From c1da6d21b9811cb068a62f5273e02bf43cc4c40e Mon Sep 17 00:00:00 2001
From: Leonardo Di Donato
Date: Fri, 16 Apr 2021 09:06:09 +0000
Subject: [PATCH] new: syscall_event_timeouts configuration block

Falco uses a shared buffer between the kernel and userspace to receive the events (eg., system call information) in userspace. Anyways, the underlying libraries can also timeout for various reasons. For example, there could have been issues while reading an event. Or the particular event needs to be skipped. Normally, it's very unlikely that Falco does not receive events consecutively. Falco is able to detect such uncommon situation. Here you can configure the maximum number of consecutive timeouts without an event after which you want Falco to alert. By default this value is set to 1000 consecutive timeouts without an event at all.

Signed-off-by: Leonardo Di Donato
---
 falco.yaml | 17 +++++++++++++++++
 userspace/falco/configuration.cpp | 6 ++++++
 userspace/falco/configuration.h | 4 +++-
 3 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/falco.yaml b/falco.yaml
index 276fe251..6883d239 100644
--- a/falco.yaml
+++ b/falco.yaml
@@ -97,6 +97,23 @@ syscall_event_drops:
   rate: .03333
   max_burst: 1
+# Falco uses a shared buffer between the kernel and userspace to receive
+# the events (eg., system call information) in userspace.
+#
+# Anyways, the underlying libraries can also timeout for various reasons.
+# For example, there could have been issues while reading an event.
+# Or the particular event needs to be skipped.
+# Normally, it's very unlikely that Falco does not receive events consecutively.
+#
+# Falco is able to detect such uncommon situation.
+#
+# Here you can configure the maximum number of consecutive timeouts without an event
+# after which you want Falco to alert.
+# By default this value is set to 1000 consecutive timeouts without an event at all.
+
+syscall_event_timeouts:
+  max_consecutives: 1000
+
 # Falco continuously monitors outputs performance. When an output channel does not allow
 # to deliver an alert within a given deadline, an error is reported indicating
 # which output is blocking notifications.
diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp
index bf14e237..0ecdae80 100644
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
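Review bot: The new comment block above `syscall_event_timeouts` never states the value's valid range, yet configuration.cpp in this same commit throws when `max_consecutives` is 0, so an operator reading only falco.yaml learns of the constraint from a startup error. I'd add, directly above the key, `# Must be an integer greater than 0; a value of 0 is rejected when the configuration is loaded.` Two wording fixes while here: `# Anyways, the underlying libraries can also timeout` reads better as `# However, the underlying libraries can also time out`, and `such uncommon situation` should be `such an uncommon situation`. It would also help to say what Falco does once the threshold is reached (the text says "alert" but not at which priority or through which outputs), if that is settled.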
@@ -246,6 +246,12 @@ void falco_configuration::init(string conf_filename, list &cmdline_optio
 	m_syscall_evt_drop_rate = m_config->get_scalar("syscall_event_drops", "rate", .03333);
 	m_syscall_evt_drop_max_burst = m_config->get_scalar("syscall_event_drops", "max_burst", 1);
 	m_syscall_evt_simulate_drops = m_config->get_scalar("syscall_event_drops", "simulate_drops", false);
+
+	m_syscall_evt_timeout_max_consecutives = m_config->get_scalar("syscall_event_timeouts", "max_consecutives", 1000);
+	if(m_syscall_evt_timeout_max_consecutives == 0)
+	{
+		throw logic_error("Error reading config file(" + m_config_file + "): the maximum consecutive timeouts without an event must be an unsigned integer > 0");
+	}
 }
 void falco_configuration::read_rules_file_directory(const string &path, list &rules_filenames)
diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h
index 6724ec0d..4bc6fbfd 100644
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@@ -219,14 +219,16 @@ public:
 	std::string m_webserver_k8s_healthz_endpoint;
 	bool m_webserver_ssl_enabled;
 	std::string m_webserver_ssl_certificate;
+
 	syscall_evt_drop_actions m_syscall_evt_drop_actions;
 	double m_syscall_evt_drop_threshold;
 	double m_syscall_evt_drop_rate;
 	double m_syscall_evt_drop_max_burst;
-
 	// Only used for testing
 	bool m_syscall_evt_simulate_drops;
+	uint32_t m_syscall_evt_timeout_max_consecutives;
+
 private:
 	void init_cmdline_options(std::list& cmdline_options);
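Review bot: The new check rejects only `max_consecutives == 0`; a negative value in falco.yaml is not caught here, because the member is `uint32_t` (see the configuration.h hunk) while the `1000` default is an `int`, and what a negative scalar becomes depends on get_scalar's conversion, which this hunk does not show — depending on the yaml-cpp version it may wrap to a large unsigned value or fail with an unrelated error. I'd read the value through a signed type and bound it explicitly before assigning: `const int64_t v = m_config->get_scalar<int64_t>("syscall_event_timeouts", "max_consecutives", 1000);` followed by `if(v <= 0 || v > UINT32_MAX) { throw logic_error(/* same message */); }` and `m_syscall_evt_timeout_max_consecutives = static_cast<uint32_t>(v);`. The angle brackets of the `get_scalar<...>` and `list<...>` template arguments appear to have been stripped from this rendering, so the exact target type of the existing conversion is not visible here. `falco_configuration::init` begins before this hunk.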