package main
import (
"flag"
"log/slog"
"os"
"strings"
"time"
)
// CLI flags for the Linux eBPF sensor.
//
// All flags are registered at package init; the values are only valid after
// flag.Parse() has run. Defaults are read once, so the LOG_LEVEL environment
// lookup below happens at process start, not on every access.

// Core sensor configuration.
var (
	policyPath  = flag.String("policy", "", "path to policy JSON (v2 rules or legacy patterns); omit for built-in defaults")
	metricsAddr = flag.String("metrics-addr", "", "HTTP listen address for metrics and health (e.g. :9090); empty disables")
	// Default comes from LOG_LEVEL when set (and non-blank), otherwise "info".
	logLevel     = flag.String("log-level", envOrDefault("LOG_LEVEL", "info"), "log level: debug, info, warn, error")
	ringbufBytes = flag.Uint("ringbuf-bytes", 0, "BPF ring buffer size in bytes (power of 2, multiple of page size; 0=16MiB)")
	showVersion  = flag.Bool("version", false, "print version and exit")
)

// Alert volume controls: global and per-PID rate limits share one window;
// dedupe is a separate, independently sized window.
var (
	alertMaxGlobal    = flag.Int("alert-max-per-window", 0, "max policy alerts per window across all PIDs (0=unlimited)")
	alertMaxPerPID    = flag.Int("alert-max-per-pid-per-window", 0, "max policy alerts per PID per window (0=unlimited)")
	alertWindow       = flag.Duration("alert-window", time.Minute, "window for alert rate limits")
	alertDedupeWindow = flag.Duration("alert-dedupe-window", 0, "suppress duplicate alerts for the same PID+rule within this window (0=off)")
	allowlistPath     = flag.String("allowlist", "", "optional JSON allowlist ({\"comm_prefixes\":[\"...\"]}) to skip alerts")
)

// Alert content and enforcement toggles.
var (
	logRedactedPreview = flag.Bool("log-redacted-preview", true, "include redacted_preview field on policy_alert logs")
	logPayloadSHA256   = flag.Bool("log-payload-sha256", false, "include SHA-256 of rolling plaintext buffer on policy_alert")
	enableBpfBlocking  = flag.Bool("enable-bpf-blocking", false, "load block rules into BPF (cleartext wipe in kernel when matched)")
	k8sEnrich          = flag.Bool("k8s-enrich", false, "add k8s_namespace, k8s_pod, k8s_pod_uid to policy_alert via cgroups + API (requires NODE_NAME env and in-cluster credentials with list/watch pods)")
)

// Optional cleartext feeds (ingest HTTP, stdin JSONL, hook socket) for tests and auxiliary capture.
var (
	captureIngestAddr = flag.String("capture-ingest-addr", "", "HTTP listen address for POST /v1/ingest/chunk cleartext bridge (e.g. 127.0.0.1:9092; avoid :9091 if Prometheus uses it); empty disables")
	// Prefer the environment form for the token: a value passed on the command
	// line is visible to other local users through the process list.
	captureIngestToken = flag.String("capture-ingest-token", "", "optional bearer / X-Spectral-Capture-Token secret; if empty, SPECTRAL_CAPTURE_INGEST_TOKEN env is used when set")
	captureStdinJSONL  = flag.Bool("capture-stdin-jsonl", false, "read ChunkRequest JSON values from stdin (one JSON object after another) and feed HandleChunk")
	captureHookSocket  = flag.String("capture-hook-socket", "", "binary TLS hook protocol: unix:/path or tcp:127.0.0.1:PORT (see internal/capture/hookwire)")
)
// envOrDefault returns the value of environment variable key with surrounding
// whitespace trimmed, or def when the variable is unset or blank after
// trimming. It never returns a whitespace-only string.
func envOrDefault(key, def string) string {
	raw, ok := os.LookupEnv(key)
	if !ok {
		return def
	}
	trimmed := strings.TrimSpace(raw)
	if trimmed == "" {
		// Set but empty/blank counts as "not configured".
		return def
	}
	return trimmed
}
// parseLogLevel maps a --log-level string to a slog.Level. Matching is
// case-insensitive and ignores surrounding whitespace; "warning" is accepted
// as an alias of "warn". Anything unrecognized — including "", "info" and
// typos — resolves to slog.LevelInfo rather than an error, so callers that
// need strict validation must check the raw string themselves.
func parseLogLevel(s string) slog.Level {
	name := strings.ToLower(strings.TrimSpace(s))
	level := slog.LevelInfo // fallback for "info" and any unrecognized value
	switch name {
	case "debug":
		level = slog.LevelDebug
	case "warn", "warning":
		level = slog.LevelWarn
	case "error":
		level = slog.LevelError
	}
	return level
}