Open incertum opened 8 months ago
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
/remove-lifecycle stale
On track.
CC @an1245, @quentinkhoo
Just moved the PR out of Draft mode. It is now feature-complete and ready for review. The README has also been updated with more info.
Starting the testing on some more beefy test servers as we speak ... plus will also attempt to provide some useful initial use case guidelines (something that is missing right now).
The plugin will work with Falco >= 0.38.2.
After initial review let's set up the CI to publish some test artifacts @jasondellaluce.
Hey Melissa, is the plugin ready? Otherwise can we move to 0.40.0? :D Thanks!
I moved this to 0.40. However, this should not be tied to the Falco release.
Anyway, just talked with @jasondellaluce and I guess we can merge the plugin PR soon.
Motivation
This issue is to track the development progress for a new anomalydetection plugin, as outlined in the Proposal. The objective is to provide updates on the progress of the development, ensuring alignment with the proposed framework. Additionally, it aims to identify any potential blockers that may hinder progress.
The initial scope will focus exclusively on "CountMinSketch Powered Probabilistic Counting and Filtering" for a subset of syscalls and a selection of options to define behavior profiles. The primary objective of this new framework is to offer tangible advantages in real-world production environments and substantially improve the usability of standard Falco rules. Essentially, this framework eliminates the requirement for meticulous tuning of individual rules and facilitates the utilization of probabilistic count estimates to alleviate the impact of noisy rules. Additionally, it enables the creation of broader Falco rules.
Edit: v1 PR can be found here: https://github.com/falcosecurity/plugins/pull/419
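A minimal illustration of the "probabilistic counting and filtering" idea described in the motivation above, added here as an example and not the plugin's own code: a Count-Min Sketch keyed on a behavior profile, plus a filter that lets an event through only while its profile's estimated count is still low. The profile fields (container, process, syscall), the sketch dimensions and the threshold are assumptions for the example.

```go
package main

import "hash/fnv"

// CountMinSketch: depth rows of width counters, each row hashed with its own seed.
type CountMinSketch struct {
	width, depth uint32
	table        [][]uint64
}

func NewCountMinSketch(width, depth uint32) *CountMinSketch {
	t := make([][]uint64, depth)
	for i := range t {
		t[i] = make([]uint64, width)
	}
	return &CountMinSketch{width: width, depth: depth, table: t}
}

// index hashes the key with a per-row seed and maps it onto that row's counters.
func (c *CountMinSketch) index(row uint32, key string) uint32 {
	h := fnv.New32a()
	h.Write([]byte{byte(row), byte(row >> 8), byte(row >> 16), byte(row >> 24)})
	h.Write([]byte(key))
	return h.Sum32() % c.width
}

// Add records one observed event for the key in every row.
func (c *CountMinSketch) Add(key string) {
	for row := uint32(0); row < c.depth; row++ {
		c.table[row][c.index(row, key)]++
	}
}

// Estimate = min over rows: never undercounts; collisions may overcount (fixed memory).
func (c *CountMinSketch) Estimate(key string) uint64 {
	best := ^uint64(0)
	for row := uint32(0); row < c.depth; row++ {
		if v := c.table[row][c.index(row, key)]; v < best {
			best = v
		}
	}
	return best
}

// ProfileKey joins fields into one profile key; these fields are an assumption of this example.
func ProfileKey(container, proc, syscall string) string {
	return container + "|" + proc + "|" + syscall
}

// IsRare is the filter side: alert only while the profile was seen fewer than threshold times.
func IsRare(c *CountMinSketch, key string, threshold uint64) bool {
	return c.Estimate(key) < threshold
}
```

Feeding a constructed stream of 500 nginx openat events and a single sh execve event through the sketch leaves the busy profile filtered out and the one-off profile still alert-worthy.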