fix(build): add registry argument

Signed-off-by: Luca Guerra <luca@guerra.sh>

.github/FALCO_VERSIONS

@@ -1 +1 @@
-master
+0.35.0

.github/compare-rule-files.sh

@@ -1,16 +1,18 @@
-#!/usr/bin/env bash
+#!/bin/bash
 
 RULES_FILE=$1
 RESULT_FILE=$2
 CHECKER_TOOL=$3
 FALCO_DOCKER_IMAGE=$4
 
+set -e pipefail
+
 rm -f $RESULT_FILE
 touch $RESULT_FILE
 
 cur_branch=`git rev-parse HEAD`
 echo Current branch is \"$cur_branch\"
-echo Checking version for $RULES_FILE...
+echo Checking version for rules file \"$RULES_FILE\"...
 cp $RULES_FILE tmp_rule_file.yaml
 
 rules_name=`echo $RULES_FILE | sed -re 's/rules\/(.*)_rules\.yaml/\1/'`
@@ -26,20 +28,25 @@ else
 fi
 
 git checkout tags/$latest_tag
+chmod +x $CHECKER_TOOL
 $CHECKER_TOOL \
     compare \
     --falco-image=$FALCO_DOCKER_IMAGE \
-    $RULES_FILE \
+    -l $RULES_FILE \
-    tmp_rule_file.yaml \
+    -r tmp_rule_file.yaml \
 1>tmp_res.txt
 git switch --detach $cur_branch
 
-if [ -s tmp_res.txt ]; then
+echo '##' $(basename $RULES_FILE) >> $RESULT_FILE
-    echo '##' $RULES_FILE >> $RESULT_FILE
+echo Comparing \`$cur_branch\` with latest tag \`$latest_tag\` >> $RESULT_FILE
-    echo Comparing \`$cur_branch\` with latest tag \`$latest_tag\` >> $RESULT_FILE
+echo "" >> $RESULT_FILE
-    echo "" >> $RESULT_FILE
+if [ -s tmp_res.txt ]
+then
     cat tmp_res.txt >> $RESULT_FILE
-    echo "" >> $RESULT_FILE
+else
+    echo "No changes detected" >> $RESULT_FILE
 fi
+echo "" >> $RESULT_FILE
+
 rm -f tmp_rule_file.yaml
 rm -f tmp_res.txt

.github/workflows/release.yaml

@@ -9,25 +9,31 @@ on:
 jobs:
   release-rulesfile:
     runs-on: ubuntu-latest
+
     env:
+      OCI_REGISTRY: ghcr.io
+
       AWS_S3_BUCKET: falco-distribution
       AWS_S3_PREFIX: rules
       AWS_S3_REGION: eu-west-1
 
-    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
     permissions:
+      # These permissions are needed to interact with GitHub's OIDC Token endpoint.
       id-token: write
       contents: read
       packages: write
 
     steps:
+
+      # Get rules repository
       - name: Checkout Rules
         uses: actions/checkout@v3
 
+      # Get registry artifact tool
       - name: Setup Golang
         uses: actions/setup-go@v3
         with:
-          go-version: '^1.19'
+          go-version-file: build/registry/go.mod
 
       - name: Build registry artifact tool
         working-directory: build/registry
@@ -38,13 +44,29 @@ jobs:
           echo "OCI_REPO_PREFIX=ghcr.io/${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
 
       - name: Upload OCI artifacts to GitHub packages
+        id: oci_build
         env:
           REGISTRY_USER: ${{ github.repository_owner }}
           REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITHUB_REPO_URL: ${{ github.server_url }}/${{ github.repository }}.git
 
         # uses OCI_REPO_PREFIX environment variable
-        run: build/registry/rules-registry push-to-oci registry.yaml ${{ github.ref_name }}
+        run: >-
+          echo "ARTIFACT_REPO_DIGEST=$(
+            build/registry/rules-registry push-to-oci registry.yaml ${{ github.ref_name }}
+          )" >> $GITHUB_OUTPUT
+
+      # Create a signature of the rules artifact as OCI artifact
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.1.0
+        with:
+          cosign-release: 'v2.1.0'
+
+      - name: Login with cosign
+        run: cosign login $OCI_REGISTRY --username ${{ github.repository_owner }} --password ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Sign the images with GitHub OIDC Token
+        run: cosign sign --yes ${{ steps.oci_build.outputs.ARTIFACT_REPO_DIGEST }}
 
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v1
@@ -53,6 +75,5 @@ jobs:
           aws-region: ${{ env.AWS_S3_REGION }}
 
       - name: Upload files to S3
-
         # uses AWS_S3_BUCKET, AWS_S3_PREFIX, AWS_S3_REGION environment variables
         run: build/registry/rules-registry upload-to-s3 registry.yaml ${{ github.ref_name }}

