Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

new(metrics): add file sha256sum metrics for loaded config and rules files #3187

Merged

Conversation

incertum
Copy link
Contributor

@incertum incertum commented May 8, 2024

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

/kind release

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area engine

/area tests

/area proposals

/area CI

What this PR does / why we need it:

This PR adds the sha256sum for each loaded config and rules file as individual metric. These metrics complement existing informational metrics such as the Falco version or kernelrelease of the host and especially help to track deployment upgrade convergence and integrity. When hot reloading Falco and having watch config files setting enabled, the state is re-initialized and as such the new sha256sum is calculated.

Note: This PR only adds the new metrics, thus deferring future metrics code consolidations to the next release dev cycle.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

new(metrics): add file sha256sum metrics for loaded config and rules files

Copy link

github-actions bot commented May 8, 2024

This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.

Please double check userspace/engine/falco_engine_version.h file. See versioning for FALCO_ENGINE_VERSION.

/hold

@incertum incertum force-pushed the sha256-config-rules-files-metrics branch from f9607c8 to 0cc454d Compare May 8, 2024 12:43
@incertum
Copy link
Contributor Author

incertum commented May 8, 2024

/milestone 0.38.0

@poiana poiana added this to the 0.38.0 milestone May 8, 2024
@incertum incertum force-pushed the sha256-config-rules-files-metrics branch from 0cc454d to 9c5a8b6 Compare May 9, 2024 16:12
@incertum incertum changed the title wip: new(metrics): add file sha256sum metrics for loaded config and rules files new(metrics): add file sha256sum metrics for loaded config and rules files May 9, 2024
@incertum
Copy link
Contributor Author

incertum commented May 9, 2024

This is now ready for review.

@@ -83,6 +84,9 @@ falco::app::run_result falco::app::actions::load_rules_files(falco::app::state&
{
falco_logger::log(falco_logger::level::WARNING,res->as_string(true, rc) + "\n");
}
#if defined(__linux__) and !defined(MINIMAL_BUILD) and !defined(__EMSCRIPTEN__)
s.config->m_loaded_rules_filenames_sha256sum.push_back(falco::utils::calculate_file_sha256sum(filename));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if m_loaded_rules_filenames_sha256sum (and m_loaded_configs_filenames_sha256sum) was instead a unoredered_set<string>string, where key is filename and value is sha256sum?
This would allow metrics and stats writer to just iterate over m_loaded_rules_filenames_sha256sum (and m_loaded_configs_filenames) keys.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If that's more desirable, no problems to change it.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would simplify a bit the falco_metrics and stats_writer loops, making them more readable.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok.

Copy link
Contributor

@FedeDP FedeDP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question: why is all of this linux only?

@incertum
Copy link
Contributor Author

Question: why is all of this linux only?

Main purpose of metrics is at runtime when running Falco on Linux. I am not sure why we would need it when we load a capture file on macOS or Windows. In addition, most metrics already only work on Linux. More thoughts?

Support for macOS or Windows likely requires a different approach as that openssl lib I am using is not available.

@FedeDP
Copy link
Contributor

FedeDP commented May 10, 2024

I was thinking if running Falco on eg: windows with plugins and their rules, one could still want the shasums in the metrics.

Support for macOS or Windows likely requires a different approach as that openssl lib I am using is not available.

No problem then, we can introduce it later if someone needs it!

@incertum
Copy link
Contributor Author

I was thinking if running Falco on eg: windows with plugins and their rules, one could still want the shasums in the metrics.

Support for macOS or Windows likely requires a different approach as that openssl lib I am using is not available.

No problem then, we can introduce it later if someone needs it!

Yeah, right now it's actually not even working well for plugins only even on Linux. Needless to say, metrics still requires lots of work over the next n releases.

Copy link
Contributor

@FedeDP FedeDP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@poiana
Copy link
Contributor

poiana commented May 10, 2024

LGTM label has been added.

Git tree hash: dcb2a70aa3d6111480fd1c016a4db4f24a8b665d

@FedeDP
Copy link
Contributor

FedeDP commented May 13, 2024

CI Build / test-dev-packages / test-packages (pull_request) Failing after 4m

I am investigating the TestFalco_Legacy_KernelUpgrade failure since it also fails on #3191

incertum and others added 5 commits May 13, 2024 16:34
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
…files

Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
@incertum incertum force-pushed the sha256-config-rules-files-metrics branch from 8c2d430 to f9c7dc1 Compare May 13, 2024 16:34
@poiana poiana removed the lgtm label May 13, 2024
@poiana poiana requested a review from FedeDP May 13, 2024 16:34
Copy link
Contributor

@FedeDP FedeDP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@poiana poiana added the lgtm label May 13, 2024
@poiana
Copy link
Contributor

poiana commented May 13, 2024

LGTM label has been added.

Git tree hash: dc0266cc27417ce5e855648589ac81944db7ea34

@poiana
Copy link
Contributor

poiana commented May 14, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: FedeDP, incertum, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [FedeDP,incertum,leogr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@leogr
Copy link
Member

leogr commented May 14, 2024

This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.

Please double check userspace/engine/falco_engine_version.h file. See versioning for FALCO_ENGINE_VERSION.

/hold

false positive
/unhold

@poiana poiana merged commit 60e6798 into falcosecurity:master May 14, 2024
35 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

4 participants