Lorenzo Susini
e47ece4de9
update(userspace/engine): address jasondellaluce comments
- avoid allocating the inspector for each rule
- use two boolean values for expecting macros and lists
- move items of lists alongside name, under info
- use snake case for json output, like we do for e.g. alerts
- correctly retrieve evt names
- consider two levels of lists for exception operators
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
2023-05-19 15:56:05 +02:00
Lorenzo Susini
1195b1e7f0
update(userspace/engine): better modularize the code for getting json details
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
2023-05-19 15:56:05 +02:00
Lorenzo Susini
e11b4c4430
update(userspace/engine): add event codes to json output
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
2023-05-19 15:56:05 +02:00
Lorenzo Susini
46cbc3c589
update(userspace/engine): add info about all macros and lists in -L option
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
2023-05-19 15:56:05 +02:00
Lorenzo Susini
e30729555b
update(userspace/engine): add enabled information to json output
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
2023-05-19 15:56:05 +02:00
Lorenzo Susini
727aed0c03
update(userspace/engine): avoid solving macros AST at each cycle when getting details of all rules
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
2023-05-19 15:56:05 +02:00
Lorenzo Susini
c1623771d8
update(userspace/engine): correctly use describe rule based on config
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
2023-05-19 15:56:05 +02:00
Lorenzo Susini
9947962cb8
update(userspace/engine): let describe_rule function print out json details when requested
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
2023-05-19 15:56:05 +02:00
Lorenzo Susini
a6542a6487
new(userspace/engine): introduce new class to get details about rules
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
2023-05-19 15:56:05 +02:00
Jason Dellaluce
c603055acf
fix(userspace/engine): don't count async event for evttype warning
Co-authored-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2023-05-19 12:15:04 +02:00
Jason Dellaluce
9bfce8cfae
update(userspace): make sure that async event is always matched in rules
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2023-05-19 12:15:04 +02:00
Jason Dellaluce
5175a04c6b
update(userspace/engine): bump engine checksum
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2023-05-19 12:15:04 +02:00
Jason Dellaluce
8926022035
update: adapt Falco to new sinsp event source management
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2023-04-26 12:59:13 +02:00
Jason Dellaluce
95fa953398
update(cmake): bump libs and driver to ffcd702cf22e99d4d999c278be0cc3d713c6375c
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2023-04-26 12:59:13 +02:00
Leonardo Grasso
88b9537618
chore(userspace/falco): remove Mesos support
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2023-04-04 18:31:52 +02:00
Federico Di Pierro
e6078c8d16
chore(userspace): updated fields checksum.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2023-03-22 11:17:07 +01:00
rabbitstack
03285f4140
define Windows equivalent for srandom and random functions
Signed-off-by: rabbitstack <nedim.sabic@sysdig.com>
2023-03-17 10:23:26 +01:00
Jason Dellaluce
e8b776a9cb
update(userspace/engine): bump engine version to 17
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2023-03-09 09:39:12 +01:00
Jason Dellaluce
19ffadc763
update(userspace/engine): support searching ppm_sc events in rulesets
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2023-03-09 09:39:12 +01:00
Jason Dellaluce
5ed5c63202
refactor: adapt event set configuration changes to new libs definition
Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2023-02-21 14:31:28 +01:00
Jason Dellaluce
010f6c6a9e
update(userspace/engine): bump fields checksum
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2023-02-21 14:31:28 +01:00
Jason Dellaluce
6c38ecaf0e
update(userspace/engine): adapt engine classes to new libsinsp event definitions
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2023-02-21 14:31:28 +01:00
Jason Dellaluce
34ea7a8245
cleanup(userspace/engine): drop filtr_evttype_resolver
Its logic was ported into libsinsp in:
3d8550e70e
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2023-02-21 14:31:28 +01:00
Melissa Kilby
72439b2eed
cleanup(app_actions): adjust configure_interesting_sets
* address reviewers feedback
* improve clarity around new -A and -i behavior
* additional cleanup (e.g. use generic set operations only)
* extend unit tests
Note: sinsp ppm sc API is undergoing a refactor, therefore current lookups are interim
and will subsequently be refactored as well.
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2023-02-21 14:31:28 +01:00
Jason Dellaluce
ff68311629
fix(userspace/engine): add missing include
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2023-02-14 17:33:31 +01:00
Lorenzo Susini
88ac30650c
fix(userspace/engine): correctly bump engine version after introduction of new fields
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
2023-02-14 13:03:06 +01:00
Jason Dellaluce
79b3f81a02
chore: fix typos
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2023-02-14 12:47:07 +01:00
Jason Dellaluce
2495827e0c
fix(userspace/engine): correctly handle evttype indexing corner cases
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2023-02-14 12:47:07 +01:00
Federico Di Pierro
75dc8c050c
new(userspace,tests): add proper support for generic events indexing.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2023-02-13 14:54:03 +01:00
Andrea Terzolo
dca76ba93c
chore: fix building with njson
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
2023-02-10 11:41:24 +01:00
Jason Dellaluce
eaeec7c079
fix(userspace): avoid using std namespace in sources
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2023-02-08 15:30:29 +01:00
Jason Dellaluce
54f117141b
update(userspace/engine): avoid relying on leaked std namespace
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2023-02-08 15:30:29 +01:00
Jason Dellaluce
c1985a7c99
fix(userspace/engine): absolute rule condition position in validation context
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2023-01-10 12:55:43 +01:00
Jason Dellaluce
d79d7112a0
fix(userspace/engine): catch YAML parsing and validation errors with right context
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2023-01-10 12:55:43 +01:00
Jason Dellaluce
5552bcab76
chore: fix typo
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-12-13 15:06:10 +01:00
Jason Dellaluce
25ddc3c6a2
update(userspace/engine): broader err catching support in macro resolver
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-12-13 15:06:10 +01:00
Jason Dellaluce
35dd0fc153
fix(userspace/engine): implement loop detection in macro resolver
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-12-13 15:06:10 +01:00
Andrea Terzolo
52ee61b800
chore(userspace): add njson lib as a dependency for falco_engine
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
2022-12-10 17:07:06 +01:00
Andrea Terzolo
94ed56df95
chore: bump libs
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
2022-12-06 12:59:50 +01:00
Federico Di Pierro
87371492c5
update(userspace/engine): updated checksum.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-12-06 12:59:50 +01:00
Mark Stemm
356a4a0749
Also copy ruleset when copying falco source
In the copy constructor and assignment operator for falco_source, also
copy the ruleset along with factories/name.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-12-01 17:07:52 +01:00
Mark Stemm
910b8ff858
Fix(engine) Save parse positions when finding unresolved macros
Now that ASTs contain parse positions, use them when reporting errors
about unknown macros.
When doing the first pass to find all macro references, save macros as
a map<macro name,parse position> instead of a set<macro name>. While
making that change, change the visitor struct to use references
instead of pointers.
In the second pass, when reporting any unresolved macro references,
also report the parse position.
The unit tests also check that the positions of macros are properly
returned in the resolved/unresolved maps.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-12-01 17:03:52 +01:00
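The two macro-resolver fixes listed on this page (loop detection in 35dd0fc153 and parse positions for unresolved macro references in 910b8ff858) both come down to one pass that collects macro references and a second pass that expands them. The C++ sketch below is an added illustration and is not Falco's rule_loader: it scans the condition as a flat token stream instead of the libsinsp AST, uses a byte offset as the stand-in for the parse position, and assumes that any bare identifier in operand position (at the start of the condition or after `and`, `or`, `not` or `(`) is a macro reference, with the value list of `in`/`pmatch`/`intersects` skipped. The macros and conditions in `main` are constructed for the demo.

```cpp
#include <cctype>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// Added illustration, not Falco's code: the condition is scanned as a flat token
// stream, and a token's byte offset stands in for the AST parse position.
struct token { std::string text; std::size_t pos; };
static bool is_delim(char c) { return std::isspace(static_cast<unsigned char>(c)) || c == '(' || c == ')' || c == ','; }

// Whitespace-separated words; "(" ")" "," are single tokens; a double-quoted value stays one token.
static std::vector<token> tokenize(const std::string& cond) {
    std::vector<token> toks;
    for (std::size_t i = 0; i < cond.size();) {
        if (std::isspace(static_cast<unsigned char>(cond[i]))) { ++i; continue; }
        const std::size_t start = i;
        if (cond[i] == '(' || cond[i] == ')' || cond[i] == ',') {
            ++i;
        } else if (cond[i] == '"') {
            for (++i; i < cond.size() && cond[i] != '"'; ++i) {}
            if (i < cond.size()) ++i;
        } else {
            while (i < cond.size() && !is_delim(cond[i])) ++i;
        }
        toks.push_back({cond.substr(start, i - start), start});
    }
    return toks;
}

static bool is_identifier(const std::string& s) {
    if (s.empty() || !(std::isalpha(static_cast<unsigned char>(s[0])) || s[0] == '_')) return false;
    for (char c : s) if (!(std::isalnum(static_cast<unsigned char>(c)) || c == '_')) return false;
    return true;
}

// First pass: every macro reference in `cond` mapped to the offset of its first occurrence.
// Assumption: a bare identifier in operand position is a macro; a list operator's value list is skipped.
std::map<std::string, std::size_t> find_macro_refs(const std::string& cond) {
    static const std::set<std::string> logical = {"and", "or", "not"};
    static const std::set<std::string> list_ops = {"in", "pmatch", "intersects"};
    std::map<std::string, std::size_t> refs;
    const std::vector<token> toks = tokenize(cond);
    std::string prev;  // previous token text; empty at the start of the condition
    for (std::size_t i = 0; i < toks.size(); ++i) {
        const std::string& t = toks[i].text;
        if (list_ops.count(t) && i + 1 < toks.size() && toks[i + 1].text == "(") {
            int depth = 0;  // skip to the ")" matching the list's "("
            for (++i; i < toks.size(); ++i) {
                if (toks[i].text == "(") ++depth;
                else if (toks[i].text == ")" && --depth == 0) break;
            }
            prev = ")";
            continue;
        }
        const bool operand_position = prev.empty() || prev == "(" || logical.count(prev) > 0;
        if (operand_position && is_identifier(t) && logical.count(t) == 0) {
            refs.emplace(t, toks[i].pos);  // emplace keeps the first position seen
        }
        prev = t;
    }
    return refs;
}

struct resolve_result {
    std::map<std::string, std::size_t> unresolved;  // name -> offset of its first reference
    std::vector<std::string> loops;                 // names at which a reference cycle was closed
};
// Second pass: depth-first through macro bodies. A name already on the current path is a
// cycle and is reported instead of expanded again, so "a -> b -> a" terminates. Offsets of
// references found inside a macro body are relative to that body, not to the rule condition.
static void resolve_rec(const std::string& cond, const std::map<std::string, std::string>& macros,
                        std::set<std::string>& visiting, std::set<std::string>& done,
                        resolve_result& out) {
    for (const auto& ref : find_macro_refs(cond)) {
        const std::string& name = ref.first;
        const auto it = macros.find(name);
        if (it == macros.end()) { out.unresolved.emplace(name, ref.second); continue; }
        if (visiting.count(name)) { out.loops.push_back(name); continue; }
        if (done.count(name)) continue;
        visiting.insert(name);
        resolve_rec(it->second, macros, visiting, done, out);
        visiting.erase(name);
        done.insert(name);
    }
}

resolve_result resolve_macros(const std::string& cond, const std::map<std::string, std::string>& macros) {
    resolve_result out;
    std::set<std::string> visiting, done;
    resolve_rec(cond, macros, visiting, done, out);
    return out;
}

int main() {  // constructed sample: one well-formed macro plus a two-macro cycle
    const std::map<std::string, std::string> macros = {
        {"open_write", "evt.type in (open, openat) and evt.is_open_write=true"}, {"a", "b and proc.name=x"}, {"b", "a"}};
    const resolve_result r = resolve_macros("open_write and not_a_macro and a", macros);
    for (const auto& u : r.unresolved) std::cout << "unresolved macro '" << u.first << "' at offset " << u.second << "\n";
    for (const auto& l : r.loops) std::cout << "macro reference loop closed at '" << l << "'\n";
}
```

The `visiting` set is what makes the resolver terminate on a self-referencing ruleset (without it, `a -> b -> a` recurses until the stack overflows, which is what the loop-detection fix addresses), and the `name -> offset` map is what lets an "unknown macro" error point at the reference rather than at the start of the condition. Real Falco records positions on AST nodes produced by the libsinsp filter parser, so the offsets it reports are exact rather than the approximation of this token scan.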
Mark Stemm
83b12bab1d
Fix(engine): include parse positions in compile errors
Now that ASTs have parse positions and the compiler will return the
position of the last error, use that in falco rules to return errors
within condition strings instead of reporting the position as the
beginning of the condition.
This led to a change in the filter_ruleset interface--now, an ast is
compiled to a filter before being passed to the filter_ruleset
object. That avoids polluting the interface with a lot of details
about rule_loader contexts, errors, etc. The ast is still provided in
case the filter_ruleset wants to do indexing/analysis of the filter.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-12-01 17:03:52 +01:00
Jason Dellaluce
15b57bd972
fix: remove minor string view dependencies
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-11-29 16:27:42 +01:00
Leonardo Grasso
68f4d5bb59
fix(userspace/engine): no need to use external deps
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2022-11-29 16:27:42 +01:00
Leonardo Grasso
47fd90bb7f
chore: remove not used dependency - string-view-lite
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2022-11-29 16:27:42 +01:00
Luca Guerra
e3dbae3259
fix(engine): fix warning about redundant std::move
Signed-off-by: Luca Guerra <luca@guerra.sh>
2022-11-11 16:19:11 +01:00
Mark Stemm
acf5c4ce5f
fix(engine): save syscall source only when processing events
The optimization in https://github.com/falcosecurity/falco/pull/2210
had a bug when the engine uses multiple sources at the same
time--m_syscall_source is a pointer to an entry in the indexed vector
m_sources, but if add_source is called multiple times, the vector is
resized, which copies the structs but invalidates any pointer to the
vector entries.
So instead of caching m_syscall_source in add_source(), cache it in
process_events(). m_sources won't change once processing events starts.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-10-27 18:23:25 +02:00
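The reallocation hazard described in acf5c4ce5f is a general C++ memory-safety pattern: a raw pointer into a `std::vector` is only valid until the next insertion that outgrows the vector's capacity. The sketch below is an added example and not Falco's code; the struct and member names (`source_info`, `m_sources`, `m_syscall_source`) are illustrative and only loosely echo the commit message. It shows the buggy shape, which caches the pointer in `add_source()`, beside the fixed shape, which resolves it once in `process_events()` after all sources have been registered. The event stream in `main` is a constructed stand-in.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Added illustration, not Falco's code: one entry per registered event source.
// Member names loosely echo the commit message (m_sources, m_syscall_source).
struct source_info {
    std::string name;
    std::size_t events_seen;
};

// Buggy shape: the syscall entry's address is cached inside add_source(). The
// next push_back() that outgrows the capacity reallocates the vector's storage
// and copies the entries, so the cached address no longer refers to live storage.
class engine_buggy {
public:
    std::size_t add_source(const std::string& name) {
        m_sources.push_back(source_info{name, 0});
        if (name == "syscall") {
            m_syscall_idx = m_sources.size() - 1;
            // kept as an integer so the check below never compares a dangling pointer
            m_cached_addr = reinterpret_cast<std::uintptr_t>(&m_sources.back());
        }
        return m_sources.size() - 1;
    }
    // True only if the address cached at add time still matches the live entry.
    bool cached_address_still_valid() const {
        if (m_syscall_idx >= m_sources.size()) return false;
        return reinterpret_cast<std::uintptr_t>(&m_sources[m_syscall_idx]) == m_cached_addr;
    }
private:
    std::vector<source_info> m_sources;
    std::size_t m_syscall_idx = static_cast<std::size_t>(-1);
    std::uintptr_t m_cached_addr = 0;
};

// Fixed shape (what the commit describes): sources are added freely, and the
// pointer is resolved once in process_events(), after which m_sources no longer
// changes for the lifetime of the run.
class engine_fixed {
public:
    std::size_t add_source(const std::string& name) {
        m_sources.push_back(source_info{name, 0});
        return m_sources.size() - 1;
    }
    // `event_sources` is a constructed stand-in for an event stream: the source
    // name of each incoming event. Returns how many were routed to the syscall source.
    std::size_t process_events(const std::vector<std::string>& event_sources) {
        if (m_syscall_source == nullptr) {
            for (source_info& s : m_sources) {
                if (s.name == "syscall") { m_syscall_source = &s; break; }
            }
        }
        std::size_t matched = 0;
        for (const std::string& src : event_sources) {
            if (m_syscall_source != nullptr && src == m_syscall_source->name) {
                ++m_syscall_source->events_seen;
                ++matched;
            }
        }
        return matched;
    }
    std::size_t syscall_events_seen() const {
        return m_syscall_source != nullptr ? m_syscall_source->events_seen : 0;
    }
private:
    std::vector<source_info> m_sources;
    source_info* m_syscall_source = nullptr;  // resolved lazily, never before processing starts
};

int main() {
    engine_buggy buggy;
    buggy.add_source("syscall");
    buggy.add_source("k8s_audit");  // capacity is outgrown: storage is reallocated here
    buggy.add_source("plugin");
    std::cout << "buggy: cached syscall pointer still valid? "
              << (buggy.cached_address_still_valid() ? "yes" : "no") << "\n";

    engine_fixed fixed;
    fixed.add_source("syscall");
    fixed.add_source("k8s_audit");
    fixed.add_source("plugin");
    std::cout << "fixed: syscall events processed: "
              << fixed.process_events({"syscall", "k8s_audit", "syscall"}) << "\n";
    return 0;
}
```

The fix relies on an invariant (no `add_source()` after processing starts) rather than on the type system; storing the index into `m_sources` instead of a pointer would hold even if that invariant were later broken. Because the buggy variant dereferences freed heap storage on the first event, a build with AddressSanitizer reports it as a heap-use-after-free, which is a cheap check to run on any engine that registers sources dynamically.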
Jason Dellaluce
9ee0298c4d
fix(userspace/engine): avoid macro/list used checks if we encounter an error
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-12 14:03:20 +02:00
Jason Dellaluce
57b26530b6
update(userspace) fix cppcheck warnings
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-12 12:07:20 +02:00