github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-18 07:51:12 +00:00
Code Issues Projects Releases Wiki Activity

cleanup(app_actions): configure -A w/ new default behavior

Browse Source 
Define new -A behavior in configure_interesting_sets

* default: all syscalls in rules included, sinsp state enforcement without high volume I/O syscalls
* -A flag set: all syscalls in rules included, sinsp state enforcement and allowing high volume I/O syscalls

Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
This commit is contained in:
Melissa Kilby
2023-01-24 23:21:34 +00:00
committed by poiana
parent 91c185a178
commit 30fe065446
1 changed files with 28 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
userspace/falco/app/actions/helpers_interesting_sets.cpp
View File

@@ -189,7 +189,35 @@ void falco::app::actions::activate_interesting_syscalls(falco::app::state& s, st
falco_logger::log(LOG_INFO, "+(" + std::to_string(non_rules_syscalls_names.size()) + ") syscalls activated (Falco's set of additional syscalls including syscalls needed for state engine): " + concat_syscalls_names(non_rules_syscalls_names) + "\n");
}
/* -A flag behavior:
* default: all syscalls in rules included, sinsp state enforcement without high volume I/O syscalls
* -A flag set: all syscalls in rules included, sinsp state enforcement and allowing high volume I/O syscalls
*/
if(!s.options.all_events)
{
std::unordered_set<std::string> erased_io_syscalls_names = {};
std::unordered_set<uint32_t> cur_ppm_sc_set = s.ppm_sc_of_interest;
const int bitmask = EC_SYSCALL - 1;
for (const auto &ppm_sc_code : cur_ppm_sc_set)
{
switch(g_infotables.m_syscall_info_table[ppm_sc_code].category & bitmask)
{
case EC_IO_READ:
case EC_IO_WRITE:
s.ppm_sc_of_interest.erase(ppm_sc_code);
erased_io_syscalls_names.insert(g_infotables.m_syscall_info_table[ppm_sc_code].name);
}
}
if (erased_io_syscalls_names.size() > 0)
{
falco_logger::log(LOG_INFO, "-(" + std::to_string(erased_io_syscalls_names.size()) + ") high volume I/O syscalls (`-A` flag not set): " + concat_syscalls_names(erased_io_syscalls_names) + "\n");
}
}
std::unordered_set<std::string> final_syscalls_names = inspector->get_syscalls_names(s.ppm_sc_of_interest);
if (final_syscalls_names.size() > 0)
{
falco_logger::log(LOG_INFO, "(" + std::to_string(final_syscalls_names.size()) + ") syscalls in total activated (final set): " + concat_syscalls_names(final_syscalls_names) + "\n");