falco

Commit Graph

Author	SHA1	Message	Date
Samuel Gaist	4d03686999	refactor(userspace/engine): fix variable scope Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>	2025-09-16 09:38:29 +02:00
Samuel Gaist	2da40e798b	refactor(userspace/engine): const correctness Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>	2025-09-16 09:38:29 +02:00
Leonardo Grasso	21350a282c	new(userspapace/engine): add `capture` and `capture_duration` to rules loader Signed-off-by: Leonardo Grasso <me@leonardograsso.com>	2025-08-12 11:25:43 +02:00
Federico Di Pierro	6e4b7663ca	cleanup(userspace/engine,userspace/falco): drop `replace_container_info` flag. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2025-05-06 10:06:43 +02:00
Federico Di Pierro	11f6fc5d14	cleanup(userspace/engine): deprecated `%container.info`. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2025-05-06 10:06:43 +02:00
Federico Di Pierro	9f1bc7d518	fix(userspace/engine): expand `%container.info` extra format to empty string. Also, remove `container_id container_name` fields from `-pc` output. These fields are now automatically appended since the `container` plugin marks them as suggested. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2025-02-26 13:08:26 +01:00
Poiana	50b98b30e5	chore(falco): apply code formatting Signed-off-by: Poiana <poiana.bot@gmail.com>	2024-09-30 13:25:31 +02:00
Luca Guerra	5c959d0b1b	update(falco): use std::include for readability Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-09-13 15:58:36 +02:00
Luca Guerra	7005983409	update(engine): modify append_output format Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-09-13 15:58:36 +02:00
Luca Guerra	d210ed2e4f	new(app): add append_output configuration option with fields and format Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-09-09 15:31:24 +02:00
Luca Guerra	b8e5e2e8dd	update(engine): allow using -p to pass a format to plugin events Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-06-11 09:19:39 +02:00
Gianmatteo Palmieri	1c66b640f2	Revert "fix(engine): apply output substitutions for all sources" This reverts commit `4ef7c9553a`. Signed-off-by: Gianmatteo Palmieri <mail@gian.im>	2024-06-05 12:43:19 +02:00
Jason Dellaluce	fa8e780b07	update(userspace/engine): propagate compiler warnings Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2024-05-08 20:23:55 +02:00
Gianmatteo Palmieri	d1707bef63	fix(engine): apply output substitutions for all sources Signed-off-by: Gianmatteo Palmieri <mail@gian.im>	2024-03-25 19:33:06 +01:00
Samuel Gaist	f9b17b67f8	refactor(engine): fix variable / function shadowing Improve variable names in the code surrounding the changes. Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>	2024-02-29 16:20:34 +01:00
Gianmatteo Palmieri	ea781477d6	fix(engine): logical issue in exceptions condition Signed-off-by: Gianmatteo Palmieri <mail@gian.im>	2024-02-28 08:28:26 +01:00
Federico Aponte	4d66a50d5b	fix: pessimizing move warning Signed-off-by: Federico Aponte <federico.aponte@sysdig.com>	2024-02-26 14:59:22 +01:00
Jason Dellaluce	b515f0a079	refactor(usersapace): adapt to changes libs Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2024-02-23 11:39:07 +01:00
Samuel Gaist	5e497a4119	fix(c++): improve const correctness Reported by cppcheck Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>	2024-02-15 22:16:33 +01:00
Jason Dellaluce	0cc1c5b44f	refactor(userspace/engine): reduce allocations during rules loading Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2024-02-09 14:50:05 +01:00
Jason Dellaluce	4cffcedba1	refactor: remove refs to gen_event class family Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2024-02-06 10:25:53 +01:00
Mark Stemm	1e0430dff9	Make compile_condition() a protected method for use in subclasses Move the part of compile_rule_infos that actually compiled a condition string into a sinsp_filter into a standalone method compile_condition(). That way it can be used by classes that derive from rule_loader::compiler() and want to compile condition strings. This implementation also saves the compiled filter as a part of the falco_rule object so it does not need to be compiled again wihin the falco engine after rules loading. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2024-01-30 20:24:33 +01:00
Mark Stemm	eed5b906a8	Provide the entire compile output to ruleset vs individual add()s In order to support external rules loaders that may extend the falco rules format with new top level objects, move away from providing individual filter objects to the filter_ruleset via calls to add(). Instead, pass the entire compile output returned by the compiler to the ruleset using a new method add_compile_output(). Custom users can then cast back the compile output to the appropriate derived class for use in the ruleset. Move the declaration of the compile output to a standalone class so it can be used by rulesets without including the entire rules loader header files, and add a new factory method new_compile_output() to the compiler so it can create a derived class if necessary. This change is backwards-compatible with existing rulesets, as the default implementation of add_compile_output() simply iterates over rules and calls add() for each rule. This change also speeds up rule loading. Previously, each rule condition was compiled twice: 1. First, in the compiler, to see if it was valid. 2. Second, in the falco engine before providing each rule to the ruleset. Add the compiled filter to the falco_rule object instead of throwing it away in the compiler. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2024-01-30 20:24:33 +01:00
