This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Actionners

Actionners are the built-it actions to react to the events

The Actionners define the actions to apply when an event matches a rule, they are named with pattern category:action.

The category allows to group actions and avoid multiple initializations (eg, multi Kubernetes API client, multi AWS clients, …).

Each actionner is configured with parameters, a map of values passed to the action. The values can be a string, a list (array) or a map (map[string]string).

Example:

- action: Terminate the pod
  actionner: kubernetes:terminate
  parameters:
    grace_period_seconds: 5
    ignore_daemonsets: true
    ignore_statefulsets: true
    min_healthy_replicas: 33%

- action: Label the pod
  actionner: kubernetes:label
  parameters:
    labels:
      suspicious: true

- action: Get logs
  actionner: kubernetes:log
  output:
    target: minio:s3
    parameters:
      bucket: my-bucket
      prefix: /logs/

- action: Run Lambda
  actionner: aws:lambda
  parameters:
    aws_lambda_name: my-function
    aws_lambda_alias_or_version: $LATEST
  contexts:
    - aws
    - k8snode

Contexts

Some actionners allow to specify which sources to use to inject elements in the context field of the event payload, before triggering the action. The context of Falco Talon (the rule name, the action name, the action parameters, etc) are injected anyway.

Outputs

Some actionners allow or require to specify a destination for the generated/collected artifacts. See here to know more.

aws

Elements:

  • aws.instance_profile_arn
  • aws.instance_profile_id
  • aws.region

k8snode

Elements:

  • node.hostname
  • node.instancetype
  • node.role
  • node.topology.region
  • node.topology.zone
  • node.spec.providerid

1 - List of Actionners

Available actionners

The required fields are the field elements that must be present in your Falco event to allow the actionner to do its work.

kubernetes

The category kubernetes can be initialized with a kubeconfig file when Falco Talon runs outside Kubernetes.

kubernetes:terminate

  • Description: Terminate the pod
  • Continue: false
  • Parameters:
    • grace_period_seconds: The duration in seconds before the pod should be deleted. The value zero indicates delete immediately.
    • ignore_daemonsets: If true, the pods which belong to a Daemonset are not terminated.
    • ignore_statefulsets: If true, the pods which belong to a Statefulset are not terminated.
    • min_healthy_replicas: Minimum number of healthy pods to allow the termination, can be an absolute or % value (the value must be a quoted string).
  • Required fields:
    • k8s.pod.name
    • k8s.ns.name
  • Use context: false
  • Output: n/a
  • Source: syscalls

Example:

- action: Terminate the pod
  actionner: kubernetes:terminate
  parameters:
    grace_period_seconds: 5
    ignore_daemonsets: true
    ignore_statefulsets: true
    min_healthy_replicas: 33%

kubernetes:label

  • Description: Add, modify or delete the labels of the pod
  • Continue: true
  • Parameters:
    • level: level to apply the apply the labels, can be node or pod (default)
    • labels: (required) key:value map of labels to add/modify/delete (empty value means label deletion)
  • Required fields:
    • k8s.pod.name
    • k8s.ns.name
  • Use context: false
  • Output: n/a
  • Source: syscalls

Example:

- action: Label the pod
  actionner: kubernetes:label
  parameters:
    level: pod
    labels:
      suspicious: true

kubernetes:networkpolicy

  • Description: Create, update a network policy to block all egress traffic for pod
  • Continue: true
  • Parameters:
    • allow_cidr: list of CIDR to allow anyway (eg: private subnets)
    • allow_namespaces: list of namespaces to allow anyway
  • Required fields:
    • k8s.pod.name
    • k8s.ns.name
  • Use context: false
  • Output: n/a
  • Source: syscalls

Example:

- action: Create a network policy
  actionner: kubernetes:networkpolicy
  parameters:
    allow_cidr:
      - "192.168.1.0/24"
      - "172.17.0.0/16"
    allow_namespaces:
      - "green-ns"
      - "blue-ns"

kubernetes:exec

  • Description: Exec a command in a pod
  • Continue: true
  • Parameters:
    • shell: SHELL used to run the command (default: /bin/sh)
    • command: (required) Command to run
  • Required fields:
    • k8s.pod.name
    • k8s.ns.name
  • Use context: true
  • Output: n/a
  • Source: syscalls

Example:

- action: Exec a command into the pod
  actionner: kubernetes:exec
  parameters:
    shell: /bin/bash
    command: "cat ${FD_NAME}"

kubernetes:script

  • Description: Run a script in a pod
  • Continue: true
  • Parameters:
    • shell: SHELL used to run the script (default; /bin/sh)
    • script: Script to run (use | to use multilines) (can’t be used at the same time than file)
    • file: Shell script file (can’t be used at the same time than script)
  • Required fields:
    • k8s.pod.name
    • k8s.ns.name
  • Use context: true
  • Output: n/a
  • Source: syscalls

