falco

package
v0.0.0-...-4c71962 (latest)
Published: Apr 29, 2024 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Constants

const (
	// DefaultMaxDuration is the default max duration of a Falco run
	DefaultMaxDuration = time.Second * 180
	//
	// DefaultExecutable is the default path of the Falco executable
	DefaultExecutable = "/usr/bin/falco"
	//
	// DefaultConfigFile is the default path of the Falco config file
	DefaultConfigFile = "/etc/falco/falco.yaml"
)

Variables

var (
	// PrivilegedDockerBinds is the set of Docker binds required by Falco
	// when running as a Docker privileged container
	PrivilegedDockerBinds = []string{
		"/dev:/host/dev",
		"/proc:/host/proc:ro",
		"/var/run/docker.sock:/host/var/run/docker.sock",
	}
	FalcoConfig = DefaultConfigFile
)

Functions

func NewPluginConfig

func NewPluginConfig(configName string, plugins ...*PluginConfigInfo) (run.FileAccessor, error)

NewPluginConfig helps create valid Falco configuration files (i.e. falco.yaml) that load one or more plugins.

Types

type Alert

type Alert struct {
	Time         time.Time              `json:"time"`
	Rule         string                 `json:"rule"`
	Output       string                 `json:"output"`
	Priority     string                 `json:"priority"`
	Source       string                 `json:"source"`
	Hostname     string                 `json:"hostname"`
	Tags         []string               `json:"tags"`
	OutputFields map[string]interface{} `json:"output_fields"`
}

Alert represents an alert produced by a Falco rule.

type Detections

type Detections []*Alert

Detections represents a list of Falco alerts.

func (Detections) Count

func (d Detections) Count() int

Count returns the amount of alerts in the list of detections.

func (Detections) OfPriority

func (d Detections) OfPriority(p string) Detections

OfPriority returns the list of detections that have a given priority.

func (Detections) OfRule

func (d Detections) OfRule(v interface{}) Detections

OfRule returns the list of detections that have a given rule name. The rule name can either be a string or a *regexp.Regexp.
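The following is an added, stand-alone Go illustration, not code from the page or from the falcosecurity/testing package, of what Detections() and OfRule do in practice: parse Falco's line-delimited JSON alerts from stdout into Alert values and filter them by exact rule name or by *regexp.Regexp. Type and field names are borrowed from the page; SampleStdout is constructed, and skipping non-JSON lines is an assumption about the parsing, not the package's documented behaviour.

```go
package main

import (
	"encoding/json"
	"regexp"
	"strings"
)

// Alert mirrors the JSON object Falco prints per line with JSON output on (subset of the page's fields).
type Alert struct {
	Rule     string `json:"rule"`
	Priority string `json:"priority"`
}
type Detections []*Alert

// SampleStdout is constructed data, not real Falco output: two alerts plus one non-JSON line.
const SampleStdout = `{"priority":"Notice","rule":"Terminal shell in container","output":"shell spawned"}
this line is not JSON and must be skipped
{"priority":"Warning","rule":"Read sensitive file untrusted","output":"/etc/shadow opened"}`

// ParseDetections decodes newline-delimited JSON alerts, skipping anything
// that is not a well-formed alert so a stray log line cannot break the parse.
func ParseDetections(stdout string) Detections {
	var d Detections
	for _, line := range strings.Split(stdout, "\n") {
		var a Alert
		if err := json.Unmarshal([]byte(line), &a); err != nil || a.Rule == "" {
			continue
		}
		d = append(d, &a)
	}
	return d
}

// OfRule mirrors the package's helper: an exact rule name (string) or a
// *regexp.Regexp; any other type matches nothing rather than panicking.
func (d Detections) OfRule(v interface{}) Detections {
	match := func(string) bool { return false }
	switch m := v.(type) {
	case string:
		match = func(r string) bool { return r == m }
	case *regexp.Regexp:
		match = m.MatchString
	}
	var out Detections
	for _, a := range d {
		if match(a.Rule) {
			out = append(out, a)
		}
	}
	return out
}
```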

type ListDescription

type ListDescription struct {
	Details ListDetailsDescription `json:"details"`
	Info    ListInfoDescription    `json:"info"`
}

type ListDetailsDescription

type ListDetailsDescription struct {
	ItemsCompiled []string `json:"items_compiled"`
	Lists         []string `json:"lists"`
	Plugins       []string `json:"plugins"`
	Used          bool     `json:"used"`
}

type ListInfoDescription

type ListInfoDescription struct {
	Items []string `json:"items"`
	Name  string   `json:"name"`
}

type MacroDescription

type MacroDescription struct {
	Details MacroDetailsDescription `json:"details"`
	Info    MacroInfoDescription    `json:"info"`
}

type MacroDetailsDescription

type MacroDetailsDescription struct {
	ConditionCompiled  string   `json:"condition_compiled"`
	ConditionFields    []string `json:"condition_fields"`
	ConditionOperators []string `json:"condition_operators"`
	Events             []string `json:"events"`
	Lists              []string `json:"lists"`
	Macros             []string `json:"macros"`
	Plugins            []string `json:"plugins"`
	Used               bool     `json:"used"`
}

type MacroInfoDescription

type MacroInfoDescription struct {
	Condition string `json:"condition"`
	Name      string `json:"name"`
}

type PluginConfigInfo

type PluginConfigInfo struct {
	Name       string
	Library    string
	OpenParams string
	InitConfig interface{}
}

PluginConfigInfo represents the info about a single plugin in a Falco configuration file (i.e. falco.yaml). InitConfig can be either a string or a json-serializable object.

type PluginVersionRequirement

type PluginVersionRequirement struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

type PluginVersionRequirementDescription

type PluginVersionRequirementDescription struct {
	Alternatives []PluginVersionRequirement `json:"alternatives"`
	PluginVersionRequirement
}

type RuleDescription

type RuleDescription struct {
	Details RuleDetailsDescription `json:"details"`
	Info    RuleInfoDescription    `json:"info"`
}

type RuleDetailsDescription

type RuleDetailsDescription struct {
	ConditionCompiled  string   `json:"condition_compiled"`
	ConditionFields    []string `json:"condition_fields"`
	ConditionOperators []string `json:"condition_operators"`
	Events             []string `json:"events"`
	ExceptionFields    []string `json:"exception_fields"`
	ExceptionNames     []string `json:"exception_names"`
	ExceptionOperators []string `json:"exception_operators"`
	Lists              []string `json:"lists"`
	Macros             []string `json:"macros"`
	OutputCompiled     string   `json:"output_compiled"`
	OutputFields       []string `json:"output_fields"`
	Plugins            []string `json:"plugins"`
}

type RuleInfoDescription

type RuleInfoDescription struct {
	Condition   string   `json:"condition"`
	Description string   `json:"description"`
	Enabled     bool     `json:"enabled"`
	Name        string   `json:"name"`
	Output      string   `json:"output"`
	Priority    string   `json:"priority"`
	Source      string   `json:"source"`
	Tags        []string `json:"tags"`
}

type RuleValidation

type RuleValidation struct {
	Results []*RuleValidationResult `json:"falco_load_results"`
}

RuleValidation represents a list of validation results of Falco rules files.

func (*RuleValidation) AllErrors

func (r *RuleValidation) AllErrors() RuleValidationInfos

AllErrors returns the merged list of errors from all the validated Falco rules files.

func (RuleValidation) AllWarnings

func (r RuleValidation) AllWarnings() RuleValidationInfos

AllWarnings returns the merged list of warnings from all the validated Falco rules files.

func (RuleValidation) At

At returns the validation result at the given index in the set. Returns an empty validation result if the index is out of bounds. todo(jasondellaluce): should we panic/fatal in this case?

type RuleValidationInfo

type RuleValidationInfo struct {
	Code     string `json:"code"`
	Codedesc string `json:"codedesc"`
	Message  string `json:"message"`
	Context  struct {
		Locations []struct {
			ItemName string `json:"item_name"`
			ItemType string `json:"item_type"`
			Position struct {
				Line   int    `json:"line"`
				Column int    `json:"column"`
				Offset int    `json:"offset"`
				Name   string `json:"name"`
			} `json:"position"`
		} `json:"locations"`
	} `json:"context"`
}

RuleValidationInfo represents a single error or warning resulting from the validation of a Falco rules file.

type RuleValidationInfos

type RuleValidationInfos []*RuleValidationInfo

RuleValidationInfos represents a group of errors or warnings resulting from the validation of a Falco rules file.

func (RuleValidationInfos) Count

func (d RuleValidationInfos) Count() int

Count returns the amount of validation infos in the list.

func (RuleValidationInfos) OfCode

OfCode returns the validation info entries with the given code.

func (RuleValidationInfos) OfItemName

OfItemName returns the validation info entries with the given item name.

func (RuleValidationInfos) OfItemType

OfItemType returns the validation info entries with the given item type.

func (RuleValidationInfos) OfMessage

func (d RuleValidationInfos) OfMessage(v interface{}) RuleValidationInfos

OfMessage returns the validation info entries with the given message. The message can either be a string or a *regexp.Regexp.

type RuleValidationResult

type RuleValidationResult struct {
	Successful bool                `json:"successful"`
	Name       string              `json:"name"`
	Errors     RuleValidationInfos `json:"errors"`
	Warnings   RuleValidationInfos `json:"warnings"`
}

RuleValidationResult represents the validation result of a Falco rules file.

type RulesetDescription

type RulesetDescription struct {
	RequiredEngineVersion  string                                `json:"required_engine_version"`
	RequiredPluginVersions []PluginVersionRequirementDescription `json:"required_plugin_versions"`
	Lists                  []ListDescription                     `json:"lists"`
	Macros                 []MacroDescription                    `json:"macros"`
	Rules                  []RuleDescription                     `json:"rules"`
}

RulesetDescription represents the description of the knowledge of the Falco engine after loading one or more rules files.

type TestOption

type TestOption func(*testOptions)

TestOption is an option for testing Falco

func WithAllEvents

func WithAllEvents() TestOption

WithAllEvents runs Falco with all events enabled through the `-A` option.

func WithArgs

func WithArgs(args ...string) TestOption

WithArgs runs Falco with the given arguments.

func WithCaptureFile

func WithCaptureFile(f run.FileAccessor) TestOption

WithCaptureFile runs Falco reading events from a capture file through the `-o engine.kind=replay` option.

func WithConfig

func WithConfig(f run.FileAccessor) TestOption

WithConfig runs Falco with the given config file through the `-c` option.

func WithContext

func WithContext(ctx context.Context) TestOption

WithContext runs Falco with a given context.

func WithContextDeadline

func WithContextDeadline(duration time.Duration) TestOption

WithContextDeadline runs Falco with a maximum context deadline.

func WithDisabledRules

func WithDisabledRules(rules ...string) TestOption

WithDisabledRules runs Falco with disabled rules through the `-D` option.

func WithDisabledSources

func WithDisabledSources(sources ...string) TestOption

WithDisabledSources runs Falco with disabled event sources through the `--disable-source` option.

func WithDisabledTags

func WithDisabledTags(tags ...string) TestOption

WithDisabledTags runs Falco with disabled rules tags through the `-T` option.

func WithEnabledSources

func WithEnabledSources(sources ...string) TestOption

WithEnabledSources runs Falco with enabled event sources through the `--enable-source` option.

func WithEnabledTags

func WithEnabledTags(tags ...string) TestOption

WithEnabledTags runs Falco with enabled rules tags through the `-t` option.

func WithEnvVars

func WithEnvVars(vars map[string]string) TestOption

WithEnvVars runs Falco with a given set of environment variables.

func WithExtraFiles

func WithExtraFiles(files ...run.FileAccessor) TestOption

WithExtraFiles runs Falco with a given set of extra loaded files. This can be used to make the underlying runner aware of files referred to by Falco, its config, or arguments set with WithArgs.

func WithMinRulePriority

func WithMinRulePriority(priority string) TestOption

WithMinRulePriority runs Falco by forcing a minimum rules priority.

func WithOutputJSON

func WithOutputJSON() TestOption

WithOutputJSON runs Falco by forcing the output in JSON format.

func WithRules

func WithRules(rules ...run.FileAccessor) TestOption

WithRules runs Falco with the given rules files through the `-r` option.

func WithRulesValidation

func WithRulesValidation(rules ...run.FileAccessor) TestOption

WithRulesValidation runs Falco with the given rules files to be validated through the `-V` option.

func WithStopAfter

func WithStopAfter(duration time.Duration) TestOption

WithStopAfter tells Falco to stop after 'duration' with the `-M` option.

type TestOutput

type TestOutput struct {
	// contains filtered or unexported fields
}

TestOutput is the output of a Falco test run

func Test

func Test(runner run.Runner, options ...TestOption) *TestOutput

Test runs a Falco runner with the given test options, and produces an output representing the outcome of the run.

func (*TestOutput) Detections

func (t *TestOutput) Detections() Detections

Detections converts the output of the Falco run into a list of rule detections. Returns nil if Falco wasn't run for rules detection.

func (*TestOutput) DurationExceeded

func (t *TestOutput) DurationExceeded() bool

DurationExceeded returns true if the Falco run exceeded the expected duration or if the context has expired.

func (*TestOutput) Err

func (t *TestOutput) Err() error

Err returns a non-nil error in case of issues when running Falco.

func (*TestOutput) ExitCode

func (t *TestOutput) ExitCode() int

ExitCode returns the numeric exit code of the Falco process.

func (*TestOutput) RuleValidation

func (t *TestOutput) RuleValidation() *RuleValidation

RuleValidation converts the output of the Falco run into a list of validation results of Falco rules files. Returns nil if Falco wasn't run for rules files validation.

func (*TestOutput) RulesetDescription

func (t *TestOutput) RulesetDescription() *RulesetDescription

RulesetDescription converts the output of the Falco run into a struct describing the knowledge of the Falco engine after loading one or more rules files. This is achieved with the Falco `-L` option combined with JSON output enabled. Returns nil if Falco wasn't run for rules descriptions.

func (*TestOutput) Stderr

func (t *TestOutput) Stderr() string

Stderr returns a string containing the stderr output of the Falco run.

func (*TestOutput) Stdout

func (t *TestOutput) Stdout() string

Stdout returns a string containing the stdout output of the Falco run.

func (*TestOutput) StdoutJSON

func (t *TestOutput) StdoutJSON() map[string]interface{}

StdoutJSON deserializes the stdout of the Falco run using the JSON encoding. Returns nil if the stdout is not encoded as JSON.
