
[New Feature]: Dry run option that outputs the syscalls used by rules #2372

Closed
incertum opened this issue Jan 25, 2023 · 6 comments

Comments

@incertum (Contributor)

Motivation + Feature

As an extension to #2371, "Dry run option that outputs the syscalls used by rules" proposed by @happy-dude.

Quote @happy-dude from #2361 (comment)

is it possible to have a "dry-run" option that reads in the ruleset (rules.yaml) and outputs the set of syscalls that will be inspected

  • as part of the Falco state engine
  • from the dynamic set (rules.yaml)
  • and from the additional set?

This can help for debugging by making it clear what is causing a particular syscall to be inspected.

Quote @jasondellaluce from #2361 (comment)

Dry run option that outputs the syscalls used by rules: I see this request falling into the umbrella of "printing descriptive information about one or more rules (up until the whole ruleset)". We have other feature requests like this (see: #1814), and I think we should make this happen. In my opinion, enhancing --list-syscalls might not be the right call because it's only supposed to print static data. Instead, we also have -L and -l that are meant to print information about rules specifically. I think we could enhance the output of those commands to include the set of matching events and other info as well. Plus, I'm recently advocating the idea of making all Falco outputs optionally machine-readable in JSON format in the future (see special notes for your reviewer in: #2351), in which case we could include extra information in the JSON output compared to the plain-text counterpart.
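An added illustration of what the requested dry-run report could look like, not Falco's own code: a small script that resolves Falco-style lists and macros and reports, per rule, which syscalls the evt.type constraints name and which rule or macro introduced each one. The ruleset is a constructed sample in Falco's list/macro/rule shape, and negative constraints (!=, not in) are assumed out of scope.

```python
import re
from typing import Dict, List, Set
# Constructed sample in Falco's list/macro/rule shape; not taken from the issue.
SAMPLE_RULESET = [
    {"list": "open_syscalls", "items": ["open", "openat", "openat2"]},
    {"macro": "open_read", "condition": "evt.type in (open_syscalls) and evt.is_open_read=true"},
    {"macro": "spawned_process", "condition": "evt.type in (execve, execveat) and evt.dir=<"},
    {"rule": "Read sensitive file", "condition": "open_read and fd.name startswith /etc/shadow"},
    {"rule": "Run shell", "condition": "spawned_process and proc.name in (bash, sh)"},
    {"rule": "Chmod binary", "condition": "evt.type = chmod or spawned_process"},
]

# Positive evt.type constraints only: "evt.type = chmod" or "evt.type in (open, openat)".
# Assumption: negations ("!=", "not in") are out of scope for this illustration.
EVT_TYPE_RE = re.compile(r"evt\.type\s*(?:=|in)\s*(\([^)]*\)|\w+)")
IDENT_RE = re.compile(r"[A-Za-z_]\w*")

def _expand(group: str, lists: Dict[str, List[str]]) -> List[str]:
    """Expand "x" or "(a, b, list_name)", substituting list names with their items."""
    names = [t.strip() for t in group.strip("()").split(",")]
    return [s for n in names for s in lists.get(n, [n])]

def syscalls_by_origin(ruleset) -> Dict[str, Dict[str, Set[str]]]:
    """Map rule name -> {syscall -> names of the rule/macro(s) whose condition named it}."""
    lists = {d["list"]: d["items"] for d in ruleset if "list" in d}
    macros = {d["macro"]: d["condition"] for d in ruleset if "macro" in d}
    result: Dict[str, Dict[str, Set[str]]] = {}
    for rule, condition in ((d["rule"], d["condition"]) for d in ruleset if "rule" in d):
        origins: Dict[str, Set[str]] = {}
        seen: Set[str] = set()
        def walk(name: str, cond: str) -> None:
            if name in seen:                      # guards against macro cycles
                return
            seen.add(name)
            for m in EVT_TYPE_RE.finditer(cond):
                for sc in _expand(m.group(1), lists):
                    origins.setdefault(sc, set()).add(name)
            for ident in IDENT_RE.findall(cond):  # recurse into referenced macros
                if ident in macros:
                    walk(ident, macros[ident])

        walk(rule, condition)
        result[rule] = origins
    return result

def all_syscalls(ruleset) -> Set[str]:
    """Union of every syscall any rule in the ruleset would cause Falco to inspect."""
    return {sc for per_rule in syscalls_by_origin(ruleset).values() for sc in per_rule}
```

Printing syscalls_by_origin(SAMPLE_RULESET) answers the "what is causing this syscall to be inspected" question from the quote: each syscall is tagged with the rule or macro that introduced it.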

@jasondellaluce (Contributor)

/milestone 0.35.0

@poiana poiana added this to the 0.35.0 milestone Jan 25, 2023
@poiana (Contributor) commented Apr 25, 2023

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@jasondellaluce (Contributor)

I think this is now addressed in: #2544

@FedeDP (Contributor) commented May 23, 2023

@incertum should we close this?

@incertum (Contributor, Author)

I think we can close it; I opened it on behalf of @happy-dude. I think there is still an outstanding request to be able to print the syscalls from each rule as a debug print during a dry-run, but we can maybe open a new issue with more specific instructions in this regard. @happy-dude WDYT? Or, btw, am I missing that we now have such a print option already?

@happy-dude (Contributor)

Works for me! I'm wondering if something like that is necessary now after having gained some experience writing rules and with the utility of base_syscalls 🤔

But I digress! Feel free to close and I'll open another issue ticket if the need rises 👍