Example:

- action: Run a script into the pod
  actionner: kubernetes:script
  parameters:
    shell: /bin/bash
    script: |
      ps awxuf
      netstat -lpauten
      top -n 1
      cat ${FD_NAME}

kubernetes:log

  • Description: Get logs from a pod
  • Continue: true
  • Parameters:
    • tail_lines: The number of lines from the end of the logs to show (default: 20)
  • Required fields:
    • k8s.pod.name
    • k8s.ns.name
  • Use context: false
  • Output: optionnal (if no output is specified, the logs are printed in the log line)
  • Source: syscalls

Example:

- action: Get logs of the pod
  actionner: kubernetes:log
  parameters:
    tail_lines: 200
  output:
    target: aws:s3
    parameters:
      bucket: my-bucket
      prefix: /logs/

kubernetes:download

  • Description: Download a file from a pod
  • Continue: true
  • Parameters:
    • file: (required) The full path of the file to download
  • Required fields:
    • k8s.pod.name
    • k8s.ns.name
  • Use context: true
  • Output: required
  • Source: syscalls

Example:

- action: Get logs of the pod
  actionner: kubernetes:download
  parameters:
    tail_lines: 200
  output:
    target: aws:s3
    parameters:
      bucket: my-bucket
      prefix: /files/

kubernetes:tcpdump

  • Description: Capture the network packets for the pod
  • Continue: true
  • Parameters:
    • duration: duration in seconds of the capture (default: 5)
    • snaplen: number of bytes captured for each packet (default: 4096)
  • Required fields:
    • k8s.pod.name
    • k8s.ns.name
  • Use context: false
  • Output: required
  • Source: syscalls

Example:

- action: Get logs of the pod
  actionner: kubernetes:tcpdump
  parameters:
    duration: 10
    snaplen: 1024
  output:
    target: aws:s3
    parameters:
      bucket: my-bucket
      prefix: /captures/

kubernetes:delete

  • Description: Delete the resource
  • Continue: false
  • Parameters: N/A
  • Required fields:
    • ka.target.resource
    • ka.target.name
    • ka.target.namespace
  • Use context: false
  • Output: n/a
  • Source: k8saudit

Example:

- action: Delete the suspicious resource
  actionner: kubernetes:delete
  parameters:
    tail_lines: 200

kubernetes:cordon

  • Description: Cordon a node
  • Continue: true
  • Parameters: N/A
  • Required fields:
    • k8s.pod.name
    • k8s.ns.name
  • Use context: false
  • Output: n/a
  • Source: syscalls

Example:

- action: Cordon the node
  actionner: kubernetes:cordon

kubernetes:drain

  • Description: Drain a node
  • Continue: true
  • Parameters:
    • grace_period_seconds: The duration in seconds before the pod should be deleted. The value zero indicates delete immediately.
    • ignore_daemonsets: If true, the pods which belong to a Daemonset are not terminated.
    • ignore_statefulsets: If true, the pods which belong to a Statefulset are not terminated.
    • min_healthy_replicas: Minimum number of healthy pods to allow the termination, can be an absolute or % value (the value must be a quoted string).
    • ignore_error: If true, errors during the drain will be ignored, resulting in a successful action call. Used to control subsequent actions flow.
  • Required fields:
    • k8s.pod.name
    • k8s.ns.name
  • Use context: false
  • Output: n/a
  • Source: syscalls

Example:

- action: Drain the node
  actionner: kubernetes:drain

calico

The category calico can be initialized with a kubeconfig file when Falco Talon runs outside Kubernetes.

calico:networkpolicy

  • Description: Create a Calico Network Policy to block the egress traffic to a specific IP
  • Continue: true
  • Parameters:
    • allow_cidr: list of CIDR to allow anyway (eg: private subnets) (default: 0.0.0.0/0)
    • allow_namespaces: list of namespaces to allow anyway
    • order: order of the network policy
  • Required fields:
    • fd.sip or fd.rip
  • Use context: false
  • Output: n/a
  • Source: syscalls

Example:

- action: Create Calico netpol
  actionner: calico:networkpolicy
  parameters:
    order: 20
    allow_cidr:
      - "192.168.1.0/24"
      - "172.17.0.0/16"
    allow_namespaces:
      - "green-ns"
      - "blue-ns"

aws:lambda

  • Description: Invoke an AWS lambda forwarding the Falco event payload
  • Continue: true
  • Parameters:
    • aws_lambda_name: Lambda name to call. Lambda must reside in the same region as your default credential provider or static region provided in configuration.
    • aws_lambda_alias_or_version: Lambda alias or version to call. (default: $LATEST)
    • aws_lambda_invocation_type: Invocation type for Lambda. Accepted values: RequestResponse, Event, DryRun. (default: RequestResponse)
  • Required AWS access:
    • sts:getCallerIdentity
    • lambda:InvokeFunction
    • lambda:GetFunction
  • Use context: true
  • Output: n/a
  • Source: any

Example:

- action: Invoke Lambda function
  actionner: aws:lambda
  parameters:
    aws_lambda_name: sample-function
    aws_lambda_alias_or_version: $LATEST
    aws_lambda_invocation_type: RequestResponse

2 - Contexts

Available contexts for the actionners

The context is composed of elements from the original Falco event, from Falco Talon and other sources, these elements can be used to dynamically configure the actions to perform. They are all exposed as environment variables that can be used as tokens to replace in the parameters of the actions.

