Request: Could a Falco plugin take over responsibility for the AKS Audit Log Forwarder from Sysdig? #368
Comments
|
ei! Thank you for reporting! |
|
Hey @tspearconquest Thank you for bringing this up. AFAIK maintainers have discussed more than one time to start developing a To make this happen, we probably need some help from contributors to kick off this Do we know anyone with experience in AKS and Go? 🤔 |
|
I don't know Go but willing to learn it; happy to help test it out in our environment if nothing else. |
|
I'm not experienced with AKS either, but I developed the |
|
Hey folks, I think this should be moved to https://github.com/falcosecurity/plugins and become a feature request for a new plugin |
|
I agree |
leogr
changed the title
|
I believe this is valuable, but I don't have cycles to take care of it. /assign /help |
|
@leogr: Please ensure the request meets the requirements listed here. If this request no longer meets these requirements, the label can be removed In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
|
We still want this. /remove-lifecycle stale |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
|
/remove-lifecycle stale |
Motivation
Back in 2022, I did some testing of AKS Audit Log Forwarder with Falco and was able to confirm that it works properly. Audit logs from AKS are routed via an Event Hub, where the above will pick them up and route them into Falco for analysis by the k8saudit rules. Falco analyzes the events and logs activity based on the rules.
In my org's setup, we use Fluentd to capture container logs from the pods running in the cluster and forward them over to Log Analytics for our SOC team to further analyze and action.
Falco has made some great work on the k8s audit configuration by converting the original k8saudit stuff to a Falco plugin which automatically activates the built-in webserver (zero config when the plugin is enabled) and while this works fine, I've noticed that the audit log forwarder has not had any commits in 2 years; so it appears to me that the project was abandoned by Sysdig. This puts those of us using AKS with auditing requirements in a tough spot. Either we have to maintain the project ourselves, pulling in updates and making patches (not to mention keeping up with Kubernetes dependency library versions), or we run the risk of falling out of compliance with regulatory requirements, or the risk of the forwarder breaking completely one day in the future because of the lack of maintenance and various breaking changes in the cluster.
Side note for those not in the know: At least some of the regular Falco contributors work for Sysdig; though I don't know the exact nature of the relationship between the two teams.
Feature
As a Falco user, it would benefit the community of AKS users if Falco were to take over responsibility of the audit log forwarder. We don't have another good option for getting the event logs from AKS clusters into Falco, because we don't have access to make changes on the master nodes directly; our only options in Azure by default are to send the audit logs directly to an Event Hub, directly to Log Analytics, or directly to a Storage Account.
Alternatives
Can't think of any. My team doesn't have the ability to maintain the project internally; though we have been keeping up with CVE patches in the dependencies, it's a growing concern that one day we will upgrade to a kubernetes version which is incompatible and the log forwarder will just stop working.
Additional context
I wonder if it possibly could be converted to a Falco plugin itself, or possibly even integrated into the k8saudit plugin? If it either of these is an option, then it'd be much easier to setup and use with Falco because it could retrieve the logs from the event hub and pull them into Falco directly, and if integrated into the k8saudit plugin, then we wouldn't even need to have the falco webserver running.
The text was updated successfully, but these errors were encountered: