github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-05-13 18:22:40 +00:00
Code Issues Projects Releases Wiki Activity
3,146 Commits 121 Branches 185 Tags
752c3d8332108f0d4cf615cce161fe92de5f7cb6
Commit Graph

899 Commits

Author SHA1 Message Date
Mark Stemm
0f45cf49db Use enums for rules content item type 
Use an enum instead of a string for the item_type aka "parts of a
rules file" field of contexts.

The set of values is mostly defined by the contexts that were already
created. There are a couple of forward-looking values for rule
outputs/macro conditions/etc. that may be useful for later.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-09-07 10:13:02 +02:00
Mark Stemm
7a5a4c32ee Support condition parse errors in rule loading results 
In #2098 and #2158, we reworked how rules loading errors/warnings were
returned to provide a richer set of information, including
locations/context for the errors/warnings.

That did *not* include locations within condition expressions,
though. When parsing a condition expression resulted in a
warning/error, the location simply pointed to the condition property
of the rule.

This commit improves this to handle parse errors:

- When libsinsp::filter::parser::parse() throws an exception, use
  get_pos() to get the position within the condition string.
- Add a new context() constructor that takes a filter pos_info instead
  of a YAML::Mark.

Now that positions aren't always related to the location of yaml
nodes, Make up a generic "position" struct for locations and convert
YAML::Mark and parser positions to a position struct.

Also allow a context to contain an alternate content string which is
used to build the snippet. For contexts related to condition strings,
the content is the condition.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-09-07 10:13:02 +02:00
VadimZy
af95455bab dropping fix for list parsing due to the absence of regex portability. 
reverting to the inefficient code.

Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
 2022-09-05 17:42:31 +02:00
VadimZy
4b75f213c6 use <onigposix.h> instead of <regex.h> 
Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
 2022-09-05 17:42:31 +02:00
VadimZy
0de617a7fb remove sinsp.h public dependencies 
Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
 2022-09-05 17:42:31 +02:00
VadimZy
5745faeccc fix tests, remove dead code 
Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
 2022-09-05 17:42:31 +02:00
VadimZy
f9ee45b38e Improve Falco engine performance when loading rules and creating the rule sets 
- replace std::set<uint16_t> with fixed size vector in event types propagation
- rework lists expansion by replacing repetitive string::find in constantly growing expansion string with regex tokenization
- improve json_event parsing by moving const initializations into static routines

Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
 2022-09-05 17:42:31 +02:00
Jason Dellaluce
7d2f82fddc update(usperspace/engine): bump engine version to 15 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-05 14:40:31 +02:00
Jason Dellaluce
1b410ea2cc update(userspace/engine): consider plugin version requirements in engine checks 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-05 14:40:31 +02:00
Jason Dellaluce
52402ac805 update(userspace/engine): support plugin version requirement alternatives in rule reader 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-05 14:40:31 +02:00
Jason Dellaluce
6e0971f1e1 update(userspace/engine): support plugin version requirement alternatives in rule loader 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-05 14:40:31 +02:00
Jason Dellaluce
6c1f908ca5 cleanup(cmake): rename legacy cmake variables 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-29 15:42:33 +02:00
Jason Dellaluce
574a4b9f0a update(userspace/falco): fix copyright notice year 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 12:48:18 +02:00
Jason Dellaluce
c05ad6fde4 update(userspace/falco): fix copyright notice year 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 12:48:18 +02:00
Jason Dellaluce
e361069092 chore(userspace/falco): fix typos 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 12:48:18 +02:00
Jason Dellaluce
9c6ad6ce84 update(userspace/falco): use json lib in stats writer 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 12:48:18 +02:00
Jason Dellaluce
2d8efee73e refactor(userspace/falco): improve design and docs of stats writer 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 12:48:18 +02:00
Jason Dellaluce
28ff6ad3bd refactor(userspace/falco): rename stats writer source files 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 12:48:18 +02:00
Jason Dellaluce
2f5461bed0 refactor(userspace/falco): use new stats writer in event processing action 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 12:48:18 +02:00
Jason Dellaluce
605dd2816d refactor(userspace/falco): re-implement stats writer 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 12:48:18 +02:00
Jason Dellaluce
c5442ccb41 new(userspace/falco): introduce new refactored stats writer class 
This new model uses an async worker and a concurrent queue to handle
stats writing. This ensures better performance, because the live event
processing loop will just need to do a push on the queue instead of writing
to a file (only when the timer triggers), and should be thread-safe by design.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 12:48:18 +02:00
Jason Dellaluce
cc4ccc40d7 refactor(userspace/falco): implement complete event source selection 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-08-26 12:47:18 +02:00
Jason Dellaluce
0e2a053151 new(userspace/falco): add new cli option to selectively enable event sources 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 12:47:18 +02:00
Jason Dellaluce
97bf0338b9 refactor(userspace/falco): introduce standalone action for event source selection 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 12:47:18 +02:00
Jason Dellaluce
34ca78786a refactor(userspace/falco): make signal handlers thread-safe 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 11:31:18 +02:00
Jason Dellaluce
f2aba88a6c refactor(userspace/falco): ensure falco outputs are non-blocking and define exiting condition 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 11:31:18 +02:00
Jason Dellaluce
bc765f1b7d chore(userspace/falco): log in signal handlers instead than in event processing loop 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 11:31:18 +02:00
Jason Dellaluce
c2a8efc329 chore(userspace/engine): fix typos 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 11:26:18 +02:00
Jason Dellaluce
978f192c38 chore(userspace/engine): fix codespell typos 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 11:26:18 +02:00
Jason Dellaluce
1120fb2564 doc(userspace/engine): define thread-safety guarantees of falco_engine::process_event 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 11:26:18 +02:00
Jason Dellaluce
1b8847c06b refactor(userspace/engine): make stats manager thread-safe for on_event method 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 11:26:18 +02:00
Jason Dellaluce
3839fdca1e update(userspace/falco): avoid using zlib in webserver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 11:23:17 +02:00
Jason Dellaluce
2b7bcc87a7 update(userspace/falco): add configuration entry for webserver threadiness 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 11:23:17 +02:00
Jason Dellaluce
0eacd41cd5 refactor(userspace/falco): support zlib and custom threadiness in webserver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 11:23:17 +02:00
Jason Dellaluce
d9b6473db2 refactor(userspace/engine): increase const coherence of falco engine 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-26 11:04:18 +02:00
Jason Dellaluce
7d3dacc6d7 refactor(userspace/falco): cleanup actions order 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-25 17:02:15 +02:00
Jason Dellaluce
a9d185f5e1 refactor(userspace/falco): drop inspector dependency on print_plugin_info action 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-25 17:02:15 +02:00
Jason Dellaluce
bd26bc09c2 refactor(userspace/falco): drop inspector dependency on print_ignored_events action 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-25 17:02:15 +02:00
Jason Dellaluce
97e3209222 refactor(userspace/falco): drop inspector dependency on load_rule_files action 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-25 17:02:15 +02:00
Jason Dellaluce
6d30061576 refactor(userspace/falco): drop inspector dependency on list_plugins action 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-25 17:02:15 +02:00
Jason Dellaluce
2caadd1af5 refactor(userspace/falco): add action for printing syscall events 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-25 17:02:15 +02:00
Jason Dellaluce
b307853e39 update(userspace/falco): use move semantics in falco logger 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-25 17:00:15 +02:00
Leonardo Grasso
3d61d3427e fix: correct env var name FALCO_HOSTNAME 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-08-25 16:59:15 +02:00
Leonardo Grasso
928e10f0ce fix(userspace/falco): print hostname when json formating is enabled 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-08-25 16:59:15 +02:00
Leonardo Grasso
34ad5c43fb update(userspace/engine): add support for hostname 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-08-25 16:59:15 +02:00
Jason Dellaluce
d35dba30ed update(userspace/engine): sync ast structs to new libs definitions 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-25 16:32:15 +02:00
Jason Dellaluce
e7502431a2 update(userspace/falco): move rate limiter out of falco outputs framework 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-23 15:52:05 +02:00
Jason Dellaluce
6c74aa1a29 update(userspace/falco): enable per-event-source rate limiter 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-23 15:52:05 +02:00
Jason Dellaluce
af0b624a3a fix(userspace/falco): set alert throttling config defaults 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-23 15:52:05 +02:00
Jason Dellaluce
8760f04bf2 refactor(userspace/falco): make output framework explicitly thread-safe 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-23 15:52:05 +02:00