►
Description
Blog: https://everyonecancontribute.com/post/2021-08-11-cafe-42-falco-gitlab-package-hunter/
Falco: https://falco.org/
Package Hunter: https://about.gitlab.com/blog/2021/07/23/announcing-package-hunter/
A
And
we
are
live
on
youtube
hello,
everyone
in
for
into
no
not
my
shouldn't,
shouldn't
think
in
german
and
try
to
talk
english
at
the
same
time
today
we
want
to
look
into
falco
and
the
gitla
package
hunter,
and
it
is
my
pleasure
to
have
pop
with
us
today
and
talk,
give
us
an
introduction
into
what
it
does,
how
it
works,
including
a
live
demo
and
later
on.
We
will
switch
into
package
hunter
trying
it
out.
A
A
B
For
having
me
on,
I
appreciate
it.
My
name
is
dan
papadre
people
call
me
pop:
I'm.
The
director
of
open
source
community
and
ecosystem
for
cystic
cystic
is
one
of
the
creators
of
falco.
We
have
a
very
vibrant
community,
which
I
love.
You
know
people
are
interacting
and
doing
really
cool
stuff.
We
have
a
great
ecosystem
of
adopters
like
gitlab.
I've
done
some
really
amazing
stuff
in
the
past.
I
know
sam
who's
on
the
who's
on
the
caller.
B
B
But
what
is
falco
falco
is
a
cncf
project.
It's
incubated,
cncf
project,
we're
in
the
process
of
graduation,
and
so
it
was
originally
built
by
systic.
Systig
is
a
secure,
devops
platform
that
allows
you
vulnerability,
management
and
all
the
way
to
post
post-mortem,
using
the
underlying,
like
libs
of
that
we
use
that
is
part
of
the
falco
project.
So
what
does
it
do
so?
Falco
uses
system
calls
to
secure
and
monitor
a
system
by
parsing
system
calls
at
the
kernel
at
runtime.
B
So
you
hear
terms
like
ebpf,
or
you
know
those
types
of
things
you're
tapping
into
the
kernel
and
you're
running
little
applications
that
allow
you
to
kind
of
extrapolate
data
points
right.
So
anything
is
a
system
call
right.
If
I
go
ahead
and
hit
touch
a
file,
there's
a
system
call
that's
happening.
If
I
go
ahead
and
have
a
network
connection,
that
is
also
a
system
called.
B
So
all
of
those
things
are
things
that
are
presented
to
the
kernel,
and
so
what
file
code
does
is
it
has
a
rules,
engine
and
alerts
when
that
when
that
rule
is
violated
right
and
so
we'll
talk
about
package
hunter
later,
the
amazing
people
at
at
kid
lab
basically
created
a
bunch
of
rules,
some
rules
that
that
basically
are
specific
to,
like
maybe
some
of
the
npm
packages,
and
it's
like
they've
extended
it.
So
it's
really
cool
how
they've
taken
the
basis
of
falcon
extended
but
I'll.
B
A
B
So
if
you
look
at
this
here
again
talking
about
syscalls
applications-
and
you
know
at
the
os
and
kernel
here-
but
if
you
look
at
the
rule,
sets
that
are
there,
the
default
rules
are
they're.
65
system
calls
somebody
executing
a
shell.
So
if
you
had
a
default
like
just
kubernetes
deployment
nobody's
going
to
know,
if
somebody
execs
into
a
pod
nobody's
going
to
know
if
they've
mutated,
a
binary,
then
they're
going
to
know
if
they've
created
simple
symbolic
links
there.
B
So
even
if,
like
you've
done
a
vulnerability,
scan
and
you've
deployed
this
thing,
it's
still
there
might
be
something
where
somebody
could
drop
like
a
payload
in
and
there
could
be
an
issue
where
then
they
can
go
ahead
and
go
and
connect
to
an
external
website
or-
or
you
know,
a
minor
of
some
sort
right.
