
Centralized allowlists support
blotus committed Dec 9, 2024
1 parent 92662ed commit dbb9adc
Showing 170 changed files with 13,064 additions and 809 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/go-tests-windows.yml
Expand Up @@ -61,6 +61,6 @@ jobs:
- name: golangci-lint
uses: golangci/golangci-lint-action@v6
with:
version: v1.61
version: v1.62
args: --issues-exit-code=1 --timeout 10m
only-new-issues: false
2 changes: 1 addition & 1 deletion .github/workflows/go-tests.yml
Expand Up @@ -190,6 +190,6 @@ jobs:
- name: golangci-lint
uses: golangci/golangci-lint-action@v6
with:
version: v1.61
version: v1.62
args: --issues-exit-code=1 --timeout 10m
only-new-issues: false
38 changes: 31 additions & 7 deletions .golangci.yml
Expand Up @@ -183,7 +183,6 @@ linters-settings:
- ifElseChain
- importShadow
- hugeParam
- rangeValCopy
- commentedOutCode
- commentedOutImport
- unnamedResult
Expand Down Expand Up @@ -211,9 +210,7 @@ linters:
#
# DEPRECATED by golangi-lint
#
- execinquery
- exportloopref
- gomnd

#
# Redundant
Expand Down Expand Up @@ -348,10 +345,6 @@ issues:
- errorlint
text: "type switch on error will fail on wrapped errors. Use errors.As to check for specific errors"

- linters:
- errorlint
text: "comparing with .* will fail on wrapped errors. Use errors.Is to check for a specific error"

- linters:
- nosprintfhostport
text: "host:port in url should be constructed with net.JoinHostPort and not directly with fmt.Sprintf"
Expand Down Expand Up @@ -460,3 +453,34 @@ issues:
- revive
path: "cmd/crowdsec/win_service.go"
text: "deep-exit: .*"

- linters:
- recvcheck
path: "pkg/csplugin/hclog_adapter.go"
text: 'the methods of "HCLogAdapter" use pointer receiver and non-pointer receiver.'

# encoding to json/yaml requires value receivers
- linters:
- recvcheck
path: "pkg/cwhub/item.go"
text: 'the methods of "Item" use pointer receiver and non-pointer receiver.'

- linters:
- gocritic
path: "cmd/crowdsec-cli"
text: "rangeValCopy: .*"

- linters:
- gocritic
path: "pkg/(cticlient|hubtest)"
text: "rangeValCopy: .*"

- linters:
- gocritic
path: "(.+)_test.go"
text: "rangeValCopy: .*"

- linters:
- gocritic
path: "pkg/(appsec|acquisition|dumps|alertcontext|leakybucket|exprhelpers)"
text: "rangeValCopy: .*"
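Review bot: The four `rangeValCopy` exclusions added at the end of the `issues` section carry no explanation of why those paths are exempt, unlike the `Item` recvcheck entry just above them that says "encoding to json/yaml requires value receivers"; together they exempt cmd/crowdsec-cli, every `_test.go` file and nine packages, so the check that this commit un-disables in `linters-settings` will apply to relatively little of the tree. I would collapse them into one entry with a combined path regex and a comment stating the intent, e.g. `# rangeValCopy: large structs copied by value in range loops; fix per package and drop the path here`, so the list reads as a backlog rather than a permanent opt-out. The `HCLogAdapter` recvcheck exclusion would benefit from the same kind of one-line justification as the `Item` one.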
61 changes: 38 additions & 23 deletions Makefile
Expand Up @@ -22,7 +22,7 @@ BUILD_RE2_WASM ?= 0
# for your distribution (look for libre2.a). See the Dockerfile for an example of how to build it.
BUILD_STATIC ?= 0

# List of plugins to build
# List of notification plugins to build
PLUGINS ?= $(patsubst ./cmd/notification-%,%,$(wildcard ./cmd/notification-*))

#--------------------------------------
Expand Down Expand Up @@ -80,45 +80,46 @@ endif
#expr_debug tag is required to enable the debug mode in expr
GO_TAGS := netgo,osusergo,sqlite_omit_load_extension,expr_debug

# Allow building on ubuntu 24.10, see https://github.com/golang/go/issues/70023
export CGO_LDFLAGS_ALLOW=-Wl,--(push|pop)-state.*

# this will be used by Go in the make target, some distributions require it
export PKG_CONFIG_PATH:=/usr/local/lib/pkgconfig:$(PKG_CONFIG_PATH)

#--------------------------------------
#
# Choose the re2 backend.
#

ifeq ($(call bool,$(BUILD_RE2_WASM)),0)
ifeq ($(PKG_CONFIG),)
$(error "pkg-config is not available. Please install pkg-config.")
endif

ifeq ($(RE2_CHECK),)
RE2_FAIL := "libre2-dev is not installed, please install it or set BUILD_RE2_WASM=1 to use the WebAssembly version"
# if you prefer to build WASM instead of a critical error, comment out RE2_FAIL and uncomment RE2_MSG.
# RE2_MSG := Fallback to WebAssembly regexp library. To use the C++ version, make sure you have installed libre2-dev and pkg-config.
else
# += adds a space that we don't want
GO_TAGS := $(GO_TAGS),re2_cgo
LD_OPTS_VARS += -X '$(GO_MODULE_NAME)/pkg/cwversion.Libre2=C++'
RE2_MSG := Using C++ regexp library
endif
endif

# Build static to avoid the runtime dependency on libre2.so
ifeq ($(call bool,$(BUILD_STATIC)),1)
BUILD_TYPE = static
EXTLDFLAGS := -extldflags '-static'
else
BUILD_TYPE = dynamic
EXTLDFLAGS :=
RE2_MSG := Using WebAssembly regexp library
endif

# Build with debug symbols, and disable optimizations + inlining, to use Delve
ifeq ($(call bool,$(DEBUG)),1)
STRIP_SYMBOLS :=
DISABLE_OPTIMIZATION := -gcflags "-N -l"
ifeq ($(call bool,$(BUILD_RE2_WASM)),1)
else
STRIP_SYMBOLS := -s
DISABLE_OPTIMIZATION :=
ifneq (,$(RE2_CHECK))
endif
endif

#--------------------------------------

#
# Handle optional components and build profiles, to save space on the final binaries.

#
# Keep it safe for now until we decide how to expand on the idea. Either choose a profile or exclude components manually.
# For example if we want to disable some component by default, or have opt-in components (INCLUDE?).

Expand All @@ -131,6 +132,7 @@ COMPONENTS := \
datasource_cloudwatch \
datasource_docker \
datasource_file \
datasource_http \
datasource_k8saudit \
datasource_kafka \
datasource_journalctl \
Expand Down Expand Up @@ -178,6 +180,23 @@ endif

#--------------------------------------

ifeq ($(call bool,$(BUILD_STATIC)),1)
BUILD_TYPE = static
EXTLDFLAGS := -extldflags '-static'
else
BUILD_TYPE = dynamic
EXTLDFLAGS :=
endif

# Build with debug symbols, and disable optimizations + inlining, to use Delve
ifeq ($(call bool,$(DEBUG)),1)
STRIP_SYMBOLS :=
DISABLE_OPTIMIZATION := -gcflags "-N -l"
else
STRIP_SYMBOLS := -s
DISABLE_OPTIMIZATION :=
endif

export LD_OPTS=-ldflags "$(STRIP_SYMBOLS) $(EXTLDFLAGS) $(LD_OPTS_VARS)" \
-trimpath -tags $(GO_TAGS) $(DISABLE_OPTIMIZATION)

Expand All @@ -193,17 +212,13 @@ build: build-info crowdsec cscli plugins ## Build crowdsec, cscli and plugins
.PHONY: build-info
build-info: ## Print build information
$(info Building $(BUILD_VERSION) ($(BUILD_TAG)) $(BUILD_TYPE) for $(GOOS)/$(GOARCH))
$(info Excluded components: $(EXCLUDE_LIST))
$(info Excluded components: $(if $(EXCLUDE_LIST),$(EXCLUDE_LIST),none))

ifneq (,$(RE2_FAIL))
$(error $(RE2_FAIL))
endif

ifneq (,$(RE2_CHECK))
$(info Using C++ regexp library)
else
$(info Fallback to WebAssembly regexp library. To use the C++ version, make sure you have installed libre2-dev and pkg-config.)
endif
$(info $(RE2_MSG))

ifeq ($(call bool,$(DEBUG)),1)
$(info Building with debug symbols and disabled optimizations)
Expand Down
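Review bot: The new `export CGO_LDFLAGS_ALLOW=-Wl,--(push|pop)-state.*` loosens Go's cgo linker-flag allowlist for every `go` invocation this Makefile runs, and the trailing `.*` admits any flag that merely begins with `-Wl,--push-state`, not only the `--as-needed` form the linked golang/go#70023 appears to be about; that allowlist is what stops pkg-config output or `#cgo` directives from injecting arbitrary linker options, so the pattern should be pinned to the exact flags observed on Ubuntu 24.10's `re2.pc` (confirm them), along the lines of `export CGO_LDFLAGS_ALLOW=^-Wl,--(push-state,--as-needed|pop-state)$$`. As far as I recall the go tool only accepts a flag when the regexp matches it in full, which is why the unanchored `.*` is enough to admit `-Wl,--push-state,<anything>`. The override also only matters when `re2_cgo` is built, so it belongs inside the `ifeq ($(call bool,$(BUILD_RE2_WASM)),0)` branch of the new "Choose the re2 backend" block rather than unconditionally next to `PKG_CONFIG_PATH`. The re2 block's `ifeq`/`endif` nesting and the `RE2_CHECK`/`PKG_CONFIG` definitions it relies on begin outside this hunk.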
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -84,7 +84,7 @@ The architecture is as follows :
<img src="https://github.com/crowdsecurity/crowdsec-docs/blob/main/crowdsec-docs/static/img/crowdsec_architecture.png" alt="CrowdSec" title="CrowdSec"/>
</p>

Once an unwanted behavior is detected, deal with it through a [bouncer](https://hub.crowdsec.net/browse/#bouncers). The aggressive IP, scenario triggered and timestamp are sent for curation, to avoid poisoning & false positives. (This can be disabled). If verified, this IP is then redistributed to all CrowdSec users running the same scenario.
Once an unwanted behavior is detected, deal with it through a [bouncer](https://app.crowdsec.net/hub/remediation-components). The aggressive IP, scenario triggered and timestamp are sent for curation, to avoid poisoning & false positives. (This can be disabled). If verified, this IP is then redistributed to all CrowdSec users running the same scenario.

## Outnumbering hackers all together

Expand Down
2 changes: 1 addition & 1 deletion azure-pipelines.yml
Expand Up @@ -21,7 +21,7 @@ stages:
- task: GoTool@0
displayName: "Install Go"
inputs:
version: '1.23'
version: '1.23.3'

- pwsh: |
choco install -y make
Expand Down
