mirror of
https://github.com/falcosecurity/falco.git
synced 2026-03-21 12:12:28 +00:00
Compare commits
1 Commits
update/cli
...
new/inspec
| Author | SHA1 | Date | |
|---|---|---|---|
|
d469681bb1 |
20
.github/stale.yml
vendored
Normal file
20
.github/stale.yml
vendored
Normal file
@@ -0,0 +1,20 @@
|
||||
# Number of days of inactivity before an issue becomes stale
|
||||
daysUntilStale: 60
|
||||
# Number of days of inactivity before a stale issue is closed
|
||||
daysUntilClose: 7
|
||||
# Issues with these labels will never be considered stale
|
||||
exemptLabels:
|
||||
- cncf
|
||||
- roadmap
|
||||
- "help wanted"
|
||||
# Label to use when marking an issue as stale
|
||||
staleLabel: wontfix
|
||||
# Comment to post when marking an issue as stale. Set to `false` to disable
|
||||
markComment: >
|
||||
This issue has been automatically marked as stale because it has not had
|
||||
recent activity. It will be closed if no further activity occurs. Thank you
|
||||
for your contributions.
|
||||
Issues labeled "cncf", "roadmap" and "help wanted" will not be automatically closed.
|
||||
Please refer to a maintainer to get such label added if you think this should be kept open.
|
||||
# Comment to post when closing a stale issue. Set to `false` to disable
|
||||
closeComment: false
|
||||
@@ -172,16 +172,12 @@ if(NOT MINIMAL_BUILD)
|
||||
COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
|
||||
BUILD_IN_SOURCE 1
|
||||
BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
|
||||
BUILD_BYPRODUCTS ${CIVETWEB_LIB}
|
||||
INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
|
||||
endif()
|
||||
|
||||
# string-view-lite
|
||||
#string-view-lite
|
||||
include(DownloadStringViewLite)
|
||||
|
||||
# cxxopts
|
||||
include(DownloadCxxOpts)
|
||||
|
||||
if(NOT MINIMAL_BUILD)
|
||||
# gRPC
|
||||
include(gRPC)
|
||||
|
||||
@@ -41,7 +41,7 @@ If you would like to run Falco in **production** please adhere to the [official
|
||||
|
||||
Falco is designed to be extensible such that it can be built into cloud-native applications and infrastructure.
|
||||
|
||||
Falco has a [gRPC](https://falco.org/docs/grpc/) endpoint and an API defined in [protobuf](https://github.com/falcosecurity/falco/blob/master/userspace/falco/outputs.proto).
|
||||
Falco has a [gRPC](https://falco.org/docs/grpc/) endpoint and an API defined in [protobuf](https://github.com/falcosecurity/falco/blob/update-readme/userspace/falco/outputs.proto).
|
||||
The Falco Project supports various SDKs for this endpoint.
|
||||
|
||||
##### SDKs
|
||||
@@ -65,7 +65,6 @@ For example, Falco can easily detect incidents including but not limited to:
|
||||
- Unexpected read of a sensitive file, such as `/etc/shadow`.
|
||||
- A non-device file is written to `/dev`.
|
||||
- A standard system binary, such as `ls`, is making an outbound network connection.
|
||||
- A privileged pod is started in a Kubernetes cluster.
|
||||
|
||||
### Documentation
|
||||
|
||||
|
||||
@@ -1,28 +0,0 @@
|
||||
#
|
||||
# Copyright (C) 2020 The Falco Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
|
||||
# the License. You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
|
||||
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations under the License.
|
||||
#
|
||||
|
||||
include(ExternalProject)
|
||||
|
||||
set(CXXOPTS_PREFIX ${CMAKE_BINARY_DIR}/cxxopts-prefix)
|
||||
set(CXXOPTS_INCLUDE ${CXXOPTS_PREFIX}/include)
|
||||
message(STATUS "Using bundled cxxopts in ${CXXOPTS_INCLUDE}")
|
||||
|
||||
ExternalProject_Add(
|
||||
cxxopts
|
||||
PREFIX ${CXXOPTS_PREFIX}
|
||||
GIT_REPOSITORY "https://github.com/jarro2783/cxxopts.git"
|
||||
GIT_TAG "master"
|
||||
CONFIGURE_COMMAND ""
|
||||
BUILD_COMMAND ""
|
||||
INSTALL_COMMAND ${CMAKE_COMMAND} -E copy ${CXXOPTS_PREFIX}/src/cxxopts/include/cxxopts.hpp
|
||||
${CXXOPTS_INCLUDE}/cxxopts.hpp)
|
||||
@@ -1,8 +1,8 @@
|
||||
diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c
|
||||
index 6f51588e..5f9ea84e 100644
|
||||
index e9faea51..a1b3b501 100644
|
||||
--- a/userspace/libscap/scap.c
|
||||
+++ b/userspace/libscap/scap.c
|
||||
@@ -55,7 +55,7 @@ limitations under the License.
|
||||
@@ -52,7 +52,7 @@ limitations under the License.
