Constants ¶
const (
	// DefaultMaxDuration is the default max duration of a Falco run
	// (180 seconds). NOTE(review): presumably this is the bound behind
	// TestOutput.DurationExceeded — confirm in the runner.
	DefaultMaxDuration = time.Second * 180
	//
	// DefaultExecutable is the default path of the Falco executable
	DefaultExecutable = "/usr/bin/falco"
	//
	// DefaultConfigFile is the default path of the Falco config file
	DefaultConfigFile = "/etc/falco/falco.yaml"
)
Variables ¶
var (
	// PrivilegedDockerBinds is the set of Docker binds required by Falco
	// when running as a Docker privileged container.
	//
	// NOTE(review): these binds hand the container the host's /dev, the host's
	// /proc (read-only) and the host Docker socket — in practice host-level
	// access — so they are only appropriate on a dedicated, trusted test host.
	PrivilegedDockerBinds = []string{
		"/dev:/host/dev",
		"/proc:/host/proc:ro",
		"/var/run/docker.sock:/host/var/run/docker.sock",
	}
	// FalcoConfig is the Falco config file path, initialised to
	// DefaultConfigFile. It is mutable package-level state: reassigning it
	// presumably changes the config used by every later run in the process
	// that does not pass WithConfig — confirm against the runner.
	FalcoConfig = DefaultConfigFile
)
Functions ¶
func NewPluginConfig ¶
func NewPluginConfig(configName string, plugins ...*PluginConfigInfo) (run.FileAccessor, error)
NewPluginConfig helps create a valid Falco configuration file (i.e. falco.yaml) that loads one or more plugins.
Types ¶
type Alert ¶
// Alert represents an alert produced by a Falco rule, as decoded from Falco's
// JSON output (see the json tags for the emitted field names).
type Alert struct {
	Time     time.Time `json:"time"`     // timestamp of the event
	Rule     string    `json:"rule"`     // name of the rule that fired
	Output   string    `json:"output"`   // formatted output line of the rule
	Priority string    `json:"priority"` // rule priority, e.g. as matched by Detections.OfPriority
	Source   string    `json:"source"`   // event source
	Hostname string    `json:"hostname"` // host on which the event was observed
	Tags     []string  `json:"tags"`     // rule tags
	// OutputFields holds the individual output fields keyed by field name.
	// NOTE(review): value types are whatever the JSON decoder produces
	// (string, float64, bool, ...) — confirm before asserting on them.
	OutputFields map[string]interface{} `json:"output_fields"`
}
Alert represents an alert produced by a Falco rule.
type Detections ¶
// Detections represents a list of Falco alerts; Count, OfPriority and OfRule
// filter and measure it.
type Detections []*Alert
Detections represents a list of Falco alerts.
func (Detections) Count ¶
func (d Detections) Count() int
Count returns the amount of alerts in the list of detections.
func (Detections) OfPriority ¶
func (d Detections) OfPriority(p string) Detections
OfPriority returns the list of detections that have a given priority.
func (Detections) OfRule ¶
func (d Detections) OfRule(v interface{}) Detections
OfRule returns the list of detections that have a given rule name. The rule name can either be a string or a *regexp.Regexp.
type ListDescription ¶
// ListDescription describes one list known to the Falco engine, as reported
// in RulesetDescription (Falco `-L` output with JSON enabled).
type ListDescription struct {
	Details ListDetailsDescription `json:"details"`
	Info    ListInfoDescription    `json:"info"`
}
type ListDetailsDescription ¶
type ListInfoDescription ¶
type MacroDescription ¶
// MacroDescription describes one macro known to the Falco engine, as reported
// in RulesetDescription (Falco `-L` output with JSON enabled).
type MacroDescription struct {
	Details MacroDetailsDescription `json:"details"`
	Info    MacroInfoDescription    `json:"info"`
}
type MacroDetailsDescription ¶
// MacroDetailsDescription holds the engine-side details of a loaded macro:
// its compiled condition and the names it depends on.
