new(falco): print all events with flags #2771
Conversation
LucaGuerra
force-pushed
the
new/print-all-events
branch
from
7b33152 to
d6e4536
Compare
|
|
||
| // This is the result of running the following command: | ||
| // FALCO="falco -c ./falco.yaml" | ||
| // echo $($FALCO --version | grep 'Engine:' | awk '{print $2}') $(echo $($FALCO --version | grep 'Schema version:' | awk '{print $3}') $($FALCO --list --markdown | grep '^`' | sort) $($FALCO --list-syscall-events | sort) | sha256sum) | ||
| // It represents the fields supported by this version of Falco, | ||
| // the event types, and the underlying driverevent schema. It's used to | ||
| // detetect changes in engine version in our CI jobs. | ||
| #define FALCO_ENGINE_CHECKSUM "41b5dc700216b243d294b40c46264d4e89d0ee00098fdc1c21bb4b1e7639da06" | ||
| #define FALCO_ENGINE_CHECKSUM "98c6e665031b95c666a9ab02d5470e7008e8636bf02f4cc410912005b90dff5c" |
There was a problem hiding this comment.
Note for the reviewer: the list of events did not change, but the format did so we need to update the checksum. Updating the engine version should be OK but if I forgot something and it's not please let me know and I'll revert
| printf("\n\n## Plugin events\n\n"); | ||
| print_events(events_bc.pluginevents, s.options.markdown); |
There was a problem hiding this comment.
Do we intend to print all events (regardless of the data source) here? If so, I would change the option name from --list-syscall-events to --list-events.
cc @falcosecurity/falco-maintainers
There was a problem hiding this comment.
yes agree with leo i would change it to --list-events
There was a problem hiding this comment.
I noticed that this flag never printed syscall events, but always printed all events. Yes, I introduced it and decided the name 😅 . So I agree with you, let me change it to --list-events.
Why do we need this? 🤔 |
Even after our recent changes and optimizations, some events require the We need to convey this information to users somehow otherwise people would (rightly) expect all events to work in all cases! If you have ideas about how to make it clearer I'd be happy to hear it but that's the one idea I found right now. |
Signed-off-by: Luca Guerra <luca@guerra.sh>
Signed-off-by: Luca Guerra <luca@guerra.sh>
LucaGuerra
force-pushed
the
new/print-all-events
branch
from
baade08 to
eedfba2
Compare
Signed-off-by: Luca Guerra <luca@guerra.sh>
LucaGuerra
force-pushed
the
new/print-all-events
branch
from
eedfba2 to
dfeb056
Compare
|
LGTM label has been added. Git tree hash: b9547690cc9b80af1e6cfe8037c4065c3535f65e
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Andreagit97, FedeDP, LucaGuerra The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind feature
/area engine
What this PR does / why we need it:
This patch changes the way events are printed, especially in markdown format. See this page: https://falco.org/docs/reference/rules/supported-events/ . There are significant changes:
-Aflag is requiredUpdating the event list is just a matter of running
./userspace/falco/falco --list-syscall-events --markdownand saving the output in thesupported-events.mdin the website.Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: