The default config defines the cloudtrail/json plugins but does not
give them any actual config for init config/open params.
load_plugins is empty so neither plugin is actually loaded by default.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
If the value is not specified at all, then all plugins are
loaded. Otherwise, check against the list.
This allows disabling all plugins via:
---
load_plugins: []
---
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Add a cmake module "plugins" that does the following:
- Downloads/installs the plugins repo from a known tag
- Builds using the make target
- Copies the resulting cloudtrail/json shared libraries to
CMAKE_CURRENT_BINARY_DIR/plugins
- Installs them to FALCO_SHARE_DIR/plugins
The default config will define the plugins but they will be disabled
by default.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Rules files that work with plugins should include a:
---
- required_engine_version: 10
---
In their rules files.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
When loading rules, parse a required_plugin_versions item that looks
like:
- required_plugin_versions:
  - name: cloudtrail
    version: 1.0.1
And save it in the engine.
A new method is_plugin_compatible() takes a plugin and version and
returns whether it's compatible with all required_plugin_versions
blocks in all rules files.
In falco, after loading rules and plugins, iterate over the result of
plugin_infos(), calling is_plugin_compatible(), and exiting if any are
not compatible.
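The two pieces of startup logic described in these commit messages, the load_plugins selection (absent means load everything, an empty list disables all plugins) and the per-rules-file required_plugin_versions check, as an added Python model. This is not Falco's own code: the parsed YAML is stood in for by plain dicts constructed inline, the function names (select_plugins, collect_required_plugin_versions, is_plugin_compatible, check_loaded_plugins) are this example's, and "compatible" is taken as a semver assumption (same major version and not older than the requirement), which the commit text does not spell out.

```python
"""Plugin selection (load_plugins) and rules-file compatibility checks.

Added example, not Falco's own code: it models the behaviour described in
the commit messages with plain Python dicts standing in for the parsed
YAML, and assumes semver-style version comparison.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample: what a YAML loader would hand back for two rules
# files that each carry a required_plugin_versions block.
RULES_FILES: Dict[str, List[dict]] = {
    "cloudtrail_rules.yaml": [
        {"required_engine_version": 10},
        {"required_plugin_versions": [{"name": "cloudtrail", "version": "1.0.1"}]},
    ],
    "json_rules.yaml": [
        {"required_plugin_versions": [{"name": "json", "version": "2.1.0"}]},
    ],
}

# Constructed sample: plugins defined in the config, name -> version they report.
DEFINED_PLUGINS: Dict[str, str] = {"cloudtrail": "1.2.0", "json": "2.0.5"}


def select_plugins(defined: Dict[str, str], load_plugins: Optional[List[str]]) -> List[str]:
    """Apply load_plugins semantics: absent (None) -> every defined plugin,
    [] -> none, otherwise only the names listed; unknown names are rejected."""
    if load_plugins is None:
        return list(defined)
    unknown = [n for n in load_plugins if n not in defined]
    if unknown:
        raise ValueError(f"load_plugins names undefined plugins: {unknown}")
    return [n for n in defined if n in load_plugins]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse MAJOR.MINOR.PATCH into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version {text!r}, expected MAJOR.MINOR.PATCH")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def collect_required_plugin_versions(
    rules_files: Dict[str, List[dict]]
) -> Dict[str, List[Tuple[str, str]]]:
    """Gather every required_plugin_versions entry across all rules files:
    plugin name -> [(rules file, required version), ...]."""
    required: Dict[str, List[Tuple[str, str]]] = {}
    for fname, items in rules_files.items():
        for item in items:
            for entry in item.get("required_plugin_versions", []):
                required.setdefault(entry["name"], []).append((fname, entry["version"]))
    return required


def is_plugin_compatible(
    required: Dict[str, List[Tuple[str, str]]], name: str, version: str
) -> Tuple[bool, str]:
    """Assumption (semver): the loaded plugin is compatible when it has the
    same major version as every requirement and is not older than it.
    A plugin no rules file mentions is trivially compatible."""
    have = parse_version(version)
    for fname, wanted in required.get(name, []):
        need = parse_version(wanted)
        if have[0] != need[0] or have < need:
            return False, f"plugin {name} {version} does not satisfy {wanted} required by {fname}"
    return True, ""


def check_loaded_plugins(
    defined: Dict[str, str], load_plugins: Optional[List[str]], rules_files: Dict[str, List[dict]]
) -> List[str]:
    """Mirror the startup sequence: pick the plugins to load, then verify
    each against every rules file. Returns the problems found (empty = ok);
    a real daemon would exit on a non-empty result."""
    required = collect_required_plugin_versions(rules_files)
    problems = []
    for name in select_plugins(defined, load_plugins):
        ok, why = is_plugin_compatible(required, name, defined[name])
        if not ok:
            problems.append(why)
    return problems


if __name__ == "__main__":
    for cfg in (None, [], ["cloudtrail"]):
        print("load_plugins =", cfg, "->", check_loaded_plugins(DEFINED_PLUGINS, cfg, RULES_FILES))
```

With the constructed config, loading everything reports the json plugin (2.0.5 is older than the 2.1.0 a rules file asks for), while `load_plugins: [cloudtrail]` passes, and `load_plugins: []` loads nothing and so has nothing to check.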
First minimally working version with plugins + rule loading/rule
evaluation:
- In the falco engine, hold rulesets for plugins in a map from plugin
id to falco ruleset.
- Add new methods "add_plugin_filter" to rules.cpp/falco_engine
that adds a filter for a given source and compiled filter. This
isn't strictly necessary, as the plugin filterchecks are added when
a plugin is registered, but it more cleanly separates filters for
syscalls and plugins.
- When loading rules, if the source is not syscall or k8s_audit,
assume it's a plugin filter and call add_plugin_filter.
- In process_sinsp_event, if the event type is PLUGINEVENT_E, use the
plugins rulesets map instead of m_sinsp_rules, looking up the
appropriate source from the plugin.
This doesn't handle extractor plugins yet and I only tested the very
minimal happy path but I did get rules loaded and working.
The option was added but could not work since MINIMAL_BUILD is not declared in this scope (also not currently needed).
Furthermore, it never took effect since the builder image was never built and pushed. For the same reason, we have not noticed it until now.
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>