Federico Di Pierro
fc2f6287ab
new(cmake,userspace/falco): add `mimalloc` allocator library support.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-06-13 11:59:03 +02:00
Federico Di Pierro
4418bf2101
update(userspace/engine): bump engine version and checksum.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-06-09 12:19:53 +02:00
Federico Di Pierro
7a349a3e87
update(userspace/engine): bump engine version and checksum.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-06-03 11:12:11 +02:00
Federico Di Pierro
9055811d79
fix(userspace/falco): when collecting metrics for stats_writer, create a `libs_metrics_collector` for each source.
...
In case multiple sources are enabled, each source has its own `libs_metrics_collector`
with correct flags, so that it can retrieve all metrics.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-06-02 10:42:59 +02:00
Federico Di Pierro
2346a397f7
chore(userspace/falco): fix build for non linux minimal builds.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-05-30 19:05:38 +02:00
Federico Di Pierro
24f92dfdbc
fix(userspace/falco): only enable prometheus metrics once all inspectors have been opened.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-05-30 19:05:38 +02:00
Federico Di Pierro
a7433e032b
chore(userspace/falco): make re2 patterns statically lived.
...
Moreover, rename `falco_metrics::` methods to better expose
that they return prometheus metrics.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Co-authored-by: Samuel Gaist <samuel.gaist@idiap.ch>
2025-05-28 09:47:16 +02:00
Federico Di Pierro
bac052f5d2
cleanup(userspace/falco): only push metrics for enabled sources.
...
Refactor `::to_text` a bit to be more clear.
Also, we will push agent_info and machine_info only for the first
inspector that exposes them, to avoid duplicated entries in the prometheus text.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-05-28 09:47:16 +02:00
Melissa Kilby
0ffe864e42
fix(metrics/prometheus): non-duplicate evt_source retrieval
...
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2025-05-28 09:47:16 +02:00
Melissa Kilby
4ef697b2c6
cleanup(metrics/prometheus): add detailed logic explanation wrt inspector loop
...
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2025-05-28 09:47:16 +02:00
Melissa Kilby
b90f3cc18e
update(metrics/prometheus): place syscalls inspector (if applicable) at index 0 of loop
...
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2025-05-28 09:47:16 +02:00
Melissa Kilby
4c12c2b1b5
fix(metrics/prometheus): gracefully handle multiple event sources, avoid erroneous duplicate metrics
...
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2025-05-28 09:47:16 +02:00
Federico Di Pierro
8c703602c1
chore(userspace/falco): initialize `m_falco_reload_ts` to 0.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2025-05-26 13:00:05 +02:00
Melissa Kilby
faee56fc1a
cleanup: apply minor code pilot suggestions
...
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2025-05-26 13:00:05 +02:00
Melissa Kilby
c4dcf9e4e8
cleanup(configs): move runtime generated configs to section w/ clear comments
...
Co-authored-by: Samuel Gaist <samuel.gaist@idiap.ch>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2025-05-26 13:00:05 +02:00
Melissa Kilby
309ccf65d3
cleanup(metrics): simplify logic around immediate metrics logging after start/reload
...
* For consistency don't make first run metrics log special
* Remove first tick variable altogether to enable metrics logging immediately after startup/reload
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2025-05-26 13:00:05 +02:00
Melissa Kilby
22d40e2a65
cleanup(metrics): rename new restart_ts to reload_ts to reflect hot reload conditions
...
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2025-05-26 13:00:05 +02:00
Melissa Kilby
c86a45e2ca
update(metrics): introduce restart ts metric to statistically inspect restart/hot_reload conditions
...
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2025-05-26 13:00:05 +02:00
Melissa Kilby
7b8fdd8f97
update(metrics): introduce immediate initial metrics msg (output_rule or output_file) upon start/restart/hot_reload
...
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2025-05-26 13:00:05 +02:00
Federico Di Pierro
831e804473
cleanup(userspace/falco): drop unused `libs_metrics_collector` variable.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-05-20 17:34:29 +02:00
Federico Di Pierro
b0ef64b449
update(userspace/engine): bump engine version and checksum.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-05-12 12:01:22 +02:00
Luca Guerra
ae28be023e
cleanup(engine): update docs for rule_files and -r option
...
Signed-off-by: Luca Guerra <luca@guerra.sh>
2025-05-12 10:58:22 +02:00
Luca Guerra
28e7050f0f
cleanup(engine): remove unreachable function engine::read_file
...
Signed-off-by: Luca Guerra <luca@guerra.sh>
2025-05-12 10:58:22 +02:00
Luca Guerra
910788850a
cleanup(engine): only consider .yaml/.yml rule files
...
Signed-off-by: Luca Guerra <luca@guerra.sh>
2025-05-12 10:58:22 +02:00
Federico Di Pierro
a41e3df45d
update(userspace/engine): bump engine checksum and version.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-05-06 15:03:44 +02:00
Federico Di Pierro
ff288f70b3
chore(userspace/falco): rework a bit `-p` cli option help message.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-05-06 10:06:43 +02:00
Federico Di Pierro
6e4b7663ca
cleanup(userspace/engine,userspace/falco): drop `replace_container_info` flag.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-05-06 10:06:43 +02:00
Federico Di Pierro
0326210f49
cleanup(userspace/falco): deprecate `-p` option.
