From 2d0c31b3ffacc221887ed5f2d2dafba6b2e6585d Mon Sep 17 00:00:00 2001 From: Luca Guerra Date: Mon, 30 Sep 2024 11:02:50 +0000 Subject: [PATCH 1/2] new(falco): add base_syscalls.all option to falco.yaml Signed-off-by: Luca Guerra
---
falco.yaml | 8 ++++ .../test_configure_interesting_sets.cpp | 37 +++++++++++++++++++ .../actions/configure_interesting_sets.cpp | 2 +- userspace/falco/config_json_schema.h | 3 ++ userspace/falco/configuration.cpp | 2 + userspace/falco/configuration.h | 1 + 6 files changed, 52 insertions(+), 1 deletion(-)
diff --git a/falco.yaml b/falco.yaml
index e9e0da6e937..c917967ec69 100644
--- a/falco.yaml
+++ b/falco.yaml
@@ -1155,6 +1155,14 @@ metrics:
 # Falco, the `base_syscalls` option allows for finer end-user control of
 # syscalls traced by Falco.
 #
+# --- [base_syscalls.all]
+#
+# `base_syscalls.all` enables monitoring of all events supported by Falco and
+# defined in rules and configs.
+# By default some events, such as `write`, are ignored (run `falco -i` to get
+# the full list) unless base_syscalls.all is true.
+# This option may negatively impact performance.
+#
 # --- [base_syscalls.custom_set]
 #
 # CAUTION: Misconfiguration of this setting may result in incomplete Falco event
diff --git a/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp b/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp
index 40a6215283b..2150019eb18 100644
--- a/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp
+++ b/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp
@@ -528,6 +528,43 @@ TEST_F(test_falco_engine, selection_empty_custom_base_set_repair) {
 ASSERT_EQ(s7.selected_sc_set.size(), s7_state_set.size());
 }
 
+TEST_F(test_falco_engine, selection_base_syscalls_all) {
+ load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
+
+ falco::app::state s7;
+ s7.engine = m_engine;
+
+ // simulate empty custom set but repair option set.
+ s7.config->m_base_syscalls_custom_set = {};
+ s7.config->m_base_syscalls_repair = true;
+ s7.config->m_base_syscalls_all = true;
+ auto result = falco::app::actions::configure_interesting_sets(s7);
+ auto s7_rules_set = s7.engine->sc_codes_for_ruleset(s_sample_source, s_sample_ruleset);
+ ASSERT_TRUE(result.success);
+ ASSERT_EQ(result.errstr, "");
+ auto selected_sc_names = libsinsp::events::sc_set_to_event_names(s7.selected_sc_set);
+ auto expected_sc_names = strset_t({// note: expecting syscalls from mock rules and
+ // `sinsp_repair_state_sc_set` enforced syscalls
+ "connect",
+ "accept",
+ "accept4",
+ "umount2",
+ "open",
+ "ptrace",
+ "mmap",
+ "execve",
+ "procexit",
+ "bind",
+ "socket",
+ "clone3",
+ "close",
+ "setuid"});
+ ASSERT_NAMES_CONTAIN(selected_sc_names, expected_sc_names);
+ auto s7_state_set = libsinsp::events::sinsp_repair_state_sc_set(s7_rules_set);
+ ASSERT_EQ(s7.selected_sc_set, s7_state_set);
+ ASSERT_EQ(s7.selected_sc_set.size(), s7_state_set.size());
+}
+
 TEST(ConfigureInterestingSets, ignored_set_expected_size) {
 // unit test fence to make sure we don't have unexpected regressions
 // in the ignored set, to be updated in the future
diff --git a/userspace/falco/app/actions/configure_interesting_sets.cpp b/userspace/falco/app/actions/configure_interesting_sets.cpp
index 86f2b894867..8d084a9c576 100644
--- a/userspace/falco/app/actions/configure_interesting_sets.cpp
+++ b/userspace/falco/app/actions/configure_interesting_sets.cpp
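Review bot: The new `selection_base_syscalls_all` test does not pin the behaviour that `m_base_syscalls_all` introduces: its expected names and its final `ASSERT_EQ(s7.selected_sc_set, s7_state_set)` are the same as in the preceding `selection_empty_custom_base_set_repair` test, and none of the listed names is one of the high-volume syscalls the flag is meant to keep, so the assertions would presumably pass with the flag off as well. If `s_sample_filters` (not visible here) reference a syscall from `falco::app::ignored_sc_set()`, assert that it is still present in `selected_sc_set`; if they do not, add one so the test fails when the flag is ignored. The comment `// simulate empty custom set but repair option set.` was carried over from the previous test and should say what differs, e.g. `// empty custom set, repair on, and base_syscalls.all set: ignored syscalls must be kept.`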
@@ -205,7 +205,7 @@ static void select_event_set(falco::app::state& s,
 without high volume syscalls
 * (2) -A flag set: all syscalls in rules included, sinsp state enforcement
 and allowing high volume syscalls */
- if(!s.options.all_events) {
+ if(!(s.options.all_events || s.config->m_base_syscalls_all)) {
 auto ignored_sc_set = falco::app::ignored_sc_set();
 auto erased_sc_set = s.selected_sc_set.intersect(ignored_sc_set);
 s.selected_sc_set = s.selected_sc_set.diff(ignored_sc_set);
diff --git a/userspace/falco/config_json_schema.h b/userspace/falco/config_json_schema.h
index 430b9123e79..34081bc4ece 100644
--- a/userspace/falco/config_json_schema.h
+++ b/userspace/falco/config_json_schema.h
@@ -277,6 +277,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
 "type": "object",
 "additionalProperties": false,
 "properties": {
+ "all": {
+ "type": "boolean"
+ },
 "custom_set": {
 "type": "array",
 "items": {
diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp
index fe8e217ba59..26f2fd96691 100644
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -85,6 +85,7 @@ falco_configuration::falco_configuration():
 m_syscall_evt_timeout_max_consecutives(1000),
 m_falco_libs_thread_table_size(DEFAULT_FALCO_LIBS_THREAD_TABLE_SIZE),
 m_falco_libs_snaplen(0),
+ m_base_syscalls_all(false),
 m_base_syscalls_repair(false),
 m_metrics_enabled(false),
 m_metrics_interval_str("5000"),
@@ -577,6 +578,7 @@ void falco_configuration::load_yaml(const std::string &config_name) { m_config.get_sequence>(m_base_syscalls_custom_set, std::string("base_syscalls.custom_set")); m_base_syscalls_repair = m_config.get_scalar("base_syscalls.repair", false); + m_base_syscalls_all = m_config.get_scalar("base_syscalls.all", false); m_metrics_enabled = m_config.get_scalar("metrics.enabled", false); m_metrics_interval_str = m_config.get_scalar("metrics.interval", "5000");
diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h
index 02e6bf24db6..f330f238b8f 100644
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@@ -179,6 +179,7 @@ class falco_configuration { // User supplied base_syscalls, overrides any Falco state engine enforcement. std::unordered_set m_base_syscalls_custom_set; + bool m_base_syscalls_all; bool m_base_syscalls_repair; // metrics configs
From a208172e43bc60fca83b9c38b3727e6e33334798 Mon Sep 17 00:00:00 2001 From: Luca Guerra Date: Mon, 30 Sep 2024 11:03:45 +0000 Subject: [PATCH 2/2] chore(falco): deprecated -A Signed-off-by: Luca Guerra
---
.../app/actions/configure_interesting_sets.cpp | 14 ++++++++++++-- userspace/falco/app/options.cpp | 2 +- 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/userspace/falco/app/actions/configure_interesting_sets.cpp b/userspace/falco/app/actions/configure_interesting_sets.cpp
index 8d084a9c576..a6e42fad327 100644
--- a/userspace/falco/app/actions/configure_interesting_sets.cpp
+++ b/userspace/falco/app/actions/configure_interesting_sets.cpp
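Review bot: `bool m_base_syscalls_all;` is added with no comment, while the neighbouring `m_base_syscalls_custom_set` member documents its effect, and the name alone does not convey that the flag keeps the high-volume syscalls that `falco::app::ignored_sc_set()` otherwise removes from the selected set (the check this patch changes in `configure_interesting_sets.cpp`). Add a line above the new member such as `// When true, keep the high-volume syscalls that are dropped by default (same effect as -A).` so readers of the header do not have to trace the use site.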
@@ -200,11 +200,21 @@ static void select_event_set(falco::app::state& s,
 concat_set_in_order(non_rules_sc_set_names) + "\n");
 }
 
- /* -A flag behavior:
+ /* base_syscall.all / -A flag behavior:
 * (1) default: all syscalls in rules included, sinsp state enforcement
 without high volume syscalls
- * (2) -A flag set: all syscalls in rules included, sinsp state enforcement
+ * (2) set: all syscalls in rules included, sinsp state enforcement
 and allowing high volume syscalls */
+ bool all_events = false;
+ if(s.options.all_events) {
+ falco_logger::log(falco_logger::level::WARNING,
+ "The -A option is deprecated and will be removed. Use -o "
+ "base_syscalls.all=true instead.");
+ all_events = true;
+ }
+ if(s.config->m_base_syscalls_all) {
+ all_events = true;
+ }
 if(!(s.options.all_events || s.config->m_base_syscalls_all)) {
 auto ignored_sc_set = falco::app::ignored_sc_set();
 auto erased_sc_set = s.selected_sc_set.intersect(ignored_sc_set);
diff --git a/userspace/falco/app/options.cpp b/userspace/falco/app/options.cpp
index 892e41e98a8..7f5285ec5ca 100644
--- a/userspace/falco/app/options.cpp
+++ b/userspace/falco/app/options.cpp
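Review bot: The new local `all_events` is assigned in both added `if` blocks but never read: the condition that follows is still `if(!(s.options.all_events || s.config->m_base_syscalls_all))`, so the variable is dead and will likely draw an unused-but-set warning. Either change that line to `if(!all_events) {` or drop the local and keep only the deprecation log, so the two expressions cannot drift apart later. The warning is also emitted from inside `select_event_set`, which means a `-A` user on a path that never reaches this function (the help text in options.cpp says the flag has no effect when replaying a capture file) would not be told it is deprecated; logging it where the options are parsed seems the more reliable place, though the caller is not visible here. `select_event_set` begins before and continues after this hunk.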
@@ -104,7 +104,7 @@ void options::define(cxxopts::Options& opts)
 #endif
 ("config-schema", "Print the config json schema and exit.", cxxopts::value(print_config_schema)->default_value("false"))
 ("rule-schema", "Print the rule json schema and exit.", cxxopts::value(print_rule_schema)->default_value("false"))
- ("A", "Monitor all events supported by Falco and defined in rules and configs. Some events are ignored by default when -A is not specified (the -i option lists these events ignored). Using -A can impact performance. This option has no effect when reproducing events from a capture file.", cxxopts::value(all_events)->default_value("false"))
+ ("A", "DEPRECATED: use -o base_syscalls.all=true instead. Monitor all events supported by Falco and defined in rules and configs. Some events are ignored by default when -A is not specified (the -i option lists these events ignored). Using -A can impact performance. This option has no effect when reproducing events from a capture file.", cxxopts::value(all_events)->default_value("false"))
 ("b,print-base64", "Print data buffers in base64. This is useful for encoding binary data that needs to be used over media designed to consume this format.")
 ("disable-source", "Turn off a specific . By default, all loaded sources get enabled. Available sources are 'syscall' plus all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times, but turning off all event sources simultaneously is not permitted. This option can not be mixed with --enable-source. This option has no effect when reproducing events from a capture file.", cxxopts::value(disable_sources), "")
 ("dry-run", "Run Falco without processing events. It can help check that the configuration and rules do not have any errors.", cxxopts::value(dry_run)->default_value("false"))