This repository has been archived by the owner on Sep 16, 2022. It is now read-only.
I have managed to get Falco to work on the Raspberry Pi. While it is not working entirely as expected (e.g. no eBPF module support on ARM yet), I was able to get it to start. When doing so, I managed to configure it to write logs to /opt/wott/falco-events.txt.
What we need to do is to pop from this file, and submit all events to the back-end (except for the 'event drop'). We then want to display these in a nice way in the user interface under a "Security Audit Log".
The idea is that we should be able to trigger a malicious payload on the device, and see this appear in the dashboard, to simulate an attack.
Here's an example of falco-events.txt:
$ cat /opt/wott/falco-events.txt
{"output":"Falco internal: syscall event drop. 2 system calls dropped in last second.","output_fields":{"ebpf_enabled":"0","n_drops":"2","n_drops_buffer":"0","n_drops_bug":"0","n_drops_pf":"2","n_evts":"7990"},"priority":"Critical","rule":"Falco internal: syscall event drop","time":"2019-04-30T16:12:41.000000000Z"}
{"output":"Falco internal: syscall event drop. 1 system calls dropped in last second.","output_fields":{"ebpf_enabled":"0","n_drops":"1","n_drops_buffer":"0","n_drops_bug":"0","n_drops_pf":"1","n_evts":"7056"},"priority":"Critical","rule":"Falco internal: syscall event drop","time":"2019-04-30T16:13:20.000000000Z"}
{"output":"Falco internal: syscall event drop. 1 system calls dropped in last second.","output_fields":{"ebpf_enabled":"0","n_drops":"1","n_drops_buffer":"0","n_drops_bug":"0","n_drops_pf":"1","n_evts":"14599"},"priority":"Critical","rule":"Falco internal: syscall event drop","time":"2019-04-30T16:14:20.000000000Z"}
{"output":"Falco internal: syscall event drop. 2 system calls dropped in last second.","output_fields":{"ebpf_enabled":"0","n_drops":"2","n_drops_buffer":"0","n_drops_bug":"0","n_drops_pf":"2","n_evts":"2510"},"priority":"Critical","rule":"Falco internal: syscall event drop","time":"2019-04-30T16:14:25.000000000Z"}
{"output":"Falco internal: syscall event drop. 2 system calls dropped in last second.","output_fields":{"ebpf_enabled":"0","n_drops":"2","n_drops_buffer":"0","n_drops_bug":"0","n_drops_pf":"2","n_evts":"11020"},"priority":"Critical","rule":"Falco internal: syscall event drop","time":"2019-04-30T16:14:47.000000000Z"}
{"output":"Falco internal: syscall event drop. 1 system calls dropped in last second.","output_fields":{"ebpf_enabled":"0","n_drops":"1","n_drops_buffer":"0","n_drops_bug":"0","n_drops_pf":"1","n_evts":"2173"},"priority":"Critical","rule":"Falco internal: syscall event drop","time":"2019-04-30T16:15:20.000000000Z"}
{"output":"Falco internal: syscall event drop. 16 system calls dropped in last second.","output_fields":{"ebpf_enabled":"0","n_drops":"16","n_drops_buffer":"0","n_drops_bug":"0","n_drops_pf":"16","n_evts":"4654"},"priority":"Critical","rule":"Falco internal: syscall event drop","time":"2019-04-30T16:15:52.000000000Z"}
{"output":"Falco internal: syscall event drop. 1 system calls dropped in last second.","output_fields":{"ebpf_enabled":"0","n_drops":"1","n_drops_buffer":"0","n_drops_bug":"0","n_drops_pf":"1","n_evts":"9033"},"priority":"Critical","rule":"Falco internal: syscall event drop","time":"2019-04-30T16:16:20.000000000Z"}
{"output":"Falco internal: syscall event drop. 2 system calls dropped in last second.","output_fields":{"ebpf_enabled":"0","n_drops":"2","n_drops_buffer":"0","n_drops_bug":"0","n_drops_pf":"2","n_evts":"7415"},"priority":"Critical","rule":"Falco internal: syscall event drop","time":"2019-04-30T16:16:35.000000000Z"}
{"output":"Falco internal: syscall event drop. 11 system calls dropped in last second.","output_fields":{"ebpf_enabled":"0","n_drops":"11","n_drops_buffer":"0","n_drops_bug":"0","n_drops_pf":"11","n_evts":"7332"},"priority":"Critical","rule":"Falco internal: syscall event drop","time":"2019-04-30T16:17:01.000000000Z"}
{"output":"17:17:01.929677540: Error File below /etc opened for writing (user=root command=fake-hwclock /sbin/fake-hwclock save parent=fake-hwclock pcmdline=fake-hwclock /etc/cron.hourly/fake-hwclock file=/etc/fake-hwclock.data program=fake-hwclock gparent=run-parts ggparent=sh gggparent=cron)","priority":"Error","rule":"Write below etc","time":"2019-04-30T16:17:01.000000000Z", "output_fields": {"evt.time":1556641021929677540,"fd.name":"/etc/fake-hwclock.data","proc.aname[2]":"run-parts","proc.aname[3]":"sh","proc.aname[4]":"cron","proc.cmdline":"fake-hwclock /sbin/fake-hwclock save","proc.name":"fake-hwclock","proc.pcmdline":"fake-hwclock /etc/cron.hourly/fake-hwclock","proc.pname":"fake-hwclock","user.name":"root"}}
{"output":"Falco internal: syscall event drop. 1155 system calls dropped in last second.","output_fields":{"ebpf_enabled":"0","n_drops":"1155","n_drops_buffer":"0","n_drops_bug":"0","n_drops_pf":"1155","n_evts":"47607"},"priority":"Critical","rule":"Falco internal: syscall event drop","time":"2019-04-30T16:17:30.000000000Z"}
{"output":"Falco internal: syscall event drop. 16 system calls dropped in last second.","output_fields":{"ebpf_enabled":"0","n_drops":"16","n_drops_buffer":"0","n_drops_bug":"0","n_drops_pf":"16","n_evts":"4415"},"priority":"Critical","rule":"Falco internal: syscall event drop","time":"2019-04-30T16:18:06.000000000Z"}
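One way to do the "pop and submit" step described in the issue, as an added Python example that is not part of this issue or the WoTT code base. It reads complete lines from the current offset, filters out Falco's own event-drop notices, flattens the remaining alerts into records for the back-end, and holds back a trailing partial line until the next pass; the sample log is constructed to match the format above, and the HTTP call to the back-end is left to the caller.

```python
import json

# Falco's self-reporting rule; the issue says these drop notices are not to be forwarded.
EVENT_DROP_RULE = "Falco internal: syscall event drop"

# Constructed sample modelled on the falco-events.txt lines above: one drop notice,
# one real alert, and one line cut short (as seen when reading while Falco is still writing).
SAMPLE_LOG = "\n".join([
    json.dumps({"output": "Falco internal: syscall event drop. 2 system calls dropped in last second.",
                "output_fields": {"ebpf_enabled": "0", "n_drops": "2"}, "priority": "Critical",
                "rule": EVENT_DROP_RULE, "time": "2019-04-30T16:12:41.000000000Z"}),
    json.dumps({"output": "17:17:01.929677540: Error File below /etc opened for writing (user=root ...)",
                "priority": "Error", "rule": "Write below etc", "time": "2019-04-30T16:17:01.000000000Z",
                "output_fields": {"fd.name": "/etc/fake-hwclock.data", "proc.name": "fake-hwclock",
                                  "proc.cmdline": "fake-hwclock /sbin/fake-hwclock save",
                                  "user.name": "root"}}),
    '{"output": "Write below etc',
]) + "\n"


def parse_falco_line(line):
    """Return the event dict for one JSON line, or None if it is blank or malformed."""
    line = line.strip()
    if not line:
        return None
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or not {"rule", "priority", "time", "output"} <= event.keys():
        return None
    return event


def to_audit_record(event):
    """Flatten a Falco alert into the fields an audit-log back-end would store."""
    fields = event.get("output_fields") or {}
    return {"time": event["time"], "priority": event["priority"], "rule": event["rule"],
            "message": event["output"], "user": fields.get("user.name"),
            "process": fields.get("proc.name"), "cmdline": fields.get("proc.cmdline"),
            "file": fields.get("fd.name")}


def pop_events(text, offset=0):
    """Consume complete lines after `offset`; a trailing partial line waits for the next call.

    Returns (records to submit, new offset, number of drop notices, number of malformed lines)."""
    complete, sep, _partial = text[offset:].rpartition("\n")
    records, drops, malformed = [], 0, 0
    for line in complete.splitlines():
        event = parse_falco_line(line)
        if event is None:
            malformed += bool(line.strip())
            continue
        if event["rule"] == EVENT_DROP_RULE:
            drops += 1
            continue
        records.append(to_audit_record(event))
    return records, offset + len(complete) + len(sep), drops, malformed
```

Keeping the returned offset between runs is what makes this a "pop" rather than a re-read of the whole file, and counting drops separately preserves the signal that Falco was losing syscalls even though those notices never reach the audit log.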