mirror of
https://github.com/falcosecurity/falco.git
synced 2025-07-20 09:29:42 +00:00
refactor(userspace/engine): improve ruleset interface definitions
The filter_ruleset interface its implementation evt_type_index_ruleset have been modified as follows: - Only keep track of ruleset ids and not names. The falco engine will take care of mapping easy-to-remember ruleset names to ruleset ids. To emphasize this, use ruleset_id everywhere and not ruleset. Also, make it non-optional. - Have explicit separate functions to enable/disable rules, instead of a single enable() method combined with a boolean flag. This does *not* change the falco_engine interface, which has similar methods, to avoid breaking API changes. Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> Co-authored-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Jason Dellaluce
poiana
parent
833fec8537
commit
a1bdf95a0f
@ -179,17 +179,6 @@ void evttype_index_ruleset::add(
|
||||
}
|
||||
}
|
||||
|
||||
uint16_t evttype_index_ruleset::ruleset_id(const std::string &name)
|
||||
{
|
||||
auto it = find(m_ruleset_names.begin(), m_ruleset_names.end(), name);
|
||||
if (it != m_ruleset_names.end())
|
||||
{
|
||||
return it - m_ruleset_names.begin();
|
||||
}
|
||||
m_ruleset_names.push_back(name);
|
||||
return m_ruleset_names.size() - 1;
|
||||
}
|
||||
|
||||
void evttype_index_ruleset::on_loading_complete()
|
||||
{
|
||||
// nothing to do for now
|
||||
@ -205,9 +194,19 @@ void evttype_index_ruleset::clear()
|
||||
m_filters.clear();
|
||||
}
|
||||
|
||||
void evttype_index_ruleset::enable(const string &substring, bool match_exact, bool enabled, uint16_t ruleset)
|
||||
void evttype_index_ruleset::enable(const string &substring, bool match_exact, uint16_t ruleset_id)
|
||||
{
|
||||
while(m_rulesets.size() < (size_t)ruleset + 1)
|
||||
enable_disable(substring, match_exact, true, ruleset_id);
|
||||
}
|
||||
|
||||
void evttype_index_ruleset::disable(const string &substring, bool match_exact, uint16_t ruleset_id)
|
||||
{
|
||||
enable_disable(substring, match_exact, false, ruleset_id);
|
||||
}
|
||||
|
||||
void evttype_index_ruleset::enable_disable(const string &substring, bool match_exact, bool enabled, uint16_t ruleset_id)
|
||||
{
|
||||
while(m_rulesets.size() < (size_t)ruleset_id + 1)
|
||||
{
|
||||
m_rulesets.emplace_back(new ruleset_filters());
|
||||
}
|
||||
@ -232,19 +231,29 @@ void evttype_index_ruleset::enable(const string &substring, bool match_exact, bo
|
||||
{
|
||||
if(enabled)
|
||||
{
|
||||
m_rulesets[ruleset]->add_filter(wrap);
|
||||
m_rulesets[ruleset_id]->add_filter(wrap);
|
||||
}
|
||||
else
|
||||
{
|
||||
m_rulesets[ruleset]->remove_filter(wrap);
|
||||
m_rulesets[ruleset_id]->remove_filter(wrap);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void evttype_index_ruleset::enable_tags(const set<string> &tags, bool enabled, uint16_t ruleset)
|
||||
void evttype_index_ruleset::enable_tags(const set<string> &tags, uint16_t ruleset_id)
|
||||
{
|
||||
while(m_rulesets.size() < (size_t)ruleset + 1)
|
||||
enable_disable_tags(tags, true, ruleset_id);
|
||||
}
|
||||
|
||||
void evttype_index_ruleset::disable_tags(const set<string> &tags, uint16_t ruleset_id)
|
||||
{
|
||||
enable_disable_tags(tags, false, ruleset_id);
|
||||
}
|
||||
|
||||
void evttype_index_ruleset::enable_disable_tags(const set<string> &tags, bool enabled, uint16_t ruleset_id)
|
||||
{
|
||||
while(m_rulesets.size() < (size_t)ruleset_id + 1)
|
||||
{
|
||||
m_rulesets.emplace_back(new ruleset_filters());
|
||||
}
|
||||
@ -261,42 +270,42 @@ void evttype_index_ruleset::enable_tags(const set<string> &tags, bool enabled, u
|
||||
{
|
||||
if(enabled)
|
||||
{
|
||||
m_rulesets[ruleset]->add_filter(wrap);
|
||||
m_rulesets[ruleset_id]->add_filter(wrap);
|
||||
}
|
||||
else
|
||||
{
|
||||