So
you
have
those
65
system
level
calls
rules,
but
also
we
tap
into
the
audit
log.
B
B
It's
yaml,
just
like
our
friends
at
gitlab
have
done
with
packager
they're,
basically
taking
and
extending
those
rules-
and
you
can
add,
rule
sets
that
are
there
and
if
you
go
to
the
website,
we
have
there's
a
that
securehub.dev
that
you
can
take
some
of
those
rules
and
create
them
and
edit
them
and
do
what
you
need
to
do
now.
If
you
look
at
this
from
an
architecture,
perspective
and
again
last
slide
and
then
we're
going
to
get
into
the
nitty
gritty
we're
going
to
deploy
a
cluster.
B
If
we
go
from
here,
I
told
you
about
that
kernel
probe
and
then
there's
these
libraries
and
web
servers.
So
that's
how
we're
able
to
get
to
the
metadata
to
tell
you,
okay,
this
happened
in
this
pod
that
happened
in
this
cluster
in
this
place
and
all
those
things
or,
if
you're
running
on
a
standard
host,
it's
going
to
kind
of,
tell
you,
okay.
This
was
a
container.
It
was
running
on
the
host
or
something
of
that
or
a
process
running
on
the
host.
B
That
type
of
thing,
but
then
there's
that
filtered
expression
and
that's
the
rules,
language,
the
yaml,
that
we
use
the
falco
rules
language
for
you
to
assert.
Okay,
somebody,
you
know
a
file
descriptor
of
slash
user,
share,
nginx
or
slash
whatever
it
might
be.
Then
you
can
output
and
you
can
do
that
to
grpc
file
standard
out
shell
and
http,
but
then
there's
also
something
that
the
community
contributed,
which
I
absolutely
adore.
B
Something
called
falco
sidekick.
If
you
aren't,
if
you're
watching
this
right
now-
and
you
haven't-
please
star
it
because
it's
one
of
the
coolest
projects
out
there-
somebody
took
three
standard
out
outputs
and
created
over
24
outputs
to
all
of
these
various
things
like
chat,
like
slack
pager
duty
logs,
like
elastic
search
q,
q
streaming
like
to
nats
cloud
functions,
and
if
you
go
to
falco.org
right
now,
slash
blog
you'll
see
that
somebody
extended
it.
One
of
the
community
created
an
article
about
response
engine
where,
if
a
rule
is
violated,
it
has
a
function.
B
You
can
write
a
google
function,
a
cubeless
function,
a
k
native
function,
an
fast
function,
so
you
have
all
of
these
capabilities
that
you
can
extend
and
contribute.
So
you
say:
hey,
there's
a
new
tech.
You
know
tech.
I
want
to
integrate
this
with
cool.
Let
me
do
it
this
way.
So
that's
what
falco
sidekick
is
all
right.
So
enough
of
me
talking,
let's
get
to
some
some,
let's
make
some
magic
here.
B
So
I'm
going
to
go
ahead
and
I'm
going
to
deploy
a
cluster
in
I'm
going
to
deploy
a
cluster
at
siebel
cloud
if
you're
all
familiar
with
civil
cloud,
it's
a
very
simple
kind
of
k3s
managed
deployment,
big
fan
of
them,
and
I
think
it's
really
quick
and
sure
you
can
get
a
cluster
up
within
you
know:
god
willing
90
seconds.
So
let's
go
ahead
and
do
that.
B
I
gotta
remember
which
one
okay,
so
I've
created
a
lot
of
clusters.
So
here's
what
we're
going
to
do
we're
going
to.
Let
me
just
create
a
smaller
cluster
lab
there
we
go
we're
going
to
create
one
called,
get
lab,
we're
going
to
wait,
save
and
merge.
That's
going
to
merge
the
the
context
of
cube
ctl
there.
B
A
B
I
mean
this
could
be
any
cloud
right.
I
mean
there's
learning
environments
that
we
post.
If
you
go
to
falco.org
right
now,
maybe
I
can
do
that
real
quick,
so
you
see
like
in
our
documentation
if
you
want
to
create
a
learning
environment,
there's
things
through
mini
cube
right
or
if
you
want
to
do
this
through
kind
or
micro
case,
or
you
know,
from
a
production
perspective.
A
B
B
Here
yeah
he's
he's
extended,
he's
working
on
some
stuff
with,
I
think
caverno
project
as
well,
and
he's
he's
a
he
actually
is
one
of
our
contributors
of
the
month.
That's
the
other
thing
I
love
about
the
project.
Is
we
have
such
a
vibrant
community
folks
come
by?
They
they
jump
in,
and
you
know,
they'll
they'll
do
contributions
back
to
the
project,
love
to
see
some
some
contribution
from
gitlab
back
to
the
project
as
well.
B
So
with
that
being
said
now,
let's
go
ahead
and
go
ahead
and
see
yep
it's
k,
get
nodes
see
if
our
nodes
are
ready,
looks
like
two
already
of
the
three
okay.
So
now
what
I'm
going
to
do
is
I'm
going
to
install
falco,
so
I'm
going
to
use
the
helm
deployment.
Now,
let's
go
back
to
the
slides,
real
quick.
Let
me
show
you
how
simple
it
is.
B
B
So
I'm
going
to
go
ahead
and
let
me
create
the
namespace
falco,
then
I'm
going
to
install,
but
I
created
a
custom
rule-
and
this
is
my
now
you've
all
probably
seen
a
couple
of
ones
I've
done
in
the
past,
but
I
do
this
thing
where
it's
basically
like
a
cookie
recipe
right,
and
so
you
can
look
at
this
and
use
this
to
be
able
to
say
that's
like
an
nginx
deployment.
But
I
want
to
show
you.
This
is
a
rule.
B
If
you
look
at
the
syntax
of
a
falco
rule,
it's
a
rule,
there's
a
description
and
then
there's
the
condition.
So
you
notice
like.
Basically,
if
I
want
to
look
at
anything,
that's
happening
within
user
share
engine
x
or
you
know
whatever
and
then
have
it
send
out
an
alert
of
some
sort,
which
is
again
if
we
talk
when
we
get
into
package
hunter
later,
that's
exactly
what
our
friends
at
gidlab
did.
Is
they
created
a
subset
of
some
local
rules
that
you
know,
look
for
npm.
B
Look
for
like
you
know,
package
issues
and
all
those
things
right.
So
that's
kind
of
the.
If
you
look
at
the
syntax
of
this
right,
it's
pretty
kind
of
standard,
it's
like
it's
a
standard
yaml
that
you
would
do
for
a
custom
roll.
So
what
I'm
doing
here
in
this
helm
install
is
I'm
just
saying:
okay,
use
that
custom
rule
yaml,
so
let's
go
k,
get
pods,
dash,
end
falco
and
we're
contin,
creating
containers,
we're
creating
the
side
kick
and
we're
creating
the
ui.
B
You
see
all
those
things
in
one
fell
swoop,
one
helm
truck
deployment.
So
when
people
come
to
us
and
they
say
it's-
you
know
I
can't
get
a
test
in
sandbox
environment.
I'm
telling
you
look
we're
just
doing
this
on
the
live
stream
right
now
we're
seat
of
our
pants
here,
michael
we're
doing
what
we
can
right.
B
B
Okay,
so
there's
our
our
cookie
recipe,
which
I
should
probably
have
changed,
the
name
because
it
is
within
other
people.
So
now,
if
we
go
here-
and
we
see
that
this
pod
is
running,
we
have
falco
running
and
we
have
that
custom
rule.
This
get
labs,
cookie
tampering,
rule
right.
