github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-16 13:17:04 +00:00
Code Issues Projects Releases Wiki Activity
4,579 Commits 117 Branches 173 Tags 105 MiB
generalize-indexable-ruleset-polymorphic
Commit Graph

551 Commits

Author SHA1 Message Date
Jason Dellaluce
359bd6e593 cleanup(userspace/engine): remove legacy k8saudit implementation 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-11-15 16:05:15 +01:00
Luca Guerra
8bf40cdf88 update(engine): port decode_uri in falco engine 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-11-14 20:36:15 +01:00
Jason Dellaluce
f5985720f1 fix(userspace/engine): cache latest rules compilation output 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-11-02 20:32:07 +01:00
Jason Dellaluce
2e7cacb4e0 fix(userspace/engine): solve description of macro-only rules 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-11-02 16:16:06 +01:00
Luca Guerra
1e38967b18 update(engine): remove banned.h 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-10-19 17:41:22 +02:00
Roberto Scolaro
b7cef5bab2 fix(userspace/engine): fix memory leak 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-10-17 21:20:15 +02:00
Melissa Kilby
dd807b19c8 feat(userspace): remove experimental outputs queue recovery strategies 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-10-12 13:03:46 +02:00
Lorenzo Susini
09b1f92267 update(userspace/engine): update falco engine checksum 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-09-28 20:05:21 +02:00
Lorenzo Susini
1326ca356e update(userspace/engine): address jasondellaluce comments for maintainability 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-09-28 20:05:21 +02:00
Lorenzo Susini
f8cbeaaa9b update(userspace/engine): let the rule loader reader and collector be able to load rules with both numeric and semver string required_engine_version 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-09-28 20:05:21 +02:00
Lorenzo Susini
cd6cb14c08 update(userspace/engine): convert engine version to semver string 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-09-28 20:05:21 +02:00
Jason Dellaluce
d3e1a1f746 chore(userspace/engine): apply codespell suggestions 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-09-28 12:39:20 +02:00
Jason Dellaluce
aae114c331 refactor(userspace/engine)!: rename some description details outputs 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-09-28 12:39:20 +02:00
Jason Dellaluce
b67ad907a7 fix(userspace/engine): solve issues with filter details resolver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-09-28 12:39:20 +02:00
Jason Dellaluce
dc264a0577 fix(userspace/engine): solve issues in describing rules/macros/lists 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-09-28 12:39:20 +02:00
Jason Dellaluce
8f411f3d3b refactor(userspace/engine): modularize rules files compilation 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-09-28 12:39:20 +02:00
Jason Dellaluce
cba80a404f fix(userspace/engine): print rules fields with arguments 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-09-28 12:39:20 +02:00
Jason Dellaluce
26bdefae8e update(userspace/engine): support printing plugins used by rules 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-09-28 12:39:20 +02:00
Jason Dellaluce
dce5cac820 update(userspace/engine): find evt names in filter resolver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-09-28 12:39:20 +02:00
Jason Dellaluce
ab77a5d687 update(userspace/engine): refactor rule describe methods to accept plugins 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-09-28 12:39:20 +02:00
Leonardo Grasso
fe50ac22ee update: add SPDX license identifier 
See https://github.com/falcosecurity/evolution/issues/318

