github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-29 19:23:16 +00:00
Code Issues Projects Releases Wiki Activity

update(userspace/falco): print out current time when a timeouts notification gets emitted

Browse Source 
Also, print out the time of the last processed event in the output
fields of the notification.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
This commit is contained in:
Leonardo Di Donato 2021-04-16 09:47:49 +00:00 committed by poiana
parent c1da6d21b9
commit 0df18fd786
2 changed files with 12 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
falco.yaml
View File

@ -110,6 +110,7 @@ syscall_event_drops:
# Here you can configure the maximum number of consecutive timeouts without an event # Here you can configure the maximum number of consecutive timeouts without an event
# after which you want Falco to alert. # after which you want Falco to alert.
# By default this value is set to 1000 consecutive timeouts without an event at all. # By default this value is set to 1000 consecutive timeouts without an event at all.
# How this value maps to a time interval depends on the CPU frequency.
syscall_event_timeouts: syscall_event_timeouts:
max_consecutives: 1000 max_consecutives: 1000

16
userspace/falco/falco.cpp
View File

@ -23,6 +23,7 @@ limitations under the License.
#include <vector> #include <vector>
#include <algorithm> #include <algorithm>
#include <string> #include <string>
#include <chrono>
#include <functional> #include <functional>
#include <signal.h> #include <signal.h>
#include <fcntl.h> #include <fcntl.h>
@ -253,7 +254,7 @@ uint64_t do_inspect(falco_engine *engine,
sinsp_evt* ev; sinsp_evt* ev;
StatsFileWriter writer; StatsFileWriter writer;
uint64_t duration_start = 0; uint64_t duration_start = 0;
uint64_t timeouts_since_last_success_or_msg = 0; uint32_t timeouts_since_last_success_or_msg = 0;
sdropmgr.init(inspector, sdropmgr.init(inspector,
outputs, outputs,
@ -304,12 +305,17 @@ uint64_t do_inspect(falco_engine *engine,
if(unlikely(ev == nullptr)) if(unlikely(ev == nullptr))
{ {
timeouts_since_last_success_or_msg++; timeouts_since_last_success_or_msg++;
if(timeouts_since_last_success_or_msg > 100) if(timeouts_since_last_success_or_msg > config.m_syscall_evt_timeout_max_consecutives)
{ {
std::string rule = "Falco internal: timeouts notification"; std::string rule = "Falco internal: timeouts notification";
std::string msg = rule + ". 100 consecutive timeouts without event."; std::string msg = rule + ". " + std::to_string(config.m_syscall_evt_timeout_max_consecutives) + " consecutive timeouts without event.";
std::map<std::string, std::string> of; std::string last_event_time_str;
outputs->handle_msg(duration_start, falco_common::PRIORITY_DEBUG, msg, rule, of); sinsp_utils::ts_to_string(duration_start, &last_event_time_str, false, true);
std::map<std::string, std::string> o = {
{"last_event_time", last_event_time_str},
};
auto now = std::chrono::duration_cast<std::chrono::nanoseconds>(std::chrono::system_clock::now().time_since_epoch()).count();
outputs->handle_msg(now, falco_common::PRIORITY_DEBUG, msg, rule, o);
// Reset the timeouts counter, Falco alerted // Reset the timeouts counter, Falco alerted
timeouts_since_last_success_or_msg = 0; timeouts_since_last_success_or_msg = 0;
} }