Jason Dellaluce
75720534d7
fix(userspace/falco): solve escape issues in grpc output
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com >
2023-05-23 16:53:35 +02:00
Jason Dellaluce
00acd17ba1
fix(userspace/falco): output drop perc metric only if drops are present
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com >
2023-05-23 16:53:35 +02:00
Jason Dellaluce
d550552fc1
fix(userspace/falco): properly format numeric values in metrics
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com >
2023-05-23 16:53:35 +02:00
Melissa Kilby
eaa4354ddf
cleanup(userspace/falco): new consistent metrics output fields classes falco. and scap.
...
* Ensure each metric field name more consistently adheres to the grammar used in Falco rules:
  * `falco.`: new field class representing userspace counters, statistics, resource utilization, or necessary information fields
  * `scap.`: new field class representing counters and statistics mostly obtained from Falco's kernel instrumentation before events are sent to userspace, but can include scap userspace stats as well
* minor cleanup
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com >
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com >
2023-05-23 09:58:34 +02:00
Melissa Kilby
8e0c89d3b4
cleanup(userspace/engine): prometheus compliant regex parsing for metrics interval
...
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com >
2023-05-23 09:58:34 +02:00
Melissa Kilby
fcecde845d
cleanup(userspace): move parse_prometheus_interval to falco_utils
...
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com >
2023-05-23 09:58:34 +02:00
Melissa Kilby
f2318a9ac5
cleanup(userspace/falco): address reviewers comments + cleanup
...
* prefix counters and stats belonging to kernel space w/ `k.` else `u.` for userspace
* add n_drops_perc from old stats writer schema
* revert one change: file output shall reflect exact same "output_fields" key as rule output, note that src is already part of the "output_fields" schema.
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com >
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com >
2023-05-23 09:58:34 +02:00
Jason Dellaluce
5d35cda8dc
update(userspace): minor polishing
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com >
2023-05-23 09:58:34 +02:00
Jason Dellaluce
f117d5273c
update(userspace): refactor metrics data flow and fix bugs
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com >
2023-05-23 09:58:34 +02:00
Melissa Kilby
f0ac327f98
cleanup(userspace/falco): add more fields to metrics
...
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com >
2023-05-23 09:58:34 +02:00
Melissa Kilby
e37027a1d0
cleanup(userspace/falco): address reviewers comments
...
* renaming to `metrics` for technical clarity
* adopt Prometheus like metrics interval settings
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com >
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com >
2023-05-23 09:58:34 +02:00
Melissa Kilby
134d2630e9
new(userspace/falco): stats v2 config option to convert memory metrics to MB
...
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com >
2023-05-23 09:58:34 +02:00
Melissa Kilby
78dbfab48f
feat(userspace/falco)!: use new resource_utilization metrics / stats v2 schema for stats file output logs
...
These changes break the old stats file output schema and consolidate
them with the new schema.
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com >
2023-05-23 09:58:34 +02:00
Melissa Kilby
4d24bcdd2f
new(userspace/falco)!: introduce native support for resource_utilization metrics / stats v2
...
Intended to phase out previous stats writer settings and log schema.
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com >
2023-05-23 09:58:34 +02:00
Melissa Kilby
44d9f99c72
new(userspace/falco)!: new stats v2 configs
...
Intended to phase out previous stats writer settings and log schema.
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com >
2023-05-23 09:58:34 +02:00
Jason Dellaluce
7248284b12
chore(userspace/falco/app): print all supported plugin caps
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com >
2023-05-22 15:23:32 +02:00
Lorenzo Susini
e47ece4de9
update(userspace/engine): address jasondellaluce comments
...
- avoiding inspector to be allocated for each rule
- use two boolean values for expecting macros and lists
- move items of lists alongside name, under info
- use snake case for json output, like we do for e.g alerts
- correctly retrieve evt names
- consider two levels of lists for exception operators
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com >
2023-05-19 15:56:05 +02:00
Lorenzo Susini
1195b1e7f0
update(userspace/engine): better modularize the code for getting json details
...
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com >
2023-05-19 15:56:05 +02:00
Lorenzo Susini
e11b4c4430
update(userspace/engine): add event codes to json output
...
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com >
2023-05-19 15:56:05 +02:00
Lorenzo Susini
46cbc3c589
update(userspace/engine): add info about all macros and lists in -L option
...
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com >
2023-05-19 15:56:05 +02:00
Lorenzo Susini
e30729555b
update(userspace/engine): add enabled information to json output
...
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com >
2023-05-19 15:56:05 +02:00
Lorenzo Susini
727aed0c03
update(userspace/engine): avoid solving macros AST at each cycle when getting details of all rules
...
