Everyone can contribute! Learn DevOps and Cloud Native in our cafe ☕

Technology is moving fast in the DevOps and Cloud Native community.

Join the conversation and add your thoughts, tips, experiences, stories.

"Everyone Can Contribute" is inspired by GitLab's mission.

42. #EveryoneCanContribute cafe: Falco and GitLab Package Hunter

POP dives into Falco, its rules engine and a live deployment into a Kubernetes cluster. Michael Friedrich takes over with Package Hunter, which uses Falco rules to monitor unexpected syscalls made while package dependencies are installed.


Enjoy the session! 🦊


POP started with the basics, showing how Falco's ruleset can watch for many different kinds of events. He also shared how to extend Falco's outputs with Falcosidekick, which the project describes as:

A simple daemon for connecting Falco to your ecosystem. It takes Falco's events and forwards them to different outputs in a fan-out way.

POP demonstrated the sidekick by sending messages to Slack, using a rule meant to detect cookie tampering. The Falcosidekick UI lists the events as they arrive, including the alerts raised by the defined rules. You can write many rules of your own, and that is exactly what GitLab's Application Security team did when creating Package Hunter.
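As an added example (not the demo's own configuration), this is the wiring behind such a setup: Falco emits JSON events over HTTP to Falcosidekick, which fans them out to Slack and to the Falcosidekick UI. The two files are shown as two YAML documents; the hostnames, the custom field and the Slack webhook URL are placeholders.

```yaml
# Added example, not the demo's configuration. Two files shown as two YAML
# documents; hostnames, the custom field and the Slack webhook URL are placeholders.

# --- falco.yaml (excerpt): emit JSON and push every event to Falcosidekick ---
json_output: true
json_include_output_property: true
http_output:
  enabled: true
  url: "http://falcosidekick:2801/"    # 2801 is Falcosidekick's default listen port
---
# --- falcosidekick config.yaml: fan the same event out to Slack and the UI ---
listenport: 2801
customfields:
  source: "package-hunter-demo"        # arbitrary key/value appended to every event
slack:
  webhookurl: "https://hooks.slack.com/services/TXXXXXXX/BXXXXXXX/XXXXXXXX"  # placeholder
  minimumpriority: "warning"           # keep NOTICE/INFO noise out of the channel
  outputformat: "all"                  # message text plus the parsed output fields
webui:
  url: "http://falcosidekick-ui:2802"  # no priority filter: the UI keeps the full stream
```

The `minimumpriority` per output is the knob that makes the fan-out useful: a chat channel only gets alerts worth a human's attention, while the UI (or a SIEM output) keeps everything for later triage.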

Michael started the Vagrant VM locally, and we tried to upload a 2 GB tarball to Package Hunter, which did not work. After raising a hardcoded size limit, the file still could not be parsed, this time because of the VM's resource limits. Having hit a practical limit, we will continue next week with more cloud resources, and with ideas and patches to contribute upstream.

The Falco rules in Package Hunter use Falco's syscall monitoring to flag specific actions during a package install, such as

  • Blacklisted binaries executed in the install container
  • Npm config file access by unexpected programs
  • A process starting to listen on a port
  • Inbound and outbound connections, checked against an allowlist of IP addresses and domains
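To show what checks of this kind look like in Falco's rule syntax, here is an added example written for this post; it is not Package Hunter's own rule file. The macros mirror the ones shipped in Falco's default ruleset so the file loads on its own; the rule names, the list contents, the allowlisted registry hosts and networks, and the process names treated as the package manager are all assumptions to be tuned for the container you actually install in.

```yaml
# Added example, not Package Hunter's rule file: four rules in standard Falco
# syntax that mirror the checks listed above. Rule names, list contents, the
# allowlisted hosts/networks and the package-manager process names are assumptions.
# Load stand-alone with: falco -r package_hunter_example.yaml

# Macros equivalent to the ones in Falco's default ruleset, repeated so this file is self-contained.
- macro: container
  condition: (container.id != host)

- macro: spawned_process
  condition: (evt.type in (execve, execveat) and evt.dir = <)

- macro: open_read
  condition: (evt.type in (open, openat) and evt.is_open_read = true and fd.typechar = 'f' and fd.num >= 0)

# Completed TCP connect to something other than loopback (EINPROGRESS covers non-blocking sockets).
- macro: outbound_tcp
  condition: >
    (evt.type = connect and evt.dir = <
     and (fd.typechar = 4 or fd.typechar = 6)
     and fd.net != "127.0.0.0/8"
     and (evt.rawres >= 0 or evt.res = EINPROGRESS))

# Assumed lists. CIDRs in a Falco list must be double-quoted inside the YAML string.
- list: blocklisted_binaries
  items: [nc, ncat, socat, curl, wget, base64]

- list: package_manager_procs
  items: [npm, node, yarn]

- list: allowed_registry_hosts
  items: [registry.npmjs.org, registry.yarnpkg.com]

- list: allowed_registry_nets
  items: ['"10.0.0.0/8"']

- rule: Blocklisted binary executed in container
  desc: An install script spawned a binary a dependency install has no reason to run.
  condition: spawned_process and container and proc.name in (blocklisted_binaries)
  output: >
    Blocklisted binary executed in container
    (user=%user.name command=%proc.cmdline parent=%proc.pname container=%container.name)
  priority: WARNING
  tags: [package_hunter, process]

- rule: Npm config file accessed by unexpected program
  desc: .npmrc can carry registry auth tokens; only the package manager should read it.
  condition: >
    open_read and container
    and (fd.name endswith "/.npmrc" or fd.name endswith "/etc/npmrc")
    and not proc.name in (package_manager_procs)
  output: >
    Npm config read by unexpected program
    (file=%fd.name command=%proc.cmdline parent=%proc.pname container=%container.name)
  priority: WARNING
  tags: [package_hunter, filesystem]

- rule: Process started listening on a port in container
  desc: A dependency install should never open a listening socket.
  condition: evt.type = listen and evt.dir = < and container
  output: >
    Process listening on a port during install
    (command=%proc.cmdline port=%fd.sport container=%container.name)
  priority: NOTICE
  tags: [package_hunter, network]

- rule: Outbound connection to non-allowlisted host from container
  desc: Installs should only talk to the package registry; anything else deserves a look.
  condition: >
    outbound_tcp and container
    and not fd.sip.name in (allowed_registry_hosts)
    and not fd.snet in (allowed_registry_nets)
  output: >
    Outbound connection to non-allowlisted host
    (dest=%fd.sip:%fd.sport name=%fd.sip.name command=%proc.cmdline container=%container.name)
  priority: WARNING
  tags: [package_hunter, network]
```

Two caveats a practitioner should check before trusting these: `fd.sip.name` depends on Falco being able to resolve the server address to a name, so an allowlist of CIDRs (the `fd.snet` clause) is the more robust half of the network rule; and the `listen` rule only fires if `listen` is among the syscalls Falco captures in your version, so confirm that with a quick `nc -l` inside a test container before relying on it.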

More ideas for the future:

  • Falco rulesets contributed upstream
  • Move the Vagrantfile provisioning into Terraform to provision a cloud VM
  • Add Package Hunter patches for hardcoded values and error handling (cli.js HOST, routes.js 200mb limit)

After the session, we learned how to enable Package Hunter's full debug mode (DEBUG=* turns on every logging namespace of the Node.js debug module):

$ NODE_ENV=development DEBUG=* node src/server.js

More soon; meanwhile, check out Falco and explore its functionality in your production environment! :-)


Date published: August 11, 2021

Tags: Security, Falco, Cloudnative, Gitlab, Package hunter