github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-03-18 18:58:41 +00:00
Code Issues Projects Releases Wiki Activity

new(userspace/falco): input plugin support via configuration

Browse Source 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
This commit is contained in:
Leonardo Grasso
2021-05-21 12:33:18 +02:00
parent 6adf79ea25
commit c7f18edd5a
4 changed files with 38 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
falco.yaml
View File

@@ -15,6 +15,12 @@
# limitations under the License.
#
input_plugin:
name: ""
path: ""
init_config: ""
open_params: ""
# File(s) or Directories containing Falco rules, loaded at startup.
# The name "rules_file" is only for backwards compatibility.
# If the entry is a file, it will be read directly. If the entry is a directory,

5
userspace/falco/configuration.cpp
View File

@@ -252,6 +252,11 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
{
throw logic_error("Error reading config file(" + m_config_file + "): the maximum consecutive timeouts without an event must be an unsigned integer > 0");
}
m_input_plugin_name = m_config->get_scalar<string>("input_plugin", "name", "");
m_input_plugin_path = m_config->get_scalar<string>("input_plugin", "path", "");
m_input_plugin_init_config = m_config->get_scalar<string>("input_plugin", "init_config", "");
m_input_plugin_open_params = m_config->get_scalar<string>("input_plugin", "open_params", "");
}
void falco_configuration::read_rules_file_directory(const string &path, list<string> &rules_filenames)

5
userspace/falco/configuration.h
View File

@@ -229,6 +229,11 @@ public:
uint32_t m_syscall_evt_timeout_max_consecutives;
std::string m_input_plugin_name;
std::string m_input_plugin_path;
std::string m_input_plugin_init_config;
std::string m_input_plugin_open_params;
private:
void init_cmdline_options(std::list<std::string>& cmdline_options);

22
userspace/falco/falco.cpp
View File

@@ -49,6 +49,7 @@ limitations under the License.
#include "webserver.h"
#include "grpc_server.h"
#endif
#include "plugin.h"
#include "banned.h" // This raises a compilation error when certain functions are used
typedef function<void(sinsp* inspector)> open_t;
@@ -865,6 +866,27 @@ int falco_init(int argc, char **argv)
throw std::runtime_error("Could not find configuration file at " + conf_filename);
}
if(config.m_input_plugin_path.size() > 0)
{
falco_logger::log(LOG_INFO, "Loading input plugin (" + config.m_input_plugin_name + ") from file " + config.m_input_plugin_path + "\n");
if(config.m_input_plugin_init_config.size() > 0)
{
sinsp_plugin::register_plugin(inspector, config.m_input_plugin_path, (char *)config.m_input_plugin_init_config.c_str());
}
else
{
sinsp_plugin::register_plugin(inspector, config.m_input_plugin_path, NULL);
}
inspector->set_input_plugin(config.m_input_plugin_name);
if(config.m_input_plugin_open_params.size() > 0)
{
inspector->set_input_plugin_open_params(config.m_input_plugin_open_params);
}
}
if (rules_filenames.size())
{
config.m_rules_filenames = rules_filenames;