Integrate Witness, Falco, Tracee, Cilium, etc. for demo of runtime visibility

buildsec / frsca

https://buildsec.github.io/frsca

Apache License 2.0

227 stars 31 forks source link

Integrate Witness, Falco, Tracee, Cilium, etc. for demo of runtime visibility #212

Open mlieberman85 opened 2 years ago

mlieberman85 commented 2 years ago

secure software factory ref arch

SSF is an implementation of Secure Software Factory Ref Arch as shown above. A gap we currently have is in runtime visibility space. We should explore various runtime visibility (tracing, eBPF) tools to see how we could integrate them into SSF.

Common ones to explore are:

Witness
Falco
Tracee
Cilium

SSF is intended to abstract out underlying implementations but we do want to explore which ones might be easiest to integrate for the default.

colek42 commented 2 years ago

I would like to have a better understanding of how were can interrogate Cillum and Falco to generate attestations.

witness knows the PID and all of the metadata for the CI process

@fkautz do you have any implementation ideas?

fkautz commented 2 years ago

We can look at pulling information from cilium and Falco and use them in the attestation process. Normalize, correlate, and sign the information gathered.

e.g. should be possible to capture network policy configuration, connection information, and other relevant info and correlate with the information traced by witness.

Would need some work to gather and perform the correlation, but would give us the ability to look for anomalies.

colek42 commented 2 years ago

@mlieberman85 how do you see cilium fitting in?

colek42 commented 2 years ago

We can look at pulling information from cilium and Falco and use them in the attestation process. Normalize, correlate, and sign the information gathered.

Option 1

Falco has a GRPC API that we can connect to over UDS. This seems like a good fit.

I think we can hack in some code to connect to the Falco API to listen to events happening in the system when the commandrun attestor is working.

Option 2

I'm not sure if this will work, but may fit in better with witrness' model.

Create a Falco Source Plugin. that filters events we care about for witness. We can then communicate these events to witness using a postrun attestor.

ChaosInTheCRD commented 2 years ago

Hi everyone! This is awesome :) I was in the process of trying to build a Kubernetes tool that can create 'Falco Attestations' in a similar way to what is discussed here. I would love to talk about this more and understand how Tracee, Witness and Cilium all ties in.

colek42 commented 2 years ago

https://github.com/cilium/tetragon seems like a good fit for integration with witness. I added an issue here: https://github.com/testifysec/witness/issues/186