A: Welcome to Cloud Native Live, where we dive into the code behind cloud native. I'm your host today; my name is Whitney Lee and I'm a CNCF Ambassador and a Developer Advocate at VMware Tanzu. Every week we bring new presenters to showcase how to work with cloud native technologies. We will build things, we will break things, and we will answer your questions. Today we have Melissa Kilby and Pablo Musa here with us to deliver a presentation called "Falco: a peek into the people and the latest features."
A: Now, this is an official live stream of the CNCF, and as such it is subject to the CNCF code of conduct. Please do not add anything to the chat that would be in violation of that code of conduct; so basically, be respectful of your fellow chatters, of the presenters, and please respect me too. Lastly, friends who are joining us live, please say hello in the chat and tell us where you're tuning in from, and if you have questions during the presentation, please do post them to chat.
A: Yeah, what cool guests! I'm so excited for today's show; it's going to be a blast. And one thing that I'm super excited about is we're kicking this show off a little differently. We're gonna do an interview with Melissa, because Melissa is super cool, and let's find out more about that. So Melissa, can you tell us about yourself and the beginning of your tech career?
B: Yeah, big surprise: my university studies did not initially involve a tech-related field. Instead, I focused on sports science and had a strong passion for gymnastics. Later on, during my PhD, I discovered my new passion for computer programming, and my entry into cyber security began with my initial role supporting cyber research projects for the US government.
B: I also taught applied data science at Placet, and around five years ago I joined Apple, where I initially applied AI and ML and big data to threat detection. Later on, I transitioned into a new role that involved developing low-level Linux kernel monitoring tools and performing threat detection at scale using Falco. Lastly, a fun fact about me is that I also had the opportunity to intern at NASA and contribute to their spacesuit engineering program.
A: Wow, how cool is that! So how did you start then, with open source in particular?

B: Last year I made my first open source contribution ever, to the Falco project, so exciting. I started participating in the project by upstreaming patches, and despite having no prior experience in C, C++ or eBPF, I gained proficiency through the project as I contributed a lot, and I also had patience along the way.
B: I definitely knew that to become more involved in a project, I needed to learn more about the project, make myself a known entity and contribute. To do that, I started with easier patches. This approach allowed me to build trust with the maintainers and gradually familiarize myself with the code base. By tackling simpler tasks initially, I also gained confidence and deepened my understanding of the project's intricacies. I also help reviewing PRs and triaging issues and provide guidance and expertise to the community, and additionally, I assisted in creating patches that others needed to effectively utilize Falco.
B: In summary, I just aim to be helpful and contribute positively to the community in various ways. And one important thing is being comfortable with feeling uncomfortable and not knowing all the answers right away. All of us, all the maintainers, are constantly learning and evolving, so embracing this mindset is very crucial.
A: Being comfortable with being uncomfortable is amazing. And I want to take a second and say, like, we have so much great chat right now, and I'm excited to dig into some of your questions, especially about Falco, but we're going to do that a little later alongside the demo. And then we do have a lovely comment: "This is amazing achievements, Melissa," which I totally agree with, and being comfortable being uncomfortable is a huge part of that, I think. So you're a maintainer of Falco. How does being a maintainer help in your career generally?
B: I can focus on the actual goal that we're trying to accomplish, and often, or maybe even all the time, it's a combination of everyone's input that creates our success. Furthermore, having joined a project with years of experience of working in a large company, I've also noticed similarities. Working with open source requires basically the same skills as working in a large organization, where you collaborate with various teams and departments and you need to understand their needs and concerns, and developing effective communication skills is of utmost importance.
B: Right, Apple definitely stands out as one of the distinct adopters due to the scale we operate at. The scale allows us to bring valuable insights and assert that certain approaches may not be suitable for large-scale production. We can identify more efficient alternatives that can benefit not only ourselves but also other adopters like us that are facing similar challenges.
B: Our objective is to enhance the robustness and strength of Falco. We prioritize stability, safety and integrity alongside the addition of features. Lastly, it is generally exciting to not only announce the availability of a particular feature, but also to proudly declare that we contributed to building it.
C: Great. So yeah, before we talk about the 0.35 release, which we did about a month ago, just an intro to Falco for people that don't know the project that well. So Falco is an open source runtime security solution for threat detection across Kubernetes, containers, hosts and the cloud. It's a CNCF incubation-level project, and we applied for graduation back in November 2022, and hopefully we get it graduated soon. It's getting more and more traction over time, which is great. And here's an overview of how Falco works.
