github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-19 09:06:48 +00:00
Code Issues Projects Releases Wiki Activity
4,906 Commits 119 Branches 173 Tags 104 MiB
new/add_mimalloc
Commit Graph

596 Commits

Author SHA1 Message Date
Jason Dellaluce
039069d0e1 update(engine): bump engine version and checksum 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2024-02-06 10:25:53 +01:00
Jason Dellaluce
4cffcedba1 refactor: remove refs to gen_event class family 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2024-02-06 10:25:53 +01:00
Luca Guerra
7d9cfd02e3 chore(falco): update engine checksum 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-02-02 19:57:40 +01:00
Roberto Scolaro
40f4ce008a chore(engine): bump engine version 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2024-01-31 11:53:35 +01:00
Roberto Scolaro
3d06b77de5 chore(engine): update falco engine checksum 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2024-01-31 11:53:35 +01:00
Roberto Scolaro
ce87f2a014 refactor(userspace): remove libs relative imports 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2024-01-31 11:51:37 +01:00
Mark Stemm
1e0430dff9 Make compile_condition() a protected method for use in subclasses 
Move the part of compile_rule_infos that actually compiled a condition
string into a sinsp_filter into a standalone method
compile_condition(). That way it can be used by classes that derive
from rule_loader::compiler() and want to compile condition strings.

This implementation also saves the compiled filter as a part of the
falco_rule object so it does not need to be compiled again wihin the
falco engine after rules loading.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-01-30 20:24:33 +01:00
Mark Stemm
88a57bfd1a Add ability for rulesets to access falco engine state 
Some rulesets may need information which is held by the falco_engine
that created this ruleset. So define a set of functions in a struct
and have setters/getters for those functions in the base class.

Derived classes can use the struct's functions to obtain the falco
engine information.

The only function so far is to obtain the filter_ruleset for a given
event source.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-01-30 20:24:33 +01:00
Mark Stemm
ce5a50cbb5 Add addl support for rules reader/compiler subclasses 
To support subclasses that may extend the falco rules format, add
additional error/warning/item types for an extension item.

When subclasses report errors and warnings, they can use these
codes/item types in context objects and still provide an exact
line/column context.

Also make some previously static functions in rules reader protected
methods so they can be used in sub-classes.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-01-30 20:24:33 +01:00
Mark Stemm
eed5b906a8 Provide the entire compile output to ruleset vs individual add()s 
In order to support external rules loaders that may extend the falco
rules format with new top level objects, move away from providing
individual filter objects to the filter_ruleset via calls to add().

Instead, pass the entire compile output returned by the compiler to
the ruleset using a new method add_compile_output(). Custom users can
then cast back the compile output to the appropriate derived class for
use in the ruleset.

Move the declaration of the compile output to a standalone class so it
can be used by rulesets without including the entire rules loader
header files, and add a new factory method new_compile_output() to the
compiler so it can create a derived class if necessary.

This change is
backwards-compatible with existing rulesets, as the default
implementation of add_compile_output() simply iterates over rules and
calls add() for each rule.

This change also speeds up rule loading. Previously, each rule
condition was compiled twice:

1. First, in the compiler, to see if it was valid.
2. Second, in the falco engine before providing each rule to the
ruleset.

Add the compiled filter to the falco_rule object instead of throwing
it away in the compiler.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-01-30 20:24:33 +01:00
Mark Stemm
2d0159ae05 Add ability to provide external rules reader/collector/compiler 
In some cases, a user of the falco engine may want to extend the falco
rules format to provide additional objects to the rules file.

