github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-01 22:58:12 +00:00
Code Issues Projects Releases Wiki Activity
4,957 Commits 119 Branches 173 Tags
master
Commit Graph

1700 Commits

Author SHA1 Message Date
Leonardo Grasso
fda1430afb fix(userspace/falco): smart pointer for sinsp_dumper 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
97d88d12f1 chore(userspace/engine): initialize bool member for falco_rule 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
3af03998eb fix(userspace/falco): correct typo in type 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
aa501437a4 fix(userspace/engine): adding capture members to to the rule equility operator 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
504d52e694 fix(userspace/falco): address init ordering warning for falco_configuration 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
8dbd04816d fix(userspace/falco): add "capture" in config schema 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
63d27fbe1b chore: fix formatting 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
81f26b7e5d chore(userspace/falco): fix codespell 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
15e8a746cb new(userspace/falco): capture feature impl 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
a818d48806 new(userspace/falco): add file name generator helper for capture 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
1da5514012 new(userspapace/engine): add capture and capture_duration to the engine 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
21350a282c new(userspapace/engine): add capture and capture_duration to rules loader 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
e6cd74995c new(userspace/falco): config parsing 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
5ebfa1b05b new: add config options and docs for capture feature 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Federico Di Pierro
539294595e update(userspace/engine): bump engine version and checksum. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-08-04 17:12:50 +02:00
Federico Di Pierro
154cde354f fix(userspace/falco): use proper API to fetch event param[0] as uint32_t. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-08-04 17:12:50 +02:00
Federico Di Pierro
ec24062b71 chore(userspace/falco): print plugin version info too at plugin loading. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-08-01 18:27:30 +02:00
Federico Di Pierro
3dce2f030d fix(cmake,userspace): fix usage and build of mimalloc. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-07-25 16:58:43 +02:00
Federico Di Pierro
6a4fa5dfce new(cmake,userspace/falco): add mimalloc allocator library support. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-07-25 16:58:43 +02:00
Mariell Hoversholm
c3fc9e0d0f fix(restart_handler): disable if there is no work 
When there is no work to do, i.e. when all config watching is disabled,
there is no need to keep the restart_handler running. Disable it in this
case.

This is helpful to do on nodes where there is little to no headroom in
terms of open inotify watches (as per the inotify/max_user_instances
configuration), as can happen on nodes populated with other software
that also watch the filesystem for changes. If Falco is run on such a
node, it may fail to start due to functionality the app does not even
intend on using.

This has one change in terms of behaviour, however: the dry-run restarts
will no longer occur. As there is still never going to happen a real
restart, I understand it as unlikely for there to be a proper need for
dry-run restarts.

