new(userspace/falco): add new static_fields config key + update schema.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-07-31 22:16:49 +00:00 · 2025-05-15 10:06:28 +02:00 · 2025-05-15 10:06:28 +02:00 · 8d8ba5ba5c
commit 8d8ba5ba5c
parent 2ed1f0ffec
4 changed files with 19 additions and 1 deletions
--- a/falco.yaml
+++ b/falco.yaml
@ -687,7 +687,7 @@ outputs_queue:
 #             affect the regular Falco message in any way. These can be specified as a
 #             custom name with a custom format or as any supported field
 #             (see: https://falco.org/docs/reference/rules/supported-fields/)
-#   `suggested_output`: enable the use of extractor plugins suggested fields for the matching source output.
+#   `suggested_output`: automatically append fields that are suggested to rules output
 #
 # Example:
 # 
@ -711,6 +711,17 @@ outputs_queue:
 append_output:
  - suggested_output: true

+# [Sandbox] `static_fields`
+#
+# Add statically defined fields to the Falco engine.
+# Then, they can be used as normal rule conditions, by prepending `static.` prefix,
+# eg: evt.type=open and static.foo=bar
+# Also, if `append_output.suggested_output` is true,
+# they'll be automatically appended to each rule output,
+# in the form "static_foo=bar"
+# static_fields:
+#  foo: bar
+#  foo2: ${env}

 ##########################
 # Falco outputs channels #
--- a/userspace/falco/config_json_schema.h
+++ b/userspace/falco/config_json_schema.h
@ -35,6 +35,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
                        "$ref": "#/definitions/AppendOutput"
                    }
                },
+                "static_fields": {
+                    "type": "object"
+                },
                "config_files": {
                    "type": "array",
                    "items": {
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@ -663,6 +663,8 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 		}
 	}

+	m_static_fields = m_config.get_scalar<std::map<std::string, std::string>>("static_fields", {});
+
 	std::vector<std::string> load_plugins;

 	bool load_plugins_node_defined = m_config.is_defined("load_plugins");
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@ -147,6 +147,8 @@ public:
 	std::vector<rule_selection_config> m_rules_selection;
 	// Append output configuration passed by the user
 	std::vector<append_output_config> m_append_output;
+	// Static fields configuration passed by the user
+	std::map<std::string, std::string> m_static_fields;

 	bool m_json_output;
 	bool m_json_include_output_property;