falcosecurity · poiana · Oct 10, 2024 · Sep 30, 2024 · Sep 30, 2024
diff --git a/falco.yaml b/falco.yaml
@@ -1155,6 +1155,14 @@ metrics:
 # Falco, the `base_syscalls` option allows for finer end-user control of
 # syscalls traced by Falco.
 #
+# --- [base_syscalls.all]
+#
+# `base_syscalls.all` enables monitoring of all events supported by Falco and
+# defined in rules and configs.
+# By default some events, such as `write`, are ignored (run `falco -i` to get
+# the full list) unless base_syscalls.all is true.
+# This option may negatively impact performance.
+#
 # --- [base_syscalls.custom_set]
 #
 # CAUTION: Misconfiguration of this setting may result in incomplete Falco event

diff --git a/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp b/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp
@@ -528,6 +528,43 @@ TEST_F(test_falco_engine, selection_empty_custom_base_set_repair) {
 	ASSERT_EQ(s7.selected_sc_set.size(), s7_state_set.size());
 }
 
+TEST_F(test_falco_engine, selection_base_syscalls_all) {
+	load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
+
+	falco::app::state s7;
+	s7.engine = m_engine;
+
+	// simulate empty custom set but repair option set.
+	s7.config->m_base_syscalls_custom_set = {};
+	s7.config->m_base_syscalls_repair = true;
+	s7.config->m_base_syscalls_all = true;
+	auto result = falco::app::actions::configure_interesting_sets(s7);
+	auto s7_rules_set = s7.engine->sc_codes_for_ruleset(s_sample_source, s_sample_ruleset);
+	ASSERT_TRUE(result.success);
+	ASSERT_EQ(result.errstr, "");
+	auto selected_sc_names = libsinsp::events::sc_set_to_event_names(s7.selected_sc_set);
+	auto expected_sc_names = strset_t({// note: expecting syscalls from mock rules and
+	                                   // `sinsp_repair_state_sc_set` enforced syscalls
+	                                   "connect",
+	                                   "accept",
+	                                   "accept4",
+	                                   "umount2",
+	                                   "open",
+	                                   "ptrace",
+	                                   "mmap",
+	                                   "execve",
+	                                   "procexit",
+	                                   "bind",
+	                                   "socket",
+	                                   "clone3",
+	                                   "close",
+	                                   "setuid"});
+	ASSERT_NAMES_CONTAIN(selected_sc_names, expected_sc_names);
+	auto s7_state_set = libsinsp::events::sinsp_repair_state_sc_set(s7_rules_set);
+	ASSERT_EQ(s7.selected_sc_set, s7_state_set);
+	ASSERT_EQ(s7.selected_sc_set.size(), s7_state_set.size());
+}
+
 TEST(ConfigureInterestingSets, ignored_set_expected_size) {
 	// unit test fence to make sure we don't have unexpected regressions
 	// in the ignored set, to be updated in the future

diff --git a/userspace/falco/app/actions/configure_interesting_sets.cpp b/userspace/falco/app/actions/configure_interesting_sets.cpp
@@ -200,12 +200,22 @@ static void select_event_set(falco::app::state& s,
 		                          concat_set_in_order(non_rules_sc_set_names) + "\n");
 	}
 
-	/* -A flag behavior:
+	/* base_syscall.all / -A flag behavior:
 	 * (1) default: all syscalls in rules included, sinsp state enforcement
 	       without high volume syscalls
-	 * (2) -A flag set: all syscalls in rules included, sinsp state enforcement
+	 * (2) set: all syscalls in rules included, sinsp state enforcement
 	       and allowing high volume syscalls */
-	if(!s.options.all_events) {
+	bool all_events = false;
+	if(s.options.all_events) {
+		falco_logger::log(falco_logger::level::WARNING,
+		                  "The -A option is deprecated and will be removed. Use -o "
+		                  "base_syscalls.all=true instead.");
+		all_events = true;
+	}
+	if(s.config->m_base_syscalls_all) {
+		all_events = true;
+	}
+	if(!(s.options.all_events || s.config->m_base_syscalls_all)) {
 		auto ignored_sc_set = falco::app::ignored_sc_set();
 		auto erased_sc_set = s.selected_sc_set.intersect(ignored_sc_set);
 		s.selected_sc_set = s.selected_sc_set.diff(ignored_sc_set);

diff --git a/userspace/falco/app/options.cpp b/userspace/falco/app/options.cpp
@@ -104,7 +104,7 @@ void options::define(cxxopts::Options& opts)
 #endif
 		("config-schema",            "Print the config json schema and exit.", cxxopts::value(print_config_schema)->default_value("false"))
 		("rule-schema",              "Print the rule json schema and exit.", cxxopts::value(print_rule_schema)->default_value("false"))
-		("A",                        "Monitor all events supported by Falco and defined in rules and configs. Some events are ignored by default when -A is not specified (the -i option lists these events ignored). Using -A can impact performance. This option has no effect when reproducing events from a capture file.", cxxopts::value(all_events)->default_value("false"))
+		("A",                        "DEPRECATED: use -o base_syscalls.all=true instead. Monitor all events supported by Falco and defined in rules and configs. Some events are ignored by default when -A is not specified (the -i option lists these events ignored). Using -A can impact performance. This option has no effect when reproducing events from a capture file.", cxxopts::value(all_events)->default_value("false"))
 		("b,print-base64",           "Print data buffers in base64. This is useful for encoding binary data that needs to be used over media designed to consume this format.")
 		("disable-source",           "Turn off a specific <event_source>. By default, all loaded sources get enabled. Available sources are 'syscall' plus all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times, but turning off all event sources simultaneously is not permitted. This option can not be mixed with --enable-source. This option has no effect when reproducing events from a capture file.", cxxopts::value(disable_sources), "<event_source>")
 		("dry-run",                  "Run Falco without processing events. It can help check that the configuration and rules do not have any errors.", cxxopts::value(dry_run)->default_value("false"))

diff --git a/userspace/falco/config_json_schema.h b/userspace/falco/config_json_schema.h
@@ -277,6 +277,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
             "type": "object",
             "additionalProperties": false,
             "properties": {
+                "all": {
+                    "type": "boolean"
+                },
                 "custom_set": {
                     "type": "array",
                     "items": {

diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp
@@ -85,6 +85,7 @@ falco_configuration::falco_configuration():
         m_syscall_evt_timeout_max_consecutives(1000),
         m_falco_libs_thread_table_size(DEFAULT_FALCO_LIBS_THREAD_TABLE_SIZE),
         m_falco_libs_snaplen(0),
+        m_base_syscalls_all(false),
         m_base_syscalls_repair(false),
         m_metrics_enabled(false),
         m_metrics_interval_str("5000"),
@@ -577,6 +578,7 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 	m_config.get_sequence<std::unordered_set<std::string>>(m_base_syscalls_custom_set,
 	                                                       std::string("base_syscalls.custom_set"));
 	m_base_syscalls_repair = m_config.get_scalar<bool>("base_syscalls.repair", false);
+	m_base_syscalls_all = m_config.get_scalar<bool>("base_syscalls.all", false);
 
 	m_metrics_enabled = m_config.get_scalar<bool>("metrics.enabled", false);
 	m_metrics_interval_str = m_config.get_scalar<std::string>("metrics.interval", "5000");

diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h
@@ -179,6 +179,7 @@ class falco_configuration {
 
 	// User supplied base_syscalls, overrides any Falco state engine enforcement.
 	std::unordered_set<std::string> m_base_syscalls_custom_set;
+	bool m_base_syscalls_all;
 	bool m_base_syscalls_repair;
 
 	// metrics configs