falco: Plugin with field extraction capability for any event causes Falco to exit with an error in 0.32.0

Describe the bug

When attempting to run Falco 0.32.0 configured to load a plugin in development that is a field extraction plugin supporting field extraction regardless of source, Falco will exit with the following error:

Error: Plugin 'ABC' has field extraction capability but is not compatible with any enabled event source

From the documentation at https://falco.org/docs/plugins/#plugin-event-sources-and-interoperability this should be allowed.

The set of compatible event sources can also be omitted. In this case, all events will be presented to the plugin, regardless of their source.

How to reproduce it

Using a Falco configuration that contains the following plugin snippet (using the JSON plugin for ease of reproduction), start Falco at version 0.32.0 and encounter the following error:

plugins:
  - name: json
    library_path: libjson.so
    init_config: ""

load_plugins: [json]

$ sudo falco -c ./falco.yaml
Sat Jun 11 11:43:43 2022: Falco version 0.32.0 (driver version 39ae7d40496793cf3d3e7890c9bbdc202263836b)
Sat Jun 11 11:43:43 2022: Falco initialized with configuration file ./falco.yaml 
Sat Jun 11 11:43:43 2022: Loading plugin (json) from file /usr/share/falco/plugins/libjson.so
Error: Plugin 'json' has field extraction capability but is not compatible with any enabled event source

Expected behaviour

The expectation is that Falco should start, and the field extraction plugin is then responsible for handling any event source it is given. Using the plugin stanza from the falco.yaml snippet in “How to reproduce it” and Falco 0.31.1, Falco starts up and is ready to start handling events:

$ sudo falco -c ./falco.yaml
Sat Jun 11 11:42:28 2022: Falco version 0.31.1 (driver version b7eb0dd65226a8dc254d228c8d950d07bf3521d2)
Sat Jun 11 11:42:28 2022: Falco initialized with configuration file ./falco.yaml 
Sat Jun 11 11:42:28 2022: Loading plugin (json) from file /usr/share/falco/plugins/libjson.so
Sat Jun 11 11:42:28 2022: Loading rules from file /etc/falco/falco_rules.yaml:
Sat Jun 11 11:42:28 2022: Loading rules from file /etc/falco/falco_rules.local.yaml:
Sat Jun 11 11:42:29 2022: Starting internal webserver, listening on port 8765

Screenshots

N/A

Environment

  • Falco version:
$ falco --version
Falco version: 0.32.0
Driver version: 39ae7d40496793cf3d3e7890c9bbdc202263836b
  • System info:
$ falco --support | jq .system_info
Sat Jun 11 12:02:49 2022: Falco version 0.32.0 (driver version 39ae7d40496793cf3d3e7890c9bbdc202263836b)
Sat Jun 11 12:02:49 2022: Falco initialized with configuration file /etc/falco/falco.yaml
Sat Jun 11 12:02:49 2022: Loading rules from file /etc/falco/falco_rules.yaml:
Sat Jun 11 12:02:49 2022: Loading rules from file /etc/falco/falco_rules.local.yaml:
{
  "machine": "x86_64",
  "nodename": "falco-vm",
  "release": "5.15.11-200.fc35.x86_64",
  "sysname": "Linux",
  "version": "#1 SMP Wed Dec 22 15:41:11 UTC 2021"
}
  • Cloud provider or hardware configuration: N/A
  • OS:
$ cat /etc/os-release 
NAME="Fedora Linux"
VERSION="35 (Thirty Five)"
ID=fedora
VERSION_ID=35
VERSION_CODENAME=""
PLATFORM_ID="platform:f35"
PRETTY_NAME="Fedora Linux 35 (Thirty Five)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:35"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f35/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=35
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=35
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
  • Kernel:
$ uname -a
Linux falco-vm 5.15.11-200.fc35.x86_64 #1 SMP Wed Dec 22 15:41:11 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
  • Installation method:

RPM

Additional context

I believe https://github.com/falcosecurity/falco/pull/1999 introduced this potential regression, as it looks to remove the check which allowed for empty event sources for field extractor plugins.

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 17 (10 by maintainers)

Most upvoted comments

Hey @juju4, I can confirm that the json plugin is not required if not for extracting fields from plugins and with plugin-dependent rulesets (such as the k8saudit one). Why are you loading the json plugin in this case? Can you share your falco.yaml config or give a pointer to it?

Either way, the workaround is just to not load the plugin if you don’t need it. It would be load_plugins: [] in falco.yaml.

Thanks for the details @jasondellaluce surrounding why we can’t access the syscall source in field extraction plugins today. When loading a plugin with event sourcing enabled along with a field extraction plugin, Falco starts up as expected in 0.32.0. I’ll keep a watch on the feature in future releases and will seek an alternative path to how to achieve what I was intending to do with my custom plugin. Looking for dynamic event enrichment based on Kubernetes labels in the emitted event similar to the event enrichment mentioned in the Slack conversation you’ve linked, https://kubernetes.slack.com/archives/CMWH3EH32/p1643838967857299.
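The two configurations the thread arrives at, written out as an added example (this is not the reporter's config and not Falco's shipped falco.yaml): option A is the maintainer's workaround of not loading the extraction-only plugin at all; option B pairs the json extraction plugin with a plugin that has event sourcing capability, which the reporter confirms starts on 0.32.0. The k8saudit library name and its open_params value are assumptions based on that plugin's usual defaults and are not stated on this page. The file holds two alternative fragments separated by `---`; use one or the other as your falco.yaml, not both.

```yaml
# Added example, not from the issue or from the Falco project.
#
# Option A: the workaround from the thread. The json plugin only extracts
# fields from plugin-sourced events. With no source plugin loaded there is
# nothing for it to be compatible with on 0.32.0, so do not load it.
plugins:
  - name: json
    library_path: libjson.so
    init_config: ""

load_plugins: []
---
# Option B: load a plugin with event sourcing capability alongside the
# extraction plugin. 0.32.0 then finds an enabled event source that json is
# compatible with and starts normally.
#
# ASSUMPTION: library_path and open_params for k8saudit are the plugin's
# typical defaults; they are not given anywhere on this page.
plugins:
  - name: k8saudit
    library_path: libk8saudit.so
    init_config: ""
    open_params: "http://:9765/k8s-audit"
  - name: json
    library_path: libjson.so
    init_config: ""

# Order matters only for readability; both plugins are loaded and the
# extraction plugin is offered the k8saudit events.
load_plugins: [k8saudit, json]
```

With option B the json fields are only available for events coming from the enabled source plugin; as the maintainer explains above, field extraction plugins cannot be applied to the syscall source in 0.32.0, so option B does not give you label enrichment of syscall events.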