Open Issif opened 1 year ago
NissesSenap
commented
1 year ago @Issif sadly I won't be able to work on the k8saudit-aks feature due to that I have changed job and I don't use Azure anymore. I might be able to look at the GKE feature, but it won't happen for at least 6 months (have lots of other stuff I have to fix first).
Issif
commented
1 year ago @NissesSenap no problem, I get that. If you have a WIP repo, please share it as reference
NissesSenap
commented
1 year ago Sadly, I never got that far
Issif
commented
1 year ago Np
poiana
commented
1 year ago Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
jasondellaluce
commented
1 year ago /remove-lifecycle stale
poiana
commented
11 months ago Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
poiana
commented
10 months ago Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle rotten
Andreagit97
commented
10 months ago /remove-lifecycle rotten
poiana
commented
7 months ago Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
Andreagit97
commented
7 months ago /remove-lifecycle stale
sboschman
commented
6 months ago Hi, I have been working on a k8saudit-gke plugin. Currently I have it deployed in our Falco pipeline to test drive. Still needs a bit of documentation and code cleanup, so it is not ready for a pr yet.
Once I am ready to open a pr, is anyone from the Falco team willing to assist in getting it merged into the plugins codebase? Helping out with practical stuff like reserving a plugin ID, maybe bumping the go version in the ci workflow and having the ci rule validator accept gke specific modification rules (1). Can you arrange help @Issif , or ?
(1) It seems the validator only accepts a complete rule with all fields. The gke specific rules file I made uses the new override section to modify the k8s audit rules from the k8saudit plugin, so the gke specific stuff is not in the default/base/standard k8saudit rules file.
I noticed the default k8saudit rules do contain EKS specific rule extensions. My concern is this might compromise the effectiveness of Falco's threat detection. For example EKS system 'users' (like eks:node-manager) are excluded from triggering rules. I can imagine these system user names are protected/enforced by EKS, and you can not create them yourself. But on a different cloud these names might not be protected, allowing a shady person to use these usernames to bypass Falco's detection rules.
Issif
commented
6 months ago I can help you for sure. For the CI, we need to see with @jasondellaluce too
Issif
commented
4 months ago /assign
poiana
commented
3 weeks ago Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
In January 2022, Falco introduced its first version of a Plugin framework to extend its available inputs. The framework has been enhanced in the following months to have something production ready for adopters.
Existing Plugins
We, the maintainers of Falco, created a bunch of Plugins to replace deprecated features (k8saudit) or to follow mediatic security events (Okta breach).
Right now, we have registered (excluding dummy plugins)
SDK
To make the development of plugins easier, 2 SDK are provided: Go and C++. We can notice all plugins have been written in Go, it can be explained by several factors: Go is easier to than C++ It’s a common language in web development, so in adopters’ infras Falco’s ecosystem already embeds different Go codebases (Falcosidekick, Falcosidekick-UI, Falcoctl, Driverkit, Falco-exporter, Event-generator)
Libs
Writing a plugin from scratch could be complicated for the contributors, this is why we could also provide libraries to keep them focus on the extraction logic and not the asides (auth, polling, create a web server, etc). The main goal of these libs is to avoid duplicate codes across plugins, allowing to keep an uniformity.
This approach has been started with 2 libs for AWS:
To “open” Falco to more sources, we could create shared libs for generic usages:
We also need to address the most common Cloud Providers and their specific log aggregator systems with the basic functions which are:
By providing these libs, it will be easier for developers to create new plugins for specific usages with these Cloud Providers.
Plugins
The purpose of this issue is to list the requested plugins by the community, the volunteers to develop them and their statuses.
The following table will be kept updated to avoid people to search through N issues.