k8saudit plugin - Log File Backend, recursively check the directory #182

Closed
AleksVAnd opened this issue Oct 18, 2022 · 7 comments · Fixed by #184
Assignees
Labels
kind/bug Something isn't working

Comments

@AleksVAnd
Contributor

AleksVAnd commented Oct 18, 2022

Describe the bug

The k8s audit plugin doesn't recursively search the directory for log files.

How to reproduce it

For retention purposes, configure k8s to save audit logs as files. Modify the values.yaml of to mount the volume from the host to /var/log/k8saudit on the Falco containers. Configure the plugin's open_params to point to the container audit directory.

Expected behaviour

According to the Falco book (O'Reilly, 2022, page 153), for log files the config should be with ">":
```yaml
open_params: >
  /file/path
```

The greater than (>) sign includes the carriage return (\n) which is an invalid symbol for the Golang URL parser. It worked when I just typed the URL on the same line as the key.

Falco opens the directory, recursively searches the contents and parses each audit file it finds.

Evidence

```
pod/falco-fusion-falco-66b76889c4-47lzk
Tue Oct 18 08:08:00 2022: Falco version 0.32.2
Tue Oct 18 08:08:00 2022: Falco initialized with configuration file /etc/falco/falco.yaml
Tue Oct 18 08:08:00 2022: Loading plugin (k8saudit) from file /usr/share/falco/plugins/libk8saudit.so
Tue Oct 18 08:08:00 2022: Loading plugin (json) from file /usr/share/falco/plugins/libjson.so
Tue Oct 18 08:08:00 2022: Configured rules filenames:
Tue Oct 18 08:08:00 2022:    /etc/falco/falco_rules.yaml
Tue Oct 18 08:08:00 2022:    /etc/falco/falco_rules.local.yaml
Tue Oct 18 08:08:00 2022: Loading rules from file /etc/falco/falco_rules.yaml:
Tue Oct 18 08:08:00 2022: Loading rules from file /etc/falco/falco_rules.local.yaml:
Tue Oct 18 08:08:00 2022: Watching /etc/falco/falco.yaml
Tue Oct 18 08:08:00 2022: Watching /etc/falco/falco_rules.yaml.
Tue Oct 18 08:08:00 2022: Watching /etc/falco/falco_rules.local.yaml.
Tue Oct 18 08:08:00 2022: Starting internal webserver, listening on port 8765
Events detected: 0
Rule counts by severity:
Triggered rules by rule name:
Syscall event drop monitoring:
   - event drop detected: 0 occurrences
   - num times actions taken: 0
Error: read /var/log/k8saudit: is a directory
```

Environment

  • Falco version:
    0.32.2
  • System info:
    23~20.04.2-Ubuntu SMP
  • Cloud provider or hardware configuration:
  • OS:
    NAME="Ubuntu"
    VERSION="20.04.5 LTS (Focal Fossa)"
  • Kernel:
    Linux testlab-0 5.15.0-1017-gcp 23~20.04.2-Ubuntu SMP x86_64
  • Installation method:
    Helm chart

Additional context

None
@AleksVAnd AleksVAnd added the kind/bug Something isn't working label Oct 18, 2022
@leogr
Member

leogr commented Oct 18, 2022

Hey @AleksVAnd

Thank you for reporting this!

A book author here, and IMO you are right 😸 The example in the book with > is misleading, and the plugin (written in Go) does not handle the \n.

We should consider fixing this in Falco (since the yaml conversion happens there) or in the plugin. 🤔 cc @jasondellaluce

@jasondellaluce
Contributor

I think this should be fixed on two fronts:

  1. Trimming the string on Falco before passing it to the plugin
  2. Supporting the directory traversal in the k8saudit plugin, which is something we don't have so far

@AleksVAnd
Contributor Author

AleksVAnd commented Oct 18, 2022

Thank you for the quick response! There seems to be a nice module for this https://github.com/karrick/godirwalk
UPDATE: https://engineering.kablamo.com.au/posts/2021/quick-comparison-between-go-file-walk-implementations
Some benchmarking from 2021 shows the native filepath.WalkDir is as good as or better than other implementations.

@AleksVAnd
Contributor Author

AleksVAnd commented Oct 20, 2022

Thank you, Yarden. The audit log configuration for Kubernetes includes rotation of the files but it's a flat structure - only a single directory. Therefore, it is not necessary to recursively search the input path.

I would like to try and implement a for loop logic in k8saudit.go - please assign me.
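An added example, not code from the k8saudit plugin or from Falco, covering both fronts raised above: the trim-before-parse fix for the trailing "\n" that a YAML folded scalar leaves on open_params, and listing the audit files with the standard-library filepath.WalkDir, with a switch between the flat layout kube-apiserver rotation produces and a recursive walk. Function names, the recurse flag and the sample path are my own assumptions.

```go
package main

import (
	"fmt"
	"io/fs"
	"net/url"
	"path/filepath"
	"strings"
)

// pathFromOpenParams turns the open_params value into a filesystem path.
// A YAML folded scalar (">") leaves a trailing "\n", which net/url rejects
// as a control character: trim=false reproduces the reported failure,
// trim=true is the "trim on the Falco side" fix proposed in the thread.
func pathFromOpenParams(raw string, trim bool) (string, error) {
	if trim {
		raw = strings.TrimSpace(raw)
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	return u.Path, nil
}

// auditLogFiles lists regular files under dir via filepath.WalkDir; recurse=false
// keeps to the flat layout kube-apiserver log rotation produces.
func auditLogFiles(dir string, recurse bool) ([]string, error) {
	var files []string
	err := filepath.WalkDir(dir, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr // e.g. the directory does not exist
		}
		if d.IsDir() {
			if !recurse && p != dir {
				return filepath.SkipDir // stay in the top-level directory
			}
			return nil
		}
		files = append(files, p)
		return nil
	})
	return files, err
}

func main() {
	_, err := pathFromOpenParams("/var/log/k8saudit\n", false) // constructed input
	fmt.Println("untrimmed open_params:", err)
	fmt.Println(auditLogFiles("/var/log/k8saudit", false))
}
```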

@jasondellaluce
Contributor

Since falcosecurity/falco#2267 already addresses the fixes on the Falco side, I'm gonna move this issue to falcosecurity/plugins for clarity.

@jasondellaluce jasondellaluce transferred this issue from falcosecurity/falco Oct 20, 2022
@jasondellaluce
Contributor

> I would like to try and implement a for loop logic in k8saudit.go - please assign me.

/assign AleksVAnd

It would be great if you're willing to help making these changes to the k8saudit plugin! Please let me know if you encounter any difficulties.

@AleksVAnd
Contributor Author

Thank you for the guidance, Jason! I look forward to becoming more experienced in Falco and contributing further.
