github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-19 09:06:48 +00:00
Code Issues Projects Releases Wiki Activity

Allow exact matches for rule names

Browse Source 
Currently, when calling enable_rule, the provided rule name pattern is a
substring match, that is if the rules file has a rule "My fantastic
rule", and you call engine->enable_rule("fantastic", true), the rule
will be enabled.

This can cause problems if one rule name is a complete subset of another
rule name e.g. rules "My rule" and "My rule is great", and calling
engine->enable_rule("My rule", true).

To allow for this case, add an alternate method enable_rule_exact() in
both default ruleset and ruleset variants. In this case, the rule name
must be an exact match.

In the underlying ruleset code, add a "match_exact" option to
falco_ruleset::enable() that denotes whether the substring is an exact
or substring match.

This doesn't change the default behavior of falco in any way, as the
existing calls still use enable_rule().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm 2020-05-04 17:39:15 -07:00 committed by poiana
parent 900a3b5860
commit 7fd350d49a
4 changed files with 41 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
userspace/engine/falco_engine.cpp
View File

@ -211,9 +211,10 @@ void falco_engine::load_rules_file(const string &rules_filename, bool verbose, b
void falco_engine::enable_rule(const string &substring, bool enabled, const string &ruleset) void falco_engine::enable_rule(const string &substring, bool enabled, const string &ruleset)
{ {
uint16_t ruleset_id = find_ruleset_id(ruleset); uint16_t ruleset_id = find_ruleset_id(ruleset);
bool match_exact = false;
m_sinsp_rules->enable(substring, enabled, ruleset_id); m_sinsp_rules->enable(substring, match_exact, enabled, ruleset_id);
m_k8s_audit_rules->enable(substring, enabled, ruleset_id); m_k8s_audit_rules->enable(substring, match_exact, enabled, ruleset_id);
} }
void falco_engine::enable_rule(const string &substring, bool enabled) void falco_engine::enable_rule(const string &substring, bool enabled)
@ -221,6 +222,20 @@ void falco_engine::enable_rule(const string &substring, bool enabled)
enable_rule(substring, enabled, m_default_ruleset); enable_rule(substring, enabled, m_default_ruleset);
} }
void falco_engine::enable_rule_exact(const string &rule_name, bool enabled, const string &ruleset)
{
uint16_t ruleset_id = find_ruleset_id(ruleset);
bool match_exact = true;
m_sinsp_rules->enable(rule_name, match_exact, enabled, ruleset_id);
m_k8s_audit_rules->enable(rule_name, match_exact, enabled, ruleset_id);
}
void falco_engine::enable_rule_exact(const string &rule_name, bool enabled)
{
enable_rule_exact(rule_name, enabled, m_default_ruleset);
}
void falco_engine::enable_rule_by_tag(const set<string> &tags, bool enabled, const string &ruleset) void falco_engine::enable_rule_by_tag(const set<string> &tags, bool enabled, const string &ruleset)
{ {
uint16_t ruleset_id = find_ruleset_id(ruleset); uint16_t ruleset_id = find_ruleset_id(ruleset);

7
userspace/engine/falco_engine.h
View File

@ -85,6 +85,13 @@ public:
// Wrapper that assumes the default ruleset // Wrapper that assumes the default ruleset
void enable_rule(const std::string &substring, bool enabled); void enable_rule(const std::string &substring, bool enabled);
// Like enable_rule, but the rule name must be an exact match.
void enable_rule_exact(const std::string &rule_name, bool enabled, const std::string &ruleset);
// Wrapper that assumes the default ruleset
void enable_rule_exact(const std::string &rule_name, bool enabled);
// //
// Enable/Disable any rules with any of the provided tags (set, exact matches only) // Enable/Disable any rules with any of the provided tags (set, exact matches only)
// //

14
userspace/engine/ruleset.cpp
View File

@ -201,7 +201,7 @@ void falco_ruleset::add(string &name,
} }
} }
void falco_ruleset::enable(const string &substring, bool enabled, uint16_t ruleset) void falco_ruleset::enable(const string &substring, bool match_exact, bool enabled, uint16_t ruleset)
{ {
while(m_rulesets.size() < (size_t)ruleset + 1) while(m_rulesets.size() < (size_t)ruleset + 1)
{ {
@ -212,7 +212,17 @@ void falco_ruleset::enable(const string &substring, bool enabled, uint16_t rules
{ {
bool matches; bool matches;
matches = (substring == "" || (val.first.find(substring) != string::npos)); if(match_exact)
{
size_t pos = val.first.find(substring);
matches = (substring == "" || (pos == 0 &&
substring.size() == val.first.size()));
}
else
{
matches = (substring == "" || (val.first.find(substring) != string::npos));
}
if(matches) if(matches)
{ {

7
userspace/engine/ruleset.h
View File

@ -45,8 +45,11 @@ public:
// unnecessarily large vectors. // unnecessarily large vectors.
// Find those rules matching the provided substring and set // Find those rules matching the provided substring and set
// their enabled status to enabled. // their enabled status to enabled. If match_exact is true,
void enable(const std::string &substring, bool enabled, uint16_t ruleset = 0); // substring must be an exact match for a given rule
// name. Otherwise, any rules having substring as a substring
// in the rule name are enabled/disabled.
void enable(const std::string &substring, bool match_exact, bool enabled, uint16_t ruleset = 0);
// Find those rules that have a tag in the set of tags and set // Find those rules that have a tag in the set of tags and set
// their enabled status to enabled. Note that the enabled // their enabled status to enabled. Note that the enabled