From 11682f4dc74d94e0982f68a040d162066f1f4c06 Mon Sep 17 00:00:00 2001 From: Thomas Labarussias Date: Thu, 28 Mar 2024 14:24:03 +0100 Subject: [PATCH] extend the output fields with talon specific fields, useful if the payload is forwarded to a third party like AWS Lambda (#195) Signed-off-by: Thomas Labarussias --- actionners/actionners.go | 5 ++++- internal/events/events.go | 2 +- internal/rules/rules.go | 26 ++++++++++++++++++++++++-- rules.yaml | 32 +++++++++++++++----------------- 4 files changed, 44 insertions(+), 21 deletions(-) diff --git a/actionners/actionners.go b/actionners/actionners.go index 5374bdf3..67f255c5 100644 --- a/actionners/actionners.go +++ b/actionners/actionners.go @@ -351,7 +351,10 @@ func StartConsumer(eventsC <-chan string) { metrics.IncreaseCounter(log) for _, a := range i.GetActions() { - if err := runAction(i, a, event); err != nil && a.IgnoreErrors == falseStr { + e := new(events.Event) + *e = *event + i.ExtendOutputFields(e, a) + if err := runAction(i, a, e); err != nil && a.IgnoreErrors == falseStr { break } if a.Continue == falseStr || a.Continue != trueStr && !GetDefaultActionners().FindActionner(a.GetActionner()).MustDefaultContinue() { diff --git a/internal/events/events.go b/internal/events/events.go index 1b4a55f9..49430fb2 100644 --- a/internal/events/events.go +++ b/internal/events/events.go @@ -43,7 +43,7 @@ func DecodeEvent(payload io.Reader) (*Event, error) { } if event.Source == "" { - event.Source = "syscalls" + event.Source = "syscall" } if event.TraceID == "" { diff --git a/internal/rules/rules.go b/internal/rules/rules.go index fef1b56c..a7a9456a 100644 --- a/internal/rules/rules.go +++ b/internal/rules/rules.go @@ -1,6 +1,7 @@ package rules import ( + "encoding/json" "errors" "fmt" "os" @@ -50,8 +51,9 @@ type outputfield struct { } const ( - trueStr string = "true" - falseStr string = "false" + trueStr string = "true" + falseStr string = "false" + falcoTalonOutputField string = "falco-talon." ) var rules *[]*Rule 
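Review bot: The copy made by `e := new(events.Event); *e = *event` is shallow, so if `OutputFields` is a map (as the indexing in `ExtendOutputFields` suggests) `e` aliases the same map and every `falco-talon.*` write also lands in the original `event`. With several actions on one rule each iteration then overwrites the previous action's keys in that shared map, the conditionally-set keys (`action.continue`, `action.ignore_errors`) can survive from an earlier action, and anything that later reads `event` (other rules, logging) sees the talon fields too. Clone the map after the struct copy, e.g. `e.OutputFields = maps.Clone(event.OutputFields)` (stdlib `maps`, Go 1.21+) or a `for k, v := range event.OutputFields { e.OutputFields[k] = v }` loop into a freshly `make`d map. If `OutputFields` can be nil for an event without fields, that `make` is needed anyway, since the assignments in `ExtendOutputFields` would panic on a nil map. `StartConsumer` begins before this hunk and continues after it.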
@@ -527,3 +529,23 @@ func (rule *Rule) comparePriority(event *events.Event) bool { } return false } + +func (rule *Rule) ExtendOutputFields(event *events.Event, action *Action) { + event.OutputFields[falcoTalonOutputField+"rule"] = rule.Name + if rule.Continue != "" { + event.OutputFields[falcoTalonOutputField+"rule.continue"] = rule.Continue + } + if rule.DryRun != "" { + event.OutputFields[falcoTalonOutputField+"rule.dry_run"] = rule.DryRun + } + event.OutputFields[falcoTalonOutputField+"action"] = action.Name + if action.Continue != "" { + event.OutputFields[falcoTalonOutputField+"action.continue"] = action.Continue + } + if action.IgnoreErrors != "" { + event.OutputFields[falcoTalonOutputField+"action.ignore_errors"] = action.IgnoreErrors + } + j, _ := json.Marshal(action.Parameters) + event.OutputFields[falcoTalonOutputField+"action.parameters"] = string(j) + event.OutputFields[falcoTalonOutputField+"actionner"] = action.Actionner +} diff --git a/rules.yaml b/rules.yaml index 81eaef6a..dca25435 100644 --- a/rules.yaml +++ b/rules.yaml @@ -21,8 +21,6 @@ aws_lambda_alias_or_version: $LATEST aws_lambda_invocation_type: RequestResponse - - - rule: Suspicious outbound connection match: rules: @@ -41,22 +39,22 @@ actions: - action: Labelize Pod as Suspicious -- rule: Test invoke lambda - match: - rules: - - Test invoke lambda - actions: - - action: Invoke Lambda function +# - rule: Test invoke lambda +# match: +# rules: +# - Test invoke lambda +# actions: +# - action: Invoke Lambda function -- rule: Delete unknown namespace - match: - rules: - - K8s Namespace Created - output_fields: - - ka.target.namespace=todelete - actions: - - action: Delete the namespace - actionner: kubernetes:delete +# - rule: Delete unknown namespace +# match: +# rules: +# - K8s Namespace Created +# output_fields: +# - ka.target.namespace=todelete +# actions: +# - action: Delete the namespace +# actionner: kubernetes:delete - rule: Calico netpol match:
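Review bot: `j, _ := json.Marshal(action.Parameters)` discards the error, so a parameters value that cannot be marshalled (for instance a YAML-decoded `map[interface{}]interface{}`, if that is what the rule loader produces) silently yields `"falco-talon.action.parameters": ""`, which a consumer cannot distinguish from an action with no parameters at all. Check the error and fall back to a readable form rather than an empty string: `j, err := json.Marshal(action.Parameters)` followed by `if err != nil { j = []byte(fmt.Sprint(action.Parameters)) }` (`fmt` is already imported in this file). Because the commit's stated purpose is to forward this payload to third parties such as AWS Lambda, a doc comment should also warn that every action parameter is serialised into the event verbatim, so any credential or token passed as an actionner parameter would leave with it — whether to redact known-sensitive keys here depends on which actionners accept secrets, which this hunk does not show. The exported function also needs its doc comment, e.g. `// ExtendOutputFields adds the falco-talon.* fields describing the matched rule and the action about to run to event.OutputFields.`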