From YouTube: Discuss Wazuh evaluation / PoC
Description
No description was provided for this meeting.
A
B
So this meeting, just at a high level: I'm really excited to hear the feedback and results of the research that you've done. I just wanted to, you know, as a reminder, say that we've got requirements, customer requirements that we've got feedback on and that we're looking to meet, and I'm just, you know, really excited to hear the results of that research and how Wazuh will or won't work, or, you know, what the recommendations are to help address those at the end of the day.
A
Thanks Sam. So just to re-clarify, I made some comments this morning, so I don't think anybody got a chance to read them because I just made them very recently. Can we just re-clarify some of the requirements, make sure I understand them? I put some comments on file integrity. So, file integrity monitoring: would a good way to say it be that it would be detective on files that have changed that they shouldn't have, per standard and custom customer-written policies that capture it?
B
There's a piece that's missing, which is: once I have something running in production, how do I make sure that it still hasn't changed on an ongoing basis? So I've got a running container. How do I make sure that that container hasn't been tampered with, the configuration files haven't been messed with, that it still is the same codebase and configuration that I initially launched from my trusted image? That would be the use case that we're looking to address with that one. Okay.
A
And then application allow listing, the way I interpret it: I only allow applications to run if they're explicitly allowed by the standard and customer-written policies. Some policies will block applications from starting and some policies will flag that the start is potentially suspicious. Is that correct?
B
A
Okay, and then active response blocking. I misunderstood this one a couple of times, not because it wasn't written well, just me, but the way I would summarize this, and let me know if I'm understanding: you allow specific activities on the container to be detected based on rules, and allow those rules to run scripts to take action. Does that capture it well?
B
A
Okay, so too prescriptive, but in the right direction. And, lastly, just a question, not a clarification: acceptable performance overhead, definitely a requirement. What it reminds me of is, we could put, for example, high load on a container or moderate load on a container which doesn't cause performance issues for the applications running on the container, but may drive up cloud costs to run those containers. Should we be, like, you know, sustained moderate CPU load for hours would drive up, will drive up the cloud bill.
A
B
No, both. Definitely customers are going to care about, you know, the additional cost. I would say it is all a little bit relative as well. I mean, we're not going to be able to do anything without incurring some additional AWS cost. I think really the question is, you know, what order of magnitude is that? Is it something that, you know, is stomachable compared to what it would be without us, or is it like we're multiplying the cost by 10x? Yep.
A
A
Why am I thinking, yeah, yeah, Thiago put notes? I saw his name there. I really meant Sameer and Allen. I don't know why I did that, apologies. Sameer, I see his name there, but then I'm looking at you, so yeah. So no wonder for the blank stare of "what is Wayne talking about", it's entirely appropriate. So, Sameer, now, who wants to go first?
D
Yeah, I believe I can summarize quickly how we split our work for this. So I took the agent part and Sameer took the server part, and we tried to fill the solution that will use Kubernetes, and that's basically it. We wanted to address all requirements and see how we can use that, so yeah. Maybe Sameer would like to start with the server and then we can switch to the agent, because that will be, I believe, the longest part.
C
Sure, so I wrote a couple of comments here. Some of them are not straight related to the Wazuh thing, it's more like just the number, for example. I think those are things that we can keep in mind for next time that we have a PoC like this. But focusing on Wazuh, what I noticed is that it has lots of features, it's widely used, but it really feels that it's an application for dedicated servers.
C
You don't feel much of the things that the containerized environment provides, and especially Kubernetes; they are kind of counter to that. So you have lots of features, for example, that assume that the OS is going to be long-running. They don't assume that in a Kubernetes environment the pod can be destroyed and then recreated from a fresh image, for example. So that's why I think most of the features, most of the people...
C
They had trouble understanding this, because for Kubernetes we are trying to kind of get a solution that was created before Kubernetes even was created, and kind of trying to fit that, and then it raised a couple of issues in terms of compatibility, workload and main features. So with that said, there's another point as well. In Docker, we usually have like three or four types of image types. One of them is the regular OS image that we have, with, like, Ubuntu or Alpine, and this software.
C
This OS. There is a second one called intermediary that kind of builds up on the second image, and the most popular image right now is distroless from Google. It means that it's not that you have a full OS over there; it's basically just the runtime to run the application that you want. And also scratch images. Scratch images also don't have an OS; it's very bare-bones, for you, for example, to run your Go application.
C
C
And these open up a little bit, for example, for vulnerabilities in terms of CVEs. For Kubernetes, you can grab the CVEs from... you can scan the CVEs through the image that you have. So you might think it's the same problem, but just the way... the main difference, and we're not forgetting the customer requirement, is just that, as it's a different environment, the approach to get to the point is slightly different, and it changes more of the whole paradigm.
