Closed jasondellaluce closed 1 year ago
Note: this issue is strongly tied to https://github.com/falcosecurity/libs/issues/991, because interacting with the libsinsp internal state related to system calls would inevitably require the plugin API to support those kinds of events.
/milestone 0.11.0
/assign
Following our Slack discussion, it would be great if the plugin ecosystem supported enriching events with data from arbitrary external sources. For example, if Falco runs on AWS or Azure and a syscall event has an IP address in one of its fields, I'd like to be able to query the various AWS or Azure APIs, passing the IP address as an argument, and store the result from the external API in a new field in the event.
A specific example could be resolving an IP address against the official IP address ranges database of the relevant cloud provider (example, example) and storing the name of the relevant AWS/Azure service in a new field in the event.
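The lookup this comment asks for, as an added example that is not code from the issue, from Falco, or from the plugin SDK: a resolver that parses a document in the layout of AWS's published `ip-ranges.json` and maps an address to the owning service and region, the value an enrichment plugin would expose as a new field. The `Resolver`/`Lookup` names are hypothetical, and the embedded ranges are a constructed fixture using documentation address blocks, not real AWS prefixes. One detail worth showing: the real file lists overlapping entries (a broad `AMAZON` block with narrower `EC2`, `S3`, ... blocks inside it), so the most specific prefix must win, and an address in no range must come back as "no value" rather than an empty string a rule could match on.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"sort"
)

// awsRanges mirrors the layout of https://ip-ranges.amazonaws.com/ip-ranges.json.
// Only the fields the lookup needs are declared; encoding/json ignores the rest.
type awsRanges struct {
	Prefixes []struct {
		IPPrefix string `json:"ip_prefix"`
		Region   string `json:"region"`
		Service  string `json:"service"`
	} `json:"prefixes"`
	IPv6Prefixes []struct {
		IPv6Prefix string `json:"ipv6_prefix"`
		Region     string `json:"region"`
		Service    string `json:"service"`
	} `json:"ipv6_prefixes"`
}

// rangeEntry is one parsed prefix plus the metadata the new event field carries.
type rangeEntry struct {
	net     *net.IPNet
	bits    int // prefix length, used to try the most specific prefix first
	region  string
	service string
}

// Resolver (hypothetical name) holds the ranges sorted longest-prefix first.
// AWS lists a broad AMAZON block and narrower per-service blocks inside it, so
// first-match on an unsorted list would almost always answer "AMAZON".
type Resolver struct {
	entries []rangeEntry
}

// NewResolver parses ip-ranges.json bytes. A malformed prefix is an error rather
// than a silently skipped entry, so a bad download cannot degrade into misses.
func NewResolver(data []byte) (*Resolver, error) {
	var raw awsRanges
	if err := json.Unmarshal(data, &raw); err != nil {
		return nil, err
	}
	r := &Resolver{}
	add := func(cidr, region, service string) error {
		_, n, err := net.ParseCIDR(cidr)
		if err != nil {
			return fmt.Errorf("bad prefix %q: %w", cidr, err)
		}
		bits, _ := n.Mask.Size()
		r.entries = append(r.entries, rangeEntry{net: n, bits: bits, region: region, service: service})
		return nil
	}
	for _, p := range raw.Prefixes {
		if err := add(p.IPPrefix, p.Region, p.Service); err != nil {
			return nil, err
		}
	}
	for _, p := range raw.IPv6Prefixes {
		if err := add(p.IPv6Prefix, p.Region, p.Service); err != nil {
			return nil, err
		}
	}
	// Cross-family ordering is harmless: IPNet.Contains never matches an IPv4
	// address against an IPv6 network or vice versa.
	sort.SliceStable(r.entries, func(i, j int) bool { return r.entries[i].bits > r.entries[j].bits })
	return r, nil
}

// Lookup returns service and region of the most specific prefix containing ipStr.
// ok is false for unparsable or unlisted addresses; a plugin would then leave
// the field unset instead of returning "".
func (r *Resolver) Lookup(ipStr string) (service, region string, ok bool) {
	ip := net.ParseIP(ipStr)
	if ip == nil {
		return "", "", false
	}
	for _, e := range r.entries {
		if e.net.Contains(ip) {
			return e.service, e.region, true
		}
	}
	return "", "", false
}

// sampleRanges is a CONSTRUCTED fixture in the ip-ranges.json layout, built from
// documentation blocks (RFC 5737 / RFC 3849). These are not real AWS ranges.
const sampleRanges = `{
  "syncToken": "0",
  "createDate": "2024-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
    {"ip_prefix": "203.0.113.0/26", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
    {"ip_prefix": "203.0.113.128/25", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8::/32", "region": "eu-west-1", "service": "CLOUDFRONT", "network_border_group": "eu-west-1"}
  ]
}`

func main() {
	r, err := NewResolver([]byte(sampleRanges))
	if err != nil {
		panic(err)
	}
	for _, ip := range []string{"203.0.113.10", "203.0.113.70", "203.0.113.200", "2001:db8::1", "198.51.100.1"} {
		svc, region, ok := r.Lookup(ip)
		fmt.Printf("%-16s ok=%-5v service=%-10s region=%s\n", ip, ok, svc, region)
	}
}
```

In a real plugin the fixture would be replaced by a periodically refreshed copy of the provider's file (both AWS and Azure publish theirs with a change token), loaded once at init and reused across events; doing a network round trip per syscall event would stall the event loop.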
/milestone 0.12.0
/milestone 0.11.0
Motivation
The plugin system was launched with the intention of extending the libraries by accessing a controlled subset of their capabilities. Currently, the plugin API only allows implementing and consuming extra event sources, such as those for K8S audit and AWS CloudTrail events. However, one of the biggest missing points that has been requested by the community since the launch of the feature is the ability to write plugins that deal with system calls.
Feature
Extending the plugin API to support:
PPME_PLUGIN_EVENT_E
Additional context