-
Notifications
You must be signed in to change notification settings - Fork 168
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
new(libsinsp): add concatenated process lineage filter fields + sinsp_filter_check_thread helpers cleanup #1625
base: master
Are you sure you want to change the base?
Conversation
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: incertum The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
7dd75f2
to
ec010c9
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I proposed some code cleanups. This is not an issue of this PR of course but since we are not in a rush we can maybe find a way to reduce code duplication
Yeah I had similar thoughts that we are getting to a point where there is lots of code duplication in this regard (not limited to the type of fields touched in this PR). I'll check what makes sense to clean up in this PR! |
ec010c9
to
df1a23a
Compare
@Andreagit97 added 3 cleanup commits on top, performing significant consolidation w/ new helpers, beyond the initial request. WDYT and do you have additional ideas? |
@incertum |
…splay fields * Less loops and more efficient if you want to export all process ancestors up to a certain level anyways * More convenient and intuitive display of information -> security analysts prefer an output like this /bin/java->/bin/bash->/bin/python->/bin/bash to quickly understand the process origins * Enhanced threat detection capabilities -> can string match exact lineage / sequence * Needed in the planned anomaly detection framework Signed-off-by: Melissa Kilby <[email protected]>
Signed-off-by: Melissa Kilby <[email protected]>
Signed-off-by: Melissa Kilby <[email protected]>
Signed-off-by: Melissa Kilby <[email protected]>
df1a23a
to
8a35134
Compare
It seems that while simply rebasing worked, there are updates needed because a few things changed I suspect ... will look into it soon. |
Considering what we have today for the Today we have:
A possible solution could be
Where:
Moreover, we need to implement other operators on the list, like In this way, we can uniform our filter checks and solve the issues we have highlighted in this PR with |
👍 |
This would break the existing use of
Frankly I think the current variants are actually pretty clear, I don't see direct benefits of changing the naming. If you don't mind me asking, what are the benefits? It could also backfire and be less user friendly? WDYT?
Forgive me, I still don't understand the issues with
I believe it comes down to the algorithm. Many rules search in
This also opens up new searches as we could now search for sublists where the executable path, for example, ended with a string ... something the string representation cannot truly handle the way we would want to. In summary: Understanding that the filterchecks are the core of effectively using Falco, I rather would like to expose too many variants and empower end users. Comparatively they have been much easier to maintain. Historically we have had many many more issues in our parsers. Let's support:
|
According to its description in sinsp
This behavior should be covered by the new
I just think that these filter checks are doing almost the same thing in the end, they are accessing a single ancestor in the lineage. Providing users with just one method for doing it, is more intuitive IMO. Of course, this is just my idea let's see what other thinks. Moreover having just one unique method will simplify our lives and will help us keep the code "bug-free". BTW yes this would be a long-term plan,
Uhm this is not an issue, I used the wrong word sorry, it's just a matter of what Jason well explained here #1625 (comment). Why do we need to support a new string representation of the lineage with Let's consider again the new proposed filter check Moreover, as a side note, these days we are working on the possibility of comparing 2 filter checks so |
Hey folks, It looks like we have a lot of ideas here, but we haven't reached a consensus, so I will try to summarize the discussion, collect feedback, and come back with a design proposal. /assign |
SGTM Leo. |
Also depending on the proposal we may end up using this PR just for some sinsp_filter_check_thread helpers cleanup and create a new one for the new fields? We will see, whichever makes the most sense. |
Proposal [1/2]: introducing
|
SGTM, only suggestion would be to perhaps follow existing more specific naming conventions, for instance:
|
Option A is acceptable for me as an extension of my proposal. |
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
/remove-lifecycle stale |
This PR is too mixed with cleanups and new features. Will split this off into 2 PRs in the new dev cycle.
/milestone 0.19.0 |
Hey! I wanted to add something to this discussion.
we might be able to navigate the Just an idea that we might want to take into account when we design this better! |
/milestone 0.20.0 |
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area libsinsp
Does this PR require a change in the driver versions?
What this PR does / why we need it:
Note: I don't think we need this for the other proc.a* fields aka only for the process names, exe, and exepaths ...
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: