https://github.com/mvenditto/falcosecurity.plugin.sdk
Unofficial Falco plugin SDK for .NET
https://github.com/mvenditto/falcosecurity.plugin.sdk
csharp falco falco-plugin-sdk falco-plugins falcosecurity net net6 sdk
Last synced: 6 months ago
JSON representation
Unofficial Falco plugin SDK for .NET
- Host: GitHub
- URL: https://github.com/mvenditto/falcosecurity.plugin.sdk
- Owner: mvenditto
- License: mit
- Created: 2022-11-01T20:59:46.000Z (almost 3 years ago)
- Default Branch: master
- Last Pushed: 2022-11-19T14:37:58.000Z (almost 3 years ago)
- Last Synced: 2023-05-16T23:22:43.260Z (over 2 years ago)
- Topics: csharp, falco, falco-plugin-sdk, falco-plugins, falcosecurity, net, net6, sdk
- Language: C#
- Homepage:
- Size: 345 KB
- Stars: 7
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE.txt
Awesome Lists containing this project
README
# FalcoSecurity.Plugin.Sdk
[](https://ci.appveyor.com/project/mvenditto/falcosecurity-plugin-sdk)
[](https://ci.appveyor.com/project/mvenditto/falcosecurity-plugin-sdk/build/tests)
[](https://ci.appveyor.com/project/mvenditto/falcosecurity-plugin-sdk/build/tests)
[](https://app.codecov.io/gh/mvenditto/FalcoSecurity.Plugin.Sdk)
Unofficial [Falco](https://github.com/falcosecurity/falco) plugin SDK for .NET, powered by [DNNE](https://github.com/AaronRobinsonMSFT/DNNE) native exports and [NET6+ native memory management](https://learn.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.nativememory?view=net-6.0).
## Wiki
For a full example and addition information on how this works, check out the [Wiki](https://github.com/mvenditto/FalcoSecurity.Plugin.Sdk/wiki/Dummy-counter-plugin)!
## 
NuGet packages
| | | desc | changelog |
|-----|------|-------|-----------|
| FalcoSecurity.Plugin.Sdk | [](https://www.nuget.org/packages/FalcoSecurity.Plugin.Sdk/) | Core Plugin SDK types | [CHANGELOG.md](https://github.com/mvenditto/FalcoSecurity.Plugin.Sdk/blob/master/FalcoSecurity.Plugin.Sdk/CHANGELOG.md) |
| FalcoSecurity.Plugin.Sdk.Generators | [](https://www.nuget.org/packages/FalcoSecurity.Plugin.Sdk.Generators/) | Source generators for native exports | [CHANGELOG.md](https://github.com/mvenditto/FalcoSecurity.Plugin.Sdk/blob/master/FalcoSecurity.Plugin.Sdk.Generators/CHANGELOG.md) |
| FalcoSecurity.Plugin.Sdk.Template | [](https://www.nuget.org/packages/FalcoSecurity.Plugin.Sdk.Template/) | [Project template](https://github.com/mvenditto/FalcoSecurity.Plugin.Sdk/wiki/Getting-Started#The-falcoplugin-template) `dotnet new falcoplugin` | |
## Dummy plugin sneak-peek
```cs
[FalcoPlugin(
Id = 999,
Name = "dummy_plugin",
Description = "A dummy plugin",
Contacts = "mvenditto",
RequiredApiVersion = "2.0.0",
Version = "1.0.0")]
public class Plugin: PluginBase, IEventSource, IFieldExtractor {
public string EventSourceName => "dummy_source";
public IEnumerable EventSourcesToExtract
=> Enumerable.Empty(); // only consume ourselves event-source
public IEnumerable OpenParameters =>
=> Enumerable.Empty(); // no specific open-params
public IEnumerable Fields => new List {
new(type: "uint64",
name: "dummy.counter",
display: "Counter value",
desc: "Current value of the internal counter")
};
public IEventSourceInstance Open(IEnumerable ? openParams) {
return new CounterInstance();
}
public void Close(IEventSourceInstance instance) {
instance.Dispose();
}
public void Extract(IExtractionRequest extraction, IEventReader evt) {
var counter = BitConverter.ToInt32(evt.Data);
extraction.SetValue((ulong) counter);
}
}
public class CounterInstance: PullEventSourceInstance {
public int Counter {get; set;}
public CounterInstance(): base(batchSize: 10, eventSize: 8) {
Counter = 1;
}
protected override void PullEvent(EventSourceInstanceContext ctx, IEventWriter evt) {
var unixNano = (ulong) DateTimeOffset.Now.ToUnixTimeSeconds() * 1000000000;
evt.Write(BitConverter.GetBytes(Counter));
evt.SetTimestamp(unixNano);
if (Counter >= 50) {
ctx.IsEof = true;
}
Counter += 1;
}
}
```
```yaml
- rule: Dummy counter rule
desc: Dummy counter equals 42
condition: (dummy.counter=42)
output: dummy.counter is 42 value=%dummy.counter
priority: DEBUG
source: dummy_source
tags: [dummy]
```
admin@someplace:~$ tree /usr/share/falco
/usr/share/falco/
└── plugins
├── libjson.so
├── libk8saudit.so
└── dummy_plugin
├── plugin_native.so
├── FalcoSecurity.Plugin.Sdk.dll
├── FalcoSecurity.Plugin.Sdk.DummyPlugin.dll
├── Microsoft.Extensions.ObjectPool.dll
└── FalcoSecurity.Plugin.Sdk.DummyPlugin.runtimeconfig.json
admin@someplace:~$ falco --enable-source dummy_source
Sat Nov 5 18:08:52 2022: Falco version: 0.33.0 (x86_64)
[...TRUNCATED...]
Sat Nov 5 18:08:52 2022: Enabled event sources: dummy_source
Sat Nov 5 18:08:52 2022: Opening event source 'dummy_source'
Sat Nov 5 18:08:52 2022: Opening capture with plugin 'dummy_plugin'
Sat Nov 5 18:08:52 2022: Closing event source 'dummy_source'
18:08:52.000000000: Debug dummy.counter is 42 value=42
Events detected: 1
Rule counts by severity:
DEBUG: 1
Triggered rules by rule name:
Dummy counter rule: 1
admin@someplace:~$ █
# Note
This sdk is **Unofficial** and is not associated nor endorsed by Sysdig and falcosecurity/falco