github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-24 08:58:52 +00:00
Code Issues Projects Releases Wiki Activity

new(userspapace/engine): add capture and capture_duration to rules loader

Browse Source 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
This commit is contained in:
Leonardo Grasso 2025-07-18 13:07:00 +02:00
parent b6730db82c
commit f33d5b43fe
No known key found for this signature in database
GPG Key ID: 5826A20627574B83
5 changed files with 43 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
userspace/engine/rule_loader.cpp
View File

@ -1,6 +1,6 @@
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
/* /*
Copyright (C) 2023 The Falco Authors. Copyright (C) 2025 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
@ -532,6 +532,8 @@ rule_loader::rule_info::rule_info(context& ctx):
visibility(0), visibility(0),
unknown_source(false), unknown_source(false),
priority(falco_common::PRIORITY_DEBUG), priority(falco_common::PRIORITY_DEBUG),
capture(false),
capture_duration(0),
enabled(true), enabled(true),
warn_evttypes(true), warn_evttypes(true),
skip_if_unknown_filter(false) {} skip_if_unknown_filter(false) {}

5
userspace/engine/rule_loader.h
View File

@ -460,6 +460,8 @@ struct rule_info {
std::set<std::string> tags; std::set<std::string> tags;
std::vector<rule_exception_info> exceptions; std::vector<rule_exception_info> exceptions;
falco_common::priority_type priority; falco_common::priority_type priority;
bool capture;
uint32_t capture_duration;
bool enabled; bool enabled;
bool warn_evttypes; bool warn_evttypes;
bool skip_if_unknown_filter; bool skip_if_unknown_filter;
@ -480,6 +482,7 @@ struct rule_update_info {
bool has_any_value() { bool has_any_value() {
return cond.has_value() || output.has_value() || desc.has_value() || tags.has_value() || return cond.has_value() || output.has_value() || desc.has_value() || tags.has_value() ||
exceptions.has_value() || priority.has_value() || enabled.has_value() || exceptions.has_value() || priority.has_value() || enabled.has_value() ||
capture.has_value() || capture_duration.has_value() ||
warn_evttypes.has_value() || skip_if_unknown_filter.has_value(); warn_evttypes.has_value() || skip_if_unknown_filter.has_value();
} }
@ -493,6 +496,8 @@ struct rule_update_info {
std::optional<std::set<std::string>> tags; std::optional<std::set<std::string>> tags;
std::optional<std::vector<rule_exception_info>> exceptions; std::optional<std::vector<rule_exception_info>> exceptions;
std::optional<falco_common::priority_type> priority; std::optional<falco_common::priority_type> priority;
std::optional<bool> capture;
std::optional<uint32_t> capture_duration;
std::optional<bool> enabled; std::optional<bool> enabled;
std::optional<bool> warn_evttypes; std::optional<bool> warn_evttypes;
std::optional<bool> skip_if_unknown_filter; std::optional<bool> skip_if_unknown_filter;

10
userspace/engine/rule_loader_collector.cpp
View File

@ -1,6 +1,6 @@
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
/* /*
Copyright (C) 2023 The Falco Authors. Copyright (C) 2025 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
@ -313,6 +313,14 @@ void rule_loader::collector::selective_replace(configuration& cfg, rule_update_i
prev->priority = *info.priority; prev->priority = *info.priority;
} }
if(info.capture.has_value()) {
prev->capture = *info.capture;
}
if(info.capture_duration.has_value()) {
prev->capture_duration = *info.capture_duration;
}
if(info.enabled.has_value()) { if(info.enabled.has_value()) {
prev->enabled = *info.enabled; prev->enabled = *info.enabled;
} }

4
userspace/engine/rule_loader_compiler.cpp
View File

@ -1,6 +1,6 @@
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
/* /*
Copyright (C) 2023 The Falco Authors. Copyright (C) 2025 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
@ -523,6 +523,8 @@ void rule_loader::compiler::compile_rule_infos(configuration& cfg,
rule.source = r.source; rule.source = r.source;
rule.description = r.desc; rule.description = r.desc;
rule.priority = r.priority; rule.priority = r.priority;
rule.capture = r.capture;
rule.capture_duration = r.capture_duration;
rule.tags = r.tags; rule.tags = r.tags;
auto rule_id = out.insert(rule, rule.name); auto rule_id = out.insert(rule, rule.name);
out.at(rule_id)->id = rule_id; out.at(rule_id)->id = rule_id;

24
userspace/engine/rule_loader_reader.cpp
View File

@ -1,6 +1,6 @@
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
/* /*
Copyright (C) 2023 The Falco Authors. Copyright (C) 2025 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
@ -634,6 +634,8 @@ void rule_loader::reader::read_item(rule_loader::configuration& cfg,
"output", "output",
"desc", "desc",
"priority", "priority",
"capture",
"capture_duration",
"tags", "tags",
"exceptions", "exceptions",
"enabled", "enabled",
@ -756,6 +758,22 @@ void rule_loader::reader::read_item(rule_loader::configuration& cfg,
v.priority = parsed_priority; v.priority = parsed_priority;
} }
if(check_update_expected(expected_keys,
override_replace,
"replace",
"capture",
ctx)) {
decode_val(item, "capture", v.capture, ctx);
}
if(check_update_expected(expected_keys,
override_replace,
"replace",
"capture_duration",
ctx)) {
decode_val(item, "capture_duration", v.capture_duration, ctx);
}
if(check_update_expected(expected_keys, if(check_update_expected(expected_keys,
override_replace, override_replace,
"replace", "replace",
@ -818,6 +836,8 @@ void rule_loader::reader::read_item(rule_loader::configuration& cfg,
rule_loader::rule_info v(ctx); rule_loader::rule_info v(ctx);
v.name = name; v.name = name;
v.enabled = true; v.enabled = true;
v.capture = false;
v.capture_duration = 0;
v.warn_evttypes = true; v.warn_evttypes = true;
v.skip_if_unknown_filter = false; v.skip_if_unknown_filter = false;
@ -863,6 +883,8 @@ void rule_loader::reader::read_item(rule_loader::configuration& cfg,
prictx); prictx);
decode_optional_val(item, "source", v.source, ctx); decode_optional_val(item, "source", v.source, ctx);
decode_optional_val(item, "enabled", v.enabled, ctx); decode_optional_val(item, "enabled", v.enabled, ctx);
decode_optional_val(item, "capture", v.capture, ctx);
decode_optional_val(item, "capture_duration", v.capture_duration, ctx);
decode_optional_val(item, "warn_evttypes", v.warn_evttypes, ctx); decode_optional_val(item, "warn_evttypes", v.warn_evttypes, ctx);
decode_optional_val(item, "skip-if-unknown-filter", v.skip_if_unknown_filter, ctx); decode_optional_val(item, "skip-if-unknown-filter", v.skip_if_unknown_filter, ctx);
decode_tags(item, v.tags, ctx); decode_tags(item, v.tags, ctx);