Better tracking of rule counts per ruleset (#645)

Add more accurate tracking of the number of falco rules loaded per
ruleset, which are made available via the engine method
::num_rules_for_ruleset().

In the ruleset objects, keep track of whether a filter wrapper is actually
added/removed and, if so, increment/decrement the count.
Mark Stemm 2019-06-05 13:44:50 -07:00 committed by GitHub
parent de8b92fa05
commit 43bfaecff5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 66 additions and 7 deletions


@ -251,6 +251,14 @@ uint16_t falco_engine::find_ruleset_id(const std::string &ruleset)
return it->second; return it->second;
} }
uint64_t falco_engine::num_rules_for_ruleset(const std::string &ruleset)
{
uint16_t ruleset_id = find_ruleset_id(ruleset);
return m_sinsp_rules->num_rules_for_ruleset(ruleset_id) +
m_k8s_audit_rules->num_rules_for_ruleset(ruleset_id);
}
void falco_engine::evttypes_for_ruleset(std::vector<bool> &evttypes, const std::string &ruleset) void falco_engine::evttypes_for_ruleset(std::vector<bool> &evttypes, const std::string &ruleset)
{ {
uint16_t ruleset_id = find_ruleset_id(ruleset); uint16_t ruleset_id = find_ruleset_id(ruleset);


@ -106,6 +106,11 @@ public:
// //
uint16_t find_ruleset_id(const std::string &ruleset); uint16_t find_ruleset_id(const std::string &ruleset);
//
// Return the number of falco rules enabled for the provided ruleset
//
uint64_t num_rules_for_ruleset(const std::string &ruleset);
// //
// Print details on the given rule. If rule is NULL, print // Print details on the given rule. If rule is NULL, print
// details on all rules. // details on all rules.
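Review bot: The new comment on `num_rules_for_ruleset` does not say that the value is a sum over two rule collections, which is what the implementation in this commit returns (`m_sinsp_rules->num_rules_for_ruleset(ruleset_id) + m_k8s_audit_rules->num_rules_for_ruleset(ruleset_id)`). A caller using the number to confirm that detection rules are loaded would want to know that a non-zero result can come from either collection alone. I would extend the comment to `// Return the number of falco rules enabled for the provided ruleset, summed over m_sinsp_rules and m_k8s_audit_rules.` The class body starts and ends outside this hunk.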


@ -41,6 +41,7 @@ falco_ruleset::~falco_ruleset()
} }
falco_ruleset::ruleset_filters::ruleset_filters() falco_ruleset::ruleset_filters::ruleset_filters()
: m_num_filters(0)
{ {
} }
@ -58,10 +59,14 @@ falco_ruleset::ruleset_filters::~ruleset_filters()
void falco_ruleset::ruleset_filters::add_filter(filter_wrapper *wrap) void falco_ruleset::ruleset_filters::add_filter(filter_wrapper *wrap)
{ {
bool added = false;
for(uint32_t etag = 0; etag < wrap->event_tags.size(); etag++) for(uint32_t etag = 0; etag < wrap->event_tags.size(); etag++)
{ {
if(wrap->event_tags[etag]) if(wrap->event_tags[etag])
{ {
added = true;
if(m_filter_by_event_tag.size() <= etag) if(m_filter_by_event_tag.size() <= etag)
{ {
m_filter_by_event_tag.resize(etag+1); m_filter_by_event_tag.resize(etag+1);
@ -75,10 +80,17 @@ void falco_ruleset::ruleset_filters::add_filter(filter_wrapper *wrap)
m_filter_by_event_tag[etag]->push_back(wrap); m_filter_by_event_tag[etag]->push_back(wrap);
} }
} }
if(added)
{
m_num_filters++;
}
} }
void falco_ruleset::ruleset_filters::remove_filter(filter_wrapper *wrap) void falco_ruleset::ruleset_filters::remove_filter(filter_wrapper *wrap)
{ {
bool removed = false;
for(uint32_t etag = 0; etag < wrap->event_tags.size(); etag++) for(uint32_t etag = 0; etag < wrap->event_tags.size(); etag++)
{ {
if(wrap->event_tags[etag]) if(wrap->event_tags[etag])
@ -88,22 +100,38 @@ void falco_ruleset::ruleset_filters::remove_filter(filter_wrapper *wrap)
list<filter_wrapper *> *l = m_filter_by_event_tag[etag]; list<filter_wrapper *> *l = m_filter_by_event_tag[etag];
if(l) if(l)
{ {
l->erase(remove(l->begin(), auto it = remove(l->begin(),
l->end(), l->end(),
wrap), wrap);
l->end());
if(l->size() == 0) if(it != l->end())
{ {
delete l; removed = true;
m_filter_by_event_tag[etag] = NULL;
l->erase(it,
l->end());
if(l->size() == 0)
{
delete l;
m_filter_by_event_tag[etag] = NULL;
}
} }
} }
} }
} }
} }
if(removed)
{
m_num_filters--;
}
} }
uint64_t falco_ruleset::ruleset_filters::num_filters()
{
return m_num_filters;
}
bool falco_ruleset::ruleset_filters::run(gen_event *evt, uint32_t etag) bool falco_ruleset::ruleset_filters::run(gen_event *evt, uint32_t etag)
{ {
@ -240,6 +268,16 @@ void falco_ruleset::enable_tags(const set<string> &tags, bool enabled, uint16_t
} }
} }
uint64_t falco_ruleset::num_rules_for_ruleset(uint16_t ruleset)
{
while (m_rulesets.size() < (size_t) ruleset + 1)
{
m_rulesets.push_back(new ruleset_filters());
}
return m_rulesets[ruleset]->num_filters();
}
bool falco_ruleset::run(gen_event *evt, uint32_t etag, uint16_t ruleset) bool falco_ruleset::run(gen_event *evt, uint32_t etag, uint16_t ruleset)
{ {
if(m_rulesets.size() < (size_t) ruleset + 1) if(m_rulesets.size() < (size_t) ruleset + 1)
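Review bot: `falco_ruleset::num_rules_for_ruleset` allocates while answering a query: its `while` loop pushes a `new ruleset_filters()` for every id up to `ruleset`, so asking for the count of an id that was never populated can grow `m_rulesets` by up to 65536 entries. `run()` directly below begins with a size check on the same condition (what it does afterwards is outside this section), and the getter can simply return early: `if(m_rulesets.size() < (size_t) ruleset + 1) { return 0; }`. Separately, `add_filter` increments `m_num_filters` whenever the wrapper has any event tag set, and the visible `push_back(wrap)` shows no duplicate check, though part of that loop body lies between hunks. If the same wrapper can be added twice, it would be counted twice while `remove_filter` decrements only once, so it is worth confirming that callers never re-add an already enabled wrapper, since this count reports how many detection rules are live.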


@ -61,6 +61,10 @@ public:
// enable_tags. // enable_tags.
void enable_tags(const std::set<std::string> &tags, bool enabled, uint16_t ruleset = 0); void enable_tags(const std::set<std::string> &tags, bool enabled, uint16_t ruleset = 0);
// Return the number of falco rules enabled for the provided ruleset
uint64_t num_rules_for_ruleset(uint16_t ruleset = 0);
// Match all filters against the provided event. // Match all filters against the provided event.
bool run(gen_event *evt, uint32_t etag, uint16_t ruleset = 0); bool run(gen_event *evt, uint32_t etag, uint16_t ruleset = 0);
@ -89,11 +93,15 @@ private:
void add_filter(filter_wrapper *wrap); void add_filter(filter_wrapper *wrap);
void remove_filter(filter_wrapper *wrap); void remove_filter(filter_wrapper *wrap);
uint64_t num_filters();
bool run(gen_event *evt, uint32_t etag); bool run(gen_event *evt, uint32_t etag);
void event_tags_for_ruleset(std::vector<bool> &event_tags); void event_tags_for_ruleset(std::vector<bool> &event_tags);
private: private:
uint64_t m_num_filters;
// Maps from event tag to a list of filters. There can // Maps from event tag to a list of filters. There can
// be multiple filters for a given event tag. // be multiple filters for a given event tag.
std::vector<std::list<filter_wrapper *> *> m_filter_by_event_tag; std::vector<std::list<filter_wrapper *> *> m_filter_by_event_tag;