Description
Blog: https://everyonecancontribute.com/post/2021-08-11-cafe-42-falco-gitlab-package-hunter/
Falco: https://falco.org/
Package Hunter: https://about.gitlab.com/blog/2021/07/23/announcing-package-hunter/

A: And we are live on YouTube. Hello, everyone. I shouldn't think in German and try to talk English at the same time. Today we want to look into Falco and the GitLab Package Hunter, and it is my pleasure to have Pop with us today to give us an introduction into what it does, how it works, including a live demo, and later on we will switch into Package Hunter and try it out.

A: I tried to prepare something myself, and in the end we hopefully can hack together, try things out, break things, fix things and have a great time. That being said, Pop: what's up with Falco? What is that? Who are you? A short introduction.

B: Thanks for having me on, I appreciate it. My name is Dan Papandrea, people call me Pop. I'm the Director of Open Source Community and Ecosystem for Sysdig. Sysdig is one of the creators of Falco. We have a very vibrant community, which I love. You know, people are interacting and doing really cool stuff. We have a great ecosystem of adopters like GitLab, who've done some really amazing stuff in the past. I know Sam, who's on the call here with us, has done some talks on Falco and integrations with GitLab, and all of that, so it's awesome. But in terms of, I'm gonna go ahead and share my screen at this point, so bear with me one second.

B: I was going to show you a bunch of slides, but I'm not going to. What we're going to do today is I'm going to tell you the background of Falco, and then we can segue into what you can do with Package Hunter, because Package Hunter is using the underlying libs of Falco as a way to do some of the dependency tracking and all the, you know, runtime details from that.

B: But what is Falco? Falco is a CNCF project. It's an incubated CNCF project, we're in the process of graduation, and it was originally built by Sysdig. Sysdig is a secure DevOps platform that allows you vulnerability management all the way to post-mortem, using the underlying libs that are part of the Falco project. So what does it do? Falco uses system calls to secure and monitor a system by parsing system calls at the kernel at runtime.

B: So you hear terms like eBPF, or you know, those types of things: you're tapping into the kernel and you're running little applications that allow you to kind of extrapolate data points, right. So anything is a system call, right. If I go ahead and touch a file, there's a system call that's happening. If I go ahead and have a network connection, that is also a system call.

B: So all of those things are presented to the kernel, and what Falco does is it has a rules engine and alerts when that rule is violated, right. And so, we'll talk about Package Hunter later: the amazing people at GitLab basically created a bunch of rules, some rules that are specific to, like, maybe some of the npm packages, and they've extended it. So it's really cool how they've taken the basis of Falco and extended it.

B: So if you look at this here, again talking about syscalls, applications, and you know, at the OS and kernel here. But if you look at the rule sets that are there, the default rules are 65 system call rules: somebody executing a shell. So if you had a default, like just a Kubernetes deployment, nobody's going to know if somebody execs into a pod, nobody's going to know if they've mutated a binary, nobody's going to know if they've created symbolic links there.

B: So even if you've done a vulnerability scan and you've deployed this thing, there might still be something where somebody could drop a payload in, and there could be an issue where then they can go ahead and connect to an external website, or you know, a miner of some sort, right. So you have those 65 system-level call rules, but we also tap into the audit log.

B: It's YAML. Just like our friends at GitLab have done with Package Hunter, they're basically taking and extending those rules, and you can add rule sets that are there. And if you go to the website, there's securehub.dev, where you can take some of those rules and create them and edit them and do what you need to do. Now, if you look at this from an architecture perspective, and again this is the last slide and then we're going to get into the nitty gritty, we're going to deploy a cluster.

B: If we go from here: I told you about that kernel probe, and then there's these libraries and web servers. So that's how we're able to get to the metadata to tell you, okay, this happened in this pod, that happened in this cluster, in this place, and all those things. Or, if you're running on a standard host, it's going to kind of tell you, okay, this was a container, it was running on the host, or a process running on the host.