|
||||
//#define NDEBUG
|
||||
#include <assert.h>
|
||||
|
||||
@@ -11,16 +11,7 @@ index 6f51588e..5f9ea84e 100644
|
||||
|
||||
//
|
||||
// Probe version string size
|
||||
@@ -114,7 +114,7 @@ scap_t* scap_open_udig_int(char *error, int32_t *rc,
|
||||
static uint32_t get_max_consumers()
|
||||
{
|
||||
uint32_t max;
|
||||
- FILE *pfile = fopen("/sys/module/" PROBE_DEVICE_NAME "_probe/parameters/max_consumers", "r");
|
||||
+ FILE *pfile = fopen("/sys/module/" PROBE_DEVICE_NAME "/parameters/max_consumers", "r");
|
||||
if(pfile != NULL)
|
||||
{
|
||||
int w = fscanf(pfile, "%"PRIu32, &max);
|
||||
@@ -186,7 +186,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
|
||||
@@ -171,7 +171,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
@@ -29,27 +20,7 @@ index 6f51588e..5f9ea84e 100644
|
||||
bpf_probe = buf;
|
||||
}
|
||||
}
|
||||
@@ -344,7 +344,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
|
||||
else if(errno == EBUSY)
|
||||
{
|
||||
uint32_t curr_max_consumers = get_max_consumers();
|
||||
- snprintf(error, SCAP_LASTERR_SIZE, "Too many sysdig instances attached to device %s. Current value for /sys/module/" PROBE_DEVICE_NAME "_probe/parameters/max_consumers is '%"PRIu32"'.", filename, curr_max_consumers);
|
||||
+ snprintf(error, SCAP_LASTERR_SIZE, "Too many Falco instances attached to device %s. Current value for /sys/module/" PROBE_DEVICE_NAME "/parameters/max_consumers is '%"PRIu32"'.", filename, curr_max_consumers);
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -579,8 +579,8 @@ scap_t* scap_open_udig_int(char *error, int32_t *rc,
|
||||
//
|
||||
// Map the ppm_ring_buffer_info that contains the buffer pointers
|
||||
//
|
||||
- if(udig_alloc_ring_descriptors(&(handle->m_devs[0].m_bufinfo_fd),
|
||||
- &handle->m_devs[0].m_bufinfo,
|
||||
+ if(udig_alloc_ring_descriptors(&(handle->m_devs[0].m_bufinfo_fd),
|
||||
+ &handle->m_devs[0].m_bufinfo,
|
||||
&handle->m_devs[0].m_bufstatus,
|
||||
error) != SCAP_SUCCESS)
|
||||
{
|
||||
@@ -2175,7 +2175,7 @@ int32_t scap_disable_dynamic_snaplen(scap_t* handle)
|
||||
@@ -1808,7 +1808,7 @@ int32_t scap_disable_dynamic_snaplen(scap_t* handle)
|
||||
|
||||
const char* scap_get_host_root()
|
||||
{
|
||||
|
||||
@@ -29,8 +29,8 @@ file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
|
||||
# default below In case you want to test against another sysdig version just pass the variable - ie., `cmake
|
||||
# -DSYSDIG_VERSION=dev ..`
|
||||
if(NOT SYSDIG_VERSION)
|
||||
set(SYSDIG_VERSION "5c0b863ddade7a45568c0ac97d037422c9efb750")
|
||||
set(SYSDIG_CHECKSUM "SHA256=9de717b3a4b611ea6df56afee05171860167112f74bb7717b394bcc88ac843cd")
|
||||
set(SYSDIG_VERSION "new/next-per-cpu")
|
||||
set(SYSDIG_CHECKSUM "SHA256=6d2b1881bc49629d448f6a08ab3e85d6cc4c74788f9ed9e13cb402a9958de303")
|
||||
endif()
|
||||
set(PROBE_VERSION "${SYSDIG_VERSION}")
|
||||
|
||||
|
||||
@@ -3,7 +3,7 @@ FROM falcosecurity/falco:${FALCO_IMAGE_TAG}
|
||||
|
||||
LABEL maintainer="cncf-falco-dev@lists.cncf.io"
|
||||
|
||||
LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --name NAME IMAGE"
|
||||
LABEL usage="docker run -i -t -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
|
||||
|
||||
ENV HOST_ROOT /host
|
||||
ENV HOME /root
|
||||
|
||||
@@ -2,7 +2,7 @@ FROM debian:stable
|
||||
|
||||
LABEL maintainer="cncf-falco-dev@lists.cncf.io"
|
||||
|
||||
LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"
|
||||
LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
|
||||
|
||||
ARG FALCO_VERSION=latest
|
||||
ARG VERSION_BUCKET=deb
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
FROM ubuntu:18.04 as ubuntu
|
||||
|
||||
LABEL maintainer="cncf-falco-dev@lists.cncf.io"
|
||||
|
||||
ARG FALCO_VERSION
|
||||
ARG VERSION_BUCKET=bin
|
||||
|
||||
@@ -20,14 +22,6 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/
|
||||
|
||||
FROM scratch
|
||||
|
||||
LABEL maintainer="cncf-falco-dev@lists.cncf.io"
|
||||
|
||||
LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
|
||||
# NOTE: for the "least privileged" use case, please refer to the official documentation
|
||||
|
||||
ENV HOST_ROOT /host
|
||||
ENV HOME /root
|
||||
|
||||
COPY --from=ubuntu /falco /
|
||||
|
||||
CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]
|
||||
@@ -15,7 +15,6 @@ configure_file(config_falco.h.in config_falco.h)
|
||||
|
||||
set(
|
||||
FALCO_SOURCES
|
||||
cli.cpp
|
||||
configuration.cpp
|
||||
logger.cpp
|
||||
falco_outputs.cpp
|
||||
@@ -35,7 +34,6 @@ set(
|
||||
"${PROJECT_BINARY_DIR}/userspace/falco"
|
||||
"${PROJECT_BINARY_DIR}/driver/src"
|
||||
"${STRING_VIEW_LITE_INCLUDE}"
|
||||
"${CXXOPTS_INCLUDE}"
|
||||
"${YAMLCPP_INCLUDE_DIR}"
|
||||
"${CMAKE_CURRENT_BINARY_DIR}"
|
||||
"${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include"
|
||||
@@ -43,7 +41,6 @@ set(
|
||||
|
||||
set(
|
||||
FALCO_DEPENDENCIES
|
||||
cxxopts
|
||||
string-view-lite
|
||||
libyaml
|
||||
b64
|
||||
@@ -126,16 +123,16 @@ target_include_directories(
|
||||
${FALCO_INCLUDE_DIRECTORIES}
|
||||
)
|
||||
|
||||
# if(NOT MINIMAL_BUILD)
|
||||
# add_custom_command(
|
||||
# TARGET falco
|
||||
# COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/verify_engine_fields.sh ${CMAKE_SOURCE_DIR}
|
||||
# WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
|
||||
# COMMENT "Comparing engine fields checksum in falco_engine.h to actual fields"
|
||||
# )
|
||||
# else()
|
||||
# message(STATUS "Skipping engine fields checksum when building the minimal Falco.")
|
||||
# endif()
|
||||
if(NOT MINIMAL_BUILD)
|
||||
add_custom_command(
|
||||
TARGET falco
|
||||
COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/verify_engine_fields.sh ${CMAKE_SOURCE_DIR}
|
||||
WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
|
||||
COMMENT "Comparing engine fields checksum in falco_engine.h to actual fields"
|
||||
)
|
||||
else()
|
||||
message(STATUS "Skipping engine fields checksum when building the minimal Falco.")
|
||||
endif()
|
||||
|
||||
if(NOT MINIMAL_BUILD)
|
||||
add_custom_command(
|
||||
|
||||
@@ -1,22 +0,0 @@
|
||||
/*
|
||||
Copyright (C) 2020 The Falco Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
#include "cli.h"
|
||||
|
||||
namespace falco
|
||||
{
|
||||
|
||||
} // namespace falco
|
||||
@@ -1,188 +0,0 @@
|
||||
/*
|
||||
Copyright (C) 2020 The Falco Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
#include <cxxopts.hpp>
|
||||
|
||||
namespace falco
|
||||
{
|
||||
|
||||
class option_requires_specific_argument_exception : public cxxopts::OptionParseException
|
||||
{
|
||||
public:
|
||||
explicit option_requires_specific_argument_exception(const std::string& option, const std::string& values):
|
||||
OptionParseException("Option " + cxxopts::LQUOTE + option + cxxopts::RQUOTE + " requires an argument equal to " + values)
|
||||
{
|
||||
}
|
||||
};
|
||||
|
||||
class option_cannot_be_specified_exception : public cxxopts::OptionParseException
|
||||
{
|
||||
public:
|
||||
explicit option_cannot_be_specified_exception(const std::string& option1, const std::string& option2):
|
||||
OptionParseException("Options " + cxxopts::LQUOTE + option1 + cxxopts::RQUOTE + " and " + cxxopts::LQUOTE + option2 + cxxopts::RQUOTE + " can not be specified together")
|
||||
{
|
||||
}
|
||||
};
|
||||
|
||||
class cli
|
||||
{
|
||||
public:
|
||||
cli(int argc, const char** argv):
|
||||
m_argc(argc), m_argv(argv), m_options("falco", "Cloud-Native Runtime Security")
|
||||
{
|
||||
}
|
||||
virtual ~cli()
|
||||
{
|
||||
}
|
||||
|
||||
void run()
|
||||
{
|
||||
// These options give some info about Falco (Falco exits).
