Falco – Falco Plugins

Blog: GitLab Container Registry now supports Falcoctl OCI Artifacts

Fri, 11 Aug 2023 00:00:00 +0000

Today, we'd like to share with the Falco community the latest contribution we (w/Emin Aktas) made to GitLab Container Registry.

We noticed that GitLab Container Registry didn't support Falcoctl OCI Artifact mediaTypes while we were pushing the Falco rules stored from GitHub container registry to GitLab container registry. We decided then to contribute to GitLab Container Registry by adding the support for Falcoctl OCI Artifact mediaTypes.

Error: PUT https://registry.gitlab.com/v2/x/falcosecurity/rules/k8saudit-rules/manifests/1: MANIFEST_INVALID: manifest invalid; unknown media type: application/vnd.cncf.falco.rulesfile.config.v1+json
Error: PUT https://registry.gitlab.com/v2/x/falcosecurity/plugins/k8saudit/manifests/sha256:b29c97a6590486f8b3b83644677e11d2f68e201a7035699189653d7f571d7e13: MANIFEST_INVALID: manifest invalid; unknown media type: application/vnd.cncf.falco.plugin.config.v1+json

You can learn more about our contribution here. Once the feature is released, planned for GitLab 16.3, it will allow you to pull and push Falcoctl OCI Artifacts from and to GitLab Container Registry.

Falcoctl is one of the newest development efforts from the Falco community. It is a CLI tool that allows you to manage the complete lifecycle of your Falco rules and plugins by leveraging the power of OCI Artifacts.

For those who are not familiar with the OCI Artifacts concept, the OCI Artifacts specification is a way to extend the OCI Registry specification to support storing and retrieving arbitrary content, you can learn more about OCI Artifacts concept, here. OCI Artifacts are important because today's moden software requires storing more than just container images in OCI registries such as the following artifacts would be great use-case examples of that:

Helm charts
WebAssembly modules
Falco rules and plugins. :)
...many other custom artifacts

You can even create your own custom OCI Artifacts. A key thing of OCI registries is uniquely identifying the type. This is done by using a media type, which is a string that identifies the type of content stored in the registry. The media type is used to determine how to interpret the content when it is retrieved from the registry. To learn more about how you can write your own custom OCI Artifacts, you can check out the OCI Artifacts Authoring guide.

Distributing software artifacts as OCI Artifacts served by OCI registries offers a standardized, secured, and efficient way to consume and reuse content within the container ecosystem, making it easier to integrate, distribute, and manage them across different environments and tools.

Hope you can enjoy the new feature once it's released. See you next time! :)

Blog: Monitoring your EKS clusters audit logs

Tue, 30 May 2023 00:00:00 +0000

This blog post is an update of a post of November 2022

At the beginning of the year 2022, Falco introduced a game changing feature, the Falco Plugins. They allow Falco to monitor and trigger alerts for any kind of event. Since the launch of the new plugin framework the Falco community has collaborated to create plugins for Github, AWS CloudTrail and Okta. A plugin has also replaced the way Falco consumes the Audit Logs generated by a K8s API server through a dedicated plugin. With these plugins, Falco covers more in depth the aspects of your infrastructure and allows you to use a single syntax for rules.

For months (okay, maybe years...), our adopters have asked us for a way to monitor K8s Audit Logs. The previous implementation used an internal web server to receive the logs from the Kubernetes API, although it was functional, it was a very manual process to install and manage clusters. This method didn't support clusters managed by cloud providers, such as EKS, AKS, or GKE as they had to capture the Audit Logs for their own usage and then add them to their log aggregators.

This situation is now solved thanks to the plugin framework and we're proud to announce the first release of the plugin for EKS Audit Logs: k8saudit-eks!!!

How it works

AWS captures the Audit Logs and exposes them in the CloudWatch Logs service. We have made available libs to create a clean session with the AWS API and pull logs from the relevant Cloudwatch Logs Stream. You can reuse these libs for any plugin you'd like to create for any Amazon service.

