mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-22 20:29:39 +00:00
- In lua, look for a tags attribute on each rule. This is passed up in add_filter as a tags argument (as a lua table). If not present, an empty table is used. The tags table is iterated to populate a set of tags as strings, which is passed to add_filter().
- A new method falco_engine::enable_rule_by_tag is similar to enable_rule(), but is given a set of tag strings. Any rule containing one of the tags is enabled/disabled.
- The list of event types has been changed to a set to more accurately reflect its purpose.
- New argument to falco -T allows disabling all rules matching a given tag, via enable_rule_by_tag(). It can be provided multiple times.
- New argument to falco -t allows running those rules matching a given tag. If provided, all rules are first disabled. It can be provided multiple times, but cannot be combined with -T or -D (disable rules by name).
- falco_engine supports the notion of a ruleset. The idea is that you can choose a set of rules that are enabled/disabled by using enable_rule()/enable_rule_by_tag() in combination with a ruleset. Later, in process_event() you include that ruleset and the rules you had previously enabled will be run.
- Rulesets are provided as strings in enable_rule()/enable_rule_by_tag() and as numbers in process_event(); this avoids the overhead of string lookups per-event. Ruleset ids are created on the fly as needed. A utility method find_ruleset_id() looks up the ruleset id for a given name. The default ruleset is NULL string/0 numeric if not provided.
- Although the ruleset is a useful falco engine feature, it isn't that important to the falco standalone program, so it's not documented. However, you can change the ruleset by providing FALCO_RULESET in the environment.
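As an added illustration, not code from the Falco repository, here is a Python model of the tag and ruleset semantics the commit message describes (string ruleset names at enable time, numeric ids at event time, -t/-T handling). The assumption that the default ruleset starts with every rule enabled, the `apply_cli_tag_options` helper and the `matched` stand-in for filter evaluation are mine, not the engine's.

```python
# Added model (not Falco's own C++/Lua code) of the tag/ruleset semantics in the
# commit message: tags per rule, enable_rule_by_tag(), string-vs-numeric rulesets.
from collections import defaultdict

class FalcoEngineModel:
    def __init__(self, rules):
        # rules: {rule_name: tags} as the lua loader hands them to add_filter();
        self.rules = {name: set(tags or ()) for name, tags in rules.items()}
        self.ruleset_ids = {}            # ruleset name -> numeric id
        self.enabled = defaultdict(set)  # ruleset id -> enabled rule names
        # Assumption: the default ruleset ("" / id 0) starts with every rule on.
        self.enabled[self.find_ruleset_id("")] = set(self.rules)

    def find_ruleset_id(self, ruleset=""):
        # Ids are created on the fly; the default ruleset "" always maps to 0.
        return self.ruleset_ids.setdefault(ruleset, len(self.ruleset_ids))

    def enable_rule(self, name, enabled, ruleset=""):
        rid = self.find_ruleset_id(ruleset)
        if enabled:
            self.enabled[rid].add(name)
        else:
            self.enabled[rid].discard(name)

    def enable_rule_by_tag(self, tags, enabled, ruleset=""):
        # Any rule carrying at least one of the given tags is enabled/disabled.
        for name, rule_tags in self.rules.items():
            if rule_tags & set(tags):
                self.enable_rule(name, enabled, ruleset)

    def process_event(self, ruleset_id, matched):
        # `matched` stands in for filter evaluation; only enabled rules fire.
        return sorted(set(matched) & self.enabled[ruleset_id])

def apply_cli_tag_options(engine, run_tags=(), disable_tags=(), ruleset=""):
    """-t: disable every rule, then enable those matching a tag.
    -T: disable rules matching a tag. The two cannot be combined."""
    if run_tags and disable_tags:
        raise ValueError("-t cannot be combined with -T")
    if run_tags:
        for name in engine.rules:
            engine.enable_rule(name, False, ruleset)
        engine.enable_rule_by_tag(run_tags, True, ruleset)
    engine.enable_rule_by_tag(disable_tags, False, ruleset)
    return engine.find_ruleset_id(ruleset)

# Constructed sample rules (not taken from any Falco rules file).
SAMPLE_RULES = {"Write below etc": ["filesystem"], "Untagged rule": None,
                "Unexpected outbound connection": ["network", "container"],
                "Shell in container": ["container", "shell"]}
```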
Installation

The sysdig grammar uses the lpeg parser. For now, install it using luarocks:

    luarocks install lpeg