fix: updated some warning strings; properly refresh lua files embedded in falco

userspace/engine/lua/CMakeLists.txt

@@ -10,7 +10,7 @@
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 
-file(GLOB_RECURSE lua_module_files ${CMAKE_CURRENT_SOURCE_DIR} *.lua)
+file(GLOB_RECURSE lua_files ${CMAKE_CURRENT_SOURCE_DIR} *.lua)
 
 add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/falco_engine_lua_files.cpp
 	COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/lua-to-cpp.sh ${CMAKE_CURRENT_SOURCE_DIR} ${LYAML_LUA_DIR} ${CMAKE_CURRENT_BINARY_DIR}

userspace/engine/lua/rule_loader.lua

@@ -1059,9 +1059,9 @@ function load_rules(rules_content,
 
 	 else
 	    num_evttypes = falco_rules.add_filter(rules_mgr, lua_parser, v['rule'], v['source'], v['tags'])
-	    if num_evttypes == 0 or num_evttypes > 100 then
+	    if v['source'] == "syscall" and (num_evttypes == 0 or num_evttypes > 100) then
 	       if warn_evttypes == true then
-		  msg = "Rule "..v['rule']..": warning (no-evttype):"
+		  msg = "Rule "..v['rule']..": warning (no-evttype):\n".."         matches too many evt.type values.\n".."         This has a significant performance penalty.\n"
 		  warnings[#warnings + 1] = msg
 	       end
 	    end

userspace/engine/rules.cpp

@@ -452,7 +452,7 @@ void falco_rules::load_rules(const string &rules_content,
 			throw falco_exception(os.str());
 		}
 
-		if (verbose && os.str() != "") {
+		if (os.str() != "") {
 			// We don't really have a logging callback
 			// from the falco engine, but this would be a
 			// good place to use it.

userspace/engine/ruleset.cpp

@@ -68,6 +68,9 @@ void falco_ruleset::ruleset_filters::add_filter(std::shared_ptr<filter_wrapper>
 {
 	std::set<uint16_t> fevttypes = wrap->filter->evttypes();
 
+	// TODO: who fills this one for rules without evt.type specified?
+	// Can this be actually empty?
+	// Is m_filter_all_event_types useful?
 	if(fevttypes.empty())
 	{
 		// Should run for all event types

userspace/falco/falco.cpp

@@ -456,11 +456,29 @@ static void check_for_ignored_events(sinsp &inspector, falco_engine &engine)
 			std::string name = etable[evtnum].name;
 			if(warn_event_names.find(name) == warn_event_names.end())
 			{
-				printf("Loaded rules use event %s, but this event is not returned unless running falco with -A\n", name.c_str());
 				warn_event_names.insert(name);
 			}
 		}
 	}
+
+	// Print a single warning with the list of ignored events
+	if (!warn_event_names.empty())
+	{
+		std::string skipped_events;
+		bool first = true;
+		for (const auto& evtname : warn_event_names)
+		{
+			if (first)
+			{
+				skipped_events += evtname;
+				first = false;
+			} else
+			{
+				skipped_events += "," + evtname;
+			}
+		}
+		fprintf(stderr,"Loaded rules match events (%s), but these events are not returned unless running falco with -A\n", skipped_events.c_str());
+	}
 }
 
 static void list_source_fields(falco_engine *engine, bool verbose, bool names_only, std::string &source)
@@ -1041,6 +1059,7 @@ int falco_init(int argc, char **argv)
 				{
 					os << "Type: extractor plugin" << std::endl;
 				}
+				os << std::endl;
 			}
 
 			printf("%lu Plugins Loaded:\n\n%s\n", infos.size(), os.str().c_str());
@@ -1138,11 +1157,6 @@ int falco_init(int argc, char **argv)
 			engine->enable_rule_by_tag(enabled_rule_tags, true);
 		}
 
-		// For syscalls, see if any event types used by the
-		// loaded rules are ones with the EF_DROP_SIMPLE_CONS
-		// label.
-		check_for_ignored_events(*inspector, *engine);
-
 		if(print_support)
 		{
 			nlohmann::json support;
@@ -1206,6 +1220,10 @@ int falco_init(int argc, char **argv)
 
 		if(!all_events)
 		{
+			// For syscalls, see if any event types used by the
+			// loaded rules are ones with the EF_DROP_SIMPLE_CONS
+			// label.
+			check_for_ignored_events(*inspector, *engine);
 			// Drop EF_DROP_SIMPLE_CONS kernel side
 			inspector->set_simple_consumer();
 			// Eventually, drop any EF_DROP_SIMPLE_CONS event