Usage

The configuration for the usage of the plugin is:

plugins:
 - name: k8saudit-eks
 library_path: libk8saudit-eks.so
 init_config:
 region: "{REGION}"
 profile: "{AWS_PROFILE}"
 shift: 10
 polling_interval: 10
 use_async: false
 buffer_size: 500
 open_params: "{CLUSTER_NAME}"
 - name: json
 library_path: libjson.so
 init_config: ""

load_plugins: [k8saudit-eks, json]

With:

init_config:
- profile: The Profile to use to create the session, env var AWS_PROFILE if present
- region: The Region of your EKS cluster, env var AWS_REGION is used if present
- use_async: If true then async extraction optimization is enabled (Default: true)
- polling_interval: Polling Interval in seconds (default: 5s)
- shift: Time shift in past in seconds (default: 1s)
- buffer_size: Buffer Size (default: 200)
open_params: A string which contains the name of your EKS Cluster (required).

If you run Falco inside an EKS cluster with a setup of an OIDC provider, the profile and region parameters can be omitted in favor of a service account + IAM Role (see the official docs).

IAM

Whatever the method you use for the authentication to the AWS API, you need to set up this minimal policy to your user/role:

{
 "Version":"2012-10-17",
 "Statement":[
 {
 "Sid":"ReadAccessToCloudWatchLogs",
 "Effect":"Allow",
 "Action":[
 "logs:Describe*",
 "logs:FilterLogEvents",
 "logs:Get*",
 "logs:List*"
 ],
 "Resource":[
 "arn:aws:logs:${REGION}:${ACCOUNT_ID}:log-group:/aws/eks/${CLUSTER_NAME}/cluster:*"
 ]
 }
 ]
}

With:

REGION: The Region of your EKS cluster
ACCOUNT_ID: The ID of the account running the EKS cluster
CLUSTER_NAME: The name of your cluster EKS cluster (same value than in your plugin configuration)

Default Rules

A good thing about Kubernetes is that it brings standards into our industry. Despite a few differences, the cluster works in the same way and produces the same format of logs. This helps us enormously. By creating the k8saudit plugin we declared the fields to extract, as well as some default rules, which we can reuse for any plugin that consumes the same Audit Logs. It is a time saver for both, developers and adopters.

You can find the proposed default rules here.

Installation

For the installation, we'll use falcoctl. We can use it as a CLI tool for a locale installation or as a sidecar for Kubernetes. See this blog post for more information.

Local installation

In this example, we'll see how to install the k8saudit-eks in a local host.

First, add the index of artifacts for falcoctl:

sudo falcoctl index add falcosecurity https://falcosecurity.github.io/falcoctl/index.yaml

Install the latest version of the plugins:

sudo falcoctl artifact install k8saudit-eks

sudo falcoctl artifact install json

As the output notices, the plugins will be now available in /usr/share/plugins:

 INFO Reading all configured index files from "/root/.config/falcoctl/indexes.yaml"
 INFO Resolving dependencies ...
 INFO Installing the following artifacts: [ghcr.io/falcosecurity/plugins/plugin/k8saudit-eks:latest]
 INFO Preparing to pull "ghcr.io/falcosecurity/plugins/plugin/k8saudit-eks:latest"
 INFO Pulling b2daf90a878e: ############################################# 100%
 INFO Pulling 60b0846d1e18: ############################################# 100%
 INFO Pulling 12c7f0f5f00e: ############################################# 100%
 INFO Artifact successfully installed in "/usr/share/plugins"

 INFO Reading all configured index files from "/root/.config/falcoctl/indexes.yaml"
 INFO Resolving dependencies ...
 INFO Installing the following artifacts: [ghcr.io/falcosecurity/plugins/plugin/json:latest]
 INFO Preparing to pull "ghcr.io/falcosecurity/plugins/plugin/json:latest"
 INFO Pulling 087dba2e76d6: ############################################# 100%
 INFO Pulling c4cb35bb528a: ############################################# 100%
 INFO Pulling 9b50ea237bc6: ############################################# 100%
 INFO Artifact successfully installed in "/usr/share/plugins"

