diff --git a/falco.yaml b/falco.yaml
index 21b9a166..acfd3fef 100644
--- a/falco.yaml
+++ b/falco.yaml
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -65,6 +65,11 @@ plugins:
 # load_plugins: [cloudtrail, json]
 load_plugins: []
 
+# Watch config file and rules files for modification.
+# When a file is modified, Falco will propagate new config,
+# by reloading itself.
+watch_config_files: true
+
 # If true, the times displayed in log messages and output messages
 # will be in ISO 8601. By default, times are displayed in the local
 # time zone, as governed by /etc/localtime.
diff --git a/userspace/falco/app_actions/create_signal_handlers.cpp b/userspace/falco/app_actions/create_signal_handlers.cpp
index 01f2122c..377eec82 100644
--- a/userspace/falco/app_actions/create_signal_handlers.cpp
+++ b/userspace/falco/app_actions/create_signal_handlers.cpp
@@ -91,7 +91,7 @@ application::run_result application::create_signal_handlers()
 application::run_result application::attach_inotify_signals()
 {
 	run_result ret;
-	if (m_options.monitor_files)
+	if (m_state->config->m_watch_config_files)
 	{
 		ret.proceed = false;
 		ret.success = false;
diff --git a/userspace/falco/app_actions/load_rules_files.cpp b/userspace/falco/app_actions/load_rules_files.cpp
index b3495e6f..5633c05c 100644
--- a/userspace/falco/app_actions/load_rules_files.cpp
+++ b/userspace/falco/app_actions/load_rules_files.cpp
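Review bot: The new `watch_config_files` comment does not say that a missing key also means watching is on — configuration.cpp in this same commit reads it with `get_scalar("watch_config_files", true)` — nor that the key replaces the `--monitor_files` flag removed from app_cmdline_options.cpp, so operators who never passed that flag get file watching and self-reload enabled after upgrading without any visible change on their side. I would extend the comment with `# Defaults to true when the key is absent; replaces the removed --monitor_files command-line flag.` so the changed default is documented where it is configured. The sentence `Falco will propagate new config, by reloading itself.` also has a stray comma before `by`.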
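Review bot: Gating attach_inotify_signals on `m_state->config->m_watch_config_files` turns file watching from opt-in (the old `--monitor_files` flag) into opt-out, because the value is read with a fallback of `true` elsewhere in this commit, and nothing in the hunk tells an operator at startup that the process will now reload itself whenever a rules or config file changes. A log line at the top of the true-branch, e.g. `falco_logger::log(LOG_INFO, "Watching config and rules files for changes\n");`, would make the active mode visible in the logs and in any log-based audit of the sensor's configuration. The `ret.proceed = false; ret.success = false;` assignments inside the branch presumably get overwritten once the watches are attached; the rest of attach_inotify_signals is outside the hunk, so that cannot be confirmed here.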
@@ -86,12 +86,12 @@ application::run_result application::load_rules_files()
 	}
 
 	falco_logger::log(LOG_DEBUG, "Configured rules filenames:\n");
-	for (auto filename : m_state->config->m_rules_filenames)
+	for (const auto& filename : m_state->config->m_rules_filenames)
 	{
 		falco_logger::log(LOG_DEBUG, string(" ") + filename + "\n");
 	}
 
-	for (auto filename : m_state->config->m_rules_filenames)
+	for (const auto& filename : m_state->config->m_rules_filenames)
 	{
 		falco_logger::log(LOG_INFO, "Loading rules from file " + filename + ":\n");
 		uint64_t required_engine_version;
@@ -125,13 +125,13 @@ application::run_result application::load_rules_files()
 	// Free-up memory for the rule loader, which is not used from now on
 	m_state->engine->clear_loader();
 
-	for (auto substring : m_options.disabled_rule_substrings)
+	for (const auto& substring : m_options.disabled_rule_substrings)
 	{
 		falco_logger::log(LOG_INFO, "Disabling rules matching substring: " + substring + "\n");
 		m_state->engine->enable_rule(substring, false);
 	}
 
-	if(m_options.disabled_rule_tags.size() > 0)
+	if(!m_options.disabled_rule_tags.empty())
 	{
 		for(auto &tag : m_options.disabled_rule_tags)
 		{
@@ -140,7 +140,7 @@ application::run_result application::load_rules_files()
 		m_state->engine->enable_rule_by_tag(m_options.disabled_rule_tags, false);
 	}
 
-	if(m_options.enabled_rule_tags.size() > 0)
+	if(!m_options.enabled_rule_tags.empty())
 	{
 		// Since we only want to enable specific
 		// rules, first disable all rules.
diff --git a/userspace/falco/app_cmdline_options.cpp b/userspace/falco/app_cmdline_options.cpp
index f278636c..4855305b 100644
--- a/userspace/falco/app_cmdline_options.cpp
+++ b/userspace/falco/app_cmdline_options.cpp
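Review bot: The second hunk switches the substring loop to `for (const auto& substring : …)` but leaves the neighbouring `for(auto &tag : m_options.disabled_rule_tags)` in the old form, so the same block now mixes `for (` with `for(` and `const auto&` with `auto &`; the `if(!m_options.disabled_rule_tags.empty())` line in that hunk and `if(!m_options.enabled_rule_tags.empty())` in the third hunk likewise keep `if(` directly next to the `for (` headers just restyled. Since the commit is a style pass, I would change the tag loop header to `for (const auto& tag : m_options.disabled_rule_tags)` — provided its body, which is outside the hunk, does not modify `tag` — and space the two `if(` lines the same way as the `for (` lines. load_rules_files starts and ends outside the hunks.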
@@ -181,7 +181,6 @@ void cmdline_options::define()
 #endif
 	("M", "Stop collecting after reached.", cxxopts::value(duration_to_tot)->default_value("0"), "")
 	("markdown", "When used with --list/--list-syscall-events, print the content in Markdown format", cxxopts::value(markdown))
-	("monitor_files", "Monitor rules and config files to reload Falco on change.", cxxopts::value(monitor_files))
 	("N", "When used with --list, only print field names.", cxxopts::value(names_only)->default_value("false"))
 	("o,option", "Set the value of option to . Overrides values in configuration file. can be identified using its location in configuration file using dot notation. Elements which are entries of lists can be accessed via square brackets [].\n E.g. base.id = val\n base.subvalue.subvalue2 = val\n base.list[1]=val", cxxopts::value(cmdline_config_options), "=")
 	("p,print", "Add additional information to each falco notification's output.\nWith -pc or -pcontainer will use a container-friendly format.\nWith -pk or -pkubernetes will use a kubernetes-friendly format.\nWith -pm or -pmesos will use a mesos-friendly format.\nAdditionally, specifying -pc/-pk/-pm will change the interpretation of %container.info in rule output fields.", cxxopts::value(print_additional), "")
diff --git a/userspace/falco/app_cmdline_options.h b/userspace/falco/app_cmdline_options.h
index c774f89e..240356ff 100644
--- a/userspace/falco/app_cmdline_options.h
+++ b/userspace/falco/app_cmdline_options.h
@@ -35,7 +35,6 @@ public:
 	// Each of these maps directly to a command line option.
 	bool help;
 	std::string conf_filename;
-	bool monitor_files;
 	bool all_events;
 	sinsp_evt::param_fmt event_buffer_format;
 	std::vector cri_socket_paths;
diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp
index 89030541..85820c34 100644
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
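Review bot: Removing the `monitor_files` option outright means an existing invocation that still passes `--monitor_files` will be rejected at parse time, since cxxopts by default throws on an option it does not know unless `allow_unrecognised_options()` has been enabled, which this hunk does not show; nothing in the commit documents the removal or points users at `watch_config_files` in falco.yaml. I would keep the option for one release as a deprecated no-op, e.g. `("monitor_files", "Deprecated and ignored: set watch_config_files in falco.yaml instead.", cxxopts::value(monitor_files))`, and log a warning when it is set, which also means keeping the `bool monitor_files;` member that the app_cmdline_options.h hunk deletes. cmdline_options::define starts and ends outside the hunk.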
@@ -301,6 +301,8 @@ void falco_configuration::init(string conf_filename, const vector &cmdli
 			m_plugins.push_back(p);
 		}
 	}
+
+	m_watch_config_files = m_config->get_scalar("watch_config_files", true);
 }
 
 void falco_configuration::read_rules_file_directory(const string &path, list &rules_filenames)
diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h
index 88e7730b..4a000d2c 100644
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@@ -232,6 +232,7 @@ public:
 	falco_common::priority_type m_min_priority;
+	bool m_watch_config_files;
 	bool m_buffered_outputs;
 	bool m_time_format_iso_8601;
 	uint32_t m_output_timeout;
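Review bot: The fallback `true` in `m_config->get_scalar("watch_config_files", true)` is a second copy of the default shipped in falco.yaml, and the assignment carries no comment saying that an absent key deliberately keeps self-reload on, so the two defaults can drift without anyone noticing. I would annotate the line with `// Absent key keeps file watching enabled; keep in sync with the default documented in falco.yaml.`. Whether `get_scalar` rejects a non-boolean value is not visible here; falco_configuration::init starts outside the hunk, and the configuration.h hunk that declares `bool m_watch_config_files;` runs past the end of the visible diff.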