From 3b284501714f4e59727f50c5692bffb4818c922c Mon Sep 17 00:00:00 2001
From: Luca Guerra
Date: Mon, 30 Sep 2024 11:02:50 +0000
Subject: [PATCH] new(falco): add base_syscalls.all option to falco.yaml

Signed-off-by: Luca Guerra
---
 falco.yaml | 8 ++++
 .../test_configure_interesting_sets.cpp | 37 +++++++++++++++++++
 .../actions/configure_interesting_sets.cpp | 2 +-
 userspace/falco/config_json_schema.h | 3 ++
 userspace/falco/configuration.cpp | 2 +
 userspace/falco/configuration.h | 1 +
 6 files changed, 52 insertions(+), 1 deletion(-)

diff --git a/falco.yaml b/falco.yaml
index e9e0da6e..c917967e 100644
--- a/falco.yaml
+++ b/falco.yaml
@@ -1155,6 +1155,14 @@ metrics:
 # Falco, the `base_syscalls` option allows for finer end-user control of
 # syscalls traced by Falco.
 #
+# --- [base_syscalls.all]
+#
+# `base_syscalls.all` enables monitoring of all events supported by Falco and
+# defined in rules and configs.
+# By default some events, such as `write`, are ignored (run `falco -i` to get
+# the full list) unless base_syscalls.all is true.
+# This option may negatively impact performance.
+#
 # --- [base_syscalls.custom_set]
 #
 # CAUTION: Misconfiguration of this setting may result in incomplete Falco event
diff --git a/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp b/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp
index 40a62152..2150019e 100644
--- a/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp
+++ b/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp
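Review bot: The description of `base_syscalls.all` added to the falco.yaml comment block overstates what the option does: the only code path in this patch that reads it skips the subtraction of `falco::app::ignored_sc_set()` from the already-selected set, so it keeps the high-volume syscalls that would otherwise be dropped rather than "enabling monitoring of all events supported by Falco". I would reword the first two added description lines to `# \`base_syscalls.all\` keeps the high-volume syscalls (run \`falco -i\` for the list) that Falco` / `# otherwise drops from the set selected by rules and state enforcement; in that branch it has` / `# the same effect as the \`-A\` command-line flag.` and keep the performance caveat as is. Whether `all` still applies when `custom_set` is non-empty is not visible in this patch, so the comment should state the precedence once that is confirmed. If the `base_syscalls:` block further down in falco.yaml lists `custom_set` and `repair` with their defaults, `all: false` belongs there too so the new key is discoverable.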
@@ -528,6 +528,43 @@ TEST_F(test_falco_engine, selection_empty_custom_base_set_repair) {
 ASSERT_EQ(s7.selected_sc_set.size(), s7_state_set.size());
 }

+TEST_F(test_falco_engine, selection_base_syscalls_all) {
+ load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
+
+ falco::app::state s7;
+ s7.engine = m_engine;
+
+ // simulate empty custom set but repair option set.
+ s7.config->m_base_syscalls_custom_set = {};
+ s7.config->m_base_syscalls_repair = true;
+ s7.config->m_base_syscalls_all = true;
+ auto result = falco::app::actions::configure_interesting_sets(s7);
+ auto s7_rules_set = s7.engine->sc_codes_for_ruleset(s_sample_source, s_sample_ruleset);
+ ASSERT_TRUE(result.success);
+ ASSERT_EQ(result.errstr, "");
+ auto selected_sc_names = libsinsp::events::sc_set_to_event_names(s7.selected_sc_set);
+ auto expected_sc_names = strset_t({// note: expecting syscalls from mock rules and
+ // `sinsp_repair_state_sc_set` enforced syscalls
+ "connect",
+ "accept",
+ "accept4",
+ "umount2",
+ "open",
+ "ptrace",
+ "mmap",
+ "execve",
+ "procexit",
+ "bind",
+ "socket",
+ "clone3",
+ "close",
+ "setuid"});
+ ASSERT_NAMES_CONTAIN(selected_sc_names, expected_sc_names);
+ auto s7_state_set = libsinsp::events::sinsp_repair_state_sc_set(s7_rules_set);
+ ASSERT_EQ(s7.selected_sc_set, s7_state_set);
+ ASSERT_EQ(s7.selected_sc_set.size(), s7_state_set.size());
+}
+
 TEST(ConfigureInterestingSets, ignored_set_expected_size) {
 // unit test fence to make sure we don't have unexpected regressions
 // in the ignored set, to be updated in the future
diff --git a/userspace/falco/app/actions/configure_interesting_sets.cpp b/userspace/falco/app/actions/configure_interesting_sets.cpp
index 86f2b894..8d084a9c 100644
--- a/userspace/falco/app/actions/configure_interesting_sets.cpp
+++ b/userspace/falco/app/actions/configure_interesting_sets.cpp
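Review bot: Nothing in `selection_base_syscalls_all` fails if `m_base_syscalls_all` is ignored: the expected names and the closing equality with `sinsp_repair_state_sc_set(s7_rules_set)` are the same as in the repair test it is copied from, so unless that repair set already contains a syscall from `falco::app::ignored_sc_set()` (which I cannot tell from this hunk) the assertions hold with the flag set to false as well. A discriminating check would assert that no rules syscall from the ignored set was erased, e.g. `ASSERT_EQ(s7.selected_sc_set.intersect(falco::app::ignored_sc_set()), s7_rules_set.intersect(falco::app::ignored_sc_set()));`, paired with a sample filter that references an ignored syscall such as `write` so the intersection is non-empty. The carried-over comment `// simulate empty custom set but repair option set.` also omits the option under test; `// simulate empty custom set with repair and base_syscalls.all enabled.` would describe the fixture.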
@@ -205,7 +205,7 @@ static void select_event_set(falco::app::state& s, without high volume syscalls
 * (2) -A flag set: all syscalls in rules included, sinsp state enforcement and allowing high volume syscalls
 */
- if(!s.options.all_events) {
+ if(!(s.options.all_events || s.config->m_base_syscalls_all)) {
 auto ignored_sc_set = falco::app::ignored_sc_set();
 auto erased_sc_set = s.selected_sc_set.intersect(ignored_sc_set);
 s.selected_sc_set = s.selected_sc_set.diff(ignored_sc_set);
diff --git a/userspace/falco/config_json_schema.h b/userspace/falco/config_json_schema.h
index 430b9123..34081bc4 100644
--- a/userspace/falco/config_json_schema.h
+++ b/userspace/falco/config_json_schema.h
@@ -277,6 +277,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
 "type": "object",
 "additionalProperties": false,
 "properties": {
+ "all": {
+ "type": "boolean"
+ },
 "custom_set": {
 "type": "array",
 "items": {
diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp
index fe8e217b..26f2fd96 100644
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -85,6 +85,7 @@ falco_configuration::falco_configuration():
 m_syscall_evt_timeout_max_consecutives(1000),
 m_falco_libs_thread_table_size(DEFAULT_FALCO_LIBS_THREAD_TABLE_SIZE),
 m_falco_libs_snaplen(0),
+ m_base_syscalls_all(false),
 m_base_syscalls_repair(false),
 m_metrics_enabled(false),
 m_metrics_interval_str("5000"),
@@ -577,6 +578,7 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 m_config.get_sequence>(m_base_syscalls_custom_set, std::string("base_syscalls.custom_set"));
 m_base_syscalls_repair = m_config.get_scalar("base_syscalls.repair", false);
+ m_base_syscalls_all = m_config.get_scalar("base_syscalls.all", false);
 m_metrics_enabled = m_config.get_scalar("metrics.enabled", false);
 m_metrics_interval_str = m_config.get_scalar("metrics.interval", "5000");
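Review bot: The new condition routes `m_base_syscalls_all` through the same branch as `-A`, but the comment block right above it still enumerates only `(1) default` and `(2) -A flag set`, so the rationale no longer matches the code; update the second bullet to `* (2) -A flag set or base_syscalls.all=true: all syscalls in rules included, sinsp state enforcement and allowing high volume syscalls`. Operators should also be able to tell from the logs that high-volume syscalls are being traced: the default branch computes `erased_sc_set`, presumably to report what was dropped, while the config-enabled path leaves no trace of the decision — if the `-A` path already emits such a message elsewhere it should cover this flag too. `select_event_set` starts before this hunk and continues past it.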
diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h
index 02e6bf24..f330f238 100644
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@@ -179,6 +179,7 @@ public:
 // User supplied base_syscalls, overrides any Falco state engine enforcement.
 std::unordered_set m_base_syscalls_custom_set;
+ bool m_base_syscalls_all;
 bool m_base_syscalls_repair;
 // metrics configs
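Review bot: `m_base_syscalls_all` is declared without a comment while the neighbouring `m_base_syscalls_custom_set` documents its effect, and the name alone does not tell a reader that the flag only changes whether the ignored high-volume set is dropped; add `// When true, syscalls in the ignored high-volume set are kept in the selected set instead of being dropped (same effect as the -A command-line flag in select_event_set).` above the declaration. The enclosing class starts before this hunk.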