diff --git a/falco.yaml b/falco.yaml
index 83df9bdd..69ac6e1c 100644
--- a/falco.yaml
+++ b/falco.yaml
@@ -1277,6 +1277,7 @@ metrics:
 base_syscalls:
 custom_set: []
 repair: false
+ all: false
 ##############
 # Falco libs #
diff --git a/userspace/falco/app/actions/configure_interesting_sets.cpp b/userspace/falco/app/actions/configure_interesting_sets.cpp
index a6e42fad..5a638816 100644
--- a/userspace/falco/app/actions/configure_interesting_sets.cpp
+++ b/userspace/falco/app/actions/configure_interesting_sets.cpp
@@ -200,22 +200,12 @@ static void select_event_set(falco::app::state& s,
 concat_set_in_order(non_rules_sc_set_names) + "\n");
 }
- /* base_syscall.all / -A flag behavior:
+ /* base_syscall.all behavior:
 * (1) default: all syscalls in rules included, sinsp state enforcement without high volume syscalls
 * (2) set: all syscalls in rules included, sinsp state enforcement and allowing high volume syscalls
 */
- bool all_events = false;
- if(s.options.all_events) {
- falco_logger::log(falco_logger::level::WARNING,
- "The -A option is deprecated and will be removed. Use -o "
- "base_syscalls.all=true instead.");
- all_events = true;
- }
- if(s.config->m_base_syscalls_all) {
- all_events = true;
- }
- if(!(s.options.all_events || s.config->m_base_syscalls_all)) {
+ if(!s.config->m_base_syscalls_all) {
 auto ignored_sc_set = falco::app::ignored_sc_set();
 auto erased_sc_set = s.selected_sc_set.intersect(ignored_sc_set);
 s.selected_sc_set = s.selected_sc_set.diff(ignored_sc_set);
diff --git a/userspace/falco/app/actions/init_inspectors.cpp b/userspace/falco/app/actions/init_inspectors.cpp
index 203bc232..690c69ab 100644
--- a/userspace/falco/app/actions/init_inspectors.cpp
+++ b/userspace/falco/app/actions/init_inspectors.cpp
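Review bot: The rewritten comment in select_event_set spells the key `base_syscall.all`, while the key added to falco.yaml in this commit and the removed deprecation message both use `base_syscalls.all`. With -A gone this comment is the only in-code pointer to the setting, so it should read `/* base_syscalls.all behavior:`. Case (1) could also state that syscalls in the ignored set are removed from the selection by the `diff(ignored_sc_set)` call below, apparently even when a loaded rule references them, since that is the detection-coverage trade-off an operator needs to see. The function body starts and ends outside the hunk.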
@@ -27,12 +27,6 @@ using namespace falco::app::actions;
 static void init_syscall_inspector(falco::app::state& s, std::shared_ptr inspector) {
 sinsp_evt::param_fmt event_buffer_format = sinsp_evt::PF_NORMAL;
- if(s.options.print_base64) {
- falco_logger::log(falco_logger::level::WARNING,
- "The -b/--print-base64 option is deprecated and will be removed. Use -o "
- "buffer_format_base64=true instead.");
- event_buffer_format = sinsp_evt::PF_BASE64;
- }
 if(s.config->m_buffer_format_base64) {
 event_buffer_format = sinsp_evt::PF_BASE64;
 }
@@ -86,17 +80,10 @@ static void init_syscall_inspector(falco::app::state& s, std::shared_ptr
 //
 // If required, set the snaplen.
- // In case both config and CLI options are specified, CLI takes precedence.
 //
 if(s.config->m_falco_libs_snaplen != 0) {
 inspector->set_snaplen(s.config->m_falco_libs_snaplen);
 }
- if(s.options.snaplen != 0) {
- inspector->set_snaplen(s.options.snaplen);
- falco_logger::log(falco_logger::level::WARNING,
- "The -S/--snaplen option is deprecated and will be removed. Use -o "
- "falco_libs.snaplen= instead.");
- }
 if(s.is_driver_drop_failed_exit_enabled()) {
 falco_logger::log(falco_logger::level::INFO,
diff --git a/userspace/falco/app/options.cpp b/userspace/falco/app/options.cpp
index db91d8ad..be45f8f2 100644
--- a/userspace/falco/app/options.cpp
+++ b/userspace/falco/app/options.cpp
@@ -73,10 +73,6 @@ bool options::parse(int argc, char **argv, std::string &errstr) {
 }
 }
- if(m_cmdline_parsed.count("b") > 0) {
- print_base64 = true;
- }
-
 if(m_cmdline_parsed.count("r") > 0) {
 for(auto &path : m_cmdline_parsed["r"].as>()) {
 rules_filenames.push_back(path);
@@ -104,15 +100,13 @@ void options::define(cxxopts::Options& opts)
 #endif
 ("config-schema", "Print the config json schema and exit.", cxxopts::value(print_config_schema)->default_value("false"))
 ("rule-schema", "Print the rule json schema and exit.", cxxopts::value(print_rule_schema)->default_value("false"))
- ("A", "DEPRECATED: use -o base_syscalls.all=true instead. Monitor all events supported by Falco and defined in rules and configs. Some events are ignored by default when -A is not specified (the -i option lists these events ignored). Using -A can impact performance. This option has no effect when reproducing events from a capture file.", cxxopts::value(all_events)->default_value("false"))
- ("b,print-base64", "DEPRECATED: use -o buffer_format_base64=true. Print data buffers in base64. This is useful for encoding binary data that needs to be used over media designed to consume this format.")
 ("disable-source", "Turn off a specific . By default, all loaded sources get enabled. Available sources are 'syscall' plus all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times, but turning off all event sources simultaneously is not permitted. This option can not be mixed with --enable-source. This option has no effect when reproducing events from a capture file.", cxxopts::value(disable_sources), "")
 ("dry-run", "Run Falco without processing events. It can help check that the configuration and rules do not have any errors.", cxxopts::value(dry_run)->default_value("false"))
 ("enable-source", "Enable a specific . By default, all loaded sources get enabled. Available sources are 'syscall' plus all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times. When using this option, only the event sources specified by it will be enabled. This option can not be mixed with --disable-source.
This option has no effect when reproducing events from a capture file.", cxxopts::value(enable_sources), "")
 #ifdef HAS_GVISOR
 ("gvisor-generate-config", "Generate a configuration file that can be used for gVisor and exit. See --gvisor-config for more details.", cxxopts::value(gvisor_generate_config_with_socket)->implicit_value("/run/falco/gvisor.sock"), "")
 #endif
- ("i", "Print those events that are ignored by default for performance reasons and exit. See -A for more details.", cxxopts::value(print_ignored_events)->default_value("false"))
+ ("i", "Print those events that are ignored by default for performance reasons and exit.", cxxopts::value(print_ignored_events)->default_value("false"))
 ("L", "Show the name and description of all rules and exit. If json_output is set to true, it prints details about all rules, macros, and lists in JSON format.", cxxopts::value(describe_all_rules)->default_value("false"))
 ("l", "Show the name and description of the rule specified and exit. If json_output is set to true, it prints details about the rule in JSON format.", cxxopts::value(describe_rule), "")
 ("list", "List all defined fields and exit. If is provided, only list those fields for the source . Current values for are \"syscall\" or any source from a configured plugin with event sourcing capability.", cxxopts::value(list_source_fields)->implicit_value(""), "")
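Review bot: The new `-i` help text drops the pointer to `-A` without naming its replacement, so someone listing the ignored events is no longer told how to have them monitored. The removed `-A` entry pointed at `-o base_syscalls.all=true`; the description could end with `See -o base_syscalls.all=true for more details.` Whether a leftover `-A`, `-b` or `-S` on an existing command line is now rejected at startup is not visible in this hunk; if it is, that deserves a line in the release notes, since a sensor that fails to start is a monitoring gap. The options::define body continues outside the hunk.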
@@ -126,7 +120,6 @@ void options::define(cxxopts::Options& opts)
 ("p,print", "Print (or replace) additional information in the rule's output.\nUse -pc or -pcontainer to append container details to syscall events.\nUse -pk or -pkubernetes to add both container and Kubernetes details to syscall events.\nIf using gVisor, choose -pcg or -pkg variants (or -pcontainer-gvisor and -pkubernetes-gvisor, respectively).\nIf a syscall rule's output contains %container.info, it will be replaced with the corresponding details. Otherwise, these details will be directly appended to the rule's output.\nAlternatively, use -p for a custom format. In this case, the given will be appended to the rule's output without any replacement to all events, including plugin events.", cxxopts::value(print_additional), "")
 ("P,pidfile", "Write PID to specified path. By default, no PID file is created.", cxxopts::value(pidfilename)->default_value(""), "")
 ("r", "Rules file or directory to be loaded. This option can be passed multiple times. Falco defaults to the values in the configuration file when this option is not specified.", cxxopts::value>(), "")
- ("S,snaplen", "DEPRECATED: use -o falco_libs.snaplen= instead. Collect only the first bytes of each I/O buffer for 'syscall' events. By default, the first 80 bytes are collected by the driver and sent to the user space for processing. Use this option with caution since it can have a strong performance impact.", cxxopts::value(snaplen)->default_value("0"), "")
 ("support", "Print support information, including version, rules files used, loaded configuration, etc., and exit. The output is in JSON format.", cxxopts::value(print_support)->default_value("false"))
 ("U,unbuffered", "Turn off output buffering for configured outputs.
This causes every single line emitted by Falco to be flushed, which generates higher CPU usage but is useful when piping those outputs into another process or a script.", cxxopts::value(unbuffered_outputs)->default_value("false"))
 ("V,validate", "Read the contents of the specified file(s), validate the loaded rules, and exit. This option can be passed multiple times to validate multiple files.", cxxopts::value(validate_rules_filenames), "")
diff --git a/userspace/falco/app/options.h b/userspace/falco/app/options.h
index 6b7b6db8..52440ca6 100644
--- a/userspace/falco/app/options.h
+++ b/userspace/falco/app/options.h
@@ -45,9 +45,7 @@ public:
 bool print_config_schema = false;
 bool print_rule_schema = false;
 std::string conf_filename;
- bool all_events = false;
 sinsp_evt::param_fmt event_buffer_format = sinsp_evt::PF_NORMAL;
- bool print_base64 = false;
 std::vector disable_sources;
 std::vector enable_sources;
 std::string gvisor_generate_config_with_socket;
@@ -67,7 +65,6 @@ public:
 std::string pidfilename;
 // Rules list as passed by the user, via cmdline option '-r'
 std::list rules_filenames;
- uint64_t snaplen = 0;
 bool print_support = false;
 bool unbuffered_outputs = false;
 std::vector validate_rules_filenames;