falco

mirror of https://github.com/falcosecurity/falco.git synced 2026-04-02 18:12:15 +00:00

Author	SHA1	Message	Date
Federico Di Pierro	211eea6abb	new(userspace/falco): allow entirely disabling plugin hostinfo support. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-12-05 10:15:39 +01:00
Mark Stemm	4a73ef8824	When overriding rules, ensure that the sources match In places where a second rule definition might replace, append to, or replace items from a base rule, ensure that the source of the second rule definiton matches the first. This already existed for defines, but for other changes. There was a bug where a second definition might exist for a different source, but the additional rule was used anyway. This now returns the same error for these other changes e.g. "Rule has been re-defined..." as define. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2024-10-24 08:45:12 +02:00
Mark Stemm	a44b311333	Add a source to rule_update_info It's possible that someone might want to override a property for a non-syscall rule source. To assist in this, decode any source property for rules with append/override and save it in the rule_update_info object. For the source property only, the value for source can be empty e.g. 'source: ' or an empty string e.g. 'source: ""'. Both of those are considered valid but result in an empty source. A later change will ensure that the sources match up when appending/redefining/overriding/enabling. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2024-10-24 08:45:12 +02:00
Federico Di Pierro	e4cbffc35b	update(userpsace/engine): update engine checksum and version. See https://github.com/falcosecurity/libs/pull/2047. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-10-21 16:01:59 +02:00
Mark Stemm	e99b11e793	Make enable()/disable() virtual so they can be overridden Subclasses might want to also see when rules are enabled/disabled. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2024-10-16 12:01:37 +02:00
Luca Guerra	fb01b6d927	cleanup(falco): deprecate -b --print-base64 Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-10-10 17:37:18 +02:00
Luca Guerra	4501b64b9d	new(falco): add buffer_format_base64 Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-10-10 17:37:18 +02:00
Luca Guerra	dfa6b9b88e	chore(falco): deprecated -A Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-10-10 10:26:16 +02:00
Luca Guerra	3b28450171	new(falco): add base_syscalls.all option to falco.yaml Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-10-10 10:26:16 +02:00
Mark Stemm	5f13a9be08	Add equality operators for indexed_vector/falco_{list,macro,rule} Add an equality operator for indexed_vector. As indexed_vectors commonly hold falco lists/macros/rules, also add equality operators for those structs. For condition/sinsp_filter shared_ptrs, the operator checks that the shared_ptrs point to the same underlying memory. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2024-10-10 09:20:17 +02:00
Mark Stemm	093d9234a5	Add a compile_output::clone() method that can be overridden Add a clone() method that can be overridden by subclasses. This allows copying compile state when needed in a way that preserves polymorphism. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2024-10-10 09:20:17 +02:00
Federico Di Pierro	c55adf38b4	chore(userspace/engine): fix build warning. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-10-09 16:26:14 +02:00
Federico Di Pierro	3e24606c11	new(ci): use `zig` compiler instead of relying on centos7. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-10-09 16:26:14 +02:00
Luca Guerra	6721a6b9cf	fix(engine): allow null init_config for plugin info Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-10-08 12:06:08 +02:00
Luca Guerra	c7c0246ca8	fix(engine): disable comma separated vectors in cxxopts Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-10-07 13:24:04 +02:00
Luca Guerra	478514940f	update(falco): deprecated -S --snaplen option Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-10-07 11:33:03 +02:00
Luca Guerra	ef79648037	new(falco): add falco_libs.snaplen option Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-10-07 11:33:03 +02:00
Federico Di Pierro	f72e6a59ad	fix(userspace/falco): fix event set selection for plugin with parsing capability. In live mode we need to use the source_info inspectors instead of the offline inspector. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-10-07 09:56:02 +02:00
Federico Di Pierro	41f20fd07a	cleanup(userspac/falco): drop deprecated options. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-10-02 14:49:40 +02:00
Luca Guerra	17e61450db	cleanup(falco): reformat options::define Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-09-30 17:50:32 +02:00
Luca Guerra	683df327ac	fix(falco): allow disable_cri_async from both CLI and config Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-09-30 15:33:32 +02:00
Poiana	50b98b30e5	chore(falco): apply code formatting Signed-off-by: Poiana <poiana.bot@gmail.com>	2024-09-30 13:25:31 +02:00
Leonardo Di Giovanna	3a6d1c8c5d	feat(stats): add host_netinfo networking information stats family Introduce host_netinfo stats family to hold information regarding host networking. At the moment, it only provides ipv4 and ipv6 addresses list for each interface available on the host. The naming schema for the introduced stats is falco.host_netinfo.interfaces.<ifname>.protocols.<ipv4\|ipv6>.addresses. Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>	2024-09-26 15:50:16 +02:00
Luca Guerra	70c10ee7e0	fix(engine): sync outputs before printing stats at shutdown Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-09-23 16:58:01 +02:00
Leonardo Di Giovanna	d3a67c10bd	cleanup(falco_metrics): remove unused falco_utils import Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>	2024-09-23 15:38:01 +02:00
Leonardo Di Giovanna	5ba94a36bd	fix(falco_metrics): remove ifinfo_json stat/metric Using JSON as value prevents any meaningful aggregation for the stats. Splitting these information into multiple labels can drastically increase the number of dimensions, as the number of interfaces and addresses can be high in some environment. Moreover, these information are not currently refreshed, even if they can frequently change. Given these reasons, remove ifinfo_json from stats and metrics. Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>	2024-09-23 15:38:01 +02:00
Leonardo Di Giovanna	00b35cfd81	fix(falco_metrics)!: use full name for configs and rules files Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>	2024-09-23 15:38:01 +02:00
Leonardo Di Giovanna	d77f768692	fix(falco_metrics)!: split tags label into multiple tag_ labels Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>	2024-09-23 15:38:01 +02:00
Luca Guerra	1a4a29348f	fix(falco): allow plugin init_config map in json schema Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-09-20 09:55:49 +02:00
Federico Di Pierro	78f56190b4	fix(userspace/falco): properly account for plugin with CAP_PARSING when computing interesting sc set. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-09-19 17:40:48 +02:00
Federico Di Pierro	6f1a741c7e	chore(userspace/falco): deprecate `cri` related CLI options. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-09-18 09:35:52 +02:00
Federico Di Pierro	fa701dd52f	fix(userspace/engine): improve rule json schema to account for `source` and `required_plugin_versions`. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-09-17 17:34:51 +02:00
Luca Guerra	037d7f9b36	cleanup(falco): use a header file for rule json schema Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-09-16 09:59:46 +02:00
Luca Guerra	ed4fb33981	cleanup(falco): use header file for json schema Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-09-16 09:59:46 +02:00
Luca Guerra	cd0d607f14	update(falco): add warning if the append condition does not appear to make sense Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-09-13 15:58:36 +02:00
Luca Guerra	5c959d0b1b	update(falco): use std::include for readability Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-09-13 15:58:36 +02:00
Luca Guerra	a2336f186e	update(falco): update json schema Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-09-13 15:58:36 +02:00
Luca Guerra	7005983409	update(engine): modify append_output format Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-09-13 15:58:36 +02:00
Melissa Kilby	d3c6a7478e	update(falco_metrics): change prometheus rules metric naming Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>	2024-09-13 11:25:36 +02:00
Federico Di Pierro	d1644079e9	chore(userspace/falco): updated configuration schema. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-09-12 15:26:33 +02:00
Melissa Kilby	9089262569	update(falco_metrics): add kernel_event_counters_per_cpu_enabled config Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>	2024-09-12 15:26:33 +02:00
Melissa Kilby	2ceb6ecf0f	update(Falco_metrics): fix prom subsystem for some scap vs falco metrics Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>	2024-09-12 15:26:33 +02:00
Melissa Kilby	2badce1714	update(falco_metrics): adjust sha256 prometheus name, remove double falco_ Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>	2024-09-12 15:26:33 +02:00
Melissa Kilby	4f35b3e4e2	update(falco_metrics): apply reviewers suggestions Co-authored-by: Federico Di Pierro <nierro92@gmail.com> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>	2024-09-12 15:26:33 +02:00
Melissa Kilby	9669a4a0bb	update(falco_metrics): rearrange evts and drops prometheus metrics Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>	2024-09-12 15:26:33 +02:00
Luca Guerra	bc7394b8c3	new(falco): add json_include_message_property option Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-09-11 17:52:32 +02:00
Federico Di Pierro	0f26e3c9ed	chore(userspace): adjusted `rule_loader::result::as_verbose_string` following errors and warnings output layout. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-09-11 13:20:31 +02:00
Federico Di Pierro	468037151a	chore(userspace,unit_tests): properly report all schema validation warnings from yaml_helper::validate_node(). `-V` option will print all warnings, while normal run will only print foremost warning. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-09-11 13:20:31 +02:00
Federico Di Pierro	2f89a2c140	chore(userspace): added schema validation info to `rule_loader::result` `as_json` and `as_string` outputs. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-09-11 13:20:31 +02:00
Federico Di Pierro	1f9bea5a0b	update(userspace/engine): fixed priorities in rules schema. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Leonardo Grasso <me@leonardograsso.com>	2024-09-11 13:20:31 +02:00

1 2 3 4 5 ...

1611 Commits