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2023-09-21 13:21:47 +02:00
Leonardo Grasso
35cb960917 update(userspace/engine): align %container.info defaults with new rule styles 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2023-09-08 19:00:04 +02:00
Melissa Kilby
88a5e1bf45 cleanup(config): rename default outputs queue macro 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-09-07 13:15:59 +02:00
Melissa Kilby
0eff98aa8e cleanup: apply more reviewers suggestions 
Co-authored-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-09-07 13:15:59 +02:00
Melissa Kilby
016fdae93b cleanup: apply reviewers suggestions 
Co-authored-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-09-07 13:15:59 +02:00
Melissa Kilby
a61f24066f cleanup(userspace/falco): always set queue capacity and use largest long as default for unbounded 
Co-authored-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-09-07 13:15:59 +02:00
Melissa Kilby
1e94598eca new(metrics): add falco.outputs_queue_num_drops metrics + plus fix rebase leftovers 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-09-07 13:15:59 +02:00
Melissa Kilby
85883b7200 cleanup(outputs): adopt different style for outputs_queue params encodings 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-09-07 13:15:59 +02:00
Luca Guerra
a22dac6866 update(falco)!: --list-syscall-events is now called --list-events 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-09-07 12:47:59 +02:00
Luca Guerra
bfb22527a2 chore(falco): update engine version and checksum 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-09-07 12:47:59 +02:00
Andrea Terzolo
4f8d11acdd chore: bump engine version and checksum 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-09-04 12:19:46 +02:00
Jason Dellaluce
c8122ff474 fix(userspace/engine): support appending to unknown sources 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-09-01 06:46:31 +02:00
Jason Dellaluce
eabf49892d update(userspace/falco): bump engine version to 24 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-31 18:33:30 +02:00
Jason Dellaluce
901fca2257 update(userspace/engine): upgrade skip-if-unknown-filter YAML field 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-31 18:33:30 +02:00
Jason Dellaluce
01093d2dfc fix(userspace/engine): support both old and new gcc + std::move 
Old gcc versions (e.g. 4.8.3) won't allow move elision
but newer versions (e.g. 10.2.1) would complain about
the redundant move.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-30 20:57:27 +02:00
Melissa Kilby
6cdb740786 cleanup(userspace): update parse_prometheus_interval 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-08-25 15:20:45 +02:00
Jason Dellaluce
4f3181cb1c update(userspace/engine): bump engine version to 23 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-24 10:30:40 +02:00
Jason Dellaluce
527c42c030 chore: polish conditional compilation flags for emscripten 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-24 10:30:40 +02:00
rohith-raju
c73e43c973 cleanup: fix workflow and build errors 
Signed-off-by: rohith-raju <rohithraju488@gmail.com>
 2023-08-24 10:30:40 +02:00
Jason Dellaluce
aa6061681d update: adapt code to multi-platform builds 
Co-authored-by: Rohith Raju <rohithraju488@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-24 10:30:40 +02:00
Lorenzo Susini
4e6149e5da update(userspace/engine): make rule_matching strategy stateless in falco engine 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-08-11 10:11:46 +02:00
Lorenzo Susini
6e50d2ad83 update: directly return match_found variable 
Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Lorenzo Susini <49318629+loresuso@users.noreply.github.com>
 2023-08-09 13:36:39 +02:00
Lorenzo Susini
2660582198 update(userspace/engine): bump engine version to 22 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-08-09 13:36:39 +02:00
Lorenzo Susini
6acd924c50 perf: avoid stack allocation and make use of switch to select behavior on rule matching strategy 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-08-09 13:36:39 +02:00
Lorenzo Susini
1705c0dab3 update(userspace/engine): allow the engine to match and handle multiple rules while processing events 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-08-09 13:36:39 +02:00
Lorenzo Susini
c6abf6a133 update(falco.yaml): introduce rule_matching config key 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-08-09 13:36:39 +02:00
Andrea Terzolo
528a76a7fe update(userspace/engine): bump engine version to 21 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-08-08 14:10:36 +02:00
Jason Dellaluce
bc0fef15ca update(userspace/engine): bump engine version to 20 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-07 17:29:32 +02:00
Jason Dellaluce
23a0005b25 fix(ci): solve malformed worflow issues 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-04 16:03:22 +02:00
Jason Dellaluce
5790f0ff64 update: refine engine checksum docs and scoping 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-04 16:03:22 +02:00
Jason Dellaluce
803d131843 fix(userspce/engine): skip deprecated fields in --list -N option 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-04 16:03:22 +02:00
Luca Guerra
02202620ff update(falco): update libs to 0790cff 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-07-19 10:20:36 +02:00
Luca Guerra
88fb693595 update(falco): update libs to dc02e50 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-07-11 16:23:02 +02:00
Lorenzo Susini
9fda7dfb93 fix(userspace/engine): store alternatives as array in -L json output 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-31 16:16:31 +02:00
Lorenzo Susini
79b9d0ff21 fix(userspace/engine): store required engine version as string in -L json output 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-30 12:09:30 +02:00
Lorenzo Susini
6e12b95dd2 update(userspace/engine): address jasondellaluce comments 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-30 10:45:30 +02:00
Lorenzo Susini
cfb96d0562 update(userspace/engine): adding required_engine_version, required_plugin_versions and exception names to -L output 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-30 10:45:30 +02:00
Lorenzo Susini
75f556e3b7 update(userspace/engine): add required_engine_version to rule collector 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-30 10:45:30 +02:00
Melissa Kilby
8e0c89d3b4 cleanup(userspace/engine): prometheus compliant regex parsing for metrics interval 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-05-23 09:58:34 +02:00
Melissa Kilby
fcecde845d cleanup(userspace): move parse_prometheus_interval to falco_utils 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-05-23 09:58:34 +02:00
Melissa Kilby
f2318a9ac5 cleanup(userspace/falco): address reviewers comments + cleanup 
* prefix counters and stats belonging to kernel space w/ `k.` else `u.` for userspace
* add n_drops_perc from old stats writer schema
* revert one change: file output shall reflect exact same "output_fields" key as rule output, note that src is already part of the "output_fields" schema.