.github/workflows/rules.yaml

@@ -5,6 +5,9 @@ on:
     branches:
       - main
       - release/*
+  push:
+    branches:
+      - main
 
 jobs:
   # retrieves the changed rules files and the Falco versions to be used
@@ -18,8 +21,9 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Get changed files
-        uses: jitterbit/get-changed-files@v1
         id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: Ana06/get-changed-files@v2.2.0
         with:
           format: space-delimited
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -27,12 +31,19 @@ jobs:
       - name: Find changed rules files
         id: set-changed-files
         run: |
+          # if we skip changed-files because we're not in a pull-request,
+          # then we consider all the rules contained in the repo
+          all_files="${{ steps.changed-files.outputs.all }}"
           values=""
-          for changed_file in ${{ steps.changed-files.outputs.all }}; do
+          if [ -z "$all_files" ]; then
-            if [[ ${changed_file} =~ ^rules/.* ]]; then
+            values=$(ls rules/*.yaml)
-              values="${values}${changed_file}"
+          else
-            fi
+            for changed_file in $all_files; do
-          done
+              if [[ "${changed_file}" =~ ^rules/.* ]]; then
+                values=${values}${changed_file}$'\n'
+              fi
+            done
+          fi
           echo "changed-files=$(echo "${values}" | jq -R -s -c 'split("\n")' | jq -c 'map(select(length > 0))')" >> $GITHUB_OUTPUT
 
       - name: Read Falco versions
@@ -58,7 +69,7 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v3
         with:
-          go-version: '^1.19'
+          go-version: "1.19.0"
 
       - name: Checkout rules
         uses: actions/checkout@v3
@@ -66,7 +77,7 @@ jobs:
       - name: Build checker tool
         working-directory: build/checker
         run: go build -o rules-check
-      
+
       - name: Test checker tool
         working-directory: build/checker
         run: go test ./... -cover
@@ -76,10 +87,10 @@ jobs:
           build/checker/rules-check \
               validate \
               --falco-image="falcosecurity/falco-no-driver:${{ matrix.falco-version }}" \
-              ${{ matrix.rules-file }}
+              -r ${{ matrix.rules-file }}
 
   check-version:
-    if: needs.get-values.outputs.changed-files != '[]' && needs.get-values.outputs.changed-files != ''
+    if: github.event_name == 'pull_request' && needs.get-values.outputs.changed-files != '[]' && needs.get-values.outputs.changed-files != ''
     needs: get-values
     env:
       # note(jasondellaluce): using the most recent targeted Falco version
@@ -93,7 +104,7 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v3
         with:
-          go-version: '^1.19'
+          go-version: "1.19.0"
 
       - name: Checkout rules
         uses: actions/checkout@v3
@@ -102,7 +113,7 @@ jobs:
         run: git fetch --tags origin
 
       - name: Get changed files
-        uses: jitterbit/get-changed-files@v1
+        uses: Ana06/get-changed-files@v2.2.0
         id: changed
         with:
           format: space-delimited
@@ -111,7 +122,7 @@ jobs:
       - name: Build checker tool
         working-directory: build/checker
         run: go build -o rules-check
-      
+
       - name: Test checker tool
         working-directory: build/checker
         run: go test ./... -cover
@@ -120,7 +131,7 @@ jobs:
         id: compare
         run: |
           ./.github/compare-rule-files.sh \
-              ${{ matrix.rules-file }} \
+              "${{ matrix.rules-file }}" \
               result.txt \
               build/checker/rules-check \
               "falcosecurity/falco-no-driver:$FALCO_VERSION"
@@ -132,12 +143,46 @@ jobs:
         if: steps.compare.outputs.comment_file != ''
         run: |
           mkdir -p ./pr
-          echo ${{ github.event.number }} > ./pr/NR
+          cp ${{ steps.compare.outputs.comment_file }} ./pr/COMMENT-${{ strategy.job-index }}
-          cp ${{ steps.compare.outputs.comment_file }} ./pr/COMMENT
 
       - name: Upload PR info as artifact
         uses: actions/upload-artifact@v2
         if: steps.compare.outputs.comment_file != ''
+        with:
+          name: pr-${{ strategy.job-index }}
+          path: pr/
+          retention-days: 1
+
+  upload-pr-info:
+    needs: [get-values, check-version]
+    if: ${{ !cancelled() && github.event_name == 'pull_request' && needs.get-values.outputs.changed-files != '[]' && needs.get-values.outputs.changed-files != '' }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download PR infos
+        uses: actions/download-artifact@v3
+        with:
+          path: tmp-artifacts
+
+      - name: Save PR info
+        run: |
+          mkdir -p ./pr
+          echo ${{ github.event.number }} > ./pr/NR
+          touch ./pr/COMMENT
+          echo "# Rules files suggestions" >> ./pr/COMMENT
+          echo "" >> ./pr/COMMENT
+          files=$(find ./tmp-artifacts/)
+          for file in $files; do
+            if [[ "$file" =~ "COMMENT" ]]; then
+              cat "$file" >> ./pr/COMMENT
+            fi
+          done
+          echo Uploading PR info...
+          cat ./pr/COMMENT
+          echo ""
+
+      - name: Upload PR info as artifact
+        uses: actions/upload-artifact@v2
         with:
           name: pr
           path: pr/
+          retention-days: 1

build/registry/cmd.go

@@ -86,7 +86,7 @@ func doUploadToS3(registryFilename, gitTag string) error {
 
 	rulesfileInfo := reg.RulesfileByName(pt.Name)
 	if rulesfileInfo == nil {
-		return fmt.Errorf("could not find rulesfile %s in registry", pt.Name)
+		return fmt.Errorf("could not find rulesfile %s in the registry (reserved or archived are ignored)", pt.Name)
 	}
 
 	tmpDir, err := os.MkdirTemp("", "falco-artifacts-to-upload")
@@ -109,29 +109,29 @@ func doUploadToS3(registryFilename, gitTag string) error {
 	return nil
 }
 
