github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-27 10:28:54 +00:00
Code Issues Projects Releases Wiki Activity

cleanup(userspace/falco): deprecate -p option.

Browse Source 
Also, `-pc` and `-pk` won't do anything now.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
This commit is contained in:
Federico Di Pierro 2025-04-30 11:02:18 +02:00 committed by poiana
parent 11f6fc5d14
commit 0326210f49
2 changed files with 18 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
userspace/falco/app/actions/init_falco_engine.cpp
View File

@ -94,40 +94,25 @@ void configure_output_format(falco::app::state& s) {
}
// See https://falco.org/docs/rules/style-guide/
const std::string container_info =
"container_image=%container.image.repository "
"container_image_tag=%container.image.tag";
const std::string k8s_info = "k8s_ns=%k8s.ns.name k8s_pod_name=%k8s.pod.name";
const std::string gvisor_info = "vpid=%proc.vpid vtid=%thread.vtid";
if(s.options.print_additional == "c" || s.options.print_additional == "container") {
s.engine->add_extra_output_format(container_info,
falco_common::syscall_source,
{},
"",
true);
} else if(s.options.print_additional == "cg" ||
s.options.print_additional == "container-gvisor") {
s.engine->add_extra_output_format(gvisor_info + " " + container_info,
falco_common::syscall_source,
{},
"",
true);
} else if(s.options.print_additional == "k" || s.options.print_additional == "kubernetes") {
s.engine->add_extra_output_format(container_info + " " + k8s_info,
falco_common::syscall_source,
{},
"",
true);
} else if(s.options.print_additional == "kg" ||
s.options.print_additional == "kubernetes-gvisor") {
s.engine->add_extra_output_format(gvisor_info + " " + container_info + " " + k8s_info,
falco_common::syscall_source,
{},
"",
true);
} else if(!s.options.print_additional.empty()) {
s.engine->add_extra_output_format(s.options.print_additional, "", {}, "", false);
if(!s.options.print_additional.empty()) {
falco_logger::log(falco_logger::level::WARNING,
"The -p/--print option is deprecated and will be removed. Use -o "
"append_output=... instead.\n");
if(s.options.print_additional == "c" || s.options.print_additional == "container" ||
s.options.print_additional == "k" || s.options.print_additional == "kubernetes") {
// Don't do anything, we don't need these anymore
// since container plugin takes care of suggesting the output format fields itself.
} else if(s.options.print_additional == "cg" ||
s.options.print_additional == "container-gvisor" ||
s.options.print_additional == "kg" ||
s.options.print_additional == "kubernetes-gvisor") {
s.engine->add_extra_output_format(gvisor_info, falco_common::syscall_source, {}, "", true);
} else {
s.engine->add_extra_output_format(s.options.print_additional, "", {}, "", false);
}
}
}

2
userspace/falco/app/options.cpp
View File

@ -117,7 +117,7 @@ void options::define(cxxopts::Options& opts)
("N", "Only print field names when used in conjunction with the --list option. It has no effect when used with other options.", cxxopts::value(names_only)->default_value("false"))
("o,option", "Set the value of option <opt> to <val>. Overrides values in the configuration file. <opt> can be identified using its location in the configuration file using dot notation. Elements of list entries can be accessed via square brackets [].\n E.g. base.id = val\n base.subvalue.subvalue2 = val\n base.list[1]=val", cxxopts::value(cmdline_config_options), "<opt>=<val>")
("plugin-info", "Print info for the plugin specified by <plugin_name> and exit.\nThis includes all descriptive information like name and author, along with the\nschema format for the init configuration and a list of suggested open parameters.\n<plugin_name> can be the plugin's name or its configured 'library_path'.", cxxopts::value(print_plugin_info), "<plugin_name>")
("p,print", "Print (or replace) additional information in the rule's output.\nUse -pc or -pcontainer to append container details to syscall events.\nUse -pk or -pkubernetes to add both container and Kubernetes details to syscall events.\nIf using gVisor, choose -pcg or -pkg variants (or -pcontainer-gvisor and -pkubernetes-gvisor, respectively).\nIf a syscall rule's output contains %container.info, it will be replaced with the corresponding details. Otherwise, these details will be directly appended to the rule's output.\nAlternatively, use -p <output_format> for a custom format. In this case, the given <output_format> will be appended to the rule's output without any replacement to all events, including plugin events.", cxxopts::value(print_additional), "<output_format>")
("p,print", "DEPRECATED: use -o append_output... instead. Print (or replace) additional information in the rule's output.\nUse -pc or -pcontainer to append container details to syscall events.\nUse -pk or -pkubernetes to add both container and Kubernetes details to syscall events.\nIf using gVisor, choose -pcg or -pkg variants (or -pcontainer-gvisor and -pkubernetes-gvisor, respectively).\nIf a syscall rule's output contains %container.info, it will be replaced with the corresponding details. Otherwise, these details will be directly appended to the rule's output.\nAlternatively, use -p <output_format> for a custom format. In this case, the given <output_format> will be appended to the rule's output without any replacement to all events, including plugin events.", cxxopts::value(print_additional), "<output_format>")
("P,pidfile", "Write PID to specified <pid_file> path. By default, no PID file is created.", cxxopts::value(pidfilename)->default_value(""), "<pid_file>")
("r", "Rules file or directory to be loaded. This option can be passed multiple times. Falco defaults to the values in the configuration file when this option is not specified.", cxxopts::value<std::vector<std::string>>(), "<rules_file>")
("support", "Print support information, including version, rules files used, loaded configuration, etc., and exit. The output is in JSON format.", cxxopts::value(print_support)->default_value("false"))