update(anomalydetection): helper new filtercheck / output field anoma…

…ly.falco.duration_ns Signed-off-by: Melissa Kilby <[email protected]>
falcosecurity · Aug 15, 2024 · 2fbffa5 · 2fbffa5
1 parent ad444b7
commit 2fbffa5
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/plugins/anomalydetection/src/plugin.cpp b/plugins/anomalydetection/src/plugin.cpp
@@ -19,6 +19,7 @@ limitations under the License.
 
 #include <optional>
 #include <filesystem>
+#include <sys/stat.h>
 
 void anomalydetection::log_error(std::string err_mess)
 {
@@ -434,6 +435,13 @@ bool anomalydetection::init(falcosecurity::init_input& in)
         m_thread_manager.start_periodic_count_min_sketch_reset_worker<uint64_t>(i, (uint64_t)m_reset_timers[i], m_count_min_sketches);
     }
 
+    // More custom inits
+    struct stat st_ = {0};
+	if(stat("/proc/self/cmdline", &st_) == 0)
+	{
+		m_falco_start_ts_epoch_ns = st_.st_ctim.tv_sec * SECOND_TO_NS + st_.st_ctim.tv_nsec;
+	}
+
     return true;
 }
 
@@ -461,6 +469,14 @@ std::vector<falcosecurity::field_info> anomalydetection::get_fields()
                 true,  // index
                 false,
              }},
+             {ft::FTYPE_UINT64, "anomaly.falco.duration_ns", 
+             "Falco agent run duration in nanoseconds",
+             "Falco agent run duration in nanoseconds, which could be useful for ignoring some rare events at launch time while Falco is just starting to build up the counts in the sketch data structures (if applicable).",
+             { // field arg
+                false, // key
+                false,  // index
+                false,
+             }},
     };
     const int fields_size = sizeof(fields) / sizeof(fields[0]);
     static_assert(fields_size == ANOMALYDETECTION_FIELD_MAX, "Wrong number of anomaly fields.");
@@ -496,6 +512,13 @@ bool anomalydetection::extract(const falcosecurity::extract_fields_input& in)
             req.set_value(behavior_profile_concat_str, true);
         }
         return true;
+    case ANOMALYDETECTION_FALCO_DURATION_NS:
+        {
+            auto now = std::chrono::duration_cast<std::chrono::nanoseconds>(
+                std::chrono::system_clock::now().time_since_epoch()).count();
+            req.set_value((uint64_t)(now - m_falco_start_ts_epoch_ns), true);
+        }
+        return true;
     default:
         m_lasterr = "unknown extraction request";
         return false;

diff --git a/plugins/anomalydetection/src/plugin.h b/plugins/anomalydetection/src/plugin.h
@@ -36,6 +36,7 @@ limitations under the License.
 
 #define UINT32_MAX (4294967295U)
 #define PPM_AT_FDCWD -100
+#define SECOND_TO_NS 1000000000ULL
 
 struct sinsp_param
 {
@@ -53,6 +54,7 @@ class anomalydetection
     {
         ANOMALYDETECTION_COUNT_MIN_SKETCH_COUNT = 0,
         ANOMALYDETECTION_COUNT_MIN_SKETCH_BEHAVIOR_PROFILE_CONCAT_STR,
+        ANOMALYDETECTION_FALCO_DURATION_NS,
         ANOMALYDETECTION_FIELD_MAX
     };
 
@@ -138,6 +140,9 @@ class anomalydetection
     // Manages plugin side threads, such as resetting the count min sketch data structures
     ThreadManager m_thread_manager;
 
+    // Epoch of Falco agent run start, re-creates libs agent_info->start_ts_epoch info
+    uint64_t m_falco_start_ts_epoch_ns;
+
     bool m_count_min_sketch_enabled = false;
     uint32_t m_n_sketches = 0;
     std::vector<std::vector<double>> m_gamma_eps;