github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-04 08:04:49 +00:00
Code Issues Projects Releases Wiki Activity

Move json -> k8s audit event conversion out of falco engine

Browse Source 
Move the code that splits a json object into a list of k8s audit/json
events out of falco engine and into json_evt.

This, along with other changes, allows the falco engine to be more
general purpose and not directly tied to the notion of syscall vs k8s
audit events.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm
2021-08-25 16:20:24 -07:00
committed by poiana
parent 044a7c153e
commit 1c60dab87e
5 changed files with 89 additions and 89 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
userspace/engine/falco_engine.h
View File

@@ -164,16 +164,6 @@ public:
std::set<std::string> tags;
};
//
// Given a raw json object, return a list of k8s audit event
// objects that represent the object. This method handles
// things such as EventList splitting.
//
// Returns true if the json object was recognized as a k8s
// audit event(s), false otherwise.
//
bool parse_k8s_audit_json(nlohmann::json &j, std::list<json_event> &evts, bool top=true);
//
// Given an event, check it against the set of rules in the
// engine and if a matching rule is found, return details on