Generate a variety of suspect actions that are detected by Falco rulesets.
Warning — We strongly recommend that you run the program within Docker (see below), since some commands might alter your system. For example, some actions modify files and directories below /bin, /etc, /dev, etc. Make sure you fully understand what is the purpose of this tool before running any action.
The full command line documentation is here.
$ event-generator list
helper.ExecLs
helper.NetworkActivity
helper.RunShell
k8saudit.ConfigmapPrivateCreds
k8saudit.DisallowedPodDeployment
k8saudit.HostnetworkDeployment
k8saudit.NodeportService
k8saudit.PrivilegedDeployment
k8saudit.RolePodExec
k8saudit.RoleWildcardResources
k8saudit.RoleWritePrivileges
k8saudit.SensitiveMountDeployment
k8saudit.VanillaConfigmap
k8saudit.VanillaDeployment
k8saudit.VanillaRoleRolebindingServiceaccount
k8saudit.VanillaService
syscall.ChangeThreadNamespace
syscall.CreateFilesBelowDev
syscall.DbProgramSpawnProcess
syscall.MkdirBinaryDirs
syscall.ModifyBinaryDirs
syscall.NonSudoSetuid
syscall.ReadSensitiveFile
syscall.ReadSensitiveFileAfterStartup
syscall.RunShellUntrusted
syscall.ScheduleCronJobs
syscall.SystemProcsNetworkActivity
syscall.SystemUserInteractive
syscall.UserMgmtBinaries
syscall.WriteBelowBinaryDir
syscall.WriteBelowEtc
syscall.WriteBelowRpmDatabaseevent-generator run [regexp]
Without arguments it runs all actions, otherwise only those actions matching the given regular expression.
For example, to run syscall.MkdirBinaryDirs and
syscall.ModifyBinaryDirs actions only:
$ sudo event-generator run syscall\.\*BinaryDirs
INFO sleep for 1s action=syscall.MkdirBinaryDirs
INFO writing to /bin/directory-created-by-event-generator action=syscall.MkdirBinaryDirs
INFO sleep for 1s action=syscall.ModifyBinaryDirs
INFO modifying /bin/true to /bin/true.event-generator and back action=syscall.ModifyBinaryDirsUseful options:
--loopto run actions in a loop--sleepto set the length of time to wait before running an action (default to1s)
All other options are documented here.
Run all events with the Docker image locally:
docker run -it --rm falcosecurity/event-generator runRun the following command to create the Service Account (falco-event-generator), Cluster Role, and Role that will allow the tool to create objects in the current namespace:
kubectl apply -f deployment/role-rolebinding-serviceaccount.yamlRun all events once using a Kubernetes job:
kubectl apply -f deployment/run-as-job.yamlRun all events in a loop using a Kubernetes deployment:
kubectl apply -f deployment/event-generator.yaml
N.B.
The above commands apply to the default namespace. Use the --namespace option to use a different namespace. Events will be generated in the same namespace.
The syscall collection performs a variety of suspect actions that are detected by the default Falco ruleset.
$ docker run -it --rm falcosecurity/event-generator run syscall --loopThe above command loops forever, incessantly generating a sample event each second.
The k8saudit collection generates activity that matches the k8s audit event ruleset.
$ event-generator run k8saudit --loop --namespace `falco-eg-sandbox`N.B.: the namespace must exist already.
The above command loops forever, creating resources in the falco-eg-sandbox namespace and deleting the after each iteration.
N.B.
- the namespace must already exist
- to produce any effect the Kubernetes audit log must be enabled, see here
See the events registry.
Sure!
Check out the events registry conventions, then feel free to open a PR. Your contribution is highly appreciated.
This project provides three main packages that can be imported and used separately:
/cmdcontains the CLI implementation/eventscontains the events registry/pkg/runnercontains the actions runner implementations
Feel free to use them as you like on your projects.
Special thanks to Mark Stemm (@mstemm) — the author of the first event generator.