C: So the whole idea of Falco is being this streaming agent that's collecting data from multiple inputs and sending alerts if something suspicious happens, right. And the different inputs we can have: we can talk about system calls, where we can look with either the kernel module or using eBPF probes, or we are talking about plugins, like just collecting data from GitHub, CloudTrail, Kubernetes audit logs. Then we have a set of rules which we run those events against, and if there is a match, it means: oh, this is a weird behavior.
C: This is suspicious, and then we send an alert to whatever output you configured. So, a little bit more on eBPF. I guess most of you have heard of eBPF before; it's been around for a few years now. It stands for extended Berkeley Packet Filter, but the name is basically history, so don't worry too much about it. In a nutshell, it extends the kernel capabilities safely and efficiently, without changing kernel source code or loading kernel modules.
B: Thanks, Pablo. In the following slides I will present the modern BPF implementation of Falco, as Pablo already said, focusing on the concepts of kernel buffers (the BPF ring buffer) and the Compile Once, Run Everywhere (CO-RE) features: BTF, the BPF Type Format, and tracing programs. Next slide, please. The modern BPF driver feels good for adopters as it eliminates the need to worry about many underlying complexities.
B: For example, if you are a Go or Java developer, you are accustomed to easily compiling and running applications on various operating systems such as Linux, macOS and Windows, as well as different architectures like x86 or arm64. This ease of portability is possible because many of the underlying considerations are abstracted away from you, and everyone loves easy DevOps, easy testing and better performance. Next slide, please. In a nutshell, what our kernel drivers do, all of them: they primarily read kernel data structure fields, as shown on the left side of the slide.
B: The old BPF instrumentation requires performing successive kernel reads when traversing through kernel structs, and this is due to the fact that memory is read directly to the stack, and to successfully navigate these structures you have to know the exact sub-structs and field names. This process is not only tedious but also fragile, because the Linux kernel does not provide a guarantee of backwards compatibility or stable APIs across different releases.
B: Now, let's shift our focus to the right side of the slide, where we explore a better approach, known as the CO-RE way, that we adopt in our modern BPF drivers. Here's how it works. First, with the CO-RE approach, you can read the desired fields in a single operation, regardless of the number of structs you need to traverse. You only require one BPF CO-RE read. Furthermore, even if there are slight variations in the kernel data structures, the new BPF CO-RE read helper can adapt without requiring modifications to the read operation.
B: That's pretty cool, and this is achieved through the use of kernel debug info, the BTF I mentioned earlier, yeah, and BTF automatically identifies the new location of kernel structure fields. That sounds amazing. Unfortunately, nothing is ever perfect, especially in the Linux kernel. This approach will not work in cases where there are significant structural changes in common kernel structures, or, let's say, when the meaning of a field undergoes a complete, radical transformation. Next slide, please.
B: In addition, in the old eBPF driver, we required the exact kernel header files to compile the BPF object code. With the modern BPF approach, where the driver is compiled generically and not specific to a particular kernel release, we face the question of where to obtain kernel data structure definitions from, and I must admit that there is no black magic involved in this process. To address this, you need to maintain a vmlinux header file in your project, which contains all the necessary kernel data structure definitions.
B: Additionally, if your program relies on macros or functions typically found in system header files, you will also need to redefine them. Returning to the scenario I just described: when encountering incompatible types between different distributions or kernel releases, you introduce flavor header files. In the example on this slide, you can observe that we defined an audit task info struct specifically for CentOS. Okay.
A: We have a quick comment from chat that says: "oh yeah, enabling debug on production kernel."

B: Next slide, Pablo.
B: Okay, switching gears a little bit, let's dive deeper into the concept of kernel buffers. Initially, when eBPF was introduced, there was only a perf buffer available (see the diagram on the left), and it was necessary to allocate one buffer for each CPU. For instance, let's say on a server with 96 CPUs, you would need 96 buffers, with each buffer typically having a size of 8 or 16 megabytes. Let's consider a real-world example with the older perf buffer. Imagine you have very busy servers where kernel-side drops are occurring.
B: You keep increasing the size of the buffer, but your problems do not go away. This is because the challenges often revolve around bursts of events. So what now? The eBPF community has introduced a promising new type of buffer called the ring buffer. In our modern BPF kernel driver we utilize the new BPF ring buffer. This buffer, however, has fundamental design differences that we had to learn through experience. The new ring buffer maps memory twice, contiguously, back to back in virtual memory, to make working with records that wrap around simple and efficient.