After installing the k8saudit-eks plugin, we also need to install the rules that it uses. (Those rules are the same as the k8saudit plugin rules.):

sudo falcoctl artifact install k8saudit-rules --resolve-deps=false

And we get the rules in /etc/falco:

 INFO Reading all configured index files from "/root/.config/falcoctl/indexes.yaml"
 INFO Installing the following artifacts: [ghcr.io/falcosecurity/plugins/ruleset/k8saudit:latest]
 INFO Preparing to pull "ghcr.io/falcosecurity/plugins/ruleset/k8saudit:latest"
 INFO Pulling b8c6b1def3eb: ############################################# 100%
 INFO Pulling 6b6f3231f2b2: ############################################# 100%
 INFO Pulling 91b2b7a9944d: ############################################# 100%
 INFO Artifact successfully installed in "/etc/falco"

By default, the installation of a ruleset comes with the associated plugins. In this blog, we have installed them on our own, this is why --resolve-deps is set to false.

We now have the plugins and rules in our system. The last step is to configure Falco to use them. Modify your /etc/yaml to make it looks like the following (with the relevant values for REGION, ACCOUNT_ID, and CLUSTER_NAME):

rules_files:
 ...
 - /etc/k8s_audit_rules.yaml

plugins:
 - name: k8saudit-eks
 library_path: libk8saudit-eks.so
 init_config:
 region: "{REGION}"
 profile: "{AWS_PROFILE}"
 shift: 10
 polling_interval: 10
 use_async: false
 buffer_size: 500
 open_params: "{CLUSTER_NAME}"
 - name: json
 library_path: libjson.so
 init_config: ""

load_plugins: ["k8saudit-eks","json"]
...

You can now start Falco ( sudo /usr/bin/falco --disable-source syscall) and monitor the audit logs of your EKS cluster:

Wed May 10 14:07:18 2023: Falco version: 0.34.1 (x86_64)
Wed May 10 14:07:18 2023: Falco initialized with configuration file: /etc/yaml
Wed May 10 14:07:18 2023: Loading plugin 'k8saudit-eks' from file /usr/share/plugins/libk8saudit-eks.so
Wed May 10 14:07:18 2023: Loading plugin 'json' from file /usr/share/plugins/libjson.so
Wed May 10 14:07:18 2023: Loading rules from file /etc/k8s_audit_rules.yaml
Wed May 10 14:07:18 2023: Loading rules from file /etc/rules.d/override-k8saudit.yaml
Wed May 10 14:07:18 2023: Starting health webserver with threadiness 4, listening on port 8765
Wed May 10 14:07:18 2023: Enabled event sources: k8s_audit
Wed May 10 14:07:18 2023: Opening capture with plugin 'k8saudit-eks'

In this example, we also disable the collection of the syscalls with the option --disable-source syscall. The k8saudit-eks plugin works with a pull model, you should have only one Falco instance collecting the audit logs to avoid any duplication of alerts. We dedicate that instance to that role.

And get alerts:

14:09:17.699479000: Informational K8s Serviceaccount Created (user=system:node:ip-192-168-34-135.ec2.internal serviceaccount=default ns=default resource=serviceaccounts resp=201 decision=allow reason=)
14:09:24.046826000: Notice Attach/Exec to pod (user=kubernetes-admin pod=kubecon resource=pods ns=default action=exec command=sh)

