github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-14 06:54:46 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #119 from draios/add-enabled-flag

Browse Source 
Add enabled flag
This commit is contained in:
Mark Stemm 2016-09-07 10:40:07 -05:00 committed by GitHub
commit fbcddba06a
5 changed files with 51 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
test/falco_tests.yaml.in
View File

@ -113,6 +113,12 @@ trace_files: !mux
- "open.*" - "open.*"
trace_file: trace_files/cat_write.scap trace_file: trace_files/cat_write.scap
disabled_rules_using_enabled_flag:
detect: False
rules_file:
- rules/single_rule_enabled_flag.yaml
trace_file: trace_files/cat_write.scap
file_output: file_output:
detect: True detect: True
detect_level: WARNING detect_level: WARNING

9
test/rules/single_rule_enabled_flag.yaml Normal file
View File

@ -0,0 +1,9 @@
- macro: is_cat
condition: proc.name=cat
- rule: open_from_cat
desc: A process named cat does an open
condition: evt.type=open and is_cat
output: "An open was seen (command=%proc.cmdline)"
priority: WARNING
enabled: false

9
userspace/engine/lua/rule_loader.lua
View File

@ -188,6 +188,15 @@ function load_rules(rules_content, rules_mgr, verbose, all_events)
else else
state.filter_ast = { type = "BinaryBoolOp", operator = "or", left = state.filter_ast, right = filter_ast.filter.value } state.filter_ast = { type = "BinaryBoolOp", operator = "or", left = state.filter_ast, right = filter_ast.filter.value }
end end
-- Enable/disable the rule
if (v['enabled'] == nil) then
v['enabled'] = true
end
if (v['enabled'] == false) then
falco_rules.enable_rule(rules_mgr, v['rule'], 0)
end
else else
error ("Unexpected type in load_rule: "..filter_ast.type) error ("Unexpected type in load_rule: "..filter_ast.type)
end end

25
userspace/engine/rules.cpp
View File

@ -11,6 +11,7 @@ extern "C" {
const static struct luaL_reg ll_falco_rules [] = const static struct luaL_reg ll_falco_rules [] =
{ {
{"add_filter", &falco_rules::add_filter}, {"add_filter", &falco_rules::add_filter},
{"enable_rule", &falco_rules::enable_rule},
{NULL,NULL} {NULL,NULL}
}; };
@ -65,6 +66,30 @@ void falco_rules::add_filter(string &rule, list<uint32_t> &evttypes)
m_engine->add_evttype_filter(rule, evttypes, filter); m_engine->add_evttype_filter(rule, evttypes, filter);
} }
int falco_rules::enable_rule(lua_State *ls)
{
if (! lua_islightuserdata(ls, -3) ||
! lua_isstring(ls, -2) ||
! lua_isnumber(ls, -1))
{
throw falco_exception("Invalid arguments passed to enable_rule()\n");
}
falco_rules *rules = (falco_rules *) lua_topointer(ls, -3);
const char *rulec = lua_tostring(ls, -2);
std::string rule = rulec;
bool enabled = (lua_tonumber(ls, -1) ? true : false);
rules->enable_rule(rule, enabled);
return 0;
}
void falco_rules::enable_rule(string &rule, bool enabled)
{
m_engine->enable_rule(rule, enabled);
}
void falco_rules::load_rules(const string &rules_content, bool verbose, bool all_events) void falco_rules::load_rules(const string &rules_content, bool verbose, bool all_events)
{ {
lua_getglobal(m_ls, m_lua_load_rules.c_str()); lua_getglobal(m_ls, m_lua_load_rules.c_str());

2
userspace/engine/rules.h
View File

@ -18,9 +18,11 @@ class falco_rules
static void init(lua_State *ls); static void init(lua_State *ls);
static int add_filter(lua_State *ls); static int add_filter(lua_State *ls);
static int enable_rule(lua_State *ls);
private: private:
void add_filter(string &rule, list<uint32_t> &evttypes); void add_filter(string &rule, list<uint32_t> &evttypes);
void enable_rule(string &rule, bool enabled);
lua_parser* m_lua_parser; lua_parser* m_lua_parser;
sinsp* m_inspector; sinsp* m_inspector;