new(anomalydetection): Initial Scope - CountMinSketch Powered Probabilistic Counting and Filtering

plugins/anomalydetection/.gitignore

@@ -0,0 +1,6 @@
+*.so
+*.a
+*.o
+.vscode
+build*
+libanomalydetection.so

plugins/anomalydetection/CMakeLists.txt

@@ -0,0 +1,57 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2024 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+cmake_minimum_required(VERSION 3.22)
+
+list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules")
+
+option(BUILD_TESTS "Enable tests" ON)
+
+# Project metadata
+project(
+  anomalydetection
+  VERSION 0.1.0
+  DESCRIPTION "Falco Anomaly Detection Plugin"
+  LANGUAGES CXX)
+
+# Dependencies
+include(FetchContent)
+include(plugin-sdk-cpp)
+include(libs) # Temporarily include libs for initial dev
+include(xxhash)
+
+# Project target
+file(GLOB_RECURSE anomalydetection_SOURCES "${CMAKE_CURRENT_SOURCE_DIR}/src/*.cpp")
+add_library(anomalydetection SHARED ${anomalydetection_SOURCES} )
+set_target_properties(anomalydetection PROPERTIES CXX_EXTENSIONS OFF)
+
+# Project compilation options
+target_compile_options(anomalydetection PRIVATE "-fPIC")
+target_compile_options(anomalydetection PRIVATE "-Wl,-z,relro,-z,now")
+target_compile_options(anomalydetection PRIVATE "-fstack-protector-strong")
+# When compiling in Debug mode, this will define the DEBUG symbol for use in your code
+target_compile_options(anomalydetection PUBLIC "$<$<CONFIG:DEBUG>:-DDEBUG>")
+target_compile_features(anomalydetection PUBLIC cxx_std_17)
+
+# Project includes
+target_include_directories(
+  anomalydetection PRIVATE "${PLUGIN_SDK_INCLUDE}" "${XXHASH_INCLUDE}" "${LIBS_INCLUDE}")
+
+# Project linked libraries
+target_link_libraries(anomalydetection ${_REFLECTION})
+
+# Testing
+if(BUILD_TESTS)
+  add_subdirectory(test)
+endif()

plugins/anomalydetection/Makefile

@@ -0,0 +1,36 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2024 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+NAME := anomalydetection
+OUTPUT := lib$(NAME).so
+
+all: $(OUTPUT)
+
+clean:
+	rm -rf build $(OUTPUT)
+# Temporarily include libs for initial dev
+$(OUTPUT):
+	mkdir -p build \
+	&& cd build \
+	&& cmake \
+	-DCMAKE_BUILD_TYPE=Release \
+	-DMINIMAL_BUILD=ON \
+	-DUSE_BUNDLED_LIBELF=OFF \
+	-DCREATE_TEST_TARGETS=OFF \
+	../ \
+	&& make -j6 anomalydetection \
+	&& cp ./$(OUTPUT) ../$(OUTPUT)
+
+readme:
+	@$(READMETOOL) -p ./$(OUTPUT) -f README.md

plugins/anomalydetection/cmake/modules/libs.cmake

@@ -0,0 +1,26 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2024 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+message(STATUS "Fetching libs at 'https://github.com/falcosecurity/libs.git'")
+
+FetchContent_Declare(
+  libs
+  GIT_REPOSITORY https://github.com/falcosecurity/libs.git
+  GIT_TAG 273299c5832ab7efa6a93547f7c3bd55706b135c
+  CONFIGURE_COMMAND "" BUILD_COMMAND "")
+
+FetchContent_MakeAvailable(libs)
+set(LIBS_INCLUDE "${libs_SOURCE_DIR}")
+set(LIBS_DIR "${libs_SOURCE_DIR}")
+message(STATUS "Using libs include at '${LIBS_INCLUDE}'")

plugins/anomalydetection/cmake/modules/plugin-sdk-cpp.cmake

@@ -0,0 +1,27 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2024 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+message(
+  STATUS
+    "Fetching plugin-sdk-cpp at 'https://github.com/falcosecurity/plugin-sdk-cpp.git'"
+)
+
+FetchContent_Declare(
+  plugin-sdk-cpp
+  GIT_REPOSITORY https://github.com/falcosecurity/plugin-sdk-cpp.git
+  GIT_TAG 1c46ba02e8e9fe30a8362a54e99a6c3c804661f6)
+
+FetchContent_MakeAvailable(plugin-sdk-cpp)
+set(PLUGIN_SDK_INCLUDE "${plugin-sdk-cpp_SOURCE_DIR}/include")
+message(STATUS "Using plugin-sdk-cpp include at '${PLUGIN_SDK_INCLUDE}'")

plugins/anomalydetection/cmake/modules/xxhash.cmake

@@ -0,0 +1,31 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2024 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+message(
+  STATUS
+    "Fetching xxhash at 'https://raw.githubusercontent.com/Cyan4973/xxHash/v0.8.2/xxhash.h'"
+)
+
+FetchContent_Declare(
+  # BSD 2-Clause License
+  xxhash
+  URL "https://raw.githubusercontent.com/Cyan4973/xxHash/v0.8.2/xxhash.h"
+  URL_HASH SHA256=be275e9db21a503c37f24683cdb4908f2370a3e35ab96e02c4ea73dc8e399c43 
+  DOWNLOAD_NAME "xxhash.h"
+  DOWNLOAD_NO_EXTRACT TRUE
+)
+
+FetchContent_MakeAvailable(xxhash)
+set(XXHASH_INCLUDE "${xxhash_SOURCE_DIR}")
+message(STATUS "Using xxhash include at '${XXHASH_INCLUDE}'")