To support that, add a new method set_rule_loader() that allows a user
to provide classes that derive from
rule_loader::{reader,collector,compiler} and read those additional
objects from the rules file.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-01-30 20:24:33 +01:00
Federico Aponte
8143a194d2 fix: nlohmann_json lib include path 
Signed-off-by: Federico Aponte <federico.aponte@sysdig.com>
 2024-01-24 09:38:13 +01:00
Jason Dellaluce
ccf62a3745 fix(userspace/engine): avoid storing escaped strings in engine defs 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2024-01-23 11:58:09 +01:00
Andrea Terzolo
a6a1a9769f cleanup: restore the name of a variable 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Co-authored-by: Luca Guerra <luca.guerra@sysdig.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
c308f5c7e2 cleanup: rename some error messages 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
ee78c862ad tests: add some new tests on override replace 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
8ebdbe3e6f cleanup: use macros for default error messages 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
5192921732 doc: typo in the exception 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
56de6e6786 update(rule_loader): remove the warning on the required_engine_version 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
b318c165da cleanup(falco_engine): remove unused methods 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
5ac005bd4d update(rule_loader): deprecate all non-SemVer compatible values 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
95e4c58e7f update(rule_loader): deprecate enabled usage 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
4aebee684a update(rule_loader): deprecate append key and add a warning 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
63736563a2 cleanup(rule_loader): remove useless include 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Andrea Terzolo
7cac2833b2 cleanup(rule_loader): add a common log message 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-01-11 15:37:38 +01:00
Mark Stemm
14d1ca3c97 Add methods to look up the factories provided in add_source() 
Add methods that allow looking up the factories provided to
add_source(). This allows not having to keep track of the factories
outside of the engine.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-01-08 12:00:27 +01:00
Mark Stemm
07d7b9a57a Inline find_source() as it can be called in the event path 
Inline find_source as it can be called in the event processing path.

