Loris Degioanni
a71907c1b7
executable hashing integration in falco.yaml.
Signed-off-by: Loris Degioanni <loris@sysdig.com>
2022-11-29 17:06:25 -08:00
Jason Dellaluce
15b57bd972
fix: remove minor string view dependencies
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-11-29 16:27:42 +01:00
Leonardo Grasso
68f4d5bb59
fix(userspace/engine): no need to use external deps
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2022-11-29 16:27:42 +01:00
Leonardo Grasso
47fd90bb7f
chore: remove unused dependency - string-view-lite
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2022-11-29 16:27:42 +01:00
Luca Guerra
e3dbae3259
fix(engine): fix warning about redundant std::move
Signed-off-by: Luca Guerra <luca@guerra.sh>
2022-11-11 16:19:11 +01:00
Mark Stemm
acf5c4ce5f
fix(engine): save syscall source only when processing events
The optimization in https://github.com/falcosecurity/falco/pull/2210
had a bug when the engine uses multiple sources at the same
time--m_syscall_source is a pointer to an entry in the indexed vector
m_sources, but if add_source is called multiple times, the vector is
resized, which copies the structs but invalidates any pointer to the
vector entries.

So instead of caching m_syscall_source in add_source(), cache it in
process_events(). m_sources won't change once processing events starts.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-10-27 18:23:25 +02:00
Jason Dellaluce
9ee0298c4d
fix(userspace/engine): avoid macro/list used checks if we encounter an error
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-12 14:03:20 +02:00
Jason Dellaluce
57b26530b6
update(userspace): fix cppcheck warnings
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-12 12:07:20 +02:00
Jason Dellaluce
3629c4dc4a
update(userspace): solve cppcheck performance suggestions
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-12 12:07:20 +02:00
Jason Dellaluce
5e531870a9
fix(userspace/engine): fix unit test segfault
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-12 11:17:20 +02:00
Jason Dellaluce
4cb556aed2
update(userspace/engine): use sinsp api to access event table information
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-12 11:17:20 +02:00
Jason Dellaluce
11160f8463
fix(userspace): safely check string bounded access
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-11 11:23:15 +02:00
Jason Dellaluce
3c02b40a21
chore(userspace/falco): make log message termination consistent
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-06 21:27:06 +02:00
Jason Dellaluce
83a83a5853
update(userspace): pass string as const refs when possible
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-06 21:27:06 +02:00
Jason Dellaluce
5781c53ddc
fix(userspace): add explicit constructors and initializations
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-03 13:04:15 +02:00
Jason Dellaluce
8aea0935c9
chore(userspace/engine): remove unused var
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-27 10:42:59 +02:00
Jason Dellaluce
9c240198a0
refactor(userspace/engine): refactor falco_engine with new loader defs
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-27 10:42:59 +02:00
Jason Dellaluce
f6f763fe84
refactor(userspace/engine): clean up rule collector
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-27 10:42:59 +02:00
Jason Dellaluce
9b5f3ee99e
refactor(userspace/engine): clean up rule compiler
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-27 10:42:59 +02:00
Jason Dellaluce
89e8f70de0
refactor(userspace/engine): clean up and rename rule reader
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-27 10:42:59 +02:00
Jason Dellaluce
b0f0105116
refactor(userspace/engine): clean up rule loader
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-27 10:42:59 +02:00
Jason Dellaluce
5f2267f716
update(userspace/engine): add new loader files to CMakeLists
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-27 10:42:59 +02:00
Jason Dellaluce
b65157af5e
refactor(userspace/engine): split rule loader git history (5)
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-27 10:42:59 +02:00
Jason Dellaluce
b2b1feb1f2
refactor(userspace/engine): split rule loader git history (4)
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-27 10:42:59 +02:00
Jason Dellaluce
b900e46dfe
refactor(userspace/engine): split rule loader git history (3)
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-27 10:42:59 +02:00
Jason Dellaluce
a98c9cdd20
refactor(userspace/engine): split rule loader git history (2)
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-27 10:42:59 +02:00
Jason Dellaluce
2a427925a0
refactor(userspace/engine): split rule loader git history (1)
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-27 10:42:59 +02:00
Federico Di Pierro
e068df514c
chore(userspace/engine,userspace/falco): upgraded to latest libs.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-09-20 11:35:28 +02:00
Mark Stemm
2d5fc0b647
Use the same falco_rule struct for every call to filter_ruleset
Instead of using a falco_rule struct on the stack, use a single value
inside the falco_source struct. It's mutable as find_source returns a
const struct.

