update(falco.yaml): introduce rule_matching config key

Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
This commit is contained in:
Lorenzo Susini 2023-08-02 13:17:24 +00:00 committed by poiana
parent ac3ba50e7c
commit c6abf6a133
3 changed files with 42 additions and 0 deletions


@ -139,6 +139,22 @@ rules_file:
- /etc/falco/falco_rules.local.yaml - /etc/falco/falco_rules.local.yaml
- /etc/falco/rules.d - /etc/falco/rules.d
# [Experimental] `rule_matching`
#
# Falco has to be performant when evaluating rules against events. To quickly
# understand which rules could trigger on a specific event, Falco maintains
# buckets of rules sharing the same event type in a map. Then, the lookup
# in each bucket is performed through linear search. The `rule_matching`
# configuration key's values are:
# - "first": when evaluating conditions of rules in a bucket, Falco will stop
# to evaluate rules if it finds a matching rules. Since rules are stored
# in buckets in the order they are defined in the rules files, this option
# could prevent other rules to trigger even if their condition is met, causing
# a shadowing problem.
# - "all": with this value Falco will continue evaluating all the rules
# stored in the bucket, so that multiple rules could be triggered upon one
# event.
rule_matching: first
################# #################
# Falco plugins # # Falco plugins #
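Review bot: The new comment block for `rule_matching` (lines 15–30 of the hunk) does not state that the value is matched case-insensitively, which the parser added in this same commit does via `strcasecmp`, and it leaves it to the reader to infer that `first` is the default shipped value; a one-line addition such as `# The value is matched case-insensitively; "first" is the default.` would close both gaps, and an operator choosing `first` should be told plainly that a broad rule loaded earlier can hide a more specific rule loaded later, so the shadowing sentence belongs in the "first" bullet as a warning rather than an aside. Two sentences also read awkwardly: `# to evaluate rules if it finds a matching rules.` would be clearer as `# evaluating rules once it finds a matching rule.`, and `# could prevent other rules to trigger` as `# could prevent other rules from triggering`. Whether `first` reproduces the pre-existing behaviour is not visible on this page and should be confirmed before the comment claims it.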


@ -27,6 +27,11 @@ static std::vector<std::string> priority_names = {
"Debug" "Debug"
}; };
static std::vector<std::string> rule_matching_names = {
"first",
"all"
};
bool falco_common::parse_priority(std::string v, priority_type& out) bool falco_common::parse_priority(std::string v, priority_type& out)
{ {
for (size_t i = 0; i < priority_names.size(); i++) for (size_t i = 0; i < priority_names.size(); i++)
@ -80,3 +85,16 @@ std::string falco_common::format_priority(priority_type v, bool shortfmt)
} }
return out; return out;
} }
bool falco_common::parse_rule_matching(std::string v, rule_matching& out)
{
for (size_t i = 0; i < rule_matching_names.size(); i++)
{
if (!strcasecmp(v.c_str(), rule_matching_names[i].c_str()))
{
out = (rule_matching) i;
return true;
}
}
return false;
}
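Review bot: `out = (rule_matching) i;` in `parse_rule_matching` silently couples the order of `rule_matching_names` to the numeric values of the `rule_matching` enum (FIRST = 0, ALL = 1 in the header hunk below), and nothing in either hunk enforces or documents that ordering, so a future reorder of the vector would make "first" parse as ALL. A comment on the vector, `// order must match the rule_matching enum values (FIRST = 0, ALL = 1)`, and a named cast, `out = static_cast<rule_matching>(i);`, make the dependency visible and greppable. `strcasecmp` is POSIX (`<strings.h>`); the include is outside the hunk, so this presumably mirrors how `parse_priority` already compares, but it is worth confirming the header is included in this file rather than reached transitively. Taking `v` as `std::string` by value copies on every call; `const std::string&` would suffice, though keeping it matches the existing `parse_priority` signature.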


@ -71,4 +71,12 @@ namespace falco_common
priority_type parse_priority(std::string v); priority_type parse_priority(std::string v);
bool format_priority(priority_type v, std::string& out, bool shortfmt=false); bool format_priority(priority_type v, std::string& out, bool shortfmt=false);
std::string format_priority(priority_type v, bool shortfmt=false); std::string format_priority(priority_type v, bool shortfmt=false);
enum rule_matching
{
FIRST = 0,
ALL = 1
};
bool parse_rule_matching(std::string v, rule_matching& out);
}; };
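Review bot: The new `enum rule_matching` is unscoped, so `FIRST` and `ALL` become bare names in the `falco_common` namespace, and the declaration carries no comment tying the enumerators to the configuration strings or to the index order the parser relies on. A short header comment, `// Values of the `rule_matching` config key; numeric values index rule_matching_names in falco_common.cpp`, and a declaration of `parse_rule_matching` that documents its contract, `// Parses "first"/"all" case-insensitively; returns false and leaves out untouched on an unrecognised value`, would let a reader use the API without opening the .cpp. Making it `enum class rule_matching` would avoid the name leakage, but that changes every use site and is a separate decision from this commit.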