|
||||
m_options.add_options(
|
||||
"help",
|
||||
{
|
||||
{"h,help", "Print help page."},
|
||||
{"support", "Print support information (version, rules files, etc.)."},
|
||||
{"version", "Print version info."},
|
||||
});
|
||||
|
||||
// These are options responsible for listing Falco elements (Falco exits).
|
||||
m_options.add_options(
|
||||
"list",
|
||||
{
|
||||
{"L", "Show name and description of all rules."},
|
||||
{"l", "Show name and description of a specific rule.", cxxopts::value<std::string>(), "rule name"},
|
||||
{"list", "Show all fields.", cxxopts::value<std::string>()->implicit_value("all"), "sycall|k8s_audit"},
|
||||
{"N", "Show field names only."},
|
||||
});
|
||||
|
||||
// m_options.add_options(
|
||||
// "output",
|
||||
// {
|
||||
// {},
|
||||
// });
|
||||
|
||||
// m_options.add_options(
|
||||
// "input",
|
||||
// {
|
||||
// {},
|
||||
// });
|
||||
|
||||
m_options.add_options(
|
||||
"filtering",
|
||||
{
|
||||
{"D", "Disable any rules with names having the given substring. Can be specified multiple times. Can not be specified with -t.", cxxopts::value<std::vector<std::string>>(), "substring"},
|
||||
{"T", "Disable any rules with a specific tag. Can be specified several times. Can not be specified with -t.", cxxopts::value<std::vector<std::string>>(), "tag"},
|
||||
{"t", "Only run those rules with a specific tag. Can be specified several times. Can not be specified with -T or -D.", cxxopts::value<std::vector<std::string>>(), "tag"},
|
||||
});
|
||||
|
||||
m_result = m_options.parse(m_argc, m_argv);
|
||||
|
||||
process();
|
||||
}
|
||||
|
||||
private:
|
||||
void process()
|
||||
{
|
||||
if(m_result.count("help") && m_result["help"].as<bool>())
|
||||
{
|
||||
std::cout << m_options.help() << std::endl;
|
||||
// todo: print > exit
|
||||
}
|
||||
|
||||
if(m_result.count("support") && m_result["support"].as<bool>())
|
||||
{
|
||||
// todo: argv + config rule filenames > cmdline > print > exit
|
||||
}
|
||||
|
||||
if(m_result.count("version") && m_result["version"].as<bool>())
|
||||
{
|
||||
// todo: print > exit
|
||||
}
|
||||
|
||||
if(m_result.count("L") && m_result["L"].as<bool>())
|
||||
{
|
||||
// todo: engine > print > exit
|
||||
// engine->describe_rule(NULL)
|
||||
}
|
||||
|
||||
if(m_result.count("l"))
|
||||
{
|
||||
// todo: engine > print > exit
|
||||
// engine->describe_rule(m_result["l"].as<string>());
|
||||
}
|
||||
|
||||
if(m_result.count("list"))
|
||||
{
|
||||
auto source = m_result["list"].as<std::string>();
|
||||
// todo: retrieve implicit value
|
||||
if(source.empty() || (source != "syscall" && source != "k8s_audit" && source != "all"))
|
||||
{
|
||||
throw falco::option_requires_specific_argument_exception(
|
||||
"list",
|
||||
cxxopts::LQUOTE + "syscall" + cxxopts::RQUOTE + " or " + cxxopts::LQUOTE + "k8s_audit" + cxxopts::RQUOTE);
|
||||
}
|
||||
|
||||
bool names_only = false;
|
||||
if(m_result.count("N"))
|
||||
{
|
||||
names_only = m_result["N"].as<bool>();
|
||||
}
|
||||
|
||||
// todo: engine + names_only + source
|
||||
// se valore == syscall ==> + [-V]
|
||||
}
|
||||
|
||||
bool count_D = m_result.count("D");
|
||||
bool count_t = m_result.count("t");
|
||||
bool count_T = m_result.count("T");
|
||||
if(count_D > 0)
|
||||
{
|
||||
if(count_t > 0)
|
||||
{
|
||||
throw falco::option_cannot_be_specified_exception("D", "t");
|
||||
}
|
||||
// todo
|
||||
// engine > not exit
|
||||
}
|
||||
if(count_T > 0)
|
||||
{
|
||||
if(count_t > 0)
|
||||
{
|
||||
throw falco::option_cannot_be_specified_exception("T", "t");
|
||||
}
|
||||
// todo
|
||||
// engine > not exit
|
||||
}
|
||||
if(count_t > 0)
|
||||
{
|
||||
// todo
|
||||
// engine > not exit
|
||||
}
|
||||
}
|
||||
|
||||
int m_argc;
|
||||
const char** m_argv;
|
||||
cxxopts::Options m_options;
|
||||
cxxopts::ParseResult m_result;
|
||||
};
|
||||
|
||||
} // namespace falco
|
||||
|
||||
// 3 tipi di azioni
|
||||
// quelle che una volta date devono farlo uscire e non hanno bisogno di nessuna istanza
|
||||
// quelle che hanno bisogno di inspector e/o engine e poi falco esce
|
||||
// quelle che hanno bisogno di inspector e/o engine e poi falco esegue
|
||||
@@ -30,6 +30,8 @@ limitations under the License.
|
||||
#include <sys/stat.h>
|
||||
#include <unistd.h>
|
||||
#include <getopt.h>
|
||||
#include <condition_variable>
|
||||
#include <chrono>
|
||||
|
||||
#include <sinsp.h>
|
||||
|
||||
@@ -43,7 +45,6 @@ limitations under the License.
