• Stars
    star
    200
  • Rank 195,325 (Top 4 %)
  • Language
    C
  • License
    Apache License 2.0
  • Created almost 4 years ago
  • Updated 8 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

libsinsp, libscap, the kernel module driver, and the eBPF driver sources

falcosecurity/libs

Falco Core Repository Stable License

CI Build Architectures Drivers Kernel Tests Github Pages

This repository contains libsinsp, libscap, the kernel module and the eBPF probes sources.

These components are at the foundation of Falco and other projects that work with the same kind of data.

This component stack mainly operates on a data source: system calls. This data source is collected using either a kernel module or an eBPF probe, which we call drivers. On top of the drivers, libscap manages the data capture process, libsinsp enriches the data, and provides a rich set of API to consume the data. Furthermore, these two libraries also implement a plugin framework that extends this stack to potentially any other data sources.

An image is worth a thousand words, they say:

diagram

Project Layout

  • driver/ contains kernel module and eBPF probe source code, so-called drivers.
  • userspace/ contains libscap and libsinsp libraries code, plus chisels related code and common utilities.
    • libscap (aka lib for System CAPture) is the userspace library that directly communicates with the drivers, reading syscall events from the ring buffer (where drivers place them), and forwarding them up to libsinsp. Moreover, libscap implements OS state collection and supports reading/writing to scap files.
    • libsinsp (aka lib for System INSPection) receives events from libscap and enriches them with machine state: moreover, it performs events filtering with rule evaluation through its internal rule engine. Finally, it manages outputs.
    • chisels are just little Lua scripts to analyze an event stream and perform useful actions. In this subfolder, the backend code for chisels support can be found.
  • proposals/ unexpectedly contains the list of proposals.
  • cmake/modules/ contains modules to build external dependencies, plus the libscap and libsinsp ones; consumers (like Falco) use those modules to build the libs in their projects.

For an overview of the event sources that are implemented by the libs see also the official Falco documentation.

Versioning

This project uses two different versioning schemes for the libs and driver components. In particular, the driver versions are suffixed with +driver to distinguish them from the libs ones. Both adhere to the Semantic Versioning 2.0.0. You can find more detail about how we version those components in our release process documentation.

If you build this project from a git working directory, the main CMakeLists.txt will automatically compute the appropriate version for all components. Otherwise, if you use a source code copy with no the git information or pull the sources of the libs or the drivers directly in your project, it's up to you to correctly set the appropriate cmake variables (for example, -DFALCOSECURITY_LIBS_VERSION=x.y.z -DDRIVER_VERSION=a.b.c+driver).

Drivers officially supported architectures

Right now our drivers officially support the following architectures:

Kernel module eBPF probe Modern eBPF probe Status
x86_64 >= 2.6 >= 4.14 >= 5.8 STABLE
aarch64 >= 3.16 >= 4.17 >= 5.8 STABLE
s390x >= 2.6 >= 5.5 >= 5.8 EXPERIMENTAL

For a list of supported syscalls through specific events, please refer to report.

NOTE: while we strive to achieve maximum compatibility, we cannot assure that drivers correctly build against a new kernel version minutes after it gets released, since we might need to make some adjustments.
To get properly notified whenever drivers stop building, we have a CI workflow that tests the build against the latest mainline kernel (RC too!)

NOTE: STABLE state means that we have CI covering drivers tests on the architecture. EXPERIMENTAL means that we are not able to run any CI test against it.

Build

Libs relies upon cmake build system.
Lots of make targets will be available; the most important ones are:

  • driver -> to build the kmod
  • bpf -> to build the eBPF probe
  • scap -> to build libscap
  • sinsp -> to build libsinsp (depends upon scap target)
  • scap-open -> to build a small libscap example to quickly test drivers (depends upon scap)

To start, first create and move inside build/ folder:

mkdir build && cd build

Bundled deps

The easiest way to build the project is to use BUNDLED_DEPS option, meaning that most of the dependencies will be fetched and compiled during the process:

cmake -DUSE_BUNDLED_DEPS=true -DCREATE_TEST_TARGETS=OFF ../
make sinsp

NOTE: take a break as this will take quite a bit of time (around 15 mins, dependent on the hardware obviously).

System deps

To build using the system deps instead, first, make sure to have all the needed packages installed.
Refer to https://falco.org/docs/getting-started/source/ for the list of dependencies.

Then, simply issue:

cmake ../
make sinsp

NOTE: using system libraries is useful to cut compile times down, as this way it will only build libs, and not all deps.
On the other hand, system deps version may have an impact, and we cannot guarantee everything goes smoothly while using them.

Build kmod

To build the kmod driver, you need your kernel headers installed. Again, check out the Falco documentation for this step.
Then it will be just a matter of running:

make driver

Build eBPF probe

To build the eBPF probe, you need clang and llvm packages.
Then, issue:

cmake -DBUILD_BPF=true ../
make bpf

WARNING: clang-7 is the oldest supported version to build our BPF probe, since it is the one used by our infrastructure.

Build modern eBPF probe

To build the modern eBPF probe, you need:

  • a recent clang version (>=12).

  • a recent bpftool version, typing bpftool gen you should see at least these features:

    Usage: bpftool gen object OUTPUT_FILE INPUT_FILE [INPUT_FILE...]    <---
           bpftool gen skeleton FILE [name OBJECT_NAME]                 <---
           bpftool gen help
    

    If you want to use the bpftool mirror repo, version 6.7 should be enough.

    If you want to compile it directly from the kernel tree you should pick at least the 5.13 tag.

