Bake Sysdig/CNCF Falco

[gcavalcante8808]

Bake Falco as a systemd sysext image.

This PR aims to bake Falco as a systemd sysext

How to use

The following CL file use official falcon systemd files and also the workshop falco configuration (falco requires yaml configuration in place to work):

systemd:
  units:
    #source: https://raw.githubusercontent.com/falcosecurity/falco/master/scripts/systemd/falco-bpf.service
    - name: falco-modern-bpf.service
      enabled: true
      contents: |
        [Unit]
        Description=Falco: Container Native Runtime Security with modern ebpf
        Documentation=https://falco.org/docs/
        Before=falcoctl-artifact-follow.service
        Wants=falcoctl-artifact-follow.service
        
        [Service]
        Type=simple
        User=root
        ExecStart=/usr/bin/falco -o engine.kind=modern_ebpf
        ExecReload=kill -1 $MAINPID
        UMask=0077
        TimeoutSec=30
        RestartSec=15s
        Restart=on-failure
        PrivateTmp=true
        NoNewPrivileges=yes
        ProtectHome=read-only
        ProtectSystem=full
        ProtectKernelTunables=true
        RestrictRealtime=true
        RestrictAddressFamilies=~AF_PACKET
        StandardOutput=null
        
        [Install]
        WantedBy=multi-user.target

    # source: https://raw.githubusercontent.com/falcosecurity/falco/master/scripts/systemd/falcoctl-artifact-follow.service
    - name: falcoctl-artifact-follow.service
      contents: |
        [Unit]
        Description=Falcoctl Artifact Follow: automatic artifacts update service
        Documentation=https://falco.org/docs/
        PartOf=falco-bpf.service falco-kmod.service falco-modern-bpf.service falco-custom.service
        
        [Service]
        Type=simple
        User=root
        ExecStart=/usr/bin/falcoctl artifact follow --allowed-types=rulesfile
        UMask=0077
        TimeoutSec=30
        RestartSec=15s
        Restart=on-failure
        PrivateTmp=true
        NoNewPrivileges=yes
        ProtectSystem=true
        ReadWriteDirectories=/usr/share/falco
        ProtectKernelTunables=true
        RestrictRealtime=true
        
        [Install]
        WantedBy=multi-user.target

storage:
  files:
    - path: /etc/falco/falco.yaml
      contents:
        source: "https://raw.githubusercontent.com/sysdiglabs/falco-workshop/master/falco.yaml"
    - path: /etc/falco/falco_rules.yaml
      contents:
        source: "https://raw.githubusercontent.com/sysdiglabs/falco-workshop/master/falco_rules.yaml"
    - path: /etc/extensions/falco.raw
      contents:
        source: "<LINK>"

Checking the output of the falco-modern-bpf.service outputs some events (a k3s cluster running im my case):

Testing done

• Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update)
• Inspected CI output for image differences: /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.

[tormath1]

LGTM. Any chance to add the a mention in the README with maybe your small butane example? https://github.com/flatcar/sysext-bakery?tab=readme-ov-file#available-extensions

EDIT: Feel free to squash everything in one commit.

[gcavalcante8808]

LGTM. Any chance to add the a mention in the README with maybe your small butane example? https://github.com/flatcar/sysext-bakery?tab=readme-ov-file#available-extensions

EDIT: Feel free to squash everything in one commit.

The README.MD was updated with the sample used in this PR!

I'm on the cellphone rn so I cant rebase/squash manually. Its it possible to squash and merge?

[tormath1]

Can you also add the targeted version that you would like to be released here:
https://github.com/flatcar/sysext-bakery/blob/main/release_build_versions.txt

I guess falco-0.38.1 is fine?

[tormath1]

I built the image and inspected the content. I see that those files are provided under /etc of the sysext (which of course won't be available once the image is mounted) but with this little trick, we can remove those lines and provide /etc/falco and friends directly via the sysext image:

 diff --git a/create_falco_sysext.sh b/create_falco_sysext.sh
index dd7a15f..9fd8b94 100755
--- a/create_falco_sysext.sh
+++ b/create_falco_sysext.sh
@@ -83,5 +83,13 @@ RestrictRealtime=true
 WantedBy=multi-user.target
 EOF

+mkdir -p "${SYSEXTNAME}"/usr/share/falco/etc
+mv "${SYSEXTNAME}"{/etc/{falco,falcoctl},/usr/share/falco/etc/}
+
+mkdir -p "${SYSEXTNAME}"/usr/lib/tmpfiles.d
+cat <<EOF >"${SYSEXTNAME}"/usr/lib/tmpfiles.d/10-falco.conf
+C /etc/falco - - - - /usr/share/falco/etc/falco
+EOF
+
 RELOAD=1 "${SCRIPTFOLDER}"/bake.sh "${SYSEXTNAME}"
 rm -rf "${SYSEXTNAME}"

What do you think?

Suggested change

	- path: /etc/falco/falco.yaml
	contents:
	source: "https://raw.githubusercontent.com/sysdiglabs/falco-workshop/master/falco.yaml"
	- path: /etc/falco/falco_rules.yaml
	contents:
	source: "https://raw.githubusercontent.com/sysdiglabs/falco-workshop/master/falco_rules.yaml"

[gcavalcante8808]

Oh hey @tormath1 ! Thanks for the Tips!

This is my first time working with tmpfiles.d and I tested the suggestions that you made and they work beautifully!

But I could not make it to work in a scenario were I want to update a specific config file, like /etc/falco/falco.yaml :

storage:
  files:
    - path: /etc/falco/falco.yaml
      contents:
        inline: |
          engine:
            kind: modern_ebpf

          rules_file:
            - /etc/falco/falco_rules.yaml
            - /etc/falco/falco_rules.local.yaml
            - /etc/falco/rules.d
          [CONTINUES...]

With the declaration above, the original falco files and folders are not copied to /etc/falco at all.

I tested the tmpfiles.d with with C and C+ modes, it exits with 0 but the falco files are not copied:

k3s-server1 /etc/falco # echo "C+ /etc/falco - - - - /usr/share/falco/etc/falco" | systemd-tmpfiles --create -
Looking for configuration files in (higher priority first):
        /etc/tmpfiles.d
        /run/tmpfiles.d
        /usr/local/lib/tmpfiles.d
        /usr/lib/tmpfiles.d
SELinux enabled state cached to: enabled
Successfully loaded SELinux database in 2.475ms, size on heap is 3141K.
Reading config from stdin…
Running create action for entry C /etc/falco
Copying tree "/usr/share/falco/etc/falco" to "/etc/falco".
k3s-server1 /etc/falco # ls /etc/falco
falco.yaml
k3s-server1 /etc/falco # 

Do you know if is there a way to use all files present on the falco sysext but override the /etc/falco/falco.yaml or other specific file only?

[gcavalcante8808]

If is there a way to override config files then I can update the README.md accordingly and I believe that the sysext will be a in a good shape.

[tormath1]

Ok, so maybe we can go more in a more granular way with symlinks. Similar to:
https://github.com/flatcar/scripts/blob/e4cc483b6724e3953dc7d645b58f31128d1a92b7/build_library/sysext_mangle_flatcar-zfs#L31-L35

I'll try to have a look, I think it's worth to invest here. :)

[gcavalcante8808]

oh great! I really started to think that would not have a way to do it automatically, so we can handpick the files that we want to create using symlinks.

Let me test it.