type MacroDetailsDescription struct {
	ConditionCompiled  string   `json:"condition_compiled"`  // condition after macro/list expansion
	ConditionFields    []string `json:"condition_fields"`    // fields referenced by the condition
	ConditionOperators []string `json:"condition_operators"` // operators used by the condition
	Events             []string `json:"events"`              // event types the condition applies to
	Lists              []string `json:"lists"`               // lists referenced by the macro
	Macros             []string `json:"macros"`              // macros referenced by the macro
	Plugins            []string `json:"plugins"`             // plugins the macro depends on
	Used               bool     `json:"used"`                // whether any rule uses the macro
}
type MacroInfoDescription ¶
type PluginConfigInfo ¶
// PluginConfigInfo represents the info about a single plugin in a Falco
// configuration file (i.e. falco.yaml); NewPluginConfig serialises one entry
// per PluginConfigInfo into the generated config.
type PluginConfigInfo struct {
	Name string // plugin name
	// Library is the plugin library Falco is told to load.
	// NOTE(review): presumably a shared-object path; whatever it points at
	// runs inside the Falco process, so only reference trusted plugin builds.
	Library    string
	OpenParams string      // parameters passed to the plugin's open call
	InitConfig interface{} // either a string or a json-serializable object
}
PluginConfigInfo represents the info about a single plugin in a Falco configuration file (i.e. falco.yaml). InitConfig can be either a string or a json-serializable object.
type PluginVersionRequirementDescription ¶
// PluginVersionRequirementDescription describes a plugin version requirement of
// a ruleset: the embedded PluginVersionRequirement plus a set of alternatives
// that presumably satisfy the same requirement — confirm against the engine.
type PluginVersionRequirementDescription struct {
	Alternatives []PluginVersionRequirement `json:"alternatives"`
	PluginVersionRequirement
}
type RuleDescription ¶
// RuleDescription describes one rule known to the Falco engine, as reported
// in RulesetDescription (Falco `-L` output with JSON enabled).
type RuleDescription struct {
	Details RuleDetailsDescription `json:"details"`
	Info    RuleInfoDescription    `json:"info"`
}
type RuleDetailsDescription ¶
// RuleDetailsDescription holds the engine-side details of a loaded rule: its
// compiled condition and output, its exceptions, and the names it depends on.
type RuleDetailsDescription struct {
	ConditionCompiled  string   `json:"condition_compiled"`  // condition after macro/list expansion
	ConditionFields    []string `json:"condition_fields"`    // fields referenced by the condition
	ConditionOperators []string `json:"condition_operators"` // operators used by the condition
	Events             []string `json:"events"`              // event types the condition applies to
	ExceptionFields    []string `json:"exception_fields"`    // fields referenced by the rule's exceptions
	ExceptionNames     []string `json:"exception_names"`     // names of the rule's exceptions
	ExceptionOperators []string `json:"exception_operators"` // operators used by the exceptions
	Lists              []string `json:"lists"`               // lists referenced by the rule
	Macros             []string `json:"macros"`              // macros referenced by the rule
	OutputCompiled     string   `json:"output_compiled"`     // output format after expansion
	OutputFields       []string `json:"output_fields"`       // fields referenced by the output
	Plugins            []string `json:"plugins"`             // plugins the rule depends on
}
type RuleInfoDescription ¶
type RuleValidation ¶
// RuleValidation represents a list of validation results of Falco rules files,
// one RuleValidationResult per validated file; AllErrors and AllWarnings merge
// them across files.
type RuleValidation struct {
	Results []*RuleValidationResult `json:"falco_load_results"`
}
RuleValidation represents a list of validation results of Falco rules files.
func (*RuleValidation) AllErrors ¶
func (r *RuleValidation) AllErrors() RuleValidationInfos
AllErrors returns the merged list of errors from all the validated Falco rules files.
func (RuleValidation) AllWarnings ¶
func (r RuleValidation) AllWarnings() RuleValidationInfos
AllWarnings returns the merged list of warnings from all the validated Falco rules files.
func (RuleValidation) At ¶
func (r RuleValidation) At(index int) *RuleValidationResult
At returns the validation result at the given index in the set. Returns an empty validation result if the index is out of bounds. todo(jasondellaluce): should we panic/fatal in this case?
type RuleValidationInfo ¶
// RuleValidationInfo represents a single error or warning resulting from the
// validation of a Falco rules file, including where in the file it was found.
type RuleValidationInfo struct {
	Code     string `json:"code"`     // machine-readable code, matched by RuleValidationInfos.OfCode
	Codedesc string `json:"codedesc"` // description of the code
	Message  string `json:"message"`  // human-readable message, matched by RuleValidationInfos.OfMessage
	// Context lists the locations in the rules file the error or warning
	// refers to.