So
here's
what
I
want
to
do
is
I
want
to
try
to
attack
one
of
those
pods
right,
let's
go
ahead
and
do
that,
I'm
going
to
use
cube
ns
and
I'm
going
to
set
the
name
space
to
the
secret
just
to
make
it
life
easier.
B
With
no
yep
yeah,
so
it's
familiar
with
ahmet
a
matt
from
google
created
a
bunch
of
really
cool
tools
that
let
you
kind
of
easily
kind
of
manipulate,
and
you
know
your
environment,
as
you
know,
like
cube,
contacts,
are
really
difficult
to
track
and
keep
you
know,
keeping
in
charge
of
them.
There's
other
tools
like
k9s
and
others
like
this,
but
I
I
just
tend
to
use
cube,
ctx
and
qms,
so
we
go
cube.
Pods,
okay,.
D
So
let's
go
ahead:
yeah
my
favorite
tool
is
cube
tail
because
it
can
attach
directly
into
namespace,
and
you
get
all
the
lots
of
all
containers
that
are
currently
running
in
that.
It's
really
true,
because
some
pots
have
three
containers
and
it's
sometimes
hard
to
date,
a
lot
of
everyone.
Then
you
see
it
live
updating
this
really
cool.
B
B
Okay,
so
again,
there's
these
out
of
the
box
rules-
and
there
was
one
here.
This
is
the
terminal,
shell
and
container
right.
Because
look,
I
remember
I
terminaled
into
that
container.
If
we
go
here,
you
can
see
I'm
in
that
container
right
now,
oops,
I'm
in
that
container,
okay,
but
we're
going
to
do
some
more
mischief
in
a
second.
This
is
showing
me
the
user,
the
login
id
the
k,
the
name
the
pod
name.
B
So
I
have
this
detail
of
what
happened
right
now,
let's
go
ahead
and
try
to
trigger
that
rule
that
I
meant
earlier
now
again
you
have
all
of
these
rules.
Pre-Built,
there's
60!
Remember
I
showed
you
there's
65
and
there's
45,
so
there's
in
total.
I
think
140
rules
that
you
get
out
of
the
box,
but
it's
extensible.
B
B
B
Okay,
you're,
saying
to
me
well
pop:
what
is
this
telling
me?
Well,
I
want
to
know
if
somebody's
dropping
a
workload
anywhere
I
want
to
know
and
if
it's
a
system
call
right,
it's
network
connection
and
if
we
go
back
to
our
here,
look
at
that
something
happened.
Let
me
go
and
close
this.
It's
our
gitlab's
cookie
tampering
detector
right!
There's
our
rule
that
we
just
deployed
that
custom
rule
there
and
what
does
it
tell
us
tells
us
that
it
was
tampered
that
shows
us
exactly
which
deployment
this
happened.
B
On
so
remember,
let's
say
I
have
10
nodes
in
a
cluster
and
I
have
17
clusters.
I
have
falco
deployed.
I
know
exactly
where
somebody
is
in.
I
can
take
this
and
maybe,
if
I
have
falco
sidekick
deployed,
maybe
I
might
do
something
like
this.
Where
I
have
it
in
this
case
here
hold
on,
I
have
pops
cookies.
B
Now,
look
at
my
falco
alerts.
There
you
go.
Look
at
that.
Gitlab's
cookie,
tampering
detector,
it's
all
done
with
one
see
that
all
using
falco
sidekick
and
the
ui
so
riddle
riddle
me
this
you
all.
If
you
were
just
going
to
take
a
default,
you
know
cluster.
You
would
have
this
level
of
of
observability
slash
security
security
is
understanding.
What's
going
on
in
your
environment,
you
can
have
all
the
policies
you
want
and
block
all
you
want,
but
let's
just
say
somebody
gets
in.
You
have
a
situation
like
solarwinds,
and
that
situation
is
this.
B
Misconfiguration
and
security
issues
account
for
5.2
trillion
dollars.