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-05-23 09:58:34 +02:00
Jason Dellaluce
5d35cda8dc update(userspace): minor polishing 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-23 09:58:34 +02:00
Jason Dellaluce
f117d5273c update(userspace): refactor metrics data flow and fix bugs 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-23 09:58:34 +02:00
Melissa Kilby
e37027a1d0 cleanup(userspace/falco): address reviewers comments 
* renaming to `metrics` for technical clarity
* adopt Prometheus like metrics interval settings

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-05-23 09:58:34 +02:00
Lorenzo Susini
e47ece4de9 update(userspace/engine): address jasondellaluce comments 
- avoiding inspector to be allocated for each rule
- use two boolean values for expecting macros and lists
- move items of lists alongside name, under info
- use snake case for json output, like we do for e.g alerts
- correctly retrieve evt names
- consider two levels of lists for exception operators

Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Lorenzo Susini
1195b1e7f0 update(userspace/engine): better modularize the code for getting json details 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Lorenzo Susini
e11b4c4430 update(userspace/engine): add event codes to json output 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Lorenzo Susini
46cbc3c589 update(userspace/engine): add info about all macros and lists in -L option 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Lorenzo Susini
e30729555b update(userspace/engine): add enabled information to json output 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Lorenzo Susini
727aed0c03 update(userspace/engine): avoid solving macros AST at each cycle when getting details of all rules 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Lorenzo Susini
c1623771d8 update(userspace/engine): correctly use describe rule based on config 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Lorenzo Susini
9947962cb8 update(userspace/engine): let describe_rule function print out json details when requested 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Lorenzo Susini
a6542a6487 new(userspace/engine): introduce new class to get details about rules 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Jason Dellaluce
c603055acf fix(userspace/engine): don't count async event for evttype warning 
Co-authored-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-19 12:15:04 +02:00
Jason Dellaluce
9bfce8cfae update(userspace): make sure that async event is always matched in rules 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-19 12:15:04 +02:00
Jason Dellaluce
5175a04c6b update(userspace/engine): bump engine checksum 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-19 12:15:04 +02:00
Jason Dellaluce
8926022035 update: adapt Falco to new sinsp event source management 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-04-26 12:59:13 +02:00
Jason Dellaluce
95fa953398 update(cmake): bump libs and driver to ffcd702cf22e99d4d999c278be0cc3d713c6375c 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-04-26 12:59:13 +02:00
Leonardo Grasso
88b9537618 chore(userspace/falco): remove Mesos support 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2023-04-04 18:31:52 +02:00
Federico Di Pierro
e6078c8d16 chore(userspace): updated fields checksum. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2023-03-22 11:17:07 +01:00
rabbitstack
03285f4140 define Windows equivalent for srandom and random functions 
Signed-off-by: rabbitstack <nedim.sabic@sysdig.com>
 2023-03-17 10:23:26 +01:00
Jason Dellaluce
e8b776a9cb update(userspace/engine): bump engine version to 17 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-03-09 09:39:12 +01:00
Jason Dellaluce
19ffadc763 update(userspace/engine): support searching ppm_sc events in rulesets 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-03-09 09:39:12 +01:00
Jason Dellaluce
5ed5c63202 refactor: adapt event set configuration changes to new libs definition 
Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-21 14:31:28 +01:00
Jason Dellaluce
010f6c6a9e update(userspace/engine): bump fields checksum 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-21 14:31:28 +01:00
Jason Dellaluce
6c38ecaf0e update(userspace/engine): adapt engine classes to new libsinsp event definitions 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-21 14:31:28 +01:00
Jason Dellaluce
34ea7a8245 cleanup(userspace/engine): drop filtr_evttype_resolver 
Its logic was ported into libsinsp in:
3d8550e70e