C
For that, so there's software solutions for scanning the image that you have, and you can see the CVEs there and you can see a couple of other things, because each image is built in layers. So then you can scan each layer to see the vulnerabilities there. It's not much of a new problem over there. Okay. So just...
B
C
C
C
C
Used a distroless application image for Go. They cannot use the agent because the agent is not going to be able to... it requires you to have access to the features on the OS. Most of the features are really on the system level, and then you lose a lot of this. I'm not going to talk too much about the agent, otherwise I'm gonna say most of the stuff that Alan has to say about the agents.
C
So I think this paradigm is very important for us, because most of us are new to Kubernetes, and on top of that, our team is also new. So it shows us a good experience for this. Okay, so moving on a little bit, the load itself: for example, for that, they have made available the Kubernetes charts, not Helm charts, but they made available the installation for Kubernetes, and basically you have to install Elasticsearch with Filebeat, Logstash, Elasticsearch and Kibana, and also nginx.
C
Like, I don't know, ten components or something like this, so. But most of the solutions for Kubernetes, they are going to have just a daemon or they're going to have a simple deployment. You have these similar features, but for Wazuh it's pretty heavy because of this nature of Wazuh. So then, but I played around with it. I was able to run that on GKE and I was able to run it locally as well. So there's a little bit of flexibility.
C
We just need to change the storage class, because the main version is focused on AWS EBS, and from the GitLab side so far, I think most of the solutions, the first people usually make the first working on GKE, but that was something that we can get permission to have some AWS accounts and play around with that, and...
C
Yeah, so in terms of features I mentioned before, I think Kubernetes has solutions for most of the features that we are talking about. But maybe it's not going to be a single solution, and I understand that from the product perspective that might be an issue, because we need to have lots of solutions for, technically, the same thing.
C
C
E
I wouldn't necessarily say, at least from my point of view, that it's a problem that you need multiple things to address the needs. The concern came in on the long-term viability and management of it. I've been in other places, maybe places that Alan's also been, where we decided to come in and solve a problem and we're like, oh, we will use Couch, which is the database, and Redis is our message bus, and then six months go by and we're like, well, that's not really meeting our needs, one.
E
We throw in ZeroMQ to improve our message bus capacity. Oh wait, maybe we should switch over to MongoDB, and by the time we were done, two years later, we had three databases, I think four message buses, running Rails 3 and Rails 4, you know. And so the concern comes in in that: what is the long-term viability and stability based off the choice we're making, not necessarily how many things are stapled together to meet the goals. It's the same as it played out. I know that makes sense, that clarification, just like...
E
If you came back and said, well, it's these six open-source projects and we feel that that's easily maintainable for us, I think you'd get a thumbs-up from Sam. It meets the requirements. I just want to be in a situation where we're like, oh wow... and by the way, I had this reaction when I installed Wazuh myself. I'm like, wow, it installed Elasticsearch and Splunk, like, you know, just kind of hear that context, right, and Alan's laughing because he knows I'm right. Like, that was our world for like three years.
C
Yeah, that can be the case for sure, and one thing with that, let me see here: so they don't have a Helm chart for Wazuh, and so we would have to maintain the Helm chart by ourselves. I know we did that in the past with a couple of things; even the first version of Cilium, I think it was maintained by us, you know, Helm charts, from that perspective. So that would be a little bit of maintenance over there, and that would be for that client.
C
C
Yeah, so the last thing is this: it's similar to the first point that I mentioned, which is that most of the vectors and the attack surface from Kubernetes are usually looked at from different perspectives. The fact that you have an image pre-built, and that you can build the image, and then, as soon as you have the image, you have access to the image itself, like the Docker daemon. I know that Sam mentioned that we are addressing this problem, and we are...
C
We are concerned with the problem of the deployed, but I'm just trying to bring to us the culture that there are very different ways of tackling the problem. And also, if you have, let's say, insecure... let's say that you build the image, everything is all right, the person has permission to have the Docker daemon and the person has permission to use kubectl, and everything is okay.
C
But if the image is built with, let's say, host network, then whatever happens inside that image is going to hurt the whole cluster. So those capabilities for Docker, I think most of the time they could be very simple, like not allowing the person to have a root user. It's going to be a single parameter that you send to Docker, but it's something that, if we always think with the mindset of dedicated servers, it's something that was not there, didn't exist at that time.
C
C
A
No, one big difference between a Falco-style solution and a Wazuh-style solution, where an agent needs to be installed for Wazuh to operate: Sam has found with the research he did that customers are okay, per the discussion we've had so far, okay with putting an agent on each container. Just worth noting. The other comment, I really just wanted to highlight Sameer's...
A
...comment. I wanted to emphasize that the threat vectors and attack surfaces on dedicated server scenarios have some differences and are usually approached from a different angle. There are definitely big differences, there are some similarities, but that is a very salient comment. Thanks.