|
||||
#include "falco_engine.h"
|
||||
#include "config_falco.h"
|
||||
#include "statsfilewriter.h"
|
||||
#include "cli.h"
|
||||
#ifndef MINIMAL_BUILD
|
||||
#include "webserver.h"
|
||||
#include "grpc_server.h"
|
||||
@@ -75,102 +76,106 @@ static void restart_falco(int signal)
|
||||
g_restart = true;
|
||||
}
|
||||
|
||||
// //
|
||||
// // Program help
|
||||
// //
|
||||
// static void usage()
|
||||
// {
|
||||
// printf(
|
||||
// "Falco version: " FALCO_VERSION "\n"
|
||||
// "Usage: falco [options]\n\n"
|
||||
// "Options:\n"
|
||||
|
||||
// " -c Configuration file (default " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE ")\n"
|
||||
// " -A Monitor all events, including those with EF_DROP_SIMPLE_CONS flag.\n"
|
||||
// " --alternate-lua-dir <path> Specify an alternate path for loading Falco lua files\n"
|
||||
// " -b, --print-base64 Print data buffers in base64.\n"
|
||||
// " This is useful for encoding binary data that needs to be used over media designed to.\n"
|
||||
// " --cri <path> Path to CRI socket for container metadata.\n"
|
||||
// " Use the specified socket to fetch data from a CRI-compatible runtime.\n"
|
||||
// " -d, --daemon Run as a daemon.\n"
|
||||
// " --disable-cri-async Disable asynchronous CRI metadata fetching.\n"
|
||||
// " This is useful to let the input event wait for the container metadata fetch\n"
|
||||
// " to finish before moving forward. Async fetching, in some environments leads\n"
|
||||
// " to empty fields for container metadata when the fetch is not fast enough to be\n"
|
||||
// " completed asynchronously. This can have a performance penalty on your environment\n"
|
||||
// " depending on the number of containers and the frequency at which they are created/started/stopped\n"
|
||||
// " --disable-source <event_source>\n"
|
||||
// " Disable a specific event source.\n"
|
||||
// " Available event sources are: syscall, k8s_audit.\n"
|
||||
// " It can be passed multiple times.\n"
|
||||
// " Can not disable both the event sources.\n"
|
||||
|
||||
// " -e <events_file> Read the events from <events_file> (in .scap format for sinsp events, or jsonl for\n"
|
||||
// " k8s audit events) instead of tapping into live.\n"
|
||||
// #ifndef MINIMAL_BUILD
|
||||
// " -k <url>, --k8s-api <url>\n"
|
||||
// " Enable Kubernetes support by connecting to the API server specified as argument.\n"
|
||||
// " E.g. \"http://admin:password@127.0.0.1:8080\".\n"
|
||||
// " The API server can also be specified via the environment variable FALCO_K8S_API.\n"
|
||||
// " -K <bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>], --k8s-api-cert <bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>]\n"
|
||||
// " Use the provided files names to authenticate user and (optionally) verify the K8S API server identity.\n"
|
||||
// " Each entry must specify full (absolute, or relative to the current directory) path to the respective file.\n"
|
||||
// " Private key password is optional (needed only if key is password protected).\n"
|
||||
// " CA certificate is optional. For all files, only PEM file format is supported. \n"
|
||||
// " Specifying CA certificate only is obsoleted - when single entry is provided \n"
|
||||
// " for this option, it will be interpreted as the name of a file containing bearer token.\n"
|
||||
// " Note that the format of this command-line option prohibits use of files whose names contain\n"
|
||||
// " ':' or '#' characters in the file name.\n"
|
||||
// #endif
|
||||
|
||||
|
||||
|
||||
|
||||
// #ifndef MINIMAL_BUILD
|
||||
// " -m <url[,marathon_url]>, --mesos-api <url[,marathon_url]>\n"
|
||||
// " Enable Mesos support by connecting to the API server\n"
|
||||
// " specified as argument. E.g. \"http://admin:password@127.0.0.1:5050\".\n"
|
||||
// " Marathon url is optional and defaults to Mesos address, port 8080.\n"
|
||||
// " The API servers can also be specified via the environment variable FALCO_MESOS_API.\n"
|
||||
// #endif
|
||||
// " -M <num_seconds> Stop collecting after <num_seconds> reached.\n"
|
||||
|
||||
// " -o, --option <key>=<val> Set the value of option <key> to <val>. Overrides values in configuration file.\n"
|
||||
// " <key> can be a two-part <key>.<subkey>\n"
|
||||
// " -p <output_format>, --print <output_format>\n"
|
||||
// " Add additional information to each falco notification's output.\n"
|
||||
// " With -pc or -pcontainer will use a container-friendly format.\n"
|
||||
// " With -pk or -pkubernetes will use a kubernetes-friendly format.\n"
|
||||
// " With -pm or -pmesos will use a mesos-friendly format.\n"
|
||||
// " Additionally, specifying -pc/-pk/-pm will change the interpretation\n"
|
||||
// " of %%container.info in rule output fields.\n"
|
||||
// " -P, --pidfile <pid_file> When run as a daemon, write pid to specified file\n"
|
||||
// " -r <rules_file> Rules file/directory (defaults to value set in configuration file, or /etc/falco_rules.yaml).\n"
|
||||
// " Can be specified multiple times to read from multiple files/directories.\n"
|
||||
// " -s <stats_file> If specified, append statistics related to Falco's reading/processing of events\n"
|
||||
// " to this file (only useful in live mode).\n"
|
||||
// " --stats-interval <msec> When using -s <stats_file>, write statistics every <msec> ms.\n"
|
||||
// " This uses signals, so don't recommend intervals below 200 ms.\n"
|
||||
// " Defaults to 5000 (5 seconds).\n"
|
||||
// " -S <len>, --snaplen <len>\n"
|
||||
// " Capture the first <len> bytes of each I/O buffer.\n"
|
||||
// " By default, the first 80 bytes are captured. Use this\n"
|
||||
// " option with caution, it can generate huge trace files.\n"
|
||||
|
||||
|
||||
// " -U,--unbuffered Turn off output buffering to configured outputs.\n"
|
||||
// " This causes every single line emitted by falco to be flushed,\n"
|
||||
// " which generates higher CPU usage but is useful when piping those outputs\n"
|
||||
// " into another process or into a script.\n"
|
||||
// " -u, --userspace Parse events from userspace.\n"
|
||||
// " To be used in conjunction with the ptrace(2) based driver (pdig).\n"
|
||||
// " -V, --validate <rules_file> Read the contents of the specified rules(s) file and exit.\n"
|
||||
// " Can be specified multiple times to validate multiple files.\n"
|
||||
// " -v Verbose output.\n"
|
||||
|
||||
// "\n"
|
||||
// );
|
||||
// }
|
||||
//
|
||||
// Program help
|
||||
//
|
||||
static void usage()
|
||||
{
|
||||
printf(
|
||||
"Falco version: " FALCO_VERSION "\n"
|
||||
"Usage: falco [options]\n\n"
|
||||
"Options:\n"
|
||||
" -h, --help Print this page\n"
|
||||
" -c Configuration file (default " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE ")\n"
|
||||
" -A Monitor all events, including those with EF_DROP_SIMPLE_CONS flag.\n"
|
||||
" --alternate-lua-dir <path> Specify an alternate path for loading Falco lua files\n"
|
||||
" -b, --print-base64 Print data buffers in base64.\n"
|
||||
" This is useful for encoding binary data that needs to be used over media designed to.\n"
|
||||
" --cri <path> Path to CRI socket for container metadata.\n"
|
||||
" Use the specified socket to fetch data from a CRI-compatible runtime.\n"
|
||||
" -d, --daemon Run as a daemon.\n"
|
||||
" --disable-cri-async Disable asynchronous CRI metadata fetching.\n"
|
||||
" This is useful to let the input event wait for the container metadata fetch\n"