-func doPushToOCI(registryFilename, gitTag string) error {
+func doPushToOCI(registryFilename, gitTag string) (*string, error) {
 	var ociRepoPrefix, repoGit, user, token string
 	var found bool
 
 	if token, found = os.LookupEnv(RegistryTokenEnv); !found {
-		return fmt.Errorf("environment variable with key %q not found, please set it before running this tool", RegistryTokenEnv)
+		return nil, fmt.Errorf("environment variable with key %q not found, please set it before running this tool", RegistryTokenEnv)
 	}
 
 	if user, found = os.LookupEnv(RegistryUserEnv); !found {
-		return fmt.Errorf("environment variable with key %q not found, please set it before running this tool", RegistryUserEnv)
+		return nil, fmt.Errorf("environment variable with key %q not found, please set it before running this tool", RegistryUserEnv)
 	}
 
 	if ociRepoPrefix, found = os.LookupEnv(OCIRepoPrefixEnv); !found {
-		return fmt.Errorf("environment variable with key %q not found, please set it before running this tool", OCIRepoPrefixEnv)
+		return nil, fmt.Errorf("environment variable with key %q not found, please set it before running this tool", OCIRepoPrefixEnv)
 	}
 
 	if repoGit, found = os.LookupEnv(RepoGithubEnv); !found {
-		return fmt.Errorf("environment variable with key %q not found, please set it before running this tool", RepoGithubEnv)
+		return nil, fmt.Errorf("environment variable with key %q not found, please set it before running this tool", RepoGithubEnv)
 	}
 
 	pt, err := parseGitTag(gitTag)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
 	cred := &auth.Credential{
@@ -144,18 +144,18 @@ func doPushToOCI(registryFilename, gitTag string) error {
 
 	reg, err := loadRegistryFromFile(registryFilename)
 	if err != nil {
-		return fmt.Errorf("could not read registry from %s: %w", registryFilename, err)
+		return nil, fmt.Errorf("could not read registry from %s: %w", registryFilename, err)
 	}
 
 	rulesfileInfo := reg.RulesfileByName(pt.Name)
 	if rulesfileInfo == nil {
-		return fmt.Errorf("could not find rulesfile %s in registry", pt.Name)
+		return nil, fmt.Errorf("could not find rulesfile %s in the registry (reserved or archived are ignored)", pt.Name)
 	}
 
 	// Create the repository object for the ref.
 	var repo *repository.Repository
 	if repo, err = repository.NewRepository(ociRepoRef, repository.WithClient(client)); err != nil {
-		return fmt.Errorf("unable to create repository for ref %q: %w", ociRepoRef, err)
+		return nil, fmt.Errorf("unable to create repository for ref %q: %w", ociRepoRef, err)
 	}
 
 	existingTags, _ := repo.Tags(context.Background())
@@ -171,19 +171,24 @@ func doPushToOCI(registryFilename, gitTag string) error {
 
 	tgzFile := filepath.Join(tmpDir, filepath.Base(rulesfileInfo.Path)+".tar.gz")
 	if err = tarGzSingleFile(tgzFile, rulesfileInfo.Path); err != nil {
-		return fmt.Errorf("could not compress %s: %w", rulesfileInfo.Path, err)
+		return nil, fmt.Errorf("could not compress %s: %w", rulesfileInfo.Path, err)
 	}
 	defer os.RemoveAll(tgzFile)
 
 	config, err := rulesfileConfig(rulesfileInfo.Name, pt.Version(), rulesfileInfo.Path)
 	if err != nil {
-		return fmt.Errorf("could not generate configuration layer for rulesfiles %q: %w", rulesfileInfo.Path, err)
+		return nil, fmt.Errorf("could not generate configuration layer for rulesfiles %q: %w", rulesfileInfo.Path, err)
-	}
-	if err = pushCompressedRulesfile(client, tgzFile, ociRepoRef, repoGit, tagsToUpdate, config); err != nil {
-		return fmt.Errorf("could not push %s to %s with source %s and tags %v: %w", tgzFile, ociRepoRef, repoGit, tagsToUpdate, err)
 	}
 
