
Demo improvements #205

Merged
merged 2 commits into from
Feb 2, 2017

Commits on Feb 1, 2017

  1. Misc demo improvements.

    Small changes to improve the use of falco_event_generator with falco:
    
     - In event_generator, some actions like exec_ls won't trigger
       notifications on their own. So exclude them from -a all.
     - For all actions, print details on what the action will do.
     - For actions that won't result in a falco notification in containers,
       note that in the output.
     - The short version of --once wasn't working, fix the getopt.
     - Explicitly saying -a all wasn't working, fix.
     - Don't rely on an external ruleset in the nodejs docker-compose
       demo: the built-in rules are sufficient now.
    mstemm committed Feb 1, 2017
    Commit 6356490
  2. Ensure falco-event-generator actions are detected.

    A new trace file falco-event-generator.scap contains the result of
    running the falco event generator in docker, via:
    
    docker run --security-opt seccomp=unconfined sysdig/falco-event-generator:latest /usr/local/bin/event_generator --once
    
    Make sure this trace file detects the exact set of events we expect for
    each rule. This required adding a new verification method
    check_detections_by_rule that finds the per-rule counts and compares
    them to the expected counts, which are included in the test description
    under the key "detect_counts".
    
    This is the first time a trace file for a test is actually in one of the
    downloaded zip files. This means it will be tested twice (one for simple
    detect-or-not, once for actual counts).
    
    Adding this test showed a problem with the "Run shell in container"
    rule: since sysdig/falco-event-generator startswith sysdig/falco, it was
    being treated as a trusted container. Modify the macro
    trusted_containers to not allow falco-event-generator to be trusted.
    mstemm committed Feb 1, 2017
    Commit e0a5034
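The two technical points in the commit message above, the per-rule count verification and the trusted_containers prefix problem, as an added Python example. This is not code from the falco repository or from this PR; it mirrors the ideas only. The alert lines, rule names and the allowlist are constructed sample data, and the JSON shape (a "rule" key per alert line) is an assumption made for the example, not a copy of falco's own json output format.

```python
import json
from collections import Counter

# Constructed alerts, one JSON object per line, as a json-style consumer
# of falco output might see them. Not captured from a real falco run.
SAMPLE_ALERTS = """\
{"rule": "Run shell in container", "priority": "Warning", "output": "shell in container (constructed)"}
{"rule": "Write below binary dir", "priority": "Error", "output": "write to /bin (constructed)"}
{"rule": "Run shell in container", "priority": "Warning", "output": "shell in container (constructed)"}
{"rule": "Read sensitive file untrusted", "priority": "Warning", "output": "read /etc/shadow (constructed)"}
"""

# What a test description would carry under "detect_counts" (constructed).
EXPECTED_COUNTS = {
    "Run shell in container": 2,
    "Write below binary dir": 1,
    "Modify binary dirs": 1,
}


def count_by_rule(alert_text):
    """Return {rule_name: count} over every non-empty alert line."""
    counts = Counter()
    for line in alert_text.splitlines():
        if line.strip():
            counts[json.loads(line)["rule"]] += 1
    return dict(counts)


def check_detections_by_rule(observed, expected):
    """Compare observed per-rule counts with the expected map.

    Returns {rule: (expected, observed)} for every rule whose count
    differs. A rule that fired but is not expected is reported with an
    expected count of 0; an expected rule that never fired is reported
    with an observed count of 0. Empty result means an exact match,
    which is stricter than a detect-or-not check.
    """
    mismatches = {}
    for rule in set(observed) | set(expected):
        want, got = expected.get(rule, 0), observed.get(rule, 0)
        if want != got:
            mismatches[rule] = (want, got)
    return mismatches


# --- trusted_containers: three ways to decide trust ---------------------

TRUSTED_IMAGES = ("sysdig/falco", "sysdig/sysdig")  # constructed allowlist


def trusted_by_prefix(image):
    """Models a plain `container.image startswith <prefix>` macro.

    Any image whose name merely begins with a trusted prefix passes, so
    sysdig/falco-event-generator is accepted as if it were sysdig/falco.
    """
    return any(image.startswith(p) for p in TRUSTED_IMAGES)


def trusted_with_exclusion(image):
    """The shape of the commit's fix: keep the prefix test but refuse the
    event generator image explicitly."""
    return trusted_by_prefix(image) and not image.startswith(
        "sysdig/falco-event-generator")


def repository_of(image):
    """Strip an optional @digest and the tag from the last path component,
    leaving the repository (sysdig/falco:0.5.0 -> sysdig/falco). A ':' in
    a registry host such as localhost:5000/... is left untouched."""
    name = image.split("@", 1)[0]
    head, sep, last = name.rpartition("/")
    return head + sep + last.split(":", 1)[0]


def trusted_by_repository(image):
    """Exact match on the repository: sibling images under the same
    namespace are never trusted by accident, and new tags need no rule
    change."""
    return repository_of(image) in TRUSTED_IMAGES


if __name__ == "__main__":
    print("mismatches:",
          check_detections_by_rule(count_by_rule(SAMPLE_ALERTS),
                                   EXPECTED_COUNTS))
    for img in ("sysdig/falco:0.5.0", "sysdig/falco-event-generator:latest"):
        print(img, trusted_by_prefix(img), trusted_with_exclusion(img),
              trusted_by_repository(img))
```

The exclusion clause fixes the one image the commit found; the repository-exact comparison is the more general guard, since any future image pushed under a trusted namespace prefix would otherwise be trusted too.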