chore(userspace/falco): always print invalid syscalls from custom set

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
This commit is contained in:
Jason Dellaluce 2023-05-24 17:45:11 +00:00 committed by poiana
parent 2dadb05af6
commit b58a373835


@ -91,6 +91,7 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
auto user_positive_sc_set = libsinsp::events::event_names_to_sc_set(user_positive_names); auto user_positive_sc_set = libsinsp::events::event_names_to_sc_set(user_positive_names);
auto user_negative_sc_set = libsinsp::events::event_names_to_sc_set(user_negative_names); auto user_negative_sc_set = libsinsp::events::event_names_to_sc_set(user_negative_names);
auto user_positive_sc_set_names = libsinsp::events::sc_set_to_event_names(user_positive_sc_set);
if (!user_positive_sc_set.empty()) if (!user_positive_sc_set.empty())
{ {
// user overrides base event set // user overrides base event set
@ -98,16 +99,15 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
// we re-transform from sc_set to names to make // we re-transform from sc_set to names to make
// sure that bad user inputs are ignored // sure that bad user inputs are ignored
auto user_positive_sc_set_names = libsinsp::events::sc_set_to_event_names(user_positive_sc_set);
falco_logger::log(LOG_DEBUG, "+(" + std::to_string(user_positive_sc_set_names.size()) falco_logger::log(LOG_DEBUG, "+(" + std::to_string(user_positive_sc_set_names.size())
+ ") syscalls added (base_syscalls override): " + ") syscalls added (base_syscalls override): "
+ concat_set_in_order(user_positive_sc_set_names) + "\n"); + concat_set_in_order(user_positive_sc_set_names) + "\n");
auto invalid_positive_sc_set_names = unordered_set_difference(user_positive_names, user_positive_sc_set_names); }
if (!invalid_positive_sc_set_names.empty()) auto invalid_positive_sc_set_names = unordered_set_difference(user_positive_names, user_positive_sc_set_names);
{ if (!invalid_positive_sc_set_names.empty())
falco_logger::log(LOG_WARNING, "Invalid (positive) syscall names: warning (base_syscalls override): " {
+ concat_set_in_order(invalid_positive_sc_set_names)); falco_logger::log(LOG_WARNING, "Invalid (positive) syscall names: warning (base_syscalls override): "
} + concat_set_in_order(invalid_positive_sc_set_names));
} }
// selected events are the union of the rules events set and the // selected events are the union of the rules events set and the
@ -127,6 +127,7 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
s.selected_sc_set = libsinsp::events::sinsp_repair_state_sc_set(rules_sc_set); s.selected_sc_set = libsinsp::events::sinsp_repair_state_sc_set(rules_sc_set);
} }
auto user_negative_sc_set_names = libsinsp::events::sc_set_to_event_names(user_negative_sc_set);
if (!user_negative_sc_set.empty()) if (!user_negative_sc_set.empty())
{ {
/* Remove negative base_syscalls events. */ /* Remove negative base_syscalls events. */
@ -134,16 +135,15 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
// we re-transform from sc_set to names to make // we re-transform from sc_set to names to make
// sure that bad user inputs are ignored // sure that bad user inputs are ignored
auto user_negative_sc_set_names = libsinsp::events::sc_set_to_event_names(user_negative_sc_set);
falco_logger::log(LOG_DEBUG, "-(" + std::to_string(user_negative_sc_set_names.size()) falco_logger::log(LOG_DEBUG, "-(" + std::to_string(user_negative_sc_set_names.size())
+ ") syscalls removed (base_syscalls override): " + ") syscalls removed (base_syscalls override): "
+ concat_set_in_order(user_negative_sc_set_names) + "\n"); + concat_set_in_order(user_negative_sc_set_names) + "\n");
auto invalid_negative_sc_set_names = unordered_set_difference(user_negative_names, user_negative_sc_set_names); }
if (!invalid_negative_sc_set_names.empty()) auto invalid_negative_sc_set_names = unordered_set_difference(user_negative_names, user_negative_sc_set_names);
{ if (!invalid_negative_sc_set_names.empty())
falco_logger::log(LOG_WARNING, "Invalid (negative) syscall names: warning (base_syscalls override): " {
+ concat_set_in_order(invalid_negative_sc_set_names)); falco_logger::log(LOG_WARNING, "Invalid (negative) syscall names: warning (base_syscalls override): "
} + concat_set_in_order(invalid_negative_sc_set_names));
} }
/* Derive the diff between the additional syscalls added via libsinsp state /* Derive the diff between the additional syscalls added via libsinsp state