github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-26 22:57:24 +00:00
Code Issues Projects Releases Wiki Activity

new(grpc): Add tags to outputs service

Browse Source 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
This commit is contained in:
Jason Dellaluce 2021-08-26 10:56:04 +00:00 committed by poiana
parent 7c9ec9fc17
commit ca66b84e5a
10 changed files with 30 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
userspace/engine/falco_engine.cpp
View File

@ -343,17 +343,29 @@ void falco_engine::populate_rule_result(unique_ptr<struct rule_result> &res, gen
{ {
lua_pushnumber(m_ls, ev->get_check_id()); lua_pushnumber(m_ls, ev->get_check_id());
if(lua_pcall(m_ls, 1, 4, 0) != 0) if(lua_pcall(m_ls, 1, 5, 0) != 0)
{ {
const char* lerr = lua_tostring(m_ls, -1); const char* lerr = lua_tostring(m_ls, -1);
string err = "Error invoking function output: " + string(lerr); string err = "Error invoking function output: " + string(lerr);
throw falco_exception(err); throw falco_exception(err);
} }
const char *p = lua_tostring(m_ls, -4); const char *p = lua_tostring(m_ls, -5);
res->rule = p; res->rule = p;
res->evt = ev; res->evt = ev;
res->priority_num = (falco_common::priority_type) lua_tonumber(m_ls, -3); res->priority_num = (falco_common::priority_type) lua_tonumber(m_ls, -4);
res->format = lua_tostring(m_ls, -2); res->format = lua_tostring(m_ls, -3);
// Tags are passed back as a table, and is on the top of the stack
lua_pushnil(m_ls); /* first key */
while (lua_next(m_ls, -2) != 0) {
// key is at index -2, value is at index
// -1. We want the value.
res->tags.insert(luaL_checkstring(m_ls, -1));
// Remove value, keep key for next iteration
lua_pop(m_ls, 1);
}
lua_pop(m_ls, 1); // Clean table leftover
// Exception fields are passed back as a table // Exception fields are passed back as a table
lua_pushnil(m_ls); /* first key */ lua_pushnil(m_ls); /* first key */

1
userspace/engine/falco_engine.h
View File

@ -161,6 +161,7 @@ public:
falco_common::priority_type priority_num; falco_common::priority_type priority_num;
std::string format; std::string format;
std::set<std::string> exception_fields; std::set<std::string> exception_fields;
std::set<std::string> tags;
}; };
// //

2
userspace/engine/lua/rule_loader.lua
View File

@ -1156,7 +1156,7 @@ function on_event(rule_id)
error ("rule_loader.on_event(): could not find rule by name: ", rule.rule) error ("rule_loader.on_event(): could not find rule by name: ", rule.rule)
end end
return rule.rule, rule.priority_num, output, combined_rule.exception_fields return rule.rule, rule.priority_num, output, combined_rule.exception_fields, rule.tags
end end
function print_stats() function print_stats()

2
userspace/falco/falco.cpp
View File

@ -374,7 +374,7 @@ uint64_t do_inspect(falco_engine *engine,
unique_ptr<falco_engine::rule_result> res = engine->process_sinsp_event(ev); unique_ptr<falco_engine::rule_result> res = engine->process_sinsp_event(ev);
if(res) if(res)
{ {
outputs->handle_event(res->evt, res->rule, res->source, res->priority_num, res->format); outputs->handle_event(res->evt, res->rule, res->source, res->priority_num, res->format, res->tags);
} }
num_evts++; num_evts++;

3
userspace/falco/falco_outputs.cpp
View File

@ -142,7 +142,7 @@ void falco_outputs::add_output(falco::outputs::config oc)
} }
void falco_outputs::handle_event(gen_event *evt, string &rule, string &source, void falco_outputs::handle_event(gen_event *evt, string &rule, string &source,
falco_common::priority_type priority, string &format) falco_common::priority_type priority, string &format, std::set<std::string> tags)
{ {
if(!m_notifications_tb.claim()) if(!m_notifications_tb.claim())
{ {
@ -192,6 +192,7 @@ void falco_outputs::handle_event(gen_event *evt, string &rule, string &source,
cmsg.msg = falco_formats::format_event(evt, rule, source, falco_common::priority_names[priority], sformat); cmsg.msg = falco_formats::format_event(evt, rule, source, falco_common::priority_names[priority], sformat);
cmsg.fields = falco_formats::resolve_tokens(evt, source, sformat); cmsg.fields = falco_formats::resolve_tokens(evt, source, sformat);
cmsg.tags.insert(tags.begin(), tags.end());
cmsg.type = ctrl_msg_type::CTRL_MSG_OUTPUT; cmsg.type = ctrl_msg_type::CTRL_MSG_OUTPUT;
m_queue.push(cmsg); m_queue.push(cmsg);

2
userspace/falco/falco_outputs.h
View File

@ -48,7 +48,7 @@ public:
// Format then send the event to all configured outputs (`evt` is an event that has matched some rule). // Format then send the event to all configured outputs (`evt` is an event that has matched some rule).
void handle_event(gen_event *evt, std::string &rule, std::string &source, void handle_event(gen_event *evt, std::string &rule, std::string &source,
falco_common::priority_type priority, std::string &format); falco_common::priority_type priority, std::string &format, std::set<std::string> tags);
// Format then send a generic message to all outputs. Not necessarily associated with any event. // Format then send a generic message to all outputs. Not necessarily associated with any event.
void handle_msg(uint64_t now, void handle_msg(uint64_t now,

1
userspace/falco/outputs.h
View File

@ -50,6 +50,7 @@ struct message
std::string rule; std::string rule;
std::string source; std::string source;
map<std::string, std::string> fields; map<std::string, std::string> fields;
std::set<std::string> tags;
}; };
// //

3
userspace/falco/outputs.proto
View File

@ -50,6 +50,5 @@ message response {
string output = 5; string output = 5;
map<string, string> output_fields = 6; map<string, string> output_fields = 6;
string hostname = 7; string hostname = 7;
// TODO(leodido,fntlnz): tags not supported yet, keeping it for reference. repeated string tags = 8;
// repeated string tags = 8;
} }

4
userspace/falco/outputs_grpc.cpp
View File

@ -64,5 +64,9 @@ void falco::outputs::output_grpc::output(const message *msg)
auto host = grpc_res.mutable_hostname(); auto host = grpc_res.mutable_hostname();
*host = m_hostname; *host = m_hostname;
// tags
auto tags = grpc_res.mutable_tags();
*tags = {msg->tags.begin(), msg->tags.end()};
falco::grpc::queue::get().push(grpc_res); falco::grpc::queue::get().push(grpc_res);
} }

2
userspace/falco/webserver.cpp
View File

@ -102,7 +102,7 @@ bool k8s_audit_handler::accept_data(falco_engine *engine,
{ {
outputs->handle_event(res->evt, res->rule, outputs->handle_event(res->evt, res->rule,
res->source, res->priority_num, res->source, res->priority_num,
res->format); res->format, res->tags);
} }
catch(falco_exception &e) catch(falco_exception &e)
{ {