F
F
Yeah, so I was saying that the main difference for me between Wazuh and Falco is not related to the agent itself. It's mostly related to how the product is actually working. Wazuh is actually something doing polling to get the information that they need to take decisions, but Falco is not using polling. They are using an event-based loop that is much, much more efficient than polling. That's around what I'm, like...
F
If you want to do file integrity in Wazuh, you have to, we can all define such a monitor store somewhere to check some of these files and run again the same loop and check the checksums with the database, and, well, it's very tedious. It's going to use a lot of time, a lot of resources, a lot of I/O, whereas if you take exactly the same case in Falco, the only thing that Falco is doing is defining a rule saying: tell me if any of these files is getting accessed in read mode or write mode.
F
If you have that on write mode, any process that will write on that file will generate an event that we forward wherever you want. So it's much, much lighter than what we were doing, and that's the case for every single requirement that we have here. So that's why I want to emphasize that Wazuh is not fitted for that kind of process.
F
The first thing you want to do is to stop the container, save the container, because you need forensics to figure out what's going on and what was the issue, and you will respawn a new container from the same image that will be completely clean. So you don't need to block or stop the process that is starting. You need to understand what's going on first, so I'm not so sure about the requirements. Is that... it makes...
E
Your comment makes sense. I guess the concern I have with it, and it's later in the document, I probably won't... I have to drop at the bottom of the hour, so I probably want to... basing on it is, like, the reason for looking beyond Falco, because trust me, Philippe, like last year you convinced me Falco was the right solution, right. The thing is, I did not find in my research, and I don't think Sam did either, a solution to the out-of-band deployment.
E
E
You distracted me when your hand disappeared into your face. It was like you just had, like, the one side of your face left. All the companies doing Falco in a blocking mode, like Sysdig, like that's a commercial offering they built, and when I quickly googled the stuff that even Allen mentions later, and then we'll let him explain it, none of those say they turn Falco into an active blocking mode, intrusion prevention.
E
If you solve Sam's requirements and that's Falco and other things you feel confident about, again, I think Sam would be okay with that. It's just I feel like the conversation becomes a comparison of the two and why Falco's so much better, but then it's not... which, oh by the way, I agree, in cloud-native environments it's way better, but it doesn't address the... well, we know customers want to be able to have visibility in the container. They want to be able to check file integrity in the container.
E
E
A
D
Yeah, let me start by sharing my screen. Actually, I wrote a lot in the document, so I do believe you didn't have time to read it, and that's fine. I'll try to talk a little bit about what I did and how I tried to compare those two solutions, but at the same time I want to share with you the other findings and other solutions that we could use, not specifically Wazuh or Falco. So what I did: I created...
D
...a super simple Go web service that basically has like three options, like you can ping an IP address. If you've ever played with capture the flag or anything like it, it just shows you the vulnerabilities in the app itself, and a deployment for Docker, so for Docker without Wazuh. This is like a regular Go Dockerfile, and for Wazuh we need to get the script that I wrote to install the agent and then run it, and then get all the packages.
D
So that's a possible way to get the Wazuh agent installed into the container. Of course, what Sameer was talking about is the base image that we can use. So here I'm using Ubuntu. If that application has to run in different environments like distroless or stretch or scratch, it will not be possible to install an agent, simply because it requires having some things from the system, right. So yeah, and the application, the service, has been scary.
D
Okay, so I'll just go one by one and try to show you some demo of what, and I will just do the demo in both environments, and we'll see if we have any events in Wazuh and if we have found events in Falco. So, okay, let me go here. I'll just use this one today; I don't believe you have time to test it all at once. Okay, so under the hood here, I have Falco running in the cluster that is checking some things currently that are happening.
D
I hadn't got time to configure it fully and properly, so it will report some things that are happening. These are okay, like Google accounts, team and other things, but that's fine; I wanted to do it quickly. So in terms of file integrity monitoring, Falco by default has some rules, but we need to write them. Actually, that's the whole solution. You have the solution that gives you the events, and you need to write rules and macros to detect and react upon them.
D
I mean, react by, I mean, alerting some other services, and I'll get to active response in a moment. And for Wazuh, by default we have rules. It performs practically what Philippe said and scans directly in real time if you want, but it's not by default. So by default, it will scan them every six hours, I believe, or ten hours, and will compare those MD5 hashes or so on. Okay, so I'll start by doing the... actually, what I'll do?
D
Okay, normally it will do the ping, right, so it is like a normal application, like it should work like this, but I tricked it. So I now execute some command on the container: so I've executed the cat. So, okay, in Falco I was able to get that easily because I have a rule that does it for me, and if I want to do the same here, I haven't got any option actually to detect that right now, because I haven't changed any file.
