mirror of
https://github.com/falcosecurity/falco.git
synced 2025-08-19 22:58:40 +00:00
update(userspace/engine): support searching ppm_sc events in rulesets
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
This commit is contained in:
Jason Dellaluce
poiana
parent
07980b7822
commit
19ffadc763
@ -65,14 +65,14 @@ void evttype_index_ruleset::ruleset_filters::remove_wrapper_from_list(filter_wra
|
|||||||
|
|
||||||
void evttype_index_ruleset::ruleset_filters::add_filter(std::shared_ptr<filter_wrapper> wrap)
|
void evttype_index_ruleset::ruleset_filters::add_filter(std::shared_ptr<filter_wrapper> wrap)
|
||||||
{
|
{
|
||||||
if(wrap->evttypes.empty())
|
if(wrap->event_codes.empty())
|
||||||
{
|
{
|
||||||
// Should run for all event types
|
// Should run for all event types
|
||||||
add_wrapper_to_list(m_filter_all_event_types, wrap);
|
add_wrapper_to_list(m_filter_all_event_types, wrap);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
for(auto &etype : wrap->evttypes)
|
for(auto &etype : wrap->event_codes)
|
||||||
{
|
{
|
||||||
if(m_filter_by_event_type.size() <= etype)
|
if(m_filter_by_event_type.size() <= etype)
|
||||||
{
|
{
|
||||||
@ -88,13 +88,13 @@ void evttype_index_ruleset::ruleset_filters::add_filter(std::shared_ptr<filter_w
|
|||||||
|
|
||||||
void evttype_index_ruleset::ruleset_filters::remove_filter(std::shared_ptr<filter_wrapper> wrap)
|
void evttype_index_ruleset::ruleset_filters::remove_filter(std::shared_ptr<filter_wrapper> wrap)
|
||||||
{
|
{
|
||||||
if(wrap->evttypes.empty())
|
if(wrap->event_codes.empty())
|
||||||
{
|
{
|
||||||
remove_wrapper_from_list(m_filter_all_event_types, wrap);
|
remove_wrapper_from_list(m_filter_all_event_types, wrap);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
for(auto &etype : wrap->evttypes)
|
for(auto &etype : wrap->event_codes)
|
||||||
{
|
{
|
||||||
if( etype < m_filter_by_event_type.size() )
|
if( etype < m_filter_by_event_type.size() )
|
||||||
{
|
{
|
||||||
@ -138,17 +138,24 @@ bool evttype_index_ruleset::ruleset_filters::run(gen_event *evt, falco_rule& mat
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
void evttype_index_ruleset::ruleset_filters::evttypes_for_ruleset(std::set<uint16_t> &evttypes)
|
libsinsp::events::set<ppm_sc_code> evttype_index_ruleset::ruleset_filters::sc_codes()
|
||||||
{
|
{
|
||||||
evttypes.clear();
|
libsinsp::events::set<ppm_sc_code> res;
|
||||||
|
|
||||||
for(auto &wrap : m_filters)
|
for(auto &wrap : m_filters)
|
||||||
{
|
{
|
||||||
for (const auto& e : wrap->evttypes)
|
res.insert(wrap->sc_codes.begin(), wrap->sc_codes.end());
|
||||||
|
}
|
||||||
|
return res;
|
||||||
|
}
|
||||||
|
|
||||||
|
libsinsp::events::set<ppm_event_code> evttype_index_ruleset::ruleset_filters::event_codes()
|
||||||
|
{
|
||||||
|
libsinsp::events::set<ppm_event_code> res;
|
||||||
|
for(auto &wrap : m_filters)
|
||||||
{
|
{
|
||||||
evttypes.insert((uint16_t) e);
|
res.insert(wrap->event_codes.begin(), wrap->event_codes.end());
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
return res;
|
||||||
}
|
}
|
||||||
|
|
||||||
void evttype_index_ruleset::add(
|
void evttype_index_ruleset::add(
|
||||||
@ -163,11 +170,15 @@ void evttype_index_ruleset::add(
