falco
guoguangwu
falco sensitive file detection
Falco detects untrusted programs reading sensitive files. It was run as:
./userspace/falco/falco -c ../falco.yaml -r ../rules/falco_rules.yaml
Test command:
sudo cat /etc/shadow
Log:
06:07:23.678922444: Warning Sensitive file opened for reading by non-trusted program (user=<NA> user_loginuid=1000 p
Original · 2022-05-05 22:16:13 · 1390 reads · 0 comments
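The Warning line above is Falco's default plain-text output: a timestamp, the rule priority, the rule's output message, and a trailing parenthesised block of key=value fields. The Python below is an added example (not code from the original post and not part of Falco) that parses that format and picks out the sensitive-file reads at or above a chosen priority, which is what you would do before forwarding the alerts to a SIEM. The sample lines are constructed for the example, not captured from the test host, and the field names beyond the ones visible in the post (program, command, file, parent, container_id, image) are assumed from the shape of Falco's default rule output rather than taken from the page.

```python
"""Parse Falco's default plain-text output into structured events.

Added example, not Falco project code. Assumed line shape:
    <HH:MM:SS.nanoseconds>: <Priority> <rule output message> (key=value key=value ...)
The sample lines in SAMPLE_LINES are constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Falco's priority names, most to least severe.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]

# "time: Priority rest-of-line"
HEAD = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?): (?P<priority>[A-Za-z]+) (?P<rest>.*)$")

# A space is a field separator only when it is followed by "key=". This keeps a
# value that itself contains spaces (command=cat /etc/shadow) in one piece.
FIELD_SPLIT = re.compile(r"\s+(?=[A-Za-z_][\w.]*=)")

# Constructed sample output (field names beyond user/user_loginuid are assumed).
SAMPLE_LINES = [
    "06:07:23.678922444: Warning Sensitive file opened for reading by non-trusted program "
    "(user=<NA> user_loginuid=1000 program=cat command=cat /etc/shadow file=/etc/shadow "
    "parent=sudo gparent=bash container_id=host image=<NA>)",
    "06:07:30.000000001: Notice A shell was spawned in a container with an attached terminal "
    "(user=root user_loginuid=-1 shell=bash parent=runc cmdline=bash terminal=34816 "
    "container_id=3b1f2c9d8e7a image=alpine)",
    "06:07:35.123456789: Error File below a known binary directory opened for writing "
    "(user=root user_loginuid=-1 command=cp /tmp/x /usr/bin/x file=/usr/bin/x container_id=host)",
    "06:07:41.500000000: Warning Sensitive file opened for reading by non-trusted program "
    "(user=root user_loginuid=-1 program=python3 command=python3 -c open('/etc/shadow').read() "
    "file=/etc/shadow parent=bash gparent=containerd-shim container_id=9f2b0c1d4e5a image=python)",
]


@dataclass
class FalcoEvent:
    time: str
    priority: str
    message: str
    fields: dict = field(default_factory=dict)


def parse_line(line):
    """Return a FalcoEvent for one output line, or None if it is not a Falco alert line."""
    m = HEAD.match(line.strip())
    if not m or m.group("priority") not in PRIORITIES:
        return None
    rest = m.group("rest")
    message, fields = rest, {}
    # The key=value block is the LAST parenthesised group. Using rfind tolerates
    # parentheses inside the message, but a value that itself contains " (" would
    # still confuse this; the text format is inherently ambiguous, so production
    # pipelines should set json_output: true in falco.yaml instead.
    start = rest.rfind(" (")
    if start != -1 and rest.endswith(")"):
        message = rest[:start]
        for token in FIELD_SPLIT.split(rest[start + 2:-1]):
            key, sep, value = token.partition("=")
            if sep:
                fields[key] = value
    return FalcoEvent(m.group("time"), m.group("priority"), message, fields)


def at_least(event, minimum):
    """True if the event's priority is `minimum` or more severe (lower index = more severe)."""
    return PRIORITIES.index(event.priority) <= PRIORITIES.index(minimum)


def summarize_sensitive_reads(lines, minimum="Warning"):
    """Return (program, file, user) for each sensitive-file read at or above `minimum`."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or not at_least(ev, minimum):
            continue
        if ev.message.startswith("Sensitive file opened for reading"):
            hits.append((ev.fields.get("program"), ev.fields.get("file"), ev.fields.get("user")))
    return hits


if __name__ == "__main__":
    for program, path, user in summarize_sensitive_reads(SAMPLE_LINES):
        print(f"{user} ran {program} and read {path}")
```

The two Warning lines survive the filter (the Notice line is below the threshold and the Error line is a different rule), and the fourth sample shows why the key=value block is located from the right: the command value contains parentheses of its own. Because the text format cannot be parsed unambiguously in general, the robust choice for anything automated is Falco's JSON output, with this parser reserved for ad-hoc reading of the plain log.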
Falco command-line argument parsing
Falco uses the cxxopts library to parse its command-line arguments. For example, the run command used earlier was
sudo ./userspace/falco/falco -c ../falco.yaml -r ../rules/falco_rules.yaml
so the -c and -r options have to be parsed. The corresponding code is in app_cmdline_options.cpp:
void cmdline_options::define(){ m_cmdline_opts.add_options() ("h,help",
Original · 2022-05-02 22:34:23 · 1716 reads · 0 comments
falco build failure
Error output:
Consolidate compiler generated dependencies of target falco
[ 84%] Linking CXX executable falco
Comparing engine fields checksum in falco_engine.h to actual fields
Sun May 1 21:14:51 2022: Falco version 0.31.1-162+dbbc93f (driver version c778e4529
Original · 2022-05-02 12:22:06 · 844 reads · 0 comments
falco/userspace/engine/rule_reader.cpp:31:21: error: ‘class YAML::Node’ has no member named ‘Mark’
Building Falco from source fails with:
/home/jack/code/falco/falco/userspace/engine/rule_reader.cpp: In function ‘rule_loader::context yaml_get_context(const string&, const std::vector<YAML::Node>&, std::vector<YAML::Node>::iterator, YAML::iterator)’:
/home/ja
Original · 2022-04-30 12:05:48 · 411 reads · 0 comments
falco test
Following https://falco.org/docs/getting-started/source/, I set up the environment on Ubuntu 18.04.2 LTS. I used the kernel module as the data source:
insmod driver/falco.ko
Run Falco:
sudo ./userspace/falco/falco -c ../falco.yaml -r ../rules/falco_rules.yaml
Then, following the readme, execute:
cat /etc/shadow
docker run -..
Original · 2022-04-30 21:06:01 · 602 reads · 0 comments