This
is
not
my
words.
This
is
accenture
of
issues
that
happen
in
the
world.
This
is
why,
right
now,
falco
to
me
is
the
greatest
runtime,
the
de
facto
tool.
That's
out
there.
It
literally
out
of
the
box
did
all
of
the
stuff
it's
extensible
and
all
of
that,
okay,
I'm
going
to
show
you
one
more
thing
and
then
any
questions
you
all
may
have.
B
I
want
to
talk
to
you
all
about
again.
You
saw
that
this
is
how
I
deployed
this.
I
added
the
repo
I
did
the
file
code
deploy.
I
added
a
couple
more
things
like
the
the
slack
you
you
know,
webhook,
uid
and
stuff,
like
that,
it's
that's
a
little
bit
more
of
the
magic
that
I
did
and
I
also
created
like
custom
rules
right,
but
you
still
get
those
things
out
of
the
box
too.
B
You
want
to
play
with
this
right
now:
spin
up
a
sibo
cluster
spin
up
a
gk
cluster
in
azure
cluster
and
deploy
it
right.
Now
you
can
do
exactly
what
I
just
did
here
right.
The
other
part
of
this
is
contribute
to
falco.
We
have
one
of
our
amazing
doctors
again,
gitlab
love
the
fact
that
they've
been
with
us
for
years
and
basically
using
this
tool
in
their
environment,
but
also
you
know,
adding
additional
projects
like
we're
going
to
see
with
package
hunter.
Take
a
look
at
falco.org.
B
You
all
check
out
the
falco
project
in
github.
Give
it
a
star
play
around
with
it.
There's
many
ways
you
can
contribute.
There's
you
know
there's
core.
If
you're,
if
you're
into
ebpf,
there's
core
things,
you
can
do,
there's
rule
creation,
you
can
do.
There's
integrations,
like
we
mentioned
earlier.
Frank
frank
was
somebody
off
the
street
who
literally
came
in
thomas
as
well
and
created
falco
psychic
and
that
beautiful
ui
I
saw
you
saw
think
about
the
dart.
Like
I
one
day,
we
were
joking
about
dark
mode.
B
Two
weeks
later,
the
community
built
it
out
by
community.
I
mean
frank,
that's
the
beauty
of
this.
This
thing
I
I
love
it
and
getting
involved
in
the
human
community
we're
on
kubernetes
slacks.
If
you
go
kubernetes
slack
slash,
falco
go
in
that
channel.
Kick
the
tires.
Ask
the
questions
we're
here.
All
of
the
all
the
time
we
have
a
set
of
amazing
maintainers
that
aren't
just
system
maintainers,
there's
folks
from
ibm.
There's
folks
from
you
know,
amazon!
B
D
B
I
I
get
this
question
all
the
time.
It's
super
super
minimal
because
we're
tapping
at
the
functions
of
vbpf
that
are
kernel
based
right,
and
so
it's
not
like
it's
I've
seen.
It
depends
on
the
amount
of
containers
or
system
calls
that
are
there
and
there's
ability
to
like
filter
through
them
as
well.
D
B
Cool
but
here's
what
I
would
say
to
you
is
take
a
look
and
put
it
in
like
a
like
a
develop
development
environment
and
see
like
how
what
you
know
what
the
utilization
is
and
if
there's
any
issues
there.
Let
us
know
we
can
try
to
address
them,
but
I
can
tell
you:
I
I've
seen
a
lot
of
end
users
using
this
in
in
environments
and
it's
doesn't
affect
them.
B
Nice,
so
you
use
the
terminal
shell
or
the
shell
they're
out
of
the
box
yeah,
it's
really
useful
one
of
the
ones
I've
seen,
which
I
love.
This
was
a
really
good
one
was
we
did
a
talk,
and
one
of
the
of
shopify
is
one
of
our
very
large
adopters
and
you
know
they
they're.
