Merge-strategy for included config files must now be
specified as yaml map of the form:
- path: foo
strategy: bar
If `strategy` is omitted, or the old `string-only` form is used,
`append` strategy is enforced.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
By default we now use the `append` merge-strategy:
* existing sequence keys will be appended
* existing scalar keys will be overridden
* non-existing keys will be added
We also have an `override` merge-strategy:
* existing keys will be overridden
* non-existing keys will be added
Finally, there is an `add-only` merge-strategy:
* existing keys will be ignored
* non-existing keys will be added
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Defining `exceptions` with empty `values` is a legitimate use case since the values can be added to another rules file. Even when values are not populated elsewhere, Falco can work without issues; that's the reason why the `values` field is not required. With this change, we avoid emitting useless validation warnings in situations where exceptions are just defined but not actually used because values are not being provided.
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
Also, remove `container_id container_name` fields from `-pc` output.
These fields are now automatically appended since the `container` plugin
marks them as suggested.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
In places where a second rule definition might replace, append to, or
replace items from a base rule, ensure that the source of the second
rule definiton matches the first.
This already existed for defines, but for other changes. There was a
bug where a second definition might exist for a different source, but
the additional rule was used anyway.
This now returns the same error for these other changes e.g. "Rule has
been re-defined..." as define.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
It's possible that someone might want to override a property for a
non-syscall rule source. To assist in this, decode any source property
for rules with append/override and save it in the rule_update_info
object. For the source property only, the value for source can be
empty e.g. 'source: ' or an empty string e.g. 'source: ""'. Both of
those are considered valid but result in an empty source.
A later change will ensure that the sources match up when
appending/redefining/overriding/enabling.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Add an equality operator for indexed_vector.
As indexed_vectors commonly hold falco lists/macros/rules, also add
equality operators for those structs. For condition/sinsp_filter
shared_ptrs, the operator checks that the shared_ptrs point to the
same underlying memory.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Add a clone() method that can be overridden by subclasses. This allows
copying compile state when needed in a way that preserves
polymorphism.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Also, moved yaml_helper under engine/ folder.
Ported rule json schema validation in the engine.
Also, updated rule_loader tests to check for validation.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Modify evttype_index_ruleset to derive from indexable_ruleset instead
of having its own implementation of segregating filters by ruleset
id/event type.
An evttype_index_wrapper contains a falco rule and filter, and
implements the methods required by the template. run_wrappers()
evaluate the filter as before, without the segregation by ruleset
id/event type.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Now that custom rules loading implementations (and related, custom
rulesets) can be swapped into falco in a customizable way, there is
some functionality in evttype_index_ruleset that could be used by
other rulesets, specifically the part that segregates filters by
ruleset and enables/disables filters based on name substring + tags.
To allow for this, create a new template indexable_ruleset<class
filter_wrapper> which derives from filter_ruleset and segregates the
filter_wrappers by ruleset. It also optionally segregates
filter_wrappers by event type.
The filter_wrapper class is an object that can return a name, tags,
and sc/event codes.
The main interfaces for classes that derive from indexable_ruleset are:
- add_wrapper(), which provides a filter_wrapper to the
indexable_ruleset. This is generally called from
add()/add_compile_output(), which must be implemented by the derived class.
- run_wrappers(), which must be implemented by the derived class and
is called for event processing.
Most of the methods required by filter_ruleset are implemented by
indexable_ruleset and do not need to be implemented by the derived
class.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
