Only processing K8s Audit Logs #1757

Closed
levigross opened this issue Oct 13, 2021 · 12 comments

Comments

@levigross

Motivation
I would like to be able to just use unprivileged (not running as root or with CAP_SYS_ADMIN) Falco to process K8s audit events.

The important bit here is that Falco should be able to do this while running unprivileged (because, as far as I know, all that needs to run is the webserver and the Falco rules engine).

Feature
When Falco is started in user mode and set to ignore the syscall source, don't require Falco to run as root.

Alternatives

Leave things as is....

Additional context

First I want to say that I appreciate the work involved in creating and maintaining an OSS project. Thank you!!

Second, please take this request in a respectful tone (this is something I would like, not something that I am demanding).

Finally, I was looking into doing it, and I would be happy to brainstorm on ideas for implementation (if you find this worthy).

Thanks,
Levi

@FedeDP
Contributor

FedeDP commented Oct 28, 2021

Hi! Thanks for this feature request!
As far as I know, Falco already provides a way to disable syscall monitoring, thus avoiding the need to run as root or with CAP_SYS_ADMIN:
--disable-source syscall -> (see falco -h for more info!)

Is this what you want?

@levigross
Author

I am getting an error running that as nobody :)

@FedeDP
Contributor

FedeDP commented Nov 2, 2021

I'll give it a look!

@FedeDP
Contributor

FedeDP commented Nov 2, 2021

> I am getting an error running that as nobody :)

Would you mind sharing the error?
Thanks!

@levigross
Author

Runtime error: scap_open_live() error creating the process list. Make sure you have root credentials.. Exiting.

@levigross
Author

This is running with:

  1. Dropping all capabilities
  2. Running as nobody

@FedeDP
Contributor

FedeDP commented Nov 3, 2021

> Running as nobody

If you instead run as your user, does it work?
I guess that parsing /proc could be completely skipped in case the syscall source is disabled.
@leogr any hint on this?

@leogr
Member

leogr commented Nov 8, 2021

Hey @levigross
That is interesting. I haven't yet considered the nobody user, which totally makes sense in your use case.

@FedeDP, I agree. I don't see any valid reason to scan /proc if the syscall source is disabled. We shall dig into sinsp::open_nodriver() to know why that is happening.

@poiana
Contributor

poiana commented Feb 6, 2022

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@leogr
Member

leogr commented Feb 7, 2022

/remove-lifecycle stale

Update: we will likely port the current k8s audit log impl. to a plugin that would not require any privilege, capabilities, etc...

I will keep you posted

@jasondellaluce
Contributor

Hey @levigross, keep an eye open for this 👉🏼 #1952

This is the PR that finalizes the porting of K8S Audit to the plugin implementation. Assuming this will get merged soon, from the next release of Falco you'll be able to run Falco in K8S Audit-only mode as a plugin, which should run unprivileged with no issue.

@jasondellaluce
Contributor

This can now be closed, because since #1952 k8s audit log support has been ported to the plugin system. Running it without syscalls is the only supported mode right now.
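The deployment shape this thread converges on (k8saudit plugin only, syscall source disabled, running as nobody with every capability dropped), written out as an added example that is not part of the issue or of the Falco project's own manifests. The `load_plugins`/`plugins` keys follow Falco's plugin configuration format; the image tag, webhook port, config path and rules path are assumptions for illustration.

```yaml
# falco.yaml (fragment): load only the k8saudit source plugin plus the json
# extractor plugin its rules depend on. No syscall source means no /proc scan
# and no driver, so scap_open_live() is never reached.
load_plugins: [k8saudit, json]
plugins:
  - name: k8saudit
    library_path: libk8saudit.so
    init_config: ""
    # Endpoint the API server's audit webhook posts events to (port is an assumption).
    open_params: "http://:9765/k8s-audit"
  - name: json
    library_path: libjson.so
    init_config: ""
---
# Pod spec (fragment): the least-privilege context the reporter used,
# applied at both pod and container level. Tag and paths are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: falco-k8saudit
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 65534      # nobody
    runAsGroup: 65534
  containers:
    - name: falco
      image: falcosecurity/falco-no-driver:<release-with-k8saudit-plugin>
      args:
        - /usr/bin/falco
        - -c
        - /etc/falco/falco.yaml
        - --disable-source     # flag discussed above: do not open the syscall source
        - syscall
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]       # no CAP_SYS_ADMIN, no CAP_SYS_PTRACE, nothing
      ports:
        - containerPort: 9765 # must match open_params above
```

If Falco still exits with the scap_open_live() error under this spec, the syscall source is still being opened, so check that the plugin is actually loaded and the flag reached the binary (`falco -h` lists it, as noted earlier in the thread).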