They
were
using
it
for
ways
to
kind
of
understand
what
was
happening
in
in
set
pods
and
and
even
from
a
network
connectivity
perspective.
They
were
able
to
say,
okay,
this.
B
C
I
mean,
I
think,
from
my
perspective
and
from
my
understanding
is
the
default
ruleset,
which
ships
as
you
thought,
is
for
starting
good
enough,
and
then
you
can
extend
contribute
back,
but
from
the
start,
you
get
everything
you
need
to
get
started.
It's
not
like
that.
They
have
developed
your
your
own
policies,
let's
say
with
oppa
or
kyvano.
Okay.
There
are
also
some
best
practices,
but
I
mean
they
don't
chip
100
rules.
So
that's
really
great.
Also,
there's
some.
C
B
B
Yeah
and
like
I
said,
there's
110
or
120
rules
that
come
out
of
the
box
right,
but
that
includes
system
calls,
but
also
audit
log
rules,
but
here's
the
thing
I
I
wanted
to
show
you
all
about
as
well.
This
is
again
where
folks
would
contribute
back
here's
where,
if
look
you're,
looking
for
a
specific
thing
where
you
want
to
control
like
etsy
d,
for
instance,
there's
the
example
of
the
rule
here,
so
you
can
copy
and
paste
this
right.
B
Some
of
these
already
defaulted
in
there,
but,
let's
just
say,
hey,
I
got
an
nginx
deployment.
I
want
to
use
and
say:
okay,
I
want
this
to
be
in
this.
You
know
whitelist
this
file
descriptor
or
this
command
prompt
and
all
that
or
this
is
what
the
output
that
I
want
to
have.
So
this
is
again
where
you
have
that
basis
to
be
able
to
say.
Oh,
you
know
I
need
to
protect
this
very
sensitive
directory,
or
I
need
to
protect
this
specific
connectivity
going
out
to
a
specific
place.
B
One
of
the
things
that
also
one
of
the
contributors
did
was
there's
something
called
the
awesome,
repo
and
literally
they've.
Compated,
every
single
one
and
I'll
put
this
in
the
chat
right
now.
Basically,
they've
concatenated,
every
single
rule
or
excuse
me
every
single
article.
That's
ever
been
written
on
falco,
so
you
can
see
hey.
You
know
somebody
created
this
and
somebody
did
this
and
it's
also
repo.
If
you
wanted,
you
know
if
you
wanted
to
add
your
own
details
here,
you
can
as
well.
B
D
I'm
trying
installing
it
in
one
of
our
sandbox
clusters
right
now
to
see
how
it's
working
on
our
site,
nice,
and
I
really
like
also
not
the
benefit
that
you
can
use
it
on
juveniles,
so
that
you
can
also
use
it
in
not
kubernetes
so
on
static
workload.
Sometimes,
and
that
should
be
a
case
that
you
probably
don't
want
your
database
into
benitez.
D
B
And
you
can
tear
down
those
rules
too.
So,
if
you
saw
like
again,
I
have
the
custom
rules
that
are
defined.
You
can
basically
say
I
want
to
go
and
say
no
rules,
and
these
are
the
five
that
I
care
about.
Like
you
know
again,
it's
if
you
think
about
philip
mentioned
earlier.
It's
like.
I
just
wanted
to
understand
my
developers
determining
into
the
environment.
That
could
be
the
only
rule
you
want
to
set
up
for
or
grab
some
from
the
the
secure
hub
right,
hey
just
there's
nginx
ones.
B
I
want
to
deal
with.
You
know
those
are
ones
to
think
about
what
like
what
I've
seen
too,
and
we
have
an
article
on
on
this
as
well,
where
you
can
use
things
like
get
ops
right,
so
you
can
basically,
you
know,
use
something
like
you
know.
An
update
to
that
rule
like
an
update,
basically
does
a
deploy.