|
|||||||
wrap->filter = filter;
|
wrap->filter = filter;
|
||||||
if(rule.source == falco_common::syscall_source)
|
if(rule.source == falco_common::syscall_source)
|
||||||
{
|
{
|
||||||
wrap->evttypes = libsinsp::filter::ast::ppm_event_codes(condition.get());
|
wrap->sc_codes = libsinsp::filter::ast::ppm_sc_codes(condition.get());
|
||||||
|
// todo(jasondellaluce): once libsinsp has its fixes, optimize this
|
||||||
|
// by using libsinsp::events::ppm_set_to_event_set(wrap->sc_codes)
|
||||||
|
wrap->event_codes = libsinsp::filter::ast::ppm_event_codes(condition.get());
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
wrap->evttypes = { ppm_event_code::PPME_PLUGINEVENT_E };
|
wrap->sc_codes = { };
|
||||||
|
wrap->event_codes = { ppm_event_code::PPME_PLUGINEVENT_E };
|
||||||
}
|
}
|
||||||
m_filters.insert(wrap);
|
m_filters.insert(wrap);
|
||||||
}
|
}
|
||||||
@ -300,10 +311,27 @@ bool evttype_index_ruleset::run(gen_event *evt, falco_rule& match, uint16_t rule
|
|||||||
|
|
||||||
void evttype_index_ruleset::enabled_evttypes(std::set<uint16_t> &evttypes, uint16_t ruleset_id)
|
void evttype_index_ruleset::enabled_evttypes(std::set<uint16_t> &evttypes, uint16_t ruleset_id)
|
||||||
{
|
{
|
||||||
if(m_rulesets.size() < (size_t)ruleset_id + 1)
|
evttypes.clear();
|
||||||
|
for (const auto& e : enabled_event_codes(ruleset_id))
|
||||||
{
|
{
|
||||||
return;
|
evttypes.insert((uint16_t) e);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
return m_rulesets[ruleset_id]->evttypes_for_ruleset(evttypes);
|
|
||||||
|
libsinsp::events::set<ppm_sc_code> evttype_index_ruleset::enabled_sc_codes(uint16_t ruleset)
|
||||||
|
{
|
||||||
|
if(m_rulesets.size() < (size_t)ruleset + 1)
|
||||||
|
{
|
||||||
|
return {};
|
||||||
|
}
|
||||||
|
return m_rulesets[ruleset]->sc_codes();
|
||||||
|
}
|
||||||
|
|
||||||
|
libsinsp::events::set<ppm_event_code> evttype_index_ruleset::enabled_event_codes(uint16_t ruleset)
|
||||||
|
{
|
||||||
|
if(m_rulesets.size() < (size_t)ruleset + 1)
|
||||||
|
{
|
||||||
|
return {};
|
||||||
|
}
|
||||||
|
return m_rulesets[ruleset]->event_codes();
|
||||||
}
|
}
|
||||||
|
|||||||
@ -70,11 +70,17 @@ public:
|
|||||||
const std::set<std::string> &tags,
|
const std::set<std::string> &tags,
|
||||||
uint16_t rulset_id) override;
|
uint16_t rulset_id) override;
|
||||||
|
|
||||||
// evttypes for a ruleset
|
// note(jasondellaluce): this is deprecated, must use the new
|
||||||
|
// typing-improved `enabled_event_codes` and `enabled_sc_codes` instead
|
||||||
|
// todo(jasondellaluce): remove this in future code refactors
|
||||||
void enabled_evttypes(
|
void enabled_evttypes(
|
||||||
std::set<uint16_t> &evttypes,
|
std::set<uint16_t> &evttypes,
|
||||||
uint16_t ruleset) override;
|
uint16_t ruleset) override;
|
||||||
|
|
||||||
|
libsinsp::events::set<ppm_sc_code> enabled_sc_codes(uint16_t ruleset) override;
|
||||||
|
|
||||||
|
libsinsp::events::set<ppm_event_code> enabled_event_codes(uint16_t ruleset) override;
|
||||||
|
|
||||||
private:
|
private:
|
||||||
|
|
||||||
// Helper used by enable()/disable()
|
// Helper used by enable()/disable()
|
||||||
@ -93,7 +99,8 @@ private:
|
|||||||
