add new log line for the status in_progress of the actions

Signed-off-by: Thomas Labarussias <[email protected]>
falcosecurity · Jan 20, 2025 · 12b6864 · 12b6864
1 parent 95ec850
commit 12b6864
Show file tree

Hide file tree

Showing 22 changed files with 134 additions and 136 deletions.
diff --git a/actionners/actionners.go b/actionners/actionners.go
@@ -112,7 +112,7 @@ func Init() error {
 		for _, actionner := range *defaultActionners {
 			if category == actionner.Information().Category {
 				if err := actionner.Init(); err != nil {
-					utils.PrintLog("error", utils.LogLine{Message: "init", Error: err.Error(), Category: actionner.Information().Category, Status: utils.FailureStr})
+					utils.PrintLog(utils.ErrorStr, utils.LogLine{Message: "init", Error: err.Error(), Category: actionner.Information().Category, Status: utils.FailureStr})
 					return err
 				}
 				enabledCategories[category] = true
@@ -176,15 +176,15 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
 
 	if rule.DryRun == trueStr {
 		log.Output = "no action, dry-run is enabled"
-		utils.PrintLog("info", log)
+		utils.PrintLog(utils.InfoStr, log)
 		return err
 	}
 
 	actionner := actionners.FindActionner(action.GetActionner())
 	if actionner == nil {
 		log.Status = utils.FailureStr
 		log.Error = fmt.Sprintf("unknown actionner '%v'", action.GetActionner())
-		utils.PrintLog("error", log)
+		utils.PrintLog(utils.ErrorStr, log)
 		return fmt.Errorf("unknown actionner '%v'", action.GetActionner())
 	}
 
@@ -194,7 +194,7 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
 	if err2 := actionner.Checks(event, action); err2 != nil {
 		log.Status = utils.FailureStr
 		log.Error = err2.Error()
-		utils.PrintLog("error", log)
+		utils.PrintLog(utils.ErrorStr, log)
 		span.SetStatus(codes.Error, err2.Error())
 		span.RecordError(err2)
 		span.End()
@@ -225,6 +225,11 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
 		trace.WithAttributes(attribute.String("actionner.name", action.GetActionnerName())),
 	)
 	defer span.End()
+
+	logP := log
+	logP.Status = utils.InProgressStr
+	utils.PrintLog(utils.InfoStr, logP)
+
 	result, data, err := actionner.Run(event, action)
 	span.SetAttributes(attribute.String("action.result", result.Status))
 	span.SetAttributes(attribute.String("action.output", result.Output))
@@ -257,15 +262,15 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
 		log.Error = err.Error()
 		span.SetStatus(codes.Error, err.Error())
 		span.RecordError(err)
-		utils.PrintLog("error", log)
+		utils.PrintLog(utils.ErrorStr, log)
 		go notifiers.Notify(actx, rule, action, event, log)
 		return err
 	}
 	log.Status = utils.SuccessStr
 	span.AddEvent(result.Output)
 	span.SetStatus(codes.Ok, "action successfully completed")
 
-	utils.PrintLog("info", log)
+	utils.PrintLog(utils.InfoStr, log)
 	go notifiers.Notify(actx, rule, action, event, log)
 
 	if actionner.Information().RequireOutput {
@@ -282,7 +287,7 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
 			logO.Status = utils.FailureStr
 			logO.Error = err.Error()
 			logO.OutputTarget = "n/a"
-			utils.PrintLog("error", logO)
+			utils.PrintLog(utils.ErrorStr, logO)
 			metrics.IncreaseCounter(logO)
 			span.SetStatus(codes.Error, err.Error())
 			span.RecordError(err)
@@ -295,7 +300,7 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
 			err = fmt.Errorf("empty output")
 			logO.Status = utils.FailureStr
 			logO.Error = err.Error()
-			utils.PrintLog("error", logO)
+			utils.PrintLog(utils.ErrorStr, logO)
 			metrics.IncreaseCounter(logO)
 			span.SetStatus(codes.Error, err.Error())
 			span.RecordError(err)
@@ -311,7 +316,7 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
 			logO.Status = utils.FailureStr
 			logO.OutputTarget = target
 			logO.Error = err.Error()
-			utils.PrintLog("error", logO)
+			utils.PrintLog(utils.ErrorStr, logO)
 			metrics.IncreaseCounter(logO)
 			span.SetAttributes(attribute.String("output.target", target))
 			span.SetStatus(codes.Error, err.Error())
@@ -331,7 +336,7 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
 		if err2 := o.Checks(output); err2 != nil {
 			logO.Status = utils.FailureStr
 			logO.Error = err2.Error()
-			utils.PrintLog("error", logO)
+			utils.PrintLog(utils.ErrorStr, logO)
 			metrics.IncreaseCounter(logO)
 			span.SetStatus(codes.Error, err2.Error())
 			span.RecordError(err2)
@@ -357,7 +362,7 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
 
