github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-03 23:55:06 +00:00
Code Issues Projects Releases Wiki Activity

Add support for tagging rules.

Browse Source 
- in lua, look for a tags attribute to each rule. This is passed up in
  add_filter as a tags argument (as a lua table). If not present, an
  empty table is used. The tags table is iterated to populate a set
  of tags as strings, which is passed to add_filter().
- A new method falco_engine::enable_rule_by_tag is similar to
  enable_rule(), but is given a set of tag strings. Any rules containing
  one of the tags is enabled/disabled.
- The list of event types has been changed to a set to more accurately
  reflect its purpose.
- New argument to falco -T allows disabling all rules matching a given
  tag, via enable_rule_by_tag(). It can be provided multiple times.
- New argument to falco -t allows running those rules matching a given
  tag. If provided all rules are first disabled. It can be
  provided multiple times, but can not be combined with -T or
  -D (disable rules by name)
- falco_enging supports the notion of a ruleset. The idea is that you
  can choose a set of rules that are enabled/disabled by using
  enable_rule()/enable_rule_by_tag() in combination with a
  ruleset. Later, in process_event() you include that ruleset and the
  rules you had previously enabled will be run.
- rulsets are provided as strings in enable_rule()/enable_rule_by_tag()
  and as numbers in process_event()--this avoids the overhead of string
  lookups per-event. Ruleset ids are created on the fly as needed. A
  utility method find_ruleset_id() looks up the ruleset id for a given
  name. The default ruleset is NULL string/0 numeric if not provided.
- Although the ruleset is a useful falco engine feature, it isn't that
  important to the falco standalone program, so it's not
  documented. However, you can change the ruleset by providing
  FALCO_RULESET in the environment.
This commit is contained in:
Mark Stemm
2017-02-03 18:08:48 -08:00
parent 1e205db8aa
commit a0a6914b6a
6 changed files with 172 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
userspace/engine/falco_engine.h
View File

@@ -20,6 +20,7 @@ along with falco. If not, see <http://www.gnu.org/licenses/>.
#include <string>
#include <memory>
#include <set>
#include "sinsp.h"
#include "filter.h"
@@ -47,9 +48,18 @@ public:
void load_rules(const std::string &rules_content, bool verbose, bool all_events);
//
// Enable/Disable any rules matching the provided pattern (regex).
// Enable/Disable any rules matching the provided pattern
// (regex). If ruleset is non-NULL, enable/disable these
// rules in the context of the provided ruleset. The ruleset
// can later be passed as an argument to process_event(). This
// allows for different sets of rules being active at once.
//
void enable_rule(std::string &pattern, bool enabled);
void enable_rule(std::string &pattern, bool enabled, std::string *ruleset = NULL);
//
// Enable/Disable any rules with any of the provided tags (set, exact matches only)
//
void enable_rule_by_tag(std::set<std::string> &tags, bool enabled, std::string *ruleset = NULL);
struct rule_result {
sinsp_evt *evt;
@@ -58,13 +68,26 @@ public:
std::string format;
};
//
// Return the ruleset id corresponding to this ruleset name,
// creating a new one if necessary. If you provide any ruleset
// to enable_rule/enable_rule_by_tag(), you should look up the
// ruleset id and pass it to process_event().
//
uint16_t find_ruleset_id(std::string &ruleset);
//
// Given an event, check it against the set of rules in the
// engine and if a matching rule is found, return details on
// the rule that matched. If no rule matched, returns NULL.
//
// the reutrned rule_result is allocated and must be delete()d.
std::unique_ptr<rule_result> process_event(sinsp_evt *ev);
// If ruleset is non-NULL, use the enabled/disabled status
// associated with the provided ruleset. This is only useful
// when you have previously called enable_rule/enable_rule_by_tag
// with a non-NULL ruleset.
//
// the returned rule_result is allocated and must be delete()d.
std::unique_ptr<rule_result> process_event(sinsp_evt *ev, uint16_t ruleset_id = 0);
//
// Print details on the given rule. If rule is NULL, print
@@ -78,11 +101,12 @@ public:
void print_stats();
//
// Add a filter, which is related to the specified list of
// Add a filter, which is related to the specified set of
// event types, to the engine.
//
void add_evttype_filter(std::string &rule,
list<uint32_t> &evttypes,
std::set<uint32_t> &evttypes,
std::set<std::string> &tags,
sinsp_filter* filter);
// Clear all existing filters.
@@ -120,6 +144,8 @@ private:
inline bool should_drop_evt();
falco_rules *m_rules;
uint16_t m_next_ruleset_id;
std::map<string, uint16_t> m_known_rulesets;
std::unique_ptr<sinsp_evttype_filter> m_evttype_filter;
//