leogr
commented
11 months ago Status Update
I'm delighted to announce that we've completed all the action items recommended by our TOC sponsors (@TheFoxAtWork and @justincormack) and are on track with the proposed July and August timeline! Of course, this early completion doesn't imply a slowdown in our commitment to improving the project. Instead, it's renovated with the invaluable knowledge we've acquired from our experiences over the past few months.
As we reach this significant milestone, I've detailed a comprehensive, step-by-step status update below. I hope this information proves useful to you.
I've got to give a big shout-out to every person in the Falco community and the extended CNCF family who has been involved in this effort. Your contributions and support have made these initiatives fly. A special thank you goes to @nate-double-u for the help he's provided us.
cc @falcosecurity/core-maintainers
Get Feedback
Under the guidance of Taylor Dolezal, we've engaged multiple end-users to gather their feedback on Falco usage. We've established a robust process for receiving end-user feedback, including interviews with specific sets of questions aimed at understanding how Falco is used within their respective architectures. These interviews are converted into end-user case studies which we will continue to publish on https://falco.org/about/ecosystem/ as well as linking them from the falco.org home page.
Activities completed include:
- Trendyol case study: Highlighting how Trendyol uses Falco to develop a threat detection system by utilizing Kubernetes audit logs and kernel events to monitor user behavior in production clusters. This allows them to detect operational anti-patterns, improve visibility, and identify malicious actors.
- R6 case study: Showcasing how R6 Security employs Falco to enhance their moving threat detection platform, Phoenix.
Technical Writing / Documentation
In collaboration with Nate Waddington, we've worked on improving the Falco messaging and enhancing the quality of the Falco documentation, particularly focusing on new user onboarding. Based on his feedback and assessment, we've simplified and updated the Falco getting started guide and provided clear instructions on adopting Falco, including what additional projects users will need to make the most of Falco. Almost all of the website has been revised and improved. For full detail, see the related task list above.
Completed activities worth mentioning include:
- Enhancing Falco messaging throughout falco.org and Falco GitHub repositories.
- Enhancing clarity about each Falco component.
- Improving cross-references between all repositories, plugins, libraries, etc., leading to the main documentation site and the main repository, as well as the evolution repository.
- Facilitating a better understanding of Falco content by adding a referenceable glossary on falco.org with frequently used terms. This includes references for individuals to learn more about eBPF, kernel security, syscalls, and more by adding links to third-party official documentation and websites.
- Massive reworking on rules documentation with clear instructions on styling and how to use, customize, and fine-tune rules according to various use cases (see the related section below for more detail).
Use Case Development
We have increased clarity on Falco use cases and added two primary use cases on a dedicated falco.org/about/use-cases/ page.
Completed activities include:
- Threat Detection use case: Added additional blogs and guides demonstrating how Falco can be used for threat detection. For example:
- Compliance use case: Added additional blogs and guides showcasing how Falco can be used for Regulatory Compliance. Examples include:
Kernel Version Testing
We've successfully implemented our Driver Kernel Testing Framework proposal. This effort includes the creation of a specific falcosecurity/kernel-testing sub-project featuring Ansible playbooks and Dockerfiles to manage FireCracker microVMs for testing drivers against a range of distros/kernel versions. We've also established CI jobs on the falcosecurity/libs repository to execute tests and generate a markdown table with the results on GitHub pages: https://falcosecurity.github.io/libs/matrix/. The CI is impressively speedy, completing runs in approximately 15 minutes. This accomplishment was made possible thanks to the CNCF Community Infrastructure Lab (CIL), which we leverage to run our CI jobs for kernel testing.
Lastly, we're also considering further enhancements beyond the initial scope of this initiative. So, stay tuned!
Rule Modularity/Assumptions
Building upon the Falco Rules Adoption, Management, and Maturity Framework proposal, we have made substantial progress in the adoption of Falco rules. We have successfully established a rule maturity framework and completed a comprehensive round of tagging and enhancing rules. This includes augmenting descriptions and providing tuning advice for stable rules. The newly introduced style guide has been applied to existing rules.
To streamline the adoption process, we've put forth a thorough style guide and an adoption guide on our website. We have also included a dedicated contributing guide within the rules repository to facilitate participation from contributors. To improve accessibility for adopters, we've introduced an overview document and improved cross-links to official documentation on our website.
Looking ahead, we're working on additional enhancements that are currently in the pipeline, expected to be completed by the Falco 0.36 release.
TheFoxAtWork
poiana
In alignment with the suggestions from our TOC sponsors, we're actively focusing on specific areas to improve The Falco Project, aiming to be fully prepared for the forthcoming Graduation Public Comment phase.
Comprehensive details of the proposed path are outlined in the following document :point_down:
https://docs.google.com/document/d/12l65c6qC91akgFjzw7BM3KdNJAa5LyDG17sdpdfwf3g/edit?usp=sharing
This issue serves as a tracker for all related activities (see the task lists below).
Get Feedback
Tech Writing / Documentation
We will use #falco-docs channel on the CNCF Slack to discuss those efforts.
Use Case Development
Develop two primary use cases
Kernel Version Testing
Rule Modularity/Assumptions