 		if err != nil {
 			logO.Error = err.Error()
-			utils.PrintLog("error", logO)
+			utils.PrintLog(utils.ErrorStr, logO)
 			span.SetStatus(codes.Error, err.Error())
 			span.RecordError(err)
 			go notifiers.Notify(octx, rule, action, event, logO)
@@ -367,7 +372,7 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
 		span.SetStatus(codes.Ok, "output successfully completed")
 		span.AddEvent(result.Output)
 
-		utils.PrintLog("info", logO)
+		utils.PrintLog(utils.InfoStr, logO)
 		go notifiers.Notify(octx, rule, action, event, logO)
 		span.End()
 		return nil
@@ -390,7 +395,7 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
 			logO.OutputTarget = target
 			logO.Status = utils.FailureStr
 			logO.Error = err.Error()
-			utils.PrintLog("error", logO)
+			utils.PrintLog(utils.ErrorStr, logO)
 			span.SetAttributes(attribute.String("output.target", target))
 			span.SetStatus(codes.Error, err.Error())
 			span.RecordError(err)
@@ -410,7 +415,7 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
 			err = fmt.Errorf("empty output")
 			logO.Status = utils.FailureStr
 			logO.Error = err.Error()
-			utils.PrintLog("error", logO)
+			utils.PrintLog(utils.ErrorStr, logO)
 			metrics.IncreaseCounter(logO)
 			span.SetStatus(codes.Error, err.Error())
 			span.RecordError(err)
@@ -436,7 +441,7 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
 
 		if err != nil {
 			logO.Error = err.Error()
-			utils.PrintLog("error", logO)
+			utils.PrintLog(utils.ErrorStr, logO)
 			span.SetStatus(codes.Error, err.Error())
 			span.RecordError(err)
 			go notifiers.Notify(octx, rule, action, event, logO)
@@ -446,7 +451,7 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
 		span.SetStatus(codes.Ok, "output successfully completed")
 		span.AddEvent(result.Output)
 
-		utils.PrintLog("info", logO)
+		utils.PrintLog(utils.InfoStr, logO)
 		go notifiers.Notify(octx, rule, action, event, logO)
 		span.End()
 		return nil
@@ -492,7 +497,7 @@ func StartConsumer(eventsC <-chan nats.MessageWithContext) {
 		}
 
 		if !config.PrintAllEvents {
-			utils.PrintLog("info", log)
+			utils.PrintLog(utils.InfoStr, log)
 		}
 
 		for _, i := range triggeredRules {
@@ -512,7 +517,7 @@ func StartConsumer(eventsC <-chan nats.MessageWithContext) {
 			span.SetStatus(codes.Ok, "match detected")
 			span.End()
 
-			utils.PrintLog("info", log)
+			utils.PrintLog(utils.InfoStr, log)
 			metrics.IncreaseCounter(log)
 
 			for _, a := range i.GetActions() {
@@ -533,7 +538,7 @@ func StartConsumer(eventsC <-chan nats.MessageWithContext) {
 								TraceID:   e.TraceID,
 								Error:     err.Error(),
 							}
-							utils.PrintLog("error", log)
+							utils.PrintLog(utils.ErrorStr, log)
 							if a.IgnoreErrors != trueStr {
 								break
 							}

diff --git a/actionners/kubernetes/drain/drain.go b/actionners/kubernetes/drain/drain.go
@@ -118,7 +118,7 @@ func (a Actionner) Run(event *events.Event, action *rules.Action) (utils.LogLine
 	return a.RunWithClient(*client, event, action)
 }
 