-	return nil
+	digest, err := pushCompressedRulesfile(client, tgzFile, ociRepoRef, repoGit, tagsToUpdate, config)
+	if err != nil {
+		return nil, fmt.Errorf("could not push %s to %s with source %s and tags %v: %w", tgzFile, ociRepoRef, repoGit, tagsToUpdate, err)
+	}
+
+	// ociRepoDigest is a string that looks like ghcr.io/falcosecurity/rules/falco-rules@sha256:123456...
+	ociRepoDigest := fmt.Sprintf("%s@%s", ociRepoRef, *digest)
+
+	return &ociRepoDigest, nil
 }
 
 func rulesOciRepos(registryEntries *Registry, ociRepoPrefix string) (map[string]string, error) {
@@ -263,7 +268,13 @@ func main() {
 		Args:                  cobra.ExactArgs(2),
 		DisableFlagsInUseLine: true,
 		RunE: func(c *cobra.Command, args []string) error {
-			return doPushToOCI(args[0], args[1])
+			ociRepoDigest, err := doPushToOCI(args[0], args[1])
+			if err != nil {
+				return err
+			}
+			fmt.Println(*ociRepoDigest)
+
+			return nil
 		},
 	}
 

build/registry/go.mod

@@ -5,99 +5,50 @@ go 1.19
 require (
 	github.com/aws/aws-sdk-go v1.44.183
 	github.com/blang/semver v3.5.1+incompatible
-	github.com/falcosecurity/falcoctl v0.3.0-rc5
+	github.com/falcosecurity/falcoctl v0.5.1
-	github.com/spf13/cobra v1.6.1
+	github.com/spf13/cobra v1.7.0
-	github.com/stretchr/testify v1.7.2
+	github.com/stretchr/testify v1.8.4
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/klog/v2 v2.80.1
-	oras.land/oras-go/v2 v2.0.0-rc.3
+	oras.land/oras-go/v2 v2.2.1
 )
 
 require (
-	atomicgo.dev/cursor v0.1.1 // indirect
+	atomicgo.dev/cursor v0.2.0 // indirect
-	atomicgo.dev/keyboard v0.2.8 // indirect
+	atomicgo.dev/keyboard v0.2.9 // indirect
-	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
+	atomicgo.dev/schedule v0.1.0 // indirect
-	github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd // indirect
-	github.com/PuerkitoBio/purell v1.1.1 // indirect
-	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
-	github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 // indirect
 	github.com/containerd/console v1.0.3 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/cli v20.10.17+incompatible // indirect
+	github.com/docker/cli v24.0.5+incompatible // indirect
-	github.com/docker/docker v20.10.17+incompatible // indirect
+	github.com/docker/docker v24.0.5+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.6.4 // indirect
+	github.com/docker/docker-credential-helpers v0.8.0 // indirect
-	github.com/emicklei/go-restful v2.9.5+incompatible // indirect
+	github.com/go-logr/logr v1.2.4 // indirect
-	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
+	github.com/gookit/color v1.5.4 // indirect
-	github.com/go-errors/errors v1.0.1 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/go-logr/logr v1.2.2 // indirect
-	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/jsonreference v0.19.5 // indirect
-	github.com/go-openapi/swag v0.19.14 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/google/btree v1.0.1 // indirect
-	github.com/google/gnostic v0.5.7-v3refs // indirect
-	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/google/uuid v1.2.0 // indirect
-	github.com/gookit/color v1.5.0 // indirect
-	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
-	github.com/imdario/mergo v0.3.12 // indirect
-	github.com/inconshreveable/mousetrap v1.0.1 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/josharian/intern v1.0.0 // indirect
+	github.com/kr/text v0.2.0 // indirect
-	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/lithammer/fuzzysearch v1.1.8 // indirect
-	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
+	github.com/mattn/go-isatty v0.0.19 // indirect
-	github.com/lithammer/fuzzysearch v1.1.5 // indirect
+	github.com/mattn/go-runewidth v0.0.15 // indirect
-	github.com/mailru/easyjson v0.7.6 // indirect
+	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
-	github.com/mattn/go-isatty v0.0.16 // indirect
-	github.com/mattn/go-runewidth v0.0.13 // indirect
-	github.com/mitchellh/go-wordwrap v1.0.0 // indirect
-	github.com/moby/spdystream v0.2.0 // indirect
-	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
-	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/opencontainers/distribution-spec/specs-go v0.0.0-20220620172159-4ab4752c3b86 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc4 // indirect
-	github.com/oras-project/artifacts-spec v1.0.0-rc.2 // indirect
-	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/pterm/pterm v0.12.45 // indirect
+	github.com/pterm/pterm v0.12.66 // indirect
-	github.com/rivo/uniseg v0.2.0 // indirect
+	github.com/rivo/uniseg v0.4.4 // indirect
-	github.com/russross/blackfriday v1.5.2 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
-	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca // indirect
+	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
-	github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect
+	golang.org/x/net v0.14.0 // indirect
-	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
+	golang.org/x/oauth2 v0.11.0 // indirect
-	golang.org/x/net v0.2.0 // indirect
+	golang.org/x/sync v0.3.0 // indirect
-	golang.org/x/oauth2 v0.2.0 // indirect
+	golang.org/x/sys v0.11.0 // indirect
-	golang.org/x/sync v0.0.0-20220907140024-f12130a52804 // indirect
+	golang.org/x/term v0.11.0 // indirect
-	golang.org/x/sys v0.2.0 // indirect
+	golang.org/x/text v0.12.0 // indirect
-	golang.org/x/term v0.2.0 // indirect
-	golang.org/x/text v0.4.0 // indirect
-	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.28.0 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
-	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	gotest.tools/v3 v3.4.0 // indirect
-	k8s.io/api v0.24.3 // indirect
-	k8s.io/apimachinery v0.24.3 // indirect
-	k8s.io/cli-runtime v0.24.3 // indirect
-	k8s.io/client-go v0.24.3 // indirect
-	k8s.io/component-base v0.24.3 // indirect
-	k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 // indirect
-	k8s.io/kubectl v0.24.3 // indirect
-	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect
-	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
-	sigs.k8s.io/kustomize/api v0.11.4 // indirect
-	sigs.k8s.io/kustomize/kyaml v0.13.6 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
-	sigs.k8s.io/yaml v1.2.0 // indirect
 )

build/registry/oci.go

@@ -27,19 +27,25 @@ import (
 	ocipusher "github.com/falcosecurity/falcoctl/pkg/oci/pusher"
 )
 
