Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update(engine): modify append_output format #3322

Merged
merged 4 commits into from
Sep 13, 2024
Merged

update(engine): modify append_output format #3322

merged 4 commits into from
Sep 13, 2024

Conversation

LucaGuerra
Copy link
Contributor

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area engine

What this PR does / why we need it:

Having discussed this feature with @leogr and @Issif we came to the conclusion that it could be better to modify the format of append_output to something like this example:

append_output:
  - match:
      source: syscall
      tags: 
        - bar
        - foo
      rule: rule A
    extra_output: "gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4]"
    extra_fields:
      - ka.verb
      - home_directory: "${HOME}"
      - my_field: "this is event number %evt.num"

tags, source, rule are ANDed together and also when multiple tags are specified those are all ANDed together as well.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

@poiana poiana requested review from incertum and Kaizhe September 12, 2024 15:03
@poiana poiana added the size/L label Sep 12, 2024
@github-actions GitHub Actions
Copy link

This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.

Please double check userspace/engine/falco_engine_version.h file. See versioning for FALCO_ENGINE_VERSION.

/hold

leogr
leogr previously approved these changes Sep 12, 2024
View reviewed changes
@poiana poiana added the lgtm label Sep 12, 2024
@poiana
Copy link
Contributor

poiana commented Sep 12, 2024

LGTM label has been added.

Git tree hash: b99934e0070d45b144746852aa90bea53118a345

@FedeDP
Copy link
Contributor

FedeDP commented Sep 13, 2024

/milestone 0.39.0

@poiana poiana added this to the 0.39.0 milestone Sep 13, 2024
FedeDP
FedeDP reviewed Sep 13, 2024
View reviewed changes
userspace/engine/rule_loader_compiler.cpp Outdated
@@ -501,9 +502,18 @@ void rule_loader::compiler::compile_rule_infos(
continue;
}

if (extra.m_tag != "" && r.tags.count(extra.m_tag) == 0)
if (extra.m_tags.size() != 0)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Exctract an helper method since the same check is also used below?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed by using a single function instead.

@FedeDP
Copy link
Contributor

FedeDP commented Sep 13, 2024

I think we need to update configuration.cpp json schema too!
/hold

@LucaGuerra
Copy link
Contributor Author

@FedeDP damn I forgot 🤣 , will fix. thanks

@leogr
Copy link
Member

leogr commented Sep 13, 2024

I think we need to update configuration.cpp json schema too! /hold

Good catch!

side topic: it would be nice to introduce some automatic check

@FedeDP
Copy link
Contributor

FedeDP commented Sep 13, 2024

side topic: it would be nice to introduce some automatic check

There is an automatic check that loads the falco.yaml from the CMAKE_CURRENT_SOURCE_DIR; but in this case, the new option is not present by default in the Falco yaml thus the test passes fine.

@LucaGuerra LucaGuerra force-pushed the update/append_output-format branch from 91413c8 to 02308b3 Compare September 13, 2024 11:26
@poiana poiana removed the lgtm label Sep 13, 2024
@poiana poiana requested a review from leogr September 13, 2024 11:26
@LucaGuerra LucaGuerra force-pushed the update/append_output-format branch from 6c02aad to 957bb62 Compare September 13, 2024 13:29
@poiana poiana added the lgtm label Sep 13, 2024
@poiana
Copy link
Contributor

poiana commented Sep 13, 2024

LGTM label has been added.

Git tree hash: bbfa0e0fffbcc70350dbb99b7dd9aa25d4774125

FedeDP
FedeDP approved these changes Sep 13, 2024
View reviewed changes
Copy link
Contributor

@FedeDP FedeDP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@poiana
Copy link
Contributor

poiana commented Sep 13, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: FedeDP, LucaGuerra

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@FedeDP
Copy link
Contributor

FedeDP commented Sep 13, 2024

/unhold

@poiana poiana merged commit cd0d607 into falcosecurity:master Sep 13, 2024
35 of 36 checks passed
@LucaGuerra LucaGuerra deleted the update/append_output-format branch September 13, 2024 15:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@FedeDP FedeDP FedeDP approved these changes

@leogr leogr leogr approved these changes

@incertum incertum Awaiting requested review from incertum

@Kaizhe Kaizhe Awaiting requested review from Kaizhe

Assignees

@leogr leogr

@FedeDP FedeDP

Labels
approved area/engine dco-signoff: yes kind/feature lgtm release-note-none size/L
Projects
Falco Roadmap
Status: Done
Milestone
0.39.0
Development

Successfully merging this pull request may close these issues.
4 participants
@LucaGuerra @poiana @FedeDP @leogr