...
Also, `-pc` and `-pk` won't do anything now.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-05-06 10:06:43 +02:00
Federico Di Pierro
11f6fc5d14
cleanup(userspace/engine): deprecated `%container.info`.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-05-06 10:06:43 +02:00
Federico Di Pierro
08a00609a1
new(userspace,unit_tests): port merge-strategy to be a yaml map.
...
Merge-strategy for included config files must now be
specified as yaml map of the form:
- path: foo
  strategy: bar
If `strategy` is omitted, or the old `string-only` form is used,
`append` strategy is enforced.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-04-29 16:17:06 +02:00
Federico Di Pierro
630167d9ad
new(userspace,unit_tests)!: add a way to specify merge-strategy for `config_files`.
...
By default we now use the `append` merge-strategy:
* existing sequence keys will be appended
* existing scalar keys will be overridden
* non-existing keys will be added
We also have an `override` merge-strategy:
* existing keys will be overridden
* non-existing keys will be added
Finally, there is an `add-only` merge-strategy:
* existing keys will be ignored
* non-existing keys will be added
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-04-29 16:17:06 +02:00
Federico Di Pierro
80d52963d6
fix(userspace): fixed engine `openssl` dep.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-04-29 13:50:04 +02:00
benierc
835ac52f4f
Update userspace/falco/config_json_schema.h
...
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: benierc <clement.benier@iot.bzh>
2025-04-29 11:52:05 +02:00
benierc
543734af3c
Apply suggestions from code review
...
Co-authored-by: Samuel Gaist <samuel.gaist@idiap.ch>
Signed-off-by: benierc <clement.benier@iot.bzh>
2025-04-29 11:52:05 +02:00
Clément Bénier
186614dff4
fix(userspace/falco): fix outputs_http timeout
...
libcurl timeout prevents sending the alert through http;
keep trying to send the alert
Signed-off-by: Clément Bénier <clement.benier@iot.bzh>
2025-04-29 11:52:05 +02:00
Federico Di Pierro
52127d4c8a
update(userspace/engine): bump engine checksum and version.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-04-29 09:48:03 +02:00
Leonardo Grasso
6e717daa95
update(userspace/engine): relax validation for `values` in exceptions
...
Defining `exceptions` with empty `values` is a legitimate use case since the values can be added to another rules file. Even when values are not populated elsewhere, Falco can work without issues; that's the reason why the `values` field is not required. With this change, we avoid emitting useless validation warnings in situations where exceptions are just defined but not actually used because values are not being provided.
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2025-04-10 18:37:07 +02:00
Luca Guerra
f70b28bfb4
new(falco): add json_include_output_fields_property option
...
Signed-off-by: Luca Guerra <luca@guerra.sh>
2025-04-08 16:22:51 +02:00
Federico Di Pierro
8843a9ec2b
chore(userspace/falco,falco.yaml): enable libs_logger with info severity by default.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-03-17 13:20:09 +01:00
Federico Di Pierro
9cbfdda21f
fix(userspace/falco): when counting `-M` timeout, make sure that time diff is > 0.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-02-26 22:08:28 +01:00
Federico Di Pierro
cfc221549a
chore(userspace/engine): update engine checksum and version minor.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-02-26 13:08:26 +01:00
Federico Di Pierro
9f1bc7d518
fix(userspace/engine): expand `%container.info` extra format to empty string.
...
Also, remove `container_id container_name` fields from `-pc` output.
These fields are now automatically appended since the `container` plugin
marks them as suggested.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-02-26 13:08:26 +01:00
Federico Di Pierro
bb13702f0f
chore(userspace/falco): drop `container_engines` config key.
...
Also, default falco.yaml will only host container plugin configuration but won't enable the plugin.
Instead, a configuration override file will be installed only on linux non-musl deployments, enabling the plugin.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-02-26 13:08:26 +01:00
Federico Di Pierro
fafeddaf35
chore(userspace,unit_tests): include thread.h where needed.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-02-26 13:08:26 +01:00
Federico Di Pierro
1fd8a85b95
fix(userspace/falco): fixed bundled deps build.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-02-26 13:08:26 +01:00
Federico Di Pierro
66cd160f1d
new(cmake,userspace): port Falco to use new container plugin.
...
It will be shipped by default hence it is present in default config.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-02-26 13:08:26 +01:00
Federico Di Pierro
4c34457fa3
cleanup(userspace/falco): drop deprecated in 0.40.0 CLI flags.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-02-19 14:24:43 +01:00
Federico Di Pierro
252eb5cd40
fix(userspace/falco): init cmdline options after loading all config files.
...
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-02-13 13:21:10 +01:00
Leonardo Di Giovanna
9e2c22804c
refactor(falco/app): apply early return pattern in actions code
...
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
2025-02-10 18:20:53 +01:00
Leonardo Di Giovanna
a8db99db5b
feat(falco/app): move actions not using config before load_config
...
Move actions not requiring config to be loaded before `load_config`
action. This avoids resource waste. Notably, `print_help` is
promoted as first execution action. Moreover, set actions lists to
constant expressions.
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
2025-02-10 10:44:52 +01:00