
Commit 231de33

committed
Rate limit hunt dispatcher housekeeping thread
This ensures that this IO-intensive operation does not impact server performance. Also: * Allow query to take a limit callback for early exit. * Redesign the file upload GUI in the upload artifact pack screen. * Fix watch_ebpf() to create a default policy if only events were passed - this is needed for backwards compatibility. * The template() VQL function now accepts a `html` parameter which allows using Go's html/template instead. This should be safe for generating HTML.
1 parent 9ddb189 commit 231de33


19 files changed

+616
-449
lines changed


actions/proto/vql.pb.go

Lines changed: 1 addition & 1 deletion
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
Queries:
2+
# Exit query with callback
3+
- |
4+
SELECT * FROM query(query={
5+
SELECT _value AS Value FROM range(end=100)
6+
}, exit="x=>x.Value >= 3")
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
# Exit query with callback
2+
Query: SELECT * FROM query(query={
3+
SELECT _value AS Value FROM range(end=100)
4+
}, exit="x=>x.Value >= 3")
5+
6+
Output: [
7+
{
8+
"Value": 0
9+
},
10+
{
11+
"Value": 1
12+
},
13+
{
14+
"Value": 2
15+
}
16+
]
17+

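--- a/bin/debian.go
+++ b/bin/debian.go
@@ -121,7 +121,12 @@ func doServerDeb() error {
 directory_name=Output,
 release=Release)`
 
-return runQueryWithEnv(query, builder, "json")
+err = runQueryWithEnv(query, builder, "json")
+if err != nil {
+return err
+}
+
+return logger.Error
 }
 
 func doClientDeb() error {
@@ -181,7 +186,12 @@ func doClientDeb() error {
 directory_name=Output,
 release=Release)`
 
-return runQueryWithEnv(query, builder, "json")
+err = runQueryWithEnv(query, builder, "json")
+if err != nil {
+return err
+}
+
+return logger.Error
 }
 
 func init() {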
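Review bot: `err = runQueryWithEnv(query, builder, "json")` is a plain assignment, so it relies on an `err` already declared earlier in doServerDeb and doClientDeb, outside this hunk — worth confirming both functions declare one (otherwise `if err := runQueryWithEnv(...); err != nil {` avoids the dependency). The same five-line tail now appears in both functions here and twice more in bin/rpm.go, and none of the four copies says which package build the captured log error belongs to. A small shared helper would keep the four call sites in step and give one place to add that context later. Both function bodies start outside the hunk.
```go
// runQueryCheckingLog runs a packaging query and then surfaces any error the
// LogWriter captured from the query's own log output, so a build that logs a
// failure but still returns nil is not reported as success.
func runQueryCheckingLog(query string, builder services.ScopeBuilder, logger *LogWriter) error {
	if err := runQueryWithEnv(query, builder, "json"); err != nil {
		return err
	}
	return logger.Error
}
// … unchanged: doServerDeb / doClientDeb bodies, each ending in
// `return runQueryCheckingLog(query, builder, logger)` …
```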

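--- a/bin/fuse_unix.go
+++ b/bin/fuse_unix.go
@@ -153,7 +153,7 @@ func doFuseZip() error {
 
 <-ctx.Done()
 
-return nil
+return logger.Error
 }
 
 func init() {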
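Review bot: `return logger.Error` reads the field immediately after `<-ctx.Done()` fires, and nothing in the hunk shows the FUSE/VQL work being joined before that read; if that work logs from another goroutine, a late write to `logger.Error` would race with this read unless LogWriter synchronizes the field. Worth confirming that either the worker goroutine is waited on before this line or that `LogWriter` guards `Error` with a mutex and exposes it through an accessor such as `logger.Err()` that takes the lock. doFuseZip's body starts outside the hunk, so the setup of `logger` and `ctx` is not visible here.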

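--- a/bin/offline_decrypt.go
+++ b/bin/offline_decrypt.go
@@ -125,5 +125,5 @@ FROM stat(filename=copy(
 fmt.Printf("Password is: %v\n", password)
 }
 
-return nil
+return logger.Error
 }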

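--- a/bin/rpm.go
+++ b/bin/rpm.go
@@ -85,7 +85,7 @@ func doClientRPM() error {
 if *rpm_command_release == "" {
 *rpm_command_release = "A"
 }
-
+
 logger := &LogWriter{config_obj: sm.Config}
 builder := services.ScopeBuilder{
 Config: sm.Config,
@@ -106,7 +106,12 @@ func doClientRPM() error {
 release=Release)
 `
 
-return runQueryWithEnv(query, builder, "json")
+err = runQueryWithEnv(query, builder, "json")
+if err != nil {
+return err
+}
+
+return logger.Error
 }
 
 // Systemd based start up scripts (CentOS 7+)
@@ -146,12 +151,12 @@ func doServerRPM() error {
 if *server_rpm_command_output == "" {
 *server_rpm_command_output = "."
 }
-
+
 // By default it should be set to A
 if *rpm_command_release == "" {
 *rpm_command_release = "A"
 }
-
+
 logger := &LogWriter{config_obj: sm.Config}
 builder := services.ScopeBuilder{
 Config: sm.Config,
@@ -172,7 +177,12 @@ func doServerRPM() error {
 release=Release)
 `
 
-return runQueryWithEnv(query, builder, "json")
+err = runQueryWithEnv(query, builder, "json")
+if err != nil {
+return err
+}
+
+return logger.Error
 }
 
 func init() {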
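Review bot: After a successful query, `return logger.Error` hands back whatever the LogWriter captured with no indication of which build produced it, and the identical bare return appears in both doClientRPM and doServerRPM. A wrapped form such as `if logger.Error != nil { return fmt.Errorf("building client RPM: %w", logger.Error) }` followed by `return nil` (and the server equivalent) would make the failure attributable from the CLI, assuming `fmt` is already imported in this file. The hunks at old lines 88, 149 and 154 are whitespace-only and unrelated to the behavioural change, which makes the intent of the diff slightly harder to read. Both function bodies start outside the hunks shown.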

config/proto/config.pb.go

Lines changed: 403 additions & 390 deletions

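--- a/config/proto/config.proto
+++ b/config/proto/config.proto
@@ -1175,6 +1175,7 @@ message Defaults {
 
 // How often to refresh the hunt index (default 600 sec)
 int64 hunt_dispatcher_refresh_sec = 43;
+uint64 hunt_dispatcher_refresh_rate = 60;
 
 // By default new cells only list 50 rows if there is no custom
 // cell template. This is to make refreshing the cell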
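Review bot: `uint64 hunt_dispatcher_refresh_rate = 60;` is added with no comment, while the neighbouring `hunt_dispatcher_refresh_sec` documents both its meaning and its default, so the unit of this rate (operations per second? items per refresh pass?) and the value applied when it is left at 0 cannot be recovered from the field alone. Suggest a comment in the same style, e.g. `// Rate limit applied to the hunt dispatcher housekeeping thread (<unit>; default <N> when unset)`, with the real unit and default filled in from the dispatcher code that reads this field. The signed/unsigned mismatch with the sibling `int64` field is presumably deliberate, but worth a word in that comment as well.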

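--- a/docs/references/vql.yaml
+++ b/docs/references/vql.yaml
@@ -7879,6 +7879,7 @@
 The tracker has two queries: a sync_query and an update_query. The update
 query resets the internal database.
 type: Function
+version: 2
 args:
 - name: sync_query
 type: StoredQuery
@@ -7891,13 +7892,19 @@
 type: StoredQuery
 description: An Event query that produces live updates of the tracker state.
 - name: max_size
-type: int64
+type: uint64
 description: Maximum size of process tracker LRU.
+- name: max_expiry
+type: uint64
+description: Expire process records older than this much.
 - name: enrichments
 type: string
 description: One or more VQL lambda functions that can enrich the data for the
 process.
 repeated: true
+- name: cache
+type: string
+description: The path to the cache file - if not set we use a memory based cache.
 platforms:
 - darwin_amd64_cgo
 - darwin_arm64_cgo
@@ -11838,7 +11845,7 @@
 
 ## Tracee policies.
 
-As of release 0.76, when calling this plugins, callers can supply
+As of release 0.76, when calling this plugin, callers can supply
 a tracee policy instead of a list of events. The policy is a YAML
 file in a format described
 [here](https://aquasecurity.github.io/tracee/v0.14/docs/policies/)
@@ -12852,3 +12859,4 @@
 - linux_amd64_cgo
 - windows_386_cgo
 - windows_amd64_cgo
+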