev)](https://travis-ci.org/draios/falco)