github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-15 21:03:54 +00:00
Code Issues Projects Releases Wiki Activity
4,579 Commits 117 Branches 173 Tags 105 MiB
generalize-indexable-ruleset-polymorphic
Commit Graph

1527 Commits

Author SHA1 Message Date
Jason Dellaluce
eabf49892d update(userspace/falco): bump engine version to 24 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-31 18:33:30 +02:00
Jason Dellaluce
901fca2257 update(userspace/engine): upgrade skip-if-unknown-filter YAML field 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-31 18:33:30 +02:00
Andrea Terzolo
cc8d6705f6 fix: fix "ebpf_enabled" output stat 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-08-31 17:37:29 +02:00
Federico Di Pierro
26f626c1d5 chore(userspace/falco): properly check that parent init() did not fail for reasons. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2023-08-31 16:11:29 +02:00
Federico Di Pierro
acaaa0b4ca cleanup(userspace/falco): improvements to the http output perf. 
Moreover, add option to disable stdout echoing.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2023-08-31 16:11:29 +02:00
Jason Dellaluce
01093d2dfc fix(userspace/engine): support both old and new gcc + std::move 
Old gcc versions (e.g. 4.8.3) won't allow move elision
but newer versions (e.g. 10.2.1) would complain about
the redundant move.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-30 20:57:27 +02:00
Andrea Terzolo
988703b601 clenaup: remove b64 from falco dependencies 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-08-30 19:12:26 +02:00
Andrea Terzolo
8d6c6900d3 cleanup: turn a warning into an error 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-08-29 13:46:21 +02:00
Andrea Terzolo
34d796439f cleanup: fail if the time unit is not specified 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-08-29 13:46:21 +02:00
Anna Simon
c8d1637130 feat(userspace/outputs_http): Add option for mTLS 
Signed-off-by: Anna Simon <asimon@mercari.com>
 2023-08-29 10:28:21 +02:00
Melissa Kilby
37ea9b25c4 feat(userspace): deprecate -d daemonize option 
Deprecate `-d` option (currently broken).

Symptoms included the message queue filling up without popping any messages
even though events were handled normally.

Maintainers decided to deprecate not needed `-d` option while keeping
the useful `pidfile` command args option.

Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-08-25 18:14:45 +02:00
Melissa Kilby
b66bf2c6e4 cleanup: remove some unused variables 
Co-authored-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-08-25 15:20:45 +02:00
Melissa Kilby
6cdb740786 cleanup(userspace): update parse_prometheus_interval 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-08-25 15:20:45 +02:00
Melissa Kilby
9a12a93342 feat(userspace): deprecate stats command args option in favor of metrics configs in falco.yaml 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-08-25 15:20:45 +02:00
Leonardo Grasso
84fe33a029 fix(userspace/falco): correct typo in -p help message 
Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2023-08-25 15:18:45 +02:00
Leonardo Grasso
8fbf49bbba update(userspace/falco): new defaults for -p presets 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2023-08-25 15:18:45 +02:00
Leonardo Grasso
f10d0499d2 update(userspace/falco): improve help message for -p option 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2023-08-25 15:18:45 +02:00
Jason Dellaluce
4f3181cb1c update(userspace/engine): bump engine version to 23 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-24 10:30:40 +02:00
Jason Dellaluce
527c42c030 chore: polish conditional compilation flags for emscripten 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-24 10:30:40 +02:00
Jason Dellaluce
78e2ddc63e fix: solve cmake issues 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-24 10:30:40 +02:00
Jason Dellaluce
828fa7d14d update(cmake): fix wasm package content 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Rohith Raju <rohithraju488@gmail.com>
 2023-08-24 10:30:40 +02:00
Jason Dellaluce
590b034a55 fix: solve plugin loading error 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Rohith Raju <rohithraju488@gmail.com>
 2023-08-24 10:30:40 +02:00
Jason Dellaluce
54ab1eed9e update(cmake): update add emmc link_options 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Rohith Raju <rohithraju488@gmail.com>
 2023-08-24 10:30:40 +02:00
rohith-raju
c73e43c973 cleanup: fix workflow and build errors 
Signed-off-by: rohith-raju <rohithraju488@gmail.com>
 2023-08-24 10:30:40 +02:00
rohith-raju
e8ee850dee update(ci,cmake): add support for emscripten build 
Signed-off-by: rohith-raju <rohithraju488@gmail.com>
 2023-08-24 10:30:40 +02:00
Jason Dellaluce
ce6368a89e fix: solve runtime issues with emscripten build 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Rohith Raju <rohithraju488@gmail.com>
 2023-08-24 10:30:40 +02:00
Jason Dellaluce
0faa45669b update(build): setup cpack for emscripten build 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Rohith Raju <rohithraju488@gmail.com>
 2023-08-24 10:30:40 +02:00
Jason Dellaluce
aa6061681d update: adapt code to multi-platform builds 
Co-authored-by: Rohith Raju <rohithraju488@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-24 10:30:40 +02:00
Jason Dellaluce
86e76924a1 update: adapt cmake setup for non-linux and emscripten builds 
Co-authored-by: Rohith Raju <rohithraju488@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-24 10:30:40 +02:00
Lorenzo Susini
4e6149e5da update(userspace/engine): make rule_matching strategy stateless in falco engine 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-08-11 10:11:46 +02:00
Lorenzo Susini
6e50d2ad83 update: directly return match_found variable 
Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Lorenzo Susini <49318629+loresuso@users.noreply.github.com>
 2023-08-09 13:36:39 +02:00
Lorenzo Susini
2660582198 update(userspace/engine): bump engine version to 22 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-08-09 13:36:39 +02:00
Lorenzo Susini
6acd924c50 perf: avoid stack allocation and make use of switch to select behavior on rule matching strategy 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-08-09 13:36:39 +02:00
Lorenzo Susini
1705c0dab3 update(userspace/engine): allow the engine to match and handle multiple rules while processing events 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-08-09 13:36:39 +02:00
Lorenzo Susini
46e8f2c14b update(userspace/falco): handle the new rule matching configuration key 
Added a set method for the rule matching strategy on the engine.
This allows to modify the stategy at runtime withotu the need to
rebuild an engine from scratch.

Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-08-09 13:36:39 +02:00
Lorenzo Susini
c6abf6a133 update(falco.yaml): introduce rule_matching config key 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-08-09 13:36:39 +02:00
Andrea Terzolo
528a76a7fe update(userspace/engine): bump engine version to 21 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-08-08 14:10:36 +02:00
Jason Dellaluce
bc0fef15ca update(userspace/engine): bump engine version to 20 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-07 17:29:32 +02:00
Jason Dellaluce
23a0005b25 fix(ci): solve malformed worflow issues 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-04 16:03:22 +02:00
Jason Dellaluce
5790f0ff64 update: refine engine checksum docs and scoping 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-04 16:03:22 +02:00
Jason Dellaluce
803d131843 fix(userspce/engine): skip deprecated fields in --list -N option 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-04 16:03:22 +02:00
Jason Dellaluce
fafb7c4a72 cleanup(userspace/falco): remove lagacy fields checksum check 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-04 16:03:22 +02:00
Leonardo Grasso
784284c692 update(userspace/falco): improve cli flag description related to drivers 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2023-07-28 14:59:46 +02:00
Luca Guerra
02202620ff update(falco): update libs to 0790cff 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-07-19 10:20:36 +02:00
Luca Guerra
88fb693595 update(falco): update libs to dc02e50 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-07-11 16:23:02 +02:00
Jason Dellaluce
ba8e9af22d chore(userspace/falco): fix misleading content 
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-06-22 17:14:55 +02:00
Jason Dellaluce
8f4b7324ad chore: apply codespell suggestions 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-06-22 17:14:55 +02:00
Jason Dellaluce
8c5c672c9e fix(userspace/falco/app): evt sources safety check issues in live mode 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-06-22 17:14:55 +02:00
Jason Dellaluce
9d29a3afb2 update(userspace/falco/app): check illegal source setup in live inspectors 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-06-22 17:14:55 +02:00
Jason Dellaluce
893a3c90da update(userspace/falco/app): print loaded event sources 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-06-22 17:14:55 +02:00
Federico Di Pierro
f7e15ca282 chore(userspace): cleanup old code. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2023-06-22 10:08:55 +02:00
Federico Di Pierro
c0ea9b3618 fix(userspace): switch to timer_settime API in stats writer. 
It seems like `setitimer` is not correctly working when built from CI; perhaps a gcc/glibc bug?

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2023-06-22 10:08:55 +02:00
Jason Dellaluce
7c387069af chore(userspace/falco): make source matching error more expressive 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-06-21 15:41:52 +02:00
Lorenzo Susini
0034d01a50 update(userspace): change description of snaplen option 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-06-12 14:45:09 +02:00
Daniel Wright
9097d2c359 fix: unquote quoted URL's to avoid libcurl errors 
This commit will unquote URL's allowing them to be supported by
libcurl and eliminate any errors when a valid (quoted) URL is supplied
by a user.

Closes #2579

Signed-off-by: Daniel Wright danielwright@bitgo.com
 2023-06-05 11:09:32 +02:00
Lorenzo Susini
9fda7dfb93 fix(userspace/engine): store alternatives as array in -L json output 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-31 16:16:31 +02:00
Melissa Kilby
aa8c13b4e4 cleanup(userspace): adjust stats n_drops_perc 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-05-31 15:48:32 +02:00
Melissa Kilby
efd0c7421e cleanup(userspace,config): apply reviewers suggestions 
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-05-31 15:48:32 +02:00
Melissa Kilby
e775fc6f5b cleanup(userspace): improve metrics UX 
add send_numeric_zero_values config to allow users to save space
when using metrics option, while still also allowing
to send all keys (especially because we don't document the schema)

Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-05-31 15:48:32 +02:00
Lorenzo Susini
79b9d0ff21 fix(userspace/engine): store required engine version as string in -L json output 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-30 12:09:30 +02:00
Lorenzo Susini
6e12b95dd2 update(userspace/engine): address jasondellaluce comments 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-30 10:45:30 +02:00
Lorenzo Susini
0bd609d5a4 update(userspace/falco): update description of -l and -L flags 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-30 10:45:30 +02:00
Lorenzo Susini
cfb96d0562 update(userspace/engine): adding required_engine_version, required_plugin_versions and exception names to -L output 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-30 10:45:30 +02:00
Lorenzo Susini
75f556e3b7 update(userspace/engine): add required_engine_version to rule collector 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-30 10:45:30 +02:00
Jason Dellaluce
1263c67ac6 chore: apply codespell suggestions 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-29 12:26:24 +02:00
Jason Dellaluce
a9ea18b99a fix(userspace/falco): report plugin deps rules issues in any case 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-29 12:26:24 +02:00
Jason Dellaluce
b58a373835 chore(userspace/falco): always print invalid syscalls from custom set 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-25 14:14:11 +02:00
Roberto Scolaro
2dadb05af6 fix(userspace/falco/app/actions): hotreload on wrong metrics 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-25 14:09:10 +02:00
Andrea Terzolo
1098b6f7ca cleanup: rename a file 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2023-05-25 10:23:10 +02:00
Andrea Terzolo
1a359f5806 fix: add a check on online CPUs 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2023-05-25 10:23:10 +02:00
Jason Dellaluce
0943456ffe fix(userspace/falco): don't hang on terminating error when multi sourcing 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-24 19:12:06 +02:00
Jason Dellaluce
b40a6bc703 fix(userspace/falco): right boundary checks for strncat 
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-23 16:53:35 +02:00
Jason Dellaluce
75720534d7 fix(userspace/falco): solve escape issues in grpc output 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-23 16:53:35 +02:00
Jason Dellaluce
00acd17ba1 fix(userspace/faclco): output drop perc metric only if drops are present 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-23 16:53:35 +02:00
Jason Dellaluce
d550552fc1 fix(userspace/falco): properly format numeric values in metrics 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-23 16:53:35 +02:00
Melissa Kilby
eaa4354ddf cleanup(userspace/falco): new consistent metrics output fields classes falco. and scap. 
* Ensure each metric field name more consistently adheres to the grammar used in Falco rules:
  * `falco.`: new field class representing userspace counters, statistics, resource utilization, or necessary information fields
  * `scap.`: new field class represents counters and statistics mostly obtained from Falco's kernel instrumentation before events are sent to userspace, but can include scap userspace stats as well
* minor cleanup

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-05-23 09:58:34 +02:00
Melissa Kilby
8e0c89d3b4 cleanup(userspace/engine): prometheus compliant regex parsing for metrics interval 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-05-23 09:58:34 +02:00
Melissa Kilby
fcecde845d cleanup(userspace): move parse_prometheus_interval to falco_utils 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-05-23 09:58:34 +02:00
Melissa Kilby
f2318a9ac5 cleanup(userspace/falco): address reviewers comments + cleanup 
* prefix counters and stats belonging to kernel space w/ `k.` else `u.` for userspace
* add n_drops_perc from old stats writer schema
* revert one change: file output shall reflect exact same "output_fields" key as rule output, note that src is already part of the "output_fields" schema.

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-05-23 09:58:34 +02:00
Jason Dellaluce
5d35cda8dc update(userspace): minor polishing 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-23 09:58:34 +02:00
Jason Dellaluce
f117d5273c update(userspace): refactor metrics data flow and fix bugs 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-23 09:58:34 +02:00
Melissa Kilby
f0ac327f98 cleanup(userspace/falco): add more fields to metrics 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-05-23 09:58:34 +02:00
Melissa Kilby
e37027a1d0 cleanup(userspace/falco): address reviewers comments 
* renaming to `metrics` for technical clarity
* adopt Prometheus like metrics interval settings

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-05-23 09:58:34 +02:00
Melissa Kilby
134d2630e9 new(userspace/falco): stats v2 config option to convert memory metrics to MB 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-05-23 09:58:34 +02:00
Melissa Kilby
78dbfab48f feat(userspace/falco)!: use new resource_utilization metrics / stats v2 schema for stats file ouput logs 
These changes break the old stats file output schema and consolidates
them with the new schema.

Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-05-23 09:58:34 +02:00
Melissa Kilby
4d24bcdd2f new(userspace/falco)!: introduce native support for resource_utilization metrics / stats v2 
Intended to phase out previous stats writer settings and log schema.

Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-05-23 09:58:34 +02:00
Melissa Kilby
44d9f99c72 new(userspace/falco)!: new stats v2 configs 
Intended to phase out previous stats writer settings and log schema.

Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-05-23 09:58:34 +02:00
Jason Dellaluce
7248284b12 chore(userspace/falco/app): print all supported plugin caps 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-22 15:23:32 +02:00
Lorenzo Susini
e47ece4de9 update(userspace/engine): address jasondellaluce comments 
- avoiding inspector to be allocated for each rule
- use two boolean values for expecting macros and lists
- move items of lists alongside name, under info
- use snake case for json output, like we do for e.g alerts
- correctly retrieve evt names
- consider two levels of lists for exception operators

Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Lorenzo Susini
1195b1e7f0 update(userspace/engine): better modularize the code for getting json details 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Lorenzo Susini
e11b4c4430 update(userspace/engine): add event codes to json output 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Lorenzo Susini
46cbc3c589 update(userspace/engine): add info about all macros and lists in -L option 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Lorenzo Susini
e30729555b update(userspace/engine): add enabled information to json output 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Lorenzo Susini
727aed0c03 update(userspace/engine): avoid solving macros AST at each cycle when getting details of all rules 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Lorenzo Susini
c1623771d8 update(userspace/engine): correctly use describe rule based on config 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Lorenzo Susini
9947962cb8 update(userspace/engine): let describe_rule function print out json details when requested 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Lorenzo Susini
a6542a6487 new(userspace/engine): introduce new class to get details about rules 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Jason Dellaluce
c603055acf fix(userspace/engine): don't count async event for evttype warning 
Co-authored-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-19 12:15:04 +02:00
Jason Dellaluce
bb04892baf fix(userspace/falco): avoid double plugin initializations 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-19 12:15:04 +02:00
Jason Dellaluce
9df72e0f2a fix(userspace/falco/app): properly populate filtercheck lists 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-19 12:15:04 +02:00
Jason Dellaluce
4e8d1f025c fix(userspace/falco/app): skip unnecessary app steps 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-19 12:15:04 +02:00
Jason Dellaluce
9bfce8cfae update(userspace): make sure that async event is always matched in rules 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-19 12:15:04 +02:00
Jason Dellaluce
733ea88ab3 fix(userspace/falco): properly init configuration 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-19 12:15:04 +02:00
Jason Dellaluce
b2615de062 new(userspace/falco/app): print a warning if multiple plugins for same source are loaded 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-19 12:15:04 +02:00
Jason Dellaluce
0649be619b update(userspace/falco/app): support nodriver open mode and plugins sourcing system events 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-19 12:15:04 +02:00
Jason Dellaluce
301c4efeb7 update(userspace/falco): support new plugin API definitions 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-19 12:15:04 +02:00
Jason Dellaluce
5175a04c6b update(userspace/engine): bump engine checksum 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-19 12:15:04 +02:00
Jason Dellaluce
3681cacda1 new(userspace/falco): add new --nodriver option 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-19 12:15:04 +02:00
Andrea Terzolo
696fa43dc2 cleanup(actions): now modern bpf support -A flag 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2023-05-17 12:19:00 +02:00
Andrea Terzolo
e83dbe85f7 cleanup(config): modern bpf is no more experimental 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2023-05-12 12:27:45 +02:00
Jason Dellaluce
1f4919bfe1 update: improve control and UX of ignored events 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-04-27 11:10:14 +02:00
Jason Dellaluce
4d24a02ad6 fix(userspace/falco): preserve config's plugin loading order 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-04-26 12:59:13 +02:00
Jason Dellaluce
8926022035 update: adapt Falco to new sinsp event source management 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-04-26 12:59:13 +02:00
Jason Dellaluce
95fa953398 update(cmake): bump libs and driver to ffcd702cf22e99d4d999c278be0cc3d713c6375c 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-04-26 12:59:13 +02:00
Jason Dellaluce
3b64052832 update(userspace/falco): leverage new sc_set_to_event_names API 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-04-04 19:39:53 +02:00
Leonardo Grasso
88b9537618 chore(userspace/falco): remove Mesos support 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2023-04-04 18:31:52 +02:00
Leonardo Grasso
5c0cd6a170 update!: remove --mesos-api,-pmesos, and -pm command-line flags 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2023-04-04 18:31:52 +02:00
Melissa Kilby
0b6e243582 cleanup(app_acions): fine-tune base_syscalls.repair behavior 
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-03-30 19:08:33 +02:00
Melissa Kilby
78daafb56c cleanup(app_actions): finalize base_syscalls.repair option 
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-03-30 19:08:33 +02:00
Jason Dellaluce
2b93a79521 refactor: apply review suggestions 
Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-03-30 19:08:33 +02:00
Melissa Kilby
e360175c15 fix(app_actions): enforce PPM_SC_SCHED_PROCESS_EXIT for base_syscalls.custom_set 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-03-30 19:08:33 +02:00
Melissa Kilby
692abf71eb new(app_actions): add base_syscalls.repair option 
See https://github.com/falcosecurity/falco/issues/2433

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-03-30 19:08:33 +02:00
Melissa Kilby
1d66eb4d6d cleanup(app_actions): add warnings for invalid syscalls in user base_syscalls set 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-03-30 19:08:33 +02:00
Aldo Lacuku
31335d3c3b new(falco/config): add new configuration for http_output 
Support for user provided CA certificate that can verify the remote server. Users
can provide path to the CA certiface store by providing a path to the dir or to the
CA store file. If needed users can decide to tell Falco to not verify the server.

Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2023-03-30 17:11:33 +02:00
Federico Di Pierro
0b7ca2823e chore(userspace): apply review suggestions. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Jason Dellaluca <jasondellaluce@gmail.com>
 2023-03-28 19:01:30 +02:00
Federico Di Pierro
b2e03b1938 chore(userspace): syscall_drop_failed -> syscall_drop_failed_exit. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-03-28 19:01:30 +02:00
Federico Di Pierro
70c6c93389 chore(userspace): improved wording. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-03-28 19:01:30 +02:00
Federico Di Pierro
bf5e340833 new(userspace/falco): added syscall_drop_failed option to drop failed syscalls exit events. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2023-03-28 19:01:30 +02:00
Federico Di Pierro
e6078c8d16 chore(userspace): updated fields checksum. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2023-03-22 11:17:07 +01:00
Federico Di Pierro
17b170b4f9 update(cmake,userspace): bumped to libs master. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2023-03-22 11:17:07 +01:00
rabbitstack
03285f4140 define Windows equivalent for srandom and random functions 
Signed-off-by: rabbitstack <nedim.sabic@sysdig.com>
 2023-03-17 10:23:26 +01:00
Jason Dellaluce
93ae6bb609 chore(userspace/falco): fix codespell typos 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-03-15 17:54:49 +01:00
Jason Dellaluce
e07e3abfb5 update(userspace/falco): implement debouncing logic in restart handler 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-03-15 17:54:49 +01:00
Jason Dellaluce
3f69d46f9a update(userspace/falco): minor compilation improvements 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-03-15 17:54:49 +01:00
Jason Dellaluce
647441c06c fix(userspace/falco): solve gettid compilation issues 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-03-15 17:54:49 +01:00
Jason Dellaluce
cd155ed6f5 refactor(userspace/falco): update actions to use new hot restarter utility with dry-run safetyc checks 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-03-15 17:54:49 +01:00
Jason Dellaluce
561022ebb6 new(userspace/falco): add utility for handling hot app restarts 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-03-15 17:54:49 +01:00
Jason Dellaluce
af46833ad3 update(userspace/falco): make cmdline options simpler and copyable 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-03-15 17:54:49 +01:00
Jason Dellaluce
e40369648c fix(userspace/falco): solve minor compilation flaws 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-03-15 17:54:49 +01:00
Jason Dellaluce
ee7fa1cb06 new(usersapce/falco): add an app option for dry-run 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-03-15 17:54:49 +01:00
Jason Dellaluce
e8b776a9cb update(userspace/engine): bump engine version to 17 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-03-09 09:39:12 +01:00
Jason Dellaluce
09ab9db423 chore(userspace/falco): apply review suggestion 
Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-03-09 09:39:12 +01:00
Jason Dellaluce
61a7f32982 chore(userspace/falco): apply review suggestions 
Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-03-09 09:39:12 +01:00
Jason Dellaluce
2645f6640c chore(userspace/falco): rename source file using its action name 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-03-09 09:39:12 +01:00
Jason Dellaluce
fb37d8f365 refactor(userspace/falco): adapt event set selection to only use ppm_sc and new engine features 
Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-03-09 09:39:12 +01:00
Jason Dellaluce
19ffadc763 update(userspace/engine): support searching ppm_sc events in rulesets 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-03-09 09:39:12 +01:00
Melissa Kilby
0de9af9ed0 fix(app_actions): base_syscalls check for empty string 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-02-24 11:43:43 +01:00
Melissa Kilby
58dc60e58d cleanup(app_actions): address reviewers comments 
* Plus minor adjustments to ensure correct state_event_set for all configurations
* Ensure valid check_for_rules_unsupported_events for all configurations
* Remove user input validation warning -> re-introduce in follow up PR

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-02-24 11:43:43 +01:00
Melissa Kilby
b6f6195725 cleanup(app_actions): include activated syscalls in LOG_DEBUG logs 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-02-24 11:43:43 +01:00
Melissa Kilby
76a3c8d7ee new(app_actions): introduce base_syscalls 
See https://github.com/falcosecurity/falco/issues/2373

Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-02-24 11:43:43 +01:00
Jason Dellaluce
7d67fbbfe7 chore(userspace/falco): apply review suggestions 
Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-21 14:31:28 +01:00
Jason Dellaluce
5ed5c63202 refactor: adapt event set configuration changes to new libs definition 
Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-21 14:31:28 +01:00
Jason Dellaluce
4706cd8b4e cleanup: solve std namespace issues and remove unused imports 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-21 14:31:28 +01:00
Jason Dellaluce
010f6c6a9e update(userspace/engine): bump fields checksum 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-21 14:31:28 +01:00
Jason Dellaluce
1485dc5d68 refactor(userspace/falco): adapt app actions to new event definitions 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-21 14:31:28 +01:00
Jason Dellaluce
e7d76ca722 refactor(userspace/falco): use new event definitions in app state 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-21 14:31:28 +01:00
Jason Dellaluce
6c38ecaf0e update(userspace/engine): adapt engine classes to new libsinsp event definitions 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-21 14:31:28 +01:00
Jason Dellaluce
34ea7a8245 cleanup(userspace/engine): drop filtr_evttype_resolver 
Its logic was ported into libsinsp in:
3d8550e70e

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-21 14:31:28 +01:00
Melissa Kilby
d89f4b4904 cleanup(app_actions): adjust ignored events 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-02-21 14:31:28 +01:00
Melissa Kilby
16aa36291a fix rebase 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-02-21 14:31:28 +01:00
Melissa Kilby
72439b2eed cleanup(app_actions): adjust configure_interesting_sets 
* address reviewers feedback
* improve clarity around new -A and -i behavior
* additional cleanup (e.g. use generic set operations only)
* extend unit tests

Note: sinsp ppm sc API is undergoing a refactor, therefore current lookups are interim
and will subsequently be refactored as well.

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-02-21 14:31:28 +01:00
Melissa Kilby
30fe065446 cleanup(app_actions): configure -A w/ new default behavior 
Define new -A behavior in configure_interesting_sets

* default: all syscalls in rules included, sinsp state enforcement without high volume I/O syscalls
* -A flag set: all syscalls in rules included, sinsp state enforcement and allowing high volume I/O syscalls

Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-02-21 14:31:28 +01:00
Melissa Kilby
91c185a178 cleanup(app_actions): include evttypes from rules in configure_interesting_sets 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-02-21 14:31:28 +01:00
Jason Dellaluce
34ed5a5fc9 chore: fix typos 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-21 11:09:29 +01:00
Jason Dellaluce
70c22c7d2e refactor(userspace/falco): adapt actions to new signal handler constructs 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-21 11:09:29 +01:00
Jason Dellaluce
eb3bf7260d refactor(userspace/falco): add an ad-hoc concurrent object for signal handlers 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-21 11:09:29 +01:00
Jason Dellaluce
5470a88b61 fix(userspace/falco): add missing constructors/methods on falco semaphore 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-21 11:09:29 +01:00
Jason Dellaluce
bf5b8f5c83 new(userspace/falco): add intermediate cmake target for falco app 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-15 10:51:35 +01:00
Jason Dellaluce
c45bf3eb17 chore(userspace/falco): rename falco_init into falco_run 
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-14 17:33:31 +01:00
Jason Dellaluce
149544d7ab chore(userspace/falco): fix spacing and license 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-14 17:33:31 +01:00
Jason Dellaluce
1eb915bf2f fix(userspace/falco): solve issues with minimal build 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-14 17:33:31 +01:00
Jason Dellaluce
5d35dff2a7 refactor(userspace/falco/app): standalone sources for action helpers 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-14 17:33:31 +01:00
Jason Dellaluce
799557f7f7 refactor(userspace/falco/app): make run and teardown actions consistent 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-14 17:33:31 +01:00
Jason Dellaluce
fe859bda2d refactor(userspace/engine): turn app methods into simple functions 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-14 17:33:31 +01:00
Jason Dellaluce
374136be18 refactor(userspace/engine): add standalone sources for app signals and options 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-14 17:33:31 +01:00
Jason Dellaluce
623d27ef77 refactor(userspace/engine): create standalone sources for app state and run result 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-14 17:33:31 +01:00
Jason Dellaluce
0f402d01d0 fix(userspace/falco): add missing pragma once 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-14 17:33:31 +01:00
Jason Dellaluce
ff68311629 fix(userspace/engine): add missing include 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-14 17:33:31 +01:00
Lorenzo Susini
88ac30650c fix(userspace/engine): correctly bump engine version after introduction of new fields 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-02-14 13:03:06 +01:00
Jason Dellaluce
79b3f81a02 chore: fix typos 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-14 12:47:07 +01:00
Jason Dellaluce
2495827e0c fix(userspace/engine): correctly handle evttype indexing corner cases 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-14 12:47:07 +01:00
Federico Di Pierro
75dc8c050c new(userspace,tests): add proper support for generic events indexing. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2023-02-13 14:54:03 +01:00
Andrea Terzolo
dca76ba93c chore: fix building with njson 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2023-02-10 11:41:24 +01:00
Federico Di Pierro
7343bcf050 cleanup(uerspace/falco): do not enter dropping mode. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2023-02-09 14:16:31 +01:00
Jason Dellaluce
eaeec7c079 fix(userspace): avoid using std namespace in sources 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-08 15:30:29 +01:00
Jason Dellaluce
54f117141b update(userspace/engine): avoid relying on leaked std namespace 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-08 15:30:29 +01:00
Andrea Terzolo
1b11a041b5 update: change cpus_for_each_syscall_buffer default value 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2023-02-03 12:50:20 +01:00
Andrea Terzolo
8eb6fbf32d fix(userspace): use the right path for the cpus_for_each_syscall_buffer 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2023-01-26 11:44:44 +01:00
Andrea Terzolo
77686cb8b9 update: don't expose available CPU feature 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2023-01-24 12:41:34 +01:00
Andrea Terzolo
42670a50c7 new: support multiple buffer modes and online CPUs 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2023-01-24 12:41:34 +01:00
Federico Di Pierro
e64c14a947 fix(userspace/falco): fixed grpc server shutdown. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2023-01-24 11:59:34 +01:00
Federico Di Pierro
306f9ba468 fix(userspace/falco): fixed build. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2023-01-17 16:00:23 +01:00
Jason Dellaluce
55a6436ee8 new(userspace/falco): add webserver endpoint for retrieving internal versions 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-16 17:24:54 +01:00
Jason Dellaluce
ea48ec70be refactor(userspace/falco): use new utility for printing versions and support 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-16 17:24:54 +01:00
Jason Dellaluce
7724ad940a new(userspace/falco): standaline utility for retrieving internal version numbers 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-16 17:24:54 +01:00
Jason Dellaluce
c69b198777 chore(userspace/falco): cleanup error message when no output is configured 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-15 18:30:15 +01:00
Jason Dellaluce
db2f5d5e9c fix(userspace/falco): solve tests issues 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-15 18:30:15 +01:00
Jason Dellaluce
4aefb7fd7d fix(userspace/falco): require config file only when needed 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-15 18:30:15 +01:00
Jason Dellaluce
149c95c3fb fix(userspace/falco): load config before every other action 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-15 18:30:15 +01:00
Jason Dellaluce
78312c8c15 update(userspace/falco): clean up configuration and allow re-initialization 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-15 18:30:15 +01:00
Jason Dellaluce
d6bbf5d442 refactor(userspace/falco): isolate yaml helpers (2) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-15 18:30:15 +01:00
Jason Dellaluce
2eac8f88cb refactor(userspace/falco): isolate yaml helpers (1) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-15 18:30:15 +01:00
Jason Dellaluce
bc3ec30f3e chore(userspace/falco) remove unused var 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-15 18:30:15 +01:00
Jason Dellaluce
42ef8db26f refactor(userspace/falco): deprecate version-json option and rely on json_output 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-15 18:30:15 +01:00
Jason Dellaluce
09d9ae135b update(userspace/falco): load default config at app initialization 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-15 18:30:15 +01:00
Jason Dellaluce
57cafcb65a refator(userspace/falco): allow loading default config with no file 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-15 18:30:15 +01:00
Jason Dellaluce
c1985a7c99 fix(userspace/engine): absolute rule condition position in validation context 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-10 12:55:43 +01:00
Jason Dellaluce
d79d7112a0 fix(userspace/engine): catch YAML parsing and validation errors with right context 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-10 12:55:43 +01:00
Luca Guerra
1b2c7ef7d9 new(falco): add --version-json to print version information in json format 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-01-10 12:35:43 +01:00
Leonardo Grasso
280fcfe5d3 update: deprecate Mesos support, --mesos-api, and -pm command-line flags 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2023-01-09 14:04:55 +01:00
Andrea Terzolo
609171fe14 doc: reword 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
 2022-12-21 14:56:02 +01:00
Andrea Terzolo
de6292ce09 doc(userspace): fix a warning message 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-21 14:56:02 +01:00
Luca Guerra
6ea233dd75 new(falco): add engine version to --version 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-12-16 12:09:24 +01:00
Luca Guerra
dde2fdd67c new(falco): add driver_api_version, driver_schema_version, default_driver_version, libs_version to support 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-12-16 12:09:24 +01:00
Jason Dellaluce
5552bcab76 chore: fix typo 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-12-13 15:06:10 +01:00
Jason Dellaluce
25ddc3c6a2 update(userspace/engine): broader err catching support in macro resolver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-12-13 15:06:10 +01:00
Jason Dellaluce
35dd0fc153 fix(userspace/engine): implement loop detection in macro resolver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-12-13 15:06:10 +01:00
Federico Di Pierro
4696948754 fix(cmake): properly fetch dev version by appending latest Falco tag, delta between master and tag, and hash. 
`describe` can no more be used as tags are now made on release branches.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-12-12 11:11:44 +01:00
Andrea Terzolo
52ee61b800 chore(userspace): add njson lib as a dependency for falco_engine 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-10 17:07:06 +01:00
Andrea Terzolo
94ed56df95 chore: bump libs 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-06 12:59:50 +01:00
Andrea Terzolo
6a972272c0 update: the capture will be stopped in the inspector destructor 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-06 12:59:50 +01:00
Andrea Terzolo
55deb452d8 update: start/stop capture inside do_inspect 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-06 12:59:50 +01:00
Federico Di Pierro
87371492c5 update(userspace/engine): updated checksum. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-12-06 12:59:50 +01:00
Federico Di Pierro
17dfe4f55d fix(userspace/falco): properly start/stop capture. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-12-06 12:59:50 +01:00
Mark Stemm
356a4a0749 Also copy ruleset when copying falco source 
In the copy constructor and assignment operator for falco_source, also
copy the ruleset along with factories/name.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-12-01 17:07:52 +01:00
Mark Stemm
910b8ff858 Fix(engine) Save parse positions when finding unresolved macros 
Now that ASTs contain parse positions, use them when reporting errors
about unknown macros.