Also take the cached variant that assigns/uses m_syscall_source_idx
and put it in find_source() instead of process_event().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2024-01-08 12:00:27 +01:00
Luca Guerra
728c8d7d0e fix(engine): clarify error message for invalid append 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-12-22 21:49:21 +01:00
Luca Guerra
4c023b0d93 update(engine): temporary replace for error messages 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-12-22 21:49:21 +01:00
Luca Guerra
8a7ef687b1 update(engine): throw an error if an unexpected top level key is found in an override 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-12-22 21:49:21 +01:00
Luca Guerra
21c629dc4d chore(engine): bump engine version 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-12-22 21:49:21 +01:00
Luca Guerra
2db29af0e8 update(engine): clarify override error messages 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-12-22 21:49:21 +01:00
Luca Guerra
bc072502cc new(engine): add selective overrides 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-12-22 21:49:21 +01:00
Andrea Terzolo
8ff1ef752d chore: bump falco engine version 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-12-18 19:01:01 +01:00
Mark Stemm
334302e525 Allow enabling rules by ruleset id in addition to name 
Add alternate enable_* methods that allow enabling rulesets by ruleset
id in addition to name. This might be used by some filter_rulesets to
enable/disable rules on the fly via the falco engine.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2023-12-18 15:58:04 +01:00
Andrea Terzolo
ed346e90cd update(falco): bump engine version and checksum 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-12-13 16:59:46 +01:00
Federico Aponte
e427c800f3 chore(build): fix error using find_package with ExternalProject_Add 
Signed-off-by: Federico Aponte <federico.aponte@sysdig.com>
 2023-12-11 16:52:39 +01:00
Federico Aponte
5e17ba6c23 chore(build): allow usage of non-bundled nlohmann-json 
Signed-off-by: Federico Aponte <federico.aponte@sysdig.com>
 2023-12-11 16:52:39 +01:00
Federico Aponte
44b7352180 cleanup: fix several warnings from a Clang build 
Signed-off-by: Federico Aponte <federico.aponte@sysdig.com>
 2023-12-06 16:40:26 +01:00
Jason Dellaluce
390a13bd40 update(userspace): optimizations in validation and description steps 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-12-02 09:38:15 +01:00
Jason Dellaluce
e3943ccac3 refactor(userspace/engine): uniform json lib in rules description and not print from engine 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-12-02 09:38:15 +01:00
Luca Guerra
6411eed4a7 cleanup(falco): remove decode_uri as it is no longer used 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-11-29 17:42:06 +01:00
Melissa Kilby
3b068919d0 update(cmake): bump libs and driver to c2fd308 plus bump falco engine version 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-11-28 12:57:04 +01:00
Jason Dellaluce
66a122d4ce update(userspace/engine): bump engine version 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-11-16 09:26:19 +01:00
Jason Dellaluce
04e2f19915 refactor: solve compilation issues with latest libs changes 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-11-16 09:26:19 +01:00
Jason Dellaluce
359bd6e593 cleanup(userspace/engine): remove legacy k8saudit implementation 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-11-15 16:05:15 +01:00
Luca Guerra
8bf40cdf88 update(engine): port decode_uri in falco engine 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-11-14 20:36:15 +01:00
Jason Dellaluce
f5985720f1 fix(userspace/engine): cache latest rules compilation output 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-11-02 20:32:07 +01:00
Jason Dellaluce
2e7cacb4e0 fix(userspace/engine): solve description of macro-only rules 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-11-02 16:16:06 +01:00
Luca Guerra
1e38967b18 update(engine): remove banned.h 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-10-19 17:41:22 +02:00
Roberto Scolaro
b7cef5bab2 fix(userspace/engine): fix memory leak 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2023-10-17 21:20:15 +02:00
Melissa Kilby
dd807b19c8 feat(userspace): remove experimental outputs queue recovery strategies 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-10-12 13:03:46 +02:00
Lorenzo Susini
09b1f92267 update(userspace/engine): update falco engine checksum 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-09-28 20:05:21 +02:00
Lorenzo Susini
1326ca356e update(userspace/engine): address jasondellaluce comments for maintainability 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-09-28 20:05:21 +02:00
Lorenzo Susini
f8cbeaaa9b update(userspace/engine): let the rule loader reader and collector be able to load rules with both numeric and semver string required_engine_version 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-09-28 20:05:21 +02:00
Lorenzo Susini
cd6cb14c08 update(userspace/engine): convert engine version to semver string 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-09-28 20:05:21 +02:00
Jason Dellaluce
d3e1a1f746 chore(userspace/engine): apply codespell suggestions 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-09-28 12:39:20 +02:00
Jason Dellaluce
aae114c331 refactor(userspace/engine)!: rename some description details outputs 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-09-28 12:39:20 +02:00
Jason Dellaluce
b67ad907a7 fix(userspace/engine): solve issues with filter details resolver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-09-28 12:39:20 +02:00
Jason Dellaluce
dc264a0577 fix(userspace/engine): solve issues in describing rules/macros/lists 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-09-28 12:39:20 +02:00
Jason Dellaluce
8f411f3d3b refactor(userspace/engine): modularize rules files compilation 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-09-28 12:39:20 +02:00
Jason Dellaluce
cba80a404f fix(userspace/engine): print rules fields with arguments 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-09-28 12:39:20 +02:00
Jason Dellaluce
26bdefae8e update(userspace/engine): support printing plugins used by rules 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-09-28 12:39:20 +02:00
Jason Dellaluce
dce5cac820 update(userspace/engine): find evt names in filter resolver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-09-28 12:39:20 +02:00
Jason Dellaluce
ab77a5d687 update(userspace/engine): refactor rule describe methods to accept plugins 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-09-28 12:39:20 +02:00
Leonardo Grasso
fe50ac22ee update: add SPDX license identifier 
See https://github.com/falcosecurity/evolution/issues/318