B: That type of thing. But then there's that filter expression, and that's the rules language, the YAML, the Falco rules language, for you to assert: okay, somebody, you know, a file descriptor of /usr/share/nginx or slash whatever it might be. Then you can output, and you can do that to gRPC, file, standard out, shell and HTTP. But then there's also something that the community contributed, which I absolutely adore.

B: Something called Falco Sidekick. If you're watching this right now and you haven't, please star it, because it's one of the coolest projects out there. Somebody took three standard outputs and created over 24 outputs to all of these various things: chat like Slack, PagerDuty, logs like Elasticsearch, queue streaming like NATS, cloud functions. And if you go to falco.org/blog right now, you'll see that somebody extended it. One of the community created an article about a response engine where, if a rule is violated, it has a function.

B: You can write a Google Cloud Function, a Kubeless function, a Knative function, an OpenFaaS function, so you have all of these capabilities that you can extend and contribute. So you say: hey, there's a new tech I want to integrate this with. Cool, let me do it this way. So that's what Falco Sidekick is. All right, so enough of me talking, let's make some magic here.

B: So I'm going to go ahead and deploy a cluster at Civo cloud. If you're all familiar with Civo cloud, it's a very simple kind of k3s managed deployment. Big fan of them, and I think it's really quick; you can get a cluster up within, you know, God willing, 90 seconds. So let's go ahead and do that.

B: I gotta remember which one. Okay, so I've created a lot of clusters. So here's what we're going to do. Let me just create a smaller cluster. There we go, we're going to create one called gitlab, we're going to wait, save and merge. That's going to merge the context of kubectl there.

A: No, no, no, Germans are not funny and don't have any humor. I can say that, because I'm Austrian. But yeah, pineapple pizza, it's an interesting reminder.

B: I mean, this could be any cloud, right. I mean, there's learning environments that we post. If you go to falco.org right now, maybe I can do that real quick, so you see, like in our documentation, if you want to create a learning environment, there's things through minikube, right, or if you want to do this through kind or MicroK8s, or you know, from a production perspective.

B: Yeah, he's extended it, he's working on some stuff with, I think, the Kyverno project as well, and he actually is one of our contributors of the month. That's the other thing I love about the project: we have such a vibrant community. Folks come by, they jump in, and you know, they'll do contributions back to the project. Love to see some contribution from GitLab back to the project as well.

B: So with that being said, now let's go ahead and see, yep, k get nodes, see if our nodes are ready. Looks like two already of the three, okay. So now what I'm going to do is install Falco, so I'm going to use the Helm deployment. Now, let's go back to the slides real quick. Let me show you how simple it is.

B: So I'm going to go ahead and create the namespace falco, then I'm going to install. But I created a custom rule, and this is my... now you've all probably seen a couple of ones I've done in the past, but I do this thing where it's basically like a cookie recipe, right, and so you can look at this and use this to be able to say that's like an nginx deployment. But I want to show you: this is a rule.

B: If you look at the syntax of a Falco rule: it's a rule, there's a description and then there's the condition. So you notice, basically, if I want to look at anything that's happening within /usr/share/nginx or, you know, whatever, and then have it send out an alert of some sort. Which again, when we get into Package Hunter later, that's exactly what our friends at GitLab did: they created a subset of some local rules that, you know, look for npm.

B: Look for, like you know, package issues and all those things, right. If you look at the syntax of this, it's pretty standard, it's a standard YAML that you would do for a custom rule. So what I'm doing here in this helm install is I'm just saying: okay, use that custom rule YAML. So let's go k get pods -n falco, and we're creating containers, we're creating the Sidekick and we're creating the UI.

B: You see all those things in one fell swoop, one Helm chart deployment. So when people come to us and they say, you know, I can't get a test in a sandbox environment, I'm telling you, look, we're just doing this on the live stream right now, we're seat of our pants here, Michael, we're doing what we can, right.