struct filter_wrapper
|
struct filter_wrapper
|
||||||
{
|
{
|
||||||
falco_rule rule;
|
falco_rule rule;
|
||||||
libsinsp::events::set<ppm_event_code> evttypes;
|
libsinsp::events::set<ppm_sc_code> sc_codes;
|
||||||
|
libsinsp::events::set<ppm_event_code> event_codes;
|
||||||
std::shared_ptr<gen_event_filter> filter;
|
std::shared_ptr<gen_event_filter> filter;
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -113,7 +120,9 @@ private:
|
|||||||
|
|
||||||
bool run(gen_event *evt, falco_rule& match);
|
bool run(gen_event *evt, falco_rule& match);
|
||||||
|
|
||||||
void evttypes_for_ruleset(std::set<uint16_t> &evttypes);
|
libsinsp::events::set<ppm_sc_code> sc_codes();
|
||||||
|
|
||||||
|
libsinsp::events::set<ppm_event_code> event_codes();
|
||||||
|
|
||||||
private:
|
private:
|
||||||
void add_wrapper_to_list(filter_wrapper_list &wrappers, std::shared_ptr<filter_wrapper> wrap);
|
void add_wrapper_to_list(filter_wrapper_list &wrappers, std::shared_ptr<filter_wrapper> wrap);
|
||||||
|
|||||||
@ -327,6 +327,16 @@ void falco_engine::evttypes_for_ruleset(std::string &source, std::set<uint16_t>
|
|||||||
find_source(source)->ruleset->enabled_evttypes(evttypes, find_ruleset_id(ruleset));
|
find_source(source)->ruleset->enabled_evttypes(evttypes, find_ruleset_id(ruleset));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
libsinsp::events::set<ppm_sc_code> falco_engine::sc_codes_for_ruleset(const std::string &source, const std::string &ruleset)
|
||||||
|
{
|
||||||
|
return find_source(source)->ruleset->enabled_sc_codes(find_ruleset_id(ruleset));
|
||||||
|
}
|
||||||
|
|
||||||
|
libsinsp::events::set<ppm_event_code> falco_engine::event_codes_for_ruleset(const std::string &source, const std::string &ruleset)
|
||||||
|
{
|
||||||
|
return find_source(source)->ruleset->enabled_event_codes(find_ruleset_id(ruleset));
|
||||||
|
}
|
||||||
|
|
||||||
std::shared_ptr<gen_event_formatter> falco_engine::create_formatter(const std::string &source,
|
std::shared_ptr<gen_event_formatter> falco_engine::create_formatter(const std::string &source,
|
||||||
const std::string &output) const
|
const std::string &output) const
|
||||||
{
|
{
|
||||||
|
|||||||
@ -222,11 +222,30 @@ public:
|
|||||||
//
|
//
|
||||||
// Given an event source and ruleset, fill in a bitset
|
// Given an event source and ruleset, fill in a bitset
|
||||||
// containing the event types for which this ruleset can run.
|
// containing the event types for which this ruleset can run.
|
||||||
|
// note(jasondellaluce): this is deprecated, must use the new
|
||||||
|
// typing-improved `enabled_event_codes` and `enabled_sc_codes` instead
|
||||||
|
// todo(jasondellaluce): remove this in future code refactors
|
||||||
//
|
//
|
||||||
void evttypes_for_ruleset(std::string &source,
|
void evttypes_for_ruleset(std::string &source,
|
||||||
std::set<uint16_t> &evttypes,
|
std::set<uint16_t> &evttypes,
|
||||||
const std::string &ruleset = s_default_ruleset);
|
const std::string &ruleset = s_default_ruleset);
|
||||||
|
|
||||||
|
//
|
||||||
|
// Given an event source and ruleset, return the set of ppm_sc_codes
|
||||||
|
// for which this ruleset can run and match events.
