[UMBRELLA] Requested Plugins #228

@Issif

Description

In January 2022, Falco introduced the first version of a Plugin framework to extend its available inputs. The framework has been enhanced in the following months to offer something production-ready to adopters.

Existing Plugins

We, the maintainers of Falco, created a bunch of Plugins to replace deprecated features (k8saudit) or to follow widely publicized security events (Okta breach).

Right now, we have registered (excluding dummy plugins)

SDK

To make the development of plugins easier, two SDKs are provided: Go and C++.
We can notice that all plugins have been written in Go, which can be explained by several factors:

  • Go is easier than C++
  • It’s a common language in web development, so in adopters’ infras
  • Falco’s ecosystem already embeds several Go codebases (Falcosidekick, Falcosidekick-UI, Falcoctl, Driverkit, Falco-exporter, Event-generator)

Libs

Writing a plugin from scratch could be complicated for contributors, which is why we could also provide libraries that keep them focused on the extraction logic and not the asides (auth, polling, creating a web server, etc.). The main goal of these libs is to avoid duplicated code across plugins and to keep uniformity.

This approach has been started with two libs for AWS:

  • AWS Session: makes it easy to create a session for the AWS API
  • AWS Cloudwatch: allows setting filters and starts polling log entries from Cloudwatch

To “open” Falco to more sources, we could create shared libs for generic use cases:

  • Web Server: to collect JSON webhook payloads
  • File reader: to follow new entries in a file
  • Kafka: to be a consumer of a topic
  • SQS: to poll a queue
  • RabbitMQ: to be a consumer of an exchange
  • MQTT: for IoT

We also need to address the most common Cloud Providers and their specific log aggregation systems with the basic functions, which are:

  • Authentication to the API
  • Creation of a client for the log service
  • Gathering of logs
  • Looping over the results

By providing these libs, it will be easier for developers to create new plugins for specific use cases with these Cloud Providers.
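A sketch of the “Web Server” shared lib proposed above, added here as an example and not code from the falcosecurity/plugins repository or its SDKs: a reusable collector that accepts JSON webhook payloads over HTTP, bounds body size, rejects malformed JSON, and queues events for a plugin’s extraction logic. The type and method names (WebhookCollector, Next) are assumptions.

```go
package main

import (
	"encoding/json"
	"io"
	"net/http"
	"time"
)

// WebhookCollector is a hypothetical shared lib: it accepts JSON webhook payloads
// over HTTP and queues them for the plugin's extraction logic, which only parses fields.
type WebhookCollector struct {
	Events   chan json.RawMessage // bounded queue consumed by the plugin
	MaxBytes int64                // reject bodies larger than this
}

// ServeHTTP checks method, body size and JSON syntax before queuing the payload.
func (c *WebhookCollector) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, c.MaxBytes))
	if err != nil {
		http.Error(w, "payload too large or unreadable", http.StatusRequestEntityTooLarge)
		return
	}
	if !json.Valid(body) {
		http.Error(w, "invalid JSON", http.StatusBadRequest)
		return
	}
	select {
	case c.Events <- json.RawMessage(body):
		w.WriteHeader(http.StatusAccepted)
	default: // queue full: signal back-pressure rather than dropping silently
		http.Error(w, "queue full, retry later", http.StatusServiceUnavailable)
	}
}

// Next returns the next queued payload, or false if none arrives before timeout.
func (c *WebhookCollector) Next(timeout time.Duration) (json.RawMessage, bool) {
	select {
	case ev := <-c.Events:
		return ev, true
	case <-time.After(timeout):
		return nil, false
	}
}
```

A plugin would register the collector with `http.Handle` and call `Next` from its event loop; the queue size gives a simple back-pressure point when the sender outpaces extraction.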

Plugins

The purpose of this issue is to list the plugins requested by the community, the volunteers to develop them, and their statuses.

The following table will be kept updated so that people do not have to search through N issues.

| Plugin | Description | Issue # | Developer | Repo URL | Status |
| --- | --- | --- | --- | --- | --- |
| k8saudit-gke | Collect K8S Audit Logs from GKE | | @sboschman | | Completed |
| k8saudit-aks | Collect K8S Audit Logs from AKS | #123 | @nissessenap | | In Progress |
| k8saudit-openshift | Collect K8S Audit Logs from OpenShift | | | | Requested |
| redshift | Collect Audit Logs from Redshift | #117 | | | Requested |
| slack | Collect Audit Logs from Slack | | | | Requested |
| k8saudit-admission | Collect Audit Logs from K8S Control Plane through an admission controller | | @RichardoC | https://github.com/RichardoC/k8sadmission | In Progress |

### Tasks
- [ ] https://github.com/falcosecurity/plugins/issues/243
- [ ] https://github.com/falcosecurity/plugins/issues/368
- [ ] https://github.com/falcosecurity/plugins/issues/123