Signed-off-by: Mariell Hoversholm <mariell@grafana.com>
 2025-07-24 12:56:39 +02:00
Leonardo Di Giovanna
ca291b0eaf update(userspace/engine): update falco engine version and checksum 
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
 2025-07-22 14:30:29 +02:00
Federico Di Pierro
ea9e86d9e0 update(userspace): bump engine version and checksum. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-06-30 14:25:18 +02:00
Federico Di Pierro
b2c76769cf fix(userspace/falco): enforce filtercheck overlap check for static fields too against plugin fields. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2025-06-30 14:25:18 +02:00
Federico Di Pierro
07266e1247 new(userspace/falco): append static filterchecks with static fields. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-06-30 14:25:18 +02:00
Federico Di Pierro
8d8ba5ba5c new(userspace/falco): add new static_fields config key + update schema. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-06-30 14:25:18 +02:00
Federico Di Pierro
4418bf2101 update(userspace/engine): bump engine version and checksum. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-06-09 12:19:53 +02:00
Federico Di Pierro
7a349a3e87 update(userspace/engine): bump engine version and checksum. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-06-03 11:12:11 +02:00
Federico Di Pierro
9055811d79 fix(userspace/falco): when collecting metrics for stats_writer, create a libs_metrics_collector for each source. 
In case multiple sources are enabled, each source has its own `libs_metrics_collector`
with correct flags, so that it can retrieve all metrics.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-06-02 10:42:59 +02:00
Federico Di Pierro
2346a397f7 chore(userspace/falco): fix build for non linux minimal builds. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-05-30 19:05:38 +02:00
Federico Di Pierro
24f92dfdbc fix(userspace/falco): only enable prometheus metrics once all inspectors have been opened. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-05-30 19:05:38 +02:00
Federico Di Pierro
a7433e032b chore(userspace/falco): make re2 patterns statically lived. 
Moreover, rename `falco_metrics::` methods to better expose
they return prometheus metrics.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2025-05-28 09:47:16 +02:00
Federico Di Pierro
bac052f5d2 cleanup(userspace/falco): only push metrics for enabled sources. 
Refactor `::to_text` a bit to be more clear.
Also, we will push agent_info and machine_info only for the first
inspector that exposes them, to avoid duplicated entries in the prometheus text.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-05-28 09:47:16 +02:00
Melissa Kilby
0ffe864e42 fix(metrics/prometheus): non-duplicate evt_source retrieval 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2025-05-28 09:47:16 +02:00
Melissa Kilby
4ef697b2c6 cleanup(metrics/prometheus): add detailed logic explanation wrt inspector loop 
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2025-05-28 09:47:16 +02:00
Melissa Kilby
b90f3cc18e update(metrics/prometheus): place syscalls inspector (if applicable) at index 0 of loop 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2025-05-28 09:47:16 +02:00
Melissa Kilby
4c12c2b1b5 fix(metrics/prometheus): gracefully handle multiple event sources, avoid erroneous duplicate metrics 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2025-05-28 09:47:16 +02:00
Federico Di Pierro
8c703602c1 chore(userspace/falco): initialize m_falco_reload_ts to 0. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2025-05-26 13:00:05 +02:00
Melissa Kilby
faee56fc1a cleanup: apply minor code pilot suggestions 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2025-05-26 13:00:05 +02:00
Melissa Kilby
c4dcf9e4e8 cleanup(configs): move runtime generated configs to section w/ clear comments 
Co-authored-by: Samuel Gaist <samuel.gaist@idiap.ch>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2025-05-26 13:00:05 +02:00
Melissa Kilby
309ccf65d3 cleanup(metrics): simplify logic around immediate metrics logging after start/reload 
* For consistency don't make first run metrics log special
* Remove firt tick variable altogether to enable metrics logging immediately after startup/reload

Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2025-05-26 13:00:05 +02:00
Melissa Kilby
22d40e2a65 clenaup(metrics): rename new restart_ts to reload_ts to reflect hot relaod conditions 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2025-05-26 13:00:05 +02:00
Melissa Kilby
c86a45e2ca update(metrics): introduce restart ts metric to statistically inspect restart/hot_reload conditions 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2025-05-26 13:00:05 +02:00
Melissa Kilby
7b8fdd8f97 update(metrics): introduce immediate initial metrics msg (output_rule or output_file) upon start/restart/hot_reload 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2025-05-26 13:00:05 +02:00
Federico Di Pierro
831e804473 cleanup(userspace/falco): drop unused libs_metrics_collector variable. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-05-20 17:34:29 +02:00
Federico Di Pierro
b0ef64b449 update(userspace/engine): bump engine version and checksum. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-05-12 12:01:22 +02:00
Luca Guerra
ae28be023e cleanup(engine): update docs for rule_files and -r option 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2025-05-12 10:58:22 +02:00
Luca Guerra
28e7050f0f cleanup(engine): remove unreachable function engine::read_file 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2025-05-12 10:58:22 +02:00
Luca Guerra
910788850a cleanup(engine): only consider .yaml/.yml rule files 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2025-05-12 10:58:22 +02:00
Federico Di Pierro
a41e3df45d update(userspace/engine): bump engine checksum and version. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-05-06 15:03:44 +02:00
Federico Di Pierro
ff288f70b3 chore(userspace/falco): rework a bit -p cli option help message. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-05-06 10:06:43 +02:00