forked from falcosecurity/falco
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Update the falco binary to add support for plugins. - Keep track of an "event source", which is initially "syscall" but changes to the input plugin's source if an source plugin ends up being loaded. - New argument --list-plugins will return info on any loaded plugins, using sinsp_plugin::plugin_infos. - Create filter/formatter factories for plugins. This ensures that filterchecks for syscalls are not used for plugins and vice versa. - Use sinsp_plugin::register_plugin() to load each plugin found in config. The first source plugin found (if any) calls engine->add_source withthe source plugin's event source. - If a second source plugin is found, exit with an error. - Extractor plugins must be compatible with the event source (usually the plugin event source, but could be "syscall"). If not, exit with an error. - Multiple Extractor plugins are allowed, but they can not have overlapping compatible event sources. This is mostly to avoid confusion, but we might change this later. - After loading plugins, use engine is_plugin_compatible to ensure that the plugin is compatible with any required_plugin_version blocks in falco rules. - Normally falco would log warnings if too many SCAP_TIMEOUT results were received. These are more expected when using plugins, so only log these warnings when using syscalls. Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Co-authored-by: Loris Degioanni <loris@sysdig.com> Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
- Loading branch information
1 parent
2cfda0d
commit 6eaf5b0
Showing
1 changed file
with
143 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters