This is an experimental plugin showcasing how Falco can:
- detect interactive commands supplied via the Bash command line (via readline)
- match interactive commands to the events they triggered: e.g., if `/etc/shadow` is monitored and has been opened from an interactive session, show which interactive command led to that file being opened
For now it only monitors the bash `readline()` function, like many eBPF tools do, but there are more interactive use cases for bash, and more interpreters, that could be implemented.
Detection example:
The plugin defines its own event type, `icmd`, which fires on every monitored interactive bash command. It exposes the following field, both on `icmd` events and as enrichment on syscall events:

| NAME | TYPE | ARG | DESCRIPTION |
|---|---|---|---|
| proc.icmd | string | None | Interactive bash command that initiated this operation (if available) |
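As an added example (not the repository's own `example_rule.yaml`), here is a Falco rule that consumes the `proc.icmd` enrichment to attribute reads of a few sensitive files to the interactive command that caused them. The `sensitive_files` list and the `open_read` macro are my own names, and the rule assumes the plugin has been loaded so that syscall events carry the field:

```yaml
# Added illustration, not the repository's example_rule.yaml.
# Assumes the interactive_commands plugin is loaded so that syscall
# events are enriched with proc.icmd.
- list: sensitive_files
  items: [/etc/shadow, /etc/gshadow, /etc/sudoers]

# Successful open of a regular file (exit side of open/openat/openat2).
- macro: open_read
  condition: (evt.type in (open, openat, openat2) and evt.dir=< and fd.typechar='f')

- rule: Sensitive file read from interactive bash command
  desc: >
    A file from the sensitive_files list was opened by a process whose
    origin traces back to an interactive bash command line (proc.icmd).
  condition: >
    open_read and fd.name in (sensitive_files) and proc.icmd exists
  output: >
    Sensitive file opened via interactive command
    (icmd="%proc.icmd" file=%fd.name proc=%proc.name pid=%proc.pid
    user=%user.name container=%container.name)
  priority: WARNING
  source: syscall
  tags: [filesystem, interactive_commands, example]
```

Because command detection can lag behind the syscall it enriches (see the limitations below), `proc.icmd` may occasionally be absent or stale for an open that did come from an interactive session, so treat the field as attribution, not as the sole trigger for a rule.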
- Clone this repository
- Install Rust and Cargo
- Run `cargo build --release`

This should generate a shared object file in the `target/release` directory.
You need a running Falco instance to test the plugin. You can use the Falco Docker image to get started.
Assuming that you are in the plugin directory and the plugin has been built as `target/release/libinteractive_commands.so`, you can test it with Falco by running:

```shell
sudo docker run --rm -i -t --name falco --privileged --pid=host \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro \
  -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro \
  -v $(pwd)/target/release/libinteractive_commands.so:/usr/share/falco/plugins/libinteractive_commands.so \
  -v $(pwd)/example_rule.yaml:/etc/falco/example_rule.yaml \
  falcosecurity/falco:latest falco \
  -o 'plugins[]={"name":"interactive_commands","library_path":"/usr/share/falco/plugins/libinteractive_commands.so"}' \
  -o load_plugins[]=interactive_commands \
  -o rules_files[]=/etc/falco/example_rule.yaml
```

Note that the configuration above can be replicated in your local `falco.yaml`, if you already have Falco installed, like so:
```yaml
load_plugins: [interactive_commands]
plugins:
  - name: interactive_commands
    library_path: [FULL_PATH_TO_SO_FILE]/libinteractive_commands.so
```

This plugin is not yet production ready and has a few limitations which can be overcome with more development:
- Sometimes commands are detected only after their effects have already been processed by Falco, leading to missing or incorrect command-line information. This is due to a lack of optimization in the plugin and to missing child-thread information in libs; adding that information to libs and optimizing the plugin code would minimize the issue
- It does not support scap files
- It has a hard limit of 4096 bytes for command-line strings
