github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-14 04:16:17 +00:00
Code Issues Projects Releases Wiki Activity
4,579 Commits 117 Branches 173 Tags 105 MiB
generalize-indexable-ruleset-polymorphic
Commit Graph

1527 Commits

Author SHA1 Message Date
Federico Aponte
f6af72fe76 cleanup: too many includes and useless defines 
Signed-off-by: Federico Aponte <federico.aponte@sysdig.com>
 2024-02-26 14:59:22 +01:00
Federico Aponte
4d66a50d5b fix: pessimizing move warning 
Signed-off-by: Federico Aponte <federico.aponte@sysdig.com>
 2024-02-26 14:59:22 +01:00
Federico Aponte
59c14f46a2 refactor: shared_ptr construction 
Signed-off-by: Federico Aponte <federico.aponte@sysdig.com>
 2024-02-26 14:59:22 +01:00
Federico Aponte
557929a82a refactor: use object rather than unique_ptr 
Signed-off-by: Federico Aponte <federico.aponte@sysdig.com>
 2024-02-26 14:59:22 +01:00
Federico Aponte
9a2b58c6f7 refactor: very minor improvement 
Signed-off-by: Federico Aponte <federico.aponte@sysdig.com>
 2024-02-26 14:59:22 +01:00
Gianmatteo Palmieri
91e74b1b19 cleanup(build): remove bundled dep check 
Signed-off-by: Gianmatteo Palmieri <mail@gian.im>
 2024-02-23 15:43:08 +01:00
Jason Dellaluce
3b06fb2cbb fix(userspace): solve compilation issues 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2024-02-23 11:39:07 +01:00
Jason Dellaluce
c13cf79aab update(engine): bump engine version 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2024-02-23 11:39:07 +01:00
Jason Dellaluce
0ec2a6c708 refactor(userspace): reduce usage of raw pointers 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2024-02-23 11:39:07 +01:00
Jason Dellaluce
b515f0a079 refactor(usersapace): adapt to changes libs 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2024-02-23 11:39:07 +01:00
Federico Aponte
745d18ba38 refactor: test AtomicSignalHandler.handle_once_wait_consistency 
Signed-off-by: Federico Aponte <federico.aponte@sysdig.com>
 2024-02-20 15:19:56 +01:00
Samuel Gaist
05e796723f fix(userspace): remove unread variable in restart_handler 
When hitting that part, the restart signal is triggered and the code
leaves the loop, hence setting should_restart as false makes no sense
in this context.

Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2024-02-19 18:01:48 +01:00
Samuel Gaist
ad585cd46b fix(actions): remove unused variable in print_support 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2024-02-19 18:01:48 +01:00
Andrea Terzolo
a44bee57d9 fix(CI): fix windows CI 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-02-16 18:30:38 +01:00
Andrea Terzolo
d49b21ab22 cleanup: move ebpf default value logic 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-02-16 18:30:38 +01:00
Andrea Terzolo
99781f7936 cleanup(configuration): cleanup deprecated code 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-02-16 18:30:38 +01:00
Samuel Gaist
5e497a4119 fix(c++): improve const correctness 
Reported by cppcheck

Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2024-02-15 22:16:33 +01:00
Luca Guerra
5564d3da11 cleanup(app): ensure unbuffered_outputs is initialized 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-02-15 11:03:30 +01:00
Samuel Gaist
e18acc361e fix(c++): don't throw outside of the try catch block in nothrow function 
Reported by cppcheck

Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2024-02-15 10:19:30 +01:00
Samuel Gaist
f3491d62c9 fix(c++): re-throw original exception rather than copy 
Reported by cppcheck

Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2024-02-15 10:19:30 +01:00
Federico Aponte
7a18795ca5 cleanup: falco_engine deps and include paths 
Signed-off-by: Federico Aponte <federico.aponte@sysdig.com>
 2024-02-15 10:08:30 +01:00
Samuel Gaist
8c98ca5e8d fix(c++): add missing member initialisation to grpc server 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2024-02-12 18:45:18 +01:00
Samuel Gaist
d6b0810657 fix(c++): move trivial initializations to declaration site 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2024-02-12 18:45:18 +01:00
Samuel Gaist
42f90817ad refactor: make falco_exception a std::runtime_error 
The implementation provides more or less the same implementation
and thus it makes more sense to base it on std::runtime_error.

Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2024-02-12 18:45:18 +01:00
Samuel Gaist
f6498cd8bd fix(c++): refactor member initialization in constructor initialization list 
Reported by cppcheck

Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>

# Conflicts:
#	userspace/engine/falco_common.h
 2024-02-12 18:45:18 +01:00
Samuel Gaist
08f62200b1 fix(c++): add missing explicit to single argument constructors 
Reported by cppcheck

Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2024-02-12 16:59:17 +01:00
Jason Dellaluce
0cc1c5b44f refactor(userspace/engine): reduce allocations during rules loading 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2024-02-09 14:50:05 +01:00
Samuel Gaist
a9e1bfef42 fix(c++): add missing overrides 
Reported by cppcheck

Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2024-02-09 08:24:03 +01:00
Federico Di Pierro
7879920570 chore(userspace/engine): introduce proper check to avoid future issues throwing an exception. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-02-08 15:13:59 +01:00
Federico Di Pierro
7bcbc08b52 fix(userspace/engine): always consider all rules (even the ones below min_prio) in m_rule_stats_manager. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-02-08 15:13:59 +01:00
Jason Dellaluce
039069d0e1 update(engine): bump engine version and checksum 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2024-02-06 10:25:53 +01:00
Jason Dellaluce
4cffcedba1 refactor: remove refs to gen_event class family 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2024-02-06 10:25:53 +01:00
Luca Guerra
7d9cfd02e3 chore(falco): update engine checksum 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-02-02 19:57:40 +01:00
Roberto Scolaro
40f4ce008a chore(engine): bump engine version 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2024-01-31 11:53:35 +01:00
Roberto Scolaro
3d06b77de5 chore(engine): update falco engine checksum 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2024-01-31 11:53:35 +01:00
Roberto Scolaro
9557b74501 fix: adopt new libsinsp logger 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2024-01-31 11:53:35 +01:00
Roberto Scolaro
ce87f2a014 refactor(userspace): remove libs relative imports 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2024-01-31 11:51:37 +01:00
Mark Stemm
1e0430dff9 Make compile_condition() a protected method for use in subclasses 
Move the part of compile_rule_infos that actually compiled a condition
string into a sinsp_filter into a standalone method
compile_condition(). That way it can be used by classes that derive
from rule_loader::compiler() and want to compile condition strings.

This implementation also saves the compiled filter as a part of the
falco_rule object so it does not need to be compiled again wihin the
falco engine after rules loading.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-01-30 20:24:33 +01:00
Mark Stemm
88a57bfd1a Add ability for rulesets to access falco engine state 
Some rulesets may need information which is held by the falco_engine
that created this ruleset. So define a set of functions in a struct
and have setters/getters for those functions in the base class.

Derived classes can use the struct's functions to obtain the falco
engine information.

The only function so far is to obtain the filter_ruleset for a given
event source.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-01-30 20:24:33 +01:00
Mark Stemm
ce5a50cbb5 Add addl support for rules reader/compiler subclasses 
To support subclasses that may extend the falco rules format, add
additional error/warning/item types for an extension item.

When subclasses report errors and warnings, they can use these
codes/item types in context objects and still provide an exact
line/column context.

Also make some previously static functions in rules reader protected
methods so they can be used in sub-classes.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-01-30 20:24:33 +01:00
Mark Stemm
eed5b906a8 Provide the entire compile output to ruleset vs individual add()s 
In order to support external rules loaders that may extend the falco
rules format with new top level objects, move away from providing
individual filter objects to the filter_ruleset via calls to add().

Instead, pass the entire compile output returned by the compiler to
the ruleset using a new method add_compile_output(). Custom users can
then cast back the compile output to the appropriate derived class for
use in the ruleset.

Move the declaration of the compile output to a standalone class so it
can be used by rulesets without including the entire rules loader
header files, and add a new factory method new_compile_output() to the
compiler so it can create a derived class if necessary.

This change is
backwards-compatible with existing rulesets, as the default
implementation of add_compile_output() simply iterates over rules and
calls add() for each rule.

This change also speeds up rule loading. Previously, each rule
condition was compiled twice:

1. First, in the compiler, to see if it was valid.
2. Second, in the falco engine before providing each rule to the
ruleset.

Add the compiled filter to the falco_rule object instead of throwing
it away in the compiler.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-01-30 20:24:33 +01:00
Mark Stemm
2d0159ae05 Add ability to provide external rules reader/collector/compiler 
In some cases, a user of the falco engine may want to extend the falco
rules format to provide additional objects to the rules file.

To support that, add a new method set_rule_loader() that allows a user
to provide classes that derive from
rule_loader::{reader,collector,compiler} and read those additional
objects from the rules file.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-01-30 20:24:33 +01:00
Melissa Kilby
bb4a643385 update(config): soft deprecation of old stats 
add CHANGE NOTICE wrt syscall_event_drops

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-01-25 10:33:15 +01:00
Melissa Kilby
3675587aad cleanup(configs): adjust old stats deprecation notice 
Co-authored-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-01-25 10:33:15 +01:00
Melissa Kilby
8a697502b9 update!(config): add deprecation notice for syscall_event_drops 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-01-25 10:33:15 +01:00
Melissa Kilby
2dc8d452ae fix(userspace/metric): minor fixes in new libsinsp state metrics handling 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2024-01-24 11:04:13 +01:00
Federico Aponte
8143a194d2 fix: nlohmann_json lib include path 
Signed-off-by: Federico Aponte <federico.aponte@sysdig.com>
 2024-01-24 09:38:13 +01:00
Jason Dellaluce
ccf62a3745 fix(userspace/engine): avoid storing escaped strings in engine defs 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2024-01-23 11:58:09 +01:00
Andrea Terzolo
ae9ffe414f cleanup: rename none into nodriver 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2024-01-17 09:41:55 +01:00
Andrea Terzolo
a6a1a9769f cleanup: restore the name of a variable 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Co-authored-by: Luca Guerra <luca.guerra@sysdig.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
c308f5c7e2 cleanup: rename some error messages 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
ee78c862ad tests: add some new tests on override replace 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
8ebdbe3e6f cleanup: use macros for default error messages 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
5192921732 doc: typo in the exception 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
56de6e6786 update(rule_loader): remove the warning on the required_engine_version 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
f5dea33b5e update(falco): always enable rules warnings 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
b318c165da cleanup(falco_engine): remove unused methods 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
5ac005bd4d update(rule_loader): deprecate all non-SemVer compatible values 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
95e4c58e7f update(rule_loader): deprecate enabled usage 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
4aebee684a update(rule_loader): deprecate append key and add a warning 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
63736563a2 cleanup(rule_loader): remove useless include 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
7cac2833b2 cleanup(rule_loader): add a common log message 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Mark Stemm
14d1ca3c97 Add methods to look up the factories provided in add_source() 
Add methods that allow looking up the factories provided to
add_source(). This allows not having to keep track of the factories
outside of the engine.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-01-08 12:00:27 +01:00
Mark Stemm
07d7b9a57a Inline find_source() as it can be called in the event path 
Inline find_source as it can be called in the event processing path.