B: Okay, so there's our cookie recipe, which I should probably have changed the name of, because it is within other people's. So now, if we go here, and we see that this pod is running, we have Falco running and we have that custom rule, this GitLab's cookie tampering rule, right. So here's what I want to do: I want to try to attack one of those pods, right. Let's go ahead and do that. I'm going to use kubens and I'm going to set the namespace to the secret, just to make life easier.

B: Yep, yeah. So if you're familiar with Ahmet from Google, he created a bunch of really cool tools that let you kind of easily manipulate, you know, your environment, because, you know, kube contexts are really difficult to track and keep in charge of. There's other tools like k9s and others like this, but I just tend to use kubectx and kubens. So we go kube pods, okay.

D: So let's go ahead. Yeah, my favorite tool is kubetail, because it can attach directly into a namespace, and you get all the logs of all containers that are currently running in that. It's really true, because some pods have three containers and it's sometimes hard to tail the logs of every one. Then you see it live updating, this is really cool.

B: Okay, so again, there's these out-of-the-box rules, and there was one here. This is the terminal shell in container, right. Because look, I remember I terminaled into that container. If we go here, you can see I'm in that container right now. Oops, I'm in that container, okay, but we're going to do some more mischief in a second. This is showing me the user, the login ID, the name, the pod name.

B: So I have this detail of what happened. Right now, let's go ahead and try to trigger that rule that I mentioned earlier. Now again, you have all of these rules pre-built, there's 60! Remember I showed you there's 65 and there's 45, so in total there's, I think, 140 rules that you get out of the box, but it's extensible.

B: Okay, you're saying to me: well, Pop, what is this telling me? Well, I want to know if somebody's dropping a workload anywhere, I want to know. And it's a system call, right, it's a network connection. And if we go back to our here, look at that, something happened. Let me go and close this. It's our GitLab's cookie tampering detector, right! There's our rule that we just deployed, that custom rule there, and what does it tell us? It tells us that it was tampered, and it shows us exactly which deployment this happened on.

B: So remember, let's say I have 10 nodes in a cluster and I have 17 clusters. I have Falco deployed, I know exactly where somebody is in. I can take this and maybe, if I have Falco Sidekick deployed, I might do something like this, where I have it, in this case here, hold on, I have Pop's cookies.

B: Now, look at my Falco alerts. There you go, look at that: GitLab's cookie tampering detector. It's all done with one, see that, all using Falco Sidekick and the UI. So riddle me this, you all: if you were just going to take a default, you know, cluster, would you have this level of observability slash security? Security is understanding what's going on in your environment. You can have all the policies you want and block all you want, but let's just say somebody gets in. You have a situation like SolarWinds, and that situation is this.

B: Misconfiguration and security issues account for 5.2 trillion dollars. These are not my words, this is Accenture, of issues that happen in the world. This is why, right now, Falco to me is the greatest runtime tool, the de facto tool that's out there. It literally, out of the box, did all of the stuff; it's extensible and all of that. Okay, I'm going to show you one more thing and then any questions you all may have.

B: I want to talk to you all about, again, you saw that this is how I deployed this. I added the repo, I did the Falco deploy. I added a couple more things like the Slack, you know, webhook, UID and stuff like that; that's a little bit more of the magic that I did, and I also created custom rules, right, but you still get those things out of the box too.

B: You want to play with this right now: spin up a Civo cluster, spin up a GKE cluster, an Azure cluster, and deploy it right now. You can do exactly what I just did here, right. The other part of this is: contribute to Falco. One of our amazing adopters, again, GitLab; love the fact that they've been with us for years and basically using this tool in their environment, but also, you know, adding additional projects, like we're going to see with Package Hunter. Take a look at falco.org.

B: You all, check out the Falco project on GitHub. Give it a star, play around with it. There's many ways you can contribute. There's, you know, there's core: if you're into eBPF, there's core things you can do. There's rule creation you can do. There's integrations, like we mentioned earlier. Frank was somebody off the street who literally came in, Thomas as well, and created Falco Sidekick and that beautiful UI you saw. Think about the dark mode: like, one day we were joking about dark mode.

B: Two weeks later, the community built it out. By community I mean Frank. That's the beauty of this thing, I love it. And getting involved in the community: we're on the Kubernetes Slack. If you go to the Kubernetes Slack, #falco, go in that channel, kick the tires, ask the questions, we're there all the time. We have a set of amazing maintainers that aren't just Sysdig maintainers: there's folks from IBM, there's folks from, you know, Amazon!

D: Hey, I have a question, a really more technical one. So how big is the resource consumption of the Falco agent on the node?

B: I get this question all the time. It's super minimal, because we're tapping at the functions of eBPF that are kernel-based, right. It depends on the amount of containers or system calls that are there, and there's the ability to filter through them as well.

B: But I've seen between 0.1 percent to like 3 percent total CPU, and that's at peak, where somebody was using hundreds of containers that had hundreds of system calls that were chatty system calls, like reads and writes, which are very chatty system calls.

B: Cool. But here's what I would say to you: take a look and put it in a development environment and see what the utilization is, and if there's any issues there, let us know, we can try to address them. But I can tell you, I've seen a lot of end users using this in environments and it doesn't affect them.

B: Nice, so you use the terminal shell, or the shell rules, they're out of the box. Yeah, it's really useful. One of the ones I've seen, which I love, this was a really good one: we did a talk, and Shopify is one of our very large adopters, and you know, they were using it for ways to kind of understand what was happening in said pods, and even from a network connectivity perspective. They were able to say, okay, this...

B: This is something obtrusive, things that were happening from a specific IP. So that's pretty exciting, right, and also they contributed some of those rules back. So there were some miner rules that they created and all that.

C: I mean, I think, from my perspective and from my understanding, the default ruleset which ships, as you said, is good enough for starting, and then you can extend and contribute back. But from the start, you get everything you need to get started. It's not like that you have to develop your own policies, let's say with OPA or Kyverno. Okay, there are also some best practices, but I mean, they don't ship 100 rules. So that's really great. Also, there's some...

C: I think there are adopted, committed rules from Falco which are coming with the Helm chart, which are shipping. I think there's some default, let's say, node rules, yeah, for the operating system.

C: Special Kubernetes rules, which are shipping when you're inside a Helm chart, and this is really nice, that you don't have to select which rules I want and which not. So they're just shipping and you're good to go.

B: Yeah, and like I said, there's 110 or 120 rules that come out of the box, right, but that includes system calls but also audit log rules. But here's the thing I wanted to show you all about as well. This is again where folks would contribute back. Here's where, if, look, you're looking for a specific thing where you want to control like etcd, for instance, there's the example of the rule here, so you can copy and paste this, right.

B: Some of these are already defaulted in there, but let's just say, hey, I got an nginx deployment I want to use, and say: okay, I want this to be in this, you know, whitelist this file descriptor or this command prompt and all that, or this is the output that I want to have. So this is again where you have that basis to be able to say: oh, you know, I need to protect this very sensitive directory, or I need to protect this specific connectivity going out to a specific place.

B: One of the things that also one of the contributors did: there's something called the awesome repo, and literally they've compiled every single one, and I'll put this in the chat right now. Basically, they've concatenated every single rule, or excuse me, every single article that's ever been written on Falco, so you can see, hey, you know, somebody created this and somebody did this. And it's also a repo: if you wanted to add your own details here, you can as well.

D: I'm trying installing it in one of our sandbox clusters right now to see how it's working on our side. Nice. And I really like also the benefit that you can use it outside Kubernetes, so on static workloads sometimes, and that should be a case, that you probably don't want your database in Kubernetes.

