
add CEF format for syslog output #386

Merged
merged 1 commit into from
Nov 30, 2022

Conversation

@Issif Issif (Member) commented Nov 29, 2022

Signed-off-by: Thomas Labarussias issif_github@gadz.org

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area config

/area outputs

/area tests

What this PR does / why we need it:

Support CEF format for Syslog output

CEF:0|Falcosecurity|Falco|1.0|Falco Event|Unexpected outbound connection destination|4|uuid=f1fe1e58-6f3f-4562-bc80-aafec699b45a start=2022-11-29T15:35:01Z msg=Disallowed outbound connection destination (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) source=syscalls outputfields=fd.name:fd.name proc.pid:proc.pid user.loginuid:user.loginuid user.name:user.name ckey:CValue bkey:BValue dkey:bar container.id:container.id proc.cmdline:proc.cmdline akey:AValue container.image.repository:container.image.repository tags=network
CEF:0|Falcosecurity|Falco|1.0|Falco Event|Console Login Through Assume Role|6|uuid=a23ab7aa-8e20-400d-a277-ac31bcb7d5ff start=2022-11-29T15:35:08Z msg=Detected a console login through Assume Role (principal=%ct.user.principalid, assumedRole=%ct.user.arn, requesting IP=%ct.srcip, AWS region=%ct.region) source=cloudtrail outputfields=akey:AValue dkey:bar ct.region:ct.region ct.srcip:ct.srcip ct.user.arn:ct.user.arn ct.user.principalid:ct.user.principalid bkey:BValue ckey:CValue tags=cloud,aws,aws_console,aws_iam
CEF:0|Falcosecurity|Falco|1.0|Falco Event|Delete Public Repository|6|uuid=79889861-a713-4cc2-be18-ab58d7e7021a start=2022-11-29T15:35:27Z msg=A public repository was deleted (repository=%github.repo repo_owner=%github.owner org=%github.org user=%github.user) source=github outputfields=github.org:github.org github.owner:github.owner github.repo:github.repo github.user:github.user akey:AValue bkey:BValue ckey:CValue dkey:bar
CEF:0|Falcosecurity|Falco|1.0|Falco Event|Modify Container Entrypoint|6|uuid=ec1b5986-b10a-4d35-9926-cc13c232a44e start=2022-11-29T15:35:45Z msg=Detect Potential Container Breakout Exploit (CVE-2019-5736) (user=%user.name process=%proc.name file=%fd.name cmdline=%proc.cmdline pid=%proc.pid %container.info)
 source=syscalls outputfields=proc.name:proc.name proc.pid:proc.pid user.name:user.name ckey:CValue bkey:BValue fd.name:fd.name proc.cmdline:proc.cmdline akey:AValue dkey:bar container.info:container.info tags=container,filesystem,mitre_initial_access
CEF:0|Falcosecurity|Falco|1.0|Falco Event|Java Process Class File Download|8|uuid=5026648e-b962-4caa-82b0-3fcd1774637e start=2022-11-29T15:35:45Z msg=Java process class file download (user=%user.name user_loginname=%user.loginname user_loginuid=%user.loginuid event=%evt.type connection=%fd.name server_ip=%fd.sip server_port=%fd.sport proto=%fd.l4proto process=%proc.name command=%proc.cmdline pid=%proc.pid parent=%proc.pname buffer=%evt.buffer container_id=%container.id image=%container.image.repository) source=syscalls outputfields=container.id:container.id user.loginuid:user.loginuid user.name:user.name fd.l:fd.l fd.name:fd.name fd.sport:fd.sport proc.pname:proc.pname ckey:CValue bkey:BValue container.image.repository:container.image.repository evt.buffer:evt.buffer evt.type:evt.type fd.sip:fd.sip proc.cmdline:proc.cmdline proc.name:proc.name proc.pid:proc.pid user.loginname:user.loginname akey:AValue dkey:bar tags=mitre_initial_access
CEF:0|Falcosecurity|Falco|1.0|Falco Event|Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)|8|uuid=c617fd89-f806-4d09-949d-eb8cc3c4225c start=2022-11-29T15:35:45Z msg=Detect Polkit pkexec Local Privilege Escalation Exploit (CVE-2021-4034) (user=%user.loginname uid=%user.loginuid command=%proc.cmdline pid=%proc.pid args=%proc.args) source=syscalls outputfields=proc.pid:proc.pid user.loginname:user.loginname dkey:bar proc.args:proc.args proc.cmdline:proc.cmdline user.loginuid:user.loginuid ckey:CValue akey:AValue bkey:BValue tags=process,mitre_privilege_escalation
CEF:0|Falcosecurity|Falco|1.0|Falco Event|K8s Service Deleted|3|uuid=9dcfc783-aee7-4370-b355-aec3b0df6e16 start=2022-11-29T15:35:56Z msg=K8s Service Deleted (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resource=%ka.target.resource resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) source=k8s_audit outputfields=ka.response.code:ka.response.code ka.target.name:ka.target.name ckey:CValue akey:AValue ka.user.name:ka.user.name bkey:BValue dkey:bar ka.auth.decision:ka.auth.decision ka.auth.reason:ka.auth.reason ka.target.namespace:ka.target.namespace ka.target.resource:ka.target.resource tags=k8s
CEF:0|Falcosecurity|Falco|1.0|Falco Event|Packet socket created in container|4|uuid=6a454010-b8cf-43f2-a751-8d64cbe8934e start=2022-11-29T15:36:05Z msg=Packet socket was created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid socket_info=%evt.args container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) source=syscalls outputfields=container.id:container.id k8s.pod.name:k8s.pod.name proc.pid:proc.pid container.name:container.name user.name:user.name dkey:bar bkey:BValue proc.cmdline:proc.cmdline user.loginuid:user.loginuid ckey:CValue k8s.ns.name:k8s.ns.name akey:AValue container.image.repository:container.image.repository container.image.tag:container.image.tag evt.args:evt.args tags=network,mitre_discovery
CEF:0|Falcosecurity|Falco|1.0|Falco Event|CloudTrail Logging Disabled|6|uuid=2b484d90-c738-44b9-8861-cc1835f75666 start=2022-11-29T15:36:19Z msg=The CloudTrail logging has been disabled. (requesting user=%ct.user, requesting IP=%ct.srcip, AWS region=%ct.region, resource name=%ct.request.name) source=cloudtrail outputfields=ct.srcip:ct.srcip ct.user:ct.user ckey:CValue akey:AValue bkey:BValue dkey:bar ct.region:ct.region ct.request.name:ct.request.name tags=cloud,aws,aws_cloudtrail
CEF:0|Falcosecurity|Falco|1.0|Falco Event|Attach/Exec Pod|4|uuid=bc4ea637-ba19-4be9-8ed9-54d6a3531320 start=2022-11-29T15:36:24Z msg=Attach/Exec to pod (user=%ka.user.name pod=%ka.target.name resource=%ka.target.resource ns=%ka.target.namespace action=%ka.target.subresource command=%ka.uri.param[command]) source=k8s_audit outputfields=ka.target.name:ka.target.name ka.uri.param:ka.uri.param ka.user.name:ka.user.name bkey:BValue dkey:bar ka.target.namespace:ka.target.namespace ka.target.resource:ka.target.resource ka.target.subresource:ka.target.subresource akey:AValue ckey:CValue tags=k8s
CEF:0|Falcosecurity|Falco|1.0|Falco Event|Linux Kernel Module Injection Detected|6|uuid=5e9c4570-2801-416e-8218-eb05ee58b558 start=2022-11-29T15:36:30Z msg=Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args %container.info image=%container.image.repository:%container.image.tag) source=syscalls outputfields=akey:AValue bkey:BValue dkey:bar container.image.repository:container.image.repository container.image.tag:container.image.tag container.info:container.info proc.pname:proc.pname user.name:user.name proc.args:proc.args user.loginuid:user.loginuid ckey:CValue tags=process
CEF:0|Falcosecurity|Falco|1.0|Falco Event|Console Login Without MFA|8|uuid=872f2ef6-74cc-495a-9f85-a42b565126a7 start=2022-11-29T15:36:36Z msg=Detected a console login without MFA (requesting user=%ct.user, requesting IP=%ct.srcip, AWS region=%ct.region) source=cloudtrail outputfields=ct.user:ct.user akey:AValue bkey:BValue ckey:CValue dkey:bar ct.region:ct.region ct.srcip:ct.srcip tags=cloud,aws,aws_console,aws_iam
CEF:0|Falcosecurity|Falco|1.0|Falco Event|Unexpected UDP Traffic|4|uuid=ab16bc41-f672-44bb-b8a9-66ae538d77fd start=2022-11-29T15:36:54Z msg=Unexpected UDP Traffic Seen (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args container_id=%container.id image=%container.image.repository)
 source=syscalls outputfields=fd.l:fd.l fd.name:fd.name akey:AValue dkey:bar proc.cmdline:proc.cmdline proc.pid:proc.pid ckey:CValue bkey:BValue container.id:container.id evt.args:evt.args evt.type:evt.type user.loginuid:user.loginuid user.name:user.name container.image.repository:container.image.repository tags=network,mitre_exfiltration
CEF:0|Falcosecurity|Falco|1.0|Falco Event|User has been moved from suspended status in OKTA.|4|uuid=9eaf0c47-4ed0-48e2-b4a8-75eb32275e35 start=2022-11-29T15:37:01Z msg=A user has been moved from suspended status in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name) source=okta outputfields=okta.client.ip:okta.client.ip okta.target.user:okta.target.user ckey:CValue akey:AValue bkey:BValue dkey:bar okta.actor.name:okta.actor.name tags=okta
CEF:0|Falcosecurity|Falco|1.0|Falco Event|Delete Bucket Public Access Block|8|uuid=809177dc-6901-4265-a1e4-5a71089063f8 start=2022-11-29T15:37:09Z msg=A public access block for a bucket has been deleted (requesting user=%ct.user, requesting IP=%ct.srcip, AWS region=%ct.region, bucket=%s3.bucket) source=cloudtrail outputfields=ct.user:ct.user ckey:CValue akey:AValue bkey:BValue dkey:bar ct.region:ct.region ct.srcip:ct.srcip tags=cloud,aws,aws_s3
CEF:0|Falcosecurity|Falco|1.0|Falco Event|User accessing OKTA admin section|4|uuid=47001f54-44ad-4e9f-a516-386106e17ab5 start=2022-11-29T15:37:24Z msg=A user accessed the OKTA admin section of your OKTA instance (user=%okta.actor.name, ip=%okta.client.ip) source=okta outputfields=ckey:CValue akey:AValue dkey:bar okta.actor.name:okta.actor.name okta.client.ip:okta.client.ip bkey:BValue tags=okta
CEF:0|Falcosecurity|Falco|1.0|Falco Event|System procs network activity|4|uuid=aa29dfc5-98d9-478d-803f-15d538f34708 start=2022-11-29T15:37:32Z msg=Known system binary sent/received network traffic (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid connection=%fd.name container_id=%container.id image=%container.image.repository)
 source=syscalls outputfields=fd.name:fd.name ckey:CValue dkey:bar user.loginuid:user.loginuid user.name:user.name akey:AValue bkey:BValue container.id:container.id container.image.repository:container.image.repository proc.cmdline:proc.cmdline proc.pid:proc.pid tags=network,mitre_exfiltration
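A CEF:0 parser and line builder, added here as an example (it is not Falcosidekick code), run over a shortened copy of the first sample line above. It splits the header on unescaped `|` and treats a whitespace-preceded `key=` token as the start of the next extension field, which is how the format is defined, so it shows that the unescaped `=` signs inside the `msg` value (`command=`, `pid=`) are read as extra keys unless they are escaped as `\=`, which `build_cef_line` does.

```python
import re

# Constructed sample: the first CEF line of the PR description with its
# extension shortened; header fields are exactly as Falcosidekick emits them.
SAMPLE = ("CEF:0|Falcosecurity|Falco|1.0|Falco Event|"
          "Unexpected outbound connection destination|4|"
          "uuid=f1fe1e58-6f3f-4562-bc80-aafec699b45a start=2022-11-29T15:35:01Z "
          "msg=Disallowed outbound connection destination (command=%proc.cmdline pid=%proc.pid) "
          "source=syscalls tags=network")
HEADER = ("version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")
# A key is [A-Za-z0-9_.]+ followed by '=' at the start or after whitespace; '\=' never opens one.
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def parse_cef(line):
    """Return (header dict, extension dict) for one CEF:0 line."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:  # header: 7 '|'-separated fields
        c = line[i]
        if c == "\\" and i + 1 < len(line):  # '\|' and '\\' are literal chars
            cur.append(line[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a complete CEF header")
    fields[0] = fields[0][len("CEF:"):]
    ext, out = line[i:], {}
    keys = list(KEY_RE.finditer(ext))
    for m, nxt in zip(keys, keys[1:] + [None]):  # a value runs up to the next key
        raw = ext[m.end():nxt.start() if nxt else len(ext)].strip()
        out[m.group(1)] = re.sub(r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(e[1], e[1]), raw)
    return dict(zip(HEADER, fields)), out


def escape_value(value):
    """Escape an extension value per CEF: backslash first, then '=', CR and LF."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef_line(header_fields, extension):
    """Assemble a CEF:0 line; header fields escape '\\' and '|', values use escape_value."""
    hdr = "|".join(f.replace("\\", "\\\\").replace("|", "\\|") for f in header_fields)
    ext = " ".join(f"{k}={escape_value(v)}" for k, v in extension.items())
    return f"CEF:{hdr}|{ext}"
```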

Which issue(s) this PR fixes:

#382

Fixes #

Special notes for your reviewer:

Signed-off-by: Thomas Labarussias <issif_github@gadz.org>
@poiana poiana commented Nov 30, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fjogeleit, Issif

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana commented Nov 30, 2022

LGTM label has been added.

Git tree hash: e2fa0240370cec13ee1024bf879e9bb73875f33d

@poiana poiana merged commit e40e61c into master Nov 30, 2022
@poiana poiana deleted the syslog-cef branch November 30, 2022 16:12