- Organization: CNCF
- Project: Falco Event Generator
- Title: Upgrading event-generator and automating Falco performance testing
- Implementation Idea: Declarative YAML file testing feature
- Mentee: GLVS Kiriti
- Mentors: Jason Dellaluce, Aldo Lacuku
Falco is a real-time security tool designed to detect abnormal behaviours and security-related runtime events in Linux systems and the cloud. The event-generator is a utility within the Falco ecosystem that helps test Falco’s detection capabilities. The tool also has benchmark capabilities that represent a building block of the Falco performance testing practices. However, the project received less attention than required in the past few years and would require some care and renovation.
This Google Summer of Code project proposes upgrading the event-generator to improve its testing and benchmarking capabilities, its reliability, and its consistency, and developing new Continuous Integration pipelines based on it. The end goal is to evolve the event-generator and make it the standard tool for systematically assessing the correctness and performance of Falco’s threat detection capabilities at every release and development cycle.
- Currently, all these PRs are merged to the gsoc2024 branch
- My fork of the event-generator repo
- My experience so far (up to midterm) blog post
Pull Requests | Status | Description |
---|---|---|
#211 | 🟪 Merged | This PR marked the start of the implementation of the Declarative YAML file testing feature. Specifically, this PR added the YAML file parsing functionality, implemented the host runner, and added the structure for the YAML file |
#216 | 🟪 Merged | Added the container runner interface and implemented the setup and cleanup methods |
#217 | 🟪 Merged | Implemented the executestep method for the container runner and refactored the folder and file structure |
#218 | 🟪 Merged | Added the helper functions for making the syscalls that are required to trigger the stable rules |
#219 | 🟪 Merged | Added the test command that connects to the gRPC API of a running Falco instance and validates whether a rule is triggered or not when the events are run using the declarative YAML file testing feature |
#1343 | 🟪 Merged | Added a blog post on the experience so far, up to midterm |
#1342 | 🟪 Merged | Fixed some typos |
Pull Requests | Status | Description |
---|---|---|
#100 | 🟪 Merged | Corrected a typo |
#101 | 🟪 Merged | Added event for triggering rule "Write below root" |
#102 | 🟪 Merged | Added event for triggering rule "Write below monitored dir" |
#103 | 🟪 Merged | Added event for triggering rule "Create hidden file or directory" |
#108 | 🟪 Merged | Added event for triggering rule "Read shell configuration" |
#109 | 🟪 Merged | Added event for triggering rule "Remove bulk data from disk" |
#112 | 🟪 Merged | Added event for triggering rule "Read SSH information" |
#117 | 🟪 Merged | Added event for triggering rule "Adding SSH keys to authorized_keys" |
#122 | 🟪 Merged | Added event for triggering rule "Program run with disallowed http proxy env" |
#124 | 🟪 Merged | Added event for triggering rule "Find AWS credentials" |
#125 | 🟪 Merged | Added event for triggering rule "Execution from /dev/shm" |
#126 | 🟪 Merged | Fix broken links in readme |
#133 | 🟪 Merged | Added event for triggering rule "PTRACE attached to process" |
#136 | 🟪 Merged | Added event for triggering rule "PTRACE anti-debug attempt" |
#141 | 🟪 Merged | Added event for triggering rule "Fileless execution via memfd_create" |
#143 | 🟪 Merged | Added event for triggering rule "Clear log activities" |
#156 | 🟪 Merged | Added event for triggering rule "Polkit local privilege escalation vulnerability (CVE-2021-4034)" |
#157 | 🟪 Merged | Added event for triggering rule "Sudo potential privilege escalation" |
#161 | 🟩 Open | Added event for triggering rule "Linux kernel module injection detected" |
#163 | 🟪 Merged | Added event for triggering rule "set setuid or setgid bit" |
#165 | 🟪 Merged | Added event for triggering rule "Launch ingress remote file copy tools in container" |
#169 | 🟪 Merged | Added event for triggering rule "Kubernetes Client Tool Launched in container" |
#171 | 🟪 Merged | Added event for triggering rule "Unprivileged Delegation of page faults handling to a userspace process" |
#173 | 🟪 Merged | Added event for triggering rule "Detect crypto miners using stratum protocol" |
#176 | 🟩 Open | Added event for triggering rule "Detect outbound connections to common miner pool ports" |
#182 | 🟪 Merged | Added event for triggering rule "Container drift detected using chmod" |
#189 | 🟪 Merged | Added event for triggering rule "Container drift detected (open+create)" |
#190 | 🟪 Merged | Added event for triggering rule "Launch package management process in container" |
#196 | 🟪 Merged | Added event for triggering rule "Drop and execute new binary in container" |
#202 | 🟪 Merged | Refactored existing events to use events.ErrSkipped with a proper reason when skipping an action |
#203 | 🟪 Merged | Added event for triggering rule "Detect release_agent file container escapes" |
#208 | 🟪 Merged | Bug fix in the execution from /dev/shm event |
#83 | 🟪 Merged | Added a CI job that builds all the examples in the plugin-sdk-go repo |
#48 | 🟩 Open | Added tests for the falco -h and falco --help commands in the testing repo |
- Improving the benchmarking capabilities of event-generator
- Integrating the enhanced event-generator into the falco CI pipeline
Following GSoC, I’m eager to maintain the same level of contribution and further engage with the community. I look forward to supporting new developers and exploring both new and existing projects within the organization. I am committed to being as helpful as possible to the community moving forward. 😇 If anyone needs assistance or wishes to connect, I’m just a couple of clicks away.
I want to extend my heartfelt thanks to my mentors ❤️, Jason Dellaluce and Aldo Lacuku, for their unwavering support throughout my GSoC journey. Their patience and invaluable suggestions were crucial whenever I encountered challenges. I also appreciate the entire Falco community, especially Leonardo Grasso and Federico Di Pierro, for their exceptional assistance during the GSoC selection process. All of your help was instrumental in making this experience a success 🔥.