Docker Events Plugin

This repository contains the docker plugin for Falco. It fetches Docker events and emits one sinsp/scap event (the event type Falco consumes) for each entry.

The plugin also exports fields that extract information from a Docker event, such as the event time, the action, the container name, the container image, the node ID (for Swarm clusters), and so on.

Event Source

The event source for docker events is docker.

Supported Fields

Name                           Type     Description
docker.status                  string   Status of the event
docker.id                      string   ID of the event
docker.from                    string   From of the event (deprecated)
docker.type                    string   Type of the event
docker.action                  string   Action of the event
docker.stack.namespace         string   Stack Namespace
docker.node.id                 string   Swarm Node ID
docker.swarm.task              string   Swarm Task
docker.swarm.taskid            string   Swarm Task ID
docker.swarm.taskname          string   Swarm Task Name
docker.swarm.servicename       string   Swarm Service Name
docker.node.statenew           string   Node New State
docker.node.stateold           string   Node Old State
docker.attributes.container    string   Attribute Container
docker.attributes.image        string   Attribute Image
docker.attributes.name         string   Attribute Name
docker.attributes.type         string   Attribute Type
docker.attributes.exitcode     string   Attribute Exit Code
docker.attributes.signal       string   Attribute Signal
docker.scope                   string   Scope

Development

Requirements

You need:

Build

make build

Installation

Local

make install

With falcoctl

Add the index:

sudo falcoctl index add docker https://raw.githubusercontent.com/Issif/docker-plugin/workflow/index.yaml

Search for the artifacts:

sudo falcoctl artifact search docker
INDEX   ARTIFACT        TYPE            REGISTRY        REPOSITORY                              
docker  docker-rules    rulesfile       ghcr.io         issif/docker-plugin/ruleset/docker-rules
docker  docker          plugin          ghcr.io         issif/docker-plugin/plugin/docker 

Install the plugin and the rules:

sudo falcoctl artifact install docker-rules:latest
 INFO  Reading all configured index files from "/root/.config/falcoctl/indexes.yaml"
 INFO  Resolving dependencies ...
 INFO  Installing the following artifacts: [ghcr.io/issif/docker-plugin/ruleset/docker:latest]
 INFO  Preparing to pull "ghcr.io/issif/docker-plugin/ruleset/docker:latest"
 INFO  Pulling c09e07b53699: ############################################# 100% 
 INFO  Pulling 1be5f42ebc40: ############################################# 100% 
 INFO  Pulling 751af53627f8: ############################################# 100% 
 INFO  Artifact successfully installed in "/etc/falco"  

Settings

Only init accepts settings:

Configurations

Rules that use this plugin must set `source: docker`; otherwise Falco will not evaluate them against the plugin's events.

Example:

- rule: Dummy Rule
  desc: Dummy Rule
  condition: docker.status in (start,create,die)
  output: status=%docker.status from=%docker.from type=%docker.type action=%docker.action name=%docker.attributes.name 
  priority: DEBUG
  source: docker
  tags: [docker]
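A rules file that goes a little beyond the dummy rule above, written here as an added example and not taken from the plugin's repository: it uses the exported fields to flag containers that exited with a non-zero code, containers terminated by the OOM killer, and commands exec'd into a running container. It assumes the Docker event action strings (`die`, `oom`, `exec_start: <cmd>`) and the `exitCode` attribute that the Docker daemon emits for these events.

```yaml
# docker_rules.yaml: added example rules for the Falco docker plugin
# (written for this page, not the rules shipped with the plugin).
# Every rule declares `source: docker` so Falco evaluates it against
# the plugin's events rather than against syscalls.

- macro: docker_container_event
  condition: docker.type = container

- rule: Container Exited With Non-Zero Code
  desc: >
    A container process ended with an exit code other than 0. Repeated
    hits for the same image point at crash loops or tampered workloads.
  condition: >
    docker_container_event and docker.action = die
    and docker.attributes.exitcode != "0"
  output: >
    container=%docker.attributes.name image=%docker.attributes.image
    exitcode=%docker.attributes.exitcode id=%docker.id
  priority: WARNING
  source: docker
  tags: [docker, container, availability]

- rule: Container OOM Killed
  desc: The kernel OOM killer terminated a container; review memory limits and look for runaway processes.
  condition: docker_container_event and docker.action = oom
  output: container=%docker.attributes.name image=%docker.attributes.image oom-killed
  priority: WARNING
  source: docker
  tags: [docker, container, availability]

- rule: Exec Into Running Container
  desc: >
    A process was started inside a running container (docker exec).
    Docker puts the executed command in the action string, so the
    output includes it for review.
  condition: docker_container_event and docker.action startswith "exec_start"
  output: >
    exec in container=%docker.attributes.name image=%docker.attributes.image
    action="%docker.action"
  priority: NOTICE
  source: docker
  tags: [docker, container, interactive]

- rule: Container Forcibly Killed
  desc: A container received signal 9 (SIGKILL), e.g. from docker kill or a docker stop that outlived its grace period.
  condition: docker_container_event and docker.action = kill and docker.attributes.signal = "9"
  output: container=%docker.attributes.name image=%docker.attributes.image killed signal=%docker.attributes.signal
  priority: INFO
  source: docker
  tags: [docker, container]
```

Load it with the same `falco -c falco.yaml -r docker_rules.yaml` invocation shown under Usage.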

Usage

falco -c falco.yaml -r docker_rules.yaml

Requirements

Results

14:53:29.092313000: Debug status=create from=alpine type=container action=create name=pensive_haibt
14:53:29.092787000: Debug status=start from=alpine type=container action=start name=pensive_haibt
14:53:29.092899000: Debug status=die from=alpine type=container action=die name=pensive_haibt