
Allow overrides #177

Merged
merged 3 commits into from
Dec 29, 2016

Conversation

mstemm (Contributor)

@mstemm mstemm commented Dec 28, 2016

Allow a subsequent yaml file to override a list, macro, or rule specified in a prior yaml file.

This fixes #176.

Add the ability to clear the set of loaded rules from lua. It simply
recreates the sinsp_evttype_filter instance m_evttype_filter, which is
now a unique_ptr.

Allow any list/macro/rule to be overridden by a subsequent file. The
persistent state that lives across invocations of load_rules is the 3
arrays ordered_{list,macro,rule}_names, which have the
lists/macros/rules in the order in which they first appear, and the tables
{rules,macros,lists}_by_name, which map from a name to a yaml object.

With each call to load_rules, the set of loaded rules is reset and the
state of expanded lists, compiled macros, compiled rules, and rule
metadata is recreated from scratch, using the ordered_*_names arrays
and *_by_name tables. That way, any list/macro/rule can be redefined in
a subsequent file with new values.

New tests that test every possible override:

 - Overriding a rule with one that doesn't match
 - Overriding a macro to one that doesn't match
 - Overriding a top level list to a binary that doesn't match
 - Overriding an embedded list to one that doesn't match

In each case, the override results in no longer matching an open by the
program "cat".
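The override mechanism the description lays out (first-appearance order arrays plus name-to-definition tables, with expanded lists and compiled rules rebuilt on every load_rules call), as an added Python model that is not falco's own Lua loader. The rules documents, the list/macro/rule names and the token-substitution style of expansion are constructed assumptions; run_demo walks the four override cases from the test list above and returns the compiled rule after each load.

```python
import re

class RuleLoader:
    """Constructed model of the PR's loader state: only name order and name ->
    definition tables persist; everything else is rebuilt on each load_rules()."""

    def __init__(self):
        # persistent state, mirroring ordered_{list,macro,rule}_names and {..}_by_name
        self.ordered_names = {k: [] for k in ("list", "macro", "rule")}
        self.by_name = {k: {} for k in ("list", "macro", "rule")}

    @staticmethod
    def _expand(cond, lists, macros):
        def sub(m):  # assumed expansion: macro names become "(body)", list names become items
            tok = m.group()
            return "(%s)" % macros[tok] if tok in macros else ", ".join(lists.get(tok, [tok]))
        return re.sub(r"[A-Za-z_]\w*", sub, cond)

    def load_rules(self, doc):
        """doc is a parsed YAML rules file: one dict per list/macro/rule entry."""
        for it in doc:
            kind = next(k for k in ("list", "macro", "rule") if k in it)
            if it[kind] not in self.by_name[kind]:        # first appearance fixes the order...
                self.ordered_names[kind].append(it[kind])
            self.by_name[kind][it[kind]] = it.get("items", it.get("condition"))  # ...later file wins
        # Reset and recompile from scratch so that overridden definitions take effect.
        lists, macros = {}, {}
        for n in self.ordered_names["list"]:           # an item naming an earlier list embeds it
            lists[n] = [v for i in self.by_name["list"][n] for v in lists.get(i, [i])]
        for n in self.ordered_names["macro"]:
            macros[n] = self._expand(self.by_name["macro"][n], lists, macros)
        self.compiled_rules = {n: self._expand(self.by_name["rule"][n], lists, macros)
                               for n in self.ordered_names["rule"]}
        return self.compiled_rules

BASE = [{"list": "cat_binaries", "items": ["cat"]},                      # constructed base file
        {"list": "all_binaries", "items": ["bash", "cat_binaries"]},     # embeds cat_binaries
        {"macro": "open_read", "condition": "evt.type=open and evt.is_open_read=true"},
        {"rule": "open_by_cat", "condition": "open_read and proc.name in (all_binaries)"}]

def run_demo():
    """Apply each override kind from the PR's test list; return the compiled rule after each."""
    loader, out = RuleLoader(), []
    for doc in (BASE, [{"list": "cat_binaries", "items": ["not_cat"]}],   # embedded list
                [{"list": "all_binaries", "items": ["bash"]}],           # top level list
                [{"macro": "open_read", "condition": "evt.type=close"}],  # macro
                [{"rule": "open_by_cat", "condition": "proc.name=never"}]):  # rule
        out.append(loader.load_rules(doc)["open_by_cat"])
    return out
```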
@mstemm mstemm merged commit 9ecdf30 into dev Dec 29, 2016
@mstemm mstemm deleted the allow-overrides branch December 29, 2016 21:32
mstemm added a commit that referenced this pull request Dec 30, 2016
Add cchh/sysdig as a trusted container. We'll probably remove this once
the next agent release occurs that has the fix
#177.
mstemm added a commit that referenced this pull request Dec 30, 2016
Add cchh/sysdig as a trusted container. We'll probably remove this once
the next agent release occurs that has the fix
#177.

Also switch to using pmatch (parallel prefix search) to make the rule
cleaner and faster.
mstemm added a commit that referenced this pull request Dec 30, 2016
Add cchh/sysdig as a trusted container. We'll probably remove this once
the next agent release occurs that has the fix
#177.

Also reformat to avoid long lines.
mstemm added a commit that referenced this pull request Jan 27, 2017
We had added this image while the changes in
#177 made it to everyone. This is in
a release now, so we'll remove it from the rule set.
@mstemm mstemm mentioned this pull request Jan 27, 2017
leogr pushed a commit to falcosecurity/rules that referenced this pull request Dec 21, 2022
Add cchh/sysdig as a trusted container. We'll probably remove this once
the next agent release occurs that has the fix
falcosecurity/falco#177.

Also reformat to avoid long lines.
leogr pushed a commit to falcosecurity/rules that referenced this pull request Dec 21, 2022
We had added this image while the changes in
falcosecurity/falco#177 made it to everyone. This is in
a release now, so we'll remove it from the rule set.
Successfully merging this pull request may close these issues.

Additional falco rules files should be able to override any macro/list/rule