When doing the first pass to find all macro references, save macros as
a map<macro name,parse position> instead of a set<macro name>. While
making that change, change the visitor struct to use references
instead of pointers.

In the second pass, when reporting any unresolved macro references,
also report the parse position.

The unit tests also check that the positions of macros are properly
returned in the resolved/unresolved maps.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-12-01 17:03:52 +01:00
Mark Stemm
83b12bab1d Fix(engine): include parse positions in compile errors 
Now that ASTs have parse positions and the compiler will return the
position of the last error, use that in falco rules to return errors
within condition strings instead of reporting the position as the
beginning of the condition.

This led to a change in the filter_ruleset interface--now, an ast is
compiled to a filter before being passed to the filter_ruleset
object. That avoids polluting the interface with a lot of details
about rule_loader contexts, errors, etc. The ast is still provided in
case the filter_ruleset wants to do indexing/analysis of the filter.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-12-01 17:03:52 +01:00
Jason Dellaluce
ba61706557 update(userspace/falco): enable using zlib with webserver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-11-30 19:24:47 +01:00
Jason Dellaluce
15b57bd972 fix: remove minor string view dependencies 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-11-29 16:27:42 +01:00
Leonardo Grasso
68f4d5bb59 fix(userspace/engine): no need to use external deps 
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-11-29 16:27:42 +01:00
Leonardo Grasso
47fd90bb7f chore: remove not used dependency - string-view-lite 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-11-29 16:27:42 +01:00
Luca Guerra
f08a5b4067 update(cli): also add cg / kg container-gvisor / kubernetes-gvisor 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-11-23 13:03:57 +01:00
Luca Guerra
dea02f82e8 update(falco): add container-gvisor and kubernetes-gvisor print options 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-11-23 13:03:57 +01:00
Luca Guerra
e3dbae3259 fix(engine): fix warning about redundant std::move 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-11-11 16:19:11 +01:00
Aldo Lacuku
161246fe1a fix(output): do not print syscall_buffer_size when gvisor is enabled 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-11-10 10:32:05 +01:00
Jason Dellaluce
240c0b870d fix(userspace/falco): verify engine fields only for syscalls 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-11-07 15:37:25 +01:00
Mark Stemm
acf5c4ce5f fix(engine): save syscall source only when processing events 
The optimization in https://github.com/falcosecurity/falco/pull/2210
had a bug when the engine uses multiple sources at the same
time--m_syscall_source is a pointer to an entry in the indexed vector
m_sources, but if add_source is called multiple times, the vector is
resized, which copies the structs but invalidates any pointer to the
vector entries.

So instead of caching m_syscall_source in add_source(), cache it in
process_events(). m_sources won't change once processing events starts.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-10-27 18:23:25 +02:00
Yarden Shoham
4a4fa2592b fix(plugins): trim whitespace in open_params 
`open_params` is read from the falco YAML configuration file and parsed using Go's URL.

For example:
c349be6e84/plugins/k8saudit/pkg/k8saudit/source.go (L41-L42)

Go's URL parser does not handle whitespace, so if a user defines the `open_params` in the falco configuration file as follows

```yaml
open_params: >
/file/path
```

the parser returns an error. To avoid this, we now trim this parameter so no whitespace will be left for Go's URL parser to error out on.

For reference see #2262.

Signed-off-by: Yarden Shoham <hrsi88@gmail.com>
 2022-10-21 19:12:58 +02:00
Jason Dellaluce
10fe9fd84b fix(userspace/falco): avoid using CPU when main thread waits for parallel event sources 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-14 13:12:22 +02:00
Jason Dellaluce
3d7677ce5b update(userspace/falco): create struct for sync parallel event sources parallelization 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-14 13:12:22 +02:00
Jason Dellaluce
0fd765f7c3 new(userspace/falco): add simple semaphre implementation 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-14 13:12:22 +02:00
Jason Dellaluce
cca90b2f80 update(userspace/falco): move on from deprecated libs API for printing event list 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-13 17:00:18 +02:00
Jason Dellaluce
6c873418ce chore(userspace/falco): improve the CLI options helper 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-13 15:39:18 +02:00
Jason Dellaluce
f12531a153 chore(userspace/falco): log cli options with debug level 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-13 15:39:18 +02:00
Jason Dellaluce
9d8f130f47 fix(userspace/falco): make sure validation summary is populated even when json output is requested 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-12 14:03:20 +02:00
Jason Dellaluce
9ee0298c4d fix(userspace/engine): avoid macro/list used checks if we encounter an error 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-12 14:03:20 +02:00
Jason Dellaluce
7da30ca661 chore(userspace/falco): make logging optional when terminating, restarting, and reopening outputs 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-12 13:14:20 +02:00
Jason Dellaluce
57b26530b6 update(userspace) fix cppcheck warnings 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-12 12:07:20 +02:00
Jason Dellaluce
3629c4dc4a update(userspace): solve cppcheck performance suggestions 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-12 12:07:20 +02:00
Jason Dellaluce
5e531870a9 fix(userspace/engine): fix unit test segfault 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-12 11:17:20 +02:00
Jason Dellaluce
f684e144be chore(userspace/falco): polish ignored event warning message 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-12 11:17:20 +02:00
Jason Dellaluce
a4218a4b4f fix(userspace/falco): print right list in ignored events warning 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-12 11:17:20 +02:00
Jason Dellaluce
48fbe0801d fix(userspace/falco): print right list of ignored events when in simple cons mode 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-12 11:17:20 +02:00
Jason Dellaluce
c47492ab6d update(userspace/falco): populate list of interesting event types in app state 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-12 11:17:20 +02:00
Jason Dellaluce
4cb556aed2 update(userspace/engine): use sinsp api to access event table information 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-12 11:17:20 +02:00
Jason Dellaluce
5f2bc6a2d3 fix(userspace/falco): properly handle termination at source opening failures 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-11 19:23:17 +02:00
Jason Dellaluce
88c7202fdc fix(userspace/falco): check conditions in right order 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-11 19:23:17 +02:00
Jason Dellaluce
a98a1b2c4c fix(userspace/falco/falco): allow output reopening to happen multiple times 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-11 19:23:17 +02:00
Jason Dellaluce
77857a7236 fix(userspace/falco): solve warning 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-11 19:23:17 +02:00
Jason Dellaluce
e011b3b5e5 chore(userspace/falco): fix typo 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-11 19:23:17 +02:00
Jason Dellaluce
fd4d521a5f fix(userspace/falco): make multi-source termination condition more stable 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-11 19:23:17 +02:00
Jason Dellaluce
3f3386cfe0 fix(userspace/falco): make signal handlers safe with multi-threading 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-11 19:23:17 +02:00
Jason Dellaluce
11160f8463 fix(userspace): safely check string bounded access 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-11 11:23:15 +02:00
Jason Dellaluce
3c02b40a21 chore(userspace/falco): make log message termination consistent 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-06 21:27:06 +02:00
Jason Dellaluce
e85a8c914f chore(userspace/falco): move enabled sources list printout when capture is opened 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-06 21:27:06 +02:00
Jason Dellaluce
21c2b1f472 update(userspace/falco): use unordered_set where possible for faster lookups 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-06 21:27:06 +02:00
Jason Dellaluce
909f6d0961 chore(userspace/falco): make log messages formatting more consistent 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-06 21:27:06 +02:00
Jason Dellaluce
83a83a5853 update(userspace): pass string as const refs when possible 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-06 21:27:06 +02:00
Jason Dellaluce
b4ea2f4da2 fix(userspace/falco): stabilize termination signal handler 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-06 18:21:05 +02:00
Jason Dellaluce
59ba2f9aab fix(userspace/falco): properly terminate threads 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-06 18:21:05 +02:00
Federico Di Pierro
e68151eb07 chore(test,userspace/falco): fixed tests after libs bump. 
Moreover, try to create grpc socket folder path only if grpc is actually enabled.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-10-05 19:38:21 +02:00
Andrea Terzolo
ec7ddbbaf8 chore: bump libs/driver to pre-release tag 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-10-05 19:38:21 +02:00
Jason Dellaluce
663c1d073a fix(userspace/falco): check plugin requirements when validating rule files 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-05 13:21:20 +02:00
Jason Dellaluce
bbb821fb8e refactor(userspace/falco): move rules plugin requirements check in an internal funcion 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-05 13:21:20 +02:00
Jason Dellaluce
5781c53ddc fix(userspace): add explicit constructors and initializations 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-03 13:04:15 +02:00
Andrea Terzolo
545b58ee14 update(open_inspector): use variable buffer dim in modern bpf 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-28 18:55:06 +02:00
Andrea Terzolo
8d8e7622e1 update(cmd_line): put modern bpf to false 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-28 18:55:06 +02:00
Andrea Terzolo
fd097e94d7 new(cmdline): add support for modern BPF probe 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-28 18:55:06 +02:00
Luca Guerra
6634c896b7 fix(falco): print container info and gvisor info in the same way 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-09-28 12:45:04 +02:00
Andrea Terzolo
3aa9267b48 fix(syscall_buffer): set dimension if page size not available 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-27 10:47:59 +02:00
Andrea Terzolo
725714726d update(configuration): define m_syscall_buf_size_preset as uint16_t 
improve also some logs for `m_syscall_buf_size_preset` configuration errors

Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:47:59 +02:00
Andrea Terzolo
c9fa585801 update: address some review comments 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-09-27 10:47:59 +02:00
Andrea Terzolo
90e4634a79 update(syscall_buffer_size): don't crash in case of getpagesize error 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
 2022-09-27 10:47:59 +02:00
Andrea Terzolo
b0b2f05eb5 new: configure syscall buffer dimension from Falco 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-27 10:47:59 +02:00
Jason Dellaluce
8aea0935c9 chore(userspace/engine): remove unused var 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
9c240198a0 refactor(userspace/engine): refactor falco_engine with new loader defs 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
f6f763fe84 refactor(userspace/engine): clean up rule collector 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
9b5f3ee99e refactor(userspace/engine): clean up rule compiler 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
89e8f70de0 refactor(userspace/engine): clean up and rename rule reader 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
b0f0105116 refactor(userspace/engine): clean up rule loader 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
5f2267f716 update(userspace/engine): add new loader files to CMakeLists 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
b65157af5e refactor(userspace/engine): split rule loader git history (5) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
b2b1feb1f2 refactor(userspace/engine): split rule loader git history (4) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
b900e46dfe refactor(userspace/engine): split rule loader git history (3) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
a98c9cdd20 refactor(userspace/engine): split rule loader git history (2) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
2a427925a0 refactor(userspace/engine): split rule loader git history (1) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Andrea Terzolo
c0c37d87f5 fix(process_events): check the return value of open_live_inspector 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-20 18:07:30 +02:00
Andrea Terzolo
f57c67cc96 docs(falco.yaml): fix a typo 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2022-09-20 11:35:28 +02:00
Andrea Terzolo
7686c03a36 update(app_actions): add a depraction comment for BPF 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-20 11:35:28 +02:00
Andrea Terzolo
a325086363 test(falco): fix broken tests 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-20 11:35:28 +02:00
Andrea Terzolo
7e37c72431 update: falco works with the latest libs commit 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-20 11:35:28 +02:00
Federico Di Pierro
e068df514c chore(userspace/engine,userspace/falco): upgraded to latest libs. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-09-20 11:35:28 +02:00
Federico Di Pierro
0274959981 update(userspace/falco, cmake): updated libs to latest master. 
Adapted API to sinsp::open API break, and simple consumer API break.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-20 11:35:28 +02:00
Mark Stemm
2d5fc0b647 Use the same falco_rule struct for every call to filter_ruleset 
Instead of using a falco_rule struct on the stack, use a single value
inside the falco_source struct. It's mutable as find_source returns a
const struct.

At very high event volumes (> 1M syscalls/second), even the tiny time
it takes to create/destroy the struct starts to add up, and this
switch has some small cpu savings.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-09-16 12:50:39 +02:00
Mark Stemm
e5cd5eacf5 Save syscall source separately and check explicitly in process_event 
When doing some testing of falco on very high event volumes (> 1.5M
events/second), I found that the time taken to look up a falco_source
struct had a non-negligible contribution to cpu usage.

So instead of looking up the source from the source_idx every time,
separately save the source for syscalls in the falco_engine object
directly. The separately saved copy is only used once someone calls
add_source with source="syscall".

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-09-16 12:50:39 +02:00
Leonardo Grasso
c0ea753262 update(userspace/falco): gVisor sock now defaults to /run/falco/gvisor.sock 
Co-authored-by: Vicente J. Jiménez Miras <vjjmiras@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-09-14 10:27:24 +02:00
Vicente JJ. Miras
e4008217b9 Replacing /tmp/gvisor.sock with /run/gvisor.sock 
According to the FHS 3.0 (https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s15.html), transient UNIX-domain sockets should be placed under the directory /run, so this commit updates the implicit value generated by the application.