-func (a Actionner) RunWithClient(client k8s.DrainClient, event *events.Event, action *rules.Action) (utils.LogLine, *models.Data, error) {
+func (a Actionner) RunWithClient(client k8s.Client, event *events.Event, action *rules.Action) (utils.LogLine, *models.Data, error) {
 	podName := event.GetPodName()
 	namespace := event.GetNamespaceName()
 	objects := map[string]string{}
@@ -191,7 +191,7 @@ func (a Actionner) RunWithClient(client k8s.DrainClient, event *events.Event, ac
 					FieldSelector: fmt.Sprintf("spec.nodeName=%s", nodeName),
 				})
 				if err2 != nil {
-					utils.PrintLog("warning", utils.LogLine{Message: fmt.Sprintf("error listing pods on node '%v': %v", nodeName, err2)})
+					utils.PrintLog(utils.WarningStr, utils.LogLine{Message: fmt.Sprintf("error listing pods on node '%v': %v", nodeName, err2)})
 					continue
 				}
 
@@ -234,28 +234,28 @@ func (a Actionner) RunWithClient(client k8s.DrainClient, event *events.Event, ac
 			case utils.ReplicaSetStr:
 				replicaSetName, err := k8s.GetOwnerName(p)
 				if err != nil {
-					utils.PrintLog("warning", utils.LogLine{Message: fmt.Sprintf("error getting pod owner name: %v", err)})
+					utils.PrintLog(utils.WarningStr, utils.LogLine{Message: fmt.Sprintf("error getting pod owner name: %v", err)})
 					atomic.AddInt32(&otherErrorsCount, 1)
 					return
 				}
 				if parameters.MinHealthyReplicas != "" {
 					replicaSet, err := client.GetReplicaSet(replicaSetName, p.Namespace)
 					if err != nil {
-						utils.PrintLog("warning", utils.LogLine{Message: fmt.Sprintf("error getting replica set for pod '%v': %v", p.Name, err)})
+						utils.PrintLog(utils.WarningStr, utils.LogLine{Message: fmt.Sprintf("error getting replica set for pod '%v': %v", p.Name, err)})
 						atomic.AddInt32(&otherErrorsCount, 1)
 						return
 					}
 					minHealthyReplicasValue, kind, err := helpers.ParseMinHealthyReplicas(parameters.MinHealthyReplicas)
 					if err != nil {
-						utils.PrintLog("warning", utils.LogLine{Message: fmt.Sprintf("error parsing min_healthy_replicas: %v", err)})
+						utils.PrintLog(utils.WarningStr, utils.LogLine{Message: fmt.Sprintf("error parsing min_healthy_replicas: %v", err)})
 						atomic.AddInt32(&otherErrorsCount, 1)
 						return
 					}
 					switch kind {
 					case "absolut":
 						healthyReplicasCount, err := k8s.GetHealthyReplicasCount(replicaSet)
 						if err != nil {
-							utils.PrintLog("warning", utils.LogLine{Message: fmt.Sprintf("error getting health replicas count for pod '%v': %v", p.Name, err)})
+							utils.PrintLog(utils.WarningStr, utils.LogLine{Message: fmt.Sprintf("error getting health replicas count for pod '%v': %v", p.Name, err)})
 							atomic.AddInt32(&otherErrorsCount, 1)
 							return
 						}
@@ -267,7 +267,7 @@ func (a Actionner) RunWithClient(client k8s.DrainClient, event *events.Event, ac
 						healthyReplicasValue, err := k8s.GetHealthyReplicasCount(replicaSet)
 						minHealthyReplicasAbsoluteValue := int64(float64(minHealthyReplicasValue) / 100.0 * float64(healthyReplicasValue))
 						if err != nil {
-							utils.PrintLog("warning", utils.LogLine{Message: fmt.Sprintf("error getting health replicas count for pod '%v': %v", p.Name, err)})
+							utils.PrintLog(utils.WarningStr, utils.LogLine{Message: fmt.Sprintf("error getting health replicas count for pod '%v': %v", p.Name, err)})
 							atomic.AddInt32(&otherErrorsCount, 1)
 							return
 						}
@@ -280,7 +280,7 @@ func (a Actionner) RunWithClient(client k8s.DrainClient, event *events.Event, ac
 			}
 