  • BTF exposed by your kernel, you can check it through ls /sys/kernel/btf/vmlinux. You should see this line:

    /sys/kernel/btf/vmlinux
    
  • A kernel version >=5.8.

Then, issue:

cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DBUILD_LIBSCAP_GVISOR=OFF .. 
make ProbeSkeleton

Please note: these are not the requirements to use the BPF probe but to build it from source!

As you have seen the modern bpf probe has strict requirements to be built that maybe are not easy to satisfy on old machines. The workaround you can use is to build the probe skeleton on a recent machine and than link it during the building phase on an older machine. To do that you have to use the cmake variable MODERN_BPF_SKEL_DIR. Supposing you have built the skeleton under the directory /tmp/skel-dir, you should use the option in this way:

cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_SKEL_DIR="/tmp/skel-dir" -DBUILD_LIBSCAP_GVISOR=OFF .. 

gVisor support

Libscap contains additional library functions to allow integration with system call events coming from gVisor. Compilation of this functionality can be disabled with -DBUILD_LIBSCAP_GVISOR=Off.

Test drivers and userspace sinsp

  • libscap ships a small example that is quite handy to quickly check that drivers are working fine. Explore the scap-open program documentation.
  • libsinsp ships another small example to quickly test userspace sinsp. Explore the sinsp-example program documentation.

Test Suites (drivers and userspace sinsp)

libs features dedicated test suites (unit tests, e2e tests, localhost VM testing) for additional driver and userspace functionality tests. Navigate the test folder to learn more about each test suite.

Contribute

Any contribution is incredibly helpful and warmly accepted; be it code, documentation, or just ideas, please feel free to share it!
For a contribution guideline, refer to: https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md.

Adding syscalls

Implementing new syscalls is surely one of the highest frequency requests.
While it is indeed important for libs to support as many syscalls as possible, most of the time it is not a high priority task.
But you can speed up things by opening a PR for it!
Luckily enough, a Falco blog post explains the process very thoroughly: https://falco.org/blog/falco-monitoring-new-syscalls/.

License

This project is licensed to you under the Apache 2.0 open source license. Some subcomponents might be licensed separately. You can find licensing notices here.

More Repositories

1

falco

Cloud Native Runtime Security
C++
6,860
star
2

falcosidekick

Connect Falco to your ecosystem
Go
502
star
3

charts

Community managed Helm charts for running Falco with Kubernetes
Go
220
star
4

falco-talon

Response Engine for managing threats in your Kubernetes
Go
112
star
5

falco-exporter

Prometheus Metrics Exporter for Falco output events
Go
108
star
6

falcosidekick-ui

A simple WebUI with latest events from Falco
Vue
97
star
7

rules

Falco rule repository
Go
92
star
8

falcoctl

Administrative tooling for Falco
Go
81
star
9

event-generator

Generate a variety of suspect actions that are detected by Falco rulesets
Go
73
star
10

plugins

Falco plugins registry
Go
69
star
11

pdig

ptrace-based event producer for udig
C
65
star
12

driverkit

Kit for building Falco drivers: kernel modules or eBPF probes
Go
61
star
13

client-go

Go client and SDK for Falco
Go
52
star
14

community

The Falco Project Community
50
star
15

evolution

Evolution process of The Falco Project
Go
45
star
16

falco-website

Source code of the official Falco website
HTML
32
star
17

test-infra

Falco workflow & testing infrastructure
Jsonnet
30
star
18

plugin-sdk-go

Falco plugins SDK for Go
Go
23
star
19

client-py

Python client and SDK for Falco
Python
19
star
20

falco-playground

Web-application used to validate Falco rules and test against scap file
TypeScript
19
star
21

kernel-crawler

A tool to crawl Linux kernel versions
Python
17
star
22

k8s-metacollector

Fetches the metadata from kubernetes API server and dispatches them to Falco instances
Go
14
star
23

client-rs

The rust language implementation of the Falco client
Rust
14
star
24

kilt

Kilt is a project that defines how to inject foreign apps into containers
Go
13
star
25

testing

All-purpose test suite for Falco and its ecosystem
Go
11
star
26

kernel-testing

Ansible playbooks to provision firecracker VMs and run Falco kernel tests
Dockerfile
11
star
27

deploy-kubernetes

Kubernetes deployment resources for Falco
10
star
28

libs-sdk-go

Go SDK for Falco libs
Go
5
star
29

syscalls-bumper

A tool to automatically update supported syscalls in libs
Go
5
star
30

falco-aws-terraform

Terraform Module for Falco AWS Resources
HCL
5
star
31

plugin-sdk-rs

Falco plugins SDK for Rust
Rust
5
star
32

.github

Default community health files
4
star
33

pigeon

Secrets and config manager for Falco's infrastructure
Go
3
star
34

ebpf-probe

eBPF probe for syscall events
3
star
35

kernel-module

3
star
36

dbg-go

A go tool to work with falcosecurity drivers build grid
Go
2
star
37

plugin-sdk-cpp

Falco plugins SDK for C++
C++
2
star
38

libsinsp

System inspection library
2
star
39

libscap

2
star
40

cncf-green-review-testing

Falco configurations intended for testing with the CNCF Green Reviews Working Group
2
star
41

template-repository

Acts as a template for new repositories
1
star
42

advocacy

Advocacy machinery
1
star
43

peribolos-syncer

Tool to synchronize Peribolos configuration with GitHub people sources of truth.
Go
1
star
44

contrib

Community sandbox to test-drive ideas/projects/code
Python
1
star
45

flycheck-falco-rules

Falco Rules Syntax Checker for Emacs, Using Flycheck
Emacs Lisp
1
star