|
||||
" to finish before moving forward. Async fetching, in some environments leads\n"
|
||||
" to empty fields for container metadata when the fetch is not fast enough to be\n"
|
||||
" completed asynchronously. This can have a performance penalty on your environment\n"
|
||||
" depending on the number of containers and the frequency at which they are created/started/stopped\n"
|
||||
" --disable-source <event_source>\n"
|
||||
" Disable a specific event source.\n"
|
||||
" Available event sources are: syscall, k8s_audit.\n"
|
||||
" It can be passed multiple times.\n"
|
||||
" Can not disable both the event sources.\n"
|
||||
" -D <substring> Disable any rules with names having the substring <substring>. Can be specified multiple times.\n"
|
||||
" Can not be specified with -t.\n"
|
||||
" -e <events_file> Read the events from <events_file> (in .scap format for sinsp events, or jsonl for\n"
|
||||
" k8s audit events) instead of tapping into live.\n"
|
||||
#ifndef MINIMAL_BUILD
|
||||
" -k <url>, --k8s-api <url>\n"
|
||||
" Enable Kubernetes support by connecting to the API server specified as argument.\n"
|
||||
" E.g. \"http://admin:password@127.0.0.1:8080\".\n"
|
||||
" The API server can also be specified via the environment variable FALCO_K8S_API.\n"
|
||||
" -K <bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>], --k8s-api-cert <bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>]\n"
|
||||
" Use the provided files names to authenticate user and (optionally) verify the K8S API server identity.\n"
|
||||
" Each entry must specify full (absolute, or relative to the current directory) path to the respective file.\n"
|
||||
" Private key password is optional (needed only if key is password protected).\n"
|
||||
" CA certificate is optional. For all files, only PEM file format is supported. \n"
|
||||
" Specifying CA certificate only is obsoleted - when single entry is provided \n"
|
||||
" for this option, it will be interpreted as the name of a file containing bearer token.\n"
|
||||
" Note that the format of this command-line option prohibits use of files whose names contain\n"
|
||||
" ':' or '#' characters in the file name.\n"
|
||||
#endif
|
||||
" -L Show the name and description of all rules and exit.\n"
|
||||
" -l <rule> Show the name and description of the rule with name <rule> and exit.\n"
|
||||
" --list [<source>] List all defined fields. If <source> is provided, only list those fields for\n"
|
||||
" the source <source>. Current values for <source> are \"syscall\", \"k8s_audit\"\n"
|
||||
#ifndef MINIMAL_BUILD
|
||||
" -m <url[,marathon_url]>, --mesos-api <url[,marathon_url]>\n"
|
||||
" Enable Mesos support by connecting to the API server\n"
|
||||
" specified as argument. E.g. \"http://admin:password@127.0.0.1:5050\".\n"
|
||||
" Marathon url is optional and defaults to Mesos address, port 8080.\n"
|
||||
" The API servers can also be specified via the environment variable FALCO_MESOS_API.\n"
|
||||
#endif
|
||||
" -M <num_seconds> Stop collecting after <num_seconds> reached.\n"
|
||||
" -N When used with --list, only print field names.\n"
|
||||
" -o, --option <key>=<val> Set the value of option <key> to <val>. Overrides values in configuration file.\n"
|
||||
" <key> can be a two-part <key>.<subkey>\n"
|
||||
" -p <output_format>, --print <output_format>\n"
|
||||
" Add additional information to each falco notification's output.\n"
|
||||
" With -pc or -pcontainer will use a container-friendly format.\n"
|
||||
" With -pk or -pkubernetes will use a kubernetes-friendly format.\n"
|
||||
" With -pm or -pmesos will use a mesos-friendly format.\n"
|
||||
" Additionally, specifying -pc/-pk/-pm will change the interpretation\n"
|
||||
" of %%container.info in rule output fields.\n"
|
||||
" -P, --pidfile <pid_file> When run as a daemon, write pid to specified file\n"
|
||||
" -r <rules_file> Rules file/directory (defaults to value set in configuration file, or /etc/falco_rules.yaml).\n"
|
||||
" Can be specified multiple times to read from multiple files/directories.\n"
|
||||
" -s <stats_file> If specified, append statistics related to Falco's reading/processing of events\n"
|
||||
" to this file (only useful in live mode).\n"
|
||||
" --stats-interval <msec> When using -s <stats_file>, write statistics every <msec> ms.\n"
|
||||
" This uses signals, so don't recommend intervals below 200 ms.\n"
|
||||
" Defaults to 5000 (5 seconds).\n"
|
||||
" -S <len>, --snaplen <len>\n"
|
||||
" Capture the first <len> bytes of each I/O buffer.\n"
|
||||
" By default, the first 80 bytes are captured. Use this\n"
|
||||
" option with caution, it can generate huge trace files.\n"
|
||||
" --support Print support information including version, rules files used, etc. and exit.\n"
|
||||
" -T <tag> Disable any rules with a tag=<tag>. Can be specified multiple times.\n"
|
||||
" Can not be specified with -t.\n"
|
||||
" -t <tag> Only run those rules with a tag=<tag>. Can be specified multiple times.\n"
|
||||
" Can not be specified with -T/-D.\n"
|
||||
" -U,--unbuffered Turn off output buffering to configured outputs.\n"
|
||||
" This causes every single line emitted by falco to be flushed,\n"
|
||||
" which generates higher CPU usage but is useful when piping those outputs\n"
|
||||
" into another process or into a script.\n"
|
||||
" -u, --userspace Parse events from userspace.\n"
|
||||
" To be used in conjunction with the ptrace(2) based driver (pdig).\n"
|
||||
" -V, --validate <rules_file> Read the contents of the specified rules(s) file and exit.\n"
|
||||
" Can be specified multiple times to validate multiple files.\n"
|
||||
" -v Verbose output.\n"
|
||||
" --version Print version number.\n"
|
||||
"\n"
|
||||
);
|
||||
}
|
||||
|
||||
static void display_fatal_err(const string &msg)
|
||||
{
|
||||
@@ -244,17 +249,14 @@ uint64_t do_inspect(falco_engine *engine,
|
||||
int &result)
|
||||
{
|
||||
uint64_t num_evts = 0;
|
||||
int32_t rc;
|
||||
sinsp_evt* ev;
|
||||
StatsFileWriter writer;
|
||||
uint64_t duration_start = 0;
|
||||
|
||||
sdropmgr.init(inspector,
|
||||
outputs,
|
||||
config.m_syscall_evt_drop_actions,
|
||||
config.m_syscall_evt_drop_rate,
|
||||
config.m_syscall_evt_drop_max_burst,
|
||||
config.m_syscall_evt_simulate_drops);
|
||||
// sdropmgr.init(inspector,
|
||||
// outputs,
|
||||
// config.m_syscall_evt_drop_actions,
|
||||
// config.m_syscall_evt_drop_rate,
|
||||
// config.m_syscall_evt_drop_max_burst,
|
||||
// config.m_syscall_evt_simulate_drops);
|
||||
|
||||
if (stats_filename != "")
|
||||
{
|
||||
@@ -266,15 +268,74 @@ uint64_t do_inspect(falco_engine *engine,
|
||||
}
|
||||
}
|
||||
|
||||
//
|
||||
// Loop through the events
|
||||
//
|
||||
uint32_t ndevs = inspector->get_open_ndevs();
|
||||
std::vector<std::thread> threads(ndevs);
|
||||
for(size_t i = 0; i < ndevs; i++)
|
||||
{
|
||||
threads.push_back(std::thread([inspector, engine, outputs, i, all_events] {
|
||||
int32_t rc;
|
||||
sinsp_evt *ev;
|
||||
//
|
||||
// Loop through the events
|
||||
//
|
||||
while(1)
|
||||
{
|
||||
rc = inspector->next_per_cpu(&ev, i);
|
||||
|
||||
// writer.handle();
|
||||
|
||||
if(rc == SCAP_TIMEOUT)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
else if(rc == SCAP_EOF)
|
||||
{
|
||||
break; // todo > capire
|
||||
}
|
||||
else if(rc != SCAP_SUCCESS)
|
||||
{
|
||||
//
|
||||
// Event read error.