Kubernetes installation

Next, we will see how to install the k8saudit-eks plugin with the falcoctl tool in a Kubernetes setup. We'll use the official Helm chart with the following values.yaml file:

serviceAccount:
 create: true
 annotations:
 - eks.amazonaws.com/role-arn: {ROLE_ARN}

falco:
 rules_files:
 - /etc/falco/k8s_audit_rules.yaml
 - /etc/falco/rules.d
 plugins:
 - name: k8saudit-eks
 library_path: libk8saudit-eks.so
 init_config:
 shift: 10
 polling_interval: 10
 use_async: false
 buffer_size: 500
 open_params: "{CLUSTER_NAME}"
 - name: json
 library_path: libjson.so
 init_config: ""
 load_plugins: [k8saudit-eks, json]

falcosidekick:
 enabled: true

driver:
 enabled: false
collectors:
 enabled: false

controller:
 kind: deployment
 deployment:
 replicas: 1

falcoctl:
 indexes:
 - name: falcosecurity
 url: https://falcosecurity.github.io/falcoctl/index.yaml
 artifact:
 install:
 enabled: true
 follow:
 enabled: true
 config:
 artifact:
 allowedTypes:
 - plugin
 - rulesfile
 install:
 resolveDeps: false
 refs: [k8saudit-rules:0, k8saudit-eks:0, json:0]
 follow:
 refs: [k8saudit-rules:0]

Let's look into this configuration section by section:

serviceAccount:
 create: true
 annotations:
 - eks.amazonaws.com/role-arn: {ROLE_ARN}

With EKS, we can use an OIDC provider and annotations on the service accounts to allow access to the AWS API ( see the official docs). This section allows you to set which ROLE_ARN to use.

falco:
 rules_files:
 - /etc/falco/k8s_audit_rules.yaml
 - /etc/falco/rules.d
 plugins:
 - name: k8saudit-eks
 library_path: libk8saudit-eks.so
 init_config:
 shift: 10
 polling_interval: 10
 use_async: false
 buffer_size: 500
 open_params: "{CLUSTER_NAME}"
 - name: json
 library_path: libjson.so
 init_config: ""
 load_plugins: [k8saudit-eks, json]

As the local installation, this section sets the used plugins.

driver:
 enabled: false
collectors:
 enabled: false

controller:
 kind: deployment
 deployment:
 replicas: 1

To collect and monitor all the syscalls, Falco must be deployed as a DaemontSet in your cluster, to have one instance per Kernel. In this example, we're deploying Falco with the k8saudit-eks plugin, which relies on a pull model. To avoid several Falco pods to collect the same audit logs and duplicate the alerts, we MUST install Falco with the k8saudit-eks plugin only once. The Helm chart allows to use a one replica deployment and to disable the syscalls and K8s metdadata collections, this is the purpose of this section.

falcoctl:
 indexes:
 - name: falcosecurity
 url: https://falcosecurity.github.io/falcoctl/index.yaml
 artifact:
 install:
 enabled: true
 follow:
 enabled: true
 config:
 artifact:
 allowedTypes:
 - plugin
 - rulesfile
 install:
 resolveDeps: false
 refs: [k8saudit-rules:0, k8saudit-eks:0, json:0]
 follow:
 refs: [k8saudit-rules:0]

The last section sets up falcoctl. It will install the requested plugins and rules and track new versions of the rules.

Now you can run your helm install command:

helm install falco-k8saudit-eks -n falco falcosecurity/falco -f ./values.yml

And see the result:

$ kubectl get pods -n falco

NAME READY STATUS RESTARTS AGE
falco-k8saudit-eks-96d7f6f99-vwjgc 2/2 Running 0 70m

