Add names descriptions #64
Conversation
Add name and description fields to all rules. The name field is actually a field called 'rule', which corresponds to the 'macro' field for macros. Within the rule loader, the state changes slightly. There are two indices into the set of rules 'rules_by_name' and 'rules_by_idx' (formerly 'outputs'). They both now contain the original table from the yaml parse. One field 'level' is added which is the priority mapped to a number. Get rid of the notion of default priority or output. Every rule must now provide both. Go through all current rules and add names and descriptions.
When run with -l <rule>, falco will print the name/description of the single rule <rule> and exit. With -L, falco will print the name/description of all rules. All the work is done in lua in the rule loader. A new lua function describe_rule calls the local function describe_single_rule once or multiple times depending on -l/-L. describe_single_rule prints the rule name and a wrapped version of the rule description.
|
Actually hold off on reviewing until I've taken a pass over each rule's output to clean it up as well. |
Try to clean up the language of the existing rule set, expanding the output when possible, removing %evt.dir in most cases. There is one substantive change: the mkdir half of modify_binary_dirs was split out into its own rule mkdir_binary_dirs.
|
Ok, I did a pass tidying, go ahead and take a look. @ldegio if you'd like to do a pass go ahead and add commits to this branch. |
|
👍 |
|
actually hold on, can you also update the rule snippets in the readme? |
|
(and document the meaning and use of the new fields) |
Include full macros and rule for write_binary_dir.
|
Ok README updated. |
A new macro package_mgmt_binaries includes dpkg and rpm. Those programs are allowed to create directories and modify files below binary directories. I'm not adding them to other trusted sets for now, though.
|
Rule-syntax-and-design is a (broken link to) a wiki page that i need to delete. But let's get this in, we can fix the readme later. 👍 |
We'll probably want a more formal set of documentation soon, but at least they're mentioned now. Also remove socket from the list of discarded events, thinking ahead to when draios/sysdig#591 will be merged.
|
Also added to rules section. I'll merge first thing tomorrow once I also merge @ldegio's branch to this one. |
rule file improvement pass
For rules where evt.args had useful information but too much information, add back specific values that have just the useful argument from the event: - spawned shells contain the commandline--it's the exit half of the exec event so the current commandline is what was exec()d to. - setuid contains the uid being switched to. While I was testing these, I had a couple of other fixes: - In the spawn shells rule, only track execve events so you don't catch clone() events that precede an exec. - in spawn_process only consider the exit half of the exec event.
|
Detail added back, wanna take one more look @henridf ? |
|
looks good! |
This fixes #57.
@henridf