Docker Events Plugin
This is a POC for a Falco plugin that gathers events from a local Docker daemon.
⚠️ This is a POC, don't use it in production. Join us on Slack (kubernetes#falco) to discuss it.
Requirements
You need:
- Go >= 1.17
- Falco >= 0.31
- json plugin for Falco
Build
```shell
make
```
Configurations
falco.yaml
```yaml
plugins:
  - name: docker
    library_path: /etc/falco/audit/libdocker.so
    init_config: ''
    open_params: ''
  - name: json
    library_path: /etc/falco/json/libjson.so
    init_config: ""
load_plugins: [docker, json]
stdout_output:
  enabled: true
```
rules.yaml
The source for rules must be docker. See example:
```yaml
- rule: Dummy Rule
  desc: Dummy Rule
  condition: docker.status in (start,create,die)
  output: status=%docker.status from=%docker.from type=%docker.type action=%docker.action name=%docker.attributes.name
  priority: DEBUG
  source: docker
  tags: [docker]
```
Usage
```shell
falco -c falco.yaml -r docker_rules.yaml
```
Results
```
14:53:29.092313000: Debug status=create from=alpine type=container action=create name=pensive_haibt
14:53:29.092787000: Debug status=start from=alpine type=container action=start name=pensive_haibt
14:53:29.092899000: Debug status=die from=alpine type=container action=die name=pensive_haibt
```
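The three result lines above show a container that was created, started and died within about a millisecond. As an added example (not code from this plugin's repository), the Python below parses Falco stdout lines in the format produced by the Dummy Rule and flags containers whose `die` event follows `start` within a configurable window, a simple signal for hit-and-run containers. The sample lines, the `web` container and the one-second threshold are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: stdout lines in the format produced by the "Dummy Rule" above.
SAMPLE_OUTPUT = """\
14:53:29.092313000: Debug status=create from=alpine type=container action=create name=pensive_haibt
14:53:29.092787000: Debug status=start from=alpine type=container action=start name=pensive_haibt
14:53:29.092899000: Debug status=die from=alpine type=container action=die name=pensive_haibt
14:53:40.000000000: Debug status=create from=nginx type=container action=create name=web
14:53:40.100000000: Debug status=start from=nginx type=container action=start name=web
"""

# "<HH:MM:SS.nanoseconds>: <Priority> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+): (?P<prio>\w+) (?P<fields>.*)$")


def parse_line(line):
    """Parse one Falco stdout line into (timestamp, priority, {key: value}), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Falco prints nanoseconds; datetime only stores microseconds, so truncate the fraction.
    hms, frac = m.group("ts").split(".")
    ts = datetime.strptime(f"{hms}.{frac[:6]}", "%H:%M:%S.%f")
    # Assumption: values contain no spaces (true for the fields the Dummy Rule prints).
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return ts, m.group("prio"), fields


def short_lived_containers(output, max_lifetime=timedelta(seconds=1)):
    """Return [(name, image)] for containers whose 'die' follows 'start' within max_lifetime."""
    started = {}   # container name -> timestamp of its start event
    flagged = []
    for line in output.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _prio, f = parsed
        if f.get("type") != "container":
            continue
        name = f.get("name")
        if f.get("status") == "start":
            started[name] = ts
        elif f.get("status") == "die" and name in started:
            if ts - started.pop(name) <= max_lifetime:
                flagged.append((name, f.get("from")))
    return flagged
```

Running `short_lived_containers(SAMPLE_OUTPUT)` flags only `pensive_haibt`; the `web` container started but has no `die` event, so it is not reported.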