$ kubectl logs falco-k8saudit-eks-96d7f6f99-vwjgc -n falco -c falco
Wed May 10 14:07:18 2023: Falco version: 0.34.1 (x86_64)
Wed May 10 14:07:18 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
Wed May 10 14:07:18 2023: Loading plugin 'k8saudit-eks' from file /usr/share/falco/plugins/libk8saudit-eks.so
Wed May 10 14:07:18 2023: Loading plugin 'json' from file /usr/share/falco/plugins/libjson.so
Wed May 10 14:07:18 2023: Loading rules from file /etc/falco/k8s_audit_rules.yaml
Wed May 10 14:07:18 2023: Loading rules from file /etc/falco/rules.d/override-k8saudit.yaml
Wed May 10 14:07:18 2023: Starting health webserver with threadiness 4, listening on port 8765
Wed May 10 14:07:18 2023: Enabled event sources: k8s_audit
Wed May 10 14:07:18 2023: Opening capture with plugin 'k8saudit-eks'
{"hostname":"falco-k8saudit-eks-96d7f6f99-vwjgc","output":"14:09:17.699479000: Informational K8s Serviceaccount Created (user=system:node:ip-192-168-34-135.ec2.internal serviceaccount=default ns=default resource=serviceaccounts resp=201 decision=allow reason=)","priority":"Informational","rule":"K8s Serviceaccount Created","source":"k8s_audit","tags":["k8s"],"time":"2023-05-10T14:09:17.699479000Z", "output_fields": {"evt.time":1683727757699479000,"ka.auth.decision":"allow","ka.auth.reason":"","ka.response.code":"201","ka.target.name":"default","ka.target.namespace":"default","ka.target.resource":"serviceaccounts","ka.user.name":"system:node:ip-192-168-34-135.ec2.internal"}}
{"hostname":"falco-k8saudit-eks-96d7f6f99-vwjgc","output":"14:09:24.046826000: Notice Attach/Exec to pod (user=kubernetes-admin pod=kubecon resource=pods ns=default action=exec command=sh)","priority":"Notice","rule":"Attach/Exec Pod","source":"k8s_audit","tags":["k8s"],"time":"2023-05-10T14:09:24.046826000Z", "output_fields": {"evt.time":1683727764046826000,"ka.target.name":"kubecon","ka.target.namespace":"default","ka.target.resource":"pods","ka.target.subresource":"exec","ka.uri.param[command]":"sh","ka.user.name":"kubernetes-admin"}}

Disclaimer

Our tests noticed some latencies between the presence of the logs in the CloudWatch Logs Stream and their evaluation by Falco. This is more visible with highly requested API servers. The solution is to adapt the size of your nodes where Falco runs, considering a minimal size of 2xlarge as a safe option.

Conclusion

With this first Plugin for a managed K8s solution, we hope to open the door for new contributions from the community for other flavors like GKE and AKS. If you need to create a plugin for another AWS service, take also a look at the libs we created to help the developers.

You can find us in the Falco community. Please feel free to reach out to us for any questions, suggestions, or even for a friendly chat!

If you would like to find out more about Falco:

Get started in Falco.org
Check out the Falco project in GitHub.
Get involved in the Falco community.
Meet the maintainers on the Falco Slack.
Follow @falco_org on Twitter.

Blog: Falcoctl: install and manage your rules and plugins

Fri, 24 Feb 2023 00:00:00 +0000

Since the launch of the plugin framework in January 2022, our adopters have requested an out-of-the-box solution to manage the lifecycle of rules (installation, updates). We heard your request and also created a guide to help you smoothly install the plugins. The Falco maintainers proposed the following solution to help with these issues: falcoctl. Falcoctl is a CLI tool that performs several useful tasks for Falco.

This blog post describes key concepts around falcoctl to help you get started.

Glossary

Before diving into all the details, here's a glossary of the key words to understand how falcoctl works. An exhaustive list can be found in the README.

Artifact: An artifact is an element falcoctl can manipulate, right now, only rulesfiles and plugins are considered.
Index: A .yaml file containing a list of available artifacts with their registries and repositories. The tool's default configuration contains an index file pointing to the officially supported artifacts from the falcosecurity organization, see here. Users can also maintain their own index files, pointing to registries and repositories containing custom rulesfiles and plugins.
Registry: A registry stores the artifacts, that falcoctl understands in regards to the OCI standard, any compliant OCI can be used. The official registry uses Github Packages.
Repository: similar to containers, it belongs to a registry and contains one or more versions (tags) of an artifact.