Except those from Falco, all the informations are also injected into a context section in the original payload (JSON) before the run of the action, it’s useful for the actionners using a third party system (ie: aws:lambda) to have the original Falco event and the context of what Falco Talon does.

Example:

{
    "output": "14:37:27.505989596: Warning Detected ptrace PTRACE_ATTACH attempt (proc_pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)",
    "priority": "WARNING",
    "rule": "PTRACE attached to process",
    "time": "2023-12-20T14:37:27.505989596Z",
    "output_fields": {
        "container.info": "container.info",
        "evt.arg.flags": "evt.arg.flags",
        "evt.type": "evt.type",
        "proc.cmdline": "proc.cmdline",
        "proc.exepath": "proc.exepath",
        "proc.name": "proc.name",
        "proc.pcmdline": "proc.pcmdline",
        "proc.pname": "proc.pname",
        "proc.tty": "proc.tty",
        "user.loginuid": "user.loginuid",
        "user.name": "user.name",
        "user.uid": "user.uid"
    },
    "hostname": "host-7.local",
    "source": "syscalls",
    "tags": [
        "maturity_stable",
        "host",
        "container",
        "process",
        "mitre_privilege_escalation",
        "T1055.008"
    ],
    "context": {
        "falco-talon.rule": "myrule",
        "falco-talon.rule.continue": true,
        "falco-talon.rule.dryrun": false,
        "falco-talon.rule.action": "myaction",
        "falco-talon.rule.actionner": "category:action",
        "falco-talon.rule.action.continue": true,
        "falco-talon.rule.action.ignore_errors": false,
        "falco-talon.rule.action.parameters": "{\"param1\": true, \"param2\": \"value2\", \"param3\": 10}",
    }
}

Falco

The exposed env vars concerning Falco are exported as environment variables:

  • PRIORITY: the priority of the Falco events
  • HOSTNAME: the hostname where the Falco event occured
  • SOURCE: the source for the Falco event
  • RULE: the name of the rule that created the Falco event
  • TAGS: a comma separated list of the tags associated with the Falco event
  • All the OutputFields of the Falco event are exported, in uppercase, with the dots replaced by _ and the brackets [ ] removed, examples:
    • fd.name > FD_NAME
    • proc.args[0] > PROC_ARGS_0

Falco Talon

The exposed env vars concerning Falco are:

  • FALCO-TALON_RULE: the name of the Falco Talon rule that matches
  • FALCO-TALON_RULE_CONTINUE: if the Falco Talon rule allows to continue or not
  • FALCO-TALON_RULE_DRYRUN: if the Falco Talon rule dry runs or not
  • FALCO-TALON_RULE_ACTION: the name of the action triggered by the Falco Rule
  • FALCO-TALON_RULE_ACTION_CONTINUE: if the action triggered by the Falco Rule allows to continue or not
  • FALCO-TALON_RULE_ACTION_IGNORE_ERRORS: if the action triggered by the Falco Rule ignores the errors or not
  • FALCO-TALON_RULE_ACTION_PARAMETERS: a json payload with parameters of the action triggered by the Falco Rule
  • FALCO-TALON_RULE_ACTIONNER: the actionner used by the action triggered by the Falco Rule

Moreover, some actionners allow also to specify extra sources of information.

Other sources (optionnal)

AWS

For injecting some informations retrieved from AWS IMDS, use the source: aws (lower case).

In the context section of the payload:

    "context": {
        "aws.intance.profile": "myprofile",
        "aws.instance.profile.id": "myprofileid",
        "aws.region": "us-east-1",
    }

As env vars:

  • AWS_INSTANCE_PROFILE_ARN
  • AWS_INSTANCE_PROFILE_ID
  • AWS_REGION

k8snode

For injecting some informations retrieved from the node, use the source: k8snode.

In the context section of the payload:

    "context": {
        "node.hostname": "hostname",
        "node.instancetype": "instancetype",
        "node.role": "worker",
        "node.topology.zone": "zonea",
        "node.topology.region": "region",
        "node.spec.providedid": "id",
    }

As env vars:

  • NODE_HOSTNAME
  • NODE_INSTANCETYPE
  • NODE_ROLE
  • NODE_TOPOLOGY_ZONE
  • NODE_TOPOLOGY_REGION
  • NODE_SPEC_PROVIDEDID