Leonardo Grasso
61d77cfb59
new(userspace/engine): add capture_events and capture_filesize limits
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2026-03-17 14:06:37 +01:00
Leonardo Grasso
7994460666
new(userspace/engine): validation for unknown-key in rules
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2026-03-17 12:03:34 +01:00
Leonardo Grasso
9aed480082
fix(userspace/engine): JSON Schema fixes
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2026-03-17 12:03:34 +01:00
Leonardo Grasso
59dae06e13
update(engine): bump engine version to 0.60.0
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2026-03-12 17:12:07 +01:00
irozzo-1A
7554de160a
fix(engine): add unknown filter match in err_is_unknown_type_or_field
After PR https://github.com/falcosecurity/libs/pull/2776 a new error
message has been introduced for unknown types.
Signed-off-by: irozzo-1A <iacopo@sysdig.com>
2026-03-11 12:05:07 +01:00
irozzo-1A
17ebbecec9
feat(userspace/engine): update libs ref and adapt to transformer AST changes
- Bump default falcosecurity/libs to latest main (8f6b914) with
  transformer_list_expr and field_transformer_expr (values) support
- Add visit(transformer_list_expr*) to filter_details_resolver and
  filter_macro_resolver visitors
- Fix field_transformer_expr handling to use e->values instead of e->value
Signed-off-by: irozzo-1A <iacopo@sysdig.com>
2026-03-11 12:05:07 +01:00
Leonardo Di Giovanna
43aaffc4e0
chore!: drop gRPC output and server support
Falco 0.43.0 deprecated the gRPC output and server support. Drop
their support as well as any reference to them.
BREAKING CHANGE: drop gRPC output and server support
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
2026-02-05 17:21:54 +01:00
Leonardo Grasso
69581443ae
fix(userspace/engine): missing closing quote in deprecated field warning
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2026-01-21 16:16:32 +01:00
Leonardo Di Giovanna
e34a6b28eb
chore(cmake): bump libs/drivers to 0.23.0/9.1.0+driver
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
2025-12-24 09:36:41 +01:00
irozzo-1A
5b53681d2f
chore(engine): add deprecation warning for evt.latency when used in conditions
Emit a deprecation warning when `evt.latency` is detected in a rule
condition.
Signed-off-by: irozzo-1A <iacopo@sysdig.com>
2025-12-01 12:54:18 +01:00
Iacopo Rozzo
9eacf5e58f
chore(deps): bump libs version to 0.22.0
Signed-off-by: Iacopo Rozzo <iacopo@sysdig.com>
2025-10-17 15:09:15 +02:00
Iacopo Rozzo
1717a98749
feat(engine): emit warning when a rule output uses deprecated "evt.dir"
Emit a warning when a rule uses the deprecated "evt.dir" field in output.
Signed-off-by: Iacopo Rozzo <iacopo@sysdig.com>
2025-10-14 09:46:43 +02:00
Leonardo Grasso
38be8ba5d2
update(cmake): update libs and driver to 0.22 dev
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2025-10-13 12:32:37 +02:00
Iacopo Rozzo
8c4e5aa854
Use generic DEPRECATED_ITEM warning code
Signed-off-by: Iacopo Rozzo <iacopo@sysdig.com>
2025-10-09 14:06:12 +02:00
Iacopo Rozzo
42085c9d7a
feat(engine): emit warning when a condition uses deprecated "evt.dir"
Emit a warning when a rule with a condition using "evt.dir" field is
encountered.
The direction has been deprecated in the scope of the enter event
suppression initiative.
Signed-off-by: Iacopo Rozzo <iacopo.rozzo@iacopo.rozzo>
2025-10-09 14:06:12 +02:00
Leonardo Grasso
573871955c
chore(userspace/engine): bump Falco engine version to 0.56.0
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2025-09-30 18:52:12 +02:00
Leonardo Di Giovanna
4fa53452c3
fix(userspace/engine): fix logger date format
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
2025-09-18 14:54:46 +02:00
Leonardo Di Giovanna
4d3b685c8b
feat: make libs internal auto thread purging intervals configurable
Make Falco's libs internal auto thread purging interval and timeout
configurable and set their default values to 5 minutes. This helps
control the memory impact of process exit events dropping and
events re-ordering.