Also take the cached variant that assigns/uses m_syscall_source_idx
and put it in find_source() instead of process_event().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-01-08 12:00:27 +01:00
Luca Guerra
728c8d7d0e fix(engine): clarify error message for invalid append 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-12-22 21:49:21 +01:00
Luca Guerra
4c023b0d93 update(engine): temporary replace for error messages 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-12-22 21:49:21 +01:00
Luca Guerra
8a7ef687b1 update(engine): throw an error if an unexpected top level key is found in an override 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-12-22 21:49:21 +01:00
Luca Guerra
21c629dc4d chore(engine): bump engine version 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-12-22 21:49:21 +01:00
Luca Guerra
2db29af0e8 update(engine): clarify override error messages 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-12-22 21:49:21 +01:00
Luca Guerra
bc072502cc new(engine): add selective overrides 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-12-22 21:49:21 +01:00
Melissa Kilby
9131261ff3 chore: fix some characters in deprecation notices 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-12-22 09:55:19 +01:00
Luca Guerra
e5034323fd cleanup(engine): clarify deprecation notice for engines 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-12-21 17:40:15 +01:00
Andrea Terzolo
8ff1ef752d chore: bump falco engine version 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-12-18 19:01:01 +01:00
Samuel Gaist
d99c137b09 feat(outputs_http): implement keep alive 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2023-12-18 17:41:02 +01:00
Samuel Gaist
691bc8b04d feat(outputs_http): implement support for compressed upload 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2023-12-18 17:41:02 +01:00
Mark Stemm
334302e525 Allow enabling rules by ruleset id in addition to name 
Add alternate enable_* methods that allow enabling rulesets by ruleset
id in addition to name. This might be used by some filter_rulesets to
enable/disable rules on the fly via the falco engine.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2023-12-18 15:58:04 +01:00
Federico Di Pierro
cbbcb61153 new(unit_tests,userspace): properly support env var expansions in all scalar values of yaml file. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2023-12-13 17:03:46 +01:00
Federico Di Pierro
7805bf5ad5 fix(userspace,unit_tests): fixed bool parsing. 
Moreover, added some more tests around env vars.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2023-12-13 17:03:46 +01:00
Federico Di Pierro
0c0fb63008 chore(unit_test,userspace): allow env var to get expanded in yaml even when part of a string. 
Moreover, support env variable embedding another env variable.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2023-12-13 17:03:46 +01:00
Andrea Terzolo
ed346e90cd update(falco): bump engine version and checksum 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-12-13 16:59:46 +01:00
Nitro Cao
4bfc42eb7d feat(falco): monitor events with more types for rules directory 
Signed-off-by: Nitro Cao <jaycecao520@gmail.com>
 2023-12-12 18:49:44 +01:00
Federico Aponte
e427c800f3 chore(build): fix error using find_package with ExternalProject_Add 
Signed-off-by: Federico Aponte <federico.aponte@sysdig.com>
 2023-12-11 16:52:39 +01:00
Federico Aponte
5e17ba6c23 chore(build): allow usage of non-bundled nlohmann-json 
Signed-off-by: Federico Aponte <federico.aponte@sysdig.com>
 2023-12-11 16:52:39 +01:00
Federico Aponte
44b7352180 cleanup: fix several warnings from a Clang build 
Signed-off-by: Federico Aponte <federico.aponte@sysdig.com>
 2023-12-06 16:40:26 +01:00
Jason Dellaluce
390a13bd40 update(userspace): optimizations in validation and description steps 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-12-02 09:38:15 +01:00
Jason Dellaluce
67542ec88e new(userspace/falco): support -L when validating for parity 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-12-02 09:38:15 +01:00
Jason Dellaluce
e3943ccac3 refactor(userspace/engine): uniform json lib in rules description and not print from engine 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-12-02 09:38:15 +01:00
Luca Guerra
6411eed4a7 cleanup(falco): remove decode_uri as it is no longer used 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-11-29 17:42:06 +01:00
Andrea Terzolo
c5364be191 new: print system info when Falco starts 
Print kernel info when Falco starts with a kernel driver

Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-11-28 22:14:05 +01:00
Melissa Kilby
3b068919d0 update(cmake): bump libs and driver to c2fd308 plus bump falco engine version 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-11-28 12:57:04 +01:00
Melissa Kilby
3e4566e5af cleanup(userspace/falco): minor adjustments to stats writer and rebase correction 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-11-28 12:57:04 +01:00
Melissa Kilby
9cb4c09500 cleanup(userspace/falco): enable sinsp_stats_v2 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-11-28 12:57:04 +01:00
Melissa Kilby
8196ee3b83 cleanup(libsinsp): simplify metrics flags config handling 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-11-28 12:57:04 +01:00
Melissa Kilby
af7192bdc3 update(userspace/falco): add libsinsp state metrics option 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-11-28 12:57:04 +01:00
Andrea Terzolo
00b7c56d54 cleanup: rename modern-ebpf into modern_ebpf 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-11-27 15:01:00 +01:00
Andrea Terzolo
2ce8fe9011 docs: improve a log 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-11-27 15:01:00 +01:00
Andrea Terzolo
4443e9d64f fix: fix some broken tests 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-11-27 15:01:00 +01:00
Andrea Terzolo
249ccf2f4b new: add some deprecation warnings 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-11-27 15:01:00 +01:00
Andrea Terzolo
715db9ddb4 cleanup: move some macros inside a shared file 
These macros will be used by other files so we need to share them

Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-11-27 15:01:00 +01:00
Federico Di Pierro
0368de5229 chore(userspace): small round of review-induced fixes. 
Also, properly warn the user that deprecated CLI options will be ignored
when the new `engine` configuration key is in use.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2023-11-27 15:01:00 +01:00
Federico Di Pierro
b92e0d6134 chore(userspace,unit_tests): renamed engine.replay.trace_file to engine.replay.capture_file. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2023-11-27 15:01:00 +01:00
Andrea Terzolo
12122729a4 docs: add a comment on missing config files 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-11-27 15:01:00 +01:00
Andrea Terzolo
335022076f docs: fix some docs 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-11-27 15:01:00 +01:00
Andrea Terzolo
be16af7fe0 cleanup: rename cpus_for_each_syscall_buffer 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-11-27 15:01:00 +01:00
Andrea Terzolo
588a94578a fix: take into consideration that load_yaml is called more than once 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-11-27 15:01:00 +01:00
Andrea Terzolo
5e8e0a4722 new: allow to use only one between the config and the command line 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-11-27 15:01:00 +01:00
Andrea Terzolo
bfef0e95be fix: use drop_failed_exit instead of just drop_failed 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-11-27 15:01:00 +01:00
Andrea Terzolo
2778b12344 fix: always initialize the engine configs 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-11-27 15:01:00 +01:00
Federico Di Pierro
7056cb9035 chore(userspace): properly let old config keys override new ones when set to a non-default value. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-11-27 15:01:00 +01:00
Andrea Terzolo
1f27f3b7f0 cleanup: move some initializations and add helpers 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-11-27 15:01:00 +01:00
Andrea Terzolo
1ee6569a5d fix: use only new config instead of old command line options 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-11-27 15:01:00 +01:00
Andrea Terzolo
f3f56db5ca cleanup: some renaming from bpf to ebpf 
the idea is to use only the word `ebpf` in Falco

Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-11-27 15:01:00 +01:00
Federico Di Pierro
4127764129 chore(userspace): renamed driver. config to engine.; renamed engine.replay.scap_file to engine.replay.trace_file. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2023-11-27 15:01:00 +01:00
Federico Di Pierro
4f1b950e0d chore(userspace,falco.yaml): rename new config key to driver.kind. 
Moreover, renamed driver kinds to use better naming, and move driver's related
config keys under `driver.$kind`.

Added DEPRECTATION notices on CLI options, and in falco.yaml.

DEPRECATED options (both CLI and config ones) will have priority over the new ones,
to retain compatibility with existing configs.

DEPRECATED options will be dropped in Falco 0.38.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-11-27 15:01:00 +01:00
Roberto Scolaro
626e609e4b new(userspace/falco): select driver from config 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-11-27 15:01:00 +01:00
Roberto Scolaro
fb4ac046b0 refacotr(configuration): enhance readability of get_driver_mode 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-11-27 15:01:00 +01:00
Roberto Scolaro
d53fa930c2 wip: driver selection in falco.yaml 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-11-27 15:01:00 +01:00
Andrea Terzolo
a1d5bb7009 cleanup: remove init in the configuration constructor 
This `init({});` in the falco_configuration constructor is unnecessary
since when we call the action `load_config`, if we don't have a config
file, we will call the same `init` we have just removed. This cleanup
avoids calling `falco_configuration::init` 2 times.

Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-11-21 15:44:39 +01:00
Jason Dellaluce
66a122d4ce update(userspace/engine): bump engine version 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-11-16 09:26:19 +01:00
Jason Dellaluce
04e2f19915 refactor: solve compilation issues with latest libs changes 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-11-16 09:26:19 +01:00
Jason Dellaluce
359bd6e593 cleanup(userspace/engine): remove legacy k8saudit implementation 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-11-15 16:05:15 +01:00
Luca Guerra
8bf40cdf88 update(engine): port decode_uri in falco engine 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-11-14 20:36:15 +01:00
Roberto Scolaro
92b42c9474 fix(userspace/falco): fix create_dir behaviour 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-11-13 10:59:47 +01:00
Roberto Scolaro
fde8da0e5c fix(userspace/falco): split init_ticker for different oses 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-11-13 10:59:47 +01:00
Roberto Scolaro
be90768b0a fix(userspace/falco): rename get_sysinfo 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-11-13 10:59:47 +01:00
Roberto Scolaro
b9d7eb7ab3 refactor(cmake): selectively remove sources on win32 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-11-13 10:59:47 +01:00
Roberto Scolaro
1b8525bf80 refactor(cmake): move compiler flags in another file 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-11-13 10:59:47 +01:00
Roberto Scolaro
6d4006a1ec feat(ci): create win32 and macos installer 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-11-13 10:59:47 +01:00
Roberto Scolaro
f0d2f17c8d fix(userspace/falco): include windows.h in print actions 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-11-13 10:59:47 +01:00
Roberto Scolaro
907ced9f50 refactor(userspace/falco): add log level enum 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-11-13 10:59:47 +01:00
Roberto Scolaro
df4e91476f chore(userspace/falco/app/actions): refactor sysinfo function 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-11-13 10:59:47 +01:00
Roberto Scolaro
0ca5251128 fix(userspace/falco): enable --support on windows 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-11-13 10:59:47 +01:00
Roberto Scolaro
89e45ced87 fix(userspace/falco): disable sys/select.h on windows 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-11-13 10:59:47 +01:00
Roberto Scolaro
5ee9ff8c8f fix(userspace/falco): disable program_output on windows 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-11-13 10:59:47 +01:00
Roberto Scolaro
f7575292c6 fix(userspace/falco): disable sys/time.h+inotify on windows 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-11-13 10:59:47 +01:00
Roberto Scolaro
af70b4e770 fix(userspace/falco): remove syslog on windows 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-11-13 10:59:47 +01:00
Roberto Scolaro
00a87234ce fix(userpsace/falco): print page size on windows 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-11-13 10:59:47 +01:00
Roberto Scolaro
325701ce4f fix(userspace/falco): use std::filesystem 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-11-13 10:59:47 +01:00
Roberto Scolaro
5b3cb654ff fix(userspace/falco): add PATH_MAX for windows build 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-11-13 10:59:47 +01:00
Roberto Scolaro
e5e5416ade fix(userspace/falco): substitute syscall_evt_drop_action::IGNORE with DISREGARD 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-11-13 10:59:47 +01:00
Roberto Scolaro
fb0d757bfe fix(userspace/falco): use io.h instead of unistd.h on win32 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-11-13 10:59:47 +01:00
Roberto Scolaro
e0f7c597be fix(build): various fixes for macos build 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-11-13 10:59:47 +01:00
Lorenzo Susini
7319b93d9b update(userspace/falco): introduce new engine_version_semver key in versions endpoint 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-11-08 16:30:25 +01:00
Samuel Gaist
d074728994 feat(userspace/falco): add configuration support for IPV6 webserver listen address 
The IPV6 capabilities is provided through cpp-httplib.

Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2023-11-03 09:09:08 +01:00
Samuel Gaist
91a9717779 feat(userspace/falco): implement configuration of webserver listening 
address

Currently the webserver is listening on the hard coded 0.0.0.0. This
patch keeps this default but allows the administrator to change it.

Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2023-11-03 09:09:08 +01:00
Jason Dellaluce
f5985720f1 fix(userspace/engine): cache latest rules compilation output 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-11-02 20:32:07 +01:00
Jason Dellaluce
2e7cacb4e0 fix(userspace/engine): solve description of macro-only rules 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-11-02 16:16:06 +01:00
Luca Guerra
3ff2bb5c2b cleanup(engine): strncpy -> strlcpy 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-10-19 17:41:22 +02:00
Luca Guerra
1e38967b18 update(engine): remove banned.h 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-10-19 17:41:22 +02:00
Roberto Scolaro
b7cef5bab2 fix(userspace/engine): fix memory leak 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-10-17 21:20:15 +02:00