github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-16 23:08:16 +00:00
Code Issues Projects Releases Wiki Activity

update(userspace/falco): moved to a config option.

Browse Source 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
This commit is contained in:
Federico Di Pierro
2022-05-06 11:20:16 +02:00
committed by poiana
parent a9fe979071
commit 293a6c2b40
7 changed files with 15 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
falco.yaml
View File

@@ -1,5 +1,5 @@
# #
# Copyright (C) 2021 The Falco Authors. # Copyright (C) 2022 The Falco Authors.
# #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
@@ -65,6 +65,11 @@ plugins:
# load_plugins: [cloudtrail, json] # load_plugins: [cloudtrail, json]
load_plugins: [] load_plugins: []
# Watch config file and rules files for modification.
# When a file is modified, Falco will propagate new config,
# by reloading itself.
watch_config_files: true
# If true, the times displayed in log messages and output messages # If true, the times displayed in log messages and output messages
# will be in ISO 8601. By default, times are displayed in the local # will be in ISO 8601. By default, times are displayed in the local
# time zone, as governed by /etc/localtime. # time zone, as governed by /etc/localtime.

2
userspace/falco/app_actions/create_signal_handlers.cpp
View File

@@ -91,7 +91,7 @@ application::run_result application::create_signal_handlers()
application::run_result application::attach_inotify_signals() application::run_result application::attach_inotify_signals()
{ {
run_result ret; run_result ret;
if (m_options.monitor_files) if (m_state->config->m_watch_config_files)
{ {
ret.proceed = false; ret.proceed = false;
ret.success = false; ret.success = false;

10
userspace/falco/app_actions/load_rules_files.cpp
View File

@@ -86,12 +86,12 @@ application::run_result application::load_rules_files()
} }
falco_logger::log(LOG_DEBUG, "Configured rules filenames:\n"); falco_logger::log(LOG_DEBUG, "Configured rules filenames:\n");
for (auto filename : m_state->config->m_rules_filenames) for (const auto& filename : m_state->config->m_rules_filenames)
{ {
falco_logger::log(LOG_DEBUG, string(" ") + filename + "\n"); falco_logger::log(LOG_DEBUG, string(" ") + filename + "\n");
} }
for (auto filename : m_state->config->m_rules_filenames) for (const auto& filename : m_state->config->m_rules_filenames)
{ {
falco_logger::log(LOG_INFO, "Loading rules from file " + filename + ":\n"); falco_logger::log(LOG_INFO, "Loading rules from file " + filename + ":\n");
uint64_t required_engine_version; uint64_t required_engine_version;
@@ -125,13 +125,13 @@ application::run_result application::load_rules_files()
// Free-up memory for the rule loader, which is not used from now on // Free-up memory for the rule loader, which is not used from now on
m_state->engine->clear_loader(); m_state->engine->clear_loader();
for (auto substring : m_options.disabled_rule_substrings) for (const auto& substring : m_options.disabled_rule_substrings)
{ {
falco_logger::log(LOG_INFO, "Disabling rules matching substring: " + substring + "\n"); falco_logger::log(LOG_INFO, "Disabling rules matching substring: " + substring + "\n");
m_state->engine->enable_rule(substring, false); m_state->engine->enable_rule(substring, false);
} }
if(m_options.disabled_rule_tags.size() > 0) if(!m_options.disabled_rule_tags.empty())
{ {
for(auto &tag : m_options.disabled_rule_tags) for(auto &tag : m_options.disabled_rule_tags)
{ {
@@ -140,7 +140,7 @@ application::run_result application::load_rules_files()
m_state->engine->enable_rule_by_tag(m_options.disabled_rule_tags, false); m_state->engine->enable_rule_by_tag(m_options.disabled_rule_tags, false);
} }
if(m_options.enabled_rule_tags.size() > 0) if(!m_options.enabled_rule_tags.empty())
{ {
// Since we only want to enable specific // Since we only want to enable specific
// rules, first disable all rules. // rules, first disable all rules.

