New transformer: basename()

[leogr]

Motivation

The basename() transformer will make it easier for rule authors to write concise and effective rules, particularly for fields returning a full path by extracting the base name from a field returning a full path.

Note that this is particularly useful in conjunction with proc.exepath which provides the resolved symlink path eventually, since proc.exe can't provide the resolved path because it, by convention, equals to argv[0].

Feature

Introduce the basename(<path>) transformer that works similarly to the basename util.

This transformer returns the base name of a given <path> (i.e. a string) as an argument.

Alternatives

No compelling alternatives. For the record, some discarded solutions:

1. changing proc.exe (breaking change + inconsistency)
   • See https://github.com/falcosecurity/libs/pull/1779/files
2. adding new fields (eg. proc.exepath.basename) comes with too many cons:
   • redundant with fields modifiers (ie. basename())
   • would require similar fields for proc.pexepath and proc.aexepath, increasing complexity
   • the solution is not reusable

Additional context

cc @darryk10 @loresuso

[loresuso]

I fully support this feature request!

Just the first thing that comes to mind, introducing basename would also probably conflict with fd.filename, that is basename(fd.name) would be totally the same thing as fd.filename. We would probably need a deprecation plan for that field or other similar ones if any.

[leogr]

fd.filename. We would probably need a deprecation plan for that field or other similar ones if any.

Totally 👍

[LucaGuerra]

/assign