 			if err := client.EvictPod(p); err != nil {
-				utils.PrintLog("warning", utils.LogLine{Message: fmt.Sprintf("error evicting pod '%v': %v", p.Name, err)})
+				utils.PrintLog(utils.WarningStr, utils.LogLine{Message: fmt.Sprintf("error evicting pod '%v': %v", p.Name, err)})
 				atomic.AddInt32(&evictionErrorsCount, 1)
 				return
 			}
@@ -293,7 +293,7 @@ func (a Actionner) RunWithClient(client k8s.DrainClient, event *events.Event, ac
 				for {
 					select {
 					case <-timeout:
-						utils.PrintLog("error", utils.LogLine{Message: fmt.Sprintf("pod '%v' did not terminate within the max_wait_period", pod.Name)})
+						utils.PrintLog(utils.ErrorStr, utils.LogLine{Message: fmt.Sprintf("pod '%v' did not terminate within the max_wait_period", pod.Name)})
 						atomic.AddInt32(&evictionWaitPeriodErrorsCount, 1)
 						return
 

diff --git a/actionners/kubernetes/sysdig/sysdig.go b/actionners/kubernetes/sysdig/sysdig.go
@@ -57,7 +57,7 @@ rules:
   actionner: kubernetes:sysdig
   parameters:
     duration: 10
-    snaplen: 1024
+    buffer_size: 1024
   output:
     target: aws:s3
     parameters:
@@ -78,9 +78,8 @@ type Parameters struct {
 }
 
 const (
-	baseName     string = "falco-talon-sysdig-"
-	defaultImage string = "issif/sysdig:latest"
-	// defaultImage       string = "sysdig/sysdig:latest"
+	baseName           string = "falco-talon-sysdig-"
+	defaultImage       string = "issif/sysdig:latest"
 	defaultScope       string = "pod"
 	defaultTTL         int    = 60
 	defaultDuration    int    = 5
@@ -158,10 +157,6 @@ func (a Actionner) Run(event *events.Event, action *rules.Action) (utils.LogLine
 		parameters.Duration = defaultDuration
 	}
 
-	if parameters.Duration > 30 {
-		parameters.Duration = defaultMaxDuration
-	}
-
 	if parameters.Image == "" {
 		parameters.Image = defaultImage
 	}

diff --git a/cmd/root.go b/cmd/root.go
@@ -21,7 +21,7 @@ no-code solution. With easy rules, you can perform actions over compromised pods
 func Execute() {
 	err := RootCmd.Execute()
 	if err != nil {
-		utils.PrintLog("fatal", utils.LogLine{Error: err.Error()})
+		utils.PrintLog(utils.FatalStr, utils.LogLine{Error: err.Error()})
 	}
 }
 