-func pushCompressedRulesfile(ociClient remote.Client, filePath, repoRef, repoGit string, tags []string, config *oci.ArtifactConfig) error {
+// pushCompressedRulesfile publishes rulesfile as OCI artifact and returns its digest.
+// It possibly returns an error.
+func pushCompressedRulesfile(
+	ociClient remote.Client,
+	filePath, repoRef, repoGit string,
+	tags []string,
+	config *oci.ArtifactConfig) (*string, error) {
 	klog.Infof("Processing compressed rulesfile %q for repo %q and tags %s...", filePath, repoRef, tags)
 
 	pusher := ocipusher.NewPusher(ociClient, false, nil)
-	_, err := pusher.Push(context.Background(), oci.Rulesfile, repoRef,
+	artifact, err := pusher.Push(context.Background(), oci.Rulesfile, repoRef,
 		ocipusher.WithTags(tags...),
 		ocipusher.WithFilepaths([]string{filePath}),
 		ocipusher.WithAnnotationSource(repoGit),
 		ocipusher.WithArtifactConfig(*config))
 
 	if err != nil {
-		return fmt.Errorf("an error occurred while pushing: %w", err)
+		return nil, fmt.Errorf("an error occurred while pushing: %w", err)
 	}
 
-	return nil
+	return &artifact.Digest, nil
 }

build/registry/registry.go

@@ -42,6 +42,7 @@ type Rulesfile struct {
 	URL      string   `yaml:"url"`
 	License  string   `yaml:"license"`
 	Reserved bool     `yaml:"reserved"`
+	Archived bool     `yaml:"archived"`
 }
 
 type Registry struct {
@@ -67,6 +68,9 @@ func (r *Registry) Validate() error {
 // RulesfileByName returns the rulesfile in the index with the specified name, or nil if not found
 func (r *Registry) RulesfileByName(name string) *Rulesfile {
 	for _, rf := range r.Rulesfiles {
+		if rf.Reserved || rf.Archived {
+			continue
+		}
 		if rf.Name == name {
 			return &rf
 		}

rules/falco_rules.yaml

@@ -496,30 +496,6 @@
     WARNING
   tags: [host, container, filesystem, mitre_discovery, T1546.004]
 
-# List of allowed container images that are known to execute binaries not part of their base image.
-# Users can use this list to better tune the rule below (i.e reducing false positives) by considering their workloads, 
-# since this requires application specific knowledge.
-- list: known_drop_and_execute_containers
-  items: []
-
-- rule: Drop and execute new binary in container
-  desc:
-    Detect if an executable not belonging to the base image of a container is being executed.
-    The drop and execute pattern can be observed very often after an attacker gained an initial foothold.
-    is_exe_upper_layer filter field only applies for container runtimes that use overlayfs as union mount filesystem.
-  condition: >
-    spawned_process
-    and container
-    and proc.is_exe_upper_layer=true 
-    and not container.image.repository in (known_drop_and_execute_containers)
-  output: > 
-    Executing binary not part of base image (user=%user.name user_loginuid=%user.loginuid user_uid=%user.uid comm=%proc.cmdline exe=%proc.exe container_id=%container.id
-    image=%container.image.repository proc.name=%proc.name proc.sname=%proc.sname proc.pname=%proc.pname proc.aname[2]=%proc.aname[2] exe_flags=%evt.arg.flags
-    proc.exe_ino=%proc.exe_ino proc.exe_ino.ctime=%proc.exe_ino.ctime proc.exe_ino.mtime=%proc.exe_ino.mtime proc.exe_ino.ctime_duration_proc_start=%proc.exe_ino.ctime_duration_proc_start
-    proc.exepath=%proc.exepath proc.cwd=%proc.cwd proc.tty=%proc.tty container.start_ts=%container.start_ts proc.sid=%proc.sid proc.vpgid=%proc.vpgid evt.res=%evt.res)
-  priority: CRITICAL 
-  tags: [container, mitre_persistence, TA0003]
-
 - macro: user_known_cron_jobs
   condition: (never_true)
 
@@ -1559,7 +1535,7 @@
     and not user_known_db_spawned_processes
   output: >
     Database-related program spawned process other than itself (user=%user.name user_loginuid=%user.loginuid
-    program=%proc.cmdline pid=%proc.pid parent=%proc.pname container_id=%container.id image=%container.image.repository)
+    program=%proc.cmdline pid=%proc.pid parent=%proc.pname container_id=%container.id image=%container.image.repository exe_flags=%evt.arg.flags)
   priority: NOTICE
   tags: [host, container, process, database, mitre_execution, T1190]
 