|
||||
// Notify that we're exiting, and then die with an error.
|
||||
//
|
||||
cerr << "rc = " << rc << endl;
|
||||
throw sinsp_exception(inspector->getlasterr().c_str()); // TODO(leodido,fntlnz)
|
||||
}
|
||||
|
||||
// if(!sdropmgr.process_event(inspector, ev))
|
||||
// {
|
||||
// result = EXIT_FAILURE;
|
||||
// break;
|
||||
// }
|
||||
|
||||
if(!ev->simple_consumer_consider() && !all_events)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
// As the inspector has no filter at its level, all
|
||||
// events are returned here. Pass them to the falco
|
||||
// engine, which will match the event against the set
|
||||
// of rules. If a match is found, pass the event to
|
||||
// the outputs.
|
||||
unique_ptr<falco_engine::rule_result> res = engine->process_sinsp_event(ev);
|
||||
if(res)
|
||||
{
|
||||
outputs->handle_event(res->evt, res->rule, res->source, res->priority_num, res->format);
|
||||
}
|
||||
|
||||
// num_evts++;
|
||||
}
|
||||
}));
|
||||
}
|
||||
auto deadline = std::chrono::steady_clock::now() + std::chrono::nanoseconds(duration_to_tot_ns);
|
||||
|
||||
while(1)
|
||||
{
|
||||
|
||||
rc = inspector->next(&ev);
|
||||
|
||||
writer.handle();
|
||||
if(std::chrono::steady_clock::now() >= deadline)
|
||||
{
|
||||
break;
|
||||
}
|
||||
|
||||
if(g_reopen_outputs)
|
||||
{
|
||||
@@ -287,63 +348,19 @@ uint64_t do_inspect(falco_engine *engine,
|
||||
falco_logger::log(LOG_INFO, "SIGINT received, exiting...\n");
|
||||
break;
|
||||
}
|
||||
else if (g_restart)
|
||||
else if(g_restart)
|
||||
{
|
||||
falco_logger::log(LOG_INFO, "SIGHUP received, restarting...\n");
|
||||
break;
|
||||
}
|
||||
else if(rc == SCAP_TIMEOUT)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
else if(rc == SCAP_EOF)
|
||||
{
|
||||
break;
|
||||
}
|
||||
else if(rc != SCAP_SUCCESS)
|
||||
{
|
||||
//
|
||||
// Event read error.
|
||||
// Notify the chisels that we're exiting, and then die with an error.
|
||||
//
|
||||
cerr << "rc = " << rc << endl;
|
||||
throw sinsp_exception(inspector->getlasterr().c_str());
|
||||
}
|
||||
}
|
||||
|
||||
if (duration_start == 0)
|
||||
for(auto &t : threads)
|
||||
{
|
||||
if(t.joinable())
|
||||
{
|
||||
duration_start = ev->get_ts();
|
||||
} else if(duration_to_tot_ns > 0)
|
||||
{
|
||||
if(ev->get_ts() - duration_start >= duration_to_tot_ns)
|
||||
{
|
||||
break;
|
||||
}
|
||||
t.join();
|
||||
}
|
||||
|
||||
if(!sdropmgr.process_event(inspector, ev))
|
||||
{
|
||||
result = EXIT_FAILURE;
|
||||
break;
|
||||
}
|
||||
|
||||
if(!ev->simple_consumer_consider() && !all_events)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
// As the inspector has no filter at its level, all
|
||||
// events are returned here. Pass them to the falco
|
||||
// engine, which will match the event against the set
|
||||
// of rules. If a match is found, pass the event to
|
||||
// the outputs.
|
||||
unique_ptr<falco_engine::rule_result> res = engine->process_sinsp_event(ev);
|
||||
if(res)
|
||||
{
|
||||
outputs->handle_event(res->evt, res->rule, res->source, res->priority_num, res->format);
|
||||
}
|
||||
|
||||
num_evts++;
|
||||
}
|
||||
|
||||
return num_evts;
|
||||
@@ -392,7 +409,8 @@ static void print_all_ignored_events(sinsp *inspector)
|
||||
|
||||
static void list_source_fields(falco_engine *engine, bool verbose, bool names_only, std::string &source)
|
||||
{
|
||||
if(!source.empty() && !(source == "syscall" || source == "k8s_audit"))
|
||||
if(source.size() > 0 &&
|
||||
!(source == "syscall" || source == "k8s_audit"))
|
||||
{
|
||||
throw std::invalid_argument("Value for --list must be \"syscall\" or \"k8s_audit\"");
|
||||
}
|
||||
@@ -409,7 +427,7 @@ static void list_source_fields(falco_engine *engine, bool verbose, bool names_on
|
||||
//
|
||||
// ARGUMENT PARSING AND PROGRAM SETUP
|
||||
//
|
||||
int falco_init()
|
||||
int falco_init(int argc, char **argv)
|
||||
{
|
||||
int result = EXIT_SUCCESS;
|
||||
sinsp* inspector = NULL;
|
||||
@@ -510,197 +528,198 @@ int falco_init()
|
||||
set<string> disabled_rule_tags;
|
||||
set<string> enabled_rule_tags;
|
||||
|
||||
// //
|
||||
// // Parse the args
|
||||
// //
|
||||
// while((op = getopt_long(argc, argv,
|
||||
// "hc:AbdD:e:F:ik:K:Ll:m:M:No:P:p:r:S:s:T:t:UuvV:w:",
|
||||
// long_options, &long_index)) != -1)
|
||||
// {
|
||||
// switch(op)
|
||||
// {
|
||||
// case 'h':
|
||||
// usage();
|
||||
// goto exit;
|
||||
// case 'c':
|
||||
// conf_filename = optarg;
|
||||
// break;
|
||||
// case 'A':
|
||||
// all_events = true;
|
||||
// break;
|
||||
// case 'b':
|
||||
// event_buffer_format = sinsp_evt::PF_BASE64;
|
||||
// break;
|
||||
// case 'd':
|
||||
// daemon = true;
|
||||
// break;
|
||||
// case 'D':
|
||||
// substring = optarg;
|
||||
// disabled_rule_substrings.insert(substring);
|
||||
// break;
|
||||
// case 'e':
|
||||
// trace_filename = optarg;
|
||||
// #ifndef MINIMAL_BUILD
|
||||
// k8s_api = new string();
|
||||
// mesos_api = new string();
|
||||
// #endif
|
||||
// break;
|
||||
// case 'F':
|
||||
// list_flds = optarg;
|
||||
// break;
|
||||
// case 'i':
|
||||
// print_ignored_events = true;
|
||||
// break;
|
||||
// #ifndef MINIMAL_BUILD
|
||||
// case 'k':