Use falcoctl locally

The following steps explain the basic concepts used to install falcoctl locally.

Installation

For a Linux amd64 system:

LATEST=$(curl -sI https://github.com/falcosecurity/falcoctl/releases/latest | awk '/location: /{gsub("\r","",$2);split($2,v,"/");print substr(v[8],2)}')
curl --fail -LS "https://github.com/falcosecurity/falcoctl/releases/download/v${LATEST}/falcoctl_${LATEST}_linux_amd64.tar.gz" | tar -xz falcoctl
sudo install -o root -g root -m 0755 falcoctl /usr/local/bin/falcoctl

Other environments are described in the README

Now you are able to confirm that the installation went well. Check the version:

❯ falcoctl version

Client Version: 0.4.0

Print the help:

❯ falcoctl --help

 __ _ _ _
 / _| __ _| | ___ ___ ___| |_| |
 | |_ / _ | |/ __/ _ \ / __| __| |
 | _| (_| | | (_| (_) | (__| |_| |
 |_| \__,_|_|\___\___/ \___|\__|_|


The official CLI tool for working with Falco and its ecosystem components.

Usage:
 falcoctl [command]

Available Commands:
 artifact Interact with Falco artifacts
 completion Generate the autocompletion script for the specified shell
 help Help with any command
 index Interact with index
 registry Interact with OCI registries
 tls Generate and install TLS material for Falco
 version Print the falcoctl version information

Flags:
 --config string config file to be used for falcoctl (default "/etc/falcoctl/falcoctl.yaml")
 --disable-styling Disable output styling such as spinners, progress bars and colors. Styling is automatically disabled if not attached to a tty (default false)
 -h, --help help for falcoctl
 -v, --verbose Enable verbose logs (default false)

Use "falcoctl [command] --help" for more information about a command.

Index

Before being able to download and install artifacts, we need to configure an index, we provide one for all official artifacts, plugins and rules:

sudo falcoctl index add falcosecurity https://falcosecurity.github.io/falcoctl/index.yaml

To confirm the installation:

❯ sudo falcoctl index list
NAME URL ADDED UPDATED
falcosecurity https://falcosecurity.github.io/falcoctl/index.yaml 2023-02-14 14:57:33 2023-02-14 15:48:43

The index is not automatically updated, when a new artifact is added to the list, you can refresh your local cache with:

sudo falcoctl index update falcosecurity

Configuration

The default configuration of falcoctl is /etc/falcoctl/falcoctl.yaml, as it can store secrets, like credentials to private registries, the file is protected by default.

❯ sudo cat /etc/falcoctl/falcoctl.yaml

indexes:
- name: falcosecurity
 url: https://falcosecurity.github.io/falcoctl/index.yaml

To know more about available settings, see the official docs.

Search for artifacts

Everything is set up and ready. We can search for new artifacts:

❯ sudo falcoctl artifact search falco

INDEX ARTIFACT TYPE REGISTRY REPOSITORY
falcosecurity falco-rules rulesfile ghcr.io falcosecurity/rules/falco-rules

❯ sudo falcoctl artifact search kubernetes

INDEX ARTIFACT TYPE REGISTRY REPOSITORY
falcosecurity k8saudit plugin ghcr.io falcosecurity/plugins/plugin/k8saudit
falcosecurity k8saudit-rules rulesfile ghcr.io falcosecurity/plugins/ruleset/k8saudit

Note the TYPE column to determine the kind of artifact.