B: While it turns out the new ring buffer implementation does not exactly duplicate memory, it was confirmed by the kernel memory management expert that currently there's no way to avoid wrong double accounting of memory reserved but not used by the BPF ring buffer. So please keep this in mind when using the new modern BPF probe. To account for the different memory footprint and to handle event bursts better, the best approach is to leverage the capability of the ring buffer to be utilized across multiple CPUs.
B: That's what you see on the right side of the slide. This not only helps in managing the memory effectively, but also has another beneficial side effect: with the larger shared buffer, you may experience fewer or no event drops, as the buffer can better handle temporary spikes in the volume of events. And Pablo, I think you now have a demo for us around the CO-RE feature.
C: Yes, absolutely. So one of the cool things about open source is, like, every time we work on something new, we like to write about it and put a blog out there, right, and then you have other people from the community just talking to each other and helping put it together. So here's the modern BPF blog post; you can read about everything Melissa said and more. You're probably going to see that some of the diagrams actually come from here, and at the end you're actually going to see a "try it out" with a link.
C: This is the link that I'm going to use to basically show you a quick demo on the modern eBPF. So what I'm going to do here is basically compare the classic eBPF probe that we used to have with the modern one, with all the features that Melissa talked about, but mainly focusing on CO-RE, like Compile Once, Run Everywhere.
C: To show how easy it is for you to just update or upgrade your kernel without having to think about Falco or anything that's actually using eBPF. So, getting started: on one of the comments, "enabling debug on production kernel", it's not really debugging, but it's more about increasing our visibility into what is happening, right. That's what we want to achieve with Falco, and that's what we use eBPF for. So what I'm going to do first is: I have this Linux machine, just a simple configuration, and I have Falco installed, and I have the... yeah.
C: Oh, absolutely, yeah. Thank you, I completely forgot, yeah. So this is the training environment that we use and where we like to put labs like this. I have Falco installed here and I'm just going to run it with the BPF probe, and you can basically see here that, yeah, it's running, it's using the BPF probe, and this is where the BPF probe is configured.
C: This is the classic eBPF that we used to have before, and just to show how Falco works, I'm going to do something that could be considered suspicious, which is basically trying to find some keys, and Falco is going to alert, basically saying: oh, warning, there is a "grep private keys or passwords" activity found, and it's going to give you a lot of information about it. Because we're just running it on the host, not in a container or in a Kubernetes cluster, we don't have container information or the image, but otherwise we would.
C: This is the probe running. I'm now going to do the same thing, but using the modern eBPF. So notice that to use the modern eBPF with a plain Falco installation, you just do --modern-bpf, and what you're going to see here is, yeah, Falco started. We are looking into syscalls using the modern BPF, and more than that, we have one ring buffer for every two CPUs, which is what Melissa had just described. I'm going to do the same thing, suspicious activity, and hopefully Falco is just gonna...
C: ...let me know: hey folks, this doesn't look really good, you might want to take a look. I'm using standard output here, but we could easily set up Falco to send this to a SIEM in your back end, right, or to a Slack notification if something is actually critical. Good. So that's Falco just running and working. What I'm gonna do next is go to the next challenge: I'm going to update the Linux kernel, which is something that you don't do every day, but it needs to be done from time to time.
C: That's a good question. I think understanding a little bit of how processes relate to the kernel and basically what syscalls mean is an important aspect. So every process that's running in a computer, whenever they need resources like memory, CPU, files, they need to go through the kernel, right, and they do that through system calls. So the whole idea is that if you instrument the kernel, you basically have visibility into all the processes that are running.
B: The background for the session today is probably what could be considered the question: what is the background I need to get started with Falco? And it really depends what level you want to get into, because Falco cuts across so many different domains, including kernel programming, red teaming, offensive security, data science, big data, data pipelines.
B: Today we dive more into the drivers. So the background you need is traditional kernel programming, understanding what I mentioned before: for traditional kernel modules or the old eBPF driver, you need to have the kernel header files for the exact kernel you want to deploy your tool to, in order to compile the eBPF bytecode for it. And then eBPF as a new technology: there are so many great tutorials, and I would just start reading and maybe then re-watch what we said today, just as a suggestion.
