diff --git a/plugins/anomalydetection/src/plugin.cpp b/plugins/anomalydetection/src/plugin.cpp
index 6b3d3541..8e8b378e 100644
--- a/plugins/anomalydetection/src/plugin.cpp
+++ b/plugins/anomalydetection/src/plugin.cpp
@@ -19,6 +19,7 @@ limitations under the License.
 #include
 #include
+#include
 void anomalydetection::log_error(std::string err_mess)
 {
@@ -434,6 +435,13 @@ bool anomalydetection::init(falcosecurity::init_input& in)
 m_thread_manager.start_periodic_count_min_sketch_reset_worker(i, (uint64_t)m_reset_timers[i], m_count_min_sketches);
 }
+ // More custom inits
+ struct stat st_ = {0};
+ if(stat("/proc/self/cmdline", &st_) == 0)
+ {
+ m_falco_start_ts_epoch_ns = st_.st_ctim.tv_sec * SECOND_TO_NS + st_.st_ctim.tv_nsec;
+ }
+ return true;
 }
@@ -461,6 +469,14 @@ std::vector anomalydetection::get_fields()
 true, // index
 false,
 }},
+ {ft::FTYPE_UINT64, "anomaly.falco.duration_ns",
+ "Falco agent run duration in nanoseconds",
+ "Falco agent run duration in nanoseconds, which could be useful for ignoring some rare events at launch time while Falco is just starting to build up the counts in the sketch data structures (if applicable).",
+ { // field arg
+ false, // key
+ false, // index
+ false,
+ }},
 };
 const int fields_size = sizeof(fields) / sizeof(fields[0]);
 static_assert(fields_size == ANOMALYDETECTION_FIELD_MAX, "Wrong number of anomaly fields.");
@@ -496,6 +512,13 @@ bool anomalydetection::extract(const falcosecurity::extract_fields_input& in)
 req.set_value(behavior_profile_concat_str, true);
 }
 return true;
+ case ANOMALYDETECTION_FALCO_DURATION_NS:
+ {
+ auto now = std::chrono::duration_cast(
+ std::chrono::system_clock::now().time_since_epoch()).count();
+ req.set_value((uint64_t)(now - m_falco_start_ts_epoch_ns), true);
+ }
+ return true;
 default:
 m_lasterr = "unknown extraction request";
 return false;
diff --git a/plugins/anomalydetection/src/plugin.h b/plugins/anomalydetection/src/plugin.h
index abcd6ef7..fe4af24a 100644
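Review bot: The stat() failure path in init never assigns m_falco_start_ts_epoch_ns, so on a host where /proc/self/cmdline cannot be stat'ed (non-Linux, or a mount namespace without /proc) extract later computes `now - <indeterminate>` and any rule that keys on anomaly.falco.duration_ns to suppress startup noise gets an arbitrary value. Since both sides already use the realtime clock, the cheapest fix is an else branch that falls back to the current time, `m_falco_start_ts_epoch_ns = std::chrono::duration_cast<std::chrono::nanoseconds>(std::chrono::system_clock::now().time_since_epoch()).count();`, or a `log_error(...); return false;` if the field is meant to be authoritative. As far as I recall, the ctime of a /proc/<pid> entry reflects when its inode was instantiated rather than process start, so the value is probably "first time something looked at this entry", which is usually this very stat() call; worth confirming against the libs start_ts_epoch derivation the new member's comment refers to, or reading the starttime field of /proc/self/stat instead. init's body begins outside the hunk.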
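Review bot: The subtraction `now - m_falco_start_ts_epoch_ns` in the new ANOMALYDETECTION_FALCO_DURATION_NS case is evaluated in unsigned arithmetic, so if the realtime clock is stepped backwards past the recorded start (NTP correction, VM snapshot restore) the field wraps to a value near 2^64 and a rule such as `anomaly.falco.duration_ns > 60000000000` would treat a freshly started agent as long-running, defeating the startup-suppression use case the field description advertises. Clamp it, `uint64_t now_ns = ...; req.set_value(now_ns > m_falco_start_ts_epoch_ns ? now_ns - m_falco_start_ts_epoch_ns : 0, true);`, or better, capture a std::chrono::steady_clock time point in init and compute the duration against steady_clock here so wall-clock adjustments cannot affect it at all. Either way a one-line comment on the case noting that the start timestamp comes from st_ctim of /proc/self/cmdline (same realtime domain as system_clock) would save the next reader a trip to init. extract's switch starts outside the hunk.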
--- a/plugins/anomalydetection/src/plugin.h
+++ b/plugins/anomalydetection/src/plugin.h
@@ -36,6 +36,7 @@ limitations under the License.
 #define UINT32_MAX (4294967295U)
 #define PPM_AT_FDCWD -100
+#define SECOND_TO_NS 1000000000ULL
 struct sinsp_param
 {
@@ -53,6 +54,7 @@ class anomalydetection
 {
 ANOMALYDETECTION_COUNT_MIN_SKETCH_COUNT = 0,
 ANOMALYDETECTION_COUNT_MIN_SKETCH_BEHAVIOR_PROFILE_CONCAT_STR,
+ ANOMALYDETECTION_FALCO_DURATION_NS,
 ANOMALYDETECTION_FIELD_MAX
 };
@@ -138,6 +140,9 @@ class anomalydetection
 // Manages plugin side threads, such as resetting the count min sketch data structures
 ThreadManager m_thread_manager;
+ // Epoch of Falco agent run start, re-creates libs agent_info->start_ts_epoch info
+ uint64_t m_falco_start_ts_epoch_ns;
+ bool m_count_min_sketch_enabled = false;
 uint32_t m_n_sketches = 0;
 std::vector> m_gamma_eps;
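Review bot: `uint64_t m_falco_start_ts_epoch_ns;` has no default member initializer, unlike the neighbouring `m_count_min_sketch_enabled = false` and `m_n_sketches = 0`, and the only assignment to it shown in plugin.cpp sits inside the `if(stat("/proc/self/cmdline", &st_) == 0)` branch of init, so a failed stat leaves it indeterminate when extract reads it. Declare it as `uint64_t m_falco_start_ts_epoch_ns = 0;` so the failure mode is at least a deterministic (and visibly wrong) huge duration rather than undefined behaviour. The comment's claim that it "re-creates libs agent_info->start_ts_epoch" is not something this diff demonstrates; I would describe what is actually stored, e.g. `// Realtime epoch (ns) taken from st_ctim of /proc/self/cmdline at plugin init; approximates Falco agent start time, 0 if stat() failed`. The class body extends beyond the hunk.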