Falco output aws instance metadata

Question

I run falco and falcosidekick with docker compose, without k8s.

I need to retrive aws instance metadata to falco rules output. I've found the jevt field class but I encountered an error on falco container start

Invalid output format 'command=%jevt.value[/awsRegion': 'invalid formatting token jevt.value[/awsRegion']

Here my rules:

- rule: Terminal shell in container
  desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
  condition: >
    spawned_process and container
    and shell_procs and proc.tty != 0
    and container_entrypoint
    and not user_expected_terminal_shell_in_container_conditions
  output: >
    command=%jevt.value["/awsRegion"]
  priority: NOTICE
  tags: [ container, shell, mitre_execution ]

How can I do? Thank you

Answer 1

Falco doesn't query AWS metadata, so I retrieved the metadata with an aws cli describe-instances and passed the metadata to falcosidekick container.

#loading EC2 metadata
INSTANCE_ID=$(curl http://169.254.169.254/latest/meta-data/instance-id)
INSTANCE_IP=$(aws ec2 describe-instances --instance-id "$INSTANCE_ID" --region eu-west-1 --query 'Reservations[*].Instances[*].{InstanceIp:PublicIpAddress}' --output text)
CLUSTER_NAME=$(aws ec2 describe-instances --instance-id "$INSTANCE_ID" --region eu-west-1 --query 'Reservations[*].Instances[*].{ClusterName:Tags[?Key==`Name`]|[0].Value}' --output text)

docker run -d -p 2801:2801 -d \
  -e CUSTOMFIELDS=INSTANCE_ID:"$INSTANCE_ID",INSTANCE_IP:"$INSTANCE_IP",CLUSTER_NAME:"$CLUSTER_NAME" \
  --name falcosidekick \
  falcosecurity/falcosidekick

Answer 2

several things to know:

• the syntax for jevt.value is jevt.value[/awsRegion] (no quotes)
• these kind fields are for events in json format, it works for kubernetes audit logs but in your case where the rule is based on syscalls
• falco will not query aws metadata either, you will not have this information in your output like this

Regards,