The search is made through names and keywords as we can find them in the index.yaml:

- name: k8saudit
 type: plugin
 registry: ghcr.io
 repository: falcosecurity/plugins/plugin/k8saudit
 description: Read Kubernetes Audit Events and monitor Kubernetes Clusters
 home: https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit
 keywords:
 - audit
 - audit-log
 - audit-events
 - kubernetes
 license: Apache-2.0
 maintainers:
 - email: cncf-falco-dev@lists.cncf.io
 name: The Falco Authors
 sources:
 - https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit

Installation of artifacts

Installation of Rules

It's time to install our first artifact, the beloved falco default rules.

❯ sudo falcoctl artifact install falco-rules

 INFO Reading all configured index files from "/root/.config/falcoctl/indexes.yaml"
 INFO Resolving dependencies ...
 INFO Installing the following artifacts: [ghcr.io/falcosecurity/rules/falco-rules:latest]
 INFO Preparing to pull "ghcr.io/falcosecurity/rules/falco-rules:latest"
 INFO Pulling ad24f8acf278: ############################################# 100%
 INFO Pulling 0d3705a4650f: ############################################# 100%
 INFO Pulling 0957c1ef3fe4: ############################################# 100%
 INFO Artifact successfully installed in "/etc/falco"

By default, the latest version is used, but you can specify a targeted tag sudo falcoctl artifact install falco-rules:0.5.0.

All official artifacts come with floating tags, for example:

0 for the last 0.x.x
0.5 for the last 0.5.x
etc

You can find the available versions (tags) with:

❯ sudo falcoctl artifact info falco-rules
REF TAGS
ghcr.io/falcosecurity/rules/falco-rules 0.0.0 0.1.0-rc1 0.1.0 0.1.0 latest

You can also directly check in Github: https://github.com/falcosecurity/rules/pkgs/container/rules%2Ffalco-rules

When you install a ruleset requiring specific plugins, the relative plugins are also installed!

❯ sudo falcoctl artifact install k8saudit-rules:0.5

 INFO Reading all configured index files from "/root/.config/falcoctl/indexes.yaml"
 INFO Resolving dependencies ...
 INFO Installing the following artifacts: [ghcr.io/falcosecurity/plugins/ruleset/k8saudit:0.5 json:0.6.0 k8saudit:0.5.0]
 INFO Preparing to pull "ghcr.io/falcosecurity/plugins/ruleset/k8saudit:0.5"
 INFO Pulling cb5233c876c3: ############################################# 100%
 INFO Pulling 4383c69ba0ad: ############################################# 100%
 INFO Pulling 2c6ca9f7dac5: ############################################# 100%
 INFO Artifact successfully installed in "/etc/falco"
 INFO Preparing to pull "ghcr.io/falcosecurity/plugins/plugin/json:0.6.0"
 INFO Pulling 65a28b294bff: ############################################# 100%
 INFO Pulling 15fb7eddd978: ############################################# 100%
 INFO Pulling f4ca8f34ad16: ############################################# 100%
 INFO Artifact successfully installed in "/usr/share/falco/plugins"
 INFO Preparing to pull "ghcr.io/falcosecurity/plugins/plugin/k8saudit:0.5.0"
 INFO Pulling 3e249d372a35: ############################################# 100%
 INFO Pulling c4abb288df01: ############################################# 100%
 INFO Pulling 5e5cfe270518: ############################################# 100%
 INFO Artifact successfully installed in "/usr/share/falco/plugins"

Installation of Plugins

Like rules, plugins can be installed with one simple command:

❯ sudo falcoctl artifact install github

 INFO Reading all configured index files from "/root/.config/falcoctl/indexes.yaml"
 INFO Resolving dependencies ...
 INFO Installing the following artifacts: [ghcr.io/falcosecurity/plugins/plugin/github:latest]
 INFO Preparing to pull "ghcr.io/falcosecurity/plugins/plugin/github:latest"
 INFO Pulling 19dc1c0f62a0: ############################################# 100%
 INFO Pulling d97aadfc1199: ############################################# 100%
 INFO Pulling 5b9143db2a1d: ############################################# 100%
 INFO Artifact successfully installed in "/usr/share/falco/plugins"

Easy!

