Kubernetes Audit Events

[ajinkya1986]

Motivation

To enable kubernetes audit events in Cloud Environments

Feature

How do we enable kubernetes audit events in Cloud like AWS,Azure and GCP.

[Issif]

Hello,

Few months ago, we introduced the plugins to extend the number of inputs for Falco. We already prepared a plugin to replace the current implementation for audit logs and the plugins for managed k8s will follow in next weeks.

[srinijalagam]

Hi , I am working with falco-1.19.0, once I have enabled k8saudit plugin , i see below error and i do not see this plugin is available with version mentioned in drivers folder. can someone upload file

`[SUCCESS] Cleaning phase correctly terminated.

================ Cleaning phase ================

• Looking for a falco module locally (kernel 4.18.0-1.2007201736.el7_7.emrs.altmvl.x86_64)
• Trying to download a prebuilt falco module from https://download.falco.org/driver/39ae7d40496793cf3d3e7890c9bbdc202263836b/falco_centos_4.18.0-1.2007201736.el7_7.emrs.altmvl.x86_64_1.ko curl: (22) The requested URL returned error: 404 Unable to find a prebuilt falco module
• Trying to dkms install falco module with GCC /usr/bin/gcc DIRECTIVE: MAKE="'/tmp/falco-dkms-make'" `

[eric-engberg]

I'm getting the following error when I try to enable auditlog

2022-06-13T19:32:30.575962573Z

• Setting up /usr/src links from host
• Running falco-driver-loader for: falco version=0.32.0, driver version=39ae7d40496793cf3d3e7890c9bbdc202263836b
• Running falco-driver-loader with: driver=bpf, compile=yes, download=yes
• Mounting debugfs
• Trying to download a prebuilt eBPF probe from https://download.falco.org/driver/39ae7d40496793cf3d3e7890c9bbdc202263836b/falco_amazonlinux2_5.4.156-83.273.amzn2.x86_64_1.o
• Skipping compilation, eBPF probe is already present in /root/.falco/falco_amazonlinux2_5.4.156-83.273.amzn2.x86_64_1.o
• eBPF probe located in /root/.falco/falco_amazonlinux2_5.4.156-83.273.amzn2.x86_64_1.o

• Success: eBPF probe symlinked to /root/.falco/falco-bpf.o Mon Jun 13 19:35:15 2022: Falco version 0.32.0 (driver version 39ae7d40496793cf3d3e7890c9bbdc202263836b) Mon Jun 13 19:35:15 2022: Falco initialized with configuration file /etc/falco/falco.yaml Mon Jun 13 19:35:15 2022: Loading plugin (k8saudit) from file /usr/share/falco/plugins/libk8saudit.so Mon Jun 13 19:35:15 2022: Loading rules from file /etc/falco/falco_rules.yaml: Mon Jun 13 19:35:15 2022: Loading rules from file /etc/falco/falco_rules.local.yaml: Mon Jun 13 19:35:16 2022: Loading rules from file /etc/falco/k8s_audit_rules.yaml: Error: Could not load rules file /etc/falco/k8s_audit_rules.yaml: 1 errors: Rule Disallowed K8s User: error filter_check called with nonexistent field jevt.value[/stage]

• rule: Disallowed K8s User desc: Detect any k8s operation by users outside of an allowed set of users. condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users) and not ka.user.name in (eks_allowed_k8s_users) output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code) priority: WARNING source: k8s_audit tags: [k8s]

# In a local/user rules file, you could override this macro to # explicitly enumerate the container images that you want to run in # your environment. In this main falco rules file, there isn't any way # to know all the containers that can run, so any container is # allowed, by using the always_true macro. In the overridden macro, the condition # would look something like (ka.req.pod.containers.image.repository in (my-repo/my-image))

[SanaZulfiqar73]

@eric-engberg Can you add your configurations (i.e. values.yaml) when you enable audit logs?

[eric-engberg]

https://gist.github.com/eric-engberg/899e8d19de0c400c5ec4223dece6aad3

[MueChr]

@eric-engberg I run in the same issue. The problem was solved, after I enabled the json plugin too.

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[poiana]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

[poiana]

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

[poiana]

@poiana: Closing this issue.

In response to [this](https://github.com/falcosecurity/charts/issues/336#issuecomment-1327894864): >Rotten issues close after 30d of inactivity. > >Reopen the issue with `/reopen`. > >Mark the issue as fresh with `/remove-lifecycle rotten`. > >Provide feedback via https://github.com/falcosecurity/community. >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.