1
userspace/falco/app_cmdline_options.cpp
View File

@@ -181,7 +181,6 @@ void cmdline_options::define()
#endif #endif
("M", "Stop collecting after <num_seconds> reached.", cxxopts::value(duration_to_tot)->default_value("0"), "<num_seconds>") ("M", "Stop collecting after <num_seconds> reached.", cxxopts::value(duration_to_tot)->default_value("0"), "<num_seconds>")
("markdown", "When used with --list/--list-syscall-events, print the content in Markdown format", cxxopts::value<bool>(markdown)) ("markdown", "When used with --list/--list-syscall-events, print the content in Markdown format", cxxopts::value<bool>(markdown))
("monitor_files", "Monitor rules and config files to reload Falco on change.", cxxopts::value<bool>(monitor_files))
("N", "When used with --list, only print field names.", cxxopts::value(names_only)->default_value("false")) ("N", "When used with --list, only print field names.", cxxopts::value(names_only)->default_value("false"))
("o,option", "Set the value of option <opt> to <val>. Overrides values in configuration file. <opt> can be identified using its location in configuration file using dot notation. Elements which are entries of lists can be accessed via square brackets [].\n E.g. base.id = val\n base.subvalue.subvalue2 = val\n base.list[1]=val", cxxopts::value(cmdline_config_options), "<opt>=<val>") ("o,option", "Set the value of option <opt> to <val>. Overrides values in configuration file. <opt> can be identified using its location in configuration file using dot notation. Elements which are entries of lists can be accessed via square brackets [].\n E.g. base.id = val\n base.subvalue.subvalue2 = val\n base.list[1]=val", cxxopts::value(cmdline_config_options), "<opt>=<val>")
("p,print", "Add additional information to each falco notification's output.\nWith -pc or -pcontainer will use a container-friendly format.\nWith -pk or -pkubernetes will use a kubernetes-friendly format.\nWith -pm or -pmesos will use a mesos-friendly format.\nAdditionally, specifying -pc/-pk/-pm will change the interpretation of %container.info in rule output fields.", cxxopts::value(print_additional), "<output_format>") ("p,print", "Add additional information to each falco notification's output.\nWith -pc or -pcontainer will use a container-friendly format.\nWith -pk or -pkubernetes will use a kubernetes-friendly format.\nWith -pm or -pmesos will use a mesos-friendly format.\nAdditionally, specifying -pc/-pk/-pm will change the interpretation of %container.info in rule output fields.", cxxopts::value(print_additional), "<output_format>")

1
userspace/falco/app_cmdline_options.h
View File

@@ -35,7 +35,6 @@ public:
// Each of these maps directly to a command line option. // Each of these maps directly to a command line option.
bool help; bool help;
std::string conf_filename; std::string conf_filename;
bool monitor_files;
bool all_events; bool all_events;
sinsp_evt::param_fmt event_buffer_format; sinsp_evt::param_fmt event_buffer_format;
std::vector<std::string> cri_socket_paths; std::vector<std::string> cri_socket_paths;

2
userspace/falco/configuration.cpp
View File

@@ -301,6 +301,8 @@ void falco_configuration::init(string conf_filename, const vector<string> &cmdli
m_plugins.push_back(p); m_plugins.push_back(p);
} }
} }
m_watch_config_files = m_config->get_scalar<bool>("watch_config_files", true);
} }
void falco_configuration::read_rules_file_directory(const string &path, list<string> &rules_filenames) void falco_configuration::read_rules_file_directory(const string &path, list<string> &rules_filenames)

1
userspace/falco/configuration.h
View File

@@ -232,6 +232,7 @@ public:
falco_common::priority_type m_min_priority; falco_common::priority_type m_min_priority;
bool m_watch_config_files;
bool m_buffered_outputs; bool m_buffered_outputs;
bool m_time_format_iso_8601; bool m_time_format_iso_8601;
uint32_t m_output_timeout; uint32_t m_output_timeout;