Falco Graduation Path: Progress Tracker

[leogr]

In alignment with the suggestions from our TOC sponsors, we're actively focusing on specific areas to improve The Falco Project, aiming to be fully prepared for the forthcoming Graduation Public Comment phase.

Comprehensive details of the proposed path are outlined in the following document 👇

https://docs.google.com/document/d/12l65c6qC91akgFjzw7BM3KdNJAa5LyDG17sdpdfwf3g/edit?usp=sharing

This issue serves as a tracker for all related activities (see the task lists below).

Get Feedback

Tasks

Beta Give feedback

1. Reach out to Taylor Dolezal
2. Understand how adopters use Falco
3. Get feedback from Falco users and Document their case study falco-website#1036
   kind/content +1
   

   
4. feat: add slider falco-website#1089
   approved dco-signoff: yes kind/content kind/user-interface lgtm size/L +6
   
5. forward falco alerts falco-website#1070
   approved area/documentation dco-signoff: yes kind/content lgtm size/L +6
   

Tech Writing / Documentation

We will use #falco-docs channel on the CNCF Slack to discuss those efforts.

Tasks

Beta Give feedback

1. File a service desk ticket with CNCF requesting a technical writer
2. Improve Falco definition falco-website#1003
   4 of 5
   area/documentation kind/content +2
   
3. Improving visibility/clarity or repo status: using badge and better docs #271
   kind/feature +1
   
4. Clarify each component under Falco organization. falco-website#1004
   area/documentation kind/content +2
   
5. Create a glossary for Falco terms falco-website#1006
   26 of 26
   area/documentation kind/content +2
   
6. Add a contribution guides for Falco rules falco-website#1009
   area/documentation kind/content +2
   

   
7. Improve documentation around supported falco fields falco-website#985
   area/documentation kind/content +2
   
8. Rework supported events page falco-website#1031
   area/documentation kind/content +2
   
9. Increase clarity in the API between the kernel space and the user space falco-website#1063
   kind/documentation +1
   
10. Add a step-by-step user guide on adopting Falco falco-website#1007
    4 of 4
    area/documentation kind/content +2
    
11. Add a "how to guide" on writing, deploying and fine tuning rules falco-website#1008
    area/documentation kind/content +2
    

    
12. Improve cross-referencing in Falco website and repositories falco-website#1005
    area/documentation kind/content +2
    
13. cleanup(docs): adjust falco readme style and content falco#2594
    approved dco-signoff: yes kind/documentation lgtm release-note size/L +6
    

    
14. docs: finalize the definition for Falco falco-website#1069
    approved area/documentation dco-signoff: yes kind/content lgtm size/S +6
    
15. fix descriptions + colors falco-website#1097
    approved area/community dco-signoff: yes kind/content lgtm size/S +6
    
16. copy edit pass for the new glossary falco-website#1085
    approved area/documentation dco-signoff: yes kind/cleanup lgtm size/L +6
    
17. refer to terms in the glossary falco-website#1078
    approved area/documentation dco-signoff: yes kind/content lgtm size/M +6
    
18. custom rules first steps falco-website#1077
    approved area/documentation dco-signoff: yes kind/content lgtm size/XL +6
    
19. Getting started falco-website#1072
    approved area/documentation dco-signoff: yes lgtm size/XXL +5
    
20. update(docs): update alert forwarding page falco-website#1090
    approved area/documentation dco-signoff: yes kind/cleanup lgtm size/XS +6
    
21. chore: general docs clean up and updates falco-website#1096
    approved area/documentation dco-signoff: yes kind/cleanup kind/content kind/translation lgtm size/L +8
    
22. update(supported events, supported fields): link the two pages together, fix ambiguous wording falco-website#1099
    approved area/documentation dco-signoff: yes kind/cleanup lgtm size/S +6
    
23. cleanup: enhance info wrt output fields in style guide falco-website#1094
    approved area/documentation dco-signoff: yes kind/cleanup lgtm size/M +6
    
24. new: add dedication rules adoption in production guide falco-website#1106
    approved area/documentation dco-signoff: yes kind/content lgtm size/M +6
    
25. cleanup(docs): cleanup falco definition falco-website#1108
    approved area/documentation dco-signoff: yes kind/cleanup lgtm size/XL +6
    

Use Case Development

Develop two primary use cases

Tasks

Beta Give feedback

1. Detection use case published
2. Compliance use case published
3. Develop Falco use cases falco-website#1035
   kind/content +1
   
4. PCI DSS blog falco-website#1027
   approved dco-signoff: yes lgtm size/L +4
   
5. Falco mitre attack blog falco-website#1049
   approved area/blog dco-signoff: yes kind/content lgtm size/L +6
   
6. nist controls blog post falco-website#1054
   approved area/blog dco-signoff: yes kind/content lgtm size/L +6
   