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-21 14:31:28 +01:00
Melissa Kilby
72439b2eed cleanup(app_actions): adjust configure_interesting_sets 
* address reviewers feedback
* improve clarity around new -A and -i behavior
* additional cleanup (e.g. use generic set operations only)
* extend unit tests

Note: sinsp ppm sc API is undergoing a refactor, therefore current lookups are interim
and will subsequently be refactored as well.

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-02-21 14:31:28 +01:00
Jason Dellaluce
ff68311629 fix(userspace/engine): add missing include 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-14 17:33:31 +01:00
Lorenzo Susini
88ac30650c fix(userspace/engine): correctly bump engine version after introduction of new fields 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-02-14 13:03:06 +01:00
Jason Dellaluce
79b3f81a02 chore: fix typos 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-14 12:47:07 +01:00
Jason Dellaluce
2495827e0c fix(userspace/engine): correctly handle evttype indexing corner cases 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-14 12:47:07 +01:00
Federico Di Pierro
75dc8c050c new(userspace,tests): add proper support for generic events indexing. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2023-02-13 14:54:03 +01:00
Andrea Terzolo
dca76ba93c chore: fix building with njson 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2023-02-10 11:41:24 +01:00
Jason Dellaluce
eaeec7c079 fix(userspace): avoid using std namespace in sources 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-08 15:30:29 +01:00
Jason Dellaluce
54f117141b update(userspace/engine): avoid relying on leaked std namespace 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-08 15:30:29 +01:00
Jason Dellaluce
c1985a7c99 fix(userspace/engine): absolute rule condition position in validation context 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-10 12:55:43 +01:00
Jason Dellaluce
d79d7112a0 fix(userspace/engine): catch YAML parsing and validation errors with right context 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-10 12:55:43 +01:00
Jason Dellaluce
5552bcab76 chore: fix typo 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-12-13 15:06:10 +01:00
Jason Dellaluce
25ddc3c6a2 update(userspace/engine): broader err catching support in macro resolver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-12-13 15:06:10 +01:00
Jason Dellaluce
35dd0fc153 fix(userspace/engine): implement loop detection in macro resolver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-12-13 15:06:10 +01:00
Andrea Terzolo
52ee61b800 chore(userspace): add njson lib as a dependency for falco_engine 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-10 17:07:06 +01:00
Andrea Terzolo
94ed56df95 chore: bump libs 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-06 12:59:50 +01:00
Federico Di Pierro
87371492c5 update(userspace/engine): updated checksum. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-12-06 12:59:50 +01:00
Mark Stemm
356a4a0749 Also copy ruleset when copying falco source 
In the copy constructor and assignment operator for falco_source, also
copy the ruleset along with factories/name.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-12-01 17:07:52 +01:00
Mark Stemm
910b8ff858 Fix(engine) Save parse positions when finding unresolved macros 
Now that ASTs contain parse positions, use them when reporting errors
about unknown macros.

When doing the first pass to find all macro references, save macros as
a map<macro name,parse position> instead of a set<macro name>. While
making that change, change the visitor struct to use references
instead of pointers.

