diff --git a/falco.yaml b/falco.yaml
index 276fe251..6883d239 100644
--- a/falco.yaml
+++ b/falco.yaml
@@ -97,6 +97,23 @@ syscall_event_drops:
   rate: .03333
   max_burst: 1
 
+# Falco uses a shared buffer between the kernel and userspace to receive
+# the events (eg., system call information) in userspace.
+#
+# Anyways, the underlying libraries can also timeout for various reasons.
+# For example, there could have been issues while reading an event.
+# Or the particular event needs to be skipped.
+# Normally, it's very unlikely that Falco does not receive events consecutively.
+#
+# Falco is able to detect such uncommon situation.
+#
+# Here you can configure the maximum number of consecutive timeouts without an event
+# after which you want Falco to alert.
+# By default this value is set to 1000 consecutive timeouts without an event at all.
+
+syscall_event_timeouts:
+  max_consecutives: 1000
+
 # Falco continuously monitors outputs performance. When an output channel does not allow
 # to deliver an alert within a given deadline, an error is reported indicating
 # which output is blocking notifications.
diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp
index bf14e237..0ecdae80 100644
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
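Review bot: The new comment block above `syscall_event_timeouts` reads informally and is ungrammatical in two places, which matters because this is the only operator-facing description of the setting. I would change `# Anyways, the underlying libraries can also timeout for various reasons.` to `# The underlying libraries can also time out for various reasons.` and `# Falco is able to detect such uncommon situation.` to `# Falco is able to detect such an uncommon situation.`. The last line would also be clearer as `# By default this value is set to 1000 consecutive timeouts without any event.`.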
@@ -246,6 +246,12 @@ void falco_configuration::init(string conf_filename, list &cmdline_optio
 	m_syscall_evt_drop_rate = m_config->get_scalar("syscall_event_drops", "rate", .03333);
 	m_syscall_evt_drop_max_burst = m_config->get_scalar("syscall_event_drops", "max_burst", 1);
 	m_syscall_evt_simulate_drops = m_config->get_scalar("syscall_event_drops", "simulate_drops", false);
+
+	m_syscall_evt_timeout_max_consecutives = m_config->get_scalar("syscall_event_timeouts", "max_consecutives", 1000);
+	if(m_syscall_evt_timeout_max_consecutives == 0)
+	{
+		throw logic_error("Error reading config file(" + m_config_file + "): the maximum consecutive timeouts without an event must be an unsigned integer > 0");
+	}
 }
 
 void falco_configuration::read_rules_file_directory(const string &path, list &rules_filenames)
diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h
index 6724ec0d..4bc6fbfd 100644
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@@ -219,14 +219,16 @@ public:
 	std::string m_webserver_k8s_healthz_endpoint;
 	bool m_webserver_ssl_enabled;
 	std::string m_webserver_ssl_certificate;
+
 	syscall_evt_drop_actions m_syscall_evt_drop_actions;
 	double m_syscall_evt_drop_threshold;
 	double m_syscall_evt_drop_rate;
 	double m_syscall_evt_drop_max_burst;
-	// Only used for testing
 	bool m_syscall_evt_simulate_drops;
+	uint32_t m_syscall_evt_timeout_max_consecutives;
+
 private:
 	void init_cmdline_options(std::list& cmdline_options);
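Review bot: The `== 0` guard on `m_syscall_evt_timeout_max_consecutives` does not reject negative values, although the error message promises "an unsigned integer > 0". The default `1000` is an `int` literal, so if `get_scalar` deduces its return type from the default (as the neighbouring `max_burst` call with default `1` suggests), a configured value such as `-1` is converted to the `uint32_t` member declared in configuration.h before the comparison, wraps to a very large count, and passes the check — silently pushing the "no events received" alert out of reach rather than failing configuration load. Read the scalar into a signed local, validate it with `<= 0`, and assign only the checked value; the exception type and message stay as they are. The enclosing `falco_configuration::init` starts before this hunk, so I cannot see whether `<cstdint>` is already included for the `uint32_t` member.
```cpp
	const int max_consecutives = m_config->get_scalar("syscall_event_timeouts", "max_consecutives", 1000);
	if(max_consecutives <= 0)
	{
		throw logic_error("Error reading config file(" + m_config_file + "): the maximum consecutive timeouts without an event must be an unsigned integer > 0");
	}
	m_syscall_evt_timeout_max_consecutives = static_cast<uint32_t>(max_consecutives);
```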