This release introduces a new plugin system for adding event sources and event extractors to Falco. The plugin system includes SDKs to simplify development, and this release ships with a new AWS CloudTrail plugin, explains InfoQ.
The new plugin system aims to standardize how additional event sources, known as source plugins, are added to the Falco engine. In addition, extractor plugins can be written that focus on extracting fields from events generated either by the core libraries or by other plugins. Plugins can be written in nearly any language as long as they export the required functions. The preferred language for plugin development is Go, followed by C++, and SDKs have been released for both languages to simplify plugin development.
Falco’s rules engine is able to detect abnormal activity within applications, containers, hosts, and the container platform. It makes use of Linux kernel instrumentation to monitor system calls from the kernel.
Source plugins define a new event source and can also extract field values from the events they generate. The plugin returns the set of fields it supports; these fields can then be used in filtering expressions and Falco rule conditions, combined with relational or logical operators.
Source plugins must also provide a plugin ID, a globally unique value that must be registered within the Falco repository. A new plugin is registered by opening a pull request against the plugin registry file with details of the plugin. If no set is provided, the plugin is presented with all generated events; it is then the plugin’s responsibility to detect values it does not support and react accordingly.
The AWS CloudTrail plugin is able to pick up log files containing CloudTrail events, parse them, and emit one event per log entry. Logs can be obtained from an S3 bucket, an SQS queue that receives SNS notifications, or a local filesystem path. Exported fields include the event time, AWS region, and resource instance name. In addition to the plugin, new rules have been added to monitor for suspicious activity within CloudTrail logs. For example, this rule detects console access without multi-factor authentication:
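The rule text itself is not reproduced here. As an added example (not Falco's rule and not the plugin's code), the following Python mirrors what the plugin and rule do together: parse a CloudTrail log file into one event per record, expose a handful of fields, and flag successful console sign-ins recorded with `MFAUsed: No`. The `ct.*` field names and the sample records are constructed for this illustration.

```python
import json

# Constructed sample CloudTrail log file (a "Records" array); not real data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2021-10-01T12:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2021-10-01T12:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2021-10-01T12:06:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2021-10-01T12:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})

def parse_cloudtrail(text):
    """Parse one CloudTrail log file and return one event (dict) per record."""
    return json.loads(text).get("Records", [])

def extract_fields(event):
    """Flatten the subset of fields a rule condition references (ct.* names assumed)."""
    return {
        "ct.time": event.get("eventTime"),
        "ct.region": event.get("awsRegion"),
        "ct.src": event.get("eventSource"),
        "ct.name": event.get("eventName"),
        "ct.user": (event.get("userIdentity") or {}).get("userName"),
        "ct.login.result": (event.get("responseElements") or {}).get("ConsoleLogin"),
        "ct.mfa": (event.get("additionalEventData") or {}).get("MFAUsed"),
    }

def console_login_without_mfa(fields):
    """Rule condition: a successful console sign-in where MFA was not used."""
    return (fields["ct.name"] == "ConsoleLogin"
            and fields["ct.login.result"] == "Success"
            and fields["ct.mfa"] == "No")

def find_alerts(text):
    """Evaluate the condition over every record; return (time, user, region) matches."""
    return [(f["ct.time"], f["ct.user"], f["ct.region"])
            for f in map(extract_fields, parse_cloudtrail(text))
            if console_login_without_mfa(f)]
```

Failed logins and non-sign-in events fall through the condition, so only the MFA-less successful login is reported.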