github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-04 18:36:48 +00:00
Code Issues Projects Releases Wiki Activity

update(falco): add warning if the append condition does not appear to make sense

Browse Source 
Signed-off-by: Luca Guerra <luca@guerra.sh>
This commit is contained in:
Luca Guerra 2024-09-13 13:27:09 +00:00 committed by poiana
parent 5c959d0b1b
commit cd0d607f14
1 changed files with 22 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
userspace/falco/configuration.cpp
View File

@ -602,6 +602,28 @@ void falco_configuration::load_yaml(const std::string& config_name)
m_config.get_sequence<std::vector<rule_selection_config>>(m_rules_selection, "rules"); m_config.get_sequence<std::vector<rule_selection_config>>(m_rules_selection, "rules");
m_config.get_sequence<std::vector<append_output_config>>(m_append_output, "append_output"); m_config.get_sequence<std::vector<append_output_config>>(m_append_output, "append_output");
// check if append_output matching conditions are sane, if not emit a warning
for (auto const& entry : m_append_output)
{
if (entry.m_rule != "" && entry.m_tags.size() > 0)
{
std::string tag_list;
for (auto const& tag : entry.m_tags)
{
tag_list += tag;
tag_list += ", ";
}
tag_list.pop_back();
falco_logger::log(falco_logger::level::WARNING,
"An append_ouptut entry specifies both a rule (" + entry.m_rule + ") and a list of tags (" + tag_list + std::string("). ") +
"This means that output will be appended only to the " + entry.m_rule + " rule and only if it has " +
"all the tags: " + tag_list + ".");
}
}
std::vector<std::string> load_plugins; std::vector<std::string> load_plugins;
bool load_plugins_node_defined = m_config.is_defined("load_plugins"); bool load_plugins_node_defined = m_config.is_defined("load_plugins");