|
||||
// k8s_api = new string(optarg);
|
||||
// break;
|
||||
// case 'K':
|
||||
// k8s_api_cert = new string(optarg);
|
||||
// break;
|
||||
// #endif
|
||||
// case 'L':
|
||||
// describe_all_rules = true;
|
||||
// break;
|
||||
// case 'l':
|
||||
// describe_rule = optarg;
|
||||
// break;
|
||||
// #ifndef MINIMAL_BUILD
|
||||
// case 'm':
|
||||
// mesos_api = new string(optarg);
|
||||
// break;
|
||||
// #endif
|
||||
// case 'M':
|
||||
// duration_to_tot = atoi(optarg);
|
||||
// if(duration_to_tot <= 0)
|
||||
// {
|
||||
// throw sinsp_exception(string("invalid duration") + optarg);
|
||||
// }
|
||||
// break;
|
||||
// case 'N':
|
||||
// names_only = true;
|
||||
// break;
|
||||
// case 'o':
|
||||
// cmdline_options.push_back(optarg);
|
||||
// break;
|
||||
// case 'P':
|
||||
// pidfilename = optarg;
|
||||
// break;
|
||||
// case 'p':
|
||||
// if(string(optarg) == "c" || string(optarg) == "container")
|
||||
// {
|
||||
// output_format = "container=%container.name (id=%container.id)";
|
||||
// replace_container_info = true;
|
||||
// }
|
||||
// else if(string(optarg) == "k" || string(optarg) == "kubernetes")
|
||||
// {
|
||||
// output_format = "k8s.ns=%k8s.ns.name k8s.pod=%k8s.pod.name container=%container.id";
|
||||
// replace_container_info = true;
|
||||
// }
|
||||
// else if(string(optarg) == "m" || string(optarg) == "mesos")
|
||||
// {
|
||||
// output_format = "task=%mesos.task.name container=%container.id";
|
||||
// replace_container_info = true;
|
||||
// }
|
||||
// else
|
||||
// {
|
||||
// output_format = optarg;
|
||||
// replace_container_info = false;
|
||||
// }
|
||||
// break;
|
||||
// case 'r':
|
||||
// falco_configuration::read_rules_file_directory(string(optarg), rules_filenames);
|
||||
// break;
|
||||
// case 'S':
|
||||
// snaplen = atoi(optarg);
|
||||
// break;
|
||||
// case 's':
|
||||
// stats_filename = optarg;
|
||||
// break;
|
||||
// case 'T':
|
||||
// disabled_rule_tags.insert(optarg);
|
||||
// break;
|
||||
// case 't':
|
||||
// enabled_rule_tags.insert(optarg);
|
||||
// break;
|
||||
// case 'U':
|
||||
// buffered_outputs = false;
|
||||
// buffered_cmdline = true;
|
||||
// break;
|
||||
// case 'u':
|
||||
// userspace = true;
|
||||
// break;
|
||||
// case 'v':
|
||||
// verbose = true;
|
||||
// break;
|
||||
// case 'V':
|
||||
// validate_rules_filenames.push_back(optarg);
|
||||
// break;
|
||||
// case 'w':
|
||||
// outfile = optarg;
|
||||
// break;
|
||||
// case '?':
|
||||
// result = EXIT_FAILURE;
|
||||
// goto exit;
|
||||
//
|
||||
// Parse the args
|
||||
//
|
||||
while((op = getopt_long(argc, argv,
|
||||
"hc:AbdD:e:F:ik:K:Ll:m:M:No:P:p:r:S:s:T:t:UuvV:w:",
|
||||
long_options, &long_index)) != -1)
|
||||
{
|
||||
switch(op)
|
||||
{
|
||||
case 'h':
|
||||
usage();
|
||||
goto exit;
|
||||
case 'c':
|
||||
conf_filename = optarg;
|
||||
break;
|
||||
case 'A':
|
||||
all_events = true;
|
||||
break;
|
||||
case 'b':
|
||||
event_buffer_format = sinsp_evt::PF_BASE64;
|
||||
break;
|
||||
case 'd':
|
||||
daemon = true;
|
||||
break;
|
||||
case 'D':
|
||||
substring = optarg;
|
||||
disabled_rule_substrings.insert(substring);
|
||||
break;
|
||||
case 'e':
|
||||
trace_filename = optarg;
|
||||
#ifndef MINIMAL_BUILD
|
||||
k8s_api = new string();
|
||||
mesos_api = new string();
|
||||
#endif
|
||||
break;
|
||||
case 'F':
|
||||
list_flds = optarg;
|
||||
break;
|
||||
case 'i':
|
||||
print_ignored_events = true;
|
||||
break;
|
||||
#ifndef MINIMAL_BUILD
|
||||
case 'k':
|
||||
k8s_api = new string(optarg);
|
||||
break;
|
||||
case 'K':
|
||||
k8s_api_cert = new string(optarg);
|
||||
break;
|
||||
#endif
|
||||
case 'L':
|
||||
describe_all_rules = true;
|
||||
break;
|
||||
case 'l':
|
||||
describe_rule = optarg;
|
||||
break;
|
||||
#ifndef MINIMAL_BUILD
|
||||
case 'm':
|
||||
mesos_api = new string(optarg);
|
||||
break;
|
||||
#endif
|
||||
case 'M':
|
||||
duration_to_tot = atoi(optarg);
|
||||
if(duration_to_tot <= 0)
|
||||
{
|
||||
throw sinsp_exception(string("invalid duration") + optarg);
|
||||
}
|
||||
break;
|
||||
case 'N':
|
||||
names_only = true;
|
||||
break;
|
||||
case 'o':
|
||||
cmdline_options.push_back(optarg);
|
||||
break;
|
||||
case 'P':
|
||||
pidfilename = optarg;
|
||||
break;
|
||||
case 'p':
|
||||
if(string(optarg) == "c" || string(optarg) == "container")
|
||||
{
|
||||
output_format = "container=%container.name (id=%container.id)";
|
||||
replace_container_info = true;
|
||||
}
|
||||
else if(string(optarg) == "k" || string(optarg) == "kubernetes")
|
||||
{
|
||||
output_format = "k8s.ns=%k8s.ns.name k8s.pod=%k8s.pod.name container=%container.id";
|
||||
replace_container_info = true;
|
||||
}
|
||||
else if(string(optarg) == "m" || string(optarg) == "mesos")
|
||||
{
|
||||
output_format = "task=%mesos.task.name container=%container.id";
|
||||
replace_container_info = true;
|
||||
}
|
||||
else
|
||||
{
|
||||
output_format = optarg;
|
||||
replace_container_info = false;
|
||||
}
|
||||
break;
|
||||
case 'r':
|
||||
falco_configuration::read_rules_file_directory(string(optarg), rules_filenames);
|
||||
break;
|
||||
case 'S':
|
||||
snaplen = atoi(optarg);
|
||||
break;
