diff --git a/test/falco_k8s_audit_tests.yaml b/test/falco_k8s_audit_tests.yaml index aad80f84f48..be4c28caa60 100644 --- a/test/falco_k8s_audit_tests.yaml +++ b/test/falco_k8s_audit_tests.yaml @@ -19,6 +19,7 @@ trace_files: !mux compat_engine_v4_create_disallowed_pod: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml @@ -30,6 +31,7 @@ trace_files: !mux compat_engine_v4_create_allowed_pod: detect: False + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml @@ -40,6 +42,7 @@ trace_files: !mux compat_engine_v4_create_privileged_pod: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml @@ -50,6 +53,7 @@ trace_files: !mux compat_engine_v4_create_privileged_trusted_pod: detect: False + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -60,6 +64,7 @@ trace_files: !mux compat_engine_v4_create_unprivileged_pod: detect: False + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml @@ -69,6 +74,7 @@ trace_files: !mux compat_engine_v4_create_hostnetwork_pod: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml @@ -79,6 +85,7 @@ trace_files: !mux compat_engine_v4_create_hostnetwork_trusted_pod: detect: False + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml 
@@ -90,6 +97,7 @@ trace_files: !mux user_outside_allowed_set: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -101,6 +109,7 @@ trace_files: !mux user_in_allowed_set: detect: False + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -113,6 +122,7 @@ trace_files: !mux create_disallowed_pod: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -124,6 +134,7 @@ trace_files: !mux create_allowed_pod: detect: False + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -134,6 +145,7 @@ trace_files: !mux create_privileged_pod: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -145,6 +157,7 @@ trace_files: !mux create_privileged_no_secctx_1st_container_2nd_container_pod: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -156,6 +169,7 @@ trace_files: !mux create_privileged_2nd_container_pod: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -166,6 +180,7 @@ trace_files: !mux create_privileged_trusted_pod: detect: False + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml 
@@ -175,6 +190,7 @@ trace_files: !mux create_unprivileged_pod: detect: False + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -183,6 +199,7 @@ trace_files: !mux create_unprivileged_trusted_pod: detect: False + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -193,6 +210,7 @@ trace_files: !mux create_sensitive_mount_pod: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -204,6 +222,7 @@ trace_files: !mux create_sensitive_mount_2nd_container_pod: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -214,6 +233,7 @@ trace_files: !mux create_sensitive_mount_trusted_pod: detect: False + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -223,6 +243,7 @@ trace_files: !mux create_unsensitive_mount_pod: detect: False + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -231,6 +252,7 @@ trace_files: !mux create_unsensitive_mount_trusted_pod: detect: False + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -241,6 +263,7 @@ trace_files: !mux create_hostnetwork_pod: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml 
@@ -251,6 +274,7 @@ trace_files: !mux create_hostnetwork_trusted_pod: detect: False + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -260,6 +284,7 @@ trace_files: !mux create_nohostnetwork_pod: detect: False + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -268,6 +293,7 @@ trace_files: !mux create_nohostnetwork_trusted_pod: detect: False + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -278,6 +304,7 @@ trace_files: !mux create_nodeport_service: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -289,6 +316,7 @@ trace_files: !mux create_nonodeport_service: detect: False + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -299,6 +327,7 @@ trace_files: !mux create_configmap_private_creds: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -310,6 +339,7 @@ trace_files: !mux create_configmap_no_private_creds: detect: False + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -320,6 +350,7 @@ trace_files: !mux anonymous_user: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml 
@@ -331,6 +362,7 @@ trace_files: !mux pod_exec: detect: True detect_level: NOTICE + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -342,6 +374,7 @@ trace_files: !mux pod_attach: detect: True detect_level: NOTICE + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -353,6 +386,7 @@ trace_files: !mux namespace_outside_allowed_set: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -364,6 +398,7 @@ trace_files: !mux namespace_in_allowed_set: detect: False + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -375,6 +410,7 @@ trace_files: !mux create_pod_in_kube_system_namespace: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -386,6 +422,7 @@ trace_files: !mux create_pod_in_kube_public_namespace: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -397,6 +434,7 @@ trace_files: !mux create_serviceaccount_in_kube_system_namespace: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -408,6 +446,7 @@ trace_files: !mux create_serviceaccount_in_kube_public_namespace: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml 
@@ -419,6 +458,7 @@ trace_files: !mux system_clusterrole_deleted: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -430,6 +470,7 @@ trace_files: !mux system_clusterrole_modified: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -441,6 +482,7 @@ trace_files: !mux attach_cluster_admin_role: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -452,6 +494,7 @@ trace_files: !mux create_cluster_role_wildcard_resources: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -463,6 +506,7 @@ trace_files: !mux create_cluster_role_wildcard_verbs: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -474,6 +518,7 @@ trace_files: !mux create_writable_cluster_role: detect: True detect_level: NOTICE + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -485,6 +530,7 @@ trace_files: !mux create_pod_exec_cluster_role: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -496,6 +542,7 @@ trace_files: !mux create_deployment: detect: True detect_level: INFO + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml 
@@ -507,6 +554,7 @@ trace_files: !mux delete_deployment: detect: True detect_level: INFO + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -518,6 +566,7 @@ trace_files: !mux create_service: detect: True detect_level: INFO + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -529,6 +578,7 @@ trace_files: !mux delete_service: detect: True detect_level: INFO + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -540,6 +590,7 @@ trace_files: !mux create_configmap: detect: True detect_level: INFO + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -551,6 +602,7 @@ trace_files: !mux delete_configmap: detect: True detect_level: INFO + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -562,6 +614,7 @@ trace_files: !mux create_namespace: detect: True detect_level: INFO + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -575,6 +628,7 @@ trace_files: !mux delete_namespace: detect: True detect_level: INFO + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -586,6 +640,7 @@ trace_files: !mux create_serviceaccount: detect: True detect_level: INFO + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml 
@@ -597,6 +652,7 @@ trace_files: !mux delete_serviceaccount: detect: True detect_level: INFO + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -608,6 +664,7 @@ trace_files: !mux create_clusterrole: detect: True detect_level: INFO + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -619,6 +676,7 @@ trace_files: !mux delete_clusterrole: detect: True detect_level: INFO + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -630,6 +688,7 @@ trace_files: !mux create_clusterrolebinding: detect: True detect_level: INFO + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -641,6 +700,7 @@ trace_files: !mux delete_clusterrolebinding: detect: True detect_level: INFO + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -652,6 +712,7 @@ trace_files: !mux create_secret: detect: True detect_level: INFO + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -664,6 +725,7 @@ trace_files: !mux create_service_account_token_secret: detect: False detect_level: INFO + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -673,6 +735,7 @@ trace_files: !mux create_kube_system_secret: detect: False detect_level: INFO + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml 
@@ -682,6 +745,7 @@ trace_files: !mux delete_secret: detect: True detect_level: INFO + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -692,6 +756,7 @@ trace_files: !mux fal_01_003: detect: False + enable_source: k8s_audit rules_file: - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml @@ -702,6 +767,7 @@ trace_files: !mux json_pointer_correct_parse: detect: True detect_level: WARNING + enable_source: k8s_audit rules_file: - ./rules/k8s_audit/single_rule_with_json_pointer.yaml detect_counts: diff --git a/test/falco_test.py b/test/falco_test.py index 4a5e5ed0eca..bc27bacc478 100644 --- a/test/falco_test.py +++ b/test/falco_test.py @@ -97,6 +97,7 @@ def setUp(self): self.all_events = self.params.get('all_events', '*', default=False) self.priority = self.params.get('priority', '*', default='debug') self.addl_cmdline_opts = self.params.get('addl_cmdline_opts', '*', default='') + self.enable_source = self.params.get('enable_source', '*', default='') self.rules_file = self.params.get( 'rules_file', '*', default=os.path.join(self.basedir, '../rules/falco_rules.yaml')) @@ -114,6 +115,13 @@ def setUp(self): self.json_output = True if not isinstance(self.validate_rules_file, list): self.validate_rules_file = [self.validate_rules_file] + + # can be either empty, a string, or a list + if self.enable_source == '': + self.enable_source = [] + else: + if not isinstance(self.enable_source, list): + self.enable_source = [self.enable_source] self.rules_args = "" 
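Review bot: In the second `setUp` hunk the normalization `else:` / `if not isinstance(self.enable_source, list):` is a nested conditional where an `elif` expresses the two-way choice directly: `elif not isinstance(self.enable_source, list): self.enable_source = [self.enable_source]`. The comment `# can be either empty, a string, or a list` describes the accepted input, but only `''` is treated as empty, so a `None` arriving from the YAML would be wrapped as `[None]`; if the params loader can never yield that, fine, otherwise `if not self.enable_source:` covers both cases. `setUp` continues outside the hunk.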
@@ -630,10 +638,15 @@ def test(self): if self.trace_file: trace_arg = "-e {}".format(self.trace_file) + extra_cmdline = '' + for source in self.enable_source: + extra_cmdline += ' --enable-source="{}"'.format(source) + extra_cmdline += ' ' + self.addl_cmdline_opts + # Run falco cmd = '{} {} {} -c {} {} -o json_output={} -o json_include_output_property={} -o json_include_tags_property={} -o priority={} -v {}'.format( self.falco_binary_path, self.rules_args, self.disabled_args, self.conf_file, trace_arg, self.json_output, - self.json_include_output_property, self.json_include_tags_property, self.priority, self.addl_cmdline_opts) + self.json_include_output_property, self.json_include_tags_property, self.priority, extra_cmdline) for tag in self.disable_tags: cmd += ' -T {}'.format(tag) diff --git a/test/falco_tests_plugins.yaml b/test/falco_tests_plugins.yaml index 59c732f2a1f..03fe7fbfbae 100644 --- a/test/falco_tests_plugins.yaml +++ b/test/falco_tests_plugins.yaml @@ -35,6 +35,7 @@ trace_files: !mux stdout_contains: "ct.id" detect_create_instance: + enable_source: aws_cloudtrail detect: True detect_level: INFO rules_file: @@ -44,6 +45,7 @@ trace_files: !mux conf_file: BUILD_DIR/test/confs/plugins/cloudtrail_json_create_instances.yaml detect_create_instance_bigevent: + enable_source: aws_cloudtrail detect: True detect_level: INFO rules_file: diff --git a/userspace/falco/CMakeLists.txt b/userspace/falco/CMakeLists.txt index cdd6fe03d3c..667a79f1af5 100644 --- a/userspace/falco/CMakeLists.txt +++ b/userspace/falco/CMakeLists.txt @@ -37,6 +37,7 @@ set( app_actions/print_support.cpp app_actions/print_syscall_events.cpp app_actions/print_version.cpp + app_actions/select_event_sources.cpp app_actions/start_grpc_server.cpp app_actions/start_webserver.cpp app_actions/validate_rules_files.cpp diff --git a/userspace/falco/app_actions/init_falco_engine.cpp b/userspace/falco/app_actions/init_falco_engine.cpp index 6fe513aee21..09e6ffaf050 100644 
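Review bot: `extra_cmdline += ' --enable-source="{}"'.format(source)` splices each source name into the command string with hand-written double quotes, so a name containing a quote, `$` or whitespace would corrupt the argument or be reinterpreted if `cmd` is later handed to a shell (how `cmd` is executed is outside the hunk). `shlex.quote` from the standard library yields a token that is safe for either execution path: `extra_cmdline += ' --enable-source={}'.format(shlex.quote(source))`, with `import shlex` added at the top of the file if it is not already there. The values come from the test YAML rather than from outside input, so this is about robustness of the harness rather than an exposure. `test`'s body continues outside the hunk.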
--- a/userspace/falco/app_actions/init_falco_engine.cpp
+++ b/userspace/falco/app_actions/init_falco_engine.cpp
@@ -76,28 +76,6 @@ application::run_result application::init_falco_engine()
 syscall_formatter_factory->set_output_format(gen_event_formatter::OF_JSON);
 }
- for(const auto &src : m_options.disable_sources)
- {
- if (m_state->enabled_sources.find(src) == m_state->enabled_sources.end())
- {
- return run_result::fatal("Attempted disabling unknown event source: " + src);
- }
- m_state->enabled_sources.erase(src);
- }
-
- // todo(jasondellaluce,leogr): change this once we attain multiple active source
- if(m_state->enabled_sources.empty())
- {
- return run_result::fatal("At least one event source needs to be enabled");
- }
-
- /* Print all enabled sources. */
- std::ostringstream os;
- std::copy(m_state->enabled_sources.begin(), m_state->enabled_sources.end(), std::ostream_iterator(os, ","));
- std::string result = os.str();
- result.pop_back();
- falco_logger::log(LOG_INFO, "Enabled sources: " + result + "\n");
-
 m_state->engine->set_min_priority(m_state->config->m_min_priority);
 return run_result::ok();
diff --git a/userspace/falco/app_actions/load_plugins.cpp b/userspace/falco/app_actions/load_plugins.cpp
index f767e7c5878..e198dc32502 100644
--- a/userspace/falco/app_actions/load_plugins.cpp
+++ b/userspace/falco/app_actions/load_plugins.cpp
@@ -28,7 +28,8 @@ application::run_result application::load_plugins()
 }
 #endif
- // The only enabled event source is syscall by default
+ // By default only the syscall event source is loaded and enabled
+ m_state->loaded_sources = {falco_common::syscall_source};
 m_state->enabled_sources = {falco_common::syscall_source};
 std::string err = "";
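Review bot: `m_state->loaded_sources = {falco_common::syscall_source};` and the `enabled_sources` assignment under it repeat the defaults that `state::state()` now sets for both members in its initializer list (the application.cpp hunk in this commit), so the same invariant lives in two places. If the reassignment is deliberate — say because `load_plugins` can run again after a restart while the state object is kept — the new comment should say so, e.g. `// reset to the built-in defaults: this action may run more than once per state`; otherwise one of the two initializations should go. `loaded_sources` is also what `--enable-source`/`--disable-source` are validated against later in this commit, so keeping its initialization in one place makes that contract easier to follow.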
@@ -54,8 +55,11 @@ application::run_result application::load_plugins()
 + "' already loaded");
 }
 loaded_plugin = plugin;
- m_state->enabled_sources = {plugin->event_source()};
 m_state->inspector->set_input_plugin(p.m_name, p.m_open_params);
+
+ m_state->loaded_sources.insert(plugin->event_source());
+ // todo(jasondellaluce): change this once we support multiple enabled event sources
+ m_state->enabled_sources = {plugin->event_source()};
 }
 // Init filtercheck list for the plugin's source and add the
diff --git a/userspace/falco/app_actions/select_event_sources.cpp b/userspace/falco/app_actions/select_event_sources.cpp
new file mode 100644
index 00000000000..476b152b8de
--- /dev/null
+++ b/userspace/falco/app_actions/select_event_sources.cpp
@@ -0,0 +1,81 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "application.h"
+
+using namespace falco::app;
+
+application::run_result application::select_event_sources()
+{
+ // event sources selection is meaningless when reading trace files
+ if (!is_capture_mode())
+ {
+ if (!m_options.enable_sources.empty() && !m_options.disable_sources.empty())
+ {
+ return run_result::fatal("You can not mix --enable-source and --disable-source");
+ }
+
+ if (!m_options.enable_sources.empty())
+ {
+ m_state->enabled_sources.clear();
+ for(const auto &src : m_options.enable_sources)
+ {
+ if (m_state->loaded_sources.find(src) == m_state->loaded_sources.end())
+ {
+ return run_result::fatal("Attempted enabling an unknown event source: " + src);
+ }
+ m_state->enabled_sources.insert(src);
+ }
+ }
+ else if (!m_options.disable_sources.empty())
+ {
+ // this little hack ensure that the single-source samentic gets respected
+ // todo(jasondellaluce): remove this insert once we support multiple enabled event sources
+ m_state->enabled_sources = m_state->loaded_sources;
+
+ for(const auto &src : m_options.disable_sources)
+ {
+ if (m_state->loaded_sources.find(src) == m_state->loaded_sources.end())
+ {
+ return run_result::fatal("Attempted disabling an unknown event source: " + src);
+ }
+ m_state->enabled_sources.erase(src);
+ }
+ }
+
+ if(m_state->enabled_sources.empty())
+ {
+ return run_result::fatal("Must enable at least one event source");
+ }
+
+ // these two little hacks ensure that the single-source samentic gets respected
+ // todo(jasondellaluce): remove these two once we support multiple enabled event sources
+ if(m_state->enabled_sources.size() > 1)
+ {
+ return run_result::fatal("Can not enable more than one event source");
+ }
+ if(*m_state->enabled_sources.begin() == falco_common::syscall_source)
+ {
+ m_state->inspector->m_input_plugin = nullptr;
+ }
+
+ /* Print all enabled sources. */
+ std::ostringstream os;
+ std::copy(m_state->enabled_sources.begin(), m_state->enabled_sources.end(), std::ostream_iterator(os, ","));
+ std::string result = os.str();
+ result.pop_back();
+ falco_logger::log(LOG_INFO, "Enabled event sources: " + result + "\n");
+ }
+
+ return run_result::ok();
+}
\ No newline at end of file
diff --git a/userspace/falco/app_cmdline_options.cpp b/userspace/falco/app_cmdline_options.cpp
index 2833ebbdaf5..64ee6768137 100644
--- a/userspace/falco/app_cmdline_options.cpp
+++ b/userspace/falco/app_cmdline_options.cpp
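Review bot: `m_state->inspector->m_input_plugin = nullptr;` reaches into a public data member of the inspector to undo the `set_input_plugin()` call that `load_plugins` made, rather than going through the inspector's API; the todo above it admits it is a hack, but a direct member write skips whatever the setter does besides storing the pointer (not visible here), so the comment should say why the setter route is not usable and what from the plugin setup is deliberately left in place (its open params, any filterchecks already registered for its source), e.g. `// undo load_plugins' set_input_plugin(): syscall is the only enabled source, so no plugin may drive input`. The file uses `std::ostringstream`, `std::copy` and `std::ostream_iterator` but includes only `application.h`; add `#include <algorithm>`, `#include <iterator>` and `#include <sstream>` rather than relying on transitive includes. Both hack comments spell `samentic` — `semantic` — and the file lacks a trailing newline (`\ No newline at end of file`). In capture mode the selection is skipped entirely, so a misspelled `--enable-source` is accepted silently there; that matches the help text, but a log line saying the options are ignored would make it less surprising.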
@@ -160,9 +160,10 @@ void cmdline_options::define() ("cri", "Path to CRI socket for container metadata. Use the specified socket to fetch data from a CRI-compatible runtime. If not specified, uses libs default. It can be passed multiple times to specify socket to be tried until a successful one is found.", cxxopts::value(cri_socket_paths), "") ("d,daemon", "Run as a daemon.", cxxopts::value(daemon)->default_value("false")) ("disable-cri-async", "Disable asynchronous CRI metadata fetching. This is useful to let the input event wait for the container metadata fetch to finish before moving forward. Async fetching, in some environments leads to empty fields for container metadata when the fetch is not fast enough to be completed asynchronously. This can have a performance penalty on your environment depending on the number of containers and the frequency at which they are created/started/stopped.", cxxopts::value(disable_cri_async)->default_value("false")) - ("disable-source", "Disable a specific event source. Available event sources are: syscall or any source from a configured plugin with event sourcing capability. It can be passed multiple times. Can not disable all event sources.", cxxopts::value(disable_sources), "") + ("disable-source", "Disable a specific event source. Available event sources are: syscall or any source from a configured plugin with event sourcing capability. It can be passed multiple times. It has no offect when reading events from a trace file. Can not disable all event sources. Can not be mixed with enable-source.", cxxopts::value(disable_sources), "") ("D", "Disable any rules with names having the substring . Can be specified multiple times. 
Can not be specified with -t.", cxxopts::value(disabled_rule_substrings), "") - ("e", "Read the events from in .scap format instead of tapping into live.", cxxopts::value(trace_filename), "") + ("e", "Read the events from a trace file in .scap format instead of tapping into live.", cxxopts::value(trace_filename), "") + ("enable-source", "Enable a specific event source. If used, only event sources passed with this options get enabled. Available event sources are: syscall or any source from a configured plugin with event sourcing capability. It can be passed multiple times. It has no offect when reading events from a trace file. Can not be mixed with disable-source.", cxxopts::value(enable_sources), "") #ifdef HAS_GVISOR ("g,gvisor-config", "Parse events from gVisor using the specified configuration file. A falco-compatible configuration file can be generated with --gvisor-generate-config and can be used for both runsc and Falco.", cxxopts::value(gvisor_config), "") ("gvisor-generate-config", "Generate a configuration file that can be used for gVisor.", cxxopts::value(gvisor_generate_config_with_socket)->implicit_value("/tmp/gvisor.sock"), "") diff --git a/userspace/falco/app_cmdline_options.h b/userspace/falco/app_cmdline_options.h index 427c52f11fa..6543194b3f1 100644 --- a/userspace/falco/app_cmdline_options.h +++ b/userspace/falco/app_cmdline_options.h @@ -42,6 +42,7 @@ class cmdline_options { bool disable_cri_async; std::vector disable_sources; std::vector disabled_rule_substrings; + std::vector enable_sources; std::string trace_filename; std::string gvisor_config; std::string gvisor_generate_config_with_socket; diff --git a/userspace/falco/application.cpp b/userspace/falco/application.cpp index 7a88472e060..39ea3edfc1e 100644 --- a/userspace/falco/application.cpp +++ b/userspace/falco/application.cpp 
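Review bot: The new `--enable-source` help string and the reworded `--disable-source` one both read `It has no offect when reading events from a trace file` — `effect` — and `--enable-source` also says `only event sources passed with this options get enabled` — `this option`; these strings are printed by --help, so the typos ship in the binary. Proposed wording: `It has no effect when reading events from a trace file.` and `If used, only event sources passed with this option get enabled.` The `cmdline_options::define()` option chain starts and ends outside the hunk.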
@@ -41,6 +41,7 @@ application::run_result::~run_result()
 application::state::state()
 : restart(false),
 terminate(false),
+ loaded_sources({falco_common::syscall_source}),
 enabled_sources({falco_common::syscall_source})
 {
 config = std::make_shared();
@@ -136,6 +137,7 @@ bool application::run(std::string &errstr, bool &restart)
 std::bind(&application::init_inspector, this),
 std::bind(&application::load_plugins, this),
 std::bind(&application::init_falco_engine, this),
+ std::bind(&application::select_event_sources, this),
 std::bind(&application::list_fields, this),
 std::bind(&application::validate_rules_files, this),
 std::bind(&application::load_rules_files, this),
diff --git a/userspace/falco/application.h b/userspace/falco/application.h
index c6ee5ff102d..60586af0b40 100644
--- a/userspace/falco/application.h
+++ b/userspace/falco/application.h
@@ -69,6 +69,7 @@ class application {
 std::shared_ptr outputs;
 std::shared_ptr engine;
 std::shared_ptr inspector;
+ std::set loaded_sources;
 std::set enabled_sources;
 // The event source index that correspond to "syscall"
@@ -200,6 +201,7 @@ class application {
 run_result print_syscall_events();
 run_result print_version();
 run_result process_events();
+ run_result select_event_sources();
 #ifndef MINIMAL_BUILD
 run_result start_grpc_server();
 run_result start_webserver();
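Review bot: `std::set loaded_sources;` is added to `application::state` in the application.h hunk without a comment, next to `enabled_sources`, which has none either, so the distinction between the two sets — which this commit now relies on in `load_plugins` and `select_event_sources` — is only discoverable by reading those actions. Suggested comments above the two members: `// Event sources known to the inspector: syscall plus the source of each loaded plugin with event sourcing capability` and `// Subset of loaded_sources selected for this run via --enable-source/--disable-source; currently at most one`. The `state` struct continues outside the hunk.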