	Context struct {
		Locations []struct {
			ItemName string `json:"item_name"` // name of the rule/macro/list item, matched by OfItemName
			ItemType string `json:"item_type"` // kind of item, matched by OfItemType
			Position struct {
				Line   int    `json:"line"`
				Column int    `json:"column"`
				Offset int    `json:"offset"`
				Name   string `json:"name"` // NOTE(review): presumably the source name — confirm
			} `json:"position"`
		} `json:"locations"`
	} `json:"context"`
}
RuleValidationInfo represents a single error or warning resulting from the validation of a Falco rules file.
type RuleValidationInfos ¶
// RuleValidationInfos represents a group of errors or warnings resulting from
// the validation of a Falco rules file; the Of* methods filter it.
type RuleValidationInfos []*RuleValidationInfo
RuleValidationInfos represents a group of errors or warnings resulting from the validation of a Falco rules file.
func (RuleValidationInfos) Count ¶
func (d RuleValidationInfos) Count() int
Count returns the amount of validation infos in the list.
func (RuleValidationInfos) OfCode ¶
func (d RuleValidationInfos) OfCode(v string) RuleValidationInfos
OfCode returns the validation info entries with the given code.
func (RuleValidationInfos) OfItemName ¶
func (d RuleValidationInfos) OfItemName(v string) RuleValidationInfos
OfItemName returns the validation info entries with the given item name.
func (RuleValidationInfos) OfItemType ¶
func (d RuleValidationInfos) OfItemType(v string) RuleValidationInfos
OfItemType returns the validation info entries with the given item type.
func (RuleValidationInfos) OfMessage ¶
func (d RuleValidationInfos) OfMessage(v interface{}) RuleValidationInfos
OfMessage returns the validation info entries with the given message. The message can either be a string or a *regexp.Regexp.
type RuleValidationResult ¶
// RuleValidationResult represents the validation result of a single Falco
// rules file.
type RuleValidationResult struct {
	Successful bool                `json:"successful"` // whether the file loaded without errors
	Name       string              `json:"name"`       // name of the validated rules file
	Errors     RuleValidationInfos `json:"errors"`
	Warnings   RuleValidationInfos `json:"warnings"`
}
RuleValidationResult represents the validation result of a Falco rules file.
type RulesetDescription ¶
// RulesetDescription represents the description of the knowledge of the Falco
// engine after loading one or more rules files (Falco `-L` output with JSON
// enabled).
type RulesetDescription struct {
	RequiredEngineVersion  string                                `json:"required_engine_version"`
	RequiredPluginVersions []PluginVersionRequirementDescription `json:"required_plugin_versions"`
	Lists                  []ListDescription                     `json:"lists"`
	Macros                 []MacroDescription                    `json:"macros"`
	Rules                  []RuleDescription                     `json:"rules"`
}
RulesetDescription represents the description of the knowledge of the Falco engine after loading one or more rules files.
type TestOption ¶
// TestOption is an option for testing Falco; the With* constructors return
// values of this type, and Test applies them in order to its unexported
// testOptions.
type TestOption func(*testOptions)
TestOption is an option for testing Falco.
func WithAllEvents ¶
func WithAllEvents() TestOption
WithAllEvents runs Falco with all events enabled through the `-A` option.
func WithArgs ¶
func WithArgs(args ...string) TestOption
WithArgs runs Falco with the given arguments.
func WithCaptureFile ¶
func WithCaptureFile(f run.FileAccessor) TestOption
WithCaptureFile runs Falco reading events from a capture file through the `-o engine.kind=replay` option.
func WithConfig ¶
func WithConfig(f run.FileAccessor) TestOption
WithConfig runs Falco with the given config file through the `-c` option.
func WithContext ¶
func WithContext(ctx context.Context) TestOption
WithContext runs Falco with a given context.
func WithContextDeadline ¶
func WithContextDeadline(duration time.Duration) TestOption
WithContextDeadline runs Falco with a maximum context deadline.
