
Store policy violations events for audit

Open bsctl opened this issue 4 years ago • 8 comments

Describe the feature

For audit purposes, it would be nice to keep a history of Tenant policy violations. Just tracking events as for #289 could be not enough, since events are lost after a while.

bsctl avatar Jun 15 '21 11:06 bsctl

We have to understand where we should store these events; the user story is not detailed enough for planning.

prometherion avatar Aug 28 '21 08:08 prometherion

@maxgio92 I'm not a guru of the Falco ecosystem, do you think that a sidekick could be worth it?

Keep in mind that the context is the audit purpose, not sure if it's the correct project.

prometherion avatar Jun 29 '22 08:06 prometherion

@prometherion generally speaking I think that Falco helps understand whether an event is malicious. Then, if the events are all related to violations, maybe it could further filter them by obtaining malicious violations. I think it depends on whether we consider violations all malicious or not.

If we don't consider all violations to be malicious, based on the type of the event (data structure), it could be convenient and needed to write a Falco plugin, by leveraging its plugin framework. A plugin introduces a new event data source, teaching Falco how to support events of that type.

maxgio92 avatar Jun 29 '22 12:06 maxgio92

If the type of the event is of the native Kind Audit event Event I think we don't need a new plugin, as there's already one in place.

If so, based on that data source, Falco inspects those events and is able to filter based on user-defined rules (defaults here).

maxgio92 avatar Jun 29 '22 13:06 maxgio92

@bsctl any thoughts on this? Do you think we could close this?

prometherion avatar Mar 03 '23 18:03 prometherion

Sorry @prometherion for the very late response.

I think Falco would be beneficial in analysing the events for malicious ones.

If Capsule already filters them, I'm not quite sure.

Could we expose all Tenant related events offloading the duty to analyse, based on rules, to Falco?

Would that mean to send all Kubernetes Events?

maxgio92 avatar Mar 03 '23 19:03 maxgio92

The intention of this feature request is to implement the standard Policy Report Custom Resource Definition (CRD) that can be used as a common way to provide policy results to Kubernetes cluster administrators and users, using native tools, ref. https://github.com/kubernetes-sigs/wg-policy-prototypes/tree/master/policy-report

It has been implemented also in Kyverno https://kyverno.io/docs/policy-reports/

I suggest keeping it open, as auditing is an important part of policy-based systems.

bsctl avatar Mar 03 '23 20:03 bsctl
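As an added illustration of the approach proposed in the last comment (not Capsule's code, and not part of the issue): constructed Tenant violation Events are folded into a PolicyReport-shaped object whose results and summary outlive the short-lived Events. Field names follow the wgpolicyk8s.io/v1alpha2 schema; the event reasons, messages, policy name and the Tenant apiVersion are assumptions for illustration.

```python
# Added example, not Capsule's code. Aggregates constructed Kubernetes Events
# into a ClusterPolicyReport (wgpolicyk8s.io/v1alpha2 field layout) so that
# Tenant policy violations remain available for audit after the Events expire.
from collections import Counter
from datetime import datetime

# Constructed sample Events; reasons and messages are illustrative only.
SAMPLE_EVENTS = [
    {"reason": "ForbiddenNamespaceLabel", "type": "Warning",
     "involvedObject": {"kind": "Namespace", "name": "oil-dev"},
     "message": "label 'team' is not allowed by the Tenant",
     "eventTime": "2023-03-03T19:00:00Z"},
    {"reason": "ForbiddenIngressHostname", "type": "Warning",
     "involvedObject": {"kind": "Ingress", "name": "web", "namespace": "oil-dev"},
     "message": "hostname does not match the allowed pattern",
     "eventTime": "2023-03-03T19:01:00Z"},
    {"reason": "NamespaceCreated", "type": "Normal",
     "involvedObject": {"kind": "Namespace", "name": "oil-qa"},
     "message": "namespace admitted", "eventTime": "2023-03-03T19:02:00Z"},
]

def event_to_result(ev):
    """Map one Event to a PolicyReport result: Warning events become 'fail', others 'pass'."""
    ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
    violation = ev["type"] == "Warning"
    return {
        "policy": "capsule-tenant",  # assumed policy name
        "rule": ev["reason"],
        "category": "Tenant",
        "severity": "medium" if violation else "info",
        "result": "fail" if violation else "pass",
        "message": ev["message"],
        "timestamp": {"seconds": int(ts.timestamp()), "nanos": 0},
        "resources": [ev["involvedObject"]],
    }

def build_policy_report(tenant, events):
    """Build one cluster-scoped report per Tenant with a pass/fail/warn/error/skip summary."""
    results = [event_to_result(ev) for ev in events]
    counts = Counter(r["result"] for r in results)
    return {
        "apiVersion": "wgpolicyk8s.io/v1alpha2",
        "kind": "ClusterPolicyReport",
        "metadata": {"name": f"tenant-{tenant}"},
        # Tenant apiVersion is an assumption for this example.
        "scope": {"apiVersion": "capsule.clastix.io/v1beta2", "kind": "Tenant", "name": tenant},
        "summary": {k: counts.get(k, 0) for k in ("pass", "fail", "warn", "error", "skip")},
        "results": results,
    }
```

The resulting object can be serialised to YAML and applied like any other resource, so standard tooling (kubectl, report viewers) can query violations per Tenant.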