Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Runtime Security Project Falco Adds Extensible Plugin Framework

Runtime Security Project Falco Adds Extensible Plugin Framework

This item in japanese

Falco, a cloud-native runtime security project, has released version 0.31.0. This release introduces a new plugin system for defining additional event sources and event extractors to Falco. The plugin system includes SDKs to simplify development and this release ships with a new AWS CloudTrail plugin.

Falco can detect and alert on behaviors that make Linux system calls. Falco's rules engine is able to detect abnormal activity within applications, containers, hosts, and the container platform. It makes use of Linux kernel instrumentation to monitor system calls from the kernel. Alerts can be triggered on the use of specific system calls, the arguments to those calls, or by the properties of the calling process. These rules include behaviors such as privilege escalation using privileged containers, namespace changes, read/writes to well-known directories, or creating symlinks.

The new plugin system added in this release aims to standardize how additional event sources, known as source plugins, can be added to the Falco engine. In addition to source plugins, extractor plugins can be written that focus on field extraction from events generated either by the core libraries or other plugins. Plugins can be written in nearly any language as long as they export the required functions. However, the preferred language for plugin development is Go followed by C++ with SDKs released for both languages to simplify plugin development.

Falco architecture with new plugin framework

Falco architecture with new plugin framework (source: Falco)

Source plugins define a new event source and are able to extract information from events based on fields. Once extracted, the plugin returns a set of supported fields upon which filtering expressions or Falco rule conditions can be used in combination with relational or logical operators. Events returned by source plugins specify an event source. This is distinct from the plugin's name to allow for multiple plugins to specify the same event source.

Source plugins must also provide a plugin ID, which is a globally unique value and must be registered within the Falco repository. This ID is saved in in-memory event objects and is later used to identify the associated plugin that injected the event. It is also saved in capture files and used to recreate the in-memory event objects when later reading the capture files. A new plugin can be registered by opening a pull request with details on the plugin against the plugin registry file.

The second type of plugin, extractor plugins, do not provide a new event source and instead extract fields from other event sources. Extractor plugins can optionally provide a set of event sources that they will parse events from. If no set is provided, the plugin will be presented with all generated events. It is the plugin's responsibility to detect values it does not support and react accordingly.

It should be noted that plugins are trusted code within Falco and run within the same thread and address space as Falco. As such it is possible for plugins to crash Falco. The assumption by the Falco team is that the user is controlling and monitoring plugin loading.

The new AWS Cloudtrail plugin is able to fetch log files containing Cloudtrail events, parse these files, and emit events for each log entry. Logs can be obtained from an S3 bucket, am SQS queue that emits SNS notifications, or a local filesystem path. Exported fields include the event time, AWS region, and resource instance name. In addition to the plugin, new rules have been added to monitor for suspicious activity within Cloudtrail logs. For example, this rule detects console access without multi-factor authentication:

- rule: Console Login Without MFA
  desc: Detect a console login without MFA.
  condition:"ConsoleLogin" and ct.error=""
    and json.value[/userIdentity/type]!="AssumedRole" and json.value[/responseElements/ConsoleLogin]="Success"
    and json.value[/additionalEventData/MFAUsed]="No"
    Detected a console login without MFA (requesting user=%ct.user, requesting IP=%ct.srcip, AWS region=%ct.region)
  priority: CRITICAL
  source: aws_cloudtrail

The changelog contains more details on these changes and additional improvements within the release. Falco is open-source and available for download under the Apache 2.0 license. The team has regular office hours to support users.

About the Author

Rate this Article