C: Great. So I updated the kernel from 10 30 to 10 34. What I'm gonna do now is, I'm just gonna... oops, not this one. I'm just gonna reboot the machine so we can start with the new kernel, yeah. This is going to be inactive for a few seconds, and I'm just going to wait. So if there are any questions in the meantime, I can also try to answer those.
A: A comment that maybe you can speak to: "that's actually CONFIG tracepoints, not debug." But I don't... it's outside of my knowledge area.
C: So, trying to run the classic one: it's trying to use the BPF and basically says an error occurred here, forcing termination, and if you look into the error, it's like: the BPF probe is compiled for a different kernel, but you're running this one, so we can't do anything; you need to recompile your classic BPF probe so it can actually work. On the other side, if we just go for the modern BPF, voila, Falco's running. Why?
C: Looking here, it seems like: okay, but it's easy to compile Falco in this scenario. Here, yes, it is, but if you're thinking about a hundred thousand nodes running it, and now you need to think about Falco and everything else, like, that's one less thing to worry about, plus all the performance improvements that we added into it, like ring buffers and others.
C: So, moving on, I think we can now talk about another amazing feature in 0.35, which is adaptive syscall selection, and I'm sure this is close to Melissa's heart, since she really worked a lot on this feature, and I really love this feature, by the way. So go for it.

B: Thanks, Pablo. Yes, if you have been using Falco and believe that it only monitored the system calls defined in your rules, I unfortunately must inform you that this was not the case prior to Falco 0.35. However, I have good news: starting from this Falco release, 0.35, the statement holds true, albeit with some caveats that I will explain in detail now. We modernized Falco from the ground up, really from the ground up, and introduced this new feature called adaptive syscalls monitoring. It empowers end users to tell Falco which system calls to monitor.
B: So we also addressed this gap, and this milestone, allowing access to a notable range of syscalls (not all syscalls, but I think over 350), represents another significant advancement in threat detection. In summary, as an end user, the benefits you gain from this new release and these updates include full control over the selection of system calls to monitor, and this flexibility allows you to adjust your monitoring approach over time based on your cost budget and threat model.
B: Now, let's discuss the reasons why adaptive syscall selection was not available earlier. One of the primary reasons is that certain events involve multiple syscalls; for instance, spawning a new process typically involves a combination of syscalls like fork followed by execve. Additionally, in certain scenarios, such as establishing a network connection, monitoring system calls like socket or bind is also necessary, along with the specific syscall of interest, such as connect or accept. To add to the complexity, Falco maintains a process cache table that stores state information, and this state allows for real-time traversal of parent process lineages, enabling features like parent-child relationship tracking that everyone truly loves about Falco. The combination of these factors made it challenging to provide adaptive syscall selection in earlier versions of Falco. However, with the recent advancements and modernization efforts, we have successfully overcome all these complexities to offer this valuable feature.
B: I have to say, this advancement really creates excitement for a variety of end users. Researchers can now monitor all system calls, while adopters in production settings can customize their monitoring scope to align with their cost budget and, again, their specific requirements. This flexibility enables efficient resource allocation and effective threat detection. Okay, in the upcoming slides I will provide some explanations, not all of the explanations, about the inner workings of Falco. Next slide, please.

B: The key takeaway from this slide is that, in order to effectively monitor system calls, it is essential to know there are system call IDs. System calls are defined in the Linux headers (here we go again with the header files), and each syscall is associated with a specific number. To support multiple architectures, internally Falco employs a mapping mechanism using a custom enumeration. Again, this mapping is necessary because the number associated with a system call can vary across different architectures, such as x86 or arm64.
B: By utilizing this mapping mechanism, Falco's libraries can uniquely identify and handle each supported syscall in a consistent and uniform manner. Another key point to highlight is that syscalls have both an enter event and an exit event. To facilitate a structured approach in the parsing process, Falco introduces an additional mapping or enumeration, shown on the right of the slide. This mapping is essential for organizing the parsing and handling of events, as Falco not only deals with syscall events but also incorporates non-syscall events, such as container events.
B: Next slide, please. The last two slides provide an overview of the adaptive syscall selection flow. We begin with the Falco rules: Falco traverses the abstract syntax tree of each rule's filter and extracts the syscall strings. It then maps the strings to the corresponding syscall IDs and the internal event IDs within Falco.