Kernel Version Testing

Tasks

Beta Give feedback

1. File a service desk ticket with CNCF requesting resources to perform kernel version testing
2. CNCF has provided resources to run tests in our CI
3. Infrastructure request for Falco kernel testing cncf/cluster#240
   cluster request +1
   
4. Kernel Version Testing Framework CI implementation libs#1191
   kind/feature +1
   
5. new(ci): build latest mainline kernel (even RC!) in latest-kernel job. libs#1090
   approved area/CI dco-signoff: yes kind/feature lgtm release-note-none size/M +7
   
6. new(test): add test/vm for localhost VM-based driver kernel compatibility tests libs#524
   approved area/tests dco-signoff: yes kind/documentation lgtm release-note size/XXL +7
   
7. new(proposals): driver kernel testing framework libs#1131
   approved area/proposals dco-signoff: yes kind/design lgtm release-note-none size/XL +7
   

Rule Modularity/Assumptions

Tasks

Beta Give feedback

1. [TRACKING] Tag Falco rules according to rules maturity framework and compliance use case if applicable rules#101
   kind/documentation +1
   
2. docs(userspace/libsinsp): more detailed docs about proc filterchecks libs#1095
   approved dco-signoff: yes lgtm size/S +4
   
3. new(proposals): rules adoption, management and maturity framework rules#76
   approved area/documentation dco-signoff: yes kind/documentation kind/feature lgtm size/L +7
   
4. new(docs): dedicated rules contributing guide -> rules maturity definitions and rules acceptance criteria rules#115
   approved area/documentation dco-signoff: yes kind/documentation lgtm size/L +6
   
5. cleanup(rules): initially tag all rules disabled by default w/ maturity_sandbox level rules#102
   approved area/rules dco-signoff: yes kind/cleanup lgtm size/M +6
   
6. cleanup(rules): initial transitions of some sandbox rules to incubating rules#103
   approved area/rules dco-signoff: yes kind/cleanup lgtm size/XS +6
   
7. cleanup(rules): initial tagging of stable rules round1 rules#106
   approved area/rules dco-signoff: yes kind/cleanup kind/documentation lgtm size/M +7
   
8. cleanup(rules): initial tagging of stable rules round2 rules#108
   +0
   
9. cleanup(rules): initial tagging of stable rules round3 rules#109
   +0
   
10. cleanup(rules): initial tagging of stable rules round4 rules#110
    approved area/rules dco-signoff: yes kind/cleanup kind/documentation lgtm size/M +7
    
11. cleanup(rules): initial tagging of sandbox or incubating rules round2 rules#112
    approved dco-signoff: yes kind/cleanup lgtm size/S +5
    
12. cleanup(rules): initial tagging of sandbox or incubating rules round3 rules#113
    approved dco-signoff: yes kind/cleanup lgtm size/S +5
    
13. cleanup(rules): initial tagging of sandbox or incubating rules round4 rules#114
    approved dco-signoff: yes kind/cleanup lgtm size/S +5
    
14. cleanup(rules): adjust output fields wrt new style guide rules#122
    approved area/rules dco-signoff: yes kind/cleanup lgtm size/XL +6
    
15. fix(rules): fix some syntax issues and some mitre assignments rules#125
    approved dco-signoff: yes kind/bug kind/cleanup lgtm size/M +6
    

[leogr]

Status Update

I'm delighted to announce that we've completed all the action items recommended by our TOC sponsors (@TheFoxAtWork and @justincormack) and are on track with the proposed July and August timeline! Of course, this early completion doesn't imply a slowdown in our commitment to improving the project. Instead, it's renovated with the invaluable knowledge we've acquired from our experiences over the past few months.

As we reach this significant milestone, I've detailed a comprehensive, step-by-step status update below. I hope this information proves useful to you.

I've got to give a big shout-out to every person in the Falco community and the extended CNCF family who has been involved in this effort. Your contributions and support have made these initiatives fly. A special thank you goes to @nate-double-u for the help he's provided us.

cc @falcosecurity/core-maintainers

Get Feedback

Under the guidance of Taylor Dolezal, we've engaged multiple end-users to gather their feedback on Falco usage. We've established a robust process for receiving end-user feedback, including interviews with specific sets of questions aimed at understanding how Falco is used within their respective architectures. These interviews are converted into end-user case studies which we will continue to publish on https://falco.org/about/ecosystem/ as well as linking them from the falco.org home page.

Activities completed include:

• Trendyol case study: Highlighting how Trendyol uses Falco to develop a threat detection system by utilizing Kubernetes audit logs and kernel events to monitor user behavior in production clusters. This allows them to detect operational anti-patterns, improve visibility, and identify malicious actors.
• R6 case study: Showcasing how R6 Security employs Falco to enhance their moving threat detection platform, Phoenix.