func WithDisabledRules ¶
func WithDisabledRules(rules ...string) TestOption
WithDisabledRules runs Falco with disabled rules through the `-D` option.
func WithDisabledSources ¶
func WithDisabledSources(sources ...string) TestOption
WithDisabledSources runs Falco with disabled event sources through the `--disable-source` option.
func WithDisabledTags ¶
func WithDisabledTags(tags ...string) TestOption
WithDisabledTags runs Falco with disabled rules tags through the `-T` option.
func WithEnabledSources ¶
func WithEnabledSources(sources ...string) TestOption
WithEnabledSources runs Falco with enabled event sources through the `--enable-source` option.
func WithEnabledTags ¶
func WithEnabledTags(tags ...string) TestOption
WithEnabledTags runs Falco with enabled rules tags through the `-t` option.
func WithEnvVars ¶
func WithEnvVars(vars map[string]string) TestOption
WithEnvVars runs Falco with a given set of environment variables.
func WithExtraFiles ¶
func WithExtraFiles(files ...run.FileAccessor) TestOption
WithExtraFiles runs Falco with a given set of extra loaded files. This can be used to make the underlying runner aware of files referred to by Falco, its config, or arguments set with WithArgs.
func WithMinRulePriority ¶
func WithMinRulePriority(priority string) TestOption
WithMinRulePriority runs Falco by forcing a minimum rules priority.
func WithOutputJSON ¶
func WithOutputJSON() TestOption
WithOutputJSON runs Falco by forcing the output in JSON format.
func WithRules ¶
func WithRules(rules ...run.FileAccessor) TestOption
WithRules runs Falco with the given rules files through the `-r` option.
func WithRulesValidation ¶
func WithRulesValidation(rules ...run.FileAccessor) TestOption
WithRulesValidation runs Falco with the given rules files to be validated through the `-V` option.
func WithStopAfter ¶
func WithStopAfter(duration time.Duration) TestOption
WithStopAfter tells Falco to stop after 'duration' with the `-M` option.
type TestOutput ¶
// TestOutput is the output of a Falco test run, produced by Test. Its methods
// expose the raw stdout/stderr, exit code and error, and decode stdout into
// Detections, RuleValidation or RulesetDescription depending on how Falco was
// run.
type TestOutput struct {
	// contains filtered or unexported fields
}
TestOutput is the output of a Falco test run.
func Test ¶
func Test(runner run.Runner, options ...TestOption) *TestOutput
Test runs a Falco runner with the given test options, and produces an output representing the outcome of the run.
func (*TestOutput) Detections ¶
func (t *TestOutput) Detections() Detections
Detections converts the output of the Falco run into a list of rule detections. Returns nil if Falco wasn't run for rules detection.
func (*TestOutput) DurationExceeded ¶
func (t *TestOutput) DurationExceeded() bool
DurationExceeded returns true if the Falco run exceeded the expected duration or if the context had expired.
func (*TestOutput) Err ¶
func (t *TestOutput) Err() error
Err returns a non-nil error in case of issues when running Falco.
func (*TestOutput) ExitCode ¶
func (t *TestOutput) ExitCode() int
ExitCode returns the numeric exit code of the Falco process.
func (*TestOutput) RuleValidation ¶
func (t *TestOutput) RuleValidation() *RuleValidation
RuleValidation converts the output of the Falco run into a list of validation results of Falco rules files. Returns nil if Falco wasn't run for rules files validation.
func (*TestOutput) RulesetDescription ¶
func (t *TestOutput) RulesetDescription() *RulesetDescription
RulesetDescription converts the output of the Falco run into a struct describing the knowledge of the Falco engine after loading one or more rules files. This is achieved with the Falco `-L` option combined with the JSON output enabled. Returns nil if Falco wasn't run for rules descriptions.
func (*TestOutput) Stderr ¶
func (t *TestOutput) Stderr() string
Stderr returns a string containing the stderr output of the Falco run.
func (*TestOutput) Stdout ¶
func (t *TestOutput) Stdout() string
Stdout returns a string containing the stdout output of the Falco run.
func (*TestOutput) StdoutJSON ¶
func (t *TestOutput) StdoutJSON() map[string]interface{}
StdoutJSON deserializes the stdout of the Falco run using the JSON encoding. Returns nil if the stdout is not encoded as JSON.