Skip to content

Latest commit

 

History

History
90 lines (73 loc) · 11.6 KB

README.md

File metadata and controls

90 lines (73 loc) · 11.6 KB

GSoC-2024 @FalcoSecurity

GSoC-logo

General Information 📝

Description 📜

Falco is a real-time security tool designed to detect abnormal behaviours and security-related runtime events in Linux systems and the cloud. The event-generator is an utility within the Falco ecosystem that helps testing Falco’s detection capabilities. The tool also has benchmark capabilities that represent a building block of the Falco performance testing practices. However, the project received less attention than required in the past few years and would require some care and renovation.

Goals 🎯

This Google Summer of Code project proposes upgrading the event-generator to improve its testing and benchmarking capabilities, its reliability, and its consistency, and developing new Continuous Integration pipelines based on it. The end goal is to evolve the event-generator and make it the standard tool for systematically accessing the correctness and performance of Falco’s threat detection capabilities at every release and development cycle

What changes I did ? 🚀

List of the PRs that are created during GSoC period.

  • Currently all this PRs are merged to gsoc2024 branch
  • My forked repo of event-generator repo
  • My expereince so far upto midterm blog
Pull Requests Status Description
#211 🟪Merged This PR marked the starting of the implementation of Declarative YAML file testing feature. Specifically in this PR added the yaml file parsing functionality, implemented host runner and added the structure for yaml file
#216 🟪Merged Added the container runner interface and implemented setup and clenup methods
#217 🟪Merged Implemented executestep method for the container runner and refactored the folder and file structure
#218 🟪Merged Added the required helper function for making syscalls which are requiered to trigger the stable rules
#219 🟪Merged Added the test command that connects with grpc api of running falco instance and validates whether a rule is triggered or not when we run the events using the declarative yaml file testing feature
#1343 🟪Merged Added a blog post on the experience so far upto midterm
#1342 🟪Merged Fixed Some typos

List of the PRs that are created before selection of GSoC 🎁

Pull Requests Status Description
#100 🟪Merged Corrected a typo
#101 🟪Merged Added event for trigerring rule "Write below root"
#102 🟪Merged Added event for trigerring rule "Write below monitored dir"
#103 🟪Merged Added event for trigerring rule "Create hidden file or directory"
#108 🟪Merged Added event for trigerring rule "Read shell configuration"
#109 🟪Merged Added event for trigerring rule "Remove bulk data from disk"
#112 🟪Merged Added event for trigerring rule "Read SSH information"
#117 🟪Merged Added event for trigerring rule "Adding SSH keys to authorized_keys "
#122 🟪Merged Added event for trigerring rule "Program run with disallowed http proxy env"
#124 🟪Merged Added event for trigerring rule "Find AWS credentials "
#125 🟪Merged Added event for trigerring rule "Execution from /dev/shm "
#126 🟪Merged Fix broken links in readme
#133 🟪Merged Added event for trigerring rule "PTRACE attached to process"
#136 🟪Merged Added event for trigerring rule "PTRACE anti-debug attempt "
#141 🟪Merged Added event for trigerring rule "Fileless execution via memfd_create "
#143 🟪Merged Added event for trigerring rule "Clear log activites "
#156 🟪Merged Added event for trigerring rule "Polkit local privilege escalation vulnerability(CVE-2021-4034)"
#157 🟪Merged Added event for trigerring rule "Sudo potential privilege escalation "
#161 🟩 Open Added event for trigerring rule "Linux kerenel module injection detected "
#163 🟪Merged Added event for trigerring rule "set setuid or setgid bit "
#165 🟪Merged Added event for trigerring rule "Launch ingress remote file copy tools in container "
#169 🟪Merged Added event for trigerring rule "Kubernetes Client Tool Launched in container"
#171 🟪Merged Added event for trigerring rule "Unprivileged Delegation of page faults handling to a userspace process"
#173 🟪Merged Added event for trigerring rule "Detect crypto miners using srtatum protocol"
#176 🟩 Open Added event for trigerring rule "Detect outbound connections to common miner pool ports"
#182 🟪Merged Added event for trigerring rule "Container drift detected using chmod"
#189 🟪Merged Added event for trigerring rule "Container drift detetced (open+create)"
#190 🟪Merged Added event for trigerring rule "Launch package management process in container"
#196 🟪Merged Added event for trigerring rule "Drop and execute new binary in container"
#202 🟪Merged Refactor in existing event to use events.ErrSkipped with a proper reason when skippinf an actions
#203 🟪Merged Added event for trigerring rule "Detect release_agent file container escapes"
#208 🟪Merged Bug fix in execution dev shm event
#83 🟪Merged Added a job in ci which builds the all examples in plugin-sdk-go repo
#48 🟩Open Added Test for falco -h and falco --help commands in testing repo

What are the remaining tasks ? 🗣️

  • Improving benchmarking capabilities of event-generator
  • Integrate the enhanced event-generator in falco-ci pipleine

Future Plans: ⏲️

Following GSoC, I’m eager to maintain the same level of contribution and further engage with the community. I look forward to supporting new developers and exploring both new and existing projects within the organization. I am committed to being as helpful as possible to the community moving forward. 😇 If anyone needs assistance or wishes to connect, I’m just a couple of clicks away.

Conclusion 👏

I want to extend my heartfelt thanks to my mentors ❤️, Jason Dellaluce and Aldo Lacuku, for their unwavering support throughout my GSoC journey. Their patience and invaluable suggestions were crucial whenever I encountered challenges. I also appreciate the entire Falco community, especially Leonardo Grasso and Federico Di Pierro, for their exceptional assistance during the GSoC selection process. All of your help was instrumental in making this experience a success 🔥.