github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-11 19:12:12 +00:00
Code Issues Projects Releases Wiki Activity

refactor(userspace/falco): remove k8s audit references from falco

Browse Source 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
This commit is contained in:
Jason Dellaluce 2022-03-23 13:35:31 +00:00 committed by poiana
parent 21b127ef65
commit 42fcc7291f
13 changed files with 34 additions and 156 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
userspace/engine/json_evt.h
View File

@ -48,7 +48,7 @@ public:
inline uint16_t get_type() const
{
// All k8s audit events have the single tag "1". - see falco_engine::process_k8s_audit_event
return 1;
return ppm_event_type::PPME_PLUGINEVENT_E;
}
protected:

12
userspace/engine/rule_loader.cpp
View File

@ -721,7 +721,7 @@ void rule_loader::compile_rule_infos(
}
// populate set of event types and emit an special warning
set<uint16_t> evttypes;
set<uint16_t> evttypes = { ppm_event_type::PPME_PLUGINEVENT_E };
if(rule.source == falco_common::syscall_source)
{
filter_evttype_resolver().evttypes(ast, evttypes);
@ -734,16 +734,6 @@ void rule_loader::compile_rule_infos(
+ " This has a significant performance penalty.");
}
}
else if (rule.source == "k8s_audit")
{
// todo(jasondellaluce): remove this case once k8saudit
// gets ported to a plugin
evttypes = { ppm_event_type::PPME_GENERIC_X };
}
else
{
evttypes = { ppm_event_type::PPME_PLUGINEVENT_E };
}
// add rule and its filter in the engine
cfg.engine->add_filter(filter, rule.name, rule.source, evttypes, rule.tags);

11
userspace/falco/app_actions/init_falco_engine.cpp
View File

@ -56,24 +56,19 @@ application::run_result application::init_falco_engine()
configure_output_format();
// Create "factories" that can create filters/formatters for
// syscalls and k8s audit events.
// Create "factories" that can create filters/formatters for syscalls
// libs requires raw pointer, we should modify libs to use reference/shared_ptr
std::shared_ptr<gen_event_filter_factory> syscall_filter_factory(new sinsp_filter_factory(m_state->inspector.get()));
std::shared_ptr<gen_event_filter_factory> k8s_audit_filter_factory(new json_event_filter_factory());
// libs requires raw pointer, we should modify libs to use reference/shared_ptr
std::shared_ptr<gen_event_formatter_factory> syscall_formatter_factory(new sinsp_evt_formatter_factory(m_state->inspector.get()));
std::shared_ptr<gen_event_formatter_factory> k8s_audit_formatter_factory(new json_event_formatter_factory(k8s_audit_filter_factory));
m_state->syscall_source_idx = m_state->engine->add_source(application::s_syscall_source, syscall_filter_factory, syscall_formatter_factory);
m_state->k8s_audit_source_idx = m_state->engine->add_source(application::s_k8s_audit_source, k8s_audit_filter_factory, k8s_audit_formatter_factory);
if(m_state->config->m_json_output)
{
syscall_formatter_factory->set_output_format(gen_event_formatter::OF_JSON);
k8s_audit_formatter_factory->set_output_format(gen_event_formatter::OF_JSON);
}
for(const auto &src : m_options.disable_sources)
@ -81,10 +76,10 @@ application::run_result application::init_falco_engine()
m_state->enabled_sources.erase(src);
}
// XXX/mstemm technically this isn't right, you could disable syscall *and* k8s_audit and configure a plugin.
// todo(jasondellaluce,leogr): change this once we attain multiple active source
if(m_state->enabled_sources.empty())
{
throw std::invalid_argument("The event source \"syscall\" and \"k8s_audit\" can not be disabled together");
throw std::invalid_argument("At least one event source needs to be enabled");
}
m_state->engine->set_min_priority(m_state->config->m_min_priority);