So
there's
tools
like
argo
cd
flux,
all
those
types
of
things
where
you
can
say,
okay,
connect
in
like
this
is
a
rule,
update
push
it
out,
turn
it
on
turn
it
off
that
type
of
thing.
B
I
did
that
in
the
talk
which
was
kind
of
cool
it
was
like
it
was
at
first,
the
rule
was
in
a
a
lower
priority
and
then
we
made
it
to
an
emergency
and
that
would
trigger
a
a
function
and
the
function
would
kill
the
pod
if
somebody
terminal
into
it.
So
that's
a
response
engine.
So
if
you
go
to
falco.org
blog,
you
can
see
some
examples.
There's
literally
seven
part
response
engine
blog.
We
wrote
that
can
show
you
how
you
can
interact
with
other
projects
that
are
in
the
community.
C
C
B
Why
couldn't
you
continue?
I
mean
you,
could
you
would
you
could
delay
yeah
you
one
time
you
could
take
one
of
the
rules
right?
Maybe
it's
a
default
rule
that
you've
created
and
and
share
that
with
the
world.
I
I
know
again.
I
mentioned
the
the
minor
one
one.
It
was
a
stratum
protocol
that
somebody
wrote
early
on
and
which
was
very
cool,
or
somebody
actually
went
out
and
updated
this
scbe
and
updated
that
presented
that.
A
B
It's
gold
falco's
written
in
c
plus
plus,
but
the
but
the
you
know
the
yama
and
you
know
like
go
falco.
Psychics
rating
go
so
you
know
you
can
play
around
with
with
that.
There's
also
like
a
go
client
as
well.
So
there's
a
lot
of
things
and
and-
and
I
think
like
if
we
gonna
segue,
this
is
my
look
at
the
segue
michael.
You
like
this
package
hunter,
I
believe,
is
using
some
npm
packages
to
be
able
to
do
this
off
to
you,
michael.
A
A
You
probably
should
see
my
entire
screen
now
yeah
like
building
the
bridge
to
package
hunter-
and
this
was
kind
of
this-
was
an
announcement
I
think
two
weeks
ago
around
like
how
can
we
monitor
us
package
dependencies
who
invoke
a
specific
download
or
to
do
something
which
we
don't
expect
and
similar
to
other
security
scanners
and
analyzers?
There
must
be
found
a
way
to
actually
monitor
that
and
one
of
the
things
I've
like
learned
myself
is,
like
you
create
a
sandbox
environment.
A
B
Can
you
talk
about
that
real
quick,
you
don't
mind
because
I'm
thinking
again
it's
a
natural
segue.
If
you
look
at
the
foul
remember
I
showed
you
all
the
rules
right,
there's
the
falco
rule
set
that's
getting
created.
We
see
the
yaml
there.
So
if
we
can
go
into
that
falco
director,
the
falco
rules,
yeah,
that's
the
one
right
I
mean
you
see
the
syntax
that
we
used
before
the
amazing
folks
at
gitlab.
Took
this
right
and
looked
at
you
know,
spawn
process
around.
A
It's
actually
it's
a
lot
to
learn
and
a
lot
to
unpack,
and
I
I'm
not
the
author
of
it.
So
I'm
also
just
learning
myself
while
scrolling
now,
but
it's
really
it's
really
interesting.
That,
like
there
is,
I
I
remember
myself
looking
into
ways
how
I
can
monitor
a
cisco
or,
however,
I
can
like
do
that
myself,
maybe
not
in
the
security
way.
A
A
Now
it's
installing
something,
but
at
least
this
took,
I
think,
20
seconds.
The
way
went
up
took
two
to
five
minutes
or
something
depending
on
the
internet
connection
and
the
packages
being
installed.
I
also
looked
into
the
vagrant
file,
which
does
the
provisioning,
so
it
should
be
straightforward
to
more
straightforward.
