docker-plugin

Docker Events Plugin

This repository contains the docker plugin for Falco, which can fetch events and emit sinsp/scap events (e.g. the events used by Falco) for each entry.

The plugin also exports fields that extract information from a docker event, such as the event time, the action, the container name, the container image, the node id (for swarm cluster), ...

• Docker Events Plugin
• Event Source
• Supported Fields
• Development
  • Requirements
  • Build
  • Install
• Settings
• Configurations
• Usage
  • Requirements
  • Results

Event Source

The event source for docker events is docker.

Supported Fields

Development

Requirements

You need:

• Go >= 1.17

Build

make build

Install

make install

Settings

Only init accepts settings:

• flushinterval: time en ms between two flushes of events from docker to Falco (default: 30ms)

Configurations

• falco.yaml

  plugins:
    - name: docker
      library_path: /etc/falco/audit/libdocker.so
      init_config: '{"flushinterval": 10}'
      open_params: ''
  
  load_plugins: [docker]
  
  stdout_output:
    enabled: true
  

  💡 init_config can also set in yaml format:

  init_config:
    flushinterval: 10
  

• rules.yaml

The source for rules must be docker.

See example:

- rule: Dummy Rule
  desc: Dummy Rule
  condition: docker.status in (start,create,die)
  output: status=%docker.status from=%docker.from type=%docker.type action=%docker.action name=%docker.attributes.name 
  priority: DEBUG
  source: docker
  tags: [docker]

Usage

falco -c falco.yaml -r docker_rules.yaml

Requirements

• Falco >= 0.31

Results

14:53:29.092313000: Debug status=create from=alpine type=container action=create name=pensive_haibt
14:53:29.092787000: Debug status=start from=alpine type=container action=start name=pensive_haibt
14:53:29.092899000: Debug status=die from=alpine type=container action=die name=pensive_haibt