B: This process involves not only the syscalls defined in the Falco rules, but also the syscalls required for Falco's internal brain, or state, that we already discussed. Next, to transfer this information to the kernel, we employ a dedicated eBPF map in the case of the BPF drivers, or an internal bitmask using the ioctl API in the case of the kernel module. This allows us to inject the relevant information into the sys_enter and sys_exit tracepoints within the driver. Next slide, please.
B: Important to understand is that, due to the triggering of the sys_enter and sys_exit kernel tracepoints for every, literally every, syscall, our push-down filter is designed to efficiently exclude unnecessary syscalls that we're not interested in before any data field extraction occurs in our kernel drivers. This filter optimizes the monitoring process by discarding irrelevant syscalls early on, the earliest possible, basically. Once again, Falco operates as a passive monitor of syscalls and does not exert any influence on or modify the behavior of the syscalls being monitored.

B: Additionally, the purpose of kernel-side filtering is to minimize the number of events that must be transferred from the kernel to user space through the buffer we already talked about as well. In addition, the goal is to reduce the number of events processed and evaluated against Falco rules in user space. By implementing this modernized filtering mechanism, we can achieve these efficiencies without compromising visibility at all.
B: This is because the ignored syscalls are not utilized in Falco rules and also not utilized for the state, ensuring that only the events necessary for Falco state and rules are served up to user space. In summary, the kernel-side filtering approach allows us to optimize event handling while still providing all of the relevant information required by Falco. I think we're ready for the next demo, Pablo.
C: Absolutely, thank you very much. Yep, so again, for the adaptive syscalls it's the same thing: we sat down together, we wrote a blog (thank you, Melissa, Roberto and Federico for that), and we tried to explain here what's going on, what's the new feature, and there is way more information than what Melissa described, and at some part here that I'm failing to find, there is also a link for you to try another lab if you want. So the idea of this lab...
B: In my experience, if you want to contribute, there are various ways. First of all, it must not be just code: you can also help on Slack answering questions about Falco, or help triaging issues, and just be helpful in general. If you want to contribute code, I would recommend starting with smaller, easier patches to build trust with us over time, and that's kind of the recommendation I would give you. Do you have a follow-up question?
C: Yeah, I think even at CNCF, and like the different events that I've been joining, people have been talking more and more about contributing without having to contribute code, right. There are many ways to contribute to a project: you can just help people, you can just look into the documentation, you can help with blogs, you can just connect folks to talk about the same thing, you can host an event or something like that. So if you're scared about all this technical part that Melissa talked about, which I don't understand everything of either, to be honest, it's really complicated to me as well, but I do my best. There are many different ways that you can still contribute to the project.
C: So, going back to my demo, what I'm gonna try to do here is basically show you adaptive syscall selection. So, this idea that Falco has a defined set of system calls that should be monitored, so you basically can guarantee that we have good visibility into what's going on and important data is not missing, right. So we will start by basically showing you, like, if we run Falco, there are a few settings that you can add just to see some logs, like log level.
C: And then you have the stderr set to true here, and you have the dry run, that's not going to really collect events but just do a dry run of Falco. And with that we can clearly see the syscalls here that were added because they are in the rules: 31 system calls. And then you can see the other 43 system calls that were basically added to make sure that the state engine of Falco has everything it needs to have all the data, which is a total of 74 system calls that it is monitoring, right.
C: So if I go to the next part, what I'm going to do now is basically have one simple rule. So for us to really play, I'm gonna narrow the scope, and then we're gonna see what Falco is actually doing. So for those of you not familiar with Falco: basically, what Falco does is look into the system calls that are happening, the ones that it decides to monitor, and it compares those events against rules, right. There's a default set of rules for system calls that, by default, has more than 80.
C: I'm just gonna say: forget about all of those, just use this single rule here, which is a very simple and dummy rule, to be honest. I'm just looking to: okay, is there an uncommon process execution? And by uncommon here, I mean any process that's not bash, sh, ls or rm. So I'm basically monitoring anything that's execve or execveat in an exit system call. Good.
C: Now I'm going to run Falco. I'm going to use the same log level, standard error, and I'm just going to load this single rule file. And what we can see now is there were only two rules found, sorry, only two system calls found in the rules, execve and execveat, and because of that, to keep consistency, Falco had to add another 56 syscalls that are going to be monitored as well, with a total of 78.
