chore(userspace/falco): always print invalid syscalls from custom set

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Jason Dellaluce 2023-05-24 17:45:11 +00:00 committed by poiana
parent 2dadb05af6
commit b58a373835


@ -91,6 +91,7 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
auto user_positive_sc_set = libsinsp::events::event_names_to_sc_set(user_positive_names); auto user_positive_sc_set = libsinsp::events::event_names_to_sc_set(user_positive_names);
auto user_negative_sc_set = libsinsp::events::event_names_to_sc_set(user_negative_names); auto user_negative_sc_set = libsinsp::events::event_names_to_sc_set(user_negative_names);
auto user_positive_sc_set_names = libsinsp::events::sc_set_to_event_names(user_positive_sc_set);
if (!user_positive_sc_set.empty()) if (!user_positive_sc_set.empty())
{ {
// user overrides base event set // user overrides base event set
@ -98,17 +99,16 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
// we re-transform from sc_set to names to make // we re-transform from sc_set to names to make
// sure that bad user inputs are ignored // sure that bad user inputs are ignored
auto user_positive_sc_set_names = libsinsp::events::sc_set_to_event_names(user_positive_sc_set);
falco_logger::log(LOG_DEBUG, "+(" + std::to_string(user_positive_sc_set_names.size()) falco_logger::log(LOG_DEBUG, "+(" + std::to_string(user_positive_sc_set_names.size())
+ ") syscalls added (base_syscalls override): " + ") syscalls added (base_syscalls override): "
+ concat_set_in_order(user_positive_sc_set_names) + "\n"); + concat_set_in_order(user_positive_sc_set_names) + "\n");
}
auto invalid_positive_sc_set_names = unordered_set_difference(user_positive_names, user_positive_sc_set_names); auto invalid_positive_sc_set_names = unordered_set_difference(user_positive_names, user_positive_sc_set_names);
if (!invalid_positive_sc_set_names.empty()) if (!invalid_positive_sc_set_names.empty())
{ {
falco_logger::log(LOG_WARNING, "Invalid (positive) syscall names: warning (base_syscalls override): " falco_logger::log(LOG_WARNING, "Invalid (positive) syscall names: warning (base_syscalls override): "
+ concat_set_in_order(invalid_positive_sc_set_names)); + concat_set_in_order(invalid_positive_sc_set_names));
} }
}
// selected events are the union of the rules events set and the // selected events are the union of the rules events set and the
// base events set (either the default or the user-defined one) // base events set (either the default or the user-defined one)
@ -127,6 +127,7 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
s.selected_sc_set = libsinsp::events::sinsp_repair_state_sc_set(rules_sc_set); s.selected_sc_set = libsinsp::events::sinsp_repair_state_sc_set(rules_sc_set);
} }
auto user_negative_sc_set_names = libsinsp::events::sc_set_to_event_names(user_negative_sc_set);
if (!user_negative_sc_set.empty()) if (!user_negative_sc_set.empty())
{ {
/* Remove negative base_syscalls events. */ /* Remove negative base_syscalls events. */
@ -134,17 +135,16 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
// we re-transform from sc_set to names to make // we re-transform from sc_set to names to make
// sure that bad user inputs are ignored // sure that bad user inputs are ignored
auto user_negative_sc_set_names = libsinsp::events::sc_set_to_event_names(user_negative_sc_set);
falco_logger::log(LOG_DEBUG, "-(" + std::to_string(user_negative_sc_set_names.size()) falco_logger::log(LOG_DEBUG, "-(" + std::to_string(user_negative_sc_set_names.size())
+ ") syscalls removed (base_syscalls override): " + ") syscalls removed (base_syscalls override): "
+ concat_set_in_order(user_negative_sc_set_names) + "\n"); + concat_set_in_order(user_negative_sc_set_names) + "\n");
}
auto invalid_negative_sc_set_names = unordered_set_difference(user_negative_names, user_negative_sc_set_names); auto invalid_negative_sc_set_names = unordered_set_difference(user_negative_names, user_negative_sc_set_names);
if (!invalid_negative_sc_set_names.empty()) if (!invalid_negative_sc_set_names.empty())
{ {
falco_logger::log(LOG_WARNING, "Invalid (negative) syscall names: warning (base_syscalls override): " falco_logger::log(LOG_WARNING, "Invalid (negative) syscall names: warning (base_syscalls override): "
+ concat_set_in_order(invalid_negative_sc_set_names)); + concat_set_in_order(invalid_negative_sc_set_names));
} }
}
/* Derive the diff between the additional syscalls added via libsinsp state /* Derive the diff between the additional syscalls added via libsinsp state
enforcement and the syscalls from each Falco rule. We avoid printing enforcement and the syscalls from each Falco rule. We avoid printing