Everyone can contribute! Let's learn together in a weekly cafe ☕


We love to break things, make mistakes, debug, analyse, fix problems together. Live and unfiltered on Youtube.

Community members and thought leaders regularly join and share their projects and ideas.

"Everyone Can Contribute" is inspired by GitLab's mission.

42. #EveryoneCanContribute cafe: Falco and GitLab Package Hunter


POP dives into Falco, the rules engine and a live deployment into a Kubernetes cluster. Michael Friedrich takes over with Package Hunter, using the Falco rules to monitor unexpected syscalls from package dependency installs.

Recording

Enjoy the session! 🦊


Highlights

POP started with the basics, showing how Falco's ruleset can monitor many different events at the syscall level. He also showed how to extend Falco with Falcosidekick, described by its project as:

A simple daemon for connecting Falco to your ecosystem. It takes Falco's events and forwards them to different outputs in a fan-out way.

POP demonstrated Falcosidekick by sending alerts to Slack, with a rule that tries to detect cookie tampering. The Falcosidekick UI lists the events as they happen and the alerts raised by the defined rules. You can write a lot of such rules - and so did GitLab's Application Security team when creating Package Hunter.
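To make the Falco to Falcosidekick to Slack/UI wiring from the demo concrete, here is an added configuration example. It is not taken from the session or from the Falcosidekick project; the hostnames, ports and webhook URL are placeholders you have to replace, and the two fragments belong in two different files (Falco's falco.yaml and Falcosidekick's config.yaml).

```yaml
# Added example (not the session's or the project's own config).
# Fragment 1: falco.yaml - Falco must emit JSON and POST each event to Falcosidekick.
json_output: true
json_include_output_property: true
http_output:
  enabled: true
  url: "http://falcosidekick:2801/"   # assumption: Falcosidekick is reachable under this name/port

---
# Fragment 2: falcosidekick config.yaml - fan the events out to Slack and the Falcosidekick UI.
slack:
  webhookurl: "https://hooks.slack.com/services/REPLACE/ME"   # placeholder; the webhook is a secret
  minimumpriority: "warning"   # only WARNING and above reach the channel, NOTICE/INFO stay in the UI
webui:
  url: "http://falcosidekick-ui:2802"   # assumption: service name of the Falcosidekick UI
```

Treat the Slack webhook URL as a credential: anyone holding it can post into the channel, so rather than committing it in config.yaml, pass it through the environment (Falcosidekick reads `SLACK_WEBHOOKURL`) or a secret store.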

Michael started the Vagrant VM locally, and we tried to send a 2 GB tarball to Package Hunter, which did not work. After raising a hardcoded size limit, the file still could not be parsed, this time because of the VM's own resource limits. Having found a practical limit, we will continue next week with more cloud resources, and with ideas and patches to contribute upstream.

The Falco rules in Package Hunter use Falco's syscall monitoring to watch for specific actions during a dependency install, such as:

  • Blacklisted binaries executed in a container
  • npm config file access by programs other than the expected ones
  • A process starting to listen on a port
  • Inbound and outbound connections, checked against an allow list of IP addresses and domains
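The four checks above map onto Falco's macro/list/rule structure. The rules file below is an added example written for this recap; it is not Package Hunter's own rules file. Everything prefixed pkghunter_ is an assumed name, the blocked binaries and the allow-list entries are placeholders, and for the fourth check only the outbound half is shown.

```yaml
# Added example: illustrative Falco rules in the spirit of the Package Hunter checks.
# NOT Package Hunter's rules file; names prefixed pkghunter_ and all list entries are assumptions.

- macro: pkghunter_in_container
  condition: container.id != host

- macro: pkghunter_spawned_process
  condition: evt.type in (execve, execveat) and evt.dir = <

# 1. Blacklisted binaries executed in a container
- list: pkghunter_blocked_binaries
  items: [curl, wget, nc, ncat, ssh, scp]   # assumption: tune to what your installs never need

- rule: Package Hunter blocked binary executed in container
  desc: A binary a dependency install has no reason to run was executed inside the sandbox container
  condition: >
    pkghunter_spawned_process and pkghunter_in_container
    and proc.name in (pkghunter_blocked_binaries)
  output: >
    Blocked binary executed in container
    (command=%proc.cmdline parent=%proc.pname container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [pkghunter, process]

# 2. npm config file accessed by something other than the package manager itself
- list: pkghunter_npm_programs
  items: [npm, node, yarn]   # assumption: the programs expected to read .npmrc

- rule: Package Hunter npm config read by unexpected program
  desc: A program other than npm/node/yarn opened an npm config file (registry tokens live there)
  condition: >
    pkghunter_in_container
    and evt.type in (open, openat, openat2) and evt.dir = <
    and fd.name endswith ".npmrc"
    and not proc.name in (pkghunter_npm_programs)
  output: >
    npm config file opened by unexpected program
    (file=%fd.name command=%proc.cmdline parent=%proc.pname container=%container.name)
  priority: WARNING
  tags: [pkghunter, filesystem]

# 3. A process starts listening on a port
- rule: Package Hunter process listening in container
  desc: A dependency install spawned something that binds and listens on a socket
  condition: pkghunter_in_container and evt.type = listen and evt.dir = <
  output: >
    Process started listening in container
    (socket=%fd.name command=%proc.cmdline container=%container.name)
  priority: NOTICE
  tags: [pkghunter, network]

# 4. Outbound connections to destinations outside the allow list
- list: pkghunter_allowed_ips
  items: ["127.0.0.1"]   # placeholder: your registry mirror / proxy addresses

- list: pkghunter_allowed_domains
  items: [registry.npmjs.org, registry.yarnpkg.com]   # placeholder: the registries you actually use

- macro: pkghunter_outbound
  condition: >
    evt.type = connect and evt.dir = < and (fd.typechar = 4 or fd.typechar = 6)
    and (evt.rawres >= 0 or evt.res = EINPROGRESS)

- rule: Package Hunter unexpected outbound connection
  desc: The sandbox connected to an IP or domain that is not on the allow list
  condition: >
    pkghunter_in_container and pkghunter_outbound
    and not fd.sip in (pkghunter_allowed_ips)
    and not fd.sip.name in (pkghunter_allowed_domains)
  output: >
    Unexpected outbound connection from container
    (connection=%fd.name sip=%fd.sip domain=%fd.sip.name command=%proc.cmdline container=%container.name)
  priority: WARNING
  tags: [pkghunter, network]
```

Validate the file with `falco -V pkghunter_rules.yaml` before loading it with `falco -r pkghunter_rules.yaml`. The macros are deliberately prefixed rather than reusing the `container`, `spawned_process` and `outbound` macros from Falco's default rules, so the file also works when loaded on its own; the domain check relies on Falco resolving the server IP to a name, so keep the IP allow list populated as the fallback.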

More ideas for the future:

  • Falco rulesets contributed upstream
  • Move the Vagrantfile provisioning into Terraform to provision a cloud VM
  • Send Package Hunter patches for hardcoded values and error handling (HOST in cli.js, the 200 MB limit in routes.js)

After the session, we learned how to enable full debug mode for the Package Hunter server:

$ NODE_ENV=development DEBUG=* node src/server.js

More soon; meanwhile, check out Falco and explore its functionality in your production environment! :-)

Date published: August 11, 2021

Tags: Security, Falco, Cloudnative, Gitlab, Package hunter