github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-11-01 17:49:56 +00:00
Code Issues Projects Releases Wiki Activity

Allow exact matches for rule names

Browse Source 
Currently, when calling enable_rule, the provided rule name pattern is a
substring match, that is if the rules file has a rule "My fantastic
rule", and you call engine->enable_rule("fantastic", true), the rule
will be enabled.

This can cause problems if one rule name is a complete subset of another
rule name e.g. rules "My rule" and "My rule is great", and calling
engine->enable_rule("My rule", true).

To allow for this case, add an alternate method enable_rule_exact() in
both default ruleset and ruleset variants. In this case, the rule name
must be an exact match.

In the underlying ruleset code, add a "match_exact" option to
falco_ruleset::enable() that denotes whether the substring is an exact
or substring match.

This doesn't change the default behavior of falco in any way, as the
existing calls still use enable_rule().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm
2020-05-04 17:39:15 -07:00
committed by poiana
parent 900a3b5860
commit 7fd350d49a
4 changed files with 41 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
userspace/engine/falco_engine.cpp
View File

@@ -211,9 +211,10 @@ void falco_engine::load_rules_file(const string &rules_filename, bool verbose, b
void falco_engine::enable_rule(const string &substring, bool enabled, const string &ruleset)
{
uint16_t ruleset_id = find_ruleset_id(ruleset);
bool match_exact = false;
m_sinsp_rules->enable(substring, enabled, ruleset_id);
m_k8s_audit_rules->enable(substring, enabled, ruleset_id);
m_sinsp_rules->enable(substring, match_exact, enabled, ruleset_id);
m_k8s_audit_rules->enable(substring, match_exact, enabled, ruleset_id);
}
void falco_engine::enable_rule(const string &substring, bool enabled)
@@ -221,6 +222,20 @@ void falco_engine::enable_rule(const string &substring, bool enabled)
enable_rule(substring, enabled, m_default_ruleset);
}
void falco_engine::enable_rule_exact(const string &rule_name, bool enabled, const string &ruleset)
{
uint16_t ruleset_id = find_ruleset_id(ruleset);
bool match_exact = true;
m_sinsp_rules->enable(rule_name, match_exact, enabled, ruleset_id);
m_k8s_audit_rules->enable(rule_name, match_exact, enabled, ruleset_id);
}
void falco_engine::enable_rule_exact(const string &rule_name, bool enabled)
{
enable_rule_exact(rule_name, enabled, m_default_ruleset);
}
void falco_engine::enable_rule_by_tag(const set<string> &tags, bool enabled, const string &ruleset)
{
uint16_t ruleset_id = find_ruleset_id(ruleset);