At very high event volumes (> 1M syscalls/second), even the tiny time
it takes to create/destroy the struct starts to add up, and this
switch has some small cpu savings.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-09-16 12:50:39 +02:00
Mark Stemm
e5cd5eacf5
Save syscall source separately and check explicitly in process_event
When doing some testing of falco on very high event volumes (> 1.5M
events/second), I found that the time taken to look up a falco_source
struct had a non-negligible contribution to cpu usage.

So instead of looking up the source from the source_idx every time,
separately save the source for syscalls in the falco_engine object
directly. The separately saved copy is only used once someone calls
add_source with source="syscall".
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-09-16 12:50:39 +02:00
Jason Dellaluce
cf9baea624
fix(userspace/engine): avoid reading duplicate exception values
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-12 15:53:15 +02:00
Federico Di Pierro
ccd3c896de
fix(userspace/engine): properly include stdexcept header to fix build.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-09-12 12:28:15 +02:00
Mark Stemm
0f45cf49db
Use enums for rules content item type
Use an enum instead of a string for the item_type aka "parts of a
rules file" field of contexts.

The set of values is mostly defined by the contexts that were already
created. There are a couple of forward-looking values for rule
outputs/macro conditions/etc. that may be useful for later.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-09-07 10:13:02 +02:00
Mark Stemm
7a5a4c32ee
Support condition parse errors in rule loading results
In #2098 and #2158, we reworked how rules loading errors/warnings were
returned to provide a richer set of information, including
locations/context for the errors/warnings.

That did *not* include locations within condition expressions,
though. When parsing a condition expression resulted in a
warning/error, the location simply pointed to the condition property
of the rule.

This commit improves this to handle parse errors:

- When libsinsp::filter::parser::parse() throws an exception, use
  get_pos() to get the position within the condition string.
- Add a new context() constructor that takes a filter pos_info instead
  of a YAML::Mark.

Now that positions aren't always related to the location of yaml
nodes, make up a generic "position" struct for locations and convert
YAML::Mark and parser positions to a position struct.

Also allow a context to contain an alternate content string which is
used to build the snippet. For contexts related to condition strings,
the content is the condition.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-09-07 10:13:02 +02:00
VadimZy
af95455bab
dropping fix for list parsing due to the absence of regex portability.
reverting to the inefficient code.
Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
2022-09-05 17:42:31 +02:00
VadimZy
4b75f213c6
use <onigposix.h> instead of <regex.h>
Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
2022-09-05 17:42:31 +02:00
VadimZy
0de617a7fb
remove sinsp.h public dependencies
Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
2022-09-05 17:42:31 +02:00
VadimZy
5745faeccc
fix tests, remove dead code
Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
2022-09-05 17:42:31 +02:00
VadimZy
f9ee45b38e
Improve Falco engine performance when loading rules and creating the rule sets
- replace std::set<uint16_t> with fixed size vector in event types propagation
- rework lists expansion by replacing repetitive string::find in constantly growing expansion string with regex tokenization
- improve json_event parsing by moving const initializations into static routines
Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
2022-09-05 17:42:31 +02:00
Jason Dellaluce
7d2f82fddc
update(userspace/engine): bump engine version to 15
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-05 14:40:31 +02:00
Jason Dellaluce
1b410ea2cc
update(userspace/engine): consider plugin version requirements in engine checks
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-05 14:40:31 +02:00
Jason Dellaluce
52402ac805
update(userspace/engine): support plugin version requirement alternatives in rule reader
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-05 14:40:31 +02:00
Jason Dellaluce
6e0971f1e1
update(userspace/engine): support plugin version requirement alternatives in rule loader
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-05 14:40:31 +02:00
Jason Dellaluce
c2a8efc329
chore(userspace/engine): fix typos
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-08-26 11:26:18 +02:00
Jason Dellaluce
978f192c38
chore(userspace/engine): fix codespell typos
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-08-26 11:26:18 +02:00
Jason Dellaluce
1120fb2564
doc(userspace/engine): define thread-safety guarantees of falco_engine::process_event
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-08-26 11:26:18 +02:00
Jason Dellaluce
1b8847c06b
refactor(userspace/engine): make stats manager thread-safe for on_event method
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-08-26 11:26:18 +02:00
Jason Dellaluce
d9b6473db2
refactor(userspace/engine): increase const coherence of falco engine
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-08-26 11:04:18 +02:00
Leonardo Grasso
34ad5c43fb
update(userspace/engine): add support for hostname
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2022-08-25 16:59:15 +02:00
Jason Dellaluce
d35dba30ed
update(userspace/engine): sync ast structs to new libs definitions
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-08-25 16:32:15 +02:00