Signed-off-by: Vicente J. Jiménez Miras <vjjmiras@gmail.com>
 2022-09-14 10:27:24 +02:00
Jason Dellaluce
9c184af2a1 fix(userspace/falco): adopt stricter memory order semantics 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
d11aec28d5 fix(userspace/falco): move stats collection in event success path 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
d17e173e35 chore(userspace/falco): rename sources app state list for more clarity 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
25e9bd1c91 chore(userspace/falco): fix codespell typo 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
4bc9fc74c8 update(userspace/falco)!: adapt stats writer for multiple parallel event sources 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
b65cc49221 update(userspace/falco): rename init_inspector action into init_inspectors 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
65993ad1ed refactor(userspace/falco): support multiple parallel event processing loops 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
f4c6a81ed8 update(userspace/falco): fix plugin list access in rule file loading action 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
f9a152b24c refactor(userspace/falco): generalize responsibilities of init_inspector action 
Now, the action takes care of inizializing all app inspectors
(just one in capture mode, one for each evt source in live mode), and of
registering and initializing all loaded plugins in the right inspector as needed.
The plugin initialization logic, which also involves the filtercheck list
population and checks, was moved and refactored from the previous
implementation of the load_plugins action.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
ed025f1a86 refactor(userspace/falco): init all event sources in falco engine and in the right order 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
8ba779de8c refactor(userspace/falco): restrict load_plugins action responsibilities 
Now, the action is in charge of loading all plugins and initializing:
- the offline inspector
- the list of loaded event sources
- the list of loaded plugins and their config

After this action runs, plugins are loaded but not yet initialized.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
cf8b85ad86 refactor(userspace/falco): turn open inspector action into convenience private methods 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
9cf3d118f6 update(userspace/falco): restrict clients init action to syscall inspector only 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
63bdc1119f cleanup(userspace/falco): remove legacy hacks on source selection action 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
9dc3eb2fc6 update(userspace/falco): reorder actions for their new semantics 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
7bb319b21e update(userspace/falco): add convenience method for merging app run results 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
3f7d61f150 refactor(userspace/falco): re-design application state and methods 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
cf9baea624 fix(userspace/engine): avoid reading duplicate exception values 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 15:53:15 +02:00
Federico Di Pierro
ccd3c896de fix(userspace/engine): properly include stdexcept header to fix build. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-09-12 12:28:15 +02:00
Federico Di Pierro
11644ecafc chore(userspace/falco): be somewhat more portable, avoiding assuming that '/' is the path delim. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-09-09 09:59:06 +02:00
Federico Di Pierro
23df49a47f new(userspace/falco): create grpc unix socket and gvisor endpoint path automatically. 
It is also able to handle multipart paths, like /run/falco/falco/falco/falco.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-09-09 09:59:06 +02:00
Mark Stemm
0f45cf49db Use enums for rules content item type 
Use an enum instead of a string for the item_type aka "parts of a
rules file" field of contexts.

The set of values is mostly defined by the contexts that were already
created. There are a couple of forward-looking values for rule
outputs/macro conditions/etc. that may be useful for later.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-09-07 10:13:02 +02:00
Mark Stemm
7a5a4c32ee Support condition parse errors in rule loading results 
In #2098 and #2158, we reworked how rules loading errors/warnings were
returned to provide a richer set of information, including
locations/context for the errors/warnings.

That did *not* include locations within condition expressions,
though. When parsing a condition expression resulted in a
warning/error, the location simply pointed to the condition property
of the rule.

This commit improves this to handle parse errors:

- When libsinsp::filter::parser::parse() throws an exception, use
  get_pos() to get the position within the condition string.
- Add a new context() constructor that takes a filter pos_info instead
  of a YAML::Mark.

Now that positions aren't always related to the location of yaml
nodes, Make up a generic "position" struct for locations and convert
YAML::Mark and parser positions to a position struct.

Also allow a context to contain an alternate content string which is
used to build the snippet. For contexts related to condition strings,
the content is the condition.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-09-07 10:13:02 +02:00
VadimZy
af95455bab dropping fix for list parsing due to the absence of regex portability. 
reverting to the inefficient code.

Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
 2022-09-05 17:42:31 +02:00
VadimZy
4b75f213c6 use <onigposix.h> instead of <regex.h> 
Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
 2022-09-05 17:42:31 +02:00
VadimZy
0de617a7fb remove sinsp.h public dependencies 
Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
 2022-09-05 17:42:31 +02:00
VadimZy
5745faeccc fix tests, remove dead code 
Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
 2022-09-05 17:42:31 +02:00
VadimZy
f9ee45b38e Improve Falco engine performance when loading rules and creating the rule sets 
- replace std::set<uint16_t> with fixed size vector in event types propagation
- rework lists expansion by replacing repetitive string::find in constantly growing expansion string with regex tokenization
- improve json_event parsing by moving const initializations into static routines

Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
 2022-09-05 17:42:31 +02:00
Jason Dellaluce
7d2f82fddc update(usperspace/engine): bump engine version to 15 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-05 14:40:31 +02:00
Jason Dellaluce
1b410ea2cc update(userspace/engine): consider plugin version requirements in engine checks 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-05 14:40:31 +02:00
Jason Dellaluce
52402ac805 update(userspace/engine): support plugin version requirement alternatives in rule reader 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-05 14:40:31 +02:00
Jason Dellaluce
6e0971f1e1 update(userspace/engine): support plugin version requirement alternatives in rule loader 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-05 14:40:31 +02:00
Jason Dellaluce
6c1f908ca5 cleanup(cmake): rename legacy cmake variables 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-29 15:42:33 +02:00
Jason Dellaluce
574a4b9f0a update(userspace/falco): fix copyright notice year 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 12:48:18 +02:00
Jason Dellaluce
c05ad6fde4 update(userspace/falco): fix copyright notice year 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 12:48:18 +02:00
Jason Dellaluce
e361069092 chore(userspace/falco): fix typos 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 12:48:18 +02:00
Jason Dellaluce
9c6ad6ce84 update(userspace/falco): use json lib in stats writer 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 12:48:18 +02:00
Jason Dellaluce
2d8efee73e refactor(userspace/falco): improve design and docs of stats writer 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 12:48:18 +02:00
Jason Dellaluce
28ff6ad3bd refactor(userspace/falco): rename stats writer source files 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 12:48:18 +02:00
Jason Dellaluce
2f5461bed0 refactor(userspace/falco): use new stats writer in event processing action 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 12:48:18 +02:00
Jason Dellaluce
605dd2816d refactor(userspace/falco): re-implement stats writer 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 12:48:18 +02:00
Jason Dellaluce
c5442ccb41 new(userspace/falco): introduce new refactored stats writer class 
This new model uses an async worker and a concurrent queue to handle
stats writing. This ensures better performance, because the live event
processing loop will just need to do a push on the queue instead of writing
to a file (only when the timer triggers), and should be thread-safe by design.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 12:48:18 +02:00
Jason Dellaluce
cc4ccc40d7 refactor(userspace/falco): implement complete event source selection 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-08-26 12:47:18 +02:00