Add plugins support

.circleci/config.yml

@@ -292,6 +292,7 @@ jobs:
           BUILD_DIR: "/build-static"
           BUILD_TYPE: "release"
           SKIP_PACKAGES_TESTS: "true"
+          SKIP_PLUGINS_TESTS: "true"
     steps:
       - setup_remote_docker
       - attach_workspace:

CMakeLists.txt

@@ -212,6 +212,7 @@ include(static-analysis)
 # Shared build variables
 set(FALCO_SINSP_LIBRARY sinsp)
 set(FALCO_SHARE_DIR share/falco)
+set(FALCO_PLUGINS_DIR ${FALCO_SHARE_DIR}/plugins)
 set(FALCO_ABSOLUTE_SHARE_DIR "${CMAKE_INSTALL_PREFIX}/${FALCO_SHARE_DIR}")
 set(FALCO_BIN_DIR bin)
 
@@ -220,5 +221,7 @@ add_subdirectory(userspace/engine)
 add_subdirectory(userspace/falco)
 add_subdirectory(tests)
 
+include(plugins)
+
 # Packages configuration
 include(CPackConfig)

cmake/modules/falcosecurity-libs.cmake

@@ -20,8 +20,8 @@ file(MAKE_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR})
 # default below In case you want to test against another falcosecurity/libs version just pass the variable - ie., `cmake
 # -DFALCOSECURITY_LIBS_VERSION=dev ..`
 if(NOT FALCOSECURITY_LIBS_VERSION)
-  set(FALCOSECURITY_LIBS_VERSION "a03ccfda795f2ba711b80f69cb06869f2b63121b")
-  set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=97ce5c30b985b77e1abb04ef7037c69be176cbe2122acf67a7f6ec6b39dbdc27")
+  set(FALCOSECURITY_LIBS_VERSION "340be865d951d1a9ee140daad7fb5a3d40d4d7dc")
+  set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=75b04026ce4090e944df22cfb9ebfa1fc32955222b10339097105ea9db1b3d49")
 endif()
 
 # cd /path/to/build && cmake /path/to/source
@@ -63,5 +63,15 @@ set(USE_BUNDLED_JSONCPP ON CACHE BOOL "")
 
 list(APPEND CMAKE_MODULE_PATH "${FALCOSECURITY_LIBS_SOURCE_DIR}/cmake/modules")
 
+include(CheckSymbolExists)
+check_symbol_exists(strlcpy "string.h" HAVE_STRLCPY)
+if(HAVE_STRLCPY)
+	message(STATUS "Existing strlcpy found, will *not* use local definition by setting -DHAVE_STRLCPY.")
+	add_definitions(-DHAVE_STRLCPY)
+else()
+	message(STATUS "No strlcpy found, will use local definition")
+endif()
+
 include(libscap)
 include(libsinsp)
+

cmake/modules/plugins.cmake

@@ -0,0 +1,36 @@
+#
+# Copyright (C) 2021 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+include(ExternalProject)
+
+set(PLUGINS_VERSION "0.1.0-rc1-28-g019437e")
+
+ExternalProject_Add(
+  cloudtrail-plugin
+  URL "https://download.falco.org/plugins/dev/cloudtrail-${PLUGINS_VERSION}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL_HASH "SHA256=ad9692957c5435238e07d1625e1b247eabe98b85f54de9218367fdd73a6f3f0b"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND "")
+
+install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-plugin-prefix/src/cloudtrail-plugin/libcloudtrail.so" DESTINATION "${FALCO_PLUGINS_DIR}")
+
+ExternalProject_Add(
+  json-plugin
+  URL "https://download.falco.org/plugins/dev/json-${PLUGINS_VERSION}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL_HASH "SHA256=721ea5226b0f623915d0d5c34870589ad33a8ff795b0daa1af72f21a67430077"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND "")
+
+install(FILES "${PROJECT_BINARY_DIR}/json-plugin-prefix/src/json-plugin/libjson.so" DESTINATION "${FALCO_PLUGINS_DIR}")

falco.yaml

@@ -33,6 +33,32 @@ rules_file:
   - /etc/falco/k8s_audit_rules.yaml
   - /etc/falco/rules.d
 
+
+#
+# Plugins that are available for use. These plugins are not loaded by
+# default, as they require explicit configuration to point to
+# cloudtrail log files.
+#
+
+# To learn more about the supported formats for
+# init_config/open_params for the cloudtrail plugin, see the README at
+# https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md.
+plugins:
+  - name: cloudtrail
+    library_path: libcloudtrail.so
+    init_config: ""
+    open_params: ""
+  - name: json
+    library_path: libjson.so
+    init_config: ""
+
+# Setting this list to empty ensures that the above plugins are *not*
+# loaded and enabled by default. If you want to use the above plugins,
+# set a meaningful init_config/open_params for the cloudtrail plugin
+# and then change this to:
+# load_plugins: [cloudtrail, json]
+load_plugins: []
+
 # If true, the times displayed in log messages and output messages
 # will be in ISO 8601. By default, times are displayed in the local
 # time zone, as governed by /etc/localtime.

rules/CMakeLists.txt

@@ -23,6 +23,7 @@ if(NOT DEFINED FALCO_RULES_DEST_FILENAME)
   set(FALCO_LOCAL_RULES_DEST_FILENAME "falco_rules.local.yaml")
   set(FALCO_APP_RULES_DEST_FILENAME "application_rules.yaml")
   set(FALCO_K8S_AUDIT_RULES_DEST_FILENAME "k8s_audit_rules.yaml")
+  set(FALCO_AWS_CLOUDTRAIL_RULES_DEST_FILENAME "aws_cloudtrail_rules.yaml")
 endif()
 
 if(DEFINED FALCO_COMPONENT)
@@ -59,5 +60,10 @@ else()
     DESTINATION "${FALCO_ETC_DIR}/rules.available"
     RENAME "${FALCO_APP_RULES_DEST_FILENAME}")
 
+  install(
+    FILES aws_cloudtrail_rules.yaml
+    DESTINATION "${FALCO_ETC_DIR}"
+    RENAME "${FALCO_AWS_CLOUDTRAIL_RULES_DEST_FILENAME}")
+
   install(DIRECTORY DESTINATION "${FALCO_ETC_DIR}/rules.d")
 endif()