In the second pass, when reporting any unresolved macro references,
also report the parse position.

The unit tests also check that the positions of macros are properly
returned in the resolved/unresolved maps.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-12-01 17:03:52 +01:00
Mark Stemm
83b12bab1d Fix(engine): include parse positions in compile errors 
Now that ASTs have parse positions and the compiler will return the
position of the last error, use that in falco rules to return errors
within condition strings instead of reporting the position as the
beginning of the condition.

This led to a change in the filter_ruleset interface--now, an ast is
compiled to a filter before being passed to the filter_ruleset
object. That avoids polluting the interface with a lot of details
about rule_loader contexts, errors, etc. The ast is still provided in
case the filter_ruleset wants to do indexing/analysis of the filter.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-12-01 17:03:52 +01:00
Jason Dellaluce
15b57bd972 fix: remove minor string view dependencies 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-11-29 16:27:42 +01:00
Leonardo Grasso
68f4d5bb59 fix(userspace/engine): no need to use external deps 
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-11-29 16:27:42 +01:00
Leonardo Grasso
47fd90bb7f chore: remove not used dependency - string-view-lite 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-11-29 16:27:42 +01:00
Luca Guerra
e3dbae3259 fix(engine): fix warning about redundant std::move 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-11-11 16:19:11 +01:00
Mark Stemm
acf5c4ce5f fix(engine): save syscall source only when processing events 
The optimization in https://github.com/falcosecurity/falco/pull/2210
had a bug when the engine uses multiple sources at the same
time--m_syscall_source is a pointer to an entry in the indexed vector
m_sources, but if add_source is called multiple times, the vector is
resized, which copies the structs but invalidates any pointer to the
vector entries.

So instead of caching m_syscall_source in add_source(), cache it in
process_events(). m_sources won't change once processing events starts.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-10-27 18:23:25 +02:00
Jason Dellaluce
9ee0298c4d fix(userspace/engine): avoid macro/list used checks if we encounter an error 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-12 14:03:20 +02:00
Jason Dellaluce
57b26530b6 update(userspace) fix cppcheck warnings 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-12 12:07:20 +02:00
Jason Dellaluce
3629c4dc4a update(userspace): solve cppcheck performance suggestions 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-12 12:07:20 +02:00
Jason Dellaluce
5e531870a9 fix(userspace/engine): fix unit test segfault 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-12 11:17:20 +02:00
Jason Dellaluce
4cb556aed2 update(userspace/engine): use sinsp api to access event table information 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-12 11:17:20 +02:00
Jason Dellaluce
11160f8463 fix(userspace): safely check string bounded access 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-11 11:23:15 +02:00
Jason Dellaluce
3c02b40a21 chore(userspace/falco): make log message termination consistent 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-06 21:27:06 +02:00
Jason Dellaluce
83a83a5853 update(userspace): pass string as const refs when possible 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-06 21:27:06 +02:00
Jason Dellaluce
5781c53ddc fix(userspace): add explicit constructors and initializations 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-03 13:04:15 +02:00
Jason Dellaluce
8aea0935c9 chore(userspace/engine): remove unused var 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
9c240198a0 refactor(userspace/engine): refactor falco_engine with new loader defs 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
f6f763fe84 refactor(userspace/engine): clean up rule collector 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
9b5f3ee99e refactor(userspace/engine): clean up rule compiler 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
89e8f70de0 refactor(userspace/engine): clean up and rename rule reader 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
b0f0105116 refactor(userspace/engine): clean up rule loader 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
5f2267f716 update(userspace/engine): add new loader files to CMakeLists 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
b65157af5e refactor(userspace/engine): split rule loader git history (5) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
b2b1feb1f2 refactor(userspace/engine): split rule loader git history (4) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
b900e46dfe refactor(userspace/engine): split rule loader git history (3) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
a98c9cdd20 refactor(userspace/engine): split rule loader git history (2) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
2a427925a0 refactor(userspace/engine): split rule loader git history (1) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Federico Di Pierro
e068df514c chore(userspace/engine,userspace/falco): upgraded to latest libs. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-09-20 11:35:28 +02:00
Mark Stemm
2d5fc0b647 Use the same falco_rule struct for every call to filter_ruleset 
Instead of using a falco_rule struct on the stack, use a single value
inside the falco_source struct. It's mutable as find_source returns a
const struct.