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
2025-09-16 15:42:34 +02:00
Samuel Gaist
7c7196f1f0
chore: pre-commit cleanup
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
2025-09-16 09:38:29 +02:00
Samuel Gaist
e5654849d4
refactor(userspace/engine): port from asctime to strftime
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
2025-09-16 09:38:29 +02:00
Samuel Gaist
0cc39ac5e7
refactor(userspace/engine): make constructor explicit
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
2025-09-16 09:38:29 +02:00
Samuel Gaist
d9f561cd7b
refactor(userspace/engine): remove unused variable
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
2025-09-16 09:38:29 +02:00
Samuel Gaist
668bbfc9de
refactor(userspace/engine): add missing override
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
2025-09-16 09:38:29 +02:00
Samuel Gaist
4d03686999
refactor(userspace/engine): fix variable scope
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
2025-09-16 09:38:29 +02:00
Samuel Gaist
2da40e798b
refactor(userspace/engine): const correctness
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
2025-09-16 09:38:29 +02:00
Leonardo Grasso
97d88d12f1
chore(userspace/engine): initialize bool member for falco_rule
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2025-08-12 11:25:43 +02:00
Leonardo Grasso
aa501437a4
fix(userspace/engine): adding capture members to the rule equality operator
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2025-08-12 11:25:43 +02:00
Leonardo Grasso
63d27fbe1b
chore: fix formatting
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2025-08-12 11:25:43 +02:00
Leonardo Grasso
1da5514012
new(userspace/engine): add capture and capture_duration to the engine
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2025-08-12 11:25:43 +02:00
Leonardo Grasso
21350a282c
new(userspace/engine): add capture and capture_duration to rules loader
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2025-08-12 11:25:43 +02:00
Leonardo Grasso
5ebfa1b05b
new: add config options and docs for capture feature
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2025-08-12 11:25:43 +02:00
Federico Di Pierro
539294595e
update(userspace/engine): bump engine version and checksum.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-08-04 17:12:50 +02:00
Leonardo Di Giovanna
ca291b0eaf
update(userspace/engine): update falco engine version and checksum
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
2025-07-22 14:30:29 +02:00
Federico Di Pierro
ea9e86d9e0
update(userspace): bump engine version and checksum.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-06-30 14:25:18 +02:00
Federico Di Pierro
4418bf2101
update(userspace/engine): bump engine version and checksum.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-06-09 12:19:53 +02:00
Federico Di Pierro
7a349a3e87
update(userspace/engine): bump engine version and checksum.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-06-03 11:12:11 +02:00
Federico Di Pierro
b0ef64b449
update(userspace/engine): bump engine version and checksum.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-05-12 12:01:22 +02:00
Luca Guerra
28e7050f0f
cleanup(engine): remove unreachable function engine::read_file
Signed-off-by: Luca Guerra <luca@guerra.sh>
2025-05-12 10:58:22 +02:00
Federico Di Pierro
a41e3df45d
update(userspace/engine): bump engine checksum and version.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-05-06 15:03:44 +02:00
Federico Di Pierro
6e4b7663ca
cleanup(userspace/engine,userspace/falco): drop replace_container_info flag.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-05-06 10:06:43 +02:00
Federico Di Pierro
11f6fc5d14
cleanup(userspace/engine): deprecated %container.info.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-05-06 10:06:43 +02:00
Federico Di Pierro
08a00609a1
new(userspace,unit_tests): port merge-strategy to be a yaml map.
Merge-strategy for included config files must now be
specified as yaml map of the form:
  - path: foo
    strategy: bar
If `strategy` is omitted, or the old `string-only` form is used,
`append` strategy is enforced.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-04-29 16:17:06 +02:00
Federico Di Pierro
630167d9ad
new(userspace,unit_tests)!: add a way to specify merge-strategy for config_files.
By default we now use the `append` merge-strategy:
* existing sequence keys will be appended
* existing scalar keys will be overridden
* non-existing keys will be added
We also have an `override` merge-strategy:
* existing keys will be overridden
* non-existing keys will be added
Finally, there is an `add-only` merge-strategy:
* existing keys will be ignored
* non-existing keys will be added
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-04-29 16:17:06 +02:00
Federico Di Pierro
80d52963d6
fix(userspace): fixed engine openssl dep.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-04-29 13:50:04 +02:00
Federico Di Pierro
52127d4c8a
update(userspace/engine): bump engine checksum and version.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-04-29 09:48:03 +02:00
Leonardo Grasso
6e717daa95
update(userspace/engine): relax validation for values in exceptions
Defining `exceptions` with empty `values` is a legitimate use case since the values can be added to another rules file. Even when values are not populated elsewhere, Falco can work without issues; that's the reason why the `values` field is not required. With this change, we avoid emitting useless validation warnings in situations where exceptions are just defined but not actually used because values are not being provided.
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2025-04-10 18:37:07 +02:00
Luca Guerra
f70b28bfb4
new(falco): add json_include_output_fields_property option
Signed-off-by: Luca Guerra <luca@guerra.sh>
2025-04-08 16:22:51 +02:00
Federico Di Pierro
cfc221549a
chore(userspace/engine): update engine checksum and version minor.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-02-26 13:08:26 +01:00
Federico Di Pierro
9f1bc7d518
fix(userspace/engine): expand %container.info extra format to empty string.
Also, remove `container_id container_name` fields from `-pc` output.
These fields are now automatically appended since the `container` plugin
marks them as suggested.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-02-26 13:08:26 +01:00
Federico Di Pierro
aa312096d0
chore(userspace/engine): bump engine version and checksum.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-01-15 14:49:50 +01:00