Mark Stemm 5d245f6569 Minimally working rule loading + eval w/ plugins
First minimally working version with plugins + rule loading/rule
evaluation:

 - In the falco engine, hold rulesets for plugins in a map from plugin
   id to falco ruleset.
 - Add new methods "add_plugin_filter" to rules.cpp/falco_engine
   that adds a filter for a given source and compiled filter. This
   isn't strictly necessary, as the plugin filterchecks are added when
   a plugin is registered, but it more cleanly separates filters for
   syscalls and plugins.
 - When loading rules, if the source is not syscall or k8s_audit,
   assume it's a plugin filter and call add_plugin_filter.
 - In process_sinsp_event, if the event type is PLUGINEVENT_E, use the
   plugins rulesets map instead of m_sinsp_rules, looking up the
   appropriate source from the plugin.

This doesn't handle extractor plugins yet, and I only tested the very
minimal happy path, but I did get rules loaded and working.
2021-07-09 11:30:21 -07:00


/*
Copyright (C) 2020 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#pragma once
#include <string>
#include <map>
#include <memory>
#include "sinsp.h"
extern "C"
{
#include "lua.h"
#include "lualib.h"
#include "lauxlib.h"
}
#include "json_evt.h"
#include "falco_engine.h"
class sinsp_evt_formatter;
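class falco_formats
{
public:
	/// Bind the formatter helpers to an inspector, an engine and a Lua state.
	/// Presumably this populates the s_* statics declared below and registers
	/// lua_formatter/lua_free_formatter with `ls` — only the declaration is
	/// visible here, confirm in formats.cpp.
	static void init(sinsp *inspector,
			 falco_engine *engine,
			 lua_State *ls,
			 bool json_output,
			 bool json_include_output_property);

	/// Create / release the sinsp formatter for `format`, driven from the Lua
	/// side. Both take the Lua state; the formatter object itself is not
	/// exposed through this header.
	static void create_sinsp_formatter(lua_State *ls, const std::string &format);
	static void delete_sinsp_formatter(lua_State *ls);

	// Lua entry points. Both have the lua_CFunction shape (take the state,
	// return the number of results pushed).
	// formatter = falco.formatter(format_string)
	static int lua_formatter(lua_State *ls);
	// falco.free_formatter(formatter)
	static int lua_free_formatter(lua_State *ls);

	/// Render `evt` with `format`. `line`, `json_line` and `sformat` are
	/// out-parameters (plain-text output, JSON output and the resolved format
	/// string, going by the names — verify against formats.cpp).
	static void format_sinsp_event(const gen_event *evt, const std::string &format,
				       std::string &line, std::string &json_line, std::string &sformat);

	/// Format `evt` as a rule match for the given rule, event source, priority
	/// level and output format, returning the rendered output line.
	/// Fully qualified here: this header previously relied on an unqualified
	/// `string` picked up from a transitive `using namespace std`, which is
	/// fragile in a header included from other translation units.
	static std::string format_event(const gen_event *evt, const std::string &rule, const std::string &source,
					const std::string &level, const std::string &format);

	/// Resolve the field tokens in `format` against `evt` for `source`;
	/// returns a token -> value map.
	static std::map<std::string, std::string> resolve_tokens(const gen_event *evt, const std::string &source,
								 const std::string &format);

	// Process-wide state, expected to be set up by init().
	// NOTE(review): these are mutable statics with no synchronization visible
	// in this header — confirm every caller runs on the same thread.
	static sinsp *s_inspector;
	static falco_engine *s_engine;
	static std::unique_ptr<sinsp_evt_formatter_cache> s_formatters;
	static bool s_json_output;
	static bool s_json_include_output_property;
};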