Follow artifacts

A great feature of falcoctl is its ability to run as a daemon to periodically check the artifacts' repositories and automatically install new versions. The configuration of the behavior is also in /etc/falcoctl/falcoctl.yaml.

indexes:
 - name: falcosecurity
 url: https://falcosecurity.github.io/falcoctl/index.yaml
artifact:
 install:
 refs:
 - k8saudit:0.5.0
 follow:
 every: 6h0m0s
 falcoVersions: http://localhost:8765/versions
 refs:
 - k8saudit:-rules:0.5

The install section lists the references of the artifacts we want to install at deployment of falcoctl. The follow section lists those we want to automatically update and check every for frequency.

Some plugins and rules versions depend on the falco version, falcoctl request, and the falco type of /versions and API endpoint that gather intel, this is why we have the falcoVersions field in the configuration.

We do not advise to disable the plugins, as they are binaries, and could lead to security breaks.

Systemd service

To help you set falcoctl as a daemon, here's a systemd service template /etc/systemd/system/falcoctl.service:

[Unit]
Description=Falcoctl
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=1
ExecStart=/usr/local/bin/falcoctl artifact follow

To enable/start the new service:

❯ systemctl enable falcoctl
❯ systemctl start falcoctl
❯ systemctl status falcoctl

● falcoctl.service - Falcoctl
 Loaded: loaded (/etc/systemd/system/falcoctl.service; static)
 Active: active (running) since Thu 2023-02-16 16:46:32 CET; 1h ago
 Main PID: 567876 (falcoctl)
 Tasks: 9 (limit: 38132)
 Memory: 6.8M
 CPU: 15ms
 CGroup: /system.slice/falcoctl.service
 └─567876 /usr/local/bin/falcoctl artifact follow

Use falcoctl in Kubernetes with Helm

The last version of the falco helm chart, v3.0.0 includes falcoctl as an init container and sidecar, to accordingly install and follow artifacts.

Add the official Helm repo

Nothing new under the sun, a classic helm command:

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

Configure the installation and followed by the artifacts

Like any other values, we can set the values.yaml field to choose the artifacts to install and follow the index we use for.

...
falcoctl:
 artifact:
 install:
 enabled: true
 follow:
 enabled: true
 config:
 indexes:
 - name: falcosecurity
 url: https://falcosecurity.github.io/falcoctl/index.yaml
 artifact:
 allowedTypes:
 - rulesfile
 - plugin
 install:
 resolveDeps: true
 refs: [k8saudit-rules:0.5, falco-rules:0]
 follow:
 refs: [k8saudit-rules:0.5, falco-rules:0]
 every: 6h
...

The resolveDeps: true avoids listing the plugin at install, and will be automatically installed with the rules.

Here's the final command to bootstrap a very basic installation with these settings:

helm install falco -n falco -f values.yaml falcosecurity/falco --create-namespace

Disable falcoctl in the chart

If for some reason you don't want to use falcoctl to manage artifacts, you can disable its installation by following these steps:

helm install falco \
 --set falcoctl.artifact.install.enabled=false \
 --set falcoctl.artifact.follow.enabled=false

Conclusion

In this blog post we learned some of the basic falcoctl usages that we can run locally and in our Kubernetes clusters with helm. It helps to manage the lifecycle of the rules and the plugins with an out of the box solution like falcoctl`. Stay tuned as the plugin ecosystem is growing and we are seeing the development of more features and enhancements. More posts will also be out soon to detail more advanced usages, such as using private registries and creating your own artifacts. See you soon!

Per usual, if you have any feedback or need help, you can find us at any of the following locations.

Get started in Falco.org
Check out the Falcoctl project on GitHub.
Check out the Falco Rules on GitHub.
Check out the Falco Plugins on GitHub.
Get involved in the Falco community.
Meet the maintainers on the Falco Slack.
Follow @falco_org on Twitter.