Kris Nóva kris-nova Sysdig San Francisco https://nivenly.com v important business lady

hjacobs/kubernetes-on-aws-users 110

List of companies/organizations running Kubernetes on AWS

falcosecurity/falcoctl 41

Administrative tooling for Falco.

falcosecurity/falco-kubernetes-workshop 17

A lightweight workshop build on the shoulders of giants.

freebsd-docker/kubernetes-bootstrap 9

Tools to bootstrap kubernetes on FreeBSD

franktheunicorn/predict-pr-comments 7

Predict comments on PRs

devinteske/figput 3

Configuration Putter

kris-nova/apiserver-builder 1

apiserver-builder implements libraries and tools to quickly and easily build Kubernetes apiservers to support custom resource types

kris-nova/audacity 1

Audio Editor. Developer list at https://lists.sourceforge.net/lists/listinfo/audacity-devel

kris-nova/azkabin 1

Magical executables for working with Azure

issue opened falcosecurity/falco

Error running with eBPF on Kernel >= 5.8.5


Describe the bug

Running Falco with BPF on kernels 8.5 and 9 results in a runtime error


How to reproduce it

Compile Falco 0.26.1

git clone git@github.com:falcosecurity/falco.git
cd falco
git checkout tags/0.26.1 -b tag-0.26.1
mkdir build
cd build
cmake ../ \
      -DBUILD_BPF="ON" \
      -DBUILD_WARNINGS_AS_ERRORS="OFF" \
      -DCMAKE_BUILD_TYPE="Release" \
      -DCMAKE_INSTALL_PREFIX="/usr" \
      -DFALCO_ETC_DIR="/etc/falco" \
      -DUSE_BUNDLED_DEPS=ON
make bpf
make falco
sudo cp driver/bpf/probe.o /root/.falco/falco-bpf.o
sudo cp userspace/falco/falco /usr/bin/falco

Run Falco with eBPF

sudo FALCO_BPF_PROBE="" falco

Runtime Error

1178: (25) if r1 > 0x80 goto pc+679
 R0=inv(id=0) R1_w=inv(id=0,umax_value=128,var_off=(0x0; 0xff)) R2_w=inv(id=0) R3_w=map_value(id=0,off=0,ks=4,vs=1612,imm=0) R5_w=inv(id=0) R6_w=ctx(id=0,off=0,imm=0) R7_w=map_value(id=0,off=0,ks=4,vs=77,imm=0) R8=inv(id=0) R9=inv4294967294 R10=fp0 fp-72=mmmmmmmm fp-80=map_value fp-88=map_value fp-96=map_value fp-104=map_value fp-112=map_value fp-120=ctx fp-128=map_value fp-136=mmmmmmmm fp-144=mmmmmmmm fp-152=map_value fp-160=inv16 fp-168=mmmmmmmm fp-176=map_value fp-184=mmmmmmmm fp-192=mmmmmmmm
1179: (79) r1 = *(u64 *)(r10 -96)
1180: (bf) r3 = r8
1181: (85) call bpf_probe_read#4
R2 min value is negative, either use unsigned or 'var &= const'
processed 2228 insns (limit 1000000) max_states_per_insn 1 total_states 93 peak_states 93 mark_read 39
Wed Oct 28 10:40:39 2020: Runtime error: bpf_load_program() err=13 event=filler/sys_read_x message=0: (bf) r6 = r1
1: (b7) r1 = 0
2: (63) *(u32 *)(r10 -72) = r1
last_idx 2 first_idx 0
regs=2 stack=0 before 1: (b7) r1 = 0
3: (bf) r2 = r10
4: (07) r2 += -72
5: (18) r1 = 0xffff8e787d0b4400
7: (85) . Exiting.


Environment


  • Falco version: 0.26.1
  • System info:
{
  "machine": "x86_64",
  "nodename": "emily",
  "release": "5.9.1-arch1-1",
  "sysname": "Linux",
  "version": "#1 SMP PREEMPT Sat, 17 Oct 2020 13:30:37 +0000"
}


  • Cloud provider or hardware configuration:
  • OS: Arch
  • Kernel: Linux emily 5.9.1-arch1-1
  • Installation method: Compile from source


created time in 7 hours
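The verifier output in this report says the size argument handed to `bpf_probe_read` (register R2) has a possibly negative minimum value: the filler for the `sys_read` exit event reuses the signed syscall return value, which is `-errno` on failure, as a length. Below is an added userspace C model of the idiom the verifier message itself suggests ("use unsigned or 'var &= const'"). It is illustrative code written for this page, not the Falco probe's filler and not the fix the project shipped; the names `naive_len`, `bounded_len`, `copy_read_result` and `demo_copy`, the constructed 64-byte "user buffer" and the 4096-byte scratch size are all assumptions made for the example.

```c
/* Constructed userspace model of the bound-check idiom the BPF verifier asks
 * for in "R2 min value is negative, either use unsigned or 'var &= const'".
 * This is NOT Falco's filler code; it only mirrors the shape of the problem:
 * a signed syscall return value (which may be -errno) is reused as the size
 * argument of a bpf_probe_read-style copy. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Scratch area size; a power of two so that SCRATCH_SIZE - 1 is a bit mask. */
#define SCRATCH_SIZE 4096u
#define SCRATCH_MAX  (SCRATCH_SIZE - 1)

/* The rejected shape: the size argument is the raw signed return value.
 * A verifier cannot prove this is non-negative, so it refuses the program. */
static long naive_len(long retval)
{
    return retval;
}

/* The accepted shape: reject -errno, clamp, then mask with a constant.
 * After the clamp the mask changes nothing at runtime, but it is what lets
 * a verifier derive a tight [0, SCRATCH_MAX] range for the size register. */
static uint32_t bounded_len(long retval)
{
    if (retval < 0)
        return 0;                      /* read(2) failed: nothing was written */
    uint32_t len = (uint32_t)retval;   /* unsigned, as the message suggests */
    if (len > SCRATCH_MAX)
        len = SCRATCH_MAX;             /* never exceed the scratch area */
    return len & SCRATCH_MAX;          /* 'var &= const', the verifier's idiom */
}

/* Stand-in for the bpf_probe_read(dst, size, src) call in the filler: copy
 * bounded_len(retval) bytes of the user buffer into scratch.
 * Returns the number of bytes copied. */
static size_t copy_read_result(uint8_t *scratch, const uint8_t *user_buf,
                               size_t user_buf_len, long retval)
{
    uint32_t n = bounded_len(retval);
    if (n > user_buf_len)
        n = (uint32_t)user_buf_len;    /* constructed buffer is smaller than scratch */
    memcpy(scratch, user_buf, n);
    return n;
}

/* Runs one constructed scenario end to end and returns the bytes copied. */
static size_t demo_copy(long retval)
{
    uint8_t scratch[SCRATCH_SIZE];
    uint8_t user_buf[64];                         /* constructed read(2) payload */
    memset(user_buf, 'A', sizeof user_buf);
    return copy_read_result(scratch, user_buf, sizeof user_buf, retval);
}

int main(void)
{
    printf("naive_len(-EFAULT)   = %ld (negative: a verifier rejects this)\n",
           naive_len(-EFAULT));
    printf("bounded_len(-EFAULT) = %u\n", bounded_len(-EFAULT));
    printf("bounded_len(64)      = %u\n", bounded_len(64));
    printf("bounded_len(100000)  = %u\n", bounded_len(100000));
    printf("demo_copy(64)        = %zu bytes copied\n", demo_copy(64));
    printf("demo_copy(-EFAULT)   = %zu bytes copied\n", demo_copy(-EFAULT));
    return 0;
}
```

The clamp and the mask do different jobs: the clamp keeps the copy inside the scratch area, while the mask against a power-of-two constant is what gives a verifier a provable upper bound on the register. Without the clamp, the mask alone would wrap a legitimate 4096-byte result to 0, so the two belong together.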

issue comment falcosecurity/falco

Can't build eBPF driver

Checkout Falco (I am using 0.26.1) and stage the build directory for BPF

git clone git@github.com:falcosecurity/falco.git
mkdir build
cd build
cmake ../ \
      -DBUILD_BPF="ON" \
      -DBUILD_WARNINGS_AS_ERRORS="OFF" \
      -DCMAKE_BUILD_TYPE="Release" \
      -DCMAKE_INSTALL_PREFIX="/usr" \
      -DFALCO_ETC_DIR="/etc/falco" \
      -DUSE_BUNDLED_DEPS=ON

Then you need to add #define KBUILD_MODNAME "falco" in sysdig-repo/sysdig-prefix/src/sysdig/driver/driver_config.h

#pragma once

#define PROBE_VERSION "2aa88dcf6243982697811df4c1b484bcbe9488a2"

#define PROBE_NAME "falco"

#define PROBE_DEVICE_NAME "falco"

#define KBUILD_MODNAME "falco"   /* <------ Add this! */
brantcolemanthis

comment created time in 10 hours

push event kris-nova/public-speaking

Kris Nóva

commit sha c9fb814e91c3fbad88ed9c8b3d41a349d309c78a

adding changes


push time in 10 hours

pull request comment falcosecurity/falco

Falco build for ARM armv7 armv6

Let's start talking about this https://lists.cncf.io/g/cncf-falco-dev/topic/working_group_arm/77492914

kris-nova

comment created time in 15 days

push event kris-nova/hack

Kris Nóva

commit sha e79fade34575e59242c6616d274fa7e778b0c67e

feat(hacking): Working on in cluster permissions - RBAC next Signed-off-by: Kris Nóva <kris@nivenly.com>


push time in 18 days

push event kris-nova/hack

Kris Nóva

commit sha 1f327c4d0ed393c6aea49c2d1af646fc7c6990c2

feat(demo): Working demo Signed-off-by: Kris Nóva <kris@nivenly.com>


push time in 18 days

push event kris-nova/hack

Kris Nóva

commit sha 0b765f9153cf593fcb7e3f18a06393e8958878d4

feat(init): Adding initial workflow Signed-off-by: Kris Nóva <kris@nivenly.com>


Kris Nóva

commit sha a6bfa1246163cde197c85a8f6adbbf7307ea562d

feat(init): Building workflow... Signed-off-by: Kris Nóva <kris@nivenly.com>


push time in 18 days

issue comment kubernetes/client-go

Building with go modules suddenly returns 'cannot find module providing package'

For anyone trying to use 1.19 client-go I found this was what I needed to use

go mod init
go mod vendor
go mod download

Running Go 1.15

// go.mod

require (
	k8s.io/api v0.19.1
	k8s.io/apimachinery v0.19.1
	k8s.io/client-go v0.19.1
)

Took me a while to find this - adding the language above to help others looking for a solution here. Also important to note that I had to reset my cache after building a previous version of the libraries as well.

SimonTheLeg

comment created time in 18 days

create branch kris-nova/hack

branch : main

created branch time in 18 days

created repository kris-nova/hack

Hacking on Kubernetes

created time in 18 days

fork kris-nova/gobpf

Go bindings for creating BPF programs.

fork in 18 days

issue closed kris-nova/public-speaking

ContainerDays 2020, June 22-24


Name of the event: ContainerDays

Links to the event (main website, schedule, marketing, etc): https://www.containerdays.io/

List of full days Nova would be needed: Either June 23 or June 24

City, Country: Hamburg, Germany

Any help with travel and lodging?: Sure. We can cover travel cost.

Anything else? Audience size? Why would I find this useful? What would you like for me to speak about?: ContainerDays is a three-day conference about containerization, microservices, Kubernetes and cloud native technologies. With 1100 participants, CDS is the largest container conference in Europe with plenty of networking opportunities in a relaxed atmosphere. You are one of the top speakers in the Kubernetes community and our attendees would love to hear you speaking at CDS.

closed time in 20 days

mirabellaatloodse

started anthraxx/linux-hardened

started time in 20 days

push event falcosecurity/community

Kris Nóva

commit sha 9425fcceb1d9572ef4690029b925d9cb2ede27d5

feat(docs): Fixing typo in meeting notes README.md Signed-off-by: Kris Nóva <kris@nivenly.com>


push time in 21 days

create branch falcosecurity/community

branch : release-meeting-notes.md

created branch time in 21 days

PR opened falcosecurity/falco

feat(docs): Adding meeting notes step to RELEASE.md

Signed-off-by: Kris Nóva <kris@nivenly.com>

<!-- Thanks for sending a pull request! Here are some tips for you:

  1. If this is your first time, please read our contributor guidelines in the CONTRIBUTING.md file and learn how to compile Falco from source here.
  2. Please label this pull request according to what type of issue you are addressing.
  3. Please add a release note!
  4. If the PR is unfinished while opening it specify a wip in the title before the actual title, for example, "wip: my awesome feature" -->

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

If contributing rules or changes to rules, please make sure to also uncomment one of the following lines:

/kind rule-update

/kind rule-create

<!-- Please remove the leading whitespace before the /kind <> you uncommented. -->

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area engine

/area rules

/area tests

/area proposals

<!-- Please remove the leading whitespace before the /area <> you uncommented. -->

What this PR does / why we need it:

Which issue(s) this PR fixes:

<!-- Automatically closes linked issue when PR is merged. Usage: Fixes #<issue number>, or Fixes (paste link of issue). If PR is kind/failing-tests or kind/flaky-test, please post the related issues/tests in a comment and do not use Fixes. -->

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

<!-- If no, just write "NONE" in the release-note block below. If yes, a release note is required: Enter your extended release note in the block below. If the PR requires additional action from users switching to the new release, prepend the string "action required:". For example, action required: change the API interface of the rule engine. -->

NONE
+10 -0

0 comment

1 changed file

pr created time in 21 days

create branch falcosecurity/falco

branch : release-note-update

created branch time in 21 days

release falcosecurity/falco

0.26.0

released time in a month

created tag falcosecurity/falco

tag 0.26.0

Cloud Native Runtime Security

created time in a month

push event falcosecurity/falco

Kris Nóva

commit sha 20f5e5d35ad4f8d7c808037e8c52ed9e4279bb68

feat(release): Release 0.26 Cutting release for 0.26.0 and starting 0.27.0 Signed-off-by: Kris Nóva <kris@nivenly.com>


Kris Nóva

commit sha 404762bd34138e8915b9817c4d2160008dd2ceab

feat(release): Updating notes according to PR Signed-off-by: Kris Nóva <kris@nivenly.com>


push time in a month

PR merged falcosecurity/falco

Reviewers
feat(release): Release 0.26
Labels: approved, dco-signoff: yes, lgtm, release-note-none, retest-not-required-docs-only, size/M

Cutting release for 0.26.0 and starting 0.27.0

Signed-off-by: Kris Nóva <kris@nivenly.com>

NONE
+42 -4

2 comments

2 changed files

kris-nova

pr closed time in a month


delete tag falcosecurity/falco

delete tag : 0.26.0

delete time in a month

PR closed falcosecurity/falco

Reviewers
feat(release): Release 0.26
Labels: dco-signoff: yes, release-note-none, retest-not-required-docs-only, size/M

Cutting release for 0.26.0 and starting 0.27.0

Signed-off-by: Kris Nóva <kris@nivenly.com>

NONE
+42 -4

1 comment

2 changed files

kris-nova

pr closed time in a month

push event falcosecurity/falco

Kris Nóva

commit sha 037864f4de9c51bf8b358a8ac86202721bf20555

feat(release): Updating notes according to PR Signed-off-by: Kris Nóva <kris@nivenly.com>


push time in a month

Pull request review comment falcosecurity/falco

feat(release): Release 0.26

 # Change Log +## v0.26.0++Released on 2020-24-09++### Major Changes++* new: Address several sources of FPs, primarily from GKE environments. [[#1372](https://github.com/falcosecurity/falco/pull/1372)]
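Review bot: the date in `+Released on 2020-24-09` is not a valid year-month-day date (there is no month 24) and should presumably read `Released on 2020-09-24`; the blog front matter elsewhere on this page uses `date: 2020-09-23`, so keep the same YYYY-MM-DD form. On the same hunk, the `new:` prefix on the FP-reduction bullet under "Major Changes" conflicts with the follow-up comment that it was changed to `rule:` and moved to the rules section, so the change-log category prefixes should be settled before merge.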

I changed this to rule: instead of new: and moved the line to the third section

kris-nova

comment created time in a month


Pull request review comment falcosecurity/falco

feat(release): Release 0.26

 # Change Log +## v0.26.0++Released on 2020-24-09++### Major Changes++* new: Address several sources of FPs, primarily from GKE environments. [[#1372](https://github.com/falcosecurity/falco/pull/1372)]

I don't understand what you are saying. What should I change what to? Do we have expectations about a pull request that changes rules? Can you please make a suggestion so that I understand what you are suggesting I do?

kris-nova

comment created time in a month


release falcosecurity/falco

0.26.0

released time in a month

created tag falcosecurity/falco

tag 0.26.0

Cloud Native Runtime Security

created time in a month

PR opened falcosecurity/falco

feat(release): Release 0.26

Cutting release for 0.26.0 and starting 0.27.0

Signed-off-by: Kris Nóva <kris@nivenly.com>

NONE
+43 -4

0 comment

2 changed files

pr created time in a month

create branch falcosecurity/falco

branch : 0.26.0

created branch time in a month

started leodido/rn2md

started time in a month

push event falcosecurity/falco-website

Kris Nóva

commit sha 4f08c6720361bf8d9cf1078258d1ea7454c10c33

feat(blog): Updating EKS suggestion Signed-off-by: Kris Nóva <kris@nivenly.com>


push time in a month


Pull request review comment falcosecurity/falco-website

feat(blog): Choosing a driver

+---+title: Choosing a Falco driver+description: Understanding which Falco driver is right for you+date: 2020-09-23+author: Kris Nóva+---++Falco works by taking Linux system call information at runtime, and rebuilding the state of the kernel in memory.+The Falco engine depends on a driver in order to consume the raw stream of system call information.+Currently the Falco project supports 3 different drivers in which the engine can consume this information.++ - A kernel module+ - An eBPF probe+ - A ptrace(2) userspace program + +This blog will highlight the nuances of each implementation and explain why they exist. +Hopefully this resource will give you a starting point for understanding which driver is right for your use case.++*Updated: Falco 0.26.0*++---++## Kernel Module++The Falco Kernel module is the traditional way of consuming the required stream of data from the kernel.++_Source_: [github.com/draios/sysdig/driver](https://github.com/draios/sysdig/tree/dev/driver)++The kernel module must be loaded in order for Falco to start.+The kernel module depends on the `linux-headers` package in order to compile. 
[More information+](https://falco.org/docs/source/).++_Note_: A convenience script found [here](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader)++#### Using the kernel module+ +```bash+cd ~+git clone git@github.com/falcosecurity/falco+cd falco+mkdir build+cd build+cmake ../ \+      -DBUILD_BPF=OFF \+      -DBUILD_WARNINGS_AS_ERRORS="OFF" \+      -DCMAKE_BUILD_TYPE="Release" \+      -DCMAKE_INSTALL_PREFIX="/usr" \+      -DFALCO_ETC_DIR="/etc/falco" \+      -DUSE_BUNDLED_DEPS=ON+make driver+sudo insmod driver/falco.ko+sudo falco+```++#### Pros++The kernel module is the most commonly used driver for Falco and can be used in any environment where loading a kernel module is trusted and viable.++ - The module can be built, hosted, and installed directly onto a hosted system.+ - The Falco community offers [limited support](https://falco.org/docs/installation/) for pre-building kernel modules.+ - Will work regardless of kernel version (as compared to eBPF below)++#### Cons++ - Tightly coupled with the host kernel and changing kernel versions, architecture, operating systems can introduce complexity.+ - A faulty kernel module could potentially panic or crash a Linux kernel.+ - Loading a kernel module is not always trusted or allowed in some environments.+ +#### Summary ++Kernel modules are the quickest, and most common way to run Falco. They are a viable solution in any environment where access to the host kernel is trusted.++ - Kubernetes + - AWS EC2 (kops, eks, kubeadm) Anywhere access to the host is allowed+ - Azure + - IBM Cloud+ + ---+ +## eBPF Probe++The Falco eBPF probe is a viable option in environments where kernel modules are not trusted or are not allowed but eBPF programs are.+The most common example of this environment is GKE. 
Running Falco in GKE was the original use case for creating the eBPF probe.++_Source_: [github.com/draios/sysdig/driver/bpf](https://github.com/draios/sysdig/tree/dev/driver/bpf)++The eBPF probe must be loaded in order for Falco to start, and will provide the same stream of metrics that the kernel module does.+Falco should work seamlessly with this approach.++#### Using the eBPF probe++_Note_: Notice the `-DBUILD_BPF=ON` flag+_Note_: A convenience script found [here](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader)++```bash+cd ~+git clone git@github.com/falcosecurity/falco+cd falco+mkdir build+cd build+cmake ../ \+      -DBUILD_BPF=ON \+      -DBUILD_WARNINGS_AS_ERRORS="OFF" \+      -DCMAKE_BUILD_TYPE="Release" \+      -DCMAKE_INSTALL_PREFIX="/usr" \+      -DFALCO_ETC_DIR="/etc/falco" \+      -DUSE_BUNDLED_DEPS=ON+make bpf+cp driver/bpf/falco.o ${HOME}/.falco/probe.o+sudo falco+```++#### Pros++ - The eBPF probe can be ran in environments like GKE where loading a kernel module is not an option.+ - eBPF is considered safer, and unable to crash or panic a kernel. The eBPF code is already compiled into a Linux kernel, and is simply enabled using the eBPF program.+ - The eBPF probe can be dynamically loaded into a kernel at runtime, and does not require using tools like `dkms`, `modprobe`, or `insmod` to load the program.++#### Cons++ - The eBPF probe does not work for every system.+ - You need at least Linux kernel version 4.4 or, preferably, 4.9 to run eBPF. 
The Falco project suggests a LTS 4.14/4.19 or above.++#### Summary ++The eBPF probe should be used when loading a kernel module is not a viable option.+Reasons for not loading a kernel module may change, and in this case the eBPF probe is the default.++ - Kubernetes+ - GKE+ - Environments where loading a kernel module is untrusted or not supported+ + ---+ +## pdig++The `pdig` binary is the newest and most viable path forward when both a kernel module, and eBPF probe is not an option.+The most common example of this environment is AWS ECS with Fargate. ++The `pdig` tool is built on `ptrace(2)`. It requires `CAP_SYS_PTRACE` enabled for the container runtime. +The `pdig` tool enables a new way of consuming metrics about a given application at the process level.++_Note_: The eBPF probe and kernel module work at a global host level, whereas `pdig` works at a process level. A clever invocation of `pdig` against a system can simulate a broader scope of system parsing. PID 1 is sometimes of interest.++_Source_: [github.com/falcosecurity/pdig](https://github.com/falcosecurity/pdig)++#### Pros++ - Lightweight, safe, and process specific+ - Runs only in userspace+ - Enables Falco for use cases when a kernel module, and an eBPF probe is not viable+ +#### Cons++ - The dependency on `ptrace(2)` is slow. 
Period.+ - Requires executing Falco with the `pdig` binary to "hack" the driver.+ +#### Summary++The `pdig` tool is the most unique of all the drivers, and enables functionality not otherwise possible.++ - Kubernetes+ - AWS ECS/Fargate + - AWS EKS/Fargate+ - Environments where kernel modules and eBPF is not an option+ +--- ++## Suggested Cloud Provider Implementations ++| Solution             | Suggested Driver            | More Resources                                                                                         |+|----------------------|-----------------------------|--------------------------------------------------------------------------------------------------------|+| Baremetal Kubernetes | Kernel Module               | [Helm Chart](https://falco.org/docs/third-party/#helm)                                                 |+| Kubeadm Kubernetes   | Kernel Module               | [Helm Chart](https://falco.org/docs/third-party/#helm)                                                 |+| Kubernetes Kind      | Kernel Module               | [Kind Documentation](https://falco.org/docs/third-party/#kind)                                         |+| Minikube             | Kernel Module               | [Minikube Documentation](https://falco.org/docs/third-party/#minikube)                                 |+| AWS EKS              | Kernel Module               | [Helm Chart](https://falco.org/docs/third-party/#helm)                                                 |+| Azure                | Kernel Module               | [Helm Chart](https://falco.org/docs/third-party/#helm)                                                 |+| GKE                  | eBPF Probe                  | [Falco on GKE](https://falco.org/docs/third-party/#gke)                                                |+| IBM Cloud            | Kernel Module               | [Helm Chart](https://falco.org/docs/third-party/#helm)                                                 |+| OpenShift            | 
Kernel Module               | [Helm Chart](https://falco.org/docs/third-party/#helm)                                                 |+| AWS ECS              | pdig                        | [pdig](https://github.com/falcosecurity/pdig) [falco-trace](https://github.com/kris-nova/falco-trace)  |+| AWS EKS (Fargate)    | pdig                        | [pdig](https://github.com/falcosecurity/pdig) [falco-trace](https://github.com/kris-nova/falco-trace)  |
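Review bot: both clone commands use `git@github.com/falcosecurity/falco`, which is not a valid SSH remote (the SSH form needs a colon after the host, `git@github.com:falcosecurity/falco`, as in the bug report's clone command elsewhere on this page); either add the colon or switch to the HTTPS URL. In the eBPF section, `cp driver/bpf/falco.o ${HOME}/.falco/probe.o` followed by a plain `sudo falco` does not match the probe workflow in the issue on this page, which copies `driver/bpf/probe.o` to `/root/.falco/falco-bpf.o` and runs `sudo FALCO_BPF_PROBE="" falco`; the object file names and the need for `FALCO_BPF_PROBE` should be reconciled, and `${HOME}` expanded as the unprivileged user will not be the directory falco looks in under `sudo` if sudo resets HOME. The eBPF pros also claim the probe is "unable to crash or panic a kernel" because the code "is already compiled into a Linux kernel"; the safety property comes from the in-kernel verifier checking the program at load time, and a verifier rejection (the `bpf_load_program() err=13` error in the issue on this page) is a failure mode worth listing under cons. Minor grammar: "can be ran" should be "can be run", and "when both a kernel module, and eBPF probe is not an option" should read "when neither a kernel module nor an eBPF probe is an option".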

Updated

kris-nova

comment created time in a month

PR opened falcosecurity/falco-website

feat(blog): Choosing a driver

Adding a blog to help with choosing a driver

Signed-off-by: Kris Nóva <kris@nivenly.com>

<!-- Thanks for sending a pull request! Here are some tips for you:

  1. If this is your first time, please read our contributor guidelines in the CONTRIBUTING.md file in the Falco repository.
  2. Please label this pull request according to what type of issue you are addressing.
  3. Please add a release note!
  4. If the PR is unfinished while opening it specify a wip in the title before the actual title, for example, "wip: my awesome feature" -->

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind user-interface

/kind content

/kind translation

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area blog

/area documentation

What this PR does / why we need it:

Which issue(s) this PR fixes:

<!-- Automatically closes linked issue when PR is merged. Usage: Fixes #<issue number>, or Fixes (paste link of issue). -->

Fixes #

Special notes for your reviewer:

+185 -0

0 comment

1 changed file

pr created time in a month

create branch falcosecurity/falco-website

branch : driver-blog

created branch time in a month

pull request comment draios/sysdig

Add KBUILD_MODNAME definition for kmod and bpf

+1 Need this fix

nathan-b

comment created time in a month

PR closed falcosecurity/falco-website

Reviewers
feat(media): Adding Shopify Video to Homepage
Labels: dco-signoff: yes, kind/content, size/S

Signed-off-by: Kris Nóva <kris@nivenly.com>

+22 -1

1 comment

3 changed files

kris-nova

pr closed time in a month

started dhruvvyas90/qemu-rpi-kernel

started time in a month

started Herringway/ebsrc

started time in a month

PR opened falcosecurity/falco-website

feat(media): Adding Shopify Video to Homepage

Signed-off-by: Kris Nóva <kris@nivenly.com>

+22 -1

0 comment

3 changed files

pr created time in a month

create branch falcosecurity/falco-website

branch : kubecon-media

created branch time in a month

issue comment falcosecurity/falco

Clearer documentation on driver removal process from 20200901-artifacts-cleanup.md proposal

See my response from slack

Hey @Fahad thanks for bringing this up. I don't think you are alone with being frustrated and I think we can totally figure out a clean solution here.
I don't think @leodido intended to break any live systems here with this proposal.
In general I am also disappointed that a restriction such as storage has caused Falco maintainers to have to "work around" a problem. I do not believe removing anything from storage is a viable technical solution here and we should not have done that.
What we can do:
- Bring this up on the weekly Wed calls so we can figure out what the use cases and constraints are (I am still confused here myself).
- Once we understand what we need to do (and what is currently blocking us) from a storage perspective we can reach out to @amye and @caniszczyk with the CNCF to ask for resources.
But we need to understand what we are asking for first, and I believe the weekly call is the correct place to do that. We need to be able to quantify what we need somehow.
Do you think you would be able to join the call or help out with this effort @Fahad?

Keeping this issue open as a placeholder.


TLDR: I don't understand why this is still a problem, and why a "solution" to this was deleting artifacts. That seems like a drastically inappropriate response.


comment created time in a month

started cilium/ebpf

started time in 2 months


push event kris-nova/public-speaking

Kris Nóva

commit sha 1b3b4eae32bef92c9eb40b8a75ce4f54190b05ef

Update README.md


push time in 2 months

pull request comment falcosecurity/falco

wip: build: add minimal and statically linked builds

Should we expect any changes with the signal handler with this? I ran @fntlnz's static binary from some time ago and I noticed that Falco was no longer respecting ^C signals from my keyboard. I had to kill -9 the PID in order to exit the program.

[Screenshot from 2020-09-02 16-10-38]


comment created time in 2 months

issue comment falcosecurity/falco

Compatibility with AWS ECS Fargate

Also CC @btorretta :point_up:


comment created time in 2 months

issue comment falcosecurity/falco

Compatibility with AWS ECS Fargate

@marcossv9 please see the working group getting started next week that will be addressing this concretely https://lists.cncf.io/g/cncf-falco-dev/topic/userspace_producers_working/76589131


comment created time in 2 months

issue opened falcosecurity/falco

Add ptrace(2) rule to Falco default rule set

Motivation

Right now ptrace may be used to interfere with a process on a host system. The default Falco ruleset does not check for ptrace interference.

<!-- Is your feature request related to a problem? Please describe what the problem is clearly and concisely. Eg., I'm always frustrated when ... -->

Feature

Can we add a ptrace(2) check in the default Falco rule set? This will alert if ptrace is used to interfere with a running process on a host system.

<!-- Describe the solution you would like. A clear and concise description of what you want to happen. -->

Alternatives

<!-- Describe alternatives you have considered, if any. A clear and concise description of any alternative solutions or features you have considered. -->

Additional context

<!-- Add any other context or screenshots about the feature request here. -->

created time in 2 months

PR opened falcosecurity/.github

feat(docs): Updating security reporting email

We had a user report a potential security concern and this email address was relatively unmonitored. Furthermore, having a security report tied to a single vendor seems worrisome.

Now all Falco maintainers will receive these reports.

Signed-off-by: Kris Nova kris@nivenly.com

+1 -1

0 comment

1 changed file

pr created time in 2 months

create branch falcosecurity/.github

branch : update-security-email

created branch time in 2 months


pull request comment falcosecurity/falco

Update sysdig version to ae104eb20ff0198a5dcb0c91cc36c86e7c3f25c7

/approve


comment created time in 2 months


push event falcosecurity/falco

Kris Nova

commit sha 6abe6b7c4e8d87669e52567bfe22abf610e0d767

feat(docs): Updating links for gRPC and Protobuf

Signed-off-by: Kris Nova <kris@nivenly.com>

push time in 2 months

push event falcosecurity/falco

Kris Nova

commit sha 2bae8f63c6e519d6fc34b1b10677bd5e9668b5e1

feat(docs): Fixing formatting in README.md

Signed-off-by: Kris Nova <kris@nivenly.com>

push time in 2 months

push event falcosecurity/falco

Kris Nova

commit sha 8f5b3a46876df638b8723cd8c18452ac37ecb623

feat(docs): Adding SDKs and gRPC to README.md

Signed-off-by: Kris Nova <kris@nivenly.com>

push time in 2 months

PR opened falcosecurity/falco

Update readme

<!-- Thanks for sending a pull request! Here are some tips for you:

  1. If this is your first time, please read our contributor guidelines in the CONTRIBUTING.md file and learn how to compile Falco from source here.
  2. Please label this pull request according to what type of issue you are addressing.
  3. Please add a release note!
  4. If the PR is unfinished while opening it specify a wip in the title before the actual title, for example, "wip: my awesome feature" -->

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

If contributing rules or changes to rules, please make sure to also uncomment one of the following lines:

/kind rule-update

/kind rule-create

<!-- Please remove the leading whitespace before the /kind <> you uncommented. -->

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area engine

/area rules

/area tests

/area proposals

<!-- Please remove the leading whitespace before the /area <> you uncommented. -->

What this PR does / why we need it:

Which issue(s) this PR fixes:

<!-- Automatically closes linked issue when PR is merged. Usage: Fixes #<issue number>, or Fixes (paste link of issue). If PR is kind/failing-tests or kind/flaky-test, please post the related issues/tests in a comment and do not use Fixes. -->

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

<!-- If no, just write "NONE" in the release-note block below. If yes, a release note is required: Enter your extended release note in the block below. If the PR requires additional action from users switching to the new release, prepend the string "action required:". For example, action required: change the API interface of the rule engine. -->


+33 -34

0 comment

1 changed file

pr created time in 2 months

create branch falcosecurity/falco

branch : update-readme

created branch time in 2 months

issue comment falcosecurity/falco

Falco unix socket permissions

I think it might be useful to have read-only access for non-root users

or at least the ability to enable this functionality


comment created time in 2 months