45
userspace/falco/app_actions/open_inspector.cpp
View File

@ -37,48 +37,12 @@ application::run_result application::open_inspector()
falco_logger::log(LOG_INFO, "Reading system call events from file: " + m_options.trace_filename + "\n");
}
catch(sinsp_exception &e)
{
falco_logger::log(LOG_DEBUG, "Could not read trace file \"" + m_options.trace_filename + "\": " + string(e.what()));
m_state->trace_is_scap=false;
}
if(!m_state->trace_is_scap)
{
#ifdef MINIMAL_BUILD
ret.success = false;
ret.errstr = "Cannot use k8s audit events trace file with a minimal Falco build";
ret.proceed = false;
return ret;
#else
try {
string line;
nlohmann::json j;
// Note we only temporarily open the file here.
// The read file read loop will be later.
ifstream ifs(m_options.trace_filename);
getline(ifs, line);
j = nlohmann::json::parse(line);
falco_logger::log(LOG_INFO, "Reading k8s audit events from file: " + m_options.trace_filename + "\n");
}
catch (nlohmann::json::parse_error& e)
{
ret.success = false;
ret.errstr = std::string("Trace filename ") + m_options.trace_filename + " not recognized as system call events or k8s audit events";
ret.proceed = false;
return ret;
}
catch (exception &e)
{
ret.success = false;
ret.errstr = std::string("Could not open trace filename ") + m_options.trace_filename + " for reading: " + e.what();
ret.proceed = false;
return ret;
}
#endif
}
}
else
{
@ -101,19 +65,14 @@ application::run_result application::open_inspector()
open_t open_f;
// Default mode: both event sources enabled
if (m_state->enabled_sources.find(application::s_syscall_source) != m_state->enabled_sources.end() &&
m_state->enabled_sources.find(application::s_k8s_audit_source) != m_state->enabled_sources.end())
if (m_state->enabled_sources.find(application::s_syscall_source) != m_state->enabled_sources.end())
{
open_f = open_cb;
}
if (m_state->enabled_sources.find(application::s_syscall_source) == m_state->enabled_sources.end())
else
{
open_f = open_nodriver_cb;
}
if (m_state->enabled_sources.find(application::s_k8s_audit_source) == m_state->enabled_sources.end())
{
open_f = open_cb;
}
try
{

43
userspace/falco/app_actions/process_events.cpp
View File

@ -31,35 +31,6 @@ limitations under the License.
using namespace falco::app;
#ifndef MINIMAL_BUILD
// Read a jsonl file containing k8s audit events and pass each to the engine.
void application::read_k8s_audit_trace_file(string &trace_filename)
{
ifstream ifs(trace_filename);
uint64_t line_num = 0;
while(ifs)
{
string line, errstr;
getline(ifs, line);
line_num++;
if(line == "")
{
continue;
}
if(!k8s_audit_handler::accept_data(m_state->engine, m_state->outputs, m_state->k8s_audit_source_idx, line, errstr))
{
falco_logger::log(LOG_ERR, "Could not read k8s audit event line #" + to_string(line_num) + ", \"" + line + "\": " + errstr + ", stopping");
return;
}
}
}
#endif
//
// Event processing loop
//
@ -214,17 +185,7 @@ application::run_result application::process_events()
duration = ((double)clock()) / CLOCKS_PER_SEC;
if(!m_options.trace_filename.empty() && !m_state->trace_is_scap)
{
#ifndef MINIMAL_BUILD
read_k8s_audit_trace_file(m_options.trace_filename);
#endif
}
else
{
uint64_t num_evts;
num_evts = do_inspect(sdropmgr,
uint64_t num_evts = do_inspect(sdropmgr,
uint64_t(m_options.duration_to_tot*ONE_SECOND_IN_NS),
ret);
@ -244,8 +205,6 @@ application::run_result application::process_events()
num_evts / duration);
}
}
// Honor -M also when using a trace file.
// Since inspection stops as soon as all events have been consumed
// just await the given duration is reached, if needed.