m_rulesets[ruleset]->remove_filter(wrap);
|
||||
m_rulesets[ruleset_id]->remove_filter(wrap);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
uint64_t evttype_index_ruleset::enabled_count(uint16_t ruleset)
|
||||
uint64_t evttype_index_ruleset::enabled_count(uint16_t ruleset_id)
|
||||
{
|
||||
while(m_rulesets.size() < (size_t)ruleset + 1)
|
||||
while(m_rulesets.size() < (size_t)ruleset_id + 1)
|
||||
{
|
||||
m_rulesets.emplace_back(new ruleset_filters());
|
||||
}
|
||||
|
||||
return m_rulesets[ruleset]->num_filters();
|
||||
return m_rulesets[ruleset_id]->num_filters();
|
||||
}
|
||||
|
||||
bool evttype_index_ruleset::run(gen_event *evt, falco_rule& match, uint16_t ruleset)
|
||||
bool evttype_index_ruleset::run(gen_event *evt, falco_rule& match, uint16_t ruleset_id)
|
||||
{
|
||||
if(m_rulesets.size() < (size_t)ruleset + 1)
|
||||
if(m_rulesets.size() < (size_t)ruleset_id + 1)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
return m_rulesets[ruleset]->run(evt, match);
|
||||
return m_rulesets[ruleset_id]->run(evt, match);
|
||||
}
|
||||
|
||||
void evttype_index_ruleset::enabled_evttypes(set<uint16_t> &evttypes, uint16_t ruleset)
|
||||
void evttype_index_ruleset::enabled_evttypes(set<uint16_t> &evttypes, uint16_t ruleset_id)
|
||||
{
|
||||
if(m_rulesets.size() < (size_t)ruleset + 1)
|
||||
if(m_rulesets.size() < (size_t)ruleset_id + 1)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
return m_rulesets[ruleset]->evttypes_for_ruleset(evttypes);
|
||||
return m_rulesets[ruleset_id]->evttypes_for_ruleset(evttypes);
|
||||
}
|
||||
|
||||
@ -45,24 +45,29 @@ public:
|
||||
|
||||
void clear() override;
|
||||
|
||||
uint16_t ruleset_id(const std::string &name) override;
|
||||
bool run(gen_event *evt, falco_rule& match, uint16_t rulset_id);
|
||||
|
||||
bool run(gen_event *evt, falco_rule& match, uint16_t ruleset = 0);
|
||||
|
||||
uint64_t enabled_count(uint16_t ruleset = 0) override;
|
||||
uint64_t enabled_count(uint16_t ruleset_id) override;
|
||||
|
||||
void on_loading_complete() override;
|
||||
|
||||
void enable(
|
||||
const std::string &substring,
|
||||
bool match_exact,
|
||||
bool enabled,
|
||||
uint16_t ruleset = 0) override;
|
||||
uint16_t rulset_id) override;
|
||||
|
||||
void disable(
|
||||
const std::string &substring,
|
||||
bool match_exact,
|
||||
uint16_t rulset_id) override;
|
||||
|
||||
void enable_tags(
|
||||
const std::set<std::string> &tags,
|
||||
bool enabled,
|
||||
uint16_t ruleset = 0) override;
|
||||
uint16_t rulset_id) override;
|
||||
|
||||
void disable_tags(
|
||||
const std::set<std::string> &tags,
|
||||
uint16_t rulset_id) override;
|
||||
|
||||
// evttypes for a ruleset
|
||||
void enabled_evttypes(
|
||||
@ -71,6 +76,19 @@ public:
|
||||
|
||||
private:
|
||||
|
||||
// Helper used by enable()/disable()
|
||||
void enable_disable(
|
||||
const std::string &substring,
|
||||
bool match_exact,
|
||||
bool enabled,
|
||||
uint16_t rulset_id);
|
||||
|
||||
// Helper used by enable_tags()/disable_tags()
|
||||
void enable_disable_tags(
|
||||
const std::set<std::string> &tags,
|
||||
bool enabled,
|
||||
uint16_t rulset_id);
|
||||
|
||||
struct filter_wrapper
|
||||
{
|
||||
falco_rule rule;
|
||||
|
||||
@ -51,14 +51,6 @@ public:
|
||||
*/
|
||||
virtual void clear() = 0;
|
||||
|
||||
/*!
|
||||
\brief Returns the numeric id of a ruleset given its name.
|
||||
If a ruleset has been used before, its previously assigned id is
|
||||
returned. Otherwise, a new ruleset is created with the given name
|
||||
and a new id is assigned to it.
|
||||
*/
|
||||
virtual uint16_t ruleset_id(const std::string &name) = 0;
|
||||
|
||||
/*!
|
||||
\brief This is meant to be called after all rules have been added
|
||||
with add() and enabled on the given ruleset with enable()/enable_tags().
