From 5e5e04e674db43fd1d102c55bbcd555f52909df0 Mon Sep 17 00:00:00 2001
From: Leonardo Di Giovanna
Date: Fri, 20 Sep 2024 16:47:58 +0200
Subject: [PATCH 1/4] fix(falco_metrics)!: split tags label into multiple tag_ labels
Signed-off-by: Leonardo Di Giovanna
---
 userspace/falco/falco_metrics.cpp | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/userspace/falco/falco_metrics.cpp b/userspace/falco/falco_metrics.cpp
index 162423878a9..4b02be21baf 100644
--- a/userspace/falco/falco_metrics.cpp
+++ b/userspace/falco/falco_metrics.cpp
@@ -218,10 +218,10 @@ std::string falco_metrics::to_text(const falco::app::state& state)
 /* Examples ...
 # HELP falcosecurity_falco_rules_matches_total https://falco.org/docs/metrics/
 # TYPE falcosecurity_falco_rules_matches_total counter
- falcosecurity_falco_rules_matches_total{priority="4",rule_name="Read sensitive file untrusted",source="syscall",tags="T1555, container, filesystem, host, maturity_stable, mitre_credential_access"} 10
+ falcosecurity_falco_rules_matches_total{priority="4",rule_name="Read sensitive file untrusted",source="syscall",tag_T1555="true",tag_container="true",tag_filesystem="true",tag_host="true",tag_maturity_stable="true",tag_mitre_credential_access="true"} 10
 # HELP falcosecurity_falco_rules_matches_total https://falco.org/docs/metrics/
 # TYPE falcosecurity_falco_rules_matches_total counter
- falcosecurity_falco_rules_matches_total{priority="5",rule_name="Unexpected UDP Traffic",source="syscall",tags="TA0011, container, host, maturity_incubating, mitre_exfiltration, network"} 1
+ falcosecurity_falco_rules_matches_total{priority="5",rule_name="Unexpected UDP Traffic",source="syscall",tag_TA0011="true",tag_container="true",tag_host="true",tag_maturity_incubating="true",tag_mitre_exfiltration="true",tag_network="true"} 1
 */
 auto metric = libs::metrics::libsinsp_metrics::new_metric("rules_matches", METRICS_V2_RULE_COUNTERS,
@@ -230,12 +230,14 @@ std::string falco_metrics::to_text(const falco::app::state& state)
 METRIC_VALUE_METRIC_TYPE_MONOTONIC,
 rules_by_id[i]->load());
 prometheus_metrics_converter.convert_metric_to_unit_convention(metric);
- const std::map& const_labels = {
+ std::map const_labels = {
 {"rule_name", rule->name},
 {"priority", std::to_string(rule->priority)},
 {"source", rule->source},
- {"tags", concat_set_in_order(rule->tags)}
 };
+ std::for_each(rule->tags.cbegin(), rule->tags.cend(), [&const_labels](std::string const& tag) {
+ const_labels.emplace(std::string{"tag_"} + tag, "true");
+ });
 prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(metric, "falcosecurity", "falco", const_labels);
 }
 }
From 7e07643a073adb48b825a20e9631ba4dc60263fe Mon Sep 17 00:00:00 2001
From: Leonardo Di Giovanna
Date: Fri, 20 Sep 2024 16:51:16 +0200
Subject: [PATCH 2/4] fix(falco_metrics)!: use full name for configs and rules files
Signed-off-by: Leonardo Di Giovanna
---
 userspace/falco/falco_metrics.cpp | 4 ++--
 userspace/falco/stats_writer.cpp | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/userspace/falco/falco_metrics.cpp b/userspace/falco/falco_metrics.cpp
index 4b02be21baf..7ff703643d1 100644
--- a/userspace/falco/falco_metrics.cpp
+++ b/userspace/falco/falco_metrics.cpp
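Review bot: The new `for_each` body builds a Prometheus label name from `tag` verbatim, yet tags come from rules files and label names must match `[a-zA-Z_][a-zA-Z0-9_]*`, so a tag containing `-`, `.` or a space would produce a line that scrapers reject for the whole exposition — unless `convert_metric_to_text_prometheus` sanitizes label keys, which is not visible here. The removed `concat_set_in_order` put tags into a label value, where any character is legal once escaped, so this is a new path from rules-file input into the label-name position. Consider normalizing the tag before prefixing (`stats_writer.cpp` applies `falco::utils::sanitize_rule_name` to its output-field keys; whether its output fits the label charset needs checking), keeping in mind that PATCH 4/4 drops the `falco_utils.h` include such a call would need. A range-for also reads more directly than `std::for_each` with a capturing lambda: `for (const std::string& tag : rule->tags) { const_labels.emplace("tag_" + tag, "true"); }`. The enclosing loop and `to_text` continue outside the hunk.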
@@ -102,13 +102,13 @@ std::string falco_metrics::to_text(const falco::app::state& state)
 for (const auto& item : state.config.get()->m_loaded_rules_filenames_sha256sum)
 {
 fs::path fs_path = item.first;
- prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus("sha256_rules_files", "falcosecurity", "falco", {{"file_name", fs_path.filename().stem()}, {"sha256", item.second}});
+ prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus("sha256_rules_files", "falcosecurity", "falco", {{"file_name", fs_path.filename()}, {"sha256", item.second}});
 }
 for (const auto& item : state.config.get()->m_loaded_configs_filenames_sha256sum)
 {
 fs::path fs_path = item.first;
- prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus("sha256_config_files", "falcosecurity", "falco", {{"file_name", fs_path.filename().stem()}, {"sha256", item.second}});
+ prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus("sha256_config_files", "falcosecurity", "falco", {{"file_name", fs_path.filename()}, {"sha256", item.second}});
 }
 static std::string ifinfo_json_escaped;
diff --git a/userspace/falco/stats_writer.cpp b/userspace/falco/stats_writer.cpp
index 7e2a6303ed1..851f46eadb2 100644
--- a/userspace/falco/stats_writer.cpp
+++ b/userspace/falco/stats_writer.cpp
@@ -345,7 +345,7 @@ void stats_writer::collector::get_metrics_output_fields_wrapper(
 for (const auto& item : m_writer->m_config->m_loaded_rules_filenames_sha256sum)
 {
 fs::path fs_path = item.first;
- std::string metric_name_file_sha256 = fs_path.filename().stem();
+ std::string metric_name_file_sha256 = fs_path.filename();
 metric_name_file_sha256 = "falco.sha256_rules_file." + falco::utils::sanitize_rule_name(metric_name_file_sha256);
 output_fields[metric_name_file_sha256] = item.second;
 }
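Review bot: `fs_path.filename()` now keeps the extension but still drops the directory, so two loaded files with the same basename from different rules or config directories produce identical `file_name` labels and are told apart only by `sha256`. The same key is built in the `stats_writer.cpp` hunks at `-345` and `-353`, where `output_fields[metric_name_file_sha256] = item.second;` on the following context line silently overwrites the first file's hash, so one of the two files vanishes from the stats output — a gap for anyone using these hashes to verify which rules and config files are actually in effect. Either key on the full path (`fs_path.string()`, sanitized the same way) or, if basename-only is intended, say so next to the label: `// basename only: same-named files from different directories share this label and differ only in sha256`. `filename()` returns a `fs::path` that converts to `std::string` implicitly on POSIX; an explicit `.string()` would make that conversion visible. `to_text` and `get_metrics_output_fields_wrapper` continue outside their hunks.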
@@ -353,7 +353,7 @@ void stats_writer::collector::get_metrics_output_fields_wrapper(
 for (const auto& item : m_writer->m_config->m_loaded_configs_filenames_sha256sum)
 {
 fs::path fs_path = item.first;
- std::string metric_name_file_sha256 = fs_path.filename().stem();
+ std::string metric_name_file_sha256 = fs_path.filename();
 metric_name_file_sha256 = "falco.sha256_config_file." + falco::utils::sanitize_rule_name(metric_name_file_sha256);
 output_fields[metric_name_file_sha256] = item.second;
 }
From 90a5fd6bcb5248c8932ef16c92e16ab42adcb471 Mon Sep 17 00:00:00 2001
From: Leonardo Di Giovanna
Date: Mon, 23 Sep 2024 12:33:20 +0200
Subject: [PATCH 3/4] fix(falco_metrics): remove ifinfo_json stat/metric
Using JSON as value prevents any meaningful aggregation for the stats. Splitting these information into multiple labels can drastically increase the number of dimensions, as the number of interfaces and addresses can be high in some environment. Moreover, these information are not currently refreshed, even if they can frequently change. Given these reasons, remove ifinfo_json from stats and metrics.
Signed-off-by: Leonardo Di Giovanna
---
 userspace/falco/falco_metrics.cpp | 33 -------------------------------
 userspace/falco/stats_writer.cpp | 33 -------------------------------
 userspace/falco/stats_writer.h | 1 -
 3 files changed, 67 deletions(-)
diff --git a/userspace/falco/falco_metrics.cpp b/userspace/falco/falco_metrics.cpp
index 7ff703643d1..a053de06d11 100644
--- a/userspace/falco/falco_metrics.cpp
+++ b/userspace/falco/falco_metrics.cpp
@@ -111,39 +111,6 @@ std::string falco_metrics::to_text(const falco::app::state& state)
 prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus("sha256_config_files", "falcosecurity", "falco", {{"file_name", fs_path.filename()}, {"sha256", item.second}});
 }
- static std::string ifinfo_json_escaped;
- auto ipv4list = inspector->get_ifaddr_list().get_ipv4_list();
- auto ipv6list = inspector->get_ifaddr_list().get_ipv6_list();
- nlohmann::json ipv4_json;
- nlohmann::json ipv6_json;
- if(ipv4list)
- {
- for (const auto& item : *ipv4list)
- {
- if(item.m_name == "lo")
- {
- continue;
- }
- ipv4_json[item.m_name] = item.addr_to_string();
- }
- }
-
- if(ipv6list)
- {
- for (const auto& item : *ipv6list)
- {
- if(item.m_name == "lo")
- {
- continue;
- }
- ipv6_json[item.m_name] = item.addr_to_string();
- }
- }
- nlohmann::json ifinfo_json;
- ifinfo_json["ipv4"] = ipv4_json;
- ifinfo_json["ipv6"] = ipv6_json;
- ifinfo_json_escaped = ifinfo_json.dump();
- prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus("host_ifinfo_json", "falcosecurity", "falco", {{"host_ifinfo_json", ifinfo_json_escaped}});
 #endif
 for (const std::string& source: inspector->event_sources())
diff --git a/userspace/falco/stats_writer.cpp b/userspace/falco/stats_writer.cpp
index 851f46eadb2..fac1b76843c 100644
--- a/userspace/falco/stats_writer.cpp
+++ b/userspace/falco/stats_writer.cpp
@@ -358,39 +358,6 @@ void stats_writer::collector::get_metrics_output_fields_wrapper(
 output_fields[metric_name_file_sha256] = item.second;
 }
- auto ipv4list = inspector->get_ifaddr_list().get_ipv4_list();
- auto ipv6list = inspector->get_ifaddr_list().get_ipv6_list();
- nlohmann::json ipv4_json;
- nlohmann::json ipv6_json;
- if(ipv4list)
- {
- for (const auto& item : *ipv4list)
- {
- if(item.m_name == "lo")
- {
- continue;
- }
- ipv4_json[item.m_name] = item.addr_to_string();
- }
- }
-
- if(ipv6list)
- {
- for (const auto& item : *ipv6list)
- {
- if(item.m_name == "lo")
- {
- continue;
- }
- ipv6_json[item.m_name] = item.addr_to_string();
- }
- }
- nlohmann::json ifinfo_json;
- ifinfo_json["ipv4"] = ipv4_json;
- ifinfo_json["ipv6"] = ipv6_json;
- m_ifinfo_json_escaped = ifinfo_json.dump();
- output_fields["falco.host_ifinfo_json"] = m_ifinfo_json_escaped;
-
 #endif
 output_fields["evt.source"] = src;
 for (size_t i = 0; i < sizeof(all_driver_engines) / sizeof(const char*); i++)
diff --git a/userspace/falco/stats_writer.h b/userspace/falco/stats_writer.h
index f85f509bb04..b25ed4dd609 100644
--- a/userspace/falco/stats_writer.h
+++ b/userspace/falco/stats_writer.h
@@ -80,7 +80,6 @@ class stats_writer
 uint64_t m_last_n_evts = 0;
 uint64_t m_last_n_drops = 0;
 uint64_t m_last_num_evts = 0;
- std::string m_ifinfo_json_escaped;
 };
 stats_writer(const stats_writer&) = delete;
From d6fe0d95163b622192fdedf0695e28ce464f75ca Mon Sep 17 00:00:00 2001
From: Leonardo Di Giovanna
Date: Mon, 23 Sep 2024 13:03:04 +0200
Subject: [PATCH 4/4] cleanup(falco_metrics): remove unused falco_utils import
Signed-off-by: Leonardo Di Giovanna
---
 userspace/falco/falco_metrics.cpp | 2 --
 1 file changed, 2 deletions(-)
diff --git a/userspace/falco/falco_metrics.cpp b/userspace/falco/falco_metrics.cpp
index a053de06d11..f9362bc242c 100644
--- a/userspace/falco/falco_metrics.cpp
+++ b/userspace/falco/falco_metrics.cpp
@@ -19,8 +19,6 @@ limitations under the License.
 #include "falco_metrics.h"
-#include "falco_utils.h"
-
 #include "app/state.h"
 #include