D: So there's a little bit of fear of that when you get started on those tools: it's mostly you get a lot of information, but you don't know what to do with that, and then it's also not like a big win in some charts, but yeah.

B: And you can tear down those rules too. So, if you saw, like, again, I have the custom rules that are defined. You can basically say, I want to go and say no rules, and these are the five that I care about. Like, you know, again, if you think about what Philip mentioned earlier, it's like: I just want to understand my developers terminaling into the environment. That could be the only rule you want to set up, or grab some from the Secure Hub, right, hey, there's nginx ones.

B: I want to deal with, you know, those are ones to think about. What I've seen too, and we have an article on this as well, where you can use things like GitOps, right, so you can basically use something like, you know, an update to that rule basically does a deploy. So there's tools like Argo CD, Flux, all those types of things, where you can say, okay, connect in, like, this is a rule update, push it out, turn it on, turn it off, that type of thing.

B: I did that in the talk, which was kind of cool. At first the rule was in a lower priority, and then we made it an emergency, and that would trigger a function, and the function would kill the pod if somebody terminaled into it. So that's a response engine. So if you go to falco.org/blog, you can see some examples. There's literally a seven-part response engine blog we wrote that can show you how you can interact with other projects that are in the community.

B: Why couldn't you continue? I mean, you could. Yeah, one time you could take one of the rules, right? Maybe it's a default rule that you've created, and share that with the world. I know, again, I mentioned the miner one. It was a stratum protocol rule that somebody wrote early on, which was very cool, or somebody actually went out and updated this scbe and presented that.

A: And we can also look into it together, like learning a new programming language is also something we do oftentimes. Falco is not written in Rust, but who knows, I hope.

B: It's Go. Falco's written in C++, but the, you know, the YAML, and, you know, like Go: Falco Sidekick is written in Go, so you know, you can play around with that. There's also a Go client as well. So there's a lot of things, and I think, if we're gonna segue, this is my, look at the segue, Michael. You like this? Package Hunter, I believe, is using some npm packages to be able to do this. Off to you, Michael.

A: Building the bridges. I was just looking at the development clients, which mentions Go, Rust and Python for Falco, but yeah. Let me share my screen, and in this case...

A: You probably should see my entire screen now. Yeah, like building the bridge to Package Hunter, and this was an announcement, I think two weeks ago, around, like, how can we monitor package dependencies which invoke a specific download or do something which we don't expect, and similar to other security scanners and analyzers, there must be a way found to actually monitor that. And one of the things I've learned myself is, like, you create a sandbox environment.

A: You do the installation, and you monitor the syscalls. And while following up on the Package Hunter blog post and reading the why, like supply chain attacks going on and you never know what's pulled in from a reverse dependency tree, to learning, okay, there's Falco in the background, and like, from the cloud native community I knew Falco and I've always had a peek in there, but it's deep down in the kernel, and yeah, I'm just taking the time to evaluate it.

A: So I'm really happy that I've learned a little more about it today, and can actually put it into production. And trying to show you how Package Hunter works and the general idea behind Package Hunter: it's currently in beta, it's in development, but it has been made available for the wider community in order to try it out, collect feedback, yeah, and also foster a way to maybe contribute the rules back to Falco, find ways to integrate it, just make it a good experience.

B: Can you talk about that real quick, if you don't mind, because I'm thinking, again, it's a natural segue. If you look at the Falco, remember I showed you all the rules, right; there's the Falco rule set that's getting created. We see the YAML there. So if we can go into that falco directory, the Falco rules, yeah, that's the one, right. I mean, you see the syntax that we used before. The amazing folks at GitLab took this, right, and looked at, you know, spawned processes around.

B: I really wanted to set that as, again, kind of the segue between the tools before you show the magic that is the npm piece, and how you all kind of got the Node stuff going, so.

A: It's actually a lot to learn and a lot to unpack, and I'm not the author of it, so I'm also just learning myself while scrolling now. But it's really interesting that, like, I remember myself looking into ways how I can monitor a syscall, or however I can do that myself, maybe not in the security way.