3
userspace/falco/app_actions/start_webserver.cpp
View File

@ -26,11 +26,10 @@ application::run_result application::start_webserver()
{
run_result ret;
if(m_options.trace_filename.empty() && m_state->config->m_webserver_enabled && m_state->enabled_sources.find(application::s_k8s_audit_source) != m_state->enabled_sources.end())
if(m_state->config->m_webserver_enabled)
{
std::string ssl_option = (m_state->config->m_webserver_ssl_enabled ? " (SSL)" : "");
falco_logger::log(LOG_INFO, "Starting internal webserver, listening on port " + to_string(m_state->config->m_webserver_listen_port) + ssl_option + "\n");
m_state->webserver.init(m_state->config, m_state->engine, m_state->outputs, m_state->k8s_audit_source_idx);
m_state->webserver.start();
}

6
userspace/falco/app_cmdline_options.cpp
View File

@ -160,9 +160,9 @@ void cmdline_options::define()
("cri", "Path to CRI socket for container metadata. Use the specified socket to fetch data from a CRI-compatible runtime. If not specified, uses libs default. It can be passed multiple times to specify socket to be tried until a successful one is found.", cxxopts::value(cri_socket_paths), "<path>")
("d,daemon", "Run as a daemon.", cxxopts::value(daemon)->default_value("false"))
("disable-cri-async", "Disable asynchronous CRI metadata fetching. This is useful to let the input event wait for the container metadata fetch to finish before moving forward. Async fetching, in some environments leads to empty fields for container metadata when the fetch is not fast enough to be completed asynchronously. This can have a performance penalty on your environment depending on the number of containers and the frequency at which they are created/started/stopped.", cxxopts::value(disable_cri_async)->default_value("false"))
("disable-source", "Disable a specific event source. Available event sources are: syscall, k8s_audit, or any source from a configured source plugin. It can be passed multiple times. Can not disable all event sources.", cxxopts::value(disable_sources), "<event_source>")
("disable-source", "Disable a specific event source. Available event sources are: syscall or any source from a configured source plugin. It can be passed multiple times. Can not disable all event sources.", cxxopts::value(disable_sources), "<event_source>")
("D", "Disable any rules with names having the substring <substring>. Can be specified multiple times. Can not be specified with -t.", cxxopts::value(disabled_rule_substrings), "<substring>")
("e", "Read the events from <events_file> (in .scap format for sinsp events, or jsonl for k8s audit events) instead of tapping into live.", cxxopts::value(trace_filename), "<events_file>")
("e", "Read the events from <events_file> in .scap format instead of tapping into live.", cxxopts::value(trace_filename), "<events_file>")
("i", "Print all events that are ignored by default (i.e. without the -A flag) and exit.", cxxopts::value(print_ignored_events)->default_value("false"))
#ifndef MINIMAL_BUILD
("k,k8s-api", "Enable Kubernetes support by connecting to the API server specified as argument. E.g. \"http://admin:password@127.0.0.1:8080\". The API server can also be specified via the environment variable FALCO_K8S_API.", cxxopts::value(k8s_api), "<url>")
@ -171,7 +171,7 @@ void cmdline_options::define()
#endif
("L", "Show the name and description of all rules and exit.", cxxopts::value(describe_all_rules)->default_value("false"))
("l", "Show the name and description of the rule with name <rule> and exit.", cxxopts::value(describe_rule), "<rule>")
("list", "List all defined fields. If <source> is provided, only list those fields for the source <source>. Current values for <source> are \"syscall\", \"k8s_audit\", or any source from a configured source plugin.", cxxopts::value(list_source_fields)->implicit_value(""), "<source>")
("list", "List all defined fields. If <source> is provided, only list those fields for the source <source>. Current values for <source> are \"syscall\" or any source from a configured source plugin.", cxxopts::value(list_source_fields)->implicit_value(""), "<source>")
("list-syscall-events", "List all defined system call events.", cxxopts::value<bool>(list_syscall_events))
#ifndef MUSL_OPTIMIZED
("list-plugins", "Print info on all loaded plugins and exit.", cxxopts::value(list_plugins)->default_value("false"))

3
userspace/falco/application.cpp
View File

@ -30,7 +30,6 @@ namespace falco {
namespace app {
std::string application::s_syscall_source = falco_common::syscall_source;
std::string application::s_k8s_audit_source = "k8s_audit";
application::run_result::run_result()
: success(true), errstr(""), proceed(true)
@ -45,7 +44,7 @@ application::state::state()
: restart(false),
terminate(false),
reopen_outputs(false),
enabled_sources({application::s_syscall_source, application::s_k8s_audit_source}),
enabled_sources({application::s_syscall_source}),
trace_is_scap(true)
{
config = std::make_shared<falco_configuration>();

