github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-03 23:55:06 +00:00
Code Issues Projects Releases Wiki Activity

Allow exact matches for rule names

Browse Source 
Currently, when calling enable_rule, the provided rule name pattern is a
substring match, that is if the rules file has a rule "My fantastic
rule", and you call engine->enable_rule("fantastic", true), the rule
will be enabled.

This can cause problems if one rule name is a complete subset of another
rule name e.g. rules "My rule" and "My rule is great", and calling
engine->enable_rule("My rule", true).

To allow for this case, add an alternate method enable_rule_exact() in
both default ruleset and ruleset variants. In this case, the rule name
must be an exact match.

In the underlying ruleset code, add a "match_exact" option to
falco_ruleset::enable() that denotes whether the substring is an exact
or substring match.

This doesn't change the default behavior of falco in any way, as the
existing calls still use enable_rule().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm
2020-05-04 17:39:15 -07:00
committed by poiana
parent 900a3b5860
commit 7fd350d49a
4 changed files with 41 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
userspace/engine/falco_engine.h
View File

@@ -85,6 +85,13 @@ public:
// Wrapper that assumes the default ruleset
void enable_rule(const std::string &substring, bool enabled);
// Like enable_rule, but the rule name must be an exact match.
void enable_rule_exact(const std::string &rule_name, bool enabled, const std::string &ruleset);
// Wrapper that assumes the default ruleset
void enable_rule_exact(const std::string &rule_name, bool enabled);
//
// Enable/Disable any rules with any of the provided tags (set, exact matches only)
//