@@ -1777,7 +1753,7 @@
   output: >
     Shell spawned by untrusted binary (user=%user.name user_loginuid=%user.loginuid shell=%proc.name parent=%proc.pname
     cmdline=%proc.cmdline pid=%proc.pid pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3]
-    aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7] container_id=%container.id image=%container.image.repository)
+    aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7] container_id=%container.id image=%container.image.repository exe_flags=%evt.arg.flags)
   priority: DEBUG
   tags: [host, container, process, shell, mitre_execution, T1059.004]
 
@@ -2082,7 +2058,7 @@
 - rule: System user interactive
   desc: an attempt to run interactive commands by a system (i.e. non-login) user
   condition: spawned_process and system_users and interactive and not user_known_system_user_login
-  output: "System user ran an interactive command (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid container_id=%container.id image=%container.image.repository)"
+  output: "System user ran an interactive command (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid container_id=%container.id image=%container.image.repository exe_flags=%evt.arg.flags)"
   priority: INFO
   tags: [host, container, users, mitre_execution, T1059]
 
@@ -2100,7 +2076,7 @@
     and not user_expected_terminal_shell_in_container_conditions
   output: >
     A shell was spawned in a container with an attached terminal (user=%user.name user_loginuid=%user.loginuid %container.info
-    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline pid=%proc.pid terminal=%proc.tty container_id=%container.id image=%container.image.repository)
+    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline pid=%proc.pid terminal=%proc.tty container_id=%container.id image=%container.image.repository exe_flags=%evt.arg.flags)
   priority: NOTICE
   tags: [container, shell, mitre_execution, T1059]
 
@@ -2215,7 +2191,7 @@
   enabled: false
   output: >
     Program run with disallowed HTTP_PROXY environment variable
-    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid env=%proc.env parent=%proc.pname container_id=%container.id image=%container.image.repository)
+    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid env=%proc.env parent=%proc.pname container_id=%container.id image=%container.image.repository exe_flags=%evt.arg.flags)
   priority: NOTICE
   tags: [host, container, users, mitre_command_and_control, T1090, T1204]
 
@@ -2373,7 +2349,7 @@
     not user_known_user_management_activities
   output: >
     User management binary command run outside of container
-    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
+    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] exe_flags=%evt.arg.flags)
   priority: NOTICE
   tags: [host, container, users, software_mgmt, mitre_persistence, T1543, T1098]
 
@@ -2541,7 +2517,7 @@
     and not pkg_mgmt_in_kube_proxy
   output: >
     Package management process launched in container (user=%user.name user_loginuid=%user.loginuid
-    command=%proc.cmdline pid=%proc.pid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+    command=%proc.cmdline pid=%proc.pid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag exe_flags=%evt.arg.flags)
   priority: ERROR
   tags: [container, process, software_mgmt, mitre_persistence, T1505]
 
@@ -2555,7 +2531,7 @@
     )
   output: >
     Netcat runs inside container that allows remote code execution (user=%user.name user_loginuid=%user.loginuid
-    command=%proc.cmdline pid=%proc.pid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+    command=%proc.cmdline pid=%proc.pid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag exe_flags=%evt.arg.flags)
   priority: WARNING
   tags: [container, network, process, mitre_execution, T1059]
 
@@ -2568,7 +2544,7 @@
     spawned_process and container and network_tool_procs and not user_known_network_tool_activities
   output: >
     Network tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid parent_process=%proc.pname
-    container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+    container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag exe_flags=%evt.arg.flags)
   priority: NOTICE
   tags: [container, network, process, mitre_discovery, mitre_exfiltration, T1595, T1046]
 
@@ -2587,7 +2563,7 @@
     network_tool_procs and
     not user_known_network_tool_activities
   output: >
-    Network tool launched on host (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid parent_process=%proc.pname)
+    Network tool launched on host (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid parent_process=%proc.pname exe_flags=%evt.arg.flags)
   priority: NOTICE
   tags: [host, network, process, mitre_discovery, mitre_exfiltration, T1595, T1046]
 
@@ -2631,7 +2607,7 @@
   output: >
     Grep private keys or passwords activities found
     (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid container_id=%container.id container_name=%container.name
-    image=%container.image.repository:%container.image.tag)
+    image=%container.image.repository:%container.image.tag exe_flags=%evt.arg.flags)
   priority:
     WARNING
   tags: [host, container, process, filesystem, mitre_credential_access, T1552.001]
@@ -2682,7 +2658,7 @@
   desc: Detect process running to clear bulk data from disk
   condition: spawned_process and clear_data_procs and not user_known_remove_data_activities
   output: >
-    Bulk data has been removed from disk (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid file=%fd.name container_id=%container.id image=%container.image.repository)
+    Bulk data has been removed from disk (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid file=%fd.name container_id=%container.id image=%container.image.repository exe_flags=%evt.arg.flags)
   priority:
     WARNING
   tags: [host, container, process, filesystem, mitre_persistence, T1485]
@@ -2736,7 +2712,7 @@
     ((spawned_process and proc.name in (shred, rm, mv) and proc.args contains "bash_history") or
      (open_write and fd.name contains "bash_history" and evt.arg.flags contains "O_TRUNC"))
   output: >
-    Shell history had been deleted or renamed (user=%user.name user_loginuid=%user.loginuid type=%evt.type command=%proc.cmdline pid=%proc.pid fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
+    Shell history had been deleted or renamed (user=%user.name user_loginuid=%user.loginuid type=%evt.type command=%proc.cmdline pid=%proc.pid fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath exe_flags=%evt.arg.flags %container.info)
   priority:
     WARNING
   tags: [host, container, process, filesystem, mitre_defense_evasion, T1070]
@@ -2811,7 +2787,7 @@
     and not user_known_remote_file_copy_activities
   output: >
     Remote file copy tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid parent_process=%proc.pname
-    container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+    container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag exe_flags=%evt.arg.flags)
   priority: NOTICE
   tags: [container, network, process, mitre_lateral_movement, mitre_exfiltration, T1020, T1210]
 
