github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-19 11:32:20 +00:00
Code Issues Projects Releases Wiki Activity

Merge 6c114e359a into 4074148435

Browse Source
This commit is contained in:
Federico Di Pierro 2025-05-16 14:34:33 +02:00 committed by GitHub
commit 0287bada3a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 28 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
cmake/modules/falcosecurity-libs.cmake
View File

@ -42,9 +42,9 @@ else()
# version (or branch, or commit) just pass the variable - ie., `cmake # version (or branch, or commit) just pass the variable - ie., `cmake
# -DFALCOSECURITY_LIBS_VERSION=dev ..` # -DFALCOSECURITY_LIBS_VERSION=dev ..`
if(NOT FALCOSECURITY_LIBS_VERSION) if(NOT FALCOSECURITY_LIBS_VERSION)
set(FALCOSECURITY_LIBS_VERSION "6c5659b814f775bdbb3831577b2aeb2bad909289") set(FALCOSECURITY_LIBS_VERSION "227346f7eb4133b6f7463193cfdb346aa06e06f7")
set(FALCOSECURITY_LIBS_CHECKSUM set(FALCOSECURITY_LIBS_CHECKSUM
"SHA256=5286d10b90fa687d2c81e35814eaa6cd1969166af4e702655e04f72d2d15186b" # "SHA256=5286d10b90fa687d2c81e35814eaa6cd1969166af4e702655e04f72d2d15186b"
) )
endif() endif()

13
falco.yaml
View File

@ -691,7 +691,7 @@ outputs_queue:
# affect the regular Falco message in any way. These can be specified as a # affect the regular Falco message in any way. These can be specified as a
# custom name with a custom format or as any supported field # custom name with a custom format or as any supported field
# (see: https://falco.org/docs/reference/rules/supported-fields/) # (see: https://falco.org/docs/reference/rules/supported-fields/)
# `suggested_output`: enable the use of extractor plugins suggested fields for the matching source output. # `suggested_output`: automatically append fields that are suggested to rules output
# #
# Example: # Example:
# #
@ -715,6 +715,17 @@ outputs_queue:
append_output: append_output:
- suggested_output: true - suggested_output: true
# [Sandbox] `static_fields`
#
# Add statically defined fields to the Falco engine.
# Then, they can be used as normal rule conditions, by prepending `static.` prefix,
# eg: evt.type=open and static.foo=bar
# Also, if `append_output.suggested_output` is true,
# they'll be automatically appended to each rule output,
# in the form "static_foo=bar"
# static_fields:
# foo: bar
# foo2: ${env}
########################## ##########################
# Falco outputs channels # # Falco outputs channels #

7
userspace/falco/app/actions/init_inspectors.cpp
View File

@ -21,6 +21,7 @@ limitations under the License.
#include <unordered_set> #include <unordered_set>
#include <libsinsp/plugin_manager.h> #include <libsinsp/plugin_manager.h>
#include <libsinsp/sinsp_filtercheck_static.h>
using namespace falco::app; using namespace falco::app;
using namespace falco::app::actions; using namespace falco::app::actions;
@ -53,6 +54,7 @@ static bool populate_filterchecks(const std::shared_ptr<sinsp>& inspector,
const std::string& source, const std::string& source,
filter_check_list& filterchecks, filter_check_list& filterchecks,
std::unordered_set<std::string>& used_plugins, std::unordered_set<std::string>& used_plugins,
std::map<std::string, std::string> static_fields,
std::string& err) { std::string& err) {
std::vector<const filter_check_info*> infos; std::vector<const filter_check_info*> infos;
for(const auto& plugin : inspector->get_plugin_manager()->plugins()) { for(const auto& plugin : inspector->get_plugin_manager()->plugins()) {
@ -82,6 +84,10 @@ static bool populate_filterchecks(const std::shared_ptr<sinsp>& inspector,
filterchecks.add_filter_check(sinsp_plugin::new_filtercheck(plugin)); filterchecks.add_filter_check(sinsp_plugin::new_filtercheck(plugin));
used_plugins.insert(plugin->name()); used_plugins.insert(plugin->name());
} }
if(!static_fields.empty()) {
filterchecks.add_filter_check(std::make_unique<sinsp_filter_check_static>(static_fields));
}
return true; return true;
} }
@ -162,6 +168,7 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
src, src,
*src_info->filterchecks, *src_info->filterchecks,
used_plugins, used_plugins,
s.config->m_static_fields,
err)) { err)) {
return run_result::fatal(err); return run_result::fatal(err);
} }

3
userspace/falco/config_json_schema.h
View File

@ -35,6 +35,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
"$ref": "#/definitions/AppendOutput" "$ref": "#/definitions/AppendOutput"
} }
}, },
"static_fields": {
"type": "object"
},
"config_files": { "config_files": {
"type": "array", "type": "array",
"items": { "items": {

2
userspace/falco/configuration.cpp
View File

@ -663,6 +663,8 @@ void falco_configuration::load_yaml(const std::string &config_name) {
} }
} }
m_static_fields = m_config.get_scalar<std::map<std::string, std::string>>("static_fields", {});
std::vector<std::string> load_plugins; std::vector<std::string> load_plugins;
bool load_plugins_node_defined = m_config.is_defined("load_plugins"); bool load_plugins_node_defined = m_config.is_defined("load_plugins");

2
userspace/falco/configuration.h
View File

@ -147,6 +147,8 @@ public:
std::vector<rule_selection_config> m_rules_selection; std::vector<rule_selection_config> m_rules_selection;
// Append output configuration passed by the user // Append output configuration passed by the user
std::vector<append_output_config> m_append_output; std::vector<append_output_config> m_append_output;
// Static fields configuration passed by the user
std::map<std::string, std::string> m_static_fields;
bool m_json_output; bool m_json_output;
bool m_json_include_output_property; bool m_json_include_output_property;