Currently, the falco event generator only generates system call activity. This adds support for k8s_audit events by adding a script + supporting k8s object files that generate activity that matches the k8s audit event ruleset.

The main script is k8s_event_generator.sh, which loops over the files in the yaml subdirectory, running kubectl apply -f for each. In the interests of keeping things self-contained, all objects are created in a `falco-event-generator` namespace. This means that some activity related to cluster roles/cluster role bindings is not performed.

Each k8s object has annotations that note:

1. The specific falco rules that should trigger.
2. A user-friendly message to print when apply-ing the file.

You can provide a specific rule name to the script. If provided, only those objects related to that rule will trigger. The default is "all", meaning that all objects are created.

The script loops forever, deleting the falco-event-generator namespace after each iteration.

Additionally, the docker image has been updated to also copy the script + supporting files, as well as fetching the latest available `kubectl` binary. The entrypoint is now a script that allows choosing between:

- syscall activity: run with .... "syscall"
- k8s_audit activity: run with .... "k8s_audit"
- spawn a shell: run with .... "bash"

The default is "syscall" to preserve existing behavior.

In most cases, you'll need to provide kube config files/directories that allow access to your cluster. A command like the following will work:

```
docker run -v $HOME/.kube:/root/.kube -it falcosecurity/falco-event-generator k8s_audit
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
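The generator loop the commit message describes (iterate over the object files, keep only those whose annotations name the requested rule, print the file's message, apply it, then delete the namespace), as an added illustration in POSIX shell. This is not the project's k8s_event_generator.sh; it mirrors the behaviour the message describes and makes its own assumptions: the annotation names `falco.rules` and `falco.message` are hypothetical, the namespace is created explicitly before each iteration, and `$KUBECTL` is the command used for create/apply/delete so that setting it to `echo` gives an offline dry run. Rule names used to exercise it are constructed samples.

```shell
#!/bin/sh
# Added illustration of the generator loop described in the commit message.
# This is NOT the project's k8s_event_generator.sh; it only mirrors the
# behaviour the message describes. Assumptions (not taken from the page):
#   - object files live in $YAML_DIR and carry two annotations, whose names
#     (falco.rules, falco.message) are hypothetical:
#       falco.rules:   comma-separated Falco rule names the object triggers
#       falco.message: text printed when the file is applied
#   - $KUBECTL is the command used to create/apply/delete (default kubectl;
#     set it to "echo" for a dry run)
#   - the namespace is created explicitly before each iteration
set -eu

YAML_DIR="${YAML_DIR:-./yaml}"
KUBECTL="${KUBECTL:-kubectl}"
NAMESPACE="falco-event-generator"

# Print the value of one annotation from a YAML file. Handles only the
# simple "    key: value" layout (quoted or unquoted) used by these files.
annotation() {                      # $1 = file, $2 = annotation name
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# Succeed when the file's falco.rules list names $2, or when $2 is "all".
matches_rule() {                    # $1 = file, $2 = requested rule
    [ "$2" = "all" ] && return 0
    annotation "$1" falco.rules \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF -- "$2"
}

# Print the object files that should be applied for the requested rule,
# one path per line, in the same order the generator would apply them.
select_files() {                    # $1 = requested rule
    for f in "$YAML_DIR"/*.yaml; do
        [ -f "$f" ] || continue
        if matches_rule "$f" "$1"; then
            echo "$f"
        fi
    done
}

# One iteration: create the namespace, apply each matching file after
# printing its message, then delete the namespace (which removes every
# object created in it, as the commit message describes).
run_once() {                        # $1 = requested rule ("all" = every object)
    "$KUBECTL" create namespace "$NAMESPACE"
    select_files "$1" | while read -r f; do
        echo "*** $(annotation "$f" falco.message)"
        "$KUBECTL" apply -f "$f" -n "$NAMESPACE"
    done
    "$KUBECTL" delete namespace "$NAMESPACE"
}

# Loop forever like the generator; stop with Ctrl-C.
# Usage: RUN_GENERATOR=1 ./k8s_event_generator_demo.sh ["Some Rule Name"|all]
main() {
    rule="${1:-all}"
    while true; do
        run_once "$rule"
        sleep 1
    done
}

# Only start the endless loop when asked; the functions above can be
# sourced and exercised on their own otherwise.
if [ "${RUN_GENERATOR:-0}" = 1 ]; then
    main "$@"
fi
```

Filtering by rule name before applying is what keeps a targeted run (one rule) from creating every object, and deleting the whole namespace at the end of each pass is what lets the loop repeat without `kubectl apply` turning into no-op updates on objects that already exist.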
Falco

Latest release: v0.18.0 (read the change log)
Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Falco audits a system at the most fundamental level, the kernel. Falco then enriches this data with other input streams such as container runtime metrics, and Kubernetes metrics. Falco lets you continuously monitor and detect container, application, host, and network activity—all in one place—from one source of data, with one set of rules.
Falco is hosted by the Cloud Native Computing Foundation (CNCF) as a sandbox level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details read the Falco CNCF project proposal.
What kind of behaviors can Falco detect?
Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, Falco can easily detect incidents including but not limited to:
- A shell is running inside a container.
- A container is running in privileged mode, or is mounting a sensitive path, such as `/proc`, from the host.
- A server process is spawning a child process of an unexpected type.
- Unexpected read of a sensitive file, such as `/etc/shadow`.
- A non-device file is written to `/dev`.
- A standard system binary, such as `ls`, is making an outbound network connection.
Installing Falco
A comprehensive installation guide for Falco is available in the documentation website.
How do you compare Falco with other security tools?
One of the questions we often get when we talk about Falco is “How does Falco differ from other Linux security tools such as SELinux, AppArmor, Auditd, etc.?”. We wrote a blog post comparing Falco with other tools.
Documentation
See Falco Documentation to quickly get started using Falco.
Join the Community
- Join the mailing list for news and a Google calendar invite for our Falco open source meetings. Note: this is the only way to get a calendar invite for our open meetings.
- Website for Falco.
- Join our Public Slack channel for Falco announcements and discussions.
Community call
Are you using Falco? Do you have ideas for things to do with Falco? How can Falco be better?
Falco has a bi-weekly community call, which is an open call to discuss Falco from a user perspective. These happen on the opposite weeks from the repo planning calls.
Wednesdays at 8am Pacific on Zoom.
Repo planning
Do you want to contribute to Falco? Are you interested in working on Falco? Do you want to fix something or make something better?
Falco has a bi-weekly planning meeting, which is an open call to discuss upcoming Falco releases and assign open GitHub issues to engineers. These happen on the opposite weeks from the office hours calls.
Wednesdays at 8am Pacific on Zoom.
License Terms
Falco is licensed to you under the Apache 2.0 open source license.
Contributing
See the CONTRIBUTING.md.
Security
Security Audit
A third-party security audit was performed by Cure53; you can see the full report here.
Reporting security vulnerabilities
Please report security vulnerabilities following the community process documented here.