C: So that's less than we had before, which was 70 something, and in this case we actually have more: before we had 43, now we have 56. So because we have fewer calls in the rules, Falco had to balance to make sure it stays consistent and increase the number of Falco's, sort of, system calls that are actually monitored. This is just some Ubuntu license check happening in here. Great, so now I'm gonna run some commands, just with the script, and we're gonna see what Falco gets.
C: So there are a few warnings in here. Basically, I'm looking at what was the process. So we have the script itself. Oh, sorry, let me... I hope it doesn't get in the way again.
C: There was the touch, there was a mkdir, another touch. So, just a few Linux commands that I executed. The important part here is the path, because that's the example that I'm going to explore. You can see that, okay, this is root/folder; that's exactly where the process touch was executed from, in this case, with everything set up correctly. So I'm gonna go to the next one, and what I'm going to do now is actually use what Melissa described, and I'm going to select the specific system calls that Falco should monitor, not more, not less. I'm going to add just two of them, and that's going to be it, and from there we're gonna see that actually information is going to be missing, because we don't have enough context to do the right thing. And I'm gonna edit Falco; feel free to stop me if there is anything in chat, I can see it right now.
A: There is, there is a question: are these labs you're doing publicly available? I do believe...

C: If you go to the blog on adaptive syscall selection, it's just in the blog. I can share the links later as well. There is a slide with the references, and the plan is to share the slides later on. Excellent. So, oh, hold on, yeah, so I'm basically editing the configuration file.
C: That's just going to make sure that we have everything. I'm forcing Falco to just look at those two system calls, nothing else, right. So I'm gonna save, I'm gonna run Falco again, and now we can see: we got two system calls from the rules, we got an extra two that were basically from the base syscalls, and this is a no-op because I'm basically adding the same two that I have in the rule. So nothing else, and then what you're gonna see is that the total is actually going to be three.
C: There is the execve, the execveat and the procexit. procexit is a safeguard that was added and hard-coded in there just to make sure things don't derail. Good, so I have it running right now. I'm gonna run the same commands again, and what I want to show you is that right now, basically, the path is not there anymore.
C: Why is the path not there anymore? Because we don't have the syscalls that we need to actually be able to have this information in there. So be very careful when playing with this; don't do that in production. And if you actually look at the blog, there are some best practices with regards to, I think it's over here, the type of events that you have, like the rules that you have: what are the system calls that you must include in there. And just to finalize my demo...
A: A question in chat on ring buffers: "I have a question on ring buffer now. Are you using ring buffer across CPUs? Does that mean there's a lock between CPUs and system call execution, and performance cost around it?"
B
Okay, can we take this question after the demo?
C
Yeah, so what I'm going to do now is just set repair to true, and this setting is amazing. I love it. It's basically saying: okay, this is what I'm interested in, but you know what, I'm not sure what I'm doing and I might be breaking stuff, so please just repair stuff for me. And now when I run, I still have the two syscalls, and the two syscalls are overriding with the configuration, with the base syscalls setting that I had before.
C
But now Falco is adding 16 repair system calls. They're what Falco believes is the real minimal set of syscalls that we can have to keep state consistent and still give you the output, and feel free to correct me here, Melissa, if I'm saying something that I shouldn't. No, but just to finalize, now I'm running it again and you're going to see that the path is here, and that's probably because the chdir was just added there, which is me changing directories, and that's what I'm printing in here.
C
So that was a quick explanation of the new adaptive syscall selection feature. Sorry, demo, not necessarily an explanation, and you can just try yourself: just break it, use the same example or just go for your own example, and it's just super cool that you can see, edit there, break things and try again, and have an environment to just do that.
B
Pablo, I can probably add, at 2.1 second, the difference between the default state enforcement is that by default, Falco turns on any system calls that could potentially modify any state, and the difference here and the repair option is that Falco now carefully analyzes the actual rules it provides, you provide, and then activates only the necessary syscalls to avoid breaking Falco's functionality. That's where the benefits come in. That's.
B
And yeah, I think if you had to choose just one threat detection tool, doing operating system level kernel inspection probably covers most of the attacks, so that's basically where I would recommend people to get the most investment out. If you can only deploy one tool, one downside is that you have to deploy this tool across
B
your entire environments, could be different back-end servers, like in Kubernetes your worker nodes, then you have your control nodes, maybe you have bare metal hosts, and so you would need to deploy Falco everywhere. And there's a small subset of attacks that Falco cannot detect. If you think about higher up in the application stack, for example authentication bypasses, you would still need application logs, and there's also the Kubernetes control plane, like Kubernetes audit logs. Falco has a plugin for it, but it's not syscalls data. Pablo, you probably have more to add to this.
