wip: new(metrics): add file sha256sum metrics for loaded config and rules files
What type of PR is this?
Uncomment one (or more) /kind <> lines:
/kind bug
/kind cleanup
/kind design
/kind documentation
/kind failing-test
/kind feature
/kind release
Any specific area of the project related to this PR?
Uncomment one (or more) /area <> lines:
/area build
/area engine
/area tests
/area proposals
/area CI
What this PR does / why we need it:
This PR adds the sha256sum for each loaded config and rules file as an individual metric. These metrics complement existing informational metrics such as the Falco version or kernelrelease of the host and especially help to track deployment upgrade convergence and integrity.
Note: This PR only adds the new metrics, thus deferring future metrics code consolidations to the next release dev cycle.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
new(metrics): add file sha256sum metrics for loaded config and rules files
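Added example (not part of the PR or of Falco's code): one way an operator could use per-file SHA-256 values like the ones this PR exposes to check upgrade convergence and integrity across hosts. The `reported` mapping, the host names and the file contents are constructed; how the checksums are scraped from Falco's metrics output is assumed and not shown.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Stream the file through SHA-256 so large rules files are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_fleet(expected, reported):
    """Return {host: [findings]} for hosts whose reported {file: sha256} differs from expected."""
    findings = {}
    for host, files in sorted(reported.items()):
        issues = []
        for name, want in sorted(expected.items()):
            got = files.get(name)
            if got is None:
                issues.append(f"{name}: not loaded")
            elif got.lower() != want:
                issues.append(f"{name}: checksum mismatch")
        issues += [f"{n}: unexpected file" for n in sorted(set(files) - set(expected))]
        if issues:
            findings[host] = issues
    return findings


def demo():
    # Constructed sample data: two small files standing in for a config and a rules file.
    with tempfile.TemporaryDirectory() as d:
        contents = {"falco.yaml": b"json_output: true\n", "falco_rules.yaml": b"- rule: sample\n"}
        for name, data in contents.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        expected = {n: sha256_file(os.path.join(d, n)) for n in contents}
    reported = {  # hypothetical scrape result, one entry per host
        "node-a": dict(expected),
        "node-b": {**expected, "falco_rules.yaml": hashlib.sha256(b"- rule: old\n").hexdigest()},
        "node-c": {"falco.yaml": expected["falco.yaml"]},
    }
    return audit_fleet(expected, reported)


if __name__ == "__main__":
    print(demo())
```

Hosts that report every expected checksum are omitted from the result, so an empty dictionary means the fleet has converged on the intended files.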
This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.
Please double check userspace/engine/falco_engine_version.h file. See versioning for FALCO_ENGINE_VERSION.
/hold
/milestone 0.38.0
This is now ready for review.
Question: why is all of this linux only?
Main purpose of metrics is at runtime when running Falco on Linux. I am not sure why we would need it when we load a capture file on macOS or Windows. In addition, most metrics already only work on Linux. More thoughts?
Support for macOS or Windows likely requires a different approach as that openssl lib I am using is not available.
I was thinking if running Falco on e.g. Windows with plugins and their rules, one could still want the shasums in the metrics.
No problem then, we can introduce it later if someone needs it!
Yeah, right now it's actually not even working well for plugins only even on Linux. Needless to say, metrics still requires lots of work over the next n releases.
LGTM label has been added.
CI Build / test-dev-packages / test-packages (pull_request) Failing after 4m
I am investigating the TestFalco_Legacy_KernelUpgrade failure since it also fails on https://github.com/falcosecurity/falco/pull/3191
LGTM label has been added.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: FedeDP, incertum, leogr
The full list of commands accepted by this bot can be found here.
The pull request process is described here
- ~~OWNERS~~ [FedeDP,incertum,leogr]
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
false positive /unhold