falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0
7.44k stars 903 forks source link

Support Falco running with sandboxed runtimes #1413

Open egernst opened 4 years ago

egernst commented 4 years ago

Motivation

Falco is great. I want Falco. But I also want to run the workload using a sandboxed runtime like kata containers. I hate choosing; I want both things.

Feature

It'd be awesome to be able to run either the kernel module or eBPF inside the guest kernel and have this available for Falco on the host. From taking a quick look @ https://sysdig.com/blog/understanding-common-library-implementation/, I'm hopeful that this is feasible, and we could have SCAP <-> sinsp communication occur over vsock between the guest/host.

Alternatives

I have to choose either Falco or sandboxed runtime.

Additional context

I haven't spent a lot of time yet looking through Falco yet, but before investing I am interested in high-level feedback like:

ghost commented 4 years ago

+1 this - we run a lot of gVisor workloads because they're higher risk, and so getting insights into these would be awesome

leogr commented 4 years ago

I think this is something we should discuss during our community call.

Please join us if you want!

terenceli commented 4 years ago

Hi, I'm also very interested in this feature request. Any update information?

egernst commented 4 years ago

I'll join a future community call. Thanks @leogr !

poiana commented 3 years ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

pidydx commented 3 years ago

Has there been any discussion or movement on this?

poiana commented 3 years ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

bergwolf commented 3 years ago

I'm also very interested in seeing it happen. Is there a community call every week?

leodido commented 3 years ago

Indeed there is. :)

Every Wed. More details at https://github.com/falcosecurity/community

On Fri, 23 Apr 2021 at 09:17 Peng Tao @.***> wrote:

I'm also very interested in seeing it happen. Is there a community call every week?

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/falcosecurity/falco/issues/1413#issuecomment-825448178, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAA5J42VFI5EQN2Q6FYO53DTKENJTANCNFSM4RYRVE6A .

-- L.

poiana commented 3 years ago

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

poiana commented 3 years ago

@poiana: Closing this issue.

In response to [this](https://github.com/falcosecurity/falco/issues/1413#issuecomment-846539796): >Rotten issues close after 30d of inactivity. > >Reopen the issue with `/reopen`. > >Mark the issue as fresh with `/remove-lifecycle rotten`. > >Provide feedback via https://github.com/falcosecurity/community. >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
poiana commented 3 years ago

@lining2020x: You can't reopen an issue/PR unless you authored it or you are a collaborator.

In response to [this](https://github.com/falcosecurity/falco/issues/1413#issuecomment-939249790): >/reopen Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
lining2020x commented 3 years ago

/reopen

poiana commented 3 years ago

@lining2020x: You can't reopen an issue/PR unless you authored it or you are a collaborator.

In response to [this](https://github.com/falcosecurity/falco/issues/1413#issuecomment-939249831): >/reopen Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
leogr commented 3 years ago

/reopen

poiana commented 3 years ago

@leogr: Reopened this issue.

In response to [this](https://github.com/falcosecurity/falco/issues/1413#issuecomment-939723287): >/reopen Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
leogr commented 3 years ago

/remove-lifecycle rotten

poiana commented 2 years ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

leogr commented 2 years ago

/remove-lifecycle stale

poiana commented 2 years ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

jasondellaluce commented 2 years ago

/remove-lifecycle stale

poiana commented 2 years ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

jasondellaluce commented 2 years ago

/remove-lifecycle stale

leogr commented 2 years ago

cc @LucaGuerra

poiana commented 2 years ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

leogr commented 2 years ago

/remove-lifecycle stale cc @FedeDP

poiana commented 1 year ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

FedeDP commented 1 year ago

/remove-lifecycle stale

leogr commented 1 year ago

/help

poiana commented 1 year ago

@leogr: This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.

In response to [this](https://github.com/falcosecurity/falco/issues/1413): >/help Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
poiana commented 1 year ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

leogr commented 1 year ago

/remove-lifecycle stale

poiana commented 1 year ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana commented 1 year ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

leogr commented 1 year ago

/remove-lifecycle stale /remove-lifecycle rotten

poiana commented 1 year ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Andreagit97 commented 1 year ago

/remove-lifecycle stale

roshaaaan commented 9 months ago

Hi, I wanted to ask if this feature is on the roadmap. I would appreciate any feedback you may have.

Feature: It'd be awesome to be able to run either the kernel module or eBPF inside the guest kernel and have this available for Falco on the host. From taking a quick look @ https://sysdig.com/blog/understanding-common-library-implementation/, I'm hopeful that this is feasible, and we could have SCAP <-> sinsp communication occur over vsock between the guest/host.

Andreagit97 commented 9 months ago

Hi, I wanted to ask if this feature is on the roadmap. I would appreciate any feedback you may have.

Hey @roshaaaan at the moment we just support Gvisor, we don't have anything planned in the roadmap about this topic but this is for sure something we are interested in!

poiana commented 6 months ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Andreagit97 commented 6 months ago

/remove-lifecycle stale

poiana commented 3 months ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Andreagit97 commented 3 months ago

/remove-lifecycle stale

poiana commented 1 week ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale