github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-20 15:23:30 +00:00
Code Issues Projects Releases Wiki Activity

Move json -> k8s audit event conversion out of falco engine

Browse Source 
Move the code that splits a json object into a list of k8s audit/json
events out of falco engine and into json_evt.

This, along with other changes, allows the falco engine to be more
general purpose and not directly tied to the notion of syscall vs k8s
audit events.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm 2021-08-25 16:20:24 -07:00 committed by poiana
parent 044a7c153e
commit 1c60dab87e
5 changed files with 89 additions and 89 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
userspace/engine/falco_engine.cpp
View File

@ -386,84 +386,6 @@ void falco_engine::populate_rule_result(unique_ptr<struct rule_result> &res, gen
} }
} }
bool falco_engine::parse_k8s_audit_json(nlohmann::json &j, std::list<json_event> &evts, bool top)
{
// Note that nlohmann::basic_json::value can throw nlohmann::basic_json::type_error (302, 306)
try
{
// If the object is an array, call parse_k8s_audit_json again for each item.
if(j.is_array())
{
if(top)
{
for(auto &item : j)
{
// Note we only handle a single top level array, to
// avoid excessive recursion.
if(! parse_k8s_audit_json(item, evts, false))
{
return false;
}
}
return true;
}
else
{
return false;
}
}
// If the kind is EventList, split it into individual events
if(j.value("kind", "<NA>") == "EventList")
{
for(auto &je : j["items"])
{
evts.emplace_back();
je["kind"] = "Event";
uint64_t ns = 0;
if(!sinsp_utils::parse_iso_8601_utc_string(je.value(k8s_audit_time, "<NA>"), ns))
{
return false;
}
std::string tmp;
sinsp_utils::ts_to_string(ns, &tmp, false, true);
evts.back().set_jevt(je, ns);
}
return true;
}
else if(j.value("kind", "<NA>") == "Event")
{
evts.emplace_back();
uint64_t ns = 0;
if(!sinsp_utils::parse_iso_8601_utc_string(j.value(k8s_audit_time, "<NA>"), ns))
{
return false;
}
evts.back().set_jevt(j, ns);
return true;
}
else
{
return false;
}
}
catch(exception &e)
{
return false;
}
}
unique_ptr<falco_engine::rule_result> falco_engine::process_k8s_audit_event(json_event *ev)
{
return process_k8s_audit_event(ev, m_default_ruleset_id);
}
void falco_engine::describe_rule(string *rule) void falco_engine::describe_rule(string *rule)
{ {
return m_rules->describe_rule(rule); return m_rules->describe_rule(rule);

10
userspace/engine/falco_engine.h
View File

@ -164,16 +164,6 @@ public:
std::set<std::string> tags; std::set<std::string> tags;
}; };
//
// Given a raw json object, return a list of k8s audit event
// objects that represent the object. This method handles
// things such as EventList splitting.
//
// Returns true if the json object was recognized as a k8s
// audit event(s), false otherwise.
//
bool parse_k8s_audit_json(nlohmann::json &j, std::list<json_event> &evts, bool top=true);
// //
// Given an event, check it against the set of rules in the // Given an event, check it against the set of rules in the
// engine and if a matching rule is found, return details on // engine and if a matching rule is found, return details on

75
userspace/engine/json_evt.cpp
View File

@ -50,6 +50,81 @@ uint64_t json_event::get_ts() const
return m_event_ts; return m_event_ts;
} }
static nlohmann::json::json_pointer k8s_audit_time = "/stageTimestamp"_json_pointer;
bool falco_k8s_audit::parse_k8s_audit_json(nlohmann::json &j, std::list<json_event> &evts, bool top)
{
// Note that nlohmann::basic_json::value can throw nlohmann::basic_json::type_error (302, 306)
try
{
// If the object is an array, call parse_k8s_audit_json again for each item.
if(j.is_array())
{
if(top)
{
for(auto &item : j)
{
// Note we only handle a single top level array, to
// avoid excessive recursion.
if(! parse_k8s_audit_json(item, evts, false))
{
return false;
}
}
return true;
}
else
{
return false;
}
}
// If the kind is EventList, split it into individual events
if(j.value("kind", "<NA>") == "EventList")
{
for(auto &je : j["items"])
{
evts.emplace_back();
je["kind"] = "Event";
uint64_t ns = 0;
if(!sinsp_utils::parse_iso_8601_utc_string(je.value(k8s_audit_time, "<NA>"), ns))
{
return false;
}
std::string tmp;
sinsp_utils::ts_to_string(ns, &tmp, false, true);
evts.back().set_jevt(je, ns);
}
return true;
}
else if(j.value("kind", "<NA>") == "Event")
{
evts.emplace_back();
uint64_t ns = 0;
if(!sinsp_utils::parse_iso_8601_utc_string(j.value(k8s_audit_time, "<NA>"), ns))
{
return false;
}
evts.back().set_jevt(j, ns);
return true;
}
else
{
return false;
}
}
catch(exception &e)
{
return false;
}
}
json_event_value::json_event_value() json_event_value::json_event_value()
{ {
} }

13
userspace/engine/json_evt.h
View File

@ -57,6 +57,19 @@ protected:
uint64_t m_event_ts; uint64_t m_event_ts;
}; };
namespace falco_k8s_audit {
//
// Given a raw json object, return a list of k8s audit event
// objects that represent the object. This method handles
// things such as EventList splitting.
//
// Returns true if the json object was recognized as a k8s
// audit event(s), false otherwise.
//
bool parse_k8s_audit_json(nlohmann::json &j, std::list<json_event> &evts, bool top=true);
};
// A class representing an extracted value or a value on the rhs of a // A class representing an extracted value or a value on the rhs of a
// filter_check. This intentionally doesn't use the same types as // filter_check. This intentionally doesn't use the same types as
// ppm_events_public.h to take advantage of actual classes instead of // ppm_events_public.h to take advantage of actual classes instead of

2
userspace/falco/webserver.cpp
View File

@ -69,7 +69,7 @@ bool k8s_audit_handler::accept_data(falco_engine *engine,
bool ok; bool ok;
try try
{ {
ok = engine->parse_k8s_audit_json(j, jevts); ok = falco_k8s_audit::parse_k8s_audit_json(j, jevts);
} }
catch(json::type_error &e) catch(json::type_error &e)
{ {