0

I am using the runtime detection tool Falco to analyse the container behaviour for at least 40 seconds, using filters that detect newly spawning and executing processes, and store the incident file at /opt/falco-incident.txt containing the detected incidents. I am trying to format the output result one per line, in the format [timestamp],[uid],[user-name],[processName]

I created the YAML file audit.yaml:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # Log request metadata for every request. Omitting namespaces, verbs and
  # resources in a rule matches everything (the original "namespace: ''" and
  # "verb: ''" are not valid Policy fields; the list fields are "namespaces"
  # and "verbs").
  - level: Metadata

# The following are not Policy fields. They belong in the kube-apiserver
# manifest (with kubeadm: /etc/kubernetes/manifests/kube-apiserver.yaml),
# under the pod's volumes and the container's volumeMounts respectively:
volumes:
  - name: audit
    hostPath:
      path: /etc/kubernetes/audit.yaml
      type: File
  - name: audit-log
    hostPath:
      path: /var/log/all-resources.log
      type: FileOrCreate
volumeMounts:
  - mountPath: /etc/kubernetes/audit.yaml
    name: audit
    readOnly: true
  - mountPath: /var/log/all-resources.log
    name: audit-log
    readOnly: false

I edited the kube-apiserver manifest by adding these 3 lines:

 - --audit-policy-file=/etc/kubernetes/audit.yaml
 - --audit-log-path=/var/log/all-resources.log
 - --audit-log-maxage=1 

The main question is: how and where do I define the desired output, which should look like this?

[timestamp],[uid],[user-name],[processName]

[timestamp],[uid],[user-name],[processName]

....

O.Man
  • Please provide more details. Are you asking how the default output from Falco can be formatted into the desired one? Or are you asking about k8s audit policy configuration? – Mark May 05 '21 at 14:36
  • Yes, I need to edit the default output from Falco and format it this way: [timestamp],[uid],[user-name],[processName] – O.Man May 05 '21 at 15:30
  • It looks like your audit policy is improper; please refer to [Audit policy](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy), especially [Log backend] and [Webhook backend]. In audit.k8s.io/v1 we don't have parameters like mountPath or hostPath; they should be specified in the kube-apiserver yaml file. Please provide the yaml/deployment used, the current audit events and the Falco events, preferably in JSON format. Did you try [program_output](https://falco.org/docs/alerts/#program-output-example-posting-to-a-slack-incoming-webhook) in the Falco config and pipe the output into jq? – Mark May 11 '21 at 13:59
  • Is there a way to print the output in this format? – Vaibhav Jain Jul 20 '21 at 21:42

2 Answers

2

I think you are going in the wrong direction. The question specifies using the Falco tool, so you need to edit the falco_rules.local.yaml file. This has nothing to do with the auditing policy. It could be something like this:

- rule: spawned_process_in_container
  desc: A process was spawned (execve completed) inside a container.
  # container.id != host restricts the rule to processes in any container
  # rather than to a container literally named "pod"; evt.dir = < selects the
  # exit of execve, at which point proc.name holds the new program's name.
  condition: container.id != host and evt.type = execve and evt.dir = <
  # The output string is the CSV line: time, numeric uid, user name, process.
  output: "%evt.time,%user.uid,%user.name,%proc.name"
  priority: ERROR

And when you run it, you can use the command below to run it for 40 seconds:

falco -M 40 -r /etc/falco/falco_rules.local.yaml > log.txt

This will run Falco for 40 seconds with your given conditions and push the result in your desired format to the log.txt file.

P.S: I know this is quite late to answer but someone else might benefit from this.

Sammy
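One caveat a practitioner will hit with the answer above: when Falco writes alerts to stdout in text mode, it prefixes every line with "<evt.time>: <Priority> ", so a plain redirect produces "14:36:40.123456789: Error 14:36:40.123456789,0,root,bash" rather than the bare CSV line. The script below is an added example, not code from either answer or from the Falco project: it writes the rule to a file and defines a small filter that strips that prefix before the line reaches the incident file. The rule path /etc/falco/rules.d/spawned.yaml, the incident file /opt/falco-incident.txt and the sample Falco lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or the Falco project): write a
# Falco rule whose output string is already the requested CSV payload, and
# post-process Falco's stdout into "[timestamp],[uid],[user-name],[processName]".
# Assumed paths (not in the original page): /etc/falco/rules.d/spawned.yaml
# for the rule and /opt/falco-incident.txt for the incidents.

# Write the rule file. The output string carries only the four requested
# fields; Falco itself prepends "<evt.time>: <Priority> " on stdout.
write_rule_file() {
    cat > "$1" <<'EOF'
- rule: spawned_process_in_container
  desc: A process was spawned (execve completed) inside any container.
  # container.id != host excludes processes running on the node itself;
  # evt.dir = < selects the exit of execve, when proc.name is the new program.
  condition: container.id != host and evt.type = execve and evt.dir = <
  output: "%evt.time,%user.uid,%user.name,%proc.name"
  priority: ERROR
EOF
}

# Strip the "<time>: <Priority> " prefix Falco adds to every text-mode alert,
# leaving the comma-separated fields from the rule's output string.
falco_to_csv() {
    sed -E 's/^[^ ]+: [A-Za-z]+ //'
}

# Constructed sample of Falco's stdout for the rule above (not captured from
# a real node).
SAMPLE_FALCO_OUTPUT='14:36:40.123456789: Error 14:36:40.123456789,0,root,bash
14:36:41.987654321: Error 14:36:41.987654321,1000,app,curl'

# Convert the constructed sample; returns the CSV lines on stdout.
demo() {
    printf '%s\n' "$SAMPLE_FALCO_OUTPUT" | falco_to_csv
}

# On a live node (not run here), capture for 40 seconds and store the
# formatted incidents. Falco's own log messages go to stderr, alerts to stdout:
#   write_rule_file /etc/falco/rules.d/spawned.yaml
#   falco -M 40 -r /etc/falco/rules.d/spawned.yaml 2>/dev/null \
#       | falco_to_csv > /opt/falco-incident.txt
```

Two things to expect in the real output: Falco prints the literal <NA> for a field it cannot resolve (user.name in a container without an /etc/passwd entry for that uid is the common case), so the third column is not guaranteed to be a name; and the rule only fires for exec events, so a process already running when the 40-second capture starts is never listed.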
0

The custom rule should be defined in the file /etc/falco/falco_rules.local.yaml. Please check the rules already present in /etc/falco/falco_rules.yaml and use the same format to define the new rules.

  • Is there a way to print the output in this format? – Vaibhav Jain Jul 20 '21 at 21:41