A
A
A
A
A
A
So
there's
like
the
message
message:
detection
that
something
is
going
on
and
the
command
node
scripts
and
install
chest
or
something
malicious
or
at
least
tries
to
do
an
outbound
connection
which
is
defined
by
the
rules
that
it
doesn't
want
to.
To
do
that,
and
in
this
case
there
were
a
while
ago
it
was.
It
happened
in
node-sas.
A
B
A
D
D
A
Yeah
later
actually
get
okay,
it
tracks
that
at
least
so.
I
don't
need
to
remember
that
I
changed
that.
Okay,
I'm
not
sure,
if,
like
the
upload,
will
actually
do
something
or
detect
something,
but
I
wanted
to
like
see
that
something
is
working.
The
other
idea
I
had
before
was
to
to
do
to
initialize
a
new.
D
A
D
A
B
A
That's
there's
no
problem
at
all.
I
told
you
sometimes
things
break.
Sometimes
we
extend
the
sessions
and
sometimes
everything
breaks.
So
I
really
appreciate
you
taking
the
time
to
show
us
today
to
inspire
us
to
think
about
contributing
and
and
how
the
rule
system
works
and
to
follow
up
on
everything.
A
Potentially,
we
will
try
now
to
fix,
fix
things
or
try
it
even
out.
I
will
share
the
recording
or
the
recording
is
already
on
youtube,
create
a
blog
post
around
it
and
send
you
send
you
the
links
and
we
might
be
doing
a
follow-up
session
in
a
bit
or
finding
new
ways
or
new
ideas.
So
that
being
said,
really
appreciate
you
in
our
session
today,
and
hopefully
we
meet
in
person
in
the
future.
At
some
point.
B
Absolutely
thank
you
so
much
for
having
me
on
and
again
really
great
work
that
you
know
get
labs
on.
We
again,
we
have
an
adopters
file
of
folks
that
are
that
are
using
falco
and
we
we're
very
proud
to
have
git
lab
as
an
adopter
of
falcons.
We
we
appreciate
it
and
looking
forward
to
doing
more
with
you
all
thanks.
A
A
A
A
A
A
A
A
A
D
A
A
A
A
A
A
D
D
D
A
D
A
A
A
D
A
A
A
D
Yeah
we
can
it's
like
quite
simple,
also
to
expose
this
as
environment
variable.
So
it's
not
quite
hard,
I'm
probably
to
make
a
pool
request
to
that.
It's
it's
only.
You
need
to
grow,
process.n
and
then
the
environment
variable.
Then
you
can
set
up
also
default
value
with
pi
pipe,
and
then
we
default
videos.
That's
how
not
just
watching
or
my
understanding
of
what
sonja
is.
I'm
also
not
an
expert
on
that.
It's
but
separate
hangout.
Probably,
can
you
do
an
h-top
on
the
machine,
because
I
have
a
fear.
A
A
But
it
would
be
that's
a
great
idea
because
I
think
spinning
up
a
virtual
machine.
Now
it
takes
too
long
or
not
spinning
it
up,
but
copy
pasting
it
and
making
everything
work.
I
think,
first
of
all,
it
deserves
something
scripted
and
the
other
thing
is:
we
can
work
async
on
specific
source
code,
patches
or
ideas
which
we
have
so
the
sounds.
This
sounds
like
a
good
plan,
especially
because
it's
already
after
after
8
pm
and.
A
D
A
I
think
I'm
I'm
not
sure,
but
I
think
farco
has
a
linter
built
in
or
at
least
you
can
validate
the
rules
and
the
configuration,
but
I'm
I'm
not
sure
about
it.
I
just
I'm
just
guessing,
because
it
felco
has
client
libraries
and
there's
lots
in
the
ecosystem
and
I
think
linting,
the
the
rules
engine
is
probably
something
which
which
is
built
in,
but
if
it's
not,
we
can
build
it.
So,
philip,
you
have
found
your
project
to
contribute.