Publish events to Falco via a Falco plugin #21

Merged
merged 5 commits into from
Feb 23, 2022

Conversation

alban
Member

@alban alban commented Feb 17, 2022

Publish events to Falco via a Falco plugin

This PR adds:

  • A Falco plugin libseccompagent.so that is used by the Falco process. It
    receives events on gRPC via the unix socket
    /run/seccomp-agent-falco-plugin.sock available via the /run host volume.

  • A Falco middleware. Users of the Seccomp Agent can add MIDDLEWARE=falco in
    the SeccompProfile's listenerMetadata field. Example:

    listenerPath: "/run/seccomp-agent.socket"
    listenerMetadata: "DEFAULT_ACTION=freeze-container\nMIDDLEWARE=falco"
    

Tested on the following configuration:

  • Typhoon on AKS with Cilium
  • Flatcar Container Linux Alpha (>= 3127.0.0)
  • Security Profiles Operator (SPO) >= v0.4.1
  • Falco installed with helm install falco -f falco-values.yaml falcosecurity/falco

The file falco-values.yaml comes from https://github.com/falcosecurity/charts/blob/master/falco/values.yaml but with
the following changes:

ebpf:
  enabled: true
...
falco:
  plugins:
    - name: seccompagent
      library_path: /host/opt/libseccompagent.so
      init_config: '{"flushinterval": 1}'
  loadPlugins: [seccompagent]
...
customRules:
  seccomp_agent_rules.yaml: |-
    - rule: Seccomp Agent
      desc: Seccomp Agent
      condition: seccompagent.syscall in (unshare,mount)
      output: id=%seccompagent.id syscall=%seccompagent.syscall
      priority: DEBUG
      source: seccompagent
      tags: [docker]
...
extraVolumes:
- hostPath:
    path: /opt
    type: ""
  name: opt
- hostPath:
    path: /run
    type: ""
  name: run
extraVolumeMounts:
- mountPath: /host/opt
  name: opt
- mountPath: /run
  name: run

How to use

Testing done

$ kubectl exec -ti mypod -- sh
# unshare -u
<frozen>

Falco logs:

Thu Feb 17 15:08:02 2022: Loading rules from file /etc/falco/rules.d/seccomp_agent_rules.yaml:
Thu Feb 17 15:08:02 2022: Starting internal webserver, listening on port 8765
15:08:32.690234000: Debug id=TODO syscall=unshare
Thu Feb 17 15:09:36 2022: Runtime error: SSL Socket handler (k8s_api_handler_state): Connection closed.. Exiting.
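As an added example (not code from the Seccomp Agent project), a parser for the listenerMetadata value used above, assuming the value is newline-separated KEY=VALUE pairs and that falco is the only middleware name; the ListenerConfig type and ParseListenerMetadata function are hypothetical names:

```go
package main

import (
	"fmt"
	"strings"
)

// ListenerConfig is a hypothetical type (not the Seccomp Agent's own) holding the
// two keys the PR description shows in listenerMetadata.
type ListenerConfig struct {
	DefaultAction string // e.g. "freeze-container"
	Middleware    string // "falco", or "" when no middleware is requested
}

// ParseListenerMetadata parses the SeccompProfile listenerMetadata value, assumed here
// to be newline-separated KEY=VALUE pairs as in "DEFAULT_ACTION=freeze-container\nMIDDLEWARE=falco".
// A literal backslash-n (what a single-quoted YAML scalar yields instead of a real newline)
// is accepted as a separator as well, so both spellings configure the same thing.
func ParseListenerMetadata(meta string) (ListenerConfig, error) {
	var cfg ListenerConfig
	meta = strings.ReplaceAll(meta, `\n`, "\n")
	for i, line := range strings.Split(meta, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		key, value, ok := strings.Cut(line, "=")
		if !ok || key == "" {
			return ListenerConfig{}, fmt.Errorf("listenerMetadata line %d: expected KEY=VALUE, got %q", i+1, line)
		}
		switch key {
		case "DEFAULT_ACTION":
			cfg.DefaultAction = value
		case "MIDDLEWARE":
			// falco is the only middleware this PR adds; reject anything else so a
			// misspelling fails loudly instead of silently running with no middleware.
			if value != "falco" {
				return ListenerConfig{}, fmt.Errorf("unknown MIDDLEWARE %q", value)
			}
			cfg.Middleware = value
		default:
			return ListenerConfig{}, fmt.Errorf("unknown listenerMetadata key %q", key)
		}
	}
	return cfg, nil
}

func main() {
	fmt.Println(ParseListenerMetadata("DEFAULT_ACTION=freeze-container\nMIDDLEWARE=falco"))
}
```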

@@ -0,0 +1,7 @@
- rule: Seccomp Agent
Contributor


Suggested change
- rule: Seccomp Agent
- required_engine_version: 11
- rule: Seccomp Agent

Not strictly required, but recommended.

Member Author


Updated, thanks!

@alban alban marked this pull request as ready for review February 21, 2022 15:40
Member Author

alban commented Feb 21, 2022

I updated the Falco rule in this way:

- rule: Seccomp Agent
  desc: Seccomp Agent
  condition: seccompagent.syscall != ""
  output: id=%seccompagent.id pid=%seccompagent.pid syscall=%seccompagent.syscall k8s=(namespace=%seccompagent.k8s.namespace pod=%seccompagent.k8s.pod container=%seccompagent.k8s.container pid=%seccompagent.k8s.pid pidfilter=%seccompagent.k8s.pidfilter)
  priority: DEBUG
  source: seccompagent
  tags: [seccompagent]

And it produces events like this:

14:58:47.397944000: Debug id=16871330094686025027 pid=166477 syscall=unshare k8s=(namespace=default pod=mypod container=container1 pid=166406 pidfilter=166449)
14:59:32.554236000: Debug id=13504239354496022167 pid=167070 syscall=unshare k8s=(namespace=default pod=mypod container=container1 pid=166996 pidfilter=167070)
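An added helper, not part of the Falco plugin or the project, that turns one of these output lines into a flat map of fields so the pid and k8s.* values can be checked or forwarded; the function names are hypothetical and it assumes the single-level key=(...) grouping that the rule's output string uses:

```go
package main

import (
	"fmt"
	"strings"
)

// ParseFalcoOutput parses one line in the shape the rule's output string produces,
// "<time>: <Priority> key=value ... k8s=(key=value ...)", into a flat map that also
// holds "time" and "priority"; keys inside k8s=(...) get a "k8s." prefix. (Added helper.)
func ParseFalcoOutput(line string) (map[string]string, error) {
	ts, rest, ok1 := strings.Cut(line, ": ")
	prio, rest, ok2 := strings.Cut(rest, " ")
	if !ok1 || !ok2 {
		return nil, fmt.Errorf("malformed Falco output line %q", line)
	}
	fields := map[string]string{"time": ts, "priority": prio}
	return fields, parseKV(rest, "", fields)
}

// parseKV reads space-separated key=value tokens into out; a value written as (...)
// is a nested group (the rule uses one level) whose keys are stored as prefix+key+".".
func parseKV(s, prefix string, out map[string]string) error {
	for s = strings.TrimSpace(s); s != ""; s = strings.TrimSpace(s) {
		key, rest, ok := strings.Cut(s, "=")
		if !ok || key == "" || strings.ContainsRune(key, ' ') {
			return fmt.Errorf("expected key=value at %q", s)
		}
		if strings.HasPrefix(rest, "(") {
			inner, after, ok := strings.Cut(rest[1:], ")")
			if !ok {
				return fmt.Errorf("unclosed '(' in field %q", key)
			}
			if err := parseKV(inner, prefix+key+".", out); err != nil {
				return err
			}
			s = after
			continue
		}
		val, after, _ := strings.Cut(rest, " ")
		out[prefix+key] = val
		s = after
	}
	return nil
}

func main() { // constructed sample line in the format shown in the comment above
	fmt.Println(ParseFalcoOutput("14:58:47.397944000: Debug id=1 pid=166477 syscall=unshare k8s=(namespace=default pod=mypod container=container1 pid=166406 pidfilter=166449)"))
}
```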

Comment on lines 63 to 70
return &plugins.Info{
ID: 5,
Name: "seccompagent",
Description: "Seccomp Agent Events",
Contact: "github.com/kinvolk/seccompagent/",
Version: "0.1.0",
RequiredAPIVersion: "0.3.0",
EventSource: "seccompagent",
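Review bot: `ID: 5` in this Info block has to be unique among all plugins loaded into one Falco instance, and the thread itself asks which ID to use; either note where 5 comes from or reserve an ID in the falcosecurity plugin registry before this is relied on, since a collision with another source plugin would only show up at load time. While here, `Contact: "github.com/kinvolk/seccompagent/"` and `Version: "0.1.0"` should be kept in sync with the repository's own release tags.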
Member Author


Which ID should I use?

Member


Maybe we can switch to KSA, KSecAgent or something else? It can be Kinvolk Seccomp Agent, but the K can be also Kubernetes.

I think KSA might be too used (like Kubernetes Service Account, Kubernetes Security Announce), but this seems to ask for something shorter


@rata rata self-requested a review February 21, 2022 16:26
Member

@rata rata left a comment


LGTM. Thanks, great PR!

@alban in a follow-up PR it will be great to add some doc of any way to deploy/play with falco in a k8s cluster.

Comment on lines +57 to +58
extractor.Register(p)
source.Register(p)
Member


Suggested change
extractor.Register(p)
source.Register(p)
// TODO: Check if we want to use an extractor/source plugin. Right now this is cargo-cult from docker plugin.
extractor.Register(p)
source.Register(p)

Member Author


We tested without extractor.Register() and it was not working correctly.

falco-plugin/main.go (review thread resolved)
Co-authored-by: Rodrigo Campos <rata@users.noreply.github.com>
@alban alban merged commit 9c4ed3b into main Feb 23, 2022
@alban alban deleted the alban_falco branch February 23, 2022 14:28
Comment on lines +140 to +141
msgC := make(chan SeccompAgentMessage)
errC := make(chan error)
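Review bot: both `msgC` and `errC` are created unbuffered, so every send on `msgC` blocks the producer until the consumer receives, and a send on `errC` blocks forever if nothing is reading it at that moment. Give `msgC` a documented capacity (for example `make(chan SeccompAgentMessage, n)` with `n` chosen from the expected event rate per flush interval) and make `errC` either buffered or always drained, so an error on the producer side cannot wedge the goroutine that reports it.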
Member


@alban We might want to change the channel to be buffered, so it doesn't block if one message is in the channel already.

Not sure what would be a good size, though. But we probably need to change this in a follow-up PR. What do you think?
