falcosecurity · poiana · Sep 28, 2021 · Sep 23, 2021 · Sep 23, 2021 · leogr
diff --git a/falco.yaml b/falco.yaml
@@ -46,6 +46,12 @@ json_output: false
 # (user=root ....") in the json output.
 json_include_output_property: true
 
+# When using json output, whether or not to include the "tags" property
+# itself in the json output. If set to true, outputs caused by rules
+# with no tags will have a "tags" field set to an empty array. If set to
+# false, the "tags" field will not be included in the json output at all.
+json_include_tags_property: true
+
 # Send information logs to stderr and/or syslog Note these are *not* security
 # notification logs! These are just Falco lifecycle (and possibly error) logs.
 log_stderr: true

diff --git a/test/confs/psp.yaml b/test/confs/psp.yaml
@@ -43,6 +43,12 @@ json_output: false
 # (user=root ....") in the json output.
 json_include_output_property: true
 
+# When using json output, whether or not to include the "tags" property
+# itself in the json output. If set to true, outputs caused by rules
+# with no tags will have a "tags" field set to an empty array. If set to
+# false, the "tags" field will not be included in the json output at all.
+json_include_tags_property: true
+
 # Send information logs to stderr and/or syslog Note these are *not* security
 # notification logs! These are just Falco lifecycle (and possibly error) logs.
 log_stderr: true

diff --git a/test/falco_test.py b/test/falco_test.py
@@ -90,6 +90,8 @@ def setUp(self):
         self.json_output = self.params.get('json_output', '*', default=False)
         self.json_include_output_property = self.params.get(
             'json_include_output_property', '*', default=True)
+        self.json_include_tags_property = self.params.get(
+            'json_include_tags_property', '*', default=True)
         self.all_events = self.params.get('all_events', '*', default=False)
         self.priority = self.params.get('priority', '*', default='debug')
         self.rules_file = self.params.get(
@@ -388,10 +390,11 @@ def check_json_output(self, res):
             for line in res.stdout.decode("utf-8").splitlines():
                 if line.startswith('{'):
                     obj = json.loads(line)
+                    attrs = ['time', 'rule', 'priority']
                     if self.json_include_output_property:
-                        attrs = ['time', 'rule', 'priority', 'output']
-                    else:
-                        attrs = ['time', 'rule', 'priority']
+                        attrs.append('output')
+                    if self.json_include_tags_property:
+                        attrs.append('tags')
                     for attr in attrs:
                         if not attr in obj:
                             self.fail(
@@ -614,8 +617,9 @@ def test(self):
                 self.log.debug("Converted Rules: {}".format(psp_rules))
 
         # Run falco
-        cmd = '{} {} {} -c {} {} -o json_output={} -o json_include_output_property={} -o priority={} -v'.format(
-            self.falco_binary_path, self.rules_args, self.disabled_args, self.conf_file, trace_arg, self.json_output, self.json_include_output_property, self.priority)
+        cmd = '{} {} {} -c {} {} -o json_output={} -o json_include_output_property={} -o json_include_tags_property={} -o priority={} -v'.format(
+            self.falco_binary_path, self.rules_args, self.disabled_args, self.conf_file, trace_arg, self.json_output,
+            self.json_include_output_property, self.json_include_tags_property, self.priority)
 
         for tag in self.disable_tags:
             cmd += ' -T {}'.format(tag)

diff --git a/test/falco_tests.yaml b/test/falco_tests.yaml
@@ -1111,6 +1111,25 @@ trace_files: !mux
     trace_file: trace_files/cat_write.scap
     stdout_contains: "^(?!.*Warning An open of /dev/null was seen.*)"
 
+  json_output_no_tags_property:
+    json_output: True
+    json_include_tags_property: False
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/rule_append.yaml
+    trace_file: trace_files/cat_write.scap
+    stdout_contains: "^(?!.*\"tags\":[ ]*\\[.*\\],.*)"
+
+  json_output_empty_tags_property:
+    json_output: True
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/rule_append.yaml
+    trace_file: trace_files/cat_write.scap
+    stdout_contains: "^(.*\"tags\":[ ]*\\[\\],.*)"
+
   in_operator_netmasks:
     detect: True
     detect_level: INFO

diff --git a/userspace/engine/falco_engine.cpp b/userspace/engine/falco_engine.cpp
@@ -177,7 +177,8 @@ void falco_engine::load_rules(const string &rules_content, bool verbose, bool al
 	// json_output to false.
 	bool json_output = false;
 	bool json_include_output_property = false;
-	falco_formats::init(m_inspector, this, m_ls, json_output, json_include_output_property);
+	bool json_include_tags_property = false;
+	falco_formats::init(m_inspector, this, m_ls, json_output, json_include_output_property, json_include_tags_property);
 
 	m_rules->load_rules(rules_content, verbose, all_events, m_extra, m_replace_container_info, m_min_priority, required_engine_version);
 }

