Gsoc Week-3 and Week-4 updates
This week I worked on creating
parsers for the syscalls that I added previously. I learnt how metadata is extracted from
the syscalls to provied user with more context on the triggred syscall. We also compiled Falco's main repository from which
the web application will be built on. As always, thanks to my mentor Jason Dellaluce for assisting me!
Wasm Target For Falco 🦅
Similar approch to libs was followed here as well. We first modified
cmakelist to add the wasm target and added the
preprossesor checks for emscripten. Finally we added
CI to build and test wasm target for flaco.
More information about this, here.
A quick run of
falco --help command through
root@rohithraju:~/code/falco/build_emcc# node ./userspace/falco/falco.js --help Falco - Cloud Native Runtime Security Usage: falco [OPTION...] -h, --help Print this page -c <path> Configuration file. If not specified uses /etc/falco/falco.yaml. -A Monitor all events supported by Falco defined in rules and configs. Please use the -i option to list the events ignored by default without -A. This option affects live captures only. Setting -A can impact performance. -b, --print-base64 Print data buffers in base64. This is useful for encoding binary data that needs to be used over media designed to consume this format. --cri <path> Path to CRI socket for container metadata. Use the specified socket to fetch data from a CRI-compatible runtime. If not specified, uses the libs default. This option can be passed multiple times to specify socket to be tried until a successful one is found. -d, --daemon Run as a daemon. --disable-cri-async Disable asynchronous CRI metadata fetching. This is useful to let the input event wait for the container metadata fetch to finish before moving forward. Async fetching, in some environments leads to empty fields for container metadata when the fetch is not fast enough to be completed asynchronously. This can have a performance penalty on your environment depending on the number of containers and the frequency at which they are created/started/stopped. --disable-source <event_source> Disable a specific event source. By default, all loaded sources get enabled. Available sources are 'syscall' and all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times. This has no offect when reading events from a trace file. Can not disable all event sources. Can not be mixed with --enable-source. --dry-run Run Falco without proceesing events. Can be useful for checking that the configuration and rules do not have any errors. -D <substring> Disable any rules with names having the substring <substring>. This option can be passed multiple times. Can not be mixed with -t. -e <events_file> Read the events from a trace file <events_file> in .scap format instead of tapping into live. --enable-source <event_source> Enable a specific event source. If used, all loaded sources get disabled by default and only the ones passed with this option get enabled. Available sources are 'syscall' and all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times. This has no offect when reading events from a trace file. Can not be mixed with --disable-source. -i Print all high volume syscalls that are ignored by default for performance reasons (i.e. without the -A flag) and exit. -L Show the name and description of all rules and exit. If json_output is set to true, it prints details about all rules, macros and lists in JSON format -l <rule> Show the name and description of the rule with name <rule> and exit. If json_output is set to true, it prints details about the rule in JSON format --list [=<source>(=)] List all defined fields. If <source> is provided, only list those fields for the source <source>. Current values for <source> are "syscall" or any source from a configured plugin with event sourcing capability. --list-syscall-events List all defined system call events. --list-plugins Print info on all loaded plugins and exit. -M <num_seconds> Stop collecting after <num_seconds> reached. (default: 0) --markdown When used with --list/--list-syscall-events, print the content in Markdown format -N When used with --list, only print field names. --nodriver Capture for system events without drivers. If a loaded plugin has event sourcing capability and can produce system events, it will be used to for event collection. -o, --option <opt>=<val> Set the value of option <opt> to <val>. Overrides values in configuration file. <opt> can be identified using its location in configuration file using dot notation. Elements which are entries of lists can be accessed via square brackets . E.g. base.id = val base.subvalue.subvalue2 = val base.list=val --plugin-info <plugin_name> Print info for a single plugin and exit. This includes all descriptivo info like name and author, along with the schema format for the init configuration and a list of suggested open parameters. <plugin_name> can be the name of the plugin or its configured library_path. -p, --print <output_format> Add additional information to each falco notification's output. With -pc or -pcontainer will use a container-friendly format. With -pk or -pkubernetes will use a kubernetes-friendly format. Additionally, specifying -pc/-pk will change the interpretation of %container.info in rule output fields. -P, --pidfile <pid_file> When run as a daemon, write pid to specified file (default: /var/run/falco.pid) -r <rules_file> Rules file/directory (defaults to value set in configuration file, or /etc/falco_rules.yaml). This option can be passed multiple times to read from multiple files/directories. -s <stats_file> If specified, append statistics related to Falco's reading/processing of events to this file (only useful in live mode). --stats-interval <msec> When using -s <stats_file>, write statistics every <msec> ms. This uses signals, and has a minimum threshold of 100 ms. Defaults to 5000 (5 seconds). -S, --snaplen <len> Capture the first <len> bytes of each I/O buffer. By default, the first 80 bytes are captured. Use this option with caution, it can have a strong performance impact. (default: 0) --support Print support information including version, rules files used, etc. and exit. -T <tag> Disable any rules with a tag=<tag>. This option can be passed multiple times. Can not be mized with -t -t <tag> Only run those rules with a tag=<tag>. This option can be passed multiple times. Can not be mixed with -T/-D. -U, --unbuffered Turn off output buffering to configured outputs. This causes every single line emitted by falco to be flushed which generates higher CPU usage but is useful when piping those outputs into another process or into a script. -u, --userspace Parse events from userspace. To be used in conjunction with the ptrace(2) based driver (pdig) -V, --validate <rules_file> Read the contents of the specified rules(s) file and exit. This option can be passed multiple times to validate multiple files. -v Verbose output. --version Print version number. --page-size Print the system page size (may help you to choose the right syscall ring-buffer size).
Overall, I had so much fun building parsers for memfd_syscall and diving into the Falco's main repository. Going foward, I'll be working on front-end side of things which is very exciting. I'll have to come up with UI/UX designs which takes be back to the days I started my web developemt journey. I'm super ready to flex my creative muscles 😁.