github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-13 11:55:50 +00:00
Code Issues Projects Releases Wiki Activity
4,579 Commits 117 Branches 173 Tags 105 MiB
generalize-indexable-ruleset-polymorphic
Commit Graph

1527 Commits

Author SHA1 Message Date
Mark Stemm
c2011ac9c6 Modify evttype_index_ruleset to derive from indexable_ruleset 
Modify evttype_index_ruleset to derive from indexable_ruleset instead
of having its own implementation of segregating filters by ruleset
id/event type.

An evttype_index_ruleset::wrapper contains a falco rule and filter,
and run_wrappers() evaluate the filter as before, without the
segregation by ruleset id/event type.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-06-18 10:26:49 -07:00
Mark Stemm
7dfc4e3447 Actually add indexable_ruleset to build 
Done separately just in case we ever have github checks that track
files separate from cmake changes.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-06-14 11:39:32 -07:00
Mark Stemm
605e69cf0e Add an indexable ruleset that can split filters by ruleset/evttype 
Now that custom rules loading implementations (and related, custom
rulesets) can be swapped into falco in a customizable way, there is
some functionality in evttype_index_ruleset that could be used by
other rulesets, specifically the part that segregates filters by
ruleset and enables/disables filters based on name substring + tags.

To allow for this, create a new base class indexable_ruleset that
takes a generic filter_wrapper object that can return a name, tags,
and sc/event codes, and segregates the filters by ruleset. It also
optionally segregates filters by event type.

The main interfaces are:

- an implementation of filter_wrapper to provide a name/tags/event
  codes.
- add_wrapper(), which provides a filter_wrapper to the
  indexable_ruleset.
- run_wrappers(), which must be implemented by the derived class and
  is called for event processing.

Most of the methods required by filter_ruleset are implemented by
indexable_ruleset and do not need to be implemented by the derived
class.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-06-14 11:39:32 -07:00
Gianmatteo Palmieri
3e91a27538 new(metrics): enable plugins metrics 
Signed-off-by: Gianmatteo Palmieri <mail@gian.im>
Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-06-13 16:32:48 +02:00
Federico Di Pierro
0e754aec14 chore(userspace): bump engine version and checksum. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-06-13 13:40:48 +02:00
Luca Guerra
b8e5e2e8dd update(engine): allow using -p to pass a format to plugin events 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-06-11 09:19:39 +02:00
Luca Guerra
8a59cee355 cleanup(falco): clarify that --print variants only affect syscalls 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-06-06 09:46:22 +02:00
Gianmatteo Palmieri
1c66b640f2 Revert "fix(engine): apply output substitutions for all sources" 
This reverts commit 4ef7c9553a.

Signed-off-by: Gianmatteo Palmieri <mail@gian.im>
 2024-06-05 12:43:19 +02:00
Melissa Kilby
5777a44ca1 fix(metrics): fix sha256 metric names for prometheus 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-06-04 09:52:13 +02:00
Melissa Kilby
97207d309a fix(metrics): allow each metric output channel to be selected independently 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-06-04 09:52:13 +02:00
Federico Di Pierro
6687d50fc2 chore(userspace/falco): more extra safety checks on stats collector too. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-06-03 15:56:14 +02:00
Federico Di Pierro
ae71cec507 fix(userspace/falco): fixed falco_metrics::to_text implementation when running with plugins. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-06-03 15:56:14 +02:00
Jason Dellaluce
cd1c5f911c refactor(userspace): move falco logger under falco engine 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2024-05-23 09:29:23 +02:00
Federico Di Pierro
a48965a00c chore(userspace,falco.yaml,unit_tests): configs_files -> config_files. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-05-20 16:33:11 +02:00
Melissa Kilby
0668c54485 cleanup(metrics): use sha26_rules (plural form) as naming 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-05-20 10:25:10 +02:00
Melissa Kilby
27bab30017 cleanup(metrics): add original rule name as label 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-05-20 10:25:10 +02:00
Melissa Kilby
c15a309781 clenaup: add sanitize_metric_name helper 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-05-17 14:54:58 +02:00
Melissa Kilby
e9afe24e17 cleanup(metrics): simplify some logic 
Co-authored-by: Samuel Gaist <samuel.gaist@idiap.ch>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-05-17 14:54:58 +02:00
Melissa Kilby
aa021537d9 cleanup(metrics): improve comments 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-05-17 14:54:58 +02:00
Melissa Kilby
0195dba889 cleanup: add getter functions to stats_manager 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-05-17 14:54:58 +02:00
Melissa Kilby
b7adcd251d new(metrics): add rules_counters_enabled option 
Intended to replace https://github.com/falcosecurity/falco-exporter
when used with Prometheus output

Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-05-17 14:54:58 +02:00
Jason Dellaluce
e211e97e2a fix(userspace/engine): make sure exception fields are not optional in replace mode 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2024-05-17 14:38:57 +02:00
Melissa Kilby
6057c1553e cleanup(engine): print total number of enabled rules 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-05-16 10:29:53 +02:00
Melissa Kilby
77341cbd2e new(engine): add print_enabled_rules_falco_logger when log_level debug 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-05-16 10:29:53 +02:00
Luca Guerra
eb3ee5d2b2 update(falco): add deprecation warning messages 
Signed-off-by: Luca Guerra <luca@guerra.sh>
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-05-15 10:33:50 +02:00
Luca Guerra
f9a56d9c9d update(falco): add deprecation notice for -T, -t and -D 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-05-15 10:33:50 +02:00
Luca Guerra
abf82f6373 update(config): split init_from_content from init_from_file 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-05-14 12:47:46 +02:00
Luca Guerra
35bd348e21 new(falco): implement rule selection configuration in falco.yaml 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-05-14 12:47:46 +02:00
Melissa Kilby
60e6798f9b cleanup(metrics): use map for config and rules filenames sha256 tracking 
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-05-14 10:08:51 +02:00
Melissa Kilby
91b58c43f1 chore: fix non linux build metrics 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-05-14 10:08:51 +02:00
Melissa Kilby
67a5015be7 cleanup(metrics): use filesystem lib to derive file names + build fix 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-05-14 10:08:51 +02:00
Melissa Kilby
34ecd39113 new(metrics): add file sha256sum metrics for loaded config and rules files 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-05-14 10:08:51 +02:00
Melissa Kilby
2b80cf85ac new(utils): add new helper to calculate file sha256sum 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-05-14 10:08:51 +02:00
Federico Di Pierro
dd9163c6f4 fix(userspace/falco): fix state inizialization. 
This fixes an ugly segfault happening during hot reload.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-05-09 10:43:58 +02:00
Jason Dellaluce
b2e4cddcdf fix(userspace/falco): inizialize options variables 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2024-05-08 20:23:55 +02:00
Jason Dellaluce
f18ea1e8b7 update(userspace/engine): support tranformers in exception fields 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2024-05-08 20:23:55 +02:00
Jason Dellaluce
fa8e780b07 update(userspace/engine): propagate compiler warnings 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2024-05-08 20:23:55 +02:00
Jason Dellaluce
bc078f1f63 update(userspace/engine): support comparins with right-hand fields 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2024-05-08 20:23:55 +02:00
Jason Dellaluce
ed22e94292 refactor(userspace/libsinsp): support new filter ast structure in falco engine 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2024-05-08 20:23:55 +02:00
Federico Aponte
62d1c4fc4d refactor: smart pointer usage 
Signed-off-by: Federico Aponte <federico.aponte@sysdig.com>
 2024-05-06 11:10:44 +02:00
Federico Di Pierro
6954a4028e chore(userspace/engine): bump version and checksum. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-05-03 12:12:02 +02:00
Samuel Gaist
cbfe77d1a0 fix(falco_metrics): remove falco_ prefix for version 
The textual content was fixed but not the metrics name.

Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2024-05-03 11:23:02 +02:00
Samuel Gaist
66d1970952 fix(falco_metrics): make duration_sec and outputs_queue_num_drops monotonic 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2024-05-03 11:23:02 +02:00
Samuel Gaist
82c914c11d fix(falco_metrics): make duration_sec a count and not a timestamp 
The output will thus be a total which is what this metrics is.

Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2024-05-03 11:23:02 +02:00
Samuel Gaist
2ae6103ab6 fix(falco_metrics): remove redundant falco in version metrics 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2024-05-03 11:23:02 +02:00
Samuel Gaist
65331c0f20 feat(falco_metrics): add event sources 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2024-05-03 11:23:02 +02:00
Samuel Gaist
1ba35c911a feat(falco_metrics): add duration_sec 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2024-05-03 11:23:02 +02:00
Samuel Gaist
5ef8f1c311 feat(falco_metrics): add outputs_queue_num_drops 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2024-05-03 11:23:02 +02:00
Samuel Gaist
f90dbf9b77 refactor(metrics): use prometheus_metrics_enabled for configuration 
As agreed upon during review, use this name to get started. If more
backends were to be added, the configuration structure will be updated.

Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2024-05-03 11:23:02 +02:00
Samuel Gaist
5c237a07dc refactor(metrics): make to_text get the application state 
As falco may update its state at any time and thus its inspectors objects,
keeping pointers to them may end up in using dangling values.

Therefore, use the state of the application when requesting metrics.

Optimizations such as caching of mostly static values will be done in
a follow up patch.

Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2024-05-03 11:23:02 +02:00