|
||||||
|
//
|
||||||
|
libsinsp::events::set<ppm_sc_code> sc_codes_for_ruleset(
|
||||||
|
const std::string &source,
|
||||||
|
const std::string &ruleset = s_default_ruleset);
|
||||||
|
|
||||||
|
//
|
||||||
|
// Given an event source and ruleset, return the set of ppm_event_codes
|
||||||
|
// for which this ruleset can run and match events.
|
||||||
|
//
|
||||||
|
libsinsp::events::set<ppm_event_code> event_codes_for_ruleset(
|
||||||
|
const std::string &source,
|
||||||
|
const std::string &ruleset = s_default_ruleset);
|
||||||
|
|
||||||
//
|
//
|
||||||
// Given a source and output string, return an
|
// Given a source and output string, return an
|
||||||
// gen_event_formatter that can format output strings for an
|
// gen_event_formatter that can format output strings for an
|
||||||
|
|||||||
@ -21,6 +21,7 @@ limitations under the License.
|
|||||||
#include <filter.h>
|
#include <filter.h>
|
||||||
#include <event.h>
|
#include <event.h>
|
||||||
#include <gen_filter.h>
|
#include <gen_filter.h>
|
||||||
|
#include <events/sinsp_events.h>
|
||||||
|
|
||||||
/*!
|
/*!
|
||||||
\brief Manages a set of rulesets. A ruleset is a set of
|
\brief Manages a set of rulesets. A ruleset is a set of
|
||||||
@ -83,11 +84,30 @@ public:
|
|||||||
\brief Returns the union of the evttypes of all the rules enabled
|
\brief Returns the union of the evttypes of all the rules enabled
|
||||||
in a given ruleset
|
in a given ruleset
|
||||||
\param ruleset_id The id of the ruleset to be used
|
\param ruleset_id The id of the ruleset to be used
|
||||||
|
\deprecated Must use the new typing-improved `enabled_event_codes`
|
||||||
|
and `enabled_sc_codes` instead
|
||||||
|
\note todo(jasondellaluce): remove this in future refactors
|
||||||
*/
|
*/
|
||||||
virtual void enabled_evttypes(
|
virtual void enabled_evttypes(
|
||||||
std::set<uint16_t> &evttypes,
|
std::set<uint16_t> &evttypes,
|
||||||
uint16_t ruleset) = 0;
|
uint16_t ruleset) = 0;
|
||||||
|
|
||||||
|
/*!
|
||||||
|
\brief Returns the all the ppm_sc_codes matching the rules
|
||||||
|
enabled in a given ruleset.
|
||||||
|
\param ruleset_id The id of the ruleset to be used
|
||||||
|
*/
|
||||||
|
virtual libsinsp::events::set<ppm_sc_code> enabled_sc_codes(
|
||||||
|
uint16_t ruleset) = 0;
|
||||||
|
|
||||||
|
/*!
|
||||||
|
\brief Returns the all the ppm_event_codes matching the rules
|
||||||
|
enabled in a given ruleset.
|
||||||
|
\param ruleset_id The id of the ruleset to be used
|
||||||
|
*/
|
||||||
|
virtual libsinsp::events::set<ppm_event_code> enabled_event_codes(
|
||||||
|
uint16_t ruleset) = 0;
|
||||||
|
|
||||||
/*!
|
/*!
|
||||||
\brief Find those rules matching the provided substring and enable
|
\brief Find those rules matching the provided substring and enable
|
||||||
them in the provided ruleset.
|
them in the provided ruleset.
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user