|
||||
@ -71,61 +63,87 @@ public:
|
||||
\param evt The event to be processed
|
||||
\param match If true is returned, this is filled-out with the rule
|
||||
that matched the event
|
||||
\param ruleset The id of the ruleset to be used
|
||||
\param ruleset_id The id of the ruleset to be used
|
||||
*/
|
||||
virtual bool run(
|
||||
gen_event *evt,
|
||||
falco_rule& match,
|
||||
uint16_t ruleset = 0) = 0;
|
||||
uint16_t ruleset_id) = 0;
|
||||
|
||||
/*!
|
||||
\brief Returns the number of rules enabled in a given ruleset
|
||||
\param ruleset The id of the ruleset to be used
|
||||
\param ruleset_id The id of the ruleset to be used
|
||||
*/
|
||||
virtual uint64_t enabled_count(uint16_t ruleset = 0) = 0;
|
||||
virtual uint64_t enabled_count(uint16_t ruleset_id) = 0;
|
||||
|
||||
/*!
|
||||
\brief Returns the union of the evttypes of all the rules enabled
|
||||
in a given ruleset
|
||||
\param ruleset The id of the ruleset to be used
|
||||
\param ruleset_id The id of the ruleset to be used
|
||||
*/
|
||||
virtual void enabled_evttypes(
|
||||
std::set<uint16_t> &evttypes,
|
||||
uint16_t ruleset) = 0;
|
||||
|
||||
/*!
|
||||
\brief Find those rules matching the provided substring and set
|
||||
their enabled status to enabled in a given ruleset.
|
||||
\brief Find those rules matching the provided substring and enable
|
||||
them in the provided ruleset.
|
||||
\param substring Substring used to match rule names.
|
||||
If empty, all rules are matched.
|
||||
\param match_exact If true, substring must be an exact match for a
|
||||
given rule name. Otherwise, any rules having substring as a substring
|
||||
in the rule name are enabled/disabled.
|
||||
\param enabled The enabled status to set on all matching rules
|
||||
\param ruleset The id of the ruleset to be used
|
||||
\param ruleset_id The id of the ruleset to be used
|
||||
*/
|
||||
virtual void enable(
|
||||
const std::string &substring,
|
||||
bool match_exact,
|
||||
bool enabled,
|
||||
uint16_t ruleset = 0) = 0;
|
||||
uint16_t ruleset_id) = 0;
|
||||
|
||||
/*!
|
||||
\brief Find those rules matching the provided substring and disable
|
||||
them in the provided ruleset.
|
||||
\param substring Substring used to match rule names.
|
||||
If empty, all rules are matched.
|
||||
\param match_exact If true, substring must be an exact match for a
|
||||
given rule name. Otherwise, any rules having substring as a substring
|
||||
in the rule name are enabled/disabled.
|
||||
\param ruleset_id The id of the ruleset to be used
|
||||
*/
|
||||
virtual void disable(
|
||||
const std::string &substring,
|
||||
bool match_exact,
|
||||
uint16_t ruleset_id) = 0;
|
||||
|
||||
/*!
|
||||
\brief Find those rules that have a tag in the set of tags and
|
||||
set their enabled status to enabled. Note that the enabled
|
||||
enable them for the provided ruleset. Note that the enabled
|
||||
status is on the rules, and not the tags--if a rule R has
|
||||
tags (a, b), and you call enable_tags([a], true) and then
|
||||
enable_tags([b], false), R will be disabled despite the
|
||||
tags (a, b), and you call enable_tags([a]) and then
|
||||
disable_tags([b]), R will be disabled despite the
|
||||
fact it has tag a and was enabled by the first call to
|
||||
enable_tags.
|
||||
\param substring Tags used to match ruless
|
||||
\param enabled The enabled status to set on all matching rules
|
||||
\param ruleset The id of the ruleset to be used
|
||||
\param ruleset_id The id of the ruleset to be used
|
||||
*/
|
||||
virtual void enable_tags(
|
||||
const std::set<std::string> &tags,
|
||||
bool enabled,
|
||||
uint16_t ruleset = 0) = 0;
|
||||
uint16_t ruleset_id) = 0;
|
||||
|
||||
/*!
|
||||
\brief Find those rules that have a tag in the set of tags and
|
||||
disable them for the provided ruleset. Note that the disabled
|
||||
status is on the rules, and not the tags--if a rule R has
|
||||
tags (a, b), and you call enable_tags([a]) and then
|
||||
disable_tags([b]), R will be disabled despite the
|
||||
fact it has tag a and was enabled by the first call to
|
||||
enable_tags.
|
||||
\param substring Tags used to match ruless
|
||||
\param ruleset_id The id of the ruleset to be used
|
||||
*/
|
||||
virtual void disable_tags(
|
||||
const std::set<std::string> &tags,
|
||||
uint16_t ruleset_id) = 0;
|
||||
};
|
||||
|
||||
/*!
|
||||
|
||||
Loading…
Reference in New Issue
Block a user