new(userspace,cmake): honor new plugins exposed suggested output form…
…ats.

Signed-off-by: Federico Di Pierro <[email protected]>
FedeDP committed Oct 22, 2024
1 parent e4cbffc commit 307ad8f
Showing 6 changed files with 45 additions and 4 deletions.
4 changes: 2 additions & 2 deletions cmake/modules/driver.cmake
Expand Up @@ -35,9 +35,9 @@ else()
# FALCOSECURITY_LIBS_VERSION. In case you want to test against another driver version (or
# branch, or commit) just pass the variable - ie., `cmake -DDRIVER_VERSION=dev ..`
if(NOT DRIVER_VERSION)
set(DRIVER_VERSION "4403a842c0602acea7e02851c90098fc0f2b0ebf")
set(DRIVER_VERSION "90c1520c24f4c9123273f0c9c6689cab0f9907e9")
set(DRIVER_CHECKSUM
"SHA256=06e9d4562dcaea4d0e6cdf05c52958492cfbe1c4af282f8731bbe07c6e6817b7"
"SHA256=80776d0c2c0b94291cb8814330155635dded66c38ed9682b8f9605aca7f9380a"
)
endif()

4 changes: 2 additions & 2 deletions cmake/modules/falcosecurity-libs.cmake
Expand Up @@ -42,9 +42,9 @@ else()
# version (or branch, or commit) just pass the variable - ie., `cmake
# -DFALCOSECURITY_LIBS_VERSION=dev ..`
if(NOT FALCOSECURITY_LIBS_VERSION)
set(FALCOSECURITY_LIBS_VERSION "4403a842c0602acea7e02851c90098fc0f2b0ebf")
set(FALCOSECURITY_LIBS_VERSION "90c1520c24f4c9123273f0c9c6689cab0f9907e9")
set(FALCOSECURITY_LIBS_CHECKSUM
"SHA256=06e9d4562dcaea4d0e6cdf05c52958492cfbe1c4af282f8731bbe07c6e6817b7"
"SHA256=80776d0c2c0b94291cb8814330155635dded66c38ed9682b8f9605aca7f9380a"
)
endif()

6 changes: 6 additions & 0 deletions falco.yaml
Expand Up @@ -571,6 +571,12 @@ buffered_outputs: false
# deploying it in production.
rule_matching: first

# [Incubating] `suggested_formats`
#
# When enabled, Falco will honor requests by extractor plugins
# that suggest certain fields to be part of outputs.
suggested_formats: true

# [Stable] `outputs_queue`
#
# Falco utilizes tbb::concurrent_bounded_queue for handling outputs, and this parameter
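Review bot: The comment above `suggested_formats` does not tell an operator what is appended or where, even though the option is marked Incubating and is set to true here. Going by the init_falco_engine.cpp change in this same commit, each suggested field is added to the output of every rule of that event source as a `foo_bar=%foo.bar` pair, which changes the alert payloads that downstream parsers and log pipelines consume. I would add two comment lines such as `# Each suggested field is appended to every rule output of the plugin's source as foo_bar=%foo.bar.` and `# Set to false to keep outputs exactly as written in the rules files.`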
32 changes: 32 additions & 0 deletions userspace/falco/app/actions/init_falco_engine.cpp
Expand Up @@ -18,10 +18,23 @@ limitations under the License.
#include "actions.h"
#include <libsinsp/plugin_manager.h>
#include <falco_common.h>
#include <algorithm>

using namespace falco::app;
using namespace falco::app::actions;

static inline std::string format_suggested_field(const filter_check_info* info) {
std::ostringstream out;

// Replace "foo.bar" with "foo_bar"
auto name = info->m_name;
std::replace(name.begin(), name.end(), '.', '_');

// foo_bar=%foo.bar
out << name << "=%" << info->m_name;
return out.str();
}

void configure_output_format(falco::app::state& s) {
for(auto& eo : s.config->m_append_output) {
if(eo.m_format != "") {
Expand All @@ -45,6 +58,25 @@ void configure_output_format(falco::app::state& s) {
}
}

// Add suggested filtercheck formats to each source output
if(s.config->m_suggested_formats) {
for(auto& src : s.loaded_sources) {
auto src_info = s.source_infos.at(src);
auto& filterchecks = *src_info->filterchecks;
std::vector<const filter_check_info*> fields;
filterchecks.get_all_fields(fields);
for(const auto& fld : fields) {
if(fld->m_flags & EPF_FORMAT_SUGGESTED) {
s.engine->add_extra_output_format(format_suggested_field(fld),
src,
{},
"",
false);
}
}
}
}

// See https://falco.org/docs/rules/style-guide/
const std::string container_info =
"container_id=%container.id container_image=%container.image.repository "
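Review bot: The new loop in configure_output_format appends every field a plugin flags with EPF_FORMAT_SUGGESTED to the output of all rules for that source, and nothing records which fields were added, so an operator cannot tell from the logs why alert payloads changed or which plugin-provided data now reaches the output channels. Because `suggested_formats` defaults to true, I would log each addition just before the `add_extra_output_format` call, for example `falco_logger::log(falco_logger::level::DEBUG, "Adding suggested output field " + fld->m_name + " for source " + src + "\n");` (this assumes m_name and src are std::string and that the logger header is reachable from this file). The `s.source_infos.at(src)` lookup and the `*src_info->filterchecks` dereference also rely on every loaded source having a registered entry with filterchecks; that invariant is not visible in this hunk and is worth a short comment. The body of configure_output_format starts and ends outside the hunk.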
2 changes: 2 additions & 0 deletions userspace/falco/configuration.cpp
Expand Up @@ -72,6 +72,7 @@ falco_configuration::falco_configuration():
m_rule_matching(falco_common::rule_matching::FIRST),
m_watch_config_files(true),
m_buffered_outputs(false),
m_suggested_formats(true),
m_outputs_queue_capacity(DEFAULT_OUTPUTS_QUEUE_CAPACITY_UNBOUNDED_MAX_LONG_VALUE),
m_time_format_iso_8601(false),
m_buffer_format_base64(false),
Expand Down Expand Up @@ -483,6 +484,7 @@ void falco_configuration::load_yaml(const std::string &config_name) {
}

m_buffered_outputs = m_config.get_scalar<bool>("buffered_outputs", false);
m_suggested_formats = m_config.get_scalar<bool>("suggested_formats", true);
m_outputs_queue_capacity =
m_config.get_scalar<size_t>("outputs_queue.capacity",
DEFAULT_OUTPUTS_QUEUE_CAPACITY_UNBOUNDED_MAX_LONG_VALUE);
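Review bot: The initializer `m_suggested_formats(true)` in the first hunk sits between m_buffered_outputs and m_outputs_queue_capacity, while configuration.h in this same commit declares the member after m_output_timeout, that is, after m_time_format_iso_8601 and m_buffer_format_base64. Members are initialized in declaration order regardless of how the list is written, so the list now disagrees with the class layout and compilers report it under -Wreorder. It is harmless today because every initializer involved is a constant, but I would either move the line to follow `m_buffer_format_base64(false),` or declare the member next to m_buffered_outputs, so the two stay in step. The constructor's initializer list starts and ends outside the hunk.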
1 change: 1 addition & 0 deletions userspace/falco/configuration.h
Expand Up @@ -155,6 +155,7 @@ class falco_configuration {
bool m_time_format_iso_8601;
bool m_buffer_format_base64;
uint32_t m_output_timeout;
bool m_suggested_formats;

bool m_grpc_enabled;
uint32_t m_grpc_threadiness;