C
Yep, I think security must be seen as layers, right? Like it's a fact, and if you look into the cloud native environment, you have like many different acronyms. We're talking about cam, we're talking about CWPP and other, CSPM, so you basically need to make sure that you understand what Falco's proposal is, which is the last line of defense.
C
So after you have all those layers in place, there's still like zero-day vulnerability, right? Like Log4Shell was discovered almost nine years later. Like, what was happening throughout those nine years, and how could you have visibility into that if no one actually knew what was going on? And after people discovered, until we had a patch, what happens in this gap? What happens in this gap is, if you have a tool, that's the last line of defense, and that's monitoring at runtime
C
what's happening. That's what Falco is: you can be alerted in real time if something fishy or suspicious is happening. So I would say, to convince, is to make sure that people understand the problem, that it doesn't matter how many layers of security you have, you're too vulnerable out there, and this is the extra layer, and I would say like the last line of defense. That's how we usually like to call it.
B
Yes, and really thinking about your cost budget is very important. For example, perhaps your servers are really, really busy and you have a very low cost budget. Now, with these new features we presented today, you can do very targeted monitoring. Maybe you just want to look at newly spawned processes, because that's all you can afford to monitor, but it's still better than nothing.
B
Yes, so there's an exciting prospect for the next Falco release, 0.36. Most notably, we are developing a rules maturity framework. This framework aims to facilitate the onboarding process for new adopters of Falco, and maybe also help with the sales pitch, and guide adopters in implementing threat detection effectively. We will identify approximately 20 to 35 rules that are tagged as stable and highly relevant for addressing the top cyber threats.
B
These rules will serve as a starting point for adopters to implement monitoring and alerting in their environments, and once these initial rules have been successfully implemented with an acceptable noise level (because every environment is different, you have to deploy and see how they work), adopters can then progress to exploring rules tagged with a lower maturity level, and so on. I think this will really help drive adoption of Falco even further.
B
Then we're also continuously striving to enhance the efficiency and robustness of the Falco source. The upcoming developments in threat detection capabilities include, for example, symlink resolution of executable files, as well as a redesigned DNS resolution mechanism. Additionally, there will be a wealth of new guides available to further improve the adoption process for users.
B
Furthermore, we believe there is never a wrong time to embark on ambitious endeavors. As such, we're currently in the design phase for providing anomaly detection capabilities directly on the host. We're actively working on this exciting moonshot project. I think that's all we have, to not steal all the thunder from future talks.
A
I think, is that a wrap for today? I think we've got all the questions covered in chat. Thank you so much for all the wonderful questions today, chat, and is there anything else? I will, I'll share this. Okay, I'm gonna share a link to the slides right now, so you'll have that, and I'm also going to put it on the screen for a little bit, so.
C
And in the slides you basically have the references, so you can see like the two blogs that I talked about. One of the things, if you like this: we have been doing a lot of different events.
C
There's also the book. I read the book twice; it's actually a really nice book to understand a little bit more about cloud native and security, and it's for free. You can just download it and have fun. This is also in the slide deck. So if you want to stop my sharing now, people can just get the link. Okay.
B
It's a runtime threat detection tool for Linux operating systems. That's what the primary use case is.
C
Yeah, I'll expand on that, and I would say yes, I've seen that, say, cops people using. I've seen like aims for people using. So you have a lot of different teams, that you have a single team that provides the infrastructure to the rest of the company, and people are just using Kubernetes clusters and whatnot, and Falco is a way of actually getting visibility into what people are doing within their clusters, right? So, are people opening shells into production containers? Like, this is not what you want people to be doing.
C
So it's also a way for you to understand how people are using an infrastructure that your team provides, for example. So yeah, I've seen that cops people interested in this too, as well.
B
And compliance people. Aligning with the rules maturity framework, we will also tag rules to their specific compliance use case, if applicable. That's also very exciting.
A
Amazing, well, I think that's a wrap today. Friends, do you have any closing statements before I do my closing statements? Go for it. All right? Thank you, everyone, thanks so much for joining today's episode of Cloud Native Live. It was great to have Melissa Kilby and Pablo Musa here teaching us about Falco. We learned about the latest features and we learned about the community and how to get involved. That was super cool. Chat, as always, you were amazing. Thank you for the interaction and the questions, and here at Cloud Native Live