chore: fix formatting
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
This commit is contained in:
parent
81f26b7e5d
commit
63d27fbe1b
@ -532,8 +532,8 @@ rule_loader::rule_info::rule_info(context& ctx):
|
|||||||
visibility(0),
|
visibility(0),
|
||||||
unknown_source(false),
|
unknown_source(false),
|
||||||
priority(falco_common::PRIORITY_DEBUG),
|
priority(falco_common::PRIORITY_DEBUG),
|
||||||
capture(false),
|
capture(false),
|
||||||
capture_duration(0),
|
capture_duration(0),
|
||||||
enabled(true),
|
enabled(true),
|
||||||
warn_evttypes(true),
|
warn_evttypes(true),
|
||||||
skip_if_unknown_filter(false) {}
|
skip_if_unknown_filter(false) {}
|
||||||
|
@ -482,8 +482,8 @@ struct rule_update_info {
|
|||||||
bool has_any_value() {
|
bool has_any_value() {
|
||||||
return cond.has_value() || output.has_value() || desc.has_value() || tags.has_value() ||
|
return cond.has_value() || output.has_value() || desc.has_value() || tags.has_value() ||
|
||||||
exceptions.has_value() || priority.has_value() || enabled.has_value() ||
|
exceptions.has_value() || priority.has_value() || enabled.has_value() ||
|
||||||
capture.has_value() || capture_duration.has_value() ||
|
capture.has_value() || capture_duration.has_value() || warn_evttypes.has_value() ||
|
||||||
warn_evttypes.has_value() || skip_if_unknown_filter.has_value();
|
skip_if_unknown_filter.has_value();
|
||||||
}
|
}
|
||||||
|
|
||||||
context ctx;
|
context ctx;
|
||||||
|
@ -634,8 +634,8 @@ void rule_loader::reader::read_item(rule_loader::configuration& cfg,
|
|||||||
"output",
|
"output",
|
||||||
"desc",
|
"desc",
|
||||||
"priority",
|
"priority",
|
||||||
"capture",
|
"capture",
|
||||||
"capture_duration",
|
"capture_duration",
|
||||||
"tags",
|
"tags",
|
||||||
"exceptions",
|
"exceptions",
|
||||||
"enabled",
|
"enabled",
|
||||||
|
@ -36,8 +36,8 @@ void format_plugin_info(std::shared_ptr<sinsp_plugin> p, std::ostream& os);
|
|||||||
void format_described_rules_as_text(const nlohmann::json& v, std::ostream& os);
|
void format_described_rules_as_text(const nlohmann::json& v, std::ostream& os);
|
||||||
|
|
||||||
inline std::string generate_scap_file_path(const std::string& prefix,
|
inline std::string generate_scap_file_path(const std::string& prefix,
|
||||||
uint64_t timestamp,
|
uint64_t timestamp,
|
||||||
uint64_t evt_num) {
|
uint64_t evt_num) {
|
||||||
// File path in format: <prefix>_<timestamp>_<evt_num>.scap
|
// File path in format: <prefix>_<timestamp>_<evt_num>.scap
|
||||||
// Example: "/tmp/falco_00000001234567890_00000000000000042.scap"
|
// Example: "/tmp/falco_00000001234567890_00000000000000042.scap"
|
||||||
|
|
||||||
@ -45,32 +45,32 @@ inline std::string generate_scap_file_path(const std::string& prefix,
|
|||||||
std::string path = prefix + "_";
|
std::string path = prefix + "_";
|
||||||
|
|
||||||
// Zero-pad timestamp to 20 digits for proper lexicographic sorting
|
// Zero-pad timestamp to 20 digits for proper lexicographic sorting
|
||||||
// Build digits from right to left in a buffer, then append to path
|
// Build digits from right to left in a buffer, then append to path
|
||||||
char digits[21]; // 20 digits + null terminator
|
char digits[21]; // 20 digits + null terminator
|
||||||
digits[20] = '\0';
|
digits[20] = '\0';
|
||||||
uint64_t t = timestamp;
|
uint64_t t = timestamp;
|
||||||
for (int i = 19; i >= 0; --i) {
|
for(int i = 19; i >= 0; --i) {
|
||||||
digits[i] = '0' + (t % 10);
|
digits[i] = '0' + (t % 10);
|
||||||
t /= 10;
|
t /= 10;
|
||||||
}
|
}
|
||||||
path += digits;
|
path += digits;
|
||||||
|
|
||||||
// Add underscore separator between timestamp and evt_num
|
// Add underscore separator between timestamp and evt_num
|
||||||
path += "_";
|
path += "_";
|
||||||
|
|
||||||
// Zero-pad evt_num to 20 digits for proper lexicographic sorting
|
// Zero-pad evt_num to 20 digits for proper lexicographic sorting
|
||||||
// Build digits from right to left in a buffer, then append to path
|
// Build digits from right to left in a buffer, then append to path
|
||||||
t = evt_num;
|
t = evt_num;
|
||||||
for (int i = 19; i >= 0; --i) {
|
for(int i = 19; i >= 0; --i) {
|
||||||
digits[i] = '0' + (t % 10);
|
digits[i] = '0' + (t % 10);
|
||||||
t /= 10;
|
t /= 10;
|
||||||
}
|
}
|
||||||
path += digits;
|
path += digits;
|
||||||
|
|
||||||
// Add file extension
|
// Add file extension
|
||||||
path += ".scap";
|
path += ".scap";
|
||||||
|
|
||||||
return path;
|
return path;
|
||||||
}
|
}
|
||||||
|
|
||||||
falco::app::run_result open_offline_inspector(falco::app::state& s);
|
falco::app::run_result open_offline_inspector(falco::app::state& s);
|
||||||
|
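Review bot: The example in the header comment, `// Example: "/tmp/falco_00000001234567890_00000000000000042.scap"`, shows 17-digit fields, but both loops below pad to 20 digits (`char digits[21]`, `for(int i = 19; i >= 0; --i)`), so the comment misdocuments the output; change it to `// Example: "/tmp/falco_00000000001234567890_00000000000000000042.scap"`. A second point worth a comment on this function: the file name is fully predictable from event data, and the default prefix set elsewhere in this commit is `/tmp/falco`, i.e. a world-writable directory, so whether a symlink pre-planted at that path is followed depends entirely on how `sinsp_dumper::open` opens the file, which is not visible here. I would add `// NOTE: the name is predictable; callers must ensure `prefix` points to a directory writable only by the Falco user, or open with O_NOFOLLOW/O_EXCL semantics` above the function and confirm the dumper's open flags. generate_scap_file_path is fully contained in this hunk.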
@ -145,7 +145,7 @@ static falco::app::run_result do_inspect(
|
|||||||
}
|
}
|
||||||
|
|
||||||
// init dumper for captures
|
// init dumper for captures
|
||||||
sinsp_dumper *dumper = new sinsp_dumper();
|
sinsp_dumper* dumper = new sinsp_dumper();
|
||||||
uint64_t dump_started_ts = 0;
|
uint64_t dump_started_ts = 0;
|
||||||
uint64_t dump_deadline_ts = 0;
|
uint64_t dump_deadline_ts = 0;
|
||||||
|
|
||||||
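Review bot: `sinsp_dumper* dumper = new sinsp_dumper();` leaves an owning raw pointer in do_inspect, and no matching `delete` appears in any of the hunks shown for this function; unless one exists in the part of do_inspect outside this hunk (the function starts and ends outside it), the dumper is leaked on every exit path, including those taken after the SIGINT/SIGHUP handlers call `dumper->close()`. Replacing the line with `auto dumper = std::make_unique<sinsp_dumper>();` keeps every `dumper->` use below unchanged and releases the object on any return, which also matches the file's existing use of `inspector.get()` for smart-pointer-owned resources.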
@ -174,7 +174,7 @@ static falco::app::run_result do_inspect(
|
|||||||
if(falco::app::g_terminate_signal.triggered()) {
|
if(falco::app::g_terminate_signal.triggered()) {
|
||||||
falco::app::g_terminate_signal.handle([&]() {
|
falco::app::g_terminate_signal.handle([&]() {
|
||||||
falco_logger::log(falco_logger::level::INFO, "SIGINT received, exiting...\n");
|
falco_logger::log(falco_logger::level::INFO, "SIGINT received, exiting...\n");
|
||||||
if (dump_started_ts != 0) {
|
if(dump_started_ts != 0) {
|
||||||
dump_started_ts = 0;
|
dump_started_ts = 0;
|
||||||
dump_deadline_ts = 0;
|
dump_deadline_ts = 0;
|
||||||
dumper->close();
|
dumper->close();
|
||||||
@ -184,7 +184,7 @@ static falco::app::run_result do_inspect(
|
|||||||
} else if(falco::app::g_restart_signal.triggered()) {
|
} else if(falco::app::g_restart_signal.triggered()) {
|
||||||
falco::app::g_restart_signal.handle([&]() {
|
falco::app::g_restart_signal.handle([&]() {
|
||||||
falco_logger::log(falco_logger::level::INFO, "SIGHUP received, restarting...\n");
|
falco_logger::log(falco_logger::level::INFO, "SIGHUP received, restarting...\n");
|
||||||
if (dump_started_ts != 0) {
|
if(dump_started_ts != 0) {
|
||||||
dump_started_ts = 0;
|
dump_started_ts = 0;
|
||||||
dump_deadline_ts = 0;
|
dump_deadline_ts = 0;
|
||||||
dumper->close();
|
dumper->close();
|
||||||
@ -303,7 +303,8 @@ static falco::app::run_result do_inspect(
|
|||||||
// the outputs.
|
// the outputs.
|
||||||
auto res = s.engine->process_event(source_engine_idx, ev, s.config->m_rule_matching);
|
auto res = s.engine->process_event(source_engine_idx, ev, s.config->m_rule_matching);
|
||||||
if(res != nullptr) {
|
if(res != nullptr) {
|
||||||
auto capture = s.config->m_capture_enabled && capture_mode_t::ALL_RULES == s.config->m_capture_mode;
|
auto capture = s.config->m_capture_enabled &&
|
||||||
|
capture_mode_t::ALL_RULES == s.config->m_capture_mode;
|
||||||
for(auto& rule_res : *res) {
|
for(auto& rule_res : *res) {
|
||||||
// Process output
|
// Process output
|
||||||
s.outputs->handle_event(rule_res.evt,
|
s.outputs->handle_event(rule_res.evt,
|
||||||
@ -312,7 +313,7 @@ static falco::app::run_result do_inspect(
|
|||||||
rule_res.priority_num,
|
rule_res.priority_num,
|
||||||
rule_res.format,
|
rule_res.format,
|
||||||
rule_res.tags,
|
rule_res.tags,
|
||||||
rule_res.extra_output_fields);
|
rule_res.extra_output_fields);
|
||||||
// Compute capture params, if enabled
|
// Compute capture params, if enabled
|
||||||
if(s.config->m_capture_enabled) {
|
if(s.config->m_capture_enabled) {
|
||||||
if(capture_mode_t::RULES == s.config->m_capture_mode && rule_res.capture) {
|
if(capture_mode_t::RULES == s.config->m_capture_mode && rule_res.capture) {
|
||||||
@ -325,25 +326,27 @@ static falco::app::run_result do_inspect(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// When a rule matches or we are in all_rules mode, we start a dump (if not in progress yet)
|
// When a rule matches or we are in all_rules mode, we start a dump (if not in progress
|
||||||
|
// yet)
|
||||||
if(capture && dump_started_ts == 0) {
|
if(capture && dump_started_ts == 0) {
|
||||||
dumper->open(inspector.get(),
|
dumper->open(inspector.get(),
|
||||||
generate_scap_file_path(s.config->m_capture_path_prefix, ev->get_ts(), ev->get_num()),
|
generate_scap_file_path(s.config->m_capture_path_prefix,
|
||||||
true); // Enable compression
|
ev->get_ts(),
|
||||||
|
ev->get_num()),
|
||||||
|
true); // Enable compression
|
||||||
dump_started_ts = ev->get_ts();
|
dump_started_ts = ev->get_ts();
|
||||||
// If no rule has set a deadline, use the default one
|
// If no rule has set a deadline, use the default one
|
||||||
if (dump_deadline_ts == 0) {
|
if(dump_deadline_ts == 0) {
|
||||||
dump_deadline_ts = dump_started_ts + s.config->m_capture_default_duration_ns;
|
dump_deadline_ts = dump_started_ts + s.config->m_capture_default_duration_ns;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
// Save events when a dump is in progress.
|
// Save events when a dump is in progress.
|
||||||
// If the deadline is reached, close the dump.
|
// If the deadline is reached, close the dump.
|
||||||
if (dump_started_ts != 0) {
|
if(dump_started_ts != 0) {
|
||||||
dumper->dump(ev);
|
dumper->dump(ev);
|
||||||
if (ev->get_ts() > dump_deadline_ts) {
|
if(ev->get_ts() > dump_deadline_ts) {
|
||||||
dumper->flush();
|
dumper->flush();
|
||||||
dumper->close();
|
dumper->close();
|
||||||
dump_started_ts = 0;
|
dump_started_ts = 0;
|
||||||
@ -491,19 +494,18 @@ falco::app::run_result falco::app::actions::process_events(falco::app::state& s)
|
|||||||
if(s.config->m_capture_enabled) {
|
if(s.config->m_capture_enabled) {
|
||||||
std::string capture_mode;
|
std::string capture_mode;
|
||||||
switch(s.config->m_capture_mode) {
|
switch(s.config->m_capture_mode) {
|
||||||
case capture_mode_t::RULES:
|
case capture_mode_t::RULES:
|
||||||
capture_mode = "'rules'";
|
capture_mode = "'rules'";
|
||||||
break;
|
break;
|
||||||
case capture_mode_t::ALL_RULES:
|
case capture_mode_t::ALL_RULES:
|
||||||
capture_mode = "'all_rules'";
|
capture_mode = "'all_rules'";
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
ASSERT(false);
|
ASSERT(false);
|
||||||
}
|
}
|
||||||
falco_logger::log(
|
falco_logger::log(falco_logger::level::INFO,
|
||||||
falco_logger::level::INFO,
|
"Capture is enabled in mode " + capture_mode + ". Capturing events to " +
|
||||||
"Capture is enabled in mode " + capture_mode +
|
s.config->m_capture_path_prefix + "\n");
|
||||||
". Capturing events to " + s.config->m_capture_path_prefix + "\n");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Start processing events
|
// Start processing events
|
||||||
|
@ -97,10 +97,10 @@ falco_configuration::falco_configuration():
|
|||||||
m_metrics_flags(0),
|
m_metrics_flags(0),
|
||||||
m_metrics_convert_memory_to_mb(true),
|
m_metrics_convert_memory_to_mb(true),
|
||||||
m_metrics_include_empty_values(false),
|
m_metrics_include_empty_values(false),
|
||||||
m_capture_enabled(false),
|
m_capture_enabled(false),
|
||||||
m_capture_path_prefix("/tmp/falco"),
|
m_capture_path_prefix("/tmp/falco"),
|
||||||
m_capture_mode(capture_mode_t::RULES),
|
m_capture_mode(capture_mode_t::RULES),
|
||||||
m_capture_default_duration_ns(5000 * 1000000LL),
|
m_capture_default_duration_ns(5000 * 1000000LL),
|
||||||
m_plugins_hostinfo(true) {
|
m_plugins_hostinfo(true) {
|
||||||
m_config_schema = nlohmann::json::parse(config_schema_string);
|
m_config_schema = nlohmann::json::parse(config_schema_string);
|
||||||
}
|
}
|
||||||
@ -641,13 +641,12 @@ void falco_configuration::load_yaml(const std::string &config_name) {
|
|||||||
m_metrics_include_empty_values =
|
m_metrics_include_empty_values =
|
||||||
m_config.get_scalar<bool>("metrics.include_empty_values", false);
|
m_config.get_scalar<bool>("metrics.include_empty_values", false);
|
||||||
|
|
||||||
|
|
||||||
m_capture_enabled = m_config.get_scalar<bool>("capture.enabled", false);
|
m_capture_enabled = m_config.get_scalar<bool>("capture.enabled", false);
|
||||||
m_capture_path_prefix = m_config.get_scalar<std::string>("capture.path_prefix", "/tmp/falco");
|
m_capture_path_prefix = m_config.get_scalar<std::string>("capture.path_prefix", "/tmp/falco");
|
||||||
// Set capture mode if not already set.
|
// Set capture mode if not already set.
|
||||||
const std::unordered_map<std::string, capture_mode_t> capture_mode_lut = {
|
const std::unordered_map<std::string, capture_mode_t> capture_mode_lut = {
|
||||||
{"rules", capture_mode_t::RULES},
|
{"rules", capture_mode_t::RULES},
|
||||||
{"all_rules", capture_mode_t::ALL_RULES},
|
{"all_rules", capture_mode_t::ALL_RULES},
|
||||||
};
|
};
|
||||||
|
|
||||||
auto capture_mode_str = m_config.get_scalar<std::string>("capture.mode", "rules");
|
auto capture_mode_str = m_config.get_scalar<std::string>("capture.mode", "rules");
|
||||||
@ -659,7 +658,8 @@ void falco_configuration::load_yaml(const std::string &config_name) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Convert to nanoseconds
|
// Convert to nanoseconds
|
||||||
m_capture_default_duration_ns = m_config.get_scalar<uint32_t>("capture.default_duration", 5000) * 1000000LL;
|
m_capture_default_duration_ns =
|
||||||
|
m_config.get_scalar<uint32_t>("capture.default_duration", 5000) * 1000000LL;
|
||||||
|
|
||||||
m_plugins_hostinfo = m_config.get_scalar<bool>("plugins_hostinfo", true);
|
m_plugins_hostinfo = m_config.get_scalar<bool>("plugins_hostinfo", true);
|
||||||
|
|
||||||
|
@ -215,7 +215,6 @@ public:
|
|||||||
capture_mode_t m_capture_mode = capture_mode_t::RULES;
|
capture_mode_t m_capture_mode = capture_mode_t::RULES;
|
||||||
u_int64_t m_capture_default_duration_ns;
|
u_int64_t m_capture_default_duration_ns;
|
||||||
|
|
||||||
|
|
||||||
// Falco engine
|
// Falco engine
|
||||||
engine_kind_t m_engine_mode = engine_kind_t::KMOD;
|
engine_kind_t m_engine_mode = engine_kind_t::KMOD;
|
||||||
kmod_config m_kmod = {};
|
kmod_config m_kmod = {};
|
||||||
|
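Review bot: `u_int64_t m_capture_default_duration_ns;` uses the non-standard BSD `u_int64_t` spelling while the rest of the code on this page uses `uint64_t` (`dump_started_ts`, the parameters of `generate_scap_file_path`); it presumably compiles only because a system header pulls in `<sys/types.h>`, which is not portable. Use the standard spelling, `uint64_t m_capture_default_duration_ns;`, and, for consistency with the adjacent `m_capture_mode = capture_mode_t::RULES;`, consider a default member initializer so the 5 s value is not repeated as the magic expression `5000 * 1000000LL` in both the constructor initializer list and `load_yaml`. The enclosing class starts and ends outside this hunk.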