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2023-09-21 13:21:47 +02:00
Leonardo Grasso
35cb960917 update(userspace/engine): align %container.info defaults with new rule styles 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2023-09-08 19:00:04 +02:00
Melissa Kilby
88a5e1bf45 cleanup(config): rename default outputs queue macro 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-09-07 13:15:59 +02:00
Melissa Kilby
0eff98aa8e cleanup: apply more reviewers suggestions 
Co-authored-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-09-07 13:15:59 +02:00
Melissa Kilby
016fdae93b cleanup: apply reviewers suggestions 
Co-authored-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-09-07 13:15:59 +02:00
Melissa Kilby
a61f24066f cleanup(userspace/falco): always set queue capacity and use largest long as default for unbounded 
Co-authored-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-09-07 13:15:59 +02:00
Melissa Kilby
1e94598eca new(metrics): add falco.outputs_queue_num_drops metrics + plus fix rebase leftovers 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-09-07 13:15:59 +02:00
Melissa Kilby
85883b7200 cleanup(outputs): adopt different style for outputs_queue params encodings 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-09-07 13:15:59 +02:00
Luca Guerra
a22dac6866 update(falco)!: --list-syscall-events is now called --list-events 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-09-07 12:47:59 +02:00
Luca Guerra
bfb22527a2 chore(falco): update engine version and checksum 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-09-07 12:47:59 +02:00
Andrea Terzolo
4f8d11acdd chore: bump engine version and checksum 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-09-04 12:19:46 +02:00
Jason Dellaluce
c8122ff474 fix(userspace/engine): support appending to unknown sources 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-09-01 06:46:31 +02:00
Jason Dellaluce
eabf49892d update(userspace/falco): bump engine version to 24 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-31 18:33:30 +02:00
Jason Dellaluce
901fca2257 update(userspace/engine): upgrade skip-if-unknown-filter YAML field 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-31 18:33:30 +02:00
Jason Dellaluce
01093d2dfc fix(userspace/engine): support both old and new gcc + std::move 
Old gcc versions (e.g. 4.8.3) won't allow move elision
but newer versions (e.g. 10.2.1) would complain about
the redundant move.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-30 20:57:27 +02:00
Melissa Kilby
6cdb740786 cleanup(userspace): update parse_prometheus_interval 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-08-25 15:20:45 +02:00
Jason Dellaluce
4f3181cb1c update(userspace/engine): bump engine version to 23 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-24 10:30:40 +02:00
Jason Dellaluce
527c42c030 chore: polish conditional compilation flags for emscripten 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-24 10:30:40 +02:00
rohith-raju
c73e43c973 cleanup: fix workflow and build errors 
Signed-off-by: rohith-raju <rohithraju488@gmail.com>
 2023-08-24 10:30:40 +02:00
Jason Dellaluce
aa6061681d update: adapt code to multi-platform builds 
Co-authored-by: Rohith Raju <rohithraju488@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-24 10:30:40 +02:00
Lorenzo Susini
4e6149e5da update(userspace/engine): make rule_matching strategy stateless in falco engine 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-08-11 10:11:46 +02:00
Lorenzo Susini
6e50d2ad83 update: directly return match_found variable 
Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Lorenzo Susini <49318629+loresuso@users.noreply.github.com>
 2023-08-09 13:36:39 +02:00
Lorenzo Susini
2660582198 update(userspace/engine): bump engine version to 22 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-08-09 13:36:39 +02:00
Lorenzo Susini
6acd924c50 perf: avoid stack allocation and make use of switch to select behavior on rule matching strategy 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-08-09 13:36:39 +02:00
Lorenzo Susini
1705c0dab3 update(userspace/engine): allow the engine to match and handle multiple rules while processing events 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-08-09 13:36:39 +02:00
Lorenzo Susini
c6abf6a133 update(falco.yaml): introduce rule_matching config key 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-08-09 13:36:39 +02:00
Andrea Terzolo
528a76a7fe update(userspace/engine): bump engine version to 21 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2023-08-08 14:10:36 +02:00
Jason Dellaluce
bc0fef15ca update(userspace/engine): bump engine version to 20 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-07 17:29:32 +02:00
Jason Dellaluce
23a0005b25 fix(ci): solve malformed worflow issues 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-04 16:03:22 +02:00
Jason Dellaluce
5790f0ff64 update: refine engine checksum docs and scoping 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-04 16:03:22 +02:00
Jason Dellaluce
803d131843 fix(userspce/engine): skip deprecated fields in --list -N option 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-08-04 16:03:22 +02:00
Luca Guerra
02202620ff update(falco): update libs to 0790cff 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-07-19 10:20:36 +02:00
Luca Guerra
88fb693595 update(falco): update libs to dc02e50 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2023-07-11 16:23:02 +02:00
Lorenzo Susini
9fda7dfb93 fix(userspace/engine): store alternatives as array in -L json output 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-31 16:16:31 +02:00
Lorenzo Susini
79b9d0ff21 fix(userspace/engine): store required engine version as string in -L json output 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-30 12:09:30 +02:00
Lorenzo Susini
6e12b95dd2 update(userspace/engine): address jasondellaluce comments 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-30 10:45:30 +02:00
Lorenzo Susini
cfb96d0562 update(userspace/engine): adding required_engine_version, required_plugin_versions and exception names to -L output 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-30 10:45:30 +02:00
Lorenzo Susini
75f556e3b7 update(userspace/engine): add required_engine_version to rule collector 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-30 10:45:30 +02:00
Melissa Kilby
8e0c89d3b4 cleanup(userspace/engine): prometheus compliant regex parsing for metrics interval 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-05-23 09:58:34 +02:00
Melissa Kilby
fcecde845d cleanup(userspace): move parse_prometheus_interval to falco_utils 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-05-23 09:58:34 +02:00
Melissa Kilby
f2318a9ac5 cleanup(userspace/falco): address reviewers comments + cleanup 
* prefix counters and stats belonging to kernel space w/ `k.` else `u.` for userspace
* add n_drops_perc from old stats writer schema
* revert one change: file output shall reflect exact same "output_fields" key as rule output, note that src is already part of the "output_fields" schema.