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com >
2023-05-19 15:56:05 +02:00
Lorenzo Susini
c1623771d8
update(userspace/engine): correctly use describe rule based on config
...
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com >
2023-05-19 15:56:05 +02:00
Lorenzo Susini
9947962cb8
update(userspace/engine): let describe_rule function print out json details when requested
...
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com >
2023-05-19 15:56:05 +02:00
Lorenzo Susini
a6542a6487
new(userspace/engine): introduce new class to get details about rules
...
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com >
2023-05-19 15:56:05 +02:00
Jason Dellaluce
c603055acf
fix(userspace/engine): don't count async event for evttype warning
...
Co-authored-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com >
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com >
2023-05-19 12:15:04 +02:00
Jason Dellaluce
bb04892baf
fix(userspace/falco): avoid double plugin initializations
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com >
2023-05-19 12:15:04 +02:00
Jason Dellaluce
9df72e0f2a
fix(userspace/falco/app): properly populate filtercheck lists
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com >
2023-05-19 12:15:04 +02:00
Jason Dellaluce
4e8d1f025c
fix(userspace/falco/app): skip unnecessary app steps
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com >
2023-05-19 12:15:04 +02:00
Jason Dellaluce
9bfce8cfae
update(userspace): make sure that async event is always matched in rules
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com >
2023-05-19 12:15:04 +02:00
Jason Dellaluce
733ea88ab3
fix(userspace/falco): properly init configuration
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com >
2023-05-19 12:15:04 +02:00
Jason Dellaluce
b2615de062
new(userspace/falco/app): print a warning if multiple plugins for same source are loaded
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com >
2023-05-19 12:15:04 +02:00
Jason Dellaluce
0649be619b
update(userspace/falco/app): support nodriver open mode and plugins sourcing system events
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com >
2023-05-19 12:15:04 +02:00
Jason Dellaluce
301c4efeb7
update(userspace/falco): support new plugin API definitions
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com >
2023-05-19 12:15:04 +02:00
Jason Dellaluce
5175a04c6b
update(userspace/engine): bump engine checksum
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com >
2023-05-19 12:15:04 +02:00
Jason Dellaluce
3681cacda1
new(userspace/falco): add new --nodriver option
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com >
2023-05-19 12:15:04 +02:00
Andrea Terzolo
696fa43dc2
cleanup(actions): now modern bpf supports -A flag
...
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it >
2023-05-17 12:19:00 +02:00
Andrea Terzolo
e83dbe85f7
cleanup(config): modern bpf is no longer experimental
...
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it >
2023-05-12 12:27:45 +02:00
Jason Dellaluce
1f4919bfe1
update: improve control and UX of ignored events
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com >
2023-04-27 11:10:14 +02:00
Jason Dellaluce
4d24a02ad6
fix(userspace/falco): preserve config's plugin loading order
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com >
2023-04-26 12:59:13 +02:00
Jason Dellaluce
8926022035
update: adapt Falco to new sinsp event source management
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com >
2023-04-26 12:59:13 +02:00
Jason Dellaluce
95fa953398
update(cmake): bump libs and driver to ffcd702cf22e99d4d999c278be0cc3d713c6375c
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com >
2023-04-26 12:59:13 +02:00
Jason Dellaluce
3b64052832
update(userspace/falco): leverage new sc_set_to_event_names API
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com >
2023-04-04 19:39:53 +02:00
Leonardo Grasso
88b9537618
chore(userspace/falco): remove Mesos support
...
Signed-off-by: Leonardo Grasso <me@leonardograsso.com >
2023-04-04 18:31:52 +02:00
Leonardo Grasso
5c0cd6a170
update!: remove --mesos-api, -pmesos, and -pm command-line flags
...
Signed-off-by: Leonardo Grasso <me@leonardograsso.com >
2023-04-04 18:31:52 +02:00
Melissa Kilby
0b6e243582
cleanup(app_actions): fine-tune base_syscalls.repair behavior
...
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com >
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com >
2023-03-30 19:08:33 +02:00
Melissa Kilby
78daafb56c
cleanup(app_actions): finalize base_syscalls.repair option
...
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com >
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com >
2023-03-30 19:08:33 +02:00
Jason Dellaluce
2b93a79521
refactor: apply review suggestions
...
Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com >
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com >
2023-03-30 19:08:33 +02:00
Melissa Kilby
e360175c15
fix(app_actions): enforce PPM_SC_SCHED_PROCESS_EXIT for base_syscalls.custom_set
...
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com >
2023-03-30 19:08:33 +02:00
Melissa Kilby
692abf71eb
new(app_actions): add base_syscalls.repair option
...
See https://github.com/falcosecurity/falco/issues/2433
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com >
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com >
2023-03-30 19:08:33 +02:00