refactor: add k8saudit plugin and adapt config, tests, and rulesets

Signed-off-by: Jason Dellaluce <[email protected]>

cmake/modules/plugins.cmake

@@ -15,6 +15,18 @@ include(ExternalProject)
 
 string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} PLUGINS_SYSTEM_NAME)
 
+# todo(jasondellaluce): switch this to a stable version once this plugin gets
+# released with a 1.0.0 required plugin api version
+ExternalProject_Add(
+  k8saudit-plugin
+  URL "https://download.falco.org/plugins/dev/k8saudit-0.0.0-0.1.0-0%2B3068d86-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL_HASH "SHA256=e5c8cf4290b700ae92e80f693aa5a0223d917d637001fdc872430e57a1e625bc"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND "")
+
+install(FILES "${PROJECT_BINARY_DIR}/k8saudit-plugin-prefix/src/k8saudit-plugin/libk8saudit.so" DESTINATION "${FALCO_PLUGINS_DIR}")
+
 # todo(jasondellaluce): switch this to a stable version once this plugin gets
 # released with a 1.0.0 required plugin api version
 ExternalProject_Add(
@@ -31,8 +43,8 @@ install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-plugin-prefix/src/cloudtrail-plu
 # released with a 1.0.0 required plugin api version
 ExternalProject_Add(
   json-plugin
-  URL "https://download.falco.org/plugins/dev/json-0.2.2-0.2.2-19%2B3068d86-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
-  URL_HASH "SHA256=e5c8cf4290b700ae92e80f693aa5a0223d917d637001fdc872430e57a1e625bc"
+  URL "https://download.falco.org/plugins/dev/json-0.2.2-0.2.2-21%2B6a2e542-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL_HASH "SHA256=6a2a959117c4f0ea0101853146c267f2cf62d7c5e2b0136022df3921e68cf24a"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND "")

falco.yaml

@@ -44,6 +44,12 @@ rules_file:
 # init_config/open_params for the cloudtrail plugin, see the README at
 # https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md.
 plugins:
+  - name: k8saudit
+    library_path: libk8saudit.so
+    init_config:
+      - maxEventBytes: 1048576
+      - sslCertificate: /etc/falco/falco.pem
+    open_params: "http://:9876/k8s-audit"
   - name: cloudtrail
     library_path: libcloudtrail.so
     init_config: ""

rules/k8s_audit_rules.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,7 +14,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-- required_engine_version: 2
+- required_engine_version: 11
+
+- required_plugin_versions:
+  - name: k8saudit
+    version: 0.1.0
+  - name: json
+    version: 0.2.2
 
 # Like always_true/always_false, but works with k8s audit events
 - macro: k8s_audit_always_true

test/confs/plugins/k8s_audit.yaml

@@ -0,0 +1,29 @@
+#
+# Copyright (C) 2022 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+stdout_output:
+  enabled: true
+
+plugins:
+  - name: k8saudit
+    library_path: BUILD_DIR/k8saudit-plugin-prefix/src/k8saudit-plugin/libk8saudit.so
+    init_config: ""
+    open_params: "" # to be filled out by each test case
+  - name: json
+    library_path: BUILD_DIR/json-plugin-prefix/src/json-plugin/libjson.so
+    init_config: ""
+
+load_plugins: [k8saudit, json]