Plugins


Note: The plugin system is a new feature introduced in Falco 0.31.0. You can find more details in the original proposal document.

This repository contains the Plugin Registry and the plugins officially maintained by the Falcosecurity organization. Plugins can be used to extend Falco and applications that use Falcosecurity libs. Please refer to the official documentation to better understand the plugin system's concepts and architecture.

Plugin Registry

The Registry contains metadata and information about every plugin known and recognized by the Falcosecurity organization. It lists plugins hosted either in this repository or in other repositories. These plugins are developed for Falco and made available to the community. Check out the sections below to learn how to register your plugins and to see the plugins currently contained in the registry.

Registering a new Plugin

Registering your plugin in the registry helps ensure that some technical constraints are respected, such as that a given ID is used by exactly one plugin with event source capability, and it allows plugin authors to coordinate on event source formats. Moreover, this is a great way to share your plugin project with the community and engage with it, thus gaining new users and increasing its visibility. We encourage you to register your plugin in this registry before publishing it. You can add your plugins to this registry regardless of where their source code is hosted (there's a url field for this specifically).

The registration process involves adding an entry about your plugin inside the registry.yaml file by creating a Pull Request in this repository. Please be mindful of a few constraints that are automatically checked and required for your plugin to be accepted:

For reference, here's an example of an entry for a plugin with both event sourcing and field extraction capabilities:

- name: k8saudit
  description: ...
  authors: ...
  contact: ...
  maintainers:
    - name: The Falco Authors
      email: cncf-falco-dev@lists.cncf.io
  keywords:
    - audit
    - audit-log
    - audit-events
    - kubernetes
  url: https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit
  rules_url: https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit/rules
  license: ...
  capabilities:
    sourcing:
      supported: true
      id: 2
      source: k8s_audit
    extraction:
      supported: true

You can find the full registry specification here: (coming soon...)
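
As an added example (not the registry's own checker), the Go code below applies the ID rules this page states to a proposed entry: an event source ID belongs to exactly one sourcing plugin, IDs 0 and 999 are reserved, and, as the k8saudit variants in the table of registered plugins show, a source name may be shared. `Entry`, `CheckCandidate`, `Registered` and the candidate plugins are hypothetical names, and the sample data is constructed from rows of that table.

```go
package main

import (
	"errors"
	"fmt"
)

// Entry mirrors only the registry.yaml fields shown in the example entry.
type Entry struct {
	Name     string
	Sourcing bool   // capabilities.sourcing.supported
	ID       uint32 // capabilities.sourcing.id
	Source   string // capabilities.sourcing.source
}

var (
	ErrReserved = errors.New("reserved event source ID")
	ErrTaken    = errors.New("event source ID already registered")
)

// CheckCandidate applies the ID rules to a proposed entry (hypothetical helper).
func CheckCandidate(registered []Entry, c Entry) error {
	if !c.Sourcing {
		return nil // extraction-only plugins have no event source ID
	}
	if c.ID == 0 || c.ID == 999 { // reserved IDs per the Registered Plugins table
		return fmt.Errorf("%s: %w %d", c.Name, ErrReserved, c.ID)
	}
	for _, r := range registered {
		// Only the ID must be unique; a source name may be shared.
		if r.Sourcing && r.ID == c.ID {
			return fmt.Errorf("%s: %w (%d, held by %s)", c.Name, ErrTaken, c.ID, r.Name)
		}
	}
	return nil
}

// Registered returns a constructed subset of the table on this page.
func Registered() []Entry {
	return []Entry{
		{"k8saudit", true, 1, "k8s_audit"}, {"cloudtrail", true, 2, "aws_cloudtrail"},
		{"json", false, 0, ""}, {"k8saudit-eks", true, 9, "k8s_audit"},
	}
}

func main() {
	// Hypothetical candidates: a new ID with a shared source, then a taken ID.
	fmt.Println(CheckCandidate(Registered(), Entry{"k8saudit-aks", true, 21, "k8s_audit"}))
	fmt.Println(CheckCandidate(Registered(), Entry{"myplugin", true, 2, "my_source"}))
}
```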

Registered Plugins

The tables below list all the plugins currently registered. The tables are automatically generated from the registry.yaml file.

<!-- The text inside \<!-- REGISTRY:xxx --\> comments is auto-generated. These comments and the text between them should not be edited by hand --> <!-- REGISTRY:TABLE -->
| Name | Capabilities | Description |
| --- | --- | --- |
| plugin-id-zero-value | Event Sourcing <br/>ID: 0 | This ID is reserved for particular purposes and cannot be registered. A plugin author should not use this ID unless specified by the documentation. <br/><br/> Authors: N/A <br/> License: N/A |
| k8saudit | Event Sourcing <br/>ID: 1 <br/>`k8s_audit` <br/>Field Extraction <br/> `k8s_audit` | Read Kubernetes Audit Events and monitor Kubernetes Clusters <br/><br/> Authors: The Falco Authors <br/> License: Apache-2.0 |
| cloudtrail | Event Sourcing <br/>ID: 2 <br/>`aws_cloudtrail` <br/>Field Extraction <br/> `aws_cloudtrail` | Reads Cloudtrail JSON logs from files/S3 and injects as events <br/><br/> Authors: The Falco Authors <br/> License: Apache-2.0 |
| json | Field Extraction <br/> All Sources | Extract values from any JSON payload <br/><br/> Authors: The Falco Authors <br/> License: Apache-2.0 |
| dummy | Event Sourcing <br/>ID: 3 <br/>`dummy` <br/>Field Extraction <br/> `dummy` | Reference plugin used to document interface <br/><br/> Authors: The Falco Authors <br/> License: Apache-2.0 |
| dummy_c | Event Sourcing <br/>ID: 4 <br/>`dummy_c` <br/>Field Extraction <br/> `dummy_c` | Like dummy, but written in C++ <br/><br/> Authors: The Falco Authors <br/> License: Apache-2.0 |
| docker | Event Sourcing <br/>ID: 5 <br/>`docker` <br/>Field Extraction <br/> `docker` | Docker Events <br/><br/> Authors: Thomas Labarussias <br/> License: Apache-2.0 |
| seccompagent | Event Sourcing <br/>ID: 6 <br/>`seccompagent` <br/>Field Extraction <br/> `seccompagent` | Seccomp Agent Events <br/><br/> Authors: Alban Crequy <br/> License: Apache-2.0 |
| okta | Event Sourcing <br/>ID: 7 <br/>`okta` <br/>Field Extraction <br/> `okta` | Okta Log Events <br/><br/> Authors: The Falco Authors <br/> License: Apache-2.0 |
| github | Event Sourcing <br/>ID: 8 <br/>`github` <br/>Field Extraction <br/> `github` | Github Webhook Events <br/><br/> Authors: The Falco Authors <br/> License: Apache-2.0 |
| k8saudit-eks | Event Sourcing <br/>ID: 9 <br/>`k8s_audit` <br/>Field Extraction <br/> `k8s_audit` | Read Kubernetes Audit Events from AWS EKS Clusters <br/><br/> Authors: The Falco Authors <br/> License: Apache-2.0 |
| nomad | Event Sourcing <br/>ID: 10 <br/>`nomad` <br/>Field Extraction <br/> `nomad` | Read Hashicorp Nomad Events Stream <br/><br/> Authors: Alberto Llamas <br/> License: Apache-2.0 |
| dnscollector | Event Sourcing <br/>ID: 11 <br/>`dnscollector` <br/>Field Extraction <br/> `dnscollector` | DNS Collector Events <br/><br/> Authors: Daniel Moloney <br/> License: Apache-2.0 |
| gcpaudit | Event Sourcing <br/>ID: 12 <br/>`gcp_auditlog` <br/>Field Extraction <br/> `gcp_auditlog` | Read GCP Audit Logs <br/><br/> Authors: The Falco Authors <br/> License: Apache-2.0 |
| syslogsrv | Event Sourcing <br/>ID: 13 <br/>`syslogsrv` <br/>Field Extraction <br/> `syslogsrv` | Syslog Server Events <br/><br/> Authors: Maksim Nabokikh <br/> License: Apache-2.0 |
| salesforce | Event Sourcing <br/>ID: 14 <br/>`salesforce` <br/>Field Extraction <br/> `salesforce` | Falco plugin providing basic runtime threat detection and auditing logging for Salesforce <br/><br/> Authors: Andy <br/> License: Apache-2.0 |
| box | Event Sourcing <br/>ID: 15 <br/>`box` <br/>Field Extraction <br/> `box` | Falco plugin providing basic runtime threat detection and auditing logging for Box <br/><br/> Authors: Andy <br/> License: Apache-2.0 |
| test | Event Sourcing <br/>ID: 999 <br/>`test` | This ID is reserved for source plugin development. Any plugin author can use this ID, but authors can expect events from other developers with this ID. After development is complete, the author should request an actual ID <br/><br/> Authors: N/A <br/> License: N/A |
| k8smeta | Field Extraction <br/> `syscall` | Enrich Falco syscall flow with Kubernetes Metadata <br/><br/> Authors: The Falco Authors <br/> License: Apache-2.0 |
| k8saudit-gke | Event Sourcing <br/>ID: 16 <br/>`k8s_audit` <br/>Field Extraction <br/> `k8s_audit` | Read Kubernetes Audit Events from GKE Clusters <br/><br/> Authors: The Falco Authors <br/> License: Apache-2.0 |
| journald | Event Sourcing <br/>ID: 17 <br/>`journal` <br/>Field Extraction <br/> `journal` | Read Journald events into Falco <br/><br/> Authors: Grzegorz Nosek <br/> License: Apache-2.0 |
| kafka | Event Sourcing <br/>ID: 18 <br/>`kafka` | Read events from Kafka topics into Falco <br/><br/> Authors: Hunter Madison <br/> License: Apache-2.0 |
| gitlab | Event Sourcing <br/>ID: 19 <br/>`gitlab` <br/>Field Extraction <br/> `gitlab` | Falco plugin providing basic runtime threat detection and auditing logging for GitLab <br/><br/> Authors: Andy <br/> License: Apache-2.0 |
| keycloak | Event Sourcing <br/>ID: 20 <br/>`keycloak` <br/>Field Extraction <br/> `keycloak` | Falco plugin for sourcing and extracting Keycloak user/admin events <br/><br/> Authors: Mattia Forcellese <br/> License: Apache-2.0 |
<!-- REGISTRY:TABLE -->

Hosted Plugins

Another purpose of this repository is to host and maintain the plugins owned by the Falcosecurity organization. Each plugin is a standalone project with its own directory inside the plugins folder.

The main branch contains the most up-to-date state of development, and each plugin is regularly released. Please check our Release Process to learn how plugins are released and how artifacts are distributed. Dev builds are published each time a Pull Request gets merged into main, whereas stable builds are released and published only when a new release gets tagged. You can find the published artifacts at https://download.falco.org/?prefix=plugins.

If you wish to contribute your plugin to the Falcosecurity organization, you just need to open a Pull Request to add it inside the plugins folder and to add it inside the registry. In order to be hosted in this repository, plugins must be licensed under the Apache 2.0 License.

Contributing

If you want to help and wish to contribute, please review our contribution guidelines. Code contributions are always encouraged and welcome!

License

This project is licensed to you under the Apache 2.0 Open Source License.