Using the pmatch Operator to Match File System Paths
This section provides more detail on the pmatch (prefix match) operator.
The pmatch operator matches a left hand side filesystem path, which is the value of a Falco field such as fd.name or fs.path.name, against a set of right hand side filesystem path prefixes. It returns true if any of the right hand side paths is a prefix of the left hand side path. Here's an example:
fd.name pmatch (/var/run, /var/spool, /etc, /boot)
If the value of fd.name is /var/spool/maillog, this expression evaluates to true. If the value is /opt/data/file.txt, it evaluates to false.
Functionally, it is equivalent to the following:
fd.name startswith /var/run or fd.name startswith /var/spool or fd.name startswith /etc or fd.name startswith /boot
pmatch lets all of the prefixes be checked in a single traversal, instead of one comparison per prefix.
The implementation of pmatch builds a tree-like data structure from the right hand side paths, split on directory separators, and then walks that tree using the path components of the left hand side path. If the walk reaches a leaf node of the tree, the expression evaluates to true.
pmatch Can Contain Globs
As of Falco 0.36, the right hand side paths used by pmatch can contain glob wildcards. Here's an example:
fd.name pmatch (/var/*/*.txt, /etc, /boot)
This expression would evaluate to true for /var/spool/log.txt as well as
This matching differs from the glob operator: glob requires the left hand side to match the glob in full, while pmatch still allows a prefix match. So for fd.name pmatch (/var/*) versus fd.name glob /var/*, when fd.name has the value /var/run/file.txt the pmatch expression evaluates to true while the glob expression does not. When a glob is evaluated against a path, wildcards do not cross directory separators; see the sentence "Globbing is applied on each of the components of a pathname separately." in the glob(7) man page.
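To make the component tree and the pmatch-versus-glob difference concrete, here is an added Python model written for this page. It is not Falco's own implementation (which is C++ in libsinsp) and is not the project's code: it builds the tree of path components described above, lets each component carry a glob wildcard, and puts a full-match glob operator beside it so the /var/* example can be checked. The names PathPrefixTree, parse_rhs, build_tree, pmatch and glob_match, the use of Python's fnmatch as the per-component wildcard matcher, the right-hand-side list syntax accepted by parse_rhs, and the sample paths are all assumptions of this example.

```python
"""Added example: a model of the pmatch prefix tree described above.

Illustration code written for this page, not Falco's own implementation
(libsinsp, C++). Python's fnmatch stands in for whatever wildcard matcher
Falco uses; matching is done one path component at a time, so a wildcard
never crosses a '/'.
"""
import fnmatch
from typing import Dict, List


class PathPrefixTree:
    """Tree of path components; a terminal node marks the end of one
    right hand side prefix. Components may contain glob wildcards."""

    def __init__(self) -> None:
        self.children: Dict[str, "PathPrefixTree"] = {}
        self.terminal = False

    @staticmethod
    def split(path: str) -> List[str]:
        # '/var/run/' -> ['var', 'run']; empty components from '//' are dropped
        return [c for c in path.split("/") if c]

    def insert(self, prefix: str) -> None:
        node = self
        for comp in self.split(prefix):
            node = node.children.setdefault(comp, PathPrefixTree())
        node.terminal = True

    def pmatch(self, path: str) -> bool:
        """True if some inserted prefix is a component-wise prefix of path."""
        return self._walk(self.split(path), 0)

    def _walk(self, comps: List[str], i: int) -> bool:
        if self.terminal:
            return True            # reached the end of an inserted prefix
        if i == len(comps):
            return False           # path ran out before any prefix completed
        # Several children may match one component (e.g. 'spool' and '*'),
        # so every matching branch is tried; the first success decides.
        return any(
            child._walk(comps, i + 1)
            for pattern, child in self.children.items()
            if fnmatch.fnmatchcase(comps[i], pattern)
        )


def parse_rhs(rhs: str) -> List[str]:
    """'(/var/run, /var/spool)' -> ['/var/run', '/var/spool'] (assumed syntax)."""
    inner = rhs.strip()
    if inner.startswith("(") and inner.endswith(")"):
        inner = inner[1:-1]
    return [p.strip() for p in inner.split(",") if p.strip()]


def build_tree(prefixes: List[str]) -> PathPrefixTree:
    tree = PathPrefixTree()
    for prefix in prefixes:
        tree.insert(prefix)
    return tree


def pmatch(path: str, rhs: str) -> bool:
    """Evaluate `<path> pmatch <rhs>` with the tree above."""
    return build_tree(parse_rhs(rhs)).pmatch(path)


def glob_match(path: str, pattern: str) -> bool:
    """The glob operator: every component must match and the whole path must
    be consumed, so '/var/*' does not match '/var/run/file.txt'."""
    pc, gc = PathPrefixTree.split(path), PathPrefixTree.split(pattern)
    return len(pc) == len(gc) and all(
        fnmatch.fnmatchcase(c, g) for c, g in zip(pc, gc)
    )


if __name__ == "__main__":
    # Constructed sample paths, not taken from any real event
    rhs_plain = "(/var/run, /var/spool, /etc, /boot)"
    rhs_glob = "(/var/*/*.txt, /etc, /boot)"
    for path in ["/var/spool/maillog", "/opt/data/file.txt",
                 "/var/spool/log.txt", "/var/spool/log.log",
                 "/var/run/file.txt", "/var/runner"]:
        print(f"{path:22} pmatch{rhs_plain}: {pmatch(path, rhs_plain)}  "
              f"pmatch{rhs_glob}: {pmatch(path, rhs_glob)}  "
              f"glob /var/*: {glob_match(path, '/var/*')}")
```

Two things stand out when running it. Because the tree is walked one component at a time, /var/runner does not match the prefix /var/run in this model, which is narrower than the plain-string startswith form would give; and the same per-component matching is why /var/* stops at the next slash for both operators. Treat both as properties of this model and confirm them against the Falco version you run before a rule depends on them.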