A: But, generally speaking, I wanted to know what specific programs and apps are doing, and oftentimes it's a tcpdump way, but doing that in a different way, with defining rules, and just making it approachable.

A: This can also be generated with a tool or something like that, but yeah, the main, like, the getting started process, except for reading everything which is needed: there is a Vagrant box available which we can run, and I already did that. And you also need VirtualBox or anything else as a virtual machine provider, and then do a vagrant up, wait for a while until everything is provisioned and installed, and then use vagrant ssh to get a terminal in the virtual machine.

A: And this is basically what I have on this side, and I'm... oops. It's amazing how a terminal is transforming when you're trying to increase the zoom. It's like a vagrant ssh, and we are then hopefully in the box. Or my MacBook is dying because of Zoom and Vagrant and...

A: Oh yeah, yeah: let's hope that nothing breaks, and if it breaks then I'm gone. No.

A: Now it's installing something, but at least this took, I think, 20 seconds. The vagrant up took two to five minutes or something, depending on the internet connection and the packages being installed. I also looked into the Vagrantfile, which does the provisioning, so it should be straightforward, or more straightforward.

A: I didn't have the time, to be honest, to put it into an Ansible or Terraform script, or something like that, because it's doing quite a lot of things. But I usually just want to put that into a script, and then you can provision it into a cloud virtual machine and everything is running. But right now it's a local server.

A: A repository to test, and the thing I did is, I also installed the Package Hunter CLI, which is referenced in the blog post as far as I remember, which allows you to integrate it into a CI/CD pipeline.

A: There is a manual command, and this is not here, but here, this one, because Package Hunter is now running in the development mode, which doesn't need any authorization. By default it needs also authorization, and I've... let me see, I have...

A: Is it yarn? I think so, and I'm actually not sure if that works.

A: Maybe the tarball is too big. It could also be the case.

A: The other thing I tried... no, seriously, I'm not here. Oh.

A: Okay, it's two gigabytes. Do we have something else? I was wondering about creating a test project which does something malicious.

A: The thing is, I read about typosquatting, with crossenv and different namings, and where this could be a problem. Let me see, we have something about a Falco test.

A: So there's the message: detection that something is going on, and the command, node scripts install, or something malicious, or at least it tries to do an outbound connection, which is defined by the rules that it doesn't want it to do that. And in this case, a while ago, it happened in node-sass.

A: ...a binary directly from GitHub, which was not anticipated.

A: Just wondering, do I have... there was a package.json which was linked over here, but this doesn't download anything, and I...

A: How can I create source code which tries to download something? There is no yarn postinstall call.

D: We can simply increase the body limit, probably. It's an Express app, I checked it, so it could probably say that it's allowed. If your VM has enough memory, then it's not a problem. It's a one-liner that we need to do.

D: Then we can try to re-upload it again. So you need to go into the Package Hunter directory.

D: It's set to 200 megabytes, yeah. That's the reason why it doesn't work, and then in the line where limit is currently standing.

A: Yeah, okay, git tracks that at least, so I don't need to remember that I changed that. Okay, I'm not sure if the upload will actually do something or detect something, but I wanted to see that something is working. The other idea I had before was to initialize a new...

A: I had the obvious warning that my internet connection is unstable, which sometimes happens at this time in Europe. But you can see my screen and can hear me talking, right?

A: Okay, next to the server, I also had the idea to create a Node.js project with a package.json where something is executing something, like curling the website or similar, and then Falco detects that when uploading it, because I can imagine that the GitLab project upload is not as efficient or might not unveil something.

A: Let's see, let's try this out. So basically, we learned that there is a hardcoded limit right now, which makes sense to avoid any DDoS. But potentially we want to configure that. While this is doing an upload, which might take a while...

