Melissa Kilby
2badce1714
update(falco_metrics): adjust sha256 prometheus name, remove double falco_
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2024-09-12 15:26:33 +02:00
Melissa Kilby
4f35b3e4e2
update(falco_metrics): apply reviewers' suggestions
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2024-09-12 15:26:33 +02:00
Melissa Kilby
9669a4a0bb
update(falco_metrics): rearrange evts and drops prometheus metrics
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2024-09-12 15:26:33 +02:00
Luca Guerra
bc7394b8c3
new(falco): add json_include_message_property option
Signed-off-by: Luca Guerra <luca@guerra.sh>
2024-09-11 17:52:32 +02:00
Federico Di Pierro
0f26e3c9ed
chore(userspace): adjusted rule_loader::result::as_verbose_string following errors and warnings output layout.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2024-09-11 13:20:31 +02:00
Federico Di Pierro
468037151a
chore(userspace,unit_tests): properly report all schema validation warnings from yaml_helper::validate_node().
The `-V` option will print all warnings, while a normal run will only print the foremost warning.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2024-09-11 13:20:31 +02:00
Federico Di Pierro
2f89a2c140
chore(userspace): added schema validation info to rule_loader::result as_json and as_string outputs.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2024-09-11 13:20:31 +02:00
Federico Di Pierro
1f9bea5a0b
update(userspace/engine): fixed priorities in rules schema.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
2024-09-11 13:20:31 +02:00
Federico Di Pierro
c8361efea7
chore(userspace/falco): reverted file to master version.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2024-09-11 13:20:31 +02:00
Federico Di Pierro
118e82ae01
cleanup(userspace): drop unused includes from yaml_helper.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2024-09-11 13:20:31 +02:00
Federico Di Pierro
a392e1ed2d
chore(userspace): minified rule schema json.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2024-09-11 13:20:31 +02:00
Federico Di Pierro
5bd2d5a63e
cleanup(userspace,unit_tests): moved rule schema under engine.
Also, moved yaml_helper under engine/ folder.
Ported rule json schema validation in the engine.
Also, updated rule_loader tests to check for validation.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2024-09-11 13:20:31 +02:00
Federico Di Pierro
895e50d3a0
new(userspace): added json schema validation for rules.
Also, a new `--rule-schema` cli option was added to print the schema and leave.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2024-09-11 13:20:31 +02:00
Federico Di Pierro
d14825faf0
update(userspace/engine): bump engine version and checksum.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2024-09-11 13:15:31 +02:00
Luca Guerra
ddc736057f
cleanup(falco): apply review suggestion about extra_output_field_t
Signed-off-by: Luca Guerra <luca@guerra.sh>
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
2024-09-09 15:31:24 +02:00
Luca Guerra
aeb4126ce2
fix(falco): update json schema
Signed-off-by: Luca Guerra <luca@guerra.sh>
2024-09-09 15:31:24 +02:00
Luca Guerra
63784e06ef
new(falco): add json schema for append_output
Signed-off-by: Luca Guerra <luca@guerra.sh>
2024-09-09 15:31:24 +02:00
Luca Guerra
d210ed2e4f
new(app): add append_output configuration option with fields and format
Signed-off-by: Luca Guerra <luca@guerra.sh>
2024-09-09 15:31:24 +02:00
Federico Di Pierro
f3eecb6b21
new(userspace/falco): added --config-schema action to print config schema.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2024-09-06 09:51:10 +02:00
Federico Di Pierro
dabfe0e154
cleanup(userspace/falco): drop deprecated -t,-T,-D options.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2024-09-06 09:26:10 +02:00
Luca Guerra
5b6810a51e
new(falco): enable -o key={object} configuration
Signed-off-by: Luca Guerra <luca@guerra.sh>
2024-09-06 09:25:11 +02:00
Melissa Kilby
8a3cb7608a
chore: update config schema w/ container_engines
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2024-08-27 12:13:26 +02:00
Melissa Kilby
898e060544
chore: update desc in falco.yaml
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2024-08-27 12:13:26 +02:00
Melissa Kilby
08d5ac92ad
update(engine): move some container engines debug message to init inspector
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2024-08-27 12:13:26 +02:00
Melissa Kilby
e8afcc55cc
update(engine): address reviewers' comments wrt container_engines config
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2024-08-27 12:13:26 +02:00
Melissa Kilby
f6ffa75d74
new(config): add container_engines config to falco.yaml
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2024-08-27 12:13:26 +02:00
Melissa Kilby
f8398213ba
update(metrics): always refresh ifinfo
Because libs constantly refreshes them, it's fine to re-create the JSON
each time
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2024-08-27 10:18:26 +02:00
Melissa Kilby
1caece2cf9
update(metrics): use new libs addr_to_string methods for host_ifinfo_json
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2024-08-27 10:18:26 +02:00
Melissa Kilby
23b412ea3c
new(metrics): add host_ifinfo metric
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2024-08-27 10:18:26 +02:00
Federico Di Pierro
db52442b3f
fix(userspace/falco): fixed windows build by enforcing NOMINMAX compile definition.
