allow to use env vars in the exec/script, all the key fields (priorit…

…y, rule, tags, output_fields, ...) of the falco event are exported + consider '-' as the value to remove a label (#197) * allow to use env vars in the exec/script, all the key fields (priority, rule, tags, output_fields, ...) of the falco event are exported Signed-off-by: Thomas Labarussias <[email protected]> * consider '-' to remove the labels, the empty value is not considering when kubernetes create the rule file from a configmap Signed-off-by: Thomas Labarussias <[email protected]> --------- Signed-off-by: Thomas Labarussias <[email protected]>
falcosecurity · Mar 31, 2024 · 10af943 · 10af943
1 parent 1e61dc6
commit 10af943
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 1 deletion.
diff --git a/actionners/kubernetes/exec/exec.go b/actionners/kubernetes/exec/exec.go
@@ -5,6 +5,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"os"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/tools/remotecommand"
@@ -38,6 +39,9 @@ func Action(action *rules.Action, event *events.Event) (utils.LogLine, error) {
 		*command = parameters["command"].(string)
 	}
 
+	event.ExportEnvVars()
+	*command = os.ExpandEnv(*command)
+
 	client := kubernetes.GetClient()
 
 	p, _ := client.GetPod(pod, namespace)

diff --git a/actionners/kubernetes/labelize/labelize.go b/actionners/kubernetes/labelize/labelize.go
@@ -40,6 +40,9 @@ func Action(action *rules.Action, event *events.Event) (utils.LogLine, error) {
 		if fmt.Sprintf("%v", j) == "" {
 			continue
 		}
+		if fmt.Sprintf("%v", j) == "-" {
+			continue
+		}
 		payload = append(payload, patch{
 			Op:    "replace",
 			Path:  metadataLabels + i,
@@ -63,7 +66,7 @@ func Action(action *rules.Action, event *events.Event) (utils.LogLine, error) {
 	payload = make([]patch, 0)
 	action.GetParameters()
 	for i, j := range parameters["labels"].(map[string]interface{}) {
-		if fmt.Sprintf("%v", j) != "" {
+		if fmt.Sprintf("%v", j) != "-" {
 			continue
 		}
 		payload = append(payload, patch{

diff --git a/actionners/kubernetes/script/script.go b/actionners/kubernetes/script/script.go
@@ -52,6 +52,9 @@ func Action(action *rules.Action, event *events.Event) (utils.LogLine, error) {
 		*script = string(fileContent)
 	}
 
+	event.ExportEnvVars()
+	*script = os.ExpandEnv(*script)
+
 	reader := strings.NewReader(*script)
 
 	client := kubernetes.GetClient()

diff --git a/internal/events/events.go b/internal/events/events.go
@@ -2,7 +2,9 @@ package events
 
 import (
 	"encoding/json"
+	"fmt"
 	"io"
+	"os"
 	"regexp"
 	"strings"
 	"time"
@@ -15,6 +17,7 @@ type Event struct {
 	Output       string                 `json:"output"`
 	Priority     string                 `json:"priority"`
 	Rule         string                 `json:"rule"`
+	Hostname     string                 `json:"hostname"`
 	Time         time.Time              `json:"time"`
 	Source       string                 `json:"source"`
 	OutputFields map[string]interface{} `json:"output_fields"`
@@ -121,6 +124,24 @@ func (event *Event) GetRemoteProtocol() string {
 	return ""
 }
 
+func (event *Event) ExportEnvVars() {
+	for i, j := range event.OutputFields {
+		key := strings.ReplaceAll(strings.ToUpper(i), ".", "_")
+		key = strings.ReplaceAll(key, "[", "_")
+		key = strings.ReplaceAll(key, "]", "")
+		os.Setenv(key, fmt.Sprintf("%v", j))
+	}
+	os.Setenv("PRIORITY", event.Priority)
+	os.Setenv("HOSTNAME", event.Hostname)
+	os.Setenv("RULE", event.Rule)
+	os.Setenv("SOURCE", event.Source)
+	var tags []string
+	for _, i := range event.Tags {
+		tags = append(tags, fmt.Sprintf("%v", i))
+	}
+	os.Setenv("TAGS", strings.Join(tags, ","))
+}
+
 func (event *Event) String() string {
 	e, _ := json.Marshal(*event)
 	return string(e)