Reputation: 639
I am using the runtime detection tool Falco to analyse the container behaviour for at least 40 seconds, using filters that detect newly spawning and executing processes, and store the incidents in the file /opt/falco-incident.txt containing the detected incidents. I am trying to format the output, one result per line, in the format [timestamp],[uid],[user-name],[processName].
I created the YAML file audit.yaml:
# /etc/kubernetes/audit.yaml: the audit policy handed to kube-apiserver
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # Log request metadata (user, verb, resource, timestamp) for the core API
  # group; with no namespaces/verbs selectors every such request matches.
  - level: Metadata
    resources:
      - group: ""

# kube-apiserver static pod manifest (/etc/kubernetes/manifests/kube-apiserver.yaml),
# under spec.volumes:
  - name: audit
    hostPath:
      path: /etc/kubernetes/audit.yaml
      type: File
  - name: audit-log
    hostPath:
      path: /var/log/all-resources.log
      type: FileOrCreate
# and under spec.containers[0].volumeMounts:
  - mountPath: /etc/kubernetes/audit.yaml
    name: audit
    readOnly: true
  - mountPath: /var/log/all-resources.log
    name: audit-log
    readOnly: false
I edited the kube-apiserver manifest, adding these 3 lines:
    - --audit-policy-file=/etc/kubernetes/audit.yaml
    - --audit-log-path=/var/log/all-resources.log
    - --audit-log-maxage=1
The main question is: how and where do I define the desired output, which should look like this?
[timestamp],[uid],[user-name],[processName]
[timestamp],[uid],[user-name],[processName]
....
Upvotes: 0
Views: 1633
Reputation: 137
I think you are going in the wrong direction. The question specifies using the Falco tool, so you need to edit the falco_rules.local.yaml file. This has nothing to do with the auditing policy. It could be something like this:
- rule: spawned_process_in_container
  desc: A process was spawned in the container.
  # execve is the syscall Falco sees for every newly executed process
  condition: container.name = "pod" and evt.type = execve
  # output fields are rendered exactly in this order: timestamp,uid,user,process
  output: "%evt.time,%user.uid,%user.name,%proc.name"
  priority: ERROR
And when you try to run it, you can use the command below to run it for 40 seconds:
falco -M 40 -r /etc/falco/falco_rules.local.yaml > log.txt
This will run Falco for 40 seconds with your given conditions and push the result in your desired format to the log.txt file.
P.S.: I know this is quite late to answer, but someone else might benefit from this.
Upvotes: 4
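One detail the answer leaves out: Falco's default text output prefixes every alert with "<time>: <Priority> ", so the redirected file does not contain only the comma-separated fields the rule produced. The following script is an added example (not code from either answer or from the Falco project) that strips that prefix and writes the bare [timestamp],[uid],[user-name],[processName] lines to /opt/falco-incident.txt; the sample Falco output in it is constructed, and the rule file path and output path are taken from the thread.

```shell
#!/bin/sh
# Added example: normalise Falco alerts into "[timestamp],[uid],[user-name],[processName]".
# Assumes the rule's output field is "%evt.time,%user.uid,%user.name,%proc.name"
# (as in the answer above) and Falco's default text output, which prints each
# alert on stdout as "<time>: <Priority> <rule output>".

# Keep only the rule's own payload: drop the "<time>: <Priority> " prefix and
# discard anything that is not an alert line (startup banners, warnings, ...).
# awk then keeps only lines with exactly the four expected fields.
format_incidents() {
    sed -nE 's/^[0-9:.]+: (Emergency|Alert|Critical|Error|Warning|Notice|Informational|Debug) //p' \
        | awk -F, 'NF == 4'
}

# Run Falco for $1 seconds (default 40) with the local rules file and store the
# formatted incidents in $2 (default /opt/falco-incident.txt, from the question).
# Falco's own diagnostics go to stderr and are discarded here.
collect_incidents() {
    duration="${1:-40}"
    out="${2:-/opt/falco-incident.txt}"
    falco -M "$duration" -r /etc/falco/falco_rules.local.yaml 2>/dev/null \
        | format_incidents > "$out"
}

# Constructed sample of what Falco prints with the rule above; not real captured output.
SAMPLE_OUTPUT='Falco version: x.y.z (constructed non-alert line, must be dropped)
10:15:01.123456789: Error 10:15:01.123456789,0,root,nginx
10:15:02.987654321: Error 10:15:02.987654321,1000,app,sh'

# Demonstrate the filter on the sample without needing a running Falco.
printf '%s\n' "$SAMPLE_OUTPUT" | format_incidents
```

On a real node, `collect_incidents 40 /opt/falco-incident.txt` produces the file the task asks for.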
Reputation: 1
The custom rule should be defined in the file /etc/falco/falco_rules.local.yaml. Please check the rules already present in /etc/falco/falco_rules.yaml and use the same format to define the new rules.
Upvotes: 0