Technical Writing / Documentation

In collaboration with Nate Waddington, we've worked on improving the Falco messaging and enhancing the quality of the Falco documentation, particularly focusing on new user onboarding. Based on his feedback and assessment, we've simplified and updated the Falco getting started guide and provided clear instructions on adopting Falco, including what additional projects users will need to make the most of Falco. Almost all of the website has been revised and improved. For full detail, see the related task list above.

Completed activities worth mentioning include:

• Enhancing Falco messaging throughout falco.org and Falco GitHub repositories.
• Enhancing clarity about each Falco component.
• Improving cross-references between all repositories, plugins, libraries, etc., leading to the main documentation site and the main repository, as well as the evolution repository.
• Facilitating a better understanding of Falco content by adding a referenceable glossary on falco.org with frequently used terms. This includes references for individuals to learn more about eBPF, kernel security, syscalls, and more by adding links to third-party official documentation and websites.
• Massive reworking on rules documentation with clear instructions on styling and how to use, customize, and fine-tune rules according to various use cases (see the related section below for more detail).

Use Case Development

We have increased clarity on Falco use cases and added two primary use cases on a dedicated falco.org/about/use-cases/ page.

Completed activities include:

• Threat Detection use case: Added additional blogs and guides demonstrating how Falco can be used for threat detection. For example:
  • Defensive Capabilities for Container & Cloud Threats with Tidal
• Compliance use case: Added additional blogs and guides showcasing how Falco can be used for Regulatory Compliance. Examples include:
  • PCI/DSS Controls with Falco
  • Validating NIST Requirements with Falco

Kernel Version Testing

We've successfully implemented our Driver Kernel Testing Framework proposal. This effort includes the creation of a specific falcosecurity/kernel-testing sub-project featuring Ansible playbooks and Dockerfiles to manage FireCracker microVMs for testing drivers against a range of distros/kernel versions. We've also established CI jobs on the falcosecurity/libs repository to execute tests and generate a markdown table with the results on GitHub pages: https://falcosecurity.github.io/libs/matrix/. The CI is impressively speedy, completing runs in approximately 15 minutes. This accomplishment was made possible thanks to the CNCF Community Infrastructure Lab (CIL), which we leverage to run our CI jobs for kernel testing.

Lastly, we're also considering further enhancements beyond the initial scope of this initiative. So, stay tuned!

Rule Modularity/Assumptions

Building upon the Falco Rules Adoption, Management, and Maturity Framework proposal, we have made substantial progress in the adoption of Falco rules. We have successfully established a rule maturity framework and completed a comprehensive round of tagging and enhancing rules. This includes augmenting descriptions and providing tuning advice for stable rules. The newly introduced style guide has been applied to existing rules.

To streamline the adoption process, we've put forth a thorough style guide and an adoption guide on our website. We have also included a dedicated contributing guide within the rules repository to facilitate participation from contributors. To improve accessibility for adopters, we've introduced an overview document and improved cross-links to official documentation on our website.

Looking ahead, we're working on additional enhancements that are currently in the pipeline, expected to be completed by the Falco 0.36 release.

[TheFoxAtWork]

Awesome this is great! You all are on track for a Sept release? I want to verify the changes you've put in place with that release to confirm and wrap things up. CC @justincormack

[leogr]

Hey @TheFoxAtWork

Thank you! 🙏

Yes, we're on track for the Falco 0.36 release, due by September 29th. I can confirm that all the items mentioned will be included in this release. Currently, we're in the final stages of wrapping up various sub-components, such as the libs, rules, etc. This phase concludes around the end of August. From September, we'll transition into the "Release Preparation" iteration, focusing on thorough testing, addressing bugs, if any, and minor improvements. You can view a detailed breakdown on our high-level roadmap.

[leogr]

Status update:

• We can close this tracking issue since the vote passed.
• We're now just waiting for CNCF GB & LC resolutions of a couple of license exception requests (see [License Exception Request] For common C/C++ libraries: libcurl, libelf, uthash cncf/foundation#629 and [License Exception Request] Falco's kernel module cncf/foundation#645), then we can finally move to the graduation level 🥳

/close

[poiana]

@leogr: Closing this issue.

In response to this:

Status update:

• We can close this tracking issue since the vote passed.
• We're now just waiting for CNCF GB & LC resolutions of a couple of license exception requests (see [License Exception Request] For common C/C++ libraries: libcurl, libelf, uthash cncf/foundation#629 and [License Exception Request] Falco's kernel module cncf/foundation#645), then we can finally move to the graduation level 🥳

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.