github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-26 04:36:48 +00:00
Code Issues Projects Releases Wiki Activity

update(userspace/engine,userspace/falco): improved some string warnings.

Browse Source 
Always print warnings while loading rules.
Print a single line when warning for ignored events.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
This commit is contained in:
Federico Di Pierro
2022-01-24 15:01:10 +01:00
committed by poiana
parent 96529300f6
commit 1a485c3447
3 changed files with 27 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
userspace/engine/rules.cpp
View File

@@ -452,7 +452,7 @@ void falco_rules::load_rules(const string &rules_content,
throw falco_exception(os.str()); throw falco_exception(os.str());
} }
if (verbose && os.str() != "") { if (os.str() != "") {
// We don't really have a logging callback // We don't really have a logging callback
// from the falco engine, but this would be a // from the falco engine, but this would be a
// good place to use it. // good place to use it.

3
userspace/engine/ruleset.cpp
View File

@@ -68,6 +68,9 @@ void falco_ruleset::ruleset_filters::add_filter(std::shared_ptr<filter_wrapper>
{ {
std::set<uint16_t> fevttypes = wrap->filter->evttypes(); std::set<uint16_t> fevttypes = wrap->filter->evttypes();
// TODO: who fills this one for rules without evt.type specified?
// Can this be actually empty?
// Is m_filter_all_event_types useful?
if(fevttypes.empty()) if(fevttypes.empty())
{ {
// Should run for all event types // Should run for all event types

29
userspace/falco/falco.cpp
View File

@@ -456,11 +456,29 @@ static void check_for_ignored_events(sinsp &inspector, falco_engine &engine)
std::string name = etable[evtnum].name; std::string name = etable[evtnum].name;
if(warn_event_names.find(name) == warn_event_names.end()) if(warn_event_names.find(name) == warn_event_names.end())
{ {
printf("Loaded rules use event %s, but this event is not returned unless running falco with -A\n", name.c_str());
warn_event_names.insert(name); warn_event_names.insert(name);
} }
} }
} }
// Print a single warning with the list of ignored events
if (!warn_event_names.empty())
{
std::string skipped_events;
bool first = true;
for (const auto& evtname : warn_event_names)
{
if (first)
{
skipped_events += evtname;
first = false;
} else
{
skipped_events += "," + evtname;
}
}
fprintf(stderr,"Loaded rules match events (%s), but these events are not returned unless running falco with -A\n", skipped_events.c_str());
}
} }
static void list_source_fields(falco_engine *engine, bool verbose, bool names_only, std::string &source) static void list_source_fields(falco_engine *engine, bool verbose, bool names_only, std::string &source)
@@ -1138,11 +1156,6 @@ int falco_init(int argc, char **argv)
engine->enable_rule_by_tag(enabled_rule_tags, true); engine->enable_rule_by_tag(enabled_rule_tags, true);
} }
// For syscalls, see if any event types used by the
// loaded rules are ones with the EF_DROP_SIMPLE_CONS
// label.
check_for_ignored_events(*inspector, *engine);
if(print_support) if(print_support)
{ {
nlohmann::json support; nlohmann::json support;
@@ -1206,6 +1219,10 @@ int falco_init(int argc, char **argv)
if(!all_events) if(!all_events)
{ {
// For syscalls, see if any event types used by the
// loaded rules are ones with the EF_DROP_SIMPLE_CONS
// label.
check_for_ignored_events(*inspector, *engine);
// Drop EF_DROP_SIMPLE_CONS kernel side // Drop EF_DROP_SIMPLE_CONS kernel side
inspector->set_simple_consumer(); inspector->set_simple_consumer();
// Eventually, drop any EF_DROP_SIMPLE_CONS event // Eventually, drop any EF_DROP_SIMPLE_CONS event