Also, minified config schema, since the big schema string leads to an MSVC compiler error.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2024-08-26 18:06:25 +02:00
Federico Di Pierro
3fff994b19
chore(userspace/falco): include numeric header for std::accumulate.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2024-08-26 18:06:25 +02:00
Federico Di Pierro
d1c715e7a8
chore(unit_tests,userspace): use nlohmann json instead of jsoncpp.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2024-08-26 18:06:25 +02:00
Federico Di Pierro
be927edfe8
new(userspace/falco,unit_tests): added new tests around schema validation feature.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2024-08-26 18:06:25 +02:00
Federico Di Pierro
94dc7da986
cleanup(unit_tests,userspace/falco): moved all config validation logic to be more testable.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2024-08-26 18:06:25 +02:00
Federico Di Pierro
6dfdfdd649
chore(unit_tests): moved config_files and env vars config tests to their own source file.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2024-08-26 18:06:25 +02:00
Federico Di Pierro
c807727475
chore(userspace/falco): use minProperties where needed.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2024-08-26 18:06:25 +02:00
Federico Di Pierro
5c551df116
new(userspace/falco): validate loaded configuration files against config schema.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2024-08-26 18:06:25 +02:00
Federico Di Pierro
4e45152521
fix(cmake,userspace/falco): bumped libs to latest master.
Also, fixes some newly introduced API breaks.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2024-08-26 15:51:25 +02:00
Luca Guerra
1886aca8b5
update(falco): update metrics interface
Signed-off-by: Luca Guerra <luca@guerra.sh>
2024-08-26 15:51:25 +02:00
Melissa Kilby
33a0d9c6ab
fix(metrics/prometheus): adopt best prometheus practices for rules counters and sha256 file metrics
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2024-08-05 11:39:40 +02:00
Federico Di Pierro
4a4ed1e118
update(userspace/engine): bump engine version and checksum.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2024-06-26 10:32:44 +02:00
Federico Di Pierro
24eec1e92a
update(cmake,userspace): bump libs and driver to latest master.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2024-06-26 10:32:44 +02:00
Mark Stemm
a3bf8b472b
If rule compilation fails, return immediately
There's no need to populate rulesets with the output if compilation
failed.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2024-06-25 18:27:39 +02:00
Mark Stemm
adeca79d1c
Modify evttype_index_ruleset to derive from indexable_ruleset
Modify evttype_index_ruleset to derive from indexable_ruleset instead
of having its own implementation of segregating filters by ruleset
id/event type.
An evttype_index_wrapper contains a falco rule and filter, and
implements the methods required by the template. run_wrappers()
evaluates the filter as before, without the segregation by ruleset
id/event type.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2024-06-20 11:23:12 +02:00
Mark Stemm
bbcfa61d82
Add an indexable ruleset that can split filters by ruleset/evttype
Now that custom rules loading implementations (and related, custom
rulesets) can be swapped into falco in a customizable way, there is
some functionality in evttype_index_ruleset that could be used by
other rulesets, specifically the part that segregates filters by
ruleset and enables/disables filters based on name substring + tags.
To allow for this, create a new template indexable_ruleset<class
filter_wrapper> which derives from filter_ruleset and segregates the
filter_wrappers by ruleset. It also optionally segregates
filter_wrappers by event type.
The filter_wrapper class is an object that can return a name, tags,
and sc/event codes.
The main interfaces for classes that derive from indexable_ruleset are:
- add_wrapper(), which provides a filter_wrapper to the
indexable_ruleset. This is generally called from
add()/add_compile_output(), which must be implemented by the derived class.
- run_wrappers(), which must be implemented by the derived class and
is called for event processing.
Most of the methods required by filter_ruleset are implemented by
indexable_ruleset and do not need to be implemented by the derived
class.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2024-06-20 11:23:12 +02:00
Gianmatteo Palmieri
3e91a27538
new(metrics): enable plugins metrics
Signed-off-by: Gianmatteo Palmieri <mail@gian.im>
Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2024-06-13 16:32:48 +02:00
Federico Di Pierro
0e754aec14
chore(userspace): bump engine version and checksum.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2024-06-13 13:40:48 +02:00
Luca Guerra
b8e5e2e8dd
update(engine): allow using -p to pass a format to plugin events
Signed-off-by: Luca Guerra <luca@guerra.sh>
2024-06-11 09:19:39 +02:00
Luca Guerra
8a59cee355
cleanup(falco): clarify that --print variants only affect syscalls
Signed-off-by: Luca Guerra <luca@guerra.sh>
2024-06-06 09:46:22 +02:00
Gianmatteo Palmieri
1c66b640f2
Revert "fix(engine): apply output substitutions for all sources"
This reverts commit 4ef7c9553a.
Signed-off-by: Gianmatteo Palmieri <mail@gian.im>
2024-06-05 12:43:19 +02:00