At very high event volumes (> 1M syscalls/second), even the tiny time
it takes to create/destroy the struct starts to add up, and this
switch has some small cpu savings.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-09-16 12:50:39 +02:00
Mark Stemm
e5cd5eacf5 Save syscall source separately and check explicitly in process_event 
When doing some testing of falco on very high event volumes (> 1.5M
events/second), I found that the time taken to look up a falco_source
struct had a non-negligible contribution to cpu usage.

So instead of looking up the source from the source_idx every time,
separately save the source for syscalls in the falco_engine object
directly. The separately saved copy is only used once someone calls
add_source with source="syscall".

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-09-16 12:50:39 +02:00
Jason Dellaluce
cf9baea624 fix(userspace/engine): avoid reading duplicate exception values 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 15:53:15 +02:00
Federico Di Pierro
ccd3c896de fix(userspace/engine): properly include stdexcept header to fix build. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-09-12 12:28:15 +02:00
Mark Stemm
0f45cf49db Use enums for rules content item type 
Use an enum instead of a string for the item_type aka "parts of a
rules file" field of contexts.

The set of values is mostly defined by the contexts that were already
created. There are a couple of forward-looking values for rule
outputs/macro conditions/etc. that may be useful for later.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-09-07 10:13:02 +02:00
Mark Stemm
7a5a4c32ee Support condition parse errors in rule loading results 
In #2098 and #2158, we reworked how rules loading errors/warnings were
returned to provide a richer set of information, including
locations/context for the errors/warnings.

That did *not* include locations within condition expressions,
though. When parsing a condition expression resulted in a
warning/error, the location simply pointed to the condition property
of the rule.

This commit improves this to handle parse errors:

- When libsinsp::filter::parser::parse() throws an exception, use
  get_pos() to get the position within the condition string.
- Add a new context() constructor that takes a filter pos_info instead
  of a YAML::Mark.

Now that positions aren't always related to the location of yaml
nodes, Make up a generic "position" struct for locations and convert
YAML::Mark and parser positions to a position struct.

Also allow a context to contain an alternate content string which is
used to build the snippet. For contexts related to condition strings,
the content is the condition.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-09-07 10:13:02 +02:00
VadimZy
af95455bab dropping fix for list parsing due to the absence of regex portability. 
reverting to the inefficient code.

Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
 2022-09-05 17:42:31 +02:00
VadimZy
4b75f213c6 use <onigposix.h> instead of <regex.h> 
Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
 2022-09-05 17:42:31 +02:00
VadimZy
0de617a7fb remove sinsp.h public dependencies 
Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
 2022-09-05 17:42:31 +02:00
VadimZy
5745faeccc fix tests, remove dead code 
Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
 2022-09-05 17:42:31 +02:00
VadimZy
f9ee45b38e Improve Falco engine performance when loading rules and creating the rule sets 
- replace std::set<uint16_t> with fixed size vector in event types propagation
- rework lists expansion by replacing repetitive string::find in constantly growing expansion string with regex tokenization
- improve json_event parsing by moving const initializations into static routines

Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
 2022-09-05 17:42:31 +02:00
Jason Dellaluce
7d2f82fddc update(usperspace/engine): bump engine version to 15 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-05 14:40:31 +02:00
Jason Dellaluce
1b410ea2cc update(userspace/engine): consider plugin version requirements in engine checks 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-05 14:40:31 +02:00
Jason Dellaluce
52402ac805 update(userspace/engine): support plugin version requirement alternatives in rule reader 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-05 14:40:31 +02:00
Jason Dellaluce
6e0971f1e1 update(userspace/engine): support plugin version requirement alternatives in rule loader 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-05 14:40:31 +02:00
Jason Dellaluce
c2a8efc329 chore(userspace/engine): fix typos 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 11:26:18 +02:00