|
||||
case 's':
|
||||
stats_filename = optarg;
|
||||
break;
|
||||
case 'T':
|
||||
disabled_rule_tags.insert(optarg);
|
||||
break;
|
||||
case 't':
|
||||
enabled_rule_tags.insert(optarg);
|
||||
break;
|
||||
case 'U':
|
||||
buffered_outputs = false;
|
||||
buffered_cmdline = true;
|
||||
break;
|
||||
case 'u':
|
||||
userspace = true;
|
||||
break;
|
||||
case 'v':
|
||||
verbose = true;
|
||||
break;
|
||||
case 'V':
|
||||
validate_rules_filenames.push_back(optarg);
|
||||
break;
|
||||
case 'w':
|
||||
outfile = optarg;
|
||||
break;
|
||||
case '?':
|
||||
result = EXIT_FAILURE;
|
||||
goto exit;
|
||||
|
||||
// case 0:
|
||||
// if(string(long_options[long_index].name) == "version")
|
||||
// {
|
||||
// printf("Falco version: %s\n", FALCO_VERSION);
|
||||
// printf("Driver version: %s\n", DRIVER_VERSION);
|
||||
// return EXIT_SUCCESS;
|
||||
// }
|
||||
// else if (string(long_options[long_index].name) == "cri")
|
||||
// {
|
||||
// if(optarg != NULL)
|
||||
// {
|
||||
// cri_socket_path = optarg;
|
||||
// }
|
||||
// }
|
||||
// else if (string(long_options[long_index].name) == "disable-cri-async")
|
||||
// {
|
||||
// cri_async = false;
|
||||
// }
|
||||
// else if (string(long_options[long_index].name) == "list")
|
||||
// {
|
||||
// list_flds = true;
|
||||
// if(optarg != NULL)
|
||||
// {
|
||||
// list_flds_source = optarg;
|
||||
// }
|
||||
// }
|
||||
// else if (string(long_options[long_index].name) == "stats-interval")
|
||||
// {
|
||||
// stats_interval = atoi(optarg);
|
||||
// }
|
||||
// else if (string(long_options[long_index].name) == "support")
|
||||
// {
|
||||
// print_support = true;
|
||||
// }
|
||||
// else if (string(long_options[long_index].name) == "disable-source")
|
||||
// {
|
||||
// if(optarg != NULL)
|
||||
// {
|
||||
// disable_sources.insert(optarg);
|
||||
// }
|
||||
// }
|
||||
// else if (string(long_options[long_index].name)== "alternate-lua-dir")
|
||||
// {
|
||||
// if(optarg != NULL)
|
||||
// {
|
||||
// alternate_lua_dir = optarg;
|
||||
// if (alternate_lua_dir.back() != '/') {
|
||||
// alternate_lua_dir += '/';
|
||||
// }
|
||||
// }
|
||||
// }
|
||||
// break;
|
||||
case 0:
|
||||
if(string(long_options[long_index].name) == "version")
|
||||
{
|
||||
printf("Falco version: %s\n", FALCO_VERSION);
|
||||
printf("Driver version: %s\n", DRIVER_VERSION);
|
||||
return EXIT_SUCCESS;
|
||||
}
|
||||
else if (string(long_options[long_index].name) == "cri")
|
||||
{
|
||||
if(optarg != NULL)
|
||||
{
|
||||
cri_socket_path = optarg;
|
||||
}
|
||||
}
|
||||
else if (string(long_options[long_index].name) == "disable-cri-async")
|
||||
{
|
||||
cri_async = false;
|
||||
}
|
||||
else if (string(long_options[long_index].name) == "list")
|
||||
{
|
||||
list_flds = true;
|
||||
if(optarg != NULL)
|
||||
{
|
||||
list_flds_source = optarg;
|
||||
}
|
||||
}
|
||||
else if (string(long_options[long_index].name) == "stats-interval")
|
||||
{
|
||||
stats_interval = atoi(optarg);
|
||||
}
|
||||
else if (string(long_options[long_index].name) == "support")
|
||||
{
|
||||
print_support = true;
|
||||
}
|
||||
else if (string(long_options[long_index].name) == "disable-source")
|
||||
{
|
||||
if(optarg != NULL)
|
||||
{
|
||||
disable_sources.insert(optarg);
|
||||
}
|
||||
}
|
||||
else if (string(long_options[long_index].name)== "alternate-lua-dir")
|
||||
{
|
||||
if(optarg != NULL)
|
||||
{
|
||||
alternate_lua_dir = optarg;
|
||||
if (alternate_lua_dir.back() != '/') {
|
||||
alternate_lua_dir += '/';
|
||||
}
|
||||
}
|
||||
}
|
||||
break;
|
||||
|
||||
// default:
|
||||
// break;
|
||||
// }
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// }
|
||||
inspector = new sinsp();
|
||||
inspector->set_buffer_format(event_buffer_format);
|
||||
|
||||
@@ -916,14 +935,14 @@ int falco_init()
|
||||
throw std::runtime_error(string("Could not uname() to find system info: %s\n") + strerror(errno));
|
||||
}
|
||||
|
||||
// for(char **arg = argv; *arg; arg++)
|
||||
// {
|
||||
// if(cmdline.size() > 0)
|
||||
// {
|
||||
// cmdline += " ";
|
||||
// }
|
||||
// cmdline += *arg;
|
||||
// }
|
||||
for(char **arg = argv; *arg; arg++)
|
||||
{
|
||||
if(cmdline.size() > 0)
|
||||
{
|
||||
cmdline += " ";
|
||||
}
|
||||
cmdline += *arg;
|
||||
}
|
||||
|
||||
support["version"] = FALCO_VERSION;
|
||||
support["system_info"]["sysname"] = sysinfo.sysname;
|
||||
@@ -1373,23 +1392,13 @@ exit:
|
||||
//
|
||||
// MAIN
|
||||
//
|
||||
int main(int argc, const char **argv)
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
try
|
||||
{
|
||||
auto cli = new falco::cli(argc, argv);
|
||||
cli->run();
|
||||
}
|
||||
catch(const cxxopts::OptionException &e)
|
||||
{
|
||||
display_fatal_err("Error parsing options: " + string(e.what()) + "\n");
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
int rc;
|
||||
|
||||
// g_restart will cause the falco loop to exit, but we
|
||||
// should reload everything and start over.
|
||||
while((rc = falco_init()) == EXIT_SUCCESS && g_restart)
|
||||
while((rc = falco_init(argc, argv)) == EXIT_SUCCESS && g_restart)
|
||||
{
|
||||
g_restart = false;
|
||||
optind = 1;
|
||||
|
||||
Reference in New Issue
Block a user