From d31216c09c322e610d454cacbe09442d3f3bcbeb Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 01:47:55 -0500 Subject: [PATCH 01/62] spelling: allowed Signed-off-by: Josh Soref --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index bfd91f06c35..61cda8ad59a 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -2305,7 +2305,7 @@ # explicitly enumerate the container images that you want to allow # access to EC2 metadata. In this main falco rules file, there isn't # any way to know all the containers that should have access, so any -# container is alllowed, by repeating the "container" macro. In the +# container is allowed, by repeating the "container" macro. In the # overridden macro, the condition would look something like # (container.image.repository = vendor/container-1 or # container.image.repository = vendor/container-2 or ...) From 29278431b611eb36ac2b92fb5f344837f8415a0b Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 01:47:56 -0500 Subject: [PATCH 02/62] spelling: altogether Signed-off-by: Josh Soref --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 61cda8ad59a..b7648843405 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -2623,7 +2623,7 @@ items: [hyperkube, kubelet, k3s-agent] # This macro should be overridden in user rules as needed. This is useful if a given application -# should not be ignored alltogether with the user_known_chmod_applications list, but only in +# should not be ignored altogether with the user_known_chmod_applications list, but only in # specific conditions. - macro: user_known_set_setuid_or_setgid_bit_conditions condition: (never_true) From eee41994a610995552e1992b778d1dc9b73353b6 Mon Sep 17 00:00:00 2001 
From: Josh Soref Date: Thu, 24 Feb 2022 01:47:56 -0500 Subject: [PATCH 03/62] spelling: among Signed-off-by: Josh Soref --- .cmake-format | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.cmake-format b/.cmake-format index 4c3d5ad2dfc..ddf2fa5a8df 100644 --- a/.cmake-format +++ b/.cmake-format @@ -21,7 +21,7 @@ separate_fn_name_with_space = False dangle_parens = False # If the statement spelling length (including space and parenthesis is larger -# than the tab width by more than this amoung, then force reject un-nested +# than the tab width by more than this among, then force reject un-nested # layouts. max_prefix_chars = 2 From 56918a013ee93cc597038e254a487409ee5320cd Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 02:06:47 -0500 Subject: [PATCH 04/62] spelling: archiving Signed-off-by: Josh Soref --- proposals/20200901-artifacts-cleanup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/20200901-artifacts-cleanup.md b/proposals/20200901-artifacts-cleanup.md index 1d9a14d7ef9..e4be27703f5 100644 --- a/proposals/20200901-artifacts-cleanup.md +++ b/proposals/20200901-artifacts-cleanup.md @@ -90,7 +90,7 @@ This way, assuming the number of prebuilt drivers does not skyrocket, we can rea Notice that, in case a Falco stable release will not depend on a new driver version, this means the last two driver versions will, in this case, cover more than the two Falco stable releases. -### Archivation +### Archiving Since the process of building drivers is time and resource consuming, this document also proposes to move the driver versions in other storage facilities. From a887d9cab1c707ddfc3b6a1b025495494acf8d5c Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 02:11:17 -0500 Subject: [PATCH 05/62] spelling: arg lists Signed-off-by: Josh Soref --- .cmake-format | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.cmake-format b/.cmake-format index ddf2fa5a8df..82391823501 100644 
--- a/.cmake-format +++ b/.cmake-format @@ -7,7 +7,7 @@ line_width = 120 # How many spaces to tab for indent tab_size = 2 -# If arglists are longer than this, break them always +# If arg lists are longer than this, break them always max_subargs_per_line = 3 # If true, separate flow control names from their parentheses with a space From 0afb7c273cd817ce8a661cf0c9495ad8531f05ef Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 01:47:57 -0500 Subject: [PATCH 06/62] spelling: attribute Signed-off-by: Josh Soref --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 909067c55d1..d41d8f4d620 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1308,7 +1308,7 @@ Released 2018-07-24 ### Minor Changes -* Rules may now have an `skip-if-unknown-filter` property. If set to true, a rule will be skipped if its condition/output property refers to a filtercheck (e.g. `fd.some-new-attibute`) that is not present in the current falco version. [[#364](https://github.com/draios/falco/pull/364)] [[#345](https://github.com/draios/falco/issues/345)] +* Rules may now have an `skip-if-unknown-filter` property. If set to true, a rule will be skipped if its condition/output property refers to a filtercheck (e.g. `fd.some-new-attribute`) that is not present in the current falco version. [[#364](https://github.com/draios/falco/pull/364)] [[#345](https://github.com/draios/falco/issues/345)] * Small changes to Falco `COPYING` file so github automatically recognizes license [[#380](https://github.com/draios/falco/pull/380)] * New example integration showing how to connect Falco with Anchore to dynamically create falco rules based on negative scan results [[#390](https://github.com/draios/falco/pull/390)] * New example integration showing how to connect Falco, [nats](https://nats.io/), and K8s to run flexible "playbooks" based on Falco events [[#389](https://github.com/draios/falco/pull/389)] 
From 995195d0685e500a88dcf94be3d7cf295c32166b Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 01:47:57 -0500 Subject: [PATCH 07/62] spelling: berkeley Signed-off-by: Josh Soref --- brand/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/brand/README.md b/brand/README.md index 392c9ed7917..802f0506c35 100644 --- a/brand/README.md +++ b/brand/README.md @@ -56,7 +56,7 @@ If a rule has been violated, Falco triggers an alert. ### How does Falco work? Falco traces kernel events and reports information about the system calls being executed at runtime. -Falco leverages the extended berkley packet filter (eBPF) which is a kernel feature implemented for dynamic crash-resilient and secure code execution in the kernel. +Falco leverages the extended berkeley packet filter (eBPF) which is a kernel feature implemented for dynamic crash-resilient and secure code execution in the kernel. Falco enriches these kernel events with information about containers running on the system. Falco also can consume signals from other input streams such as the containerd socket, the Kubernetes API server and the Kubernetes audit log. At runtime, Falco will reason about these events and assert them against configured security rules. From 50bef8d2abad14d036dd9521ec90ef086dd6a95a Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 01:47:58 -0500 Subject: [PATCH 08/62] spelling: between Signed-off-by: Josh Soref --- proposals/20190909-psp-rules-support.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/20190909-psp-rules-support.md b/proposals/20190909-psp-rules-support.md index 3aaa1c9d8f2..d0a21a8f7ad 100644 --- a/proposals/20190909-psp-rules-support.md +++ b/proposals/20190909-psp-rules-support.md 
@@ -51,6 +51,6 @@ No diagrams yet. * We'll use [inja](https://github.com/pantor/inja) as the templating engine. -* For the most part, we can rely on the existing framework of rules, filter expressions, and output expressions that already exist in Falco. One significant change will be that filter fields can extract more than one "value" per event, and we'll need to define new operators to perform set comparisions betweeen values in an event and values in the comparison right-hand-side. +* For the most part, we can rely on the existing framework of rules, filter expressions, and output expressions that already exist in Falco. One significant change will be that filter fields can extract more than one "value" per event, and we'll need to define new operators to perform set comparisions between values in an event and values in the comparison right-hand-side. * This will rely heavily on existing support for [K8s Audit Events](https://falco.org/docs/event-sources/kubernetes-audit/) in Falco. From fb89ac83ecc70438e20b5785152a39b15b0a01ee Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 01:17:32 -0500 Subject: [PATCH 09/62] spelling: cmake Signed-off-by: Josh Soref --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 2097e32b5d2..63e0c0c7f77 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -13,7 +13,7 @@ jobs: command: apk update - run: name: Install build dependencies - command: apk add g++ gcc cmake cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils + command: apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils - run: name: Prepare project command: | From a40379d520a58cb92763c27e4cd81bf280aa5a88 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 01:47:58 -0500 Subject: [PATCH 10/62] spelling: command lines 
Signed-off-by: Josh Soref --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index b7648843405..2281a9892e3 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -2255,7 +2255,7 @@ activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded. Activity in containers is also excluded--some containers create custom users on top of a base linux distribution at startup. - Some innocuous commandlines that don't actually change anything are excluded. + Some innocuous command lines that don't actually change anything are excluded. condition: > spawned_process and proc.name in (user_mgmt_binaries) and not proc.name in (su, sudo, lastlog, nologin, unix_chkpwd) and not container and From 82198ef1e23e9ee9f5ee6577687d1e922a362454 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 01:47:58 -0500 Subject: [PATCH 11/62] spelling: command Signed-off-by: Josh Soref --- proposals/20191030-api.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/20191030-api.md b/proposals/20191030-api.md index 6e92b9c39ce..0c0e93be148 100644 --- a/proposals/20191030-api.md +++ b/proposals/20191030-api.md @@ -94,7 +94,7 @@ This translates in having the following set of `proto` files. } ``` -- one or more `.proto` containing the commond models - ie., the already existing `schema.proto` containing source enum, etc. +- one or more `.proto` containing the command models - ie., the already existing `schema.proto` containing source enum, etc. ```proto3 # schema.proto From 822b6c9fb2a729eb102083530bde5659a4bde939 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 01:47:59 -0500 Subject: [PATCH 12/62] spelling: commands Signed-off-by: Josh Soref --- cmake/modules/CatchAddTests.cmake | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/cmake/modules/CatchAddTests.cmake b/cmake/modules/CatchAddTests.cmake index 3d08bc626ab..6c9592744e8 100644 --- a/cmake/modules/CatchAddTests.cmake +++ b/cmake/modules/CatchAddTests.cmake @@ -45,7 +45,7 @@ string(REPLACE "\n" ";" output "${output}") # Parse output foreach(line ${output}) set(test ${line}) - # use escape commas to handle properly test cases with commans inside the name + # use escape commas to handle properly test cases with commands inside the name string(REPLACE "," "\\," test_name ${test}) # ...and add to script add_command(add_test "${prefix}${test}${suffix}" ${TEST_EXECUTOR} "${TEST_EXECUTABLE}" "${test_name}" ${extra_args}) From 6dc2080cf7c8e4d267f20c12c35c38dd9d2954a7 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 01:47:59 -0500 Subject: [PATCH 13/62] spelling: comparisons Signed-off-by: Josh Soref --- proposals/20190909-psp-rules-support.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/20190909-psp-rules-support.md b/proposals/20190909-psp-rules-support.md index d0a21a8f7ad..28129620823 100644 --- a/proposals/20190909-psp-rules-support.md +++ b/proposals/20190909-psp-rules-support.md 
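Review bot: The corrected word on this comment line should be `commas`, not `commands`: the very next line, `string(REPLACE "," "\\," test_name ${test})`, escapes commas in the test name, and nothing in this loop deals with commands, so the fix trades a typo for a misleading statement. Suggest `# use escaped commas to handle properly test cases with commas inside the name`. Presumably the escaping exists because an unescaped comma is treated as a separator when the name is later passed to the test executable, but that is not visible in the hunk. The `foreach(line ${output})` loop this comment sits in ends outside the hunk.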
@@ -51,6 +51,6 @@ No diagrams yet. * We'll use [inja](https://github.com/pantor/inja) as the templating engine. -* For the most part, we can rely on the existing framework of rules, filter expressions, and output expressions that already exist in Falco. One significant change will be that filter fields can extract more than one "value" per event, and we'll need to define new operators to perform set comparisions between values in an event and values in the comparison right-hand-side. +* For the most part, we can rely on the existing framework of rules, filter expressions, and output expressions that already exist in Falco. One significant change will be that filter fields can extract more than one "value" per event, and we'll need to define new operators to perform set comparisons between values in an event and values in the comparison right-hand-side. * This will rely heavily on existing support for [K8s Audit Events](https://falco.org/docs/event-sources/kubernetes-audit/) in Falco. From 762564be4113a543b18332b828ba24b7decab23e Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 01:48:00 -0500 Subject: [PATCH 14/62] spelling: complaints Signed-off-by: Josh Soref --- userspace/falco/webserver.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/userspace/falco/webserver.cpp b/userspace/falco/webserver.cpp index 6405d0ca16e..5ecec271cf7 100644 --- a/userspace/falco/webserver.cpp +++ b/userspace/falco/webserver.cpp @@ -130,7 +130,7 @@ bool k8s_audit_handler::handleGet(CivetServer *server, struct mg_connection *con return true; } -// The version in CivetServer.cpp has valgrind compliants due to +// The version in CivetServer.cpp has valgrind complaints due to // unguarded initialization of c++ string from buffer. static void get_post_data(struct mg_connection *conn, std::string &postdata) { From cacd40f873e0658e6b6545254cfeb41168cfa6c2 Mon Sep 17 00:00:00 2001 
From: Josh Soref Date: Thu, 24 Feb 2022 01:48:00 -0500 Subject: [PATCH 15/62] spelling: constitute Signed-off-by: Josh Soref --- proposals/20191030-api.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/20191030-api.md b/proposals/20191030-api.md index 0c0e93be148..cf0a8e006ba 100644 --- a/proposals/20191030-api.md +++ b/proposals/20191030-api.md @@ -8,7 +8,7 @@ The Falco API is a set of contracts describing how users can interacts with Falc By definiing a set of interfaces the Falco Authors intend to decouple Falco from other softwares and data (eg., from the input sources) and, at the same time, make it more extensible. -Thus, this document intent is to propose a list of services that contistute the Falco API (targeting the first stable version of Falco, v1.0.0). +Thus, this document intent is to propose a list of services that constitute the Falco API (targeting the first stable version of Falco, v1.0.0). ## Motivation From 17a965fcd0dd05215c698d777812cd354acdfa81 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 02:17:22 -0500 Subject: [PATCH 16/62] spelling: content type Signed-off-by: Josh Soref --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d41d8f4d620..547a2dd6fd3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -44,7 +44,7 @@ Released on 2022-01-31 * fix(userspace/engine): support jsonpointer escaping in rule parser [[#1777](https://github.com/falcosecurity/falco/pull/1777)] - [@jasondellaluce](https://github.com/jasondellaluce) * fix(scripts/falco-driver-loader): support kernel object files in `.zst` and `.gz` compression formats [[#1863](https://github.com/falcosecurity/falco/pull/1863)] - [@leogr](https://github.com/leogr) * fix(engine): correctly format json output in json_event [[#1847](https://github.com/falcosecurity/falco/pull/1847)] - [@jasondellaluce](https://github.com/jasondellaluce) -* fix: set http output contenttype to text/plain when json output is disabled [[#1829](https://github.com/falcosecurity/falco/pull/1829)] - [@FedeDP](https://github.com/FedeDP) +* fix: set http output content type to text/plain when json output is disabled [[#1829](https://github.com/falcosecurity/falco/pull/1829)] - [@FedeDP](https://github.com/FedeDP) * fix(userspace/falco): accept 'Content-Type' header that contains "application/json", but it is not strictly equal to it [[#1800](https://github.com/falcosecurity/falco/pull/1800)] - [@FedeDP](https://github.com/FedeDP) * fix(userspace/engine): supporting enabled-only overwritten rules [[#1775](https://github.com/falcosecurity/falco/pull/1775)] - [@jasondellaluce](https://github.com/jasondellaluce) From 4308936b1eb393eb31a4d7fc5681d5e9d7be48f2 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 01:48:01 -0500 Subject: [PATCH 17/62] spelling: defining Signed-off-by: Josh Soref --- proposals/20191030-api.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/20191030-api.md b/proposals/20191030-api.md index cf0a8e006ba..9dffdc84443 100644 --- a/proposals/20191030-api.md +++ b/proposals/20191030-api.md 
@@ -6,7 +6,7 @@ This is a proposal to better structure the Falco API. The Falco API is a set of contracts describing how users can interacts with Falco. -By definiing a set of interfaces the Falco Authors intend to decouple Falco from other softwares and data (eg., from the input sources) and, at the same time, make it more extensible. +By defining a set of interfaces the Falco Authors intend to decouple Falco from other softwares and data (eg., from the input sources) and, at the same time, make it more extensible. Thus, this document intent is to propose a list of services that constitute the Falco API (targeting the first stable version of Falco, v1.0.0). From d0c608dab70dcd3aae69b7c3b72f6b40cad415f6 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 01:48:01 -0500 Subject: [PATCH 18/62] spelling: discretion Signed-off-by: Josh Soref --- rules/k8s_audit_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/k8s_audit_rules.yaml b/rules/k8s_audit_rules.yaml index 73611abf3dc..739e54ffd1a 100644 --- a/rules/k8s_audit_rules.yaml +++ b/rules/k8s_audit_rules.yaml @@ -572,7 +572,7 @@ # cluster creation. This may signify a permission setting too broader. # As we can't check for role of the user on a general ka.* event, this # may or may not be an administrator. Customize the full_admin_k8s_users -# list to your needs, and activate at your discrection. +# list to your needs, and activate at your discretion. # # How to test: # # Execute any kubectl command connected using default cluster user, as: From 9c5837294929577d43e4ae7490f2d2758dace66d Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 01:48:01 -0500 Subject: [PATCH 19/62] spelling: error Signed-off-by: Josh Soref --- userspace/engine/lua/modules/parser.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/userspace/engine/lua/modules/parser.lua b/userspace/engine/lua/modules/parser.lua index 8814cd80e26..27fc5955bcc 100644 
--- a/userspace/engine/lua/modules/parser.lua +++ b/userspace/engine/lua/modules/parser.lua @@ -57,7 +57,7 @@ local function geterrorinfo() end end --- creates an errror message using the farthest failure position +-- creates an error message using the farthest failure position local function errormsg() return geterrorinfo() / function(t) local p = t.ffp or 1 From 160156d65599e6d7b689981568d8eb26cd1aafc6 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 01:48:02 -0500 Subject: [PATCH 20/62] spelling: expand Signed-off-by: Josh Soref --- rules/k8s_audit_rules.yaml | 2 +- test/rules/k8s_audit/engine_v4_k8s_audit_rules.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/k8s_audit_rules.yaml b/rules/k8s_audit_rules.yaml index 739e54ffd1a..0052a8a8acf 100644 --- a/rules/k8s_audit_rules.yaml +++ b/rules/k8s_audit_rules.yaml @@ -366,7 +366,7 @@ tags: [k8s] # Detect any attempt to create a ClusterRoleBinding to the cluster-admin user -# (exapand this to any built-in cluster role that does "sensitive" things) +# (expand this to any built-in cluster role that does "sensitive" things) - rule: Attach to cluster-admin Role desc: Detect any attempt to create a ClusterRoleBinding to the cluster-admin user condition: kevt and clusterrolebinding and kcreate and ka.req.binding.role=cluster-admin diff --git a/test/rules/k8s_audit/engine_v4_k8s_audit_rules.yaml b/test/rules/k8s_audit/engine_v4_k8s_audit_rules.yaml index b93771729cb..f95d485ad60 100644 --- a/test/rules/k8s_audit/engine_v4_k8s_audit_rules.yaml +++ b/test/rules/k8s_audit/engine_v4_k8s_audit_rules.yaml 
@@ -246,7 +246,7 @@ tags: [k8s] # Detect any attempt to create a ClusterRoleBinding to the cluster-admin user -# (exapand this to any built-in cluster role that does "sensitive" things) +# (expand this to any built-in cluster role that does "sensitive" things) - rule: Attach to cluster-admin Role desc: Detect any attempt to create a ClusterRoleBinding to the cluster-admin user condition: kevt and clusterrolebinding and kcreate and ka.req.binding.role=cluster-admin From 7c9caf3a00515f6aa74dd29eecf3efe0ab46dca3 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 01:48:02 -0500 Subject: [PATCH 21/62] spelling: extractor Signed-off-by: Josh Soref --- proposals/20210501-plugin-system.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/proposals/20210501-plugin-system.md b/proposals/20210501-plugin-system.md index 58a12f673bf..b8c35b40ff7 100644 --- a/proposals/20210501-plugin-system.md +++ b/proposals/20210501-plugin-system.md 
@@ -66,7 +66,7 @@ Source plugins also provide an "id", which is globally unique and is used in cap An extractor plugin focuses only on field extraction from events generated by other plugins, or by the core libraries. It does *not* provide an event source, but can extract fields from other event sources. An example is json field extraction, where a plugin might be able to extract fields from arbitrary json payloads. -An extractor plugin provides an optional set of event sources. When the framework receives an event with an event source in the plugin's set of event sources, fields in expressions/Falco outputs will be extracted from events using the plugin. An extractor plugin can also *not* name a set of event sources. In this case, fields will be extracted from *all* events, regardless of source. In this case, the exctractor plugin must detect the format of arbitrary payloads and be able to return NULL/no value when the payload is not supported. +An extractor plugin provides an optional set of event sources. When the framework receives an event with an event source in the plugin's set of event sources, fields in expressions/Falco outputs will be extracted from events using the plugin. An extractor plugin can also *not* name a set of event sources. In this case, fields will be extracted from *all* events, regardless of source. In this case, the extractor plugin must detect the format of arbitrary payloads and be able to return NULL/no value when the payload is not supported. ### Support for Plugin Events in Capture Files. @@ -474,7 +474,7 @@ typedef struct // Return value: a json array of strings containing event // sources returned by a source plugin's get_event_source() // function. - // This function is optional--if NULL then the exctractor + // This function is optional--if NULL then the extractor // plugin will receive every event. // char* (*get_extract_event_sources)(); From 9eedf213e7e31669de1e7795729d9b13d9b27f88 Mon Sep 17 00:00:00 2001 
From: Josh Soref Date: Thu, 24 Feb 2022 01:48:03 -0500 Subject: [PATCH 22/62] spelling: falcosecurity Signed-off-by: Josh Soref --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 547a2dd6fd3..8354a6cf7b2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,7 +8,7 @@ Released on 2022-01-31 * new: add support for plugins to extend Falco functionality to new event sources and custom fields [[#1753](https://github.com/falcosecurity/falco/pull/1753)] - [@mstemm](https://github.com/mstemm) -* new: add ability to set User-Agent http header when sending http output. Provide default value of 'falcosecurit/falco'. [[#1850](https://github.com/falcosecurity/falco/pull/1850)] - [@yoshi314](https://github.com/yoshi314) +* new: add ability to set User-Agent http header when sending http output. Provide default value of 'falcosecurity/falco'. [[#1850](https://github.com/falcosecurity/falco/pull/1850)] - [@yoshi314](https://github.com/yoshi314) * new(configuration): support defining plugin init config as a YAML [[#1852](https://github.com/falcosecurity/falco/pull/1852)] - [@jasondellaluce](https://github.com/jasondellaluce) From e2b16adc3c45a900cf2771adb5d9f8ff21245451 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 01:17:52 -0500 Subject: [PATCH 23/62] spelling: github Signed-off-by: Josh Soref --- RELEASE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE.md b/RELEASE.md index f09e7a0d58e..dd9ae26be29 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -95,7 +95,7 @@ Now assume `x.y.z` is the new version. #### Release Manager - + ``` - Finally, publish the release! From a41a6358210633a745a4deb142beca411c4f0730 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 01:48:03 -0500 Subject: [PATCH 24/62] spelling: hierarchy Signed-off-by: Josh Soref --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 2281a9892e3..70f0c0c9783 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -564,7 +564,7 @@ # Qualys seems to run a variety of shell subprocesses, at various # levels. This checks at a few levels without the cost of a full -# proc.aname, which traverses the full parent heirarchy. +# proc.aname, which traverses the full parent hierarchy. - macro: run_by_qualys condition: > (proc.pname=qualys-cloud-ag or From d4b6a7f8d8fb3a8dd1bc990291ddd23b359b0768 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 01:48:04 -0500 Subject: [PATCH 25/62] spelling: hipaa Signed-off-by: Josh Soref --- ADOPTERS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ADOPTERS.md b/ADOPTERS.md index 4e8139c0d02..cd8bbcc209e 100644 --- a/ADOPTERS.md +++ b/ADOPTERS.md 
@@ -39,7 +39,7 @@ This is a list of production adopters of Falco (in alphabetical order): * [Pocteo](https://pocteo.co) - Pocteo helps with Kubernetes adoption in enterprises by providing a variety of services such as training, consulting, auditing and mentoring. We build CI/CD pipelines the GitOps way, as well as design and run k8s clusters. Pocteo uses Falco as a runtime monitoring system to secure clients' workloads against suspicious behavior and ensure k8s pods immutability. We also use Falco to collect, process and act on security events through a response engine and serverless functions. -* [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPPA compliance requirements. +* [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPAA compliance requirements. * https://hipaa.preferral.com/01-preferral_hipaa_compliance/ * [Qonto](https://qonto.com) - Qonto is a modern banking for SMEs and freelancers. Qonto provides a fully featured business account with a simplified accounting flow. Falco is used by our SecOps team to detect suspicous behaviors in our clusters. 
From 38ee45bc6f33aed55a3504f94b3e1fec74ccba2a Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 01:22:40 -0500 Subject: [PATCH 26/62] spelling: https://cryptoioc.ch Signed-off-by: Josh Soref --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 70f0c0c9783..78dc359573c 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -2818,7 +2818,7 @@ desc: Miners typically connect to miner pools on common ports. condition: net_miner_pool and not trusted_images_query_miner_domain_dns enabled: false - output: Outbound connection to IP/Port flagged by cryptoioc.ch (command=%proc.cmdline port=%fd.rport ip=%fd.rip container=%container.info image=%container.image.repository) + output: Outbound connection to IP/Port flagged by https://cryptoioc.ch (command=%proc.cmdline port=%fd.rport ip=%fd.rip container=%container.info image=%container.image.repository) priority: CRITICAL tags: [network, mitre_execution] From 456b365a201bba7edb606ef4544d8c7ba43f8abc Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 01:48:04 -0500 Subject: [PATCH 27/62] spelling: implicit Signed-off-by: Josh Soref --- proposals/20200828-structured-exception-handling.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/20200828-structured-exception-handling.md b/proposals/20200828-structured-exception-handling.md index 5827c8afb55..eb03da99077 100644 --- a/proposals/20200828-structured-exception-handling.md +++ b/proposals/20200828-structured-exception-handling.md 
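Review bot: The line changed here is the rule's `output:` field, i.e. the alert text Falco emits at runtime, not a comment, so any consumer that matches on the literal `flagged by cryptoioc.ch` (SIEM correlation rules, output-parsing integrations, regression fixtures) will silently stop matching once this lands. The commit title `spelling: https://cryptoioc.ch` understates that; I would either state the output change explicitly in the commit message and CHANGELOG, or leave the output text alone and put the full URL in the `desc` field, which is metadata rather than alert text. The rule is `enabled: false` by default, which narrows the blast radius but does not remove it for users who have enabled it. The rule's `- rule:` header line sits above the hunk.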
@@ -202,7 +202,7 @@ Finally, note that the structure of the values property differs between the item ### Implementation -For exception items where the fields property is a list of field names, each exception can be thought of as an implicit "and not (field1 cmp1 val1 and field2 cmp2 val2 and...)" appended to the rule's condition. For exception items where the fields property is a single field name, the exception can be thought of as an implict "and not field cmp (val1, val2, ...)". In practice, that's how exceptions will be implemented. +For exception items where the fields property is a list of field names, each exception can be thought of as an implicit "and not (field1 cmp1 val1 and field2 cmp2 val2 and...)" appended to the rule's condition. For exception items where the fields property is a single field name, the exception can be thought of as an implicit "and not field cmp (val1, val2, ...)". In practice, that's how exceptions will be implemented. When a rule is parsed, the original condition will be wrapped in an extra layer of parentheses and all exception values will be appended to the condition. For example, using the example above, the resulting condition will be: From bfd582a0c9887de9bfff8ac28a79d5d7de750b3f Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Thu, 24 Feb 2022 01:48:04 -0500 Subject: [PATCH 28/62] spelling: launch Signed-off-by: Josh Soref --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8354a6cf7b2..ef75d3d4b27 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1220,7 +1220,7 @@ Released 2019-01-16
 * Fix FPs related to `apt-config`/`apt-cache`, `apk` [[#490](https://github.com/falcosecurity/falco/pull/490)]
-* New rules `Launch Package Management Process in Container`, `Netcat Remote Code Execution in Container`, `Lauch Suspicious Network Tool in Container` look for host-level network tools like `netcat`, package management tools like `apt-get`, or network tool binaries being run in a container. [[#490](https://github.com/falcosecurity/falco/pull/490)]
+* New rules `Launch Package Management Process in Container`, `Netcat Remote Code Execution in Container`, `Launch Suspicious Network Tool in Container` look for host-level network tools like `netcat`, package management tools like `apt-get`, or network tool binaries being run in a container. [[#490](https://github.com/falcosecurity/falco/pull/490)]
 * Fix the `inbound` and `outbound` macros so they work with sendto/recvfrom/sendmsg/recvmsg. [[#470](https://github.com/falcosecurity/falco/pull/470)]
@@ -1253,7 +1253,7 @@ Released 2018-11-09
 * Better coverage (e.g. reduced FPs) for critical stack, hids systems, ufw, cloud-init, etc. [[#445](https://github.com/falcosecurity/falco/pull/445)]
-* New rules `Launch Package Management Process in Container`, `Netcat Remote Code Execution in Container`, and `Lauch Suspicious Network Tool in Container` look for running various suspicious programs in a container. [[#461](https://github.com/falcosecurity/falco/pull/461)]
+* New rules `Launch Package Management Process in Container`, `Netcat Remote Code Execution in Container`, and `Launch Suspicious Network Tool in Container` look for running various suspicious programs in a container. [[#461](https://github.com/falcosecurity/falco/pull/461)]
 * Misc changes to address false positives in GKE, Istio, etc. [[#455](https://github.com/falcosecurity/falco/pull/455)] [[#439](https://github.com/falcosecurity/falco/issues/439)]
From 772963619e9de54fd302032759e09db06c1a3078 Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:05 -0500
Subject: [PATCH 29/62] spelling: lexicographically
Signed-off-by: Josh Soref
---
 .cmake-format | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.cmake-format b/.cmake-format
index 82391823501..268cb0543b3 100644
--- a/.cmake-format
+++ b/.cmake-format
@@ -54,7 +54,7 @@ always_wrap = []
 algorithm_order = [0, 1, 2, 3, 4]
 # If true, the argument lists which are known to be sortable will be sorted
-# lexicographicall
+# lexicographically
 enable_sort = True
 # If true, the parsers may infer whether or not an argument list is sortable
From a106213d99cbb6b49ed89efb05cc1a5012677ab2 Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:06 -0500
Subject: [PATCH 30/62] spelling: manageable
Signed-off-by: Josh Soref
---
 proposals/20210501-plugin-system.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/proposals/20210501-plugin-system.md b/proposals/20210501-plugin-system.md
index b8c35b40ff7..7b65ab7378f 100644
--- a/proposals/20210501-plugin-system.md
+++ b/proposals/20210501-plugin-system.md
@@ -526,7 +526,7 @@ We will also make a change to compile rules/macros/lists selectively based on th
 ### Handling Duplicate/Overlapping Fields in Plugins/Libraries Core
-At an initial glance, adding plugins introduces the possibility of tens/hundreds of new filtercheck fields that could potentially overlap/conflict. For example, what happens if a plugin defines a "proc.name" field? However, the notion of "event source" makes these potential conflicts managable.
+At an initial glance, adding plugins introduces the possibility of tens/hundreds of new filtercheck fields that could potentially overlap/conflict. For example, what happens if a plugin defines a "proc.name" field? However, the notion of "event source" makes these potential conflicts manageable.
 Remember that field extraction is always done in the context of an event, and each event can be mapped back to an event source. So we only need to ensure that filtercheck fields are distinct for a given event source. For example, it's perfectly valid for an AWS Cloudtrail plugin to define a proc.name field, as the events generated by that plugin are wholly separate from syscall events. For syscall events, the AWS Cloudtrail plugin is not involved and the core libraries extract the process name for the tid performing a syscall. For AWS Cloudtrail events, the core libraries are not involved in field extraction and is performed by the AWS Cloudtrail plugin instead.
From 9b61a0d92d644af68cd9ce0d8aecd9f87ba9e742 Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:06 -0500
Subject: [PATCH 31/62] spelling: minikube
Signed-off-by: Josh Soref
---
 proposals/20200506-artifacts-scope-part-1.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/proposals/20200506-artifacts-scope-part-1.md b/proposals/20200506-artifacts-scope-part-1.md
index 4f5a547d444..ca127c24d56 100644
--- a/proposals/20200506-artifacts-scope-part-1.md
+++ b/proposals/20200506-artifacts-scope-part-1.md
@@ -111,4 +111,4 @@ Update documentation in [falco-website#184](https://github.com/falcosecurity/fal
 ### Adjusting projects
 - YAML manifest documentation to be moved to `contrib`
- - Minkube, Kind, Puppet, Ansible, etc documentation to be moved to `contrib`
+ - Minikube, Kind, Puppet, Ansible, etc documentation to be moved to `contrib`
From 68c9065d6dd68967f4caed3a51b23495ad3a580d Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:07 -0500
Subject: [PATCH 32/62] spelling: multitrailing
Signed-off-by: Josh Soref
---
 test/falco_tests.yaml | 4 ++--
 test/rules/falco_rules_warnings.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/test/falco_tests.yaml b/test/falco_tests.yaml
index cad3029b9fd..c853662456d 100644
--- a/test/falco_tests.yaml
+++ b/test/falco_tests.yaml
@@ -44,8 +44,8 @@ trace_files: !mux
 - not_equals_after_evttype: [execve]
 - not_after_evttype: [execve]
 - leading_trailing_evttypes: [execve,open]
- - leading_multtrailing_evttypes: [connect,execve,open]
- - leading_multtrailing_evttypes_using_in: [connect,execve,open]
+ - leading_multitrailing_evttypes: [connect,execve,open]
+ - leading_multitrailing_evttypes_using_in: [connect,execve,open]
 - not_equals_at_end: [all]
 - not_at_end: [all]
 - not_before_trailing_evttype: [all]
diff --git a/test/rules/falco_rules_warnings.yaml b/test/rules/falco_rules_warnings.yaml
index ba44d971ba6..38d390d6819 100644
--- a/test/rules/falco_rules_warnings.yaml
+++ b/test/rules/falco_rules_warnings.yaml
@@ -56,13 +56,13 @@
 output: "None"
 priority: WARNING
-- rule: leading_multtrailing_evttypes
+- rule: leading_multitrailing_evttypes
 desc: one evttype at beginning, multiple at end
 condition: evt.type=execve and proc.name=foo or evt.type=open or evt.type=connect
 output: "None"
 priority: WARNING
-- rule: leading_multtrailing_evttypes_using_in
+- rule: leading_multitrailing_evttypes_using_in
 desc: one evttype at beginning, multiple at end, using in
 condition: evt.type=execve and proc.name=foo or evt.type in (open, connect)
 output: "None"
From 110aeba2351d22b3d5b2a64d2110b35e47cbe029 Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:07 -0500
Subject: [PATCH 33/62] spelling: official
Signed-off-by: Josh Soref
---
 proposals/20200506-artifacts-scope-part-1.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/proposals/20200506-artifacts-scope-part-1.md b/proposals/20200506-artifacts-scope-part-1.md
index ca127c24d56..9d79a81df0b 100644
--- a/proposals/20200506-artifacts-scope-part-1.md
+++ b/proposals/20200506-artifacts-scope-part-1.md
@@ -82,7 +82,7 @@ This is done as needed, and can best be measured by the need to cut a release an
 ### official support
-As the need for a project grows, it can ultimately achieve the highest and most coveted status within The Falco Project. "_Offical support_."
+As the need for a project grows, it can ultimately achieve the highest and most coveted status within The Falco Project. "_Official support_."
 The artifacts listed above are part of the official Falco release process. These artifact will be refined and amended by the [Part 2](./20200506-artifacts-scope-part-2.md).
From 028e15111d5900ea80aef3d55a05e44b230fca6c Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:08 -0500
Subject: [PATCH 34/62] spelling: parentheses
Signed-off-by: Josh Soref
---
 proposals/20200828-structured-exception-handling.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/proposals/20200828-structured-exception-handling.md b/proposals/20200828-structured-exception-handling.md
index eb03da99077..cc3c49aef2f 100644
--- a/proposals/20200828-structured-exception-handling.md
+++ b/proposals/20200828-structured-exception-handling.md
@@ -196,7 +196,7 @@ Exception values will most commonly be defined in rules with append: true. Here'
 A rule exception applies if for a given event, the fields in a rule.exception match all of the values in some exception.item. For example, if a program `apk` writes to a file below `/usr/lib/alpine`, the rule will not trigger, even if the condition is met.
-Notice that an item in a values list can be a list. This allows building exceptions with operators like "in", "pmatch", etc. that work on a list of items. The item can also be a name of an existing list. If not present surrounding parantheses will be added.
+Notice that an item in a values list can be a list. This allows building exceptions with operators like "in", "pmatch", etc. that work on a list of items. The item can also be a name of an existing list. If not present surrounding parentheses will be added.
 Finally, note that the structure of the values property differs between the items where fields is a list of fields (proc_writer/container_writer/proc_filenames) and when it is a single field (procs_only). This changes how the condition snippet is constructed.
From 448e7595ed727118efe931d997088ff067f77331 Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 19:37:26 -0500
Subject: [PATCH 35/62] spelling: prerequisites
Signed-off-by: Josh Soref
---
 userspace/falco/application.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/userspace/falco/application.h b/userspace/falco/application.h
index b4e3ede9b00..9a2fb41d112 100644
--- a/userspace/falco/application.h
+++ b/userspace/falco/application.h
@@ -18,7 +18,7 @@ limitations under the License.
 // falco.cpp. We expect it will be responsible for the following:
 // - Parsing/validating command line options
 // - Parsing/validing falco config
-// - Initialize prerequsites (inspector, falco engine, webserver, etc)
+// - Initialize prerequisites (inspector, falco engine, webserver, etc)
 // - Loading plugins
 // - Loading/validating rules
 // - Command/subcommand execution (e.g. --list/--list-fields, or
From d2d6c031ab90a1d3360f18357fd2592cf168efd9 Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:08 -0500
Subject: [PATCH 36/62] spelling: priorities
Signed-off-by: Josh Soref
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ef75d3d4b27..6f7a2189e12 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -910,7 +910,7 @@ Released 2019-07-31
 * Fix a problem that would cause prevent container metadata lookups when falco was daemonized [[#731](https://github.com/falcosecurity/falco/pull/731)]
-* Allow rule priorites to be expressed as lowercase and a mix of lower/uppercase [[#737](https://github.com/falcosecurity/falco/pull/737)]
+* Allow rule priorities to be expressed as lowercase and a mix of lower/uppercase [[#737](https://github.com/falcosecurity/falco/pull/737)]
 ### Rule Changes
From a3de3e7a5694430d8b28d1b83425524c9406a375 Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:09 -0500
Subject: [PATCH 37/62] spelling: privileged
Signed-off-by: Josh Soref
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 78dc359573c..18fe779bdb9 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3062,7 +3062,7 @@
 condition: (proc.args="" or proc.args intersects ("-V", "-l", "-h"))
 - rule: Mount Launched in Privileged Container
- desc: Detect file system mount happened inside a privilegd container which might lead to container escape.
+ desc: Detect file system mount happened inside a privileged container which might lead to container escape.
 condition: >
 spawned_process and container
 and container.privileged=true
From 5d6662430f00e8d0fe03fb2c86af1e2a978b98bf Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:09 -0500
Subject: [PATCH 38/62] spelling: processing
Signed-off-by: Josh Soref
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6f7a2189e12..1e57df02bee 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -795,7 +795,7 @@ Released on 2020-01-23
 ### Bug Fixes
 * fix: providing clang into docker-builder [[#972](https://github.com/falcosecurity/falco/pull/972)]
-* fix: prevent throwing json type error c++ exceptions outside of the falco engine when procesing k8s audit events. [[#928](https://github.com/falcosecurity/falco/pull/928)]
+* fix: prevent throwing json type error c++ exceptions outside of the falco engine when processing k8s audit events. [[#928](https://github.com/falcosecurity/falco/pull/928)]
 * fix(docker/kernel/linuxkit): correct from for falco minimal image [[#913](https://github.com/falcosecurity/falco/pull/913)]
 ### Rule Changes
From 67963a5f2fa6584a54f8ea86f5535ad429de2f52 Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:09 -0500
Subject: [PATCH 39/62] spelling: provided
Signed-off-by: Josh Soref
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1e57df02bee..ffb89e36770 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -88,7 +88,7 @@ Released on 2022-01-31
 * fix(build): use consistent 7-character build abbrev sha [[#1830](https://github.com/falcosecurity/falco/pull/1830)] - [@LucaGuerra](https://github.com/LucaGuerra)
 * add Phoenix to adopters list [[#1806](https://github.com/falcosecurity/falco/pull/1806)] - [@kaldyka](https://github.com/kaldyka)
 * remove unused files in test directory [[#1801](https://github.com/falcosecurity/falco/pull/1801)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* drop Falco luajit module, use the one provied by libs [[#1788](https://github.com/falcosecurity/falco/pull/1788)] - [@FedeDP](https://github.com/FedeDP)
+* drop Falco luajit module, use the one provided by libs [[#1788](https://github.com/falcosecurity/falco/pull/1788)] - [@FedeDP](https://github.com/FedeDP)
 * chore(build): update libs version to 7906f7e [[#1790](https://github.com/falcosecurity/falco/pull/1790)] - [@LucaGuerra](https://github.com/LucaGuerra)
 * Add SysFlow to list of libs adopters [[#1747](https://github.com/falcosecurity/falco/pull/1747)] - [@araujof](https://github.com/araujof)
 * build: dropped centos8 circleci build because it is useless [[#1882](https://github.com/falcosecurity/falco/pull/1882)] - [@FedeDP](https://github.com/FedeDP)
From 1e95eaeb8e39d59c632f49af7d0cf4f05adfa1ba Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:10 -0500
Subject: [PATCH 40/62] spelling: readability
Signed-off-by: Josh Soref
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ffb89e36770..063d91ba48e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1105,7 +1105,7 @@ Released 2019-05-13
 * Docker-based builder/tester: You can now build Falco using the [falco-builder](https://falco.org/docs/source/#build-using-falco-builder-container) docker image, and run regression tests using the [falco-tester](https://falco.org/docs/source/#test-using-falco-tester-container) docker image. [[#522](https://github.com/falcosecurity/falco/pull/522)] [[#584](https://github.com/falcosecurity/falco/pull/584)]
-* Several small docs changes to improve clarity and readibility [[#524](https://github.com/falcosecurity/falco/pull/524)] [[#540](https://github.com/falcosecurity/falco/pull/540)] [[#541](https://github.com/falcosecurity/falco/pull/541)] [[#542](https://github.com/falcosecurity/falco/pull/542)]
+* Several small docs changes to improve clarity and readability [[#524](https://github.com/falcosecurity/falco/pull/524)] [[#540](https://github.com/falcosecurity/falco/pull/540)] [[#541](https://github.com/falcosecurity/falco/pull/541)] [[#542](https://github.com/falcosecurity/falco/pull/542)]
 * Add instructions on how to enable K8s Audit Logging for kops [[#535](https://github.com/falcosecurity/falco/pull/535)]
From 7ac6f2e76f8b08cf5bb0b5eb5471eaeaf0563911 Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:10 -0500
Subject: [PATCH 41/62] spelling: resolutions
Signed-off-by: Josh Soref
---
 userspace/engine/lua/modules/compiler.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/userspace/engine/lua/modules/compiler.lua b/userspace/engine/lua/modules/compiler.lua
index 52d22a1e378..7f9ffa2895d 100644
--- a/userspace/engine/lua/modules/compiler.lua
+++ b/userspace/engine/lua/modules/compiler.lua
@@ -41,7 +41,7 @@ end
 The return value is a boolean which is true if any macro was
 substitued. This allows a caller to re-traverse until no more macros are
- found, a simple strategy for recursive resoltuions (e.g. when a macro
+ found, a simple strategy for recursive resolutions (e.g. when a macro
 definition uses another macro).
 --]]
From 8d8bd6d9a8bbebc60b69b46cc0c4c9e062be504c Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:11 -0500
Subject: [PATCH 42/62] spelling: rules
Signed-off-by: Josh Soref
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 063d91ba48e..9962c2dac8f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1409,7 +1409,7 @@ Released 2017-10-10
 Released 2017-10-10
-**Important**: the location for falco's configuration file has moved from `/etc/falco.yaml` to `/etc/falco/falco.yaml`. The default rules file has moved from `/etc/falco_rules.yaml` to `/etc/falco/falco_rules.yaml`. In addition, 0.8.0 has added a _local_ ruls file to `/etc/falco/falco_rules.local.yaml`. See [the documentation](https://github.com/draios/falco/wiki/Falco-Default-and-Local-Rules-Files) for more details.
+**Important**: the location for falco's configuration file has moved from `/etc/falco.yaml` to `/etc/falco/falco.yaml`. The default rules file has moved from `/etc/falco_rules.yaml` to `/etc/falco/falco_rules.yaml`. In addition, 0.8.0 has added a _local_ rules file to `/etc/falco/falco_rules.local.yaml`. See [the documentation](https://github.com/draios/falco/wiki/Falco-Default-and-Local-Rules-Files) for more details.
 ### Major Changes
From fd61a4c91ffedd5c077eea8a926d30bf2dff3c83 Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:11 -0500
Subject: [PATCH 43/62] spelling: separate
Signed-off-by: Josh Soref
---
 userspace/engine/lua/rule_loader.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/userspace/engine/lua/rule_loader.lua b/userspace/engine/lua/rule_loader.lua
index c6902f38c6f..d8db151aaca 100644
--- a/userspace/engine/lua/rule_loader.lua
+++ b/userspace/engine/lua/rule_loader.lua
@@ -609,7 +609,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
 return false, build_error_with_context(v['context'], "Rule exception item must have name property"), warnings
 end
- -- Seperate case when a exception name is not found
+ -- Separate case when a exception name is not found
 -- This means that a new exception is being appended
 local new_exception = true
From b10592553cd166607036ad93cc8653167a8796e3 Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:11 -0500
Subject: [PATCH 44/62] spelling: substituted
Signed-off-by: Josh Soref
---
 userspace/engine/lua/modules/compiler.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/userspace/engine/lua/modules/compiler.lua b/userspace/engine/lua/modules/compiler.lua
index 7f9ffa2895d..3e2cf283343 100644
--- a/userspace/engine/lua/modules/compiler.lua
+++ b/userspace/engine/lua/modules/compiler.lua
@@ -40,7 +40,7 @@ end
 The AST is changed in-place.
 The return value is a boolean which is true if any macro was
- substitued. This allows a caller to re-traverse until no more macros are
+ substituted. This allows a caller to re-traverse until no more macros are
 found, a simple strategy for recursive resolutions (e.g. when a macro
 definition uses another macro).
From 83e37c8b3a4a3fcdf31e9ac207caeb8db9a79d58 Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:12 -0500
Subject: [PATCH 45/62] spelling: successfully
Signed-off-by: Josh Soref
---
 test/README.md | 2 +-
 userspace/falco/falco.cpp | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/README.md b/test/README.md
index a3e5bbd6da3..feae2dceecb 100644
--- a/test/README.md
+++ b/test/README.md
@@ -71,7 +71,7 @@ The `falco_traces.yaml` test suite gets generated through the `falco_traces.yaml
 ### falco_tests_package
-The `falco_tests_package.yaml` test suite requires some additional setup steps to be succesfully run on your local machine.
+The `falco_tests_package.yaml` test suite requires some additional setup steps to be successfully run on your local machine.
 In particular, it requires some runners (ie., docker images) to be already built and present into your local machine.
diff --git a/userspace/falco/falco.cpp b/userspace/falco/falco.cpp
index 74ae7a4c954..3a0cfbd8af9 100644
--- a/userspace/falco/falco.cpp
+++ b/userspace/falco/falco.cpp
@@ -242,7 +242,7 @@ uint64_t do_inspect(falco_engine *engine,
 throw sinsp_exception(inspector->getlasterr().c_str());
 }
- // Reset the timeouts counter, Falco succesfully got an event to process
+ // Reset the timeouts counter, Falco successfully got an event to process
 timeouts_since_last_success_or_msg = 0;
 if(duration_start == 0)
 {
From e4398c398ef5e10a81c0d6608ffb070a4ae56096 Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:12 -0500
Subject: [PATCH 46/62] spelling: superseded
Signed-off-by: Josh Soref
---
 proposals/20200901-artifacts-cleanup.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/proposals/20200901-artifacts-cleanup.md b/proposals/20200901-artifacts-cleanup.md
index e4be27703f5..c1f7891252e 100644
--- a/proposals/20200901-artifacts-cleanup.md
+++ b/proposals/20200901-artifacts-cleanup.md
@@ -2,7 +2,7 @@
 This document reflects when and how we clean up the Falco artifacts from their storage location.
-**Superseeded by**: [drivers-storage-s3 proposal](https://github.com/falcosecurity/falco/blob/master/proposals/20201025-drivers-storage-s3.md).
+**Superseded by**: [drivers-storage-s3 proposal](https://github.com/falcosecurity/falco/blob/master/proposals/20201025-drivers-storage-s3.md).
 ## Motivation
From 8722802f44882f953ebdf2e72dbb44d282e6e001 Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:12 -0500
Subject: [PATCH 47/62] spelling: suspicious
Signed-off-by: Josh Soref
---
 ADOPTERS.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ADOPTERS.md b/ADOPTERS.md
index cd8bbcc209e..2d8344d6d7a 100644
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -42,7 +42,7 @@ This is a list of production adopters of Falco (in alphabetical order):
 * [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPAA compliance requirements.
 * https://hipaa.preferral.com/01-preferral_hipaa_compliance/
-* [Qonto](https://qonto.com) - Qonto is a modern banking for SMEs and freelancers. Qonto provides a fully featured business account with a simplified accounting flow. Falco is used by our SecOps team to detect suspicous behaviors in our clusters.
+* [Qonto](https://qonto.com) - Qonto is a modern banking for SMEs and freelancers. Qonto provides a fully featured business account with a simplified accounting flow. Falco is used by our SecOps team to detect suspicious behaviors in our clusters.
 * [Raft](https://goraft.tech) - Raft is a government contractor that offers cloud-native solutions across many different agencies including DoD (Department of Defense), HHS (Health and Human Services), as well as within CFPB (Consumer Finance Protection Bureau). Raft leverages Falco to detect threats in our client's Kubernetes clusters and as a Host Intrusion Detection System. Raft proudly recommends Falco across all our different projects.
From d4aaac180f305059ec62e2a751ec8a5001def9c6 Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:13 -0500
Subject: [PATCH 48/62] spelling: syntactic
Signed-off-by: Josh Soref
---
 proposals/20200828-structured-exception-handling.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/proposals/20200828-structured-exception-handling.md b/proposals/20200828-structured-exception-handling.md
index cc3c49aef2f..5df4d487f98 100644
--- a/proposals/20200828-structured-exception-handling.md
+++ b/proposals/20200828-structured-exception-handling.md
@@ -214,7 +214,7 @@ When a rule is parsed, the original condition will be wrapped in an extra layer
 (fd.filename in (python, go))))
 ```
-The exceptions are effectively syntatic sugar that allows expressing sets of exceptions in a concise way.
+The exceptions are effectively syntactic sugar that allows expressing sets of exceptions in a concise way.
 ### Advantages
From 71783ae986a14a111d224f6aa3c6f6f4f5299738 Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:13 -0500
Subject: [PATCH 49/62] spelling: temporarily
Signed-off-by: Josh Soref
---
 .circleci/config.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 63e0c0c7f77..9afbcb353c8 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -661,7 +661,7 @@ workflows:
 only: master
 requires:
 - publish/docker-dev
- # - "quality/static-analysis" # This is temporarly disabled: https://github.com/falcosecurity/falco/issues/1526
+ # - "quality/static-analysis" # This is temporarily disabled: https://github.com/falcosecurity/falco/issues/1526
 release:
 jobs:
 - "build/musl":
From 41834eeba699cd5826589f2f5e887b924e049c08 Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:18:23 -0500
Subject: [PATCH 50/62] spelling: that
Signed-off-by: Josh Soref
---
 proposals/20190909-psp-rules-support.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/proposals/20190909-psp-rules-support.md b/proposals/20190909-psp-rules-support.md
index 28129620823..b12fbc20a0a 100644
--- a/proposals/20190909-psp-rules-support.md
+++ b/proposals/20190909-psp-rules-support.md
@@ -27,7 +27,7 @@ That's where Falco comes in. We want to make it possible for Falco to perform a
 Transparently read a candidate PSP into an equivalent set of Falco rules that can look for the conditions in the PSP.
-The PSP is converted into a set of Falco rules which can be either saved as a file for later use/inspection, or loaded directly so they they can monitor system calls and k8s audit activity.
+The PSP is converted into a set of Falco rules which can be either saved as a file for later use/inspection, or loaded directly so that they can monitor system calls and k8s audit activity.
 ### Non-Goals
From f59c9e2dab6b4c8a971ff3d474e38d9d885cdaaf Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:14 -0500
Subject: [PATCH 51/62] spelling: the extraction
Signed-off-by: Josh Soref
---
 userspace/engine/json_evt.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/userspace/engine/json_evt.h b/userspace/engine/json_evt.h
index e7c637d085f..40fe85f1a45 100644
--- a/userspace/engine/json_evt.h
+++ b/userspace/engine/json_evt.h
@@ -278,7 +278,7 @@ class json_event_filter_check : public gen_event_filter_check
 // events. See alias struct for usage.
 std::list m_jptrs;
- // Theextraction function to use. May not be defined, in which
+ // The extraction function to use. May not be defined, in which
 // case the default function is used.
 extract_t m_extract;
From 3ef4e7b0d81f4625e9a16a41e31d4ef118c64213 Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:18:41 -0500
Subject: [PATCH 52/62] spelling: the
Signed-off-by: Josh Soref
---
 userspace/engine/falco_engine.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/userspace/engine/falco_engine.cpp b/userspace/engine/falco_engine.cpp
index f473d17b1f5..a5ef6ee38d3 100644
--- a/userspace/engine/falco_engine.cpp
+++ b/userspace/engine/falco_engine.cpp
@@ -387,7 +387,7 @@ void falco_engine::describe_rule(string *rule)
 return m_rules->describe_rule(rule);
 }
-// Print statistics on the the rules that triggered
+// Print statistics on the rules that triggered
 void falco_engine::print_stats()
 {
 lua_getglobal(m_ls, lua_print_stats.c_str());
From 848c33e1891f56b4fc34b4d957f625960bf2a9d3 Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:49:21 -0500
Subject: [PATCH 53/62] spelling: themselves
Signed-off-by: Josh Soref
---
 rules/falco_rules.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 18fe779bdb9..35d58c075b0 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2193,7 +2193,7 @@
 # output: "sshd sent error message to syslog (error=%evt.buffer)"
 # priority: WARNING
-- macro: somebody_becoming_themself
+- macro: somebody_becoming_themselves
 condition: ((user.name=nobody and evt.arg.uid=nobody) or
 (user.name=www-data and evt.arg.uid=www-data) or
 (user.name=_apt and evt.arg.uid=_apt) or
@@ -2231,7 +2231,7 @@
 evt.type=setuid and evt.dir=>
 and (known_user_in_container or not container)
 and not (user.name=root or user.uid=0)
- and not somebody_becoming_themself
+ and not somebody_becoming_themselves
 and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries,
 docker_binaries, nomachine_binaries)
 and not proc.name startswith "runc:"
From ef016003df61c54d18d0b7161721308e9eb0a0a5 Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:14 -0500
Subject: [PATCH 54/62] spelling: third
Signed-off-by: Josh Soref
---
 proposals/20191030-api.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
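Review bot: The macro rename on the `-- macro:` / `+- macro:` lines of the 2193 hunk changes an identifier that user rules files override by redefining it under the same name, so a `falco_rules.local.yaml` that redefines `somebody_becoming_themself` keeps loading without any error but silently stops affecting the setuid rule in the 2231 hunk once that condition references `somebody_becoming_themselves`. That makes this an interface change rather than a spelling fix, and it is not called out anywhere in the series. At minimum add a changelog entry naming both the old and new macro; to keep third-party rules files that still reference the old name compiling, also keep `- macro: somebody_becoming_themself` defined with `condition: (somebody_becoming_themselves)` for a deprecation window. Note that such an alias only preserves references, not overrides, so the changelog wording should tell operators to rename their override.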
diff --git a/proposals/20191030-api.md b/proposals/20191030-api.md
index 9dffdc84443..6d6a6a7a9d5 100644
--- a/proposals/20191030-api.md
+++ b/proposals/20191030-api.md
@@ -12,7 +12,7 @@ Thus, this document intent is to propose a list of services that constitute the
 ## Motivation
-We want to enable users to use thirdy-party clients to interface with Falco outputs, inputs, rules, and configurations.
+We want to enable users to use third-party clients to interface with Falco outputs, inputs, rules, and configurations.
 Such ability would enable the community to create a whole set of OSS tools, built on top of Falco.
From 04b5e2f6eee110d9754812624bd3beaf38ea665b Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:15 -0500
Subject: [PATCH 55/62] spelling: trailing
Signed-off-by: Josh Soref
---
 userspace/falco/logger.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/userspace/falco/logger.cpp b/userspace/falco/logger.cpp
index 8dcaa9d8e1f..4cf9571dff3 100644
--- a/userspace/falco/logger.cpp
+++ b/userspace/falco/logger.cpp
@@ -120,7 +120,7 @@ void falco_logger::log(int priority, const string msg)
 if(atime)
 {
 tstr = atime;
- tstr = tstr.substr(0, 24);// remove trailling newline
+ tstr = tstr.substr(0, 24);// remove trailing newline
 }
 else
 {
From 1bb935572960ccb0c1a4a8973ca157c4224e8cab Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:16 -0500
Subject: [PATCH 56/62] spelling: triggered
Signed-off-by: Josh Soref
---
 CHANGELOG.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9962c2dac8f..9930381123b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -345,8 +345,8 @@ Released on 2021-01-18
 * docs(proposals): Exceptions handling proposal [[#1376](https://github.com/falcosecurity/falco/pull/1376)] - [@mstemm](https://github.com/mstemm)
 * docs: fix a broken link of README [[#1516](https://github.com/falcosecurity/falco/pull/1516)] - [@oke-py](https://github.com/oke-py)
 * docs: adding the kubernetes privileged use case to use cases [[#1484](https://github.com/falcosecurity/falco/pull/1484)] - [@fntlnz](https://github.com/fntlnz)
-* rules(Mkdir binary dirs): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [[#1386](https://github.com/falcosecurity/falco/pull/1386)] - [@jhwbarlow](https://github.com/jhwbarlow)
-* rules(Create Hidden Files): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [[#1386](https://github.com/falcosecurity/falco/pull/1386)] - [@jhwbarlow](https://github.com/jhwbarlow)
+* rules(Mkdir binary dirs): Adds exe_running_docker_save as an exception as this rules can be triggered when a container is created. [[#1386](https://github.com/falcosecurity/falco/pull/1386)] - [@jhwbarlow](https://github.com/jhwbarlow)
+* rules(Create Hidden Files): Adds exe_running_docker_save as an exception as this rules can be triggered when a container is created. [[#1386](https://github.com/falcosecurity/falco/pull/1386)] - [@jhwbarlow](https://github.com/jhwbarlow)
 * docs(.circleci): welcome Jonah (Amazon) as a new Falco CI maintainer [[#1518](https://github.com/falcosecurity/falco/pull/1518)] - [@leodido](https://github.com/leodido)
 * build: falcosecurity/falco:master also available on the AWS ECR Public registry [[#1512](https://github.com/falcosecurity/falco/pull/1512)] - [@leodido](https://github.com/leodido)
 * build: falcosecurity/falco:latest also available on the AWS ECR Public registry [[#1512](https://github.com/falcosecurity/falco/pull/1512)] - [@leodido](https://github.com/leodido)
From 493b15398ada412426b103b1c2887637c9deeb6b Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:16 -0500
Subject: [PATCH 57/62] spelling: unambiguously
Signed-off-by: Josh Soref
---
 proposals/20210501-plugin-system.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/proposals/20210501-plugin-system.md b/proposals/20210501-plugin-system.md
index 7b65ab7378f..d6fc74e81a3 100644
--- a/proposals/20210501-plugin-system.md
+++ b/proposals/20210501-plugin-system.md
@@ -91,7 +91,7 @@ The libraries will do everything possible to validate the data coming from the p
 ### Plugin/Event Source registries
-Every source plugin requires its own, unique plugin ID to interoperate with Falco and the other plugins. The plugin ID will be used by the libs to properly process incoming events (for example, when saving events to file and loading them back), and by plugins to unuambiguosly recognize their dependencies.
+Every source plugin requires its own, unique plugin ID to interoperate with Falco and the other plugins. The plugin ID will be used by the libs to properly process incoming events (for example, when saving events to file and loading them back), and by plugins to unambiguously recognize their dependencies.
 To facilitate the allocation and distribution of plugin IDs, we will require that plugin developers request IDs for their plugins to the Falco organization. The mechanism used for plugin allocation is not determined yet and will be discussed in the future.
From 941d7331787bbb17070c2b04c2d95d35753bf77f Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:17 -0500
Subject: [PATCH 58/62] spelling: unknown
Signed-off-by: Josh Soref
---
 userspace/falco/grpc_server.cpp | 2 +-
 userspace/falco/webserver.cpp | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/userspace/falco/grpc_server.cpp b/userspace/falco/grpc_server.cpp
index 920c5920c52..c064f553f16 100644
--- a/userspace/falco/grpc_server.cpp
+++ b/userspace/falco/grpc_server.cpp
@@ -119,7 +119,7 @@ void falco::grpc::server::thread_process(int thread_index)
 ctx->end(this, false);
 break;
 default:
- // todo(leodido) > log error "unkown completion queue event: tag=tag, state=ctx->m_state"
+ // todo(leodido) > log error "unknown completion queue event: tag=tag, state=ctx->m_state"
 break;
 }
diff --git a/userspace/falco/webserver.cpp b/userspace/falco/webserver.cpp
index 5ecec271cf7..927f2452901 100644
--- a/userspace/falco/webserver.cpp
+++ b/userspace/falco/webserver.cpp
@@ -93,7 +93,7 @@ bool k8s_audit_handler::accept_data(falco_engine *engine,
 }
 catch(...)
 {
- errstr = string("unkown error processing audit event");
+ errstr = string("unknown error processing audit event");
 fprintf(stderr, "%s\n", errstr.c_str());
 return false;
 }
From 0cd786375ea60d7ee5491a10726b9bc347d9f906 Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:17 -0500
Subject: [PATCH 59/62] spelling: unusual
Signed-off-by: Josh Soref
---
 brand/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/brand/README.md b/brand/README.md
index 802f0506c35..07ee685de62 100644
--- a/brand/README.md
+++ b/brand/README.md
@@ -113,7 +113,7 @@ Falco ultimately is a security engine. It reasons about signals coming from a sy
 ##### Anomaly detection
-This refers to an event that occurs with something unsual, concerning, or odd occurs.
+This refers to an event that occurs with something unusual, concerning, or odd occurs.
 We can associate anomalies with unwanted behavior, and alert in their presence.
 ##### Detection tooling
From 4aa122663148510e6f4c2afe40cb07bec92e0ab0 Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 19:37:13 -0500
Subject: [PATCH 60/62] spelling: validating
Signed-off-by: Josh Soref
---
 userspace/falco/application.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/userspace/falco/application.h b/userspace/falco/application.h
index 9a2fb41d112..4448666872f 100644
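Review bot: The change to `errstr = string("unknown error processing audit event");` in the webserver.cpp hunk alters a runtime string that is printed to stderr, so any log filter or alert keyed on the old spelling stops matching silently; that is worth a changelog line even for a spelling fix. Separately, this `catch(...)` discards the exception, so an operator sees only the generic message when audit-event processing fails; unless a narrower handler precedes it (the start of accept_data is outside the hunk), a `catch(const std::exception &e)` that includes `e.what()` in errstr ahead of the catch-all would make such failures diagnosable.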
--- a/userspace/falco/application.h
+++ b/userspace/falco/application.h
@@ -17,7 +17,7 @@ limitations under the License.
 // The falco "app" will eventually replace the monolithic code in
 // falco.cpp. We expect it will be responsible for the following:
 // - Parsing/validating command line options
-// - Parsing/validing falco config
+// - Parsing/validating falco config
 // - Initialize prerequisites (inspector, falco engine, webserver, etc)
 // - Loading plugins
 // - Loading/validating rules
From b934ec22cd79d4e855a1b976b03f19b3202bd1f9 Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:18 -0500
Subject: [PATCH 61/62] spelling: whether
Signed-off-by: Josh Soref
---
 proposals/20191217-rules-naming-convention.md | 2 +-
 userspace/falco/falco.cpp | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/proposals/20191217-rules-naming-convention.md b/proposals/20191217-rules-naming-convention.md
index 05ed0b24315..70765f78117 100644
--- a/proposals/20191217-rules-naming-convention.md
+++ b/proposals/20191217-rules-naming-convention.md
@@ -36,7 +36,7 @@ There will be no intention to cover Falco rule syntax in this proposal.
 ### Use cases
-When new PRs are created in the area of rules, reviewers need to examine whether there are new rules, macros or lists are introduced. If yes, check wether follow the naming convention.
+When new PRs are created in the area of rules, reviewers need to examine whether there are new rules, macros or lists are introduced. If yes, check whether follow the naming convention.
 ### Diagrams
diff --git a/userspace/falco/falco.cpp b/userspace/falco/falco.cpp
index 3a0cfbd8af9..b680e9de204 100644
--- a/userspace/falco/falco.cpp
+++ b/userspace/falco/falco.cpp
@@ -484,7 +484,7 @@ int falco_init(int argc, char **argv)
 inspector->set_cri_socket_path(app.options().cri_socket_path);
 }
- // Decide wether to do sync or async for CRI metadata fetch
+ // Decide whether to do sync or async for CRI metadata fetch
 inspector->set_cri_async(!app.options().disable_cri_async);
 //
From 23fea43aae4fb8e4d37efa574fc4d00bf036acda Mon Sep 17 00:00:00 2001
From: Josh Soref
Date: Thu, 24 Feb 2022 01:48:19 -0500
Subject: [PATCH 62/62] spelling: workaround
Signed-off-by: Josh Soref
---
 userspace/engine/ruleset.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/userspace/engine/ruleset.h b/userspace/engine/ruleset.h
index 7df643e7d30..1d31e85edd6 100644
--- a/userspace/engine/ruleset.h
+++ b/userspace/engine/ruleset.h
@@ -80,7 +80,7 @@ class falco_ruleset
 std::shared_ptr filter;
 std::set evttypes()
 {
- // todo(jasondellaluce,leogr): temp workarond, remove when fixed in libs
+ // todo(jasondellaluce,leogr): temp workaround, remove when fixed in libs
 if(source == "syscall" || source == "k8s_audit")
 {
 return filter->evttypes();