@@ -2943,7 +2919,7 @@
 - rule: Detect crypto miners using the Stratum protocol
   desc: Miners typically specify the mining pool to connect to with a URI that begins with 'stratum+tcp'
   condition: spawned_process and (proc.cmdline contains "stratum+tcp" or proc.cmdline contains "stratum2+tcp" or proc.cmdline contains "stratum+ssl" or proc.cmdline contains "stratum2+ssl")
-  output: Possible miner running (command=%proc.cmdline pid=%proc.pid container=%container.info image=%container.image.repository)
+  output: Possible miner running (command=%proc.cmdline pid=%proc.pid container=%container.info image=%container.image.repository exe_flags=%evt.arg.flags)
   priority: CRITICAL
   tags: [host, container, process, mitre_execution, T1496]
 
@@ -3190,7 +3166,7 @@
   desc: Detected container running as root user
   condition: spawned_process and container and proc.vpid=1 and user.uid=0 and not user_known_run_as_root_container
   enabled: false
-  output: Container launched with root user privilege (uid=%user.uid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+  output: Container launched with root user privilege (uid=%user.uid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag exe_flags=%evt.arg.flags)
   priority: INFO
   tags: [container, process, users, mitre_execution, T1610]
 
@@ -3199,7 +3175,7 @@
 - rule: Sudo Potential Privilege Escalation
   desc: Privilege escalation vulnerability affecting sudo (<= 1.9.5p2). Executing sudo using sudoedit -s or sudoedit -i command with command-line argument that ends with a single backslash character from an unprivileged user it's possible to elevate the user privileges to root.
   condition: spawned_process and user.uid != 0 and (proc.name=sudoedit or proc.name = sudo) and (proc.args contains -s or proc.args contains -i or proc.args contains --login) and (proc.args contains "\ " or proc.args endswith \)
-  output: "Detect Sudo Privilege Escalation Exploit (CVE-2021-3156) (user=%user.name parent=%proc.pname cmdline=%proc.cmdline pid=%proc.pid %container.info)"
+  output: "Detect Sudo Privilege Escalation Exploit (CVE-2021-3156) (user=%user.name parent=%proc.pname cmdline=%proc.cmdline pid=%proc.pid exe_flags=%evt.arg.flags %container.info)"
   priority: CRITICAL
   tags: [host, container, filesystem, users, mitre_privilege_escalation, T1548.003]
 
@@ -3209,7 +3185,7 @@
     spawned_process and container
     and container.privileged=true
     and proc.name=debugfs
-  output: Debugfs launched started in a privileged container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid %container.info image=%container.image.repository:%container.image.tag)
+  output: Debugfs launched started in a privileged container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid %container.info image=%container.image.repository:%container.image.tag exe_flags=%evt.arg.flags)
   priority: WARNING
   tags: [container, cis, process, mitre_execution, mitre_lateral_movement, T1611]
 
@@ -3239,7 +3215,7 @@
     and not known_gke_mount_in_privileged_containers
     and not known_aks_mount_in_privileged_containers
     and not user_known_mount_in_privileged_containers
-  output: Mount was executed inside a privileged container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid %container.info image=%container.image.repository:%container.image.tag)
+  output: Mount was executed inside a privileged container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid %container.info image=%container.image.repository:%container.image.tag exe_flags=%evt.arg.flags)
   priority: WARNING
   tags: [container, cis, filesystem, mitre_lateral_movement, T1611]
 
@@ -3284,7 +3260,7 @@
     not user_known_ingress_remote_file_copy_activities
   output: >
     Ingress remote file copy tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid parent_process=%proc.pname
-    container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+    container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag exe_flags=%evt.arg.flags)
   priority: NOTICE
   tags: [container, network, process, mitre_command_and_control, TA0011]
 
@@ -3295,7 +3271,7 @@
   condition:
     spawned_process and user.uid != 0 and proc.name=pkexec and proc.args = ''
   output:
-    "Detect Polkit pkexec Local Privilege Escalation Exploit (CVE-2021-4034) (user=%user.loginname uid=%user.loginuid command=%proc.cmdline pid=%proc.pid args=%proc.args)"
+    "Detect Polkit pkexec Local Privilege Escalation Exploit (CVE-2021-4034) (user=%user.loginname uid=%user.loginuid command=%proc.cmdline pid=%proc.pid args=%proc.args exe_flags=%evt.arg.flags)"
   priority: CRITICAL
   tags: [host, container, process, users, mitre_privilege_escalation, TA0004]
 