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-05-23 09:58:34 +02:00
Jason Dellaluce
5d35cda8dc update(userspace): minor polishing 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-23 09:58:34 +02:00
Jason Dellaluce
f117d5273c update(userspace): refactor metrics data flow and fix bugs 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-23 09:58:34 +02:00
Melissa Kilby
e37027a1d0 cleanup(userspace/falco): address reviewers comments 
* renaming to `metrics` for technical clarity
* adopt Prometheus like metrics interval settings

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-05-23 09:58:34 +02:00
Lorenzo Susini
e47ece4de9 update(userspace/engine): address jasondellaluce comments 
- avoiding inspector to be allocated for each rule
- use two boolean values for expecting macros and lists
- move items of lists alongside name, under info
- use snake case for json output, like we do for e.g alerts
- correctly retrieve evt names
- consider two levels of lists for exception operators

Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Lorenzo Susini
1195b1e7f0 update(userspace/engine): better modularize the code for getting json details 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Lorenzo Susini
e11b4c4430 update(userspace/engine): add event codes to json output 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Lorenzo Susini
46cbc3c589 update(userspace/engine): add info about all macros and lists in -L option 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Lorenzo Susini
e30729555b update(userspace/engine): add enabled information to json output 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Lorenzo Susini
727aed0c03 update(userspace/engine): avoid solving macros AST at each cycle when getting details of all rules 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Lorenzo Susini
c1623771d8 update(userspace/engine): correctly use describe rule based on config 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Lorenzo Susini
9947962cb8 update(userspace/engine): let describe_rule function print out json details when requested 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Lorenzo Susini
a6542a6487 new(userspace/engine): introduce new class to get details about rules 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-05-19 15:56:05 +02:00
Jason Dellaluce
c603055acf fix(userspace/engine): don't count async event for evttype warning 
Co-authored-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-19 12:15:04 +02:00
Jason Dellaluce
9bfce8cfae update(userspace): make sure that async event is always matched in rules 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-19 12:15:04 +02:00
Jason Dellaluce
5175a04c6b update(userspace/engine): bump engine checksum 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-05-19 12:15:04 +02:00
Jason Dellaluce
8926022035 update: adapt Falco to new sinsp event source management 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-04-26 12:59:13 +02:00
Jason Dellaluce
95fa953398 update(cmake): bump libs and driver to ffcd702cf22e99d4d999c278be0cc3d713c6375c 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-04-26 12:59:13 +02:00
Leonardo Grasso
88b9537618 chore(userspace/falco): remove Mesos support 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2023-04-04 18:31:52 +02:00
Federico Di Pierro
e6078c8d16 chore(userspace): updated fields checksum. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2023-03-22 11:17:07 +01:00
rabbitstack
03285f4140 define Windows equivalent for srandom and random functions 
Signed-off-by: rabbitstack <nedim.sabic@sysdig.com>
 2023-03-17 10:23:26 +01:00
Jason Dellaluce
e8b776a9cb update(userspace/engine): bump engine version to 17 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-03-09 09:39:12 +01:00
Jason Dellaluce
19ffadc763 update(userspace/engine): support searching ppm_sc events in rulesets 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-03-09 09:39:12 +01:00
Jason Dellaluce
5ed5c63202 refactor: adapt event set configuration changes to new libs definition 
Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-21 14:31:28 +01:00
Jason Dellaluce
010f6c6a9e update(userspace/engine): bump fields checksum 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-21 14:31:28 +01:00
Jason Dellaluce
6c38ecaf0e update(userspace/engine): adapt engine classes to new libsinsp event definitions 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-21 14:31:28 +01:00
Jason Dellaluce
34ea7a8245 cleanup(userspace/engine): drop filtr_evttype_resolver 
Its logic was ported into libsinsp in:
3d8550e70e