diff --git a/userspace/engine/formats.cpp b/userspace/engine/formats.cpp
@@ -24,6 +24,7 @@ sinsp *falco_formats::s_inspector = NULL;
 falco_engine *falco_formats::s_engine = NULL;
 bool falco_formats::s_json_output = false;
 bool falco_formats::s_json_include_output_property = true;
+bool falco_formats::s_json_include_tags_property = true;
 std::unique_ptr<sinsp_evt_formatter_cache> falco_formats::s_formatters = NULL;
 
 const static struct luaL_Reg ll_falco[] =
@@ -36,12 +37,14 @@ void falco_formats::init(sinsp *inspector,
 			 falco_engine *engine,
 			 lua_State *ls,
 			 bool json_output,
-			 bool json_include_output_property)
+			 bool json_include_output_property,
+			 bool json_include_tags_property)
 {
 	s_inspector = inspector;
 	s_engine = engine;
 	s_json_output = json_output;
 	s_json_include_output_property = json_include_output_property;
+	s_json_include_tags_property = json_include_tags_property;
 
 	// todo(leogr): we should have used std::make_unique, but we cannot since it's not C++14
 	s_formatters = std::unique_ptr<sinsp_evt_formatter_cache>(new sinsp_evt_formatter_cache(s_inspector));
@@ -207,11 +210,22 @@ string falco_formats::format_event(const gen_event *evt, const std::string &rule
 			event["output"] = line;
 		}
 
-		for (auto &tag : tags)
+		if(s_json_include_tags_property)
 		{
-			rule_tags[rule_tags_idx++] = tag;
+			if (tags.size() == 0) 
+			{
+				// This sets an empty array
+				rule_tags = Json::arrayValue;
+			}
+			else
+			{
+				for (auto &tag : tags)
+				{
+					rule_tags[rule_tags_idx++] = tag;
+				}
+			}
+			event["tags"] = rule_tags;
 		}
-		event["tags"] = rule_tags;
 
 		full_line = writer.write(event);
 

diff --git a/userspace/engine/formats.h b/userspace/engine/formats.h
@@ -37,7 +37,8 @@ class falco_formats
 			 falco_engine *engine,
 			 lua_State *ls,
 			 bool json_output,
-			 bool json_include_output_property);
+			 bool json_include_output_property,
+			 bool json_include_tags_property);
 
 	// formatter = falco.formatter(format_string)
 	static int lua_formatter(lua_State *ls);
@@ -56,4 +57,5 @@ class falco_formats
 	static std::unique_ptr<sinsp_evt_formatter_cache> s_formatters;
 	static bool s_json_output;
 	static bool s_json_include_output_property;
+	static bool s_json_include_tags_property;
 };
diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp
@@ -71,6 +71,7 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 
 	m_json_output = m_config->get_scalar<bool>("json_output", false);
 	m_json_include_output_property = m_config->get_scalar<bool>("json_include_output_property", true);
+	m_json_include_tags_property = m_config->get_scalar<bool>("json_include_tags_property", true);
 
 	falco::outputs::config file_output;
 	file_output.name = "file";

diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h
@@ -195,6 +195,7 @@ class falco_configuration
 	std::list<std::string> m_rules_filenames;
 	bool m_json_output;
 	bool m_json_include_output_property;
+	bool m_json_include_tags_property;
 	std::string m_log_level;
 	std::vector<falco::outputs::config> m_outputs;
 	uint32_t m_notifications_rate;

diff --git a/userspace/falco/falco.cpp b/userspace/falco/falco.cpp
@@ -1122,6 +1122,7 @@ int falco_init(int argc, char **argv)
 
 		outputs->init(config.m_json_output,
 			config.m_json_include_output_property,
+			config.m_json_include_tags_property,
 			config.m_output_timeout,
 			config.m_notifications_rate, config.m_notifications_max_burst,
 			config.m_buffered_outputs,

diff --git a/userspace/falco/falco_outputs.cpp b/userspace/falco/falco_outputs.cpp
@@ -62,6 +62,7 @@ falco_outputs::~falco_outputs()
 
 void falco_outputs::init(bool json_output,
 		  bool json_include_output_property,
+		  bool json_include_tags_property,
 		  uint32_t timeout,
 		  uint32_t rate, uint32_t max_burst, bool buffered,
 		  bool time_format_iso_8601, std::string hostname)
@@ -79,6 +80,7 @@ void falco_outputs::init(bool json_output,
 	// So we can safely update them.
 	falco_formats::s_json_output = json_output;
 	falco_formats::s_json_include_output_property = json_include_output_property;
+	falco_formats::s_json_include_tags_property = json_include_tags_property;
 
 	m_timeout = std::chrono::milliseconds(timeout);
 

diff --git a/userspace/falco/falco_outputs.h b/userspace/falco/falco_outputs.h
@@ -40,6 +40,7 @@ class falco_outputs
 
 	void init(bool json_output,
 		  bool json_include_output_property,
+		  bool json_include_tags_property,
 		  uint32_t timeout,
 		  uint32_t rate, uint32_t max_burst, bool buffered,
 		  bool time_format_iso_8601, std::string hostname);