Add names descriptions #64
Conversation
Add name and description fields to all rules. The name field is actually a field called 'rule', which corresponds to the 'macro' field for macros. Within the rule loader, the state changes slightly. There are two indices into the set of rules 'rules_by_name' and 'rules_by_idx' (formerly 'outputs'). They both now contain the original table from the yaml parse. One field 'level' is added which is the priority mapped to a number. Get rid of the notion of default priority or output. Every rule must now provide both. Go through all current rules and add names and descriptions.
When run with -l <rule>, falco will print the name/description of the single rule <rule> and exit. With -L, falco will print the name/description of all rules. All the work is done in lua in the rule loader. A new lua function describe_rule calls the local function describe_single_rule once or multiple times depending on -l/-L. describe_single_rule prints the rule name and a wrapped version of the rule description.
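An added illustration of the loader behaviour described in this PR (example code written for this page, not falco's own rule_loader; the priority-to-level mapping and the sample parsed table are assumptions standing in for the yaml parse):

```lua
-- Assumed priority-to-level mapping (falco's real names/order may differ).
local priority_levels = { emergency = 0, alert = 1, critical = 2, error = 3,
                          warning = 4, notice = 5, info = 6, debug = 7 }
-- Constructed stand-in for the table the yaml parser hands the loader.
local parsed = {
  { macro = "bin_dir", condition = "fd.directory in (/bin, /sbin, /usr/bin)" },
  { rule = "write_binary_dir", priority = "WARNING",
    desc = "an attempt to write to any file below a set of binary directories",
    condition = "bin_dir and evt.dir = < and open_write",
    output = "File below a binary dir opened for writing (user=%user.name file=%fd.name)" },
}
local function load_rules(entries)
  local rules_by_name, rules_by_idx, macros = {}, {}, {}
  for _, e in ipairs(entries) do
    if e.macro then
      macros[e.macro] = e.condition
    elseif e.rule then
      -- No default priority or output any more: every field is mandatory.
      for _, f in ipairs({ "desc", "condition", "output", "priority" }) do
        if e[f] == nil then error("rule '" .. e.rule .. "' lacks '" .. f .. "'") end
      end
      e.level = priority_levels[e.priority:lower()]      -- priority as a number
        or error("rule '" .. e.rule .. "': unknown priority " .. e.priority)
      rules_by_idx[#rules_by_idx + 1] = e  -- both indices hold the same table
      rules_by_name[e.rule] = e
    else error("entry has neither 'rule' nor 'macro'") end
  end
  return rules_by_name, rules_by_idx, macros
end

-- Greedy word wrap for the description printed under the rule name.
local function wrap(text, width, indent)
  local lines, cur = {}, indent
  for word in text:gmatch("%S+") do
    if cur ~= indent and #cur + #word + 1 > width then
      lines[#lines + 1] = cur; cur = indent .. word
    else cur = (cur == indent) and (indent .. word) or (cur .. " " .. word) end
  end
  lines[#lines + 1] = cur
  return table.concat(lines, "\n")
end
local function describe_single_rule(r) print(r.rule); print(wrap(r.desc, 60, "  ")) end
-- name given: behaves like -l <rule>; name nil: like -L, every rule in load order.
local function describe_rule(rules_by_name, rules_by_idx, name)
  if name then describe_single_rule(rules_by_name[name] or error("no such rule: " .. name))
  else for _, r in ipairs(rules_by_idx) do describe_single_rule(r) end end
end
local by_name, by_idx = load_rules(parsed)
describe_rule(by_name, by_idx, nil)  -- -L style: prints every loaded rule
```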
Actually hold off on reviewing until I've taken a pass over each rule's output to clean it up as well.
Try to clean up the language of the existing rule set, expanding the output when possible, removing %evt.dir in most cases. There is one substantive change: the mkdir half of modify_binary_dirs was split out into its own rule mkdir_binary_dirs.
Ok, I did a pass tidying, go ahead and take a look. @ldegio if you'd like to do a pass go ahead and add commits to this branch.
👍
actually hold on, can you also update the rule snippets in the readme?
(and document the meaning and use of the new fields)
Include full macros and rule for write_binary_dir.
Ok README updated.
A new macro package_mgmt_binaries includes dpkg and rpm. Those programs are allowed to create directories and modify files below binary directories. I'm not adding them to other trusted sets for now, though.
Rule-syntax-and-design is a (broken link to) a wiki page that I need to delete. But let's get this in, we can fix the readme later. 👍
We'll probably want a more formal set of documentation soon, but at least they're mentioned now. Also remove socket from the list of discarded events, thinking ahead to when draios/sysdig#591 will be merged.
Also added to rules section. I'll merge first thing tomorrow once I also merge @ldegio's branch to this one.
rule file improvement pass
For rules where evt.args had useful information but too much information, add back specific values that have just the useful argument from the event:
- spawned shells contain the commandline--it's the exit half of the exec event so the current commandline is what was exec()d to.
- setuid contains the uid being switched to.
While I was testing these, I had a couple of other fixes:
- In the spawn shells rule, only track execve events so you don't catch clone() events that precede an exec.
- in spawn_process only consider the exit half of the exec event.
Detail added back, wanna take one more look @henridf ?
looks good!
This fixes #57.
@henridf