B: And Michael, my apologies, I have a hard stop at 1:55. So my apologies, another five minutes.

A: That's no problem at all. I told you, sometimes things break. Sometimes we extend the sessions, and sometimes everything breaks. So I really appreciate you taking the time to show us today, to inspire us to think about contributing and how the rule system works, and to follow up on everything.

A: Potentially, we will try now to fix things or try it out. I will share the recording, or the recording is already on YouTube; create a blog post around it and send you the links, and we might be doing a follow-up session in a bit, or finding new ways or new ideas. So that being said, really appreciate you in our session today, and hopefully we meet in person in the future at some point.

B: Absolutely. Thank you so much for having me on, and again, really great work that, you know, GitLab's done. Again, we have an adopters file of folks that are using Falco, and we're very proud to have GitLab as an adopter of Falco. We appreciate it and looking forward to doing more with you all. Thanks.

A: Thank you, thanks Pop, bye. Yeah. So there is no obligation watching me break things, but still.

A: And start again, and in my yarn I created a package.json in there. The only thing I was not sure of is how the syntax of postinstall works.

A: Scripts, there you go. Reverse.

A: And postinstall, today's not my day, curl https://everyonecancontribute.com.

D: Okay, it says also... but can you go back?

A: Should I really be doing a GET by default? Just no, maybe the request method is wrong.

D: That's really weird: has the route changed in some way, because the documentation is not up to date? So we can check this in the routes.js. So we process the routes that are available.

A: And the authorization is in the authorizer.js.

D: Which actually, yeah, you can do like, the ID was a query param, right, so that would be when you're going under the root URL, you can say id and then the ID number that you get from the report when you submitted.

D: The URL: that's the reason why you're getting the ID. So, but did the master target get set? Do we have the same package here?

A: So it's a little spread between the Package Hunter CLI and Package Hunter itself. There are instructions over here to create an archive of the project sources, and this is basically what I'm doing, like creating a tgz and uploading it. The CLI itself...

A: Yeah, it actually does the program with commander, okay. Oh, there is the host variable, which I was looking to override, because I couldn't really figure out how this works, and let me see, click.

D: Do you need to have single quotes?

D: Yeah, we can, it's quite simple, also to expose this as an environment variable. So it's not quite hard, I'm probably going to make a pull request for that. It's only, you need to do process.env and then the environment variable. Then you can set up also a default value with the double pipe, and then the default value. That's my understanding of what Node is; I'm also not an expert on that. But it's a separate hangout, probably. Can you do an htop on the machine, because I have a fear.

A: But that's a great idea, because I think spinning up a virtual machine now takes too long, or not spinning it up, but copy-pasting it and making everything work. I think, first of all, it deserves something scripted, and the other thing is, we can work async on specific source code patches or ideas which we have. So this sounds like a good plan, especially because it's already after 8 pm and...

A: Yep, that being said, I'm not sure if I wanted to mention anything, but yeah.

A: Let's keep this in mind: the blog post and the repositories, and also, of course, Falco and everything we learned today. And I think, yeah, I also tweeted some things beforehand, showing Pop and all the magic stuff. Yep.

A: That being said, I will stop my share and say thanks for watching, thanks for joining today, and we will continue the Package Hunter session next week and also try to create some demos and some more interesting insights which we didn't have today, and maybe just look into learning Falco rules and creating one ourselves for Package Hunter and...

A: I think, I'm not sure, but I think Falco has a linter built in, or at least you can validate the rules and the configuration, but I'm not sure about it. I'm just guessing, because Falco has client libraries and there's lots in the ecosystem, and I think linting the rules is probably something which is built in, but if it's not, we can build it. So, Philip, you have found your project to contribute to.

A: Just kidding. Yeah, so whatever comes to mind until next week. I will prepare, or try to prepare, the setup and grant you access to the virtual machine then, and from there we can just go ahead and learn something new. Until then, bye bye, have a great week and talk to you next week.