7
userspace/falco/application.h
View File

@ -53,7 +53,6 @@ public:
private:
static std::string s_syscall_source;
static std::string s_k8s_audit_source;
// Holds the state used and shared by the below methods that
// actually implement the application. Declared as a
@ -75,10 +74,8 @@ private:
std::shared_ptr<sinsp> inspector;
std::set<std::string> enabled_sources;
// The event sources that correspond to "syscalls" and
// "k8s_audit events".
// The event sources that correspond to "syscall"
std::size_t syscall_source_idx;
std::size_t k8s_audit_source_idx;
// The event source actually used to process events in
// process_events(). Will generally be
@ -99,7 +96,6 @@ private:
std::string cmdline;
bool trace_is_scap;
#ifndef MINIMAL_BUILD
falco::grpc::server grpc_server;
std::thread grpc_server_thread;
@ -164,7 +160,6 @@ private:
void configure_output_format();
void check_for_ignored_events();
void print_all_ignored_events();
void read_k8s_audit_trace_file(string &trace_filename);
uint64_t do_inspect(syscall_evt_drop_mgr &sdropmgr,
uint64_t duration_to_tot_ns,
run_result &result);

2
userspace/falco/configuration.cpp
View File

@ -36,7 +36,6 @@ falco_configuration::falco_configuration():
m_time_format_iso_8601(false),
m_webserver_enabled(false),
m_webserver_listen_port(8765),
m_webserver_k8s_audit_endpoint("/k8s-audit"),
m_webserver_k8s_healthz_endpoint("/healthz"),
m_webserver_ssl_enabled(false),
m_config(NULL)
@ -203,7 +202,6 @@ void falco_configuration::init(string conf_filename, const vector<string> &cmdli
m_webserver_enabled = m_config->get_scalar<bool>("webserver.enabled", false);
m_webserver_listen_port = m_config->get_scalar<uint32_t>("webserver.listen_port", 8765);
m_webserver_k8s_audit_endpoint = m_config->get_scalar<string>("webserver.k8s_audit_endpoint", "/k8s-audit");
m_webserver_k8s_healthz_endpoint = m_config->get_scalar<string>("webserver.k8s_healthz_endpoint", "/healthz");
m_webserver_ssl_enabled = m_config->get_scalar<bool>("webserver.ssl_enabled", false);
m_webserver_ssl_certificate = m_config->get_scalar<string>("webserver.ssl_certificate", "/etc/falco/falco.pem");

1
userspace/falco/configuration.h
View File

@ -245,7 +245,6 @@ public:
bool m_webserver_enabled;
uint32_t m_webserver_listen_port;
std::string m_webserver_k8s_audit_endpoint;
std::string m_webserver_k8s_healthz_endpoint;
bool m_webserver_ssl_enabled;
std::string m_webserver_ssl_certificate;

14
userspace/falco/falco_outputs.cpp
View File

@ -155,8 +155,6 @@ void falco_outputs::handle_event(gen_event *evt, string &rule, string &source,
cmsg.rule = rule;
string sformat;
if(source != "k8s_audit")
{
if(m_time_format_iso_8601)
{
sformat = "*%evt.time.iso8601: ";
@ -165,18 +163,6 @@ void falco_outputs::handle_event(gen_event *evt, string &rule, string &source,
{
sformat = "*%evt.time: ";
}
}
else
{
if(m_time_format_iso_8601)
{
sformat = "*%jevt.time.iso8601: ";
}
else
{
sformat = "*%jevt.time: ";
}
}
sformat += falco_common::format_priority(priority);
// if format starts with a *, remove it, as we added our own prefix

1
userspace/falco/falco_outputs.h
View File

@ -20,7 +20,6 @@ limitations under the License.
#include <map>
#include "gen_filter.h"
#include "json_evt.h"
#include "falco_common.h"
#include "token_bucket.h"
#include "falco_engine.h"