# Docker Events Plugin

This repository contains the **docker** plugin for Falco, which can fetch docker events and emit sinsp/scap events (i.e. the event format consumed by Falco) for each entry.

The plugin also exports fields that extract information from a docker event, such as the event time, the action, the container name, the container image, the node id (for swarm clusters), and so on.
- [Docker Events Plugin](#docker-events-plugin)
  - [Event Source](#event-source)
  - [Supported Fields](#supported-fields)
  - [Development](#development)
  - [Installation](#installation)
  - [Settings](#settings)
  - [Configurations](#configurations)
  - [Usage](#usage)
## Event Source

The event source for docker events is `docker`.
## Supported Fields

| Name | Type | Description |
|---|---|---|
| `docker.status` | string | Status of the event |
| `docker.id` | string | ID of the event |
| `docker.from` | string | From of the event (deprecated) |
| `docker.type` | string | Type of the event |
| `docker.action` | string | Action of the event |
| `docker.stack.namespace` | string | Stack Namespace |
| `docker.node.id` | string | Swarm Node ID |
| `docker.swarm.task` | string | Swarm Task |
| `docker.swarm.taskid` | string | Swarm Task ID |
| `docker.swarm.taskname` | string | Swarm Task Name |
| `docker.swarm.servicename` | string | Swarm Service Name |
| `docker.node.statenew` | string | Node New State |
| `docker.node.stateold` | string | Node Old State |
| `docker.attributes.container` | string | Attribute Container |
| `docker.attributes.image` | string | Attribute Image |
| `docker.attributes.name` | string | Attribute Name |
| `docker.attributes.type` | string | Attribute Type |
| `docker.attributes.exitcode` | string | Attribute Exit Code |
| `docker.attributes.signal` | string | Attribute Signal |
| `docker.scope` | string | Scope |
## Development

You need:

- Go >= 1.19

```shell
make build
make install
```
## Installation

Add the index:

```shell
sudo falcoctl index add docker https://raw.githubusercontent.com/Issif/docker-plugin/workflow/index.yaml
```

Search for the artifacts:

```shell
sudo falcoctl artifact search docker
INDEX   ARTIFACT      TYPE        REGISTRY   REPOSITORY
docker  docker-rules  rulesfile   ghcr.io    issif/docker-plugin/ruleset/docker-rules
docker  docker        plugin      ghcr.io    issif/docker-plugin/plugin/docker
```

Install the plugin and the rules:

```shell
sudo falcoctl artifact install docker-rules:latest
INFO  Reading all configured index files from "/root/.config/falcoctl/indexes.yaml"
INFO  Resolving dependencies ...
INFO  Installing the following artifacts: [ghcr.io/issif/docker-plugin/ruleset/docker:latest]
INFO  Preparing to pull "ghcr.io/issif/docker-plugin/ruleset/docker:latest"
INFO  Pulling c09e07b53699: ############################################# 100%
INFO  Pulling 1be5f42ebc40: ############################################# 100%
INFO  Pulling 751af53627f8: ############################################# 100%
INFO  Artifact successfully installed in "/etc/falco"
```
## Settings

Only `init` accepts settings:

- `flushinterval`: time in ms between two flushes of events from docker to Falco (default: 30ms)

## Configurations

- `falco.yaml`

```yaml
plugins:
  - name: docker
    library_path: /usr/share/falco/plugins/libdocker.so
    init_config: '{"flushinterval": 10}'
    open_params: ''

load_plugins: [docker]

stdout_output:
  enabled: true
```

💡 `init_config` can also be set in yaml format:

```yaml
init_config:
  flushinterval: 10
```
- `rules.yaml`

The `source` for rules must be `docker`. See example:

```yaml
- rule: Dummy Rule
  desc: Dummy Rule
  condition: docker.status in (start,create,die)
  output: status=%docker.status from=%docker.from type=%docker.type action=%docker.action name=%docker.attributes.name
  priority: DEBUG
  source: docker
  tags: [docker]
```
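Two further rules that use the container-lifecycle fields from the Supported Fields table, added here as an example and not taken from the plugin's own `docker-rules` ruleset. The rule names, descriptions, priorities and tags are my own choices; the macro `docker_container_event` is defined in the block itself, and the `!= "0"` comparison assumes the exit code is exported as a string, as the table states.

```yaml
# Added example rules, not part of the plugin's ruleset.
# Every rule that reads docker.* fields must declare `source: docker`.

# Hypothetical macro: restrict to events emitted for containers,
# so image/network/volume events with empty container attributes are skipped.
- macro: docker_container_event
  condition: docker.type = container

# Fires when a container stops with a non-zero exit code (crash, failed
# entrypoint, or a process terminated by the kernel). The docker daemon
# attaches the exit code to the `die` action, which is why the rule gates on it.
- rule: Container Exited Abnormally
  desc: A container terminated with an exit code other than 0
  condition: >
    docker_container_event
    and docker.action = die
    and docker.attributes.exitcode != "0"
  output: >
    Container exited abnormally
    (name=%docker.attributes.name image=%docker.attributes.image
    exitcode=%docker.attributes.exitcode node=%docker.node.id)
  priority: WARNING
  source: docker
  tags: [docker, container, availability]

# Fires when a container is sent a signal via `docker kill`; the signal
# number/name is exported by the plugin on the `kill` action.
- rule: Container Killed By Signal
  desc: A container received a kill signal from the docker daemon
  condition: docker_container_event and docker.action = kill
  output: >
    Container killed
    (name=%docker.attributes.name image=%docker.attributes.image
    signal=%docker.attributes.signal status=%docker.status)
  priority: NOTICE
  source: docker
  tags: [docker, container]
```

Save the block as a rules file and load it alongside the plugin with `falco -c falco.yaml -r <file>`; because the fields are typed as strings, compare exit codes against quoted values rather than numbers.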
## Usage

Requires Falco >= 0.34.

```shell
falco -c falco.yaml -r docker_rules.yaml
```

Example output:

```
14:53:29.092313000: Debug status=create from=alpine type=container action=create name=pensive_haibt
14:53:29.092787000: Debug status=start from=alpine type=container action=start name=pensive_haibt
14:53:29.092899000: Debug status=die from=alpine type=container action=die name=pensive_haibt
```