chore(falco): deprecated -A

Signed-off-by: Luca Guerra <luca@guerra.sh>
Luca Guerra 2024-09-30 11:03:45 +00:00 committed by poiana
parent 3b28450171
commit dfa6b9b88e
2 changed files with 13 additions and 3 deletions


@ -200,11 +200,21 @@ static void select_event_set(falco::app::state& s,
concat_set_in_order(non_rules_sc_set_names) + "\n"); concat_set_in_order(non_rules_sc_set_names) + "\n");
} }
/* -A flag behavior: /* base_syscall.all / -A flag behavior:
* (1) default: all syscalls in rules included, sinsp state enforcement * (1) default: all syscalls in rules included, sinsp state enforcement
without high volume syscalls without high volume syscalls
* (2) -A flag set: all syscalls in rules included, sinsp state enforcement * (2) set: all syscalls in rules included, sinsp state enforcement
and allowing high volume syscalls */ and allowing high volume syscalls */
bool all_events = false;
if(s.options.all_events) {
falco_logger::log(falco_logger::level::WARNING,
"The -A option is deprecated and will be removed. Use -o "
"base_syscalls.all=true instead.");
all_events = true;
}
if(s.config->m_base_syscalls_all) {
all_events = true;
}
if(!(s.options.all_events || s.config->m_base_syscalls_all)) { if(!(s.options.all_events || s.config->m_base_syscalls_all)) {
auto ignored_sc_set = falco::app::ignored_sc_set(); auto ignored_sc_set = falco::app::ignored_sc_set();
auto erased_sc_set = s.selected_sc_set.intersect(ignored_sc_set); auto erased_sc_set = s.selected_sc_set.intersect(ignored_sc_set);
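Review bot: The new local `all_events` is assigned in both added branches, but the guard right after them still tests `!(s.options.all_events || s.config->m_base_syscalls_all)`, so the variable is never read within the visible lines. select_event_set continues outside this hunk; if nothing further down uses it, either drop the local or make it the single decision point with `if(!all_events) {`, so the deprecated flag and the config key cannot drift apart in a later edit. The comment header also spells the key `base_syscall.all`, while the warning text and the member name use `base_syscalls.all`. Operators migrating off `-A` will copy that name, and a misspelled key may leave the high-volume syscalls filtered out without an obvious error, so the comment should read `/* base_syscalls.all / -A flag behavior:`.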


@ -104,7 +104,7 @@ void options::define(cxxopts::Options& opts)
#endif #endif
("config-schema", "Print the config json schema and exit.", cxxopts::value(print_config_schema)->default_value("false")) ("config-schema", "Print the config json schema and exit.", cxxopts::value(print_config_schema)->default_value("false"))
("rule-schema", "Print the rule json schema and exit.", cxxopts::value(print_rule_schema)->default_value("false")) ("rule-schema", "Print the rule json schema and exit.", cxxopts::value(print_rule_schema)->default_value("false"))
("A", "Monitor all events supported by Falco and defined in rules and configs. Some events are ignored by default when -A is not specified (the -i option lists these events ignored). Using -A can impact performance. This option has no effect when reproducing events from a capture file.", cxxopts::value(all_events)->default_value("false")) ("A", "DEPRECATED: use -o base_syscalls.all=true instead. Monitor all events supported by Falco and defined in rules and configs. Some events are ignored by default when -A is not specified (the -i option lists these events ignored). Using -A can impact performance. This option has no effect when reproducing events from a capture file.", cxxopts::value(all_events)->default_value("false"))
("b,print-base64", "Print data buffers in base64. This is useful for encoding binary data that needs to be used over media designed to consume this format.") ("b,print-base64", "Print data buffers in base64. This is useful for encoding binary data that needs to be used over media designed to consume this format.")
("disable-source", "Turn off a specific <event_source>. By default, all loaded sources get enabled. Available sources are 'syscall' plus all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times, but turning off all event sources simultaneously is not permitted. This option can not be mixed with --enable-source. This option has no effect when reproducing events from a capture file.", cxxopts::value(disable_sources), "<event_source>") ("disable-source", "Turn off a specific <event_source>. By default, all loaded sources get enabled. Available sources are 'syscall' plus all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times, but turning off all event sources simultaneously is not permitted. This option can not be mixed with --enable-source. This option has no effect when reproducing events from a capture file.", cxxopts::value(disable_sources), "<event_source>")
("dry-run", "Run Falco without processing events. It can help check that the configuration and rules do not have any errors.", cxxopts::value(dry_run)->default_value("false")) ("dry-run", "Run Falco without processing events. It can help check that the configuration and rules do not have any errors.", cxxopts::value(dry_run)->default_value("false"))