@@ -3399,7 +3375,7 @@
     spawned_process and
     ((grep_commands and private_aws_credentials) or
     (proc.name = "find" and proc.args endswith ".aws/credentials"))
-  output: Detected AWS credentials search activity (user.name=%user.name user.loginuid=%user.loginuid proc.cmdline=%proc.cmdline container.id=%container.id container_name=%container.name evt.type=%evt.type evt.res=%evt.res proc.pid=%proc.pid proc.cwd=%proc.cwd proc.ppid=%proc.ppid proc.pcmdline=%proc.pcmdline proc.sid=%proc.sid proc.exepath=%proc.exepath user.uid=%user.uid user.loginname=%user.loginname group.gid=%group.gid group.name=%group.name container.name=%container.name image=%container.image.repository:%container.image.tag)
+  output: Detected AWS credentials search activity (user.name=%user.name user.loginuid=%user.loginuid proc.cmdline=%proc.cmdline container.id=%container.id container_name=%container.name evt.type=%evt.type evt.res=%evt.res proc.pid=%proc.pid proc.cwd=%proc.cwd proc.ppid=%proc.ppid proc.pcmdline=%proc.pcmdline proc.sid=%proc.sid proc.exepath=%proc.exepath user.uid=%user.uid user.loginname=%user.loginname group.gid=%group.gid group.name=%group.name container.name=%container.name image=%container.image.repository:%container.image.tag exe_flags=%evt.arg.flags)
   priority: WARNING
   tags: [host, container, mitre_credential_access, process, aws, T1552]
 
@@ -3414,9 +3390,33 @@
     (shell_procs and proc.args startswith "/dev/shm") or 
     (proc.cwd startswith "/dev/shm/" and proc.args startswith "./" )) and 
     not container.image.repository in (falco_privileged_images, trusted_images)
-  output: "File execution detected from /dev/shm (proc.cmdline=%proc.cmdline connection=%fd.name user.name=%user.name user.loginuid=%user.loginuid container.id=%container.id evt.type=%evt.type evt.res=%evt.res proc.pid=%proc.pid proc.cwd=%proc.cwd proc.ppid=%proc.ppid proc.pcmdline=%proc.pcmdline proc.sid=%proc.sid proc.exepath=%proc.exepath user.uid=%user.uid user.loginname=%user.loginname group.gid=%group.gid group.name=%group.name container.name=%container.name image=%container.image.repository)"
+  output: "File execution detected from /dev/shm (proc.cmdline=%proc.cmdline connection=%fd.name user.name=%user.name user.loginuid=%user.loginuid container.id=%container.id evt.type=%evt.type evt.res=%evt.res proc.pid=%proc.pid proc.cwd=%proc.cwd proc.ppid=%proc.ppid proc.pcmdline=%proc.pcmdline proc.sid=%proc.sid proc.exepath=%proc.exepath user.uid=%user.uid user.loginname=%user.loginname group.gid=%group.gid group.name=%group.name container.name=%container.name image=%container.image.repository exe_flags=%evt.arg.flags)"
   priority: WARNING
   tags: [host, container, mitre_execution, mitre_defense_evasion, T1036.005, T1059.004]
+  
+# List of allowed container images that are known to execute binaries not part of their base image.
+# Users can use this list to better tune the rule below (i.e reducing false positives) by considering their workloads, 
+# since this requires application specific knowledge.
+- list: known_drop_and_execute_containers
+  items: []
+
+- rule: Drop and execute new binary in container
+  desc:
+    Detect if an executable not belonging to the base image of a container is being executed.
+    The drop and execute pattern can be observed very often after an attacker gained an initial foothold.
+    is_exe_upper_layer filter field only applies for container runtimes that use overlayfs as union mount filesystem.
+  condition: >
+    spawned_process
+    and container
+    and proc.is_exe_upper_layer=true 
+    and not container.image.repository in (known_drop_and_execute_containers)
+  output: > 
+    Executing binary not part of base image (user=%user.name user_loginuid=%user.loginuid user_uid=%user.uid comm=%proc.cmdline exe=%proc.exe container_id=%container.id
+    image=%container.image.repository proc.name=%proc.name proc.sname=%proc.sname proc.pname=%proc.pname proc.aname[2]=%proc.aname[2] exe_flags=%evt.arg.flags
+    proc.exe_ino=%proc.exe_ino proc.exe_ino.ctime=%proc.exe_ino.ctime proc.exe_ino.mtime=%proc.exe_ino.mtime proc.exe_ino.ctime_duration_proc_start=%proc.exe_ino.ctime_duration_proc_start
+    proc.exepath=%proc.exepath proc.cwd=%proc.cwd proc.tty=%proc.tty container.start_ts=%container.start_ts proc.sid=%proc.sid proc.vpgid=%proc.vpgid evt.res=%evt.res)
+  priority: CRITICAL 
+  tags: [container, mitre_persistence, TA0003]
 
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to