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-21 14:31:28 +01:00
Melissa Kilby
72439b2eed cleanup(app_actions): adjust configure_interesting_sets 
* address reviewers feedback
* improve clarity around new -A and -i behavior
* additional cleanup (e.g. use generic set operations only)
* extend unit tests

Note: sinsp ppm sc API is undergoing a refactor, therefore current lookups are interim
and will subsequently be refactored as well.

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-02-21 14:31:28 +01:00
Jason Dellaluce
ff68311629 fix(userspace/engine): add missing include 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-14 17:33:31 +01:00
Lorenzo Susini
88ac30650c fix(userspace/engine): correctly bump engine version after introduction of new fields 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-02-14 13:03:06 +01:00
Jason Dellaluce
79b3f81a02 chore: fix typos 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-14 12:47:07 +01:00
Jason Dellaluce
2495827e0c fix(userspace/engine): correctly handle evttype indexing corner cases 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-14 12:47:07 +01:00
Federico Di Pierro
75dc8c050c new(userspace,tests): add proper support for generic events indexing. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2023-02-13 14:54:03 +01:00
Andrea Terzolo
dca76ba93c chore: fix building with njson 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2023-02-10 11:41:24 +01:00
Jason Dellaluce
eaeec7c079 fix(userspace): avoid using std namespace in sources 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-08 15:30:29 +01:00
Jason Dellaluce
54f117141b update(userspace/engine): avoid relying on leaked std namespace 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-08 15:30:29 +01:00
Jason Dellaluce
c1985a7c99 fix(userspace/engine): absolute rule condition position in validation context 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-10 12:55:43 +01:00
Jason Dellaluce
d79d7112a0 fix(userspace/engine): catch YAML parsing and validation errors with right context 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-10 12:55:43 +01:00
Jason Dellaluce
5552bcab76 chore: fix typo 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-12-13 15:06:10 +01:00
Jason Dellaluce
25ddc3c6a2 update(userspace/engine): broader err catching support in macro resolver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-12-13 15:06:10 +01:00
Jason Dellaluce
35dd0fc153 fix(userspace/engine): implement loop detection in macro resolver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-12-13 15:06:10 +01:00
Andrea Terzolo
52ee61b800 chore(userspace): add njson lib as a dependency for falco_engine 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-10 17:07:06 +01:00
Andrea Terzolo
94ed56df95 chore: bump libs 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-06 12:59:50 +01:00
Federico Di Pierro
87371492c5 update(userspace/engine): updated checksum. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-12-06 12:59:50 +01:00
Mark Stemm
356a4a0749 Also copy ruleset when copying falco source 
In the copy constructor and assignment operator for falco_source, also
copy the ruleset along with factories/name.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-12-01 17:07:52 +01:00