diff --git a/cmd/rules.go b/cmd/rules.go
@@ -34,7 +34,7 @@ var rulesChecksCmd = &cobra.Command{
 		}
 		rules := ruleengine.ParseRules(config.RulesFiles)
 		if rules == nil {
-			utils.PrintLog("fatal", utils.LogLine{Error: "invalid rules", Message: "rules"})
+			utils.PrintLog(utils.FatalStr, utils.LogLine{Error: "invalid rules", Message: "rules"})
 		}
 		defaultActionners := actionners.ListDefaultActionners()
 		defaultOutputs := outputs.ListDefaultOutputs()
@@ -45,36 +45,36 @@ var rulesChecksCmd = &cobra.Command{
 				for _, j := range i.GetActions() {
 					actionner := defaultActionners.FindActionner(j.GetActionner())
 					if actionner == nil {
-						utils.PrintLog("error", utils.LogLine{Error: "unknown actionner", Rule: i.GetName(), Action: j.GetName(), Actionner: j.GetActionner(), Message: "rules"})
+						utils.PrintLog(utils.ErrorStr, utils.LogLine{Error: "unknown actionner", Rule: i.GetName(), Action: j.GetName(), Actionner: j.GetActionner(), Message: "rules"})
 						valid = false
 						continue
 					}
 					if err := actionner.CheckParameters(j); err != nil {
-						utils.PrintLog("error", utils.LogLine{Error: err.Error(), Rule: i.GetName(), Action: j.GetName(), Actionner: j.GetActionner(), Message: "rules"})
+						utils.PrintLog(utils.ErrorStr, utils.LogLine{Error: err.Error(), Rule: i.GetName(), Action: j.GetName(), Actionner: j.GetActionner(), Message: "rules"})
 						valid = false
 					}
 					o := j.GetOutput()
 					if o == nil && actionner.Information().RequireOutput {
-						utils.PrintLog("error", utils.LogLine{Error: "an output is required", Rule: i.GetName(), Action: j.GetName(), Actionner: j.GetActionner(), Message: "rules"})
+						utils.PrintLog(utils.ErrorStr, utils.LogLine{Error: "an output is required", Rule: i.GetName(), Action: j.GetName(), Actionner: j.GetActionner(), Message: "rules"})
 						valid = false
 					}
 					if actionner != nil {
 						o := j.GetOutput()
 						if o == nil && actionner.Information().RequireOutput {
-							utils.PrintLog("error", utils.LogLine{Error: "an output is required", Rule: i.GetName(), Action: j.GetName(), Actionner: j.GetActionner(), Message: "rules"})
+							utils.PrintLog(utils.ErrorStr, utils.LogLine{Error: "an output is required", Rule: i.GetName(), Action: j.GetName(), Actionner: j.GetActionner(), Message: "rules"})
 							valid = false
 						}
 						if o != nil {
 							output := defaultOutputs.FindOutput(o.GetTarget())
 							if output == nil {
-								utils.PrintLog("error", utils.LogLine{Error: "unknown target", Rule: i.GetName(), Action: j.GetName(), OutputTarget: o.GetTarget(), Message: "rules"})
+								utils.PrintLog(utils.ErrorStr, utils.LogLine{Error: "unknown target", Rule: i.GetName(), Action: j.GetName(), OutputTarget: o.GetTarget(), Message: "rules"})
 								valid = false
 							} else if len(o.Parameters) == 0 {
-								utils.PrintLog("error", utils.LogLine{Error: "missing parameters for the output", Rule: i.GetName(), Action: j.GetName(), OutputTarget: o.GetTarget(), Message: "rules"})
+								utils.PrintLog(utils.ErrorStr, utils.LogLine{Error: "missing parameters for the output", Rule: i.GetName(), Action: j.GetName(), OutputTarget: o.GetTarget(), Message: "rules"})
 								valid = false
 							} else {
 								if err := output.CheckParameters(o); err != nil {
-									utils.PrintLog("error", utils.LogLine{Error: err.Error(), Rule: i.GetName(), Action: j.GetName(), OutputTarget: o.GetTarget(), Message: "rules"})
+									utils.PrintLog(utils.ErrorStr, utils.LogLine{Error: err.Error(), Rule: i.GetName(), Action: j.GetName(), OutputTarget: o.GetTarget(), Message: "rules"})
 									valid = false
 								}
 							}
@@ -84,9 +84,9 @@ var rulesChecksCmd = &cobra.Command{
 			}
 		}
 		if !valid {
-			utils.PrintLog("fatal", utils.LogLine{Error: "invalid rules", Message: "rules"})
+			utils.PrintLog(utils.FatalStr, utils.LogLine{Error: "invalid rules", Message: "rules"})
 		}
-		utils.PrintLog("info", utils.LogLine{Result: "rules file valid", Message: "rules"})
+		utils.PrintLog(utils.InfoStr, utils.LogLine{Result: "rules file valid", Message: "rules"})
 	},
 }
 
@@ -104,7 +104,7 @@ var rulesPrintCmd = &cobra.Command{
 		}
 		rules := ruleengine.ParseRules(config.RulesFiles)
 		if rules == nil {
-			utils.PrintLog("fatal", utils.LogLine{Error: "invalid rules", Message: "rules"})
+			utils.PrintLog(utils.FatalStr, utils.LogLine{Error: "invalid rules", Message: "rules"})
 		}
 		type yamlFile struct {
 			Name        string   `yaml:"rule"`
@@ -136,7 +136,7 @@ var rulesPrintCmd = &cobra.Command{
 
 		var q []yamlFile
 		if err := copier.Copy(&q, &rules); err != nil {
-			utils.PrintLog("fatal", utils.LogLine{Error: err.Error()})
+			utils.PrintLog(utils.FatalStr, utils.LogLine{Error: err.Error()})
 		}
 
 		b, _ := yaml.Marshal(q)