Jason Dellaluce	ccf62a3745	fix(userspace/engine): avoid storing escaped strings in engine defs Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2024-01-23 11:58:09 +01:00
Federico Aponte	44b7352180	cleanup: fix several warnings from a Clang build Signed-off-by: Federico Aponte <federico.aponte@sysdig.com>	2023-12-06 16:40:26 +01:00
Jason Dellaluce	390a13bd40	update(userspace): optimizations in validation and description steps Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2023-12-02 09:38:15 +01:00
Roberto Scolaro	b7cef5bab2	fix(userspace/engine): fix memory leak Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>	2023-10-17 21:20:15 +02:00
Jason Dellaluce	d3e1a1f746	chore(userspace/engine): apply codespell suggestions Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2023-09-28 12:39:20 +02:00
Jason Dellaluce	8f411f3d3b	refactor(userspace/engine): modularize rules files compilation Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2023-09-28 12:39:20 +02:00
Leonardo Grasso	fe50ac22ee	update: add SPDX license identifier See https://github.com/falcosecurity/evolution/issues/318 Signed-off-by: Leonardo Grasso <me@leonardograsso.com>	2023-09-21 13:21:47 +02:00
Leonardo Grasso	35cb960917	update(userspace/engine): align `%container.info` defaults with new rule styles Signed-off-by: Leonardo Grasso <me@leonardograsso.com>	2023-09-08 19:00:04 +02:00
Jason Dellaluce	c8122ff474	fix(userspace/engine): support appending to unknown sources Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2023-09-01 06:46:31 +02:00
Jason Dellaluce	901fca2257	update(userspace/engine): upgrade skip-if-unknown-filter YAML field Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2023-08-31 18:33:30 +02:00
Lorenzo Susini	1195b1e7f0	update(userspace/engine): better modularize the code for getting json details Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>	2023-05-19 15:56:05 +02:00
Lorenzo Susini	e11b4c4430	update(userspace/engine): add event codes to json output Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>	2023-05-19 15:56:05 +02:00
Jason Dellaluce	c603055acf	fix(userspace/engine): don't count async event for evttype warning Co-authored-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com> Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2023-05-19 12:15:04 +02:00
Jason Dellaluce	9bfce8cfae	update(userspace): make sure that async event is always matched in rules Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2023-05-19 12:15:04 +02:00
Jason Dellaluce	6c38ecaf0e	update(userspace/engine): adapt engine classes to new libsinsp event definitions Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2023-02-21 14:31:28 +01:00
Jason Dellaluce	eaeec7c079	fix(userspace): avoid using std namespace in sources Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2023-02-08 15:30:29 +01:00
Jason Dellaluce	25ddc3c6a2	update(userspace/engine): broader err catching support in macro resolver Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2022-12-13 15:06:10 +01:00
Mark Stemm	83b12bab1d	Fix(engine): include parse positions in compile errors Now that ASTs have parse positions and the compiler will return the position of the last error, use that in falco rules to return errors within condition strings instead of reporting the position as the beginning of the condition. This led to a change in the filter_ruleset interface--now, an ast is compiled to a filter before being passed to the filter_ruleset object. That avoids polluting the interface with a lot of details about rule_loader contexts, errors, etc. The ast is still provided in case the filter_ruleset wants to do indexing/analysis of the filter. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2022-12-01 17:03:52 +01:00
Jason Dellaluce	9ee0298c4d	fix(userspace/engine): avoid macro/list used checks if we encounter an error Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2022-10-12 14:03:20 +02:00
Jason Dellaluce	8aea0935c9	chore(userspace/engine): remove unused var Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2022-09-27 10:42:59 +02:00
Jason Dellaluce	9b5f3ee99e	refactor(userspace/engine): clean up rule compiler Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2022-09-27 10:42:59 +02:00
Jason Dellaluce	b900e46dfe	refactor(userspace/engine): split rule loader git history (3) Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2022-09-27 10:42:59 +02:00

45 Commits