update(userspace/engine): allow overwriting rules with enabled flag only

This allows defining rules that simply enable/disable already defined rules, like the following:
- rule: A rule enabled by default
  enabled: false
- rule: A rule disabled by default
  enabled: true

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Jason Dellaluce
2021-11-15 18:36:38 +00:00
committed by poiana
parent 7dcf8f4bf7
commit eec2f5062f


@@ -542,10 +542,6 @@ function load_rules_doc(rules_mgr, doc, load_state)
return false, build_error_with_context(v['context'], "Rule name is empty"), warnings return false, build_error_with_context(v['context'], "Rule name is empty"), warnings
end end
if (v['condition'] == nil and v['exceptions'] == nil) then
return false, build_error_with_context(v['context'], "Rule must have exceptions or condition property"), warnings
end
-- By default, if a rule's condition refers to an unknown -- By default, if a rule's condition refers to an unknown
-- filter like evt.type, etc the loader throws an error. -- filter like evt.type, etc the loader throws an error.
if v['skip-if-unknown-filter'] == nil then if v['skip-if-unknown-filter'] == nil then
@@ -611,6 +607,9 @@ function load_rules_doc(rules_mgr, doc, load_state)
return false, build_error_with_context(v['context'], "Rule " ..v['rule'].. " has 'append' key but no rule by that name already exists"), warnings return false, build_error_with_context(v['context'], "Rule " ..v['rule'].. " has 'append' key but no rule by that name already exists"), warnings
end end
else else
if (v['condition'] == nil and next(v['exceptions']) == nil) then
return false, build_error_with_context(v['context'], "Appended rule must have exceptions or condition property"), warnings
end
if next(v['exceptions']) ~= nil then if next(v['exceptions']) ~= nil then
@@ -663,14 +662,25 @@ function load_rules_doc(rules_mgr, doc, load_state)
end end
else else
local err = nil
for j, field in ipairs({'condition', 'output', 'desc', 'priority'}) do for j, field in ipairs({'condition', 'output', 'desc', 'priority'}) do
if (v[field] == nil) then if (err == nil and v[field] == nil) then
return false, build_error_with_context(v['context'], "Rule must have property "..field), warnings err = build_error_with_context(v['context'], "Rule must have property "..field)
end end
end end
-- Convert the priority-as-string to a priority-as-number now -- Handle spacial case where "enabled" flag is defined only
if (err ~= nil) then
if (v['enabled'] == nil) then
return false, err, warnings
else
if state.rules_by_name[v['rule']] == nil then
return false, build_error_with_context(v['context'], "Rule " ..v['rule'].. " has 'enabled' key only, but no rule by that name already exists"), warnings
end
state.rules_by_name[v['rule']]['enabled'] = v['enabled']
end
else
-- Convert the priority-as-string to a priority-as-number now
v['priority_num'] = priorities[v['priority']] v['priority_num'] = priorities[v['priority']]
if v['priority_num'] == nil then if v['priority_num'] == nil then
@@ -693,6 +703,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
else else
state.skipped_rules_by_name[v['rule']] = v state.skipped_rules_by_name[v['rule']] = v
end end
end
end end
else else
local context = v['context'] local context = v['context']
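Review bot: In the hunk at `@@ -663,14 +662,25 @@`, the `if (err ~= nil)` branch takes the enabled-only path whenever any one of `condition`, `output`, `desc` or `priority` is missing and `enabled` is set. A full rule definition that merely omits one property and reuses an existing name is therefore reduced to an enable/disable toggle, and its other fields are dropped without an error. For a detection ruleset this means an intended rule replacement can be lost while the load still reports success. The guard should take this path only when none of the four properties is present, e.g. `if (v['enabled'] == nil or v['condition'] ~= nil or v['output'] ~= nil or v['desc'] ~= nil or v['priority'] ~= nil) then return false, err, warnings`. It would also help auditing to add an entry to `warnings` (presumably a list, as it is returned alongside errors) whenever an existing rule's `enabled` value is changed, so that a later rules file switching a detection off leaves a trace; `load_rules_doc` starts and ends outside the visible hunks.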