D
I just ran some script on the container, but that's possibly because I wasn't able to configure Wazuh fully. I really hope that Thiago will be able to help us, since he has more experience with Wazuh. I went to the documentation, I couldn't find anything that supports it, but that's one thing. So I can do more now. I can do, I don't know, into something like this.
D
For Wazuh we're gonna check if it will recognize it or not. I want to wait for it, because the event might not happen that often, and I can do more things with it. I now, like, I don't like change the template of the application, but I'll go further. The next thing, and that's the file integrity monitoring: we want to be able to check if the file was changed or not. So the main difference between Falco and Wazuh: for Wazuh...
D
We need to configure it to support real-time changes, and with Falco you have that out of the box, because this is how it was designed and it's working right. For image signature verification, I believe we're gonna have another meeting about that, because neither Falco nor Wazuh has the capability to verify if your images are signed or not, and we need to work with other teams on that to introduce a secure container registry and other things; we need to be able to sign those containers.
D
Possibly with Falco you could detect that someone is trying to start a container that is not signed, but that's up to us how we're gonna write those rules. The interesting part is application allow listing, because I was not able to find, in Falco and Wazuh, a way to do it, because Falco only... the thing is, Wazuh can react, it has active response, but active response is not something that should do the application...
D
...allow listing. So I was going through the whole solution and trying to find something that will be native to the Kubernetes world. What I found is AppArmor, actually; you can read about it later. I believe AppArmor is a part of Linux kernel security, so it allows you to add to your systems some profiles. So this is, like, an example, the profile. I have a profile, and this profile will allow me to use ping, and I'm adding... oh, those are my capabilities.
D
I would like to be able to use the ping application, but I would like to deny also all writes to the /etc filesystem. So now, if I go to the deployment, and I'll also show how AppArmor integrates with the container. So yeah, I created a small application. Actually, I just took it from the examples on the Google Kubernetes repository. So basically it looks for this config map.
A
D
B
B
...said earlier about the image signature verification, so that's a little bit separate from the way you describe it. That is an effort that actually, I think, is being taken on by the compliance team. I think Thiago found out a separate issue that another grouping at GitLab is working on. So it's one thing to make sure that containers are only generated from trusted images, but that's kind of outside the scope of where we're focused. What we're focused on is: once the container is generated, how does it...
D
Yeah, thank you, yes. So the solution is quite simple. We have the profiles here, as you can see. Like, writing those profiles, maybe not the nicest thing in the world you can do, but we can simplify it by adding some UI or something like that in the future, as we have, as we should have, for policies and other things. So I will use that allowed thing, and I'll go to, and I will just show you how easy it is just to apply it to your workload or, like, deployment. So I just add an annotation.
D
So currently it's in beta. It should be soon, I hope, a part of Kubernetes; it is already in Kubernetes, but it just uses annotations and not a separate kind of metadata like a manifest file. So here I'm using this thing, and I'll just do kubectl apply on the deployment YAML file. I'll just wait for it to actually execute it. I'll just check.
D
D
It's not showing anyway, but I can write. I can still write to other files, because in the config map I specified I want to deny /etc, so I can still do the writing. Like, I'll go test, let's say root test, and I can read this test file, and this will work, right. This will still work, but at the same time writing to the other folder is not working. I have a few profiles prepared here.
D
Actually, you can read through the document later on how it's all being integrated, but it's actually a separate solution that is part of the Kubernetes world already. It's not something that we need to install; the only thing we need to install is this AppArmor loader daemon set that will simply take those profiles and install them onto the node, and that's it. Okay, active response blocking.
C
A little bit, sure. So, regarding AppArmor, there is also another profiler, a system of profiles that does similar things to this. It's called seccomp. And Shopify, some time ago, put up a solution called kubeaudit that kind of wraps it all up in a single application, and it's widely used for this type of usage. And there is another application as well, it's called kube-bench, that does very similar things.
D
D
Okay, I'll jump to active response blocking, because that's something that David mentioned. It's something that Falco does not support. I believe it was designed like this by default; like Sysdig Secure is using another solution internally that uses Falco but then extends it by this blocking mode.
D
So I was trying to have something similar. There's actually a solution for that, but that will require you to have more solutions, like not only Falco but also others, so you can have Falco, NATS, and actually there's an article about that, so Sysdig, Falco, NATS and Kubeless. So I'll just quickly tell you what it is like. NATS is a messaging platform, so whenever Falco will report all alerts to NATS, and that's based... and that will do something.
D
D
The only thing where there's a difference between those two solutions is that if we have the Wazuh agent in the container, we don't want the container to have access to the Kubernetes cluster, to the master node. So we should not allow the Kubernetes pod and containers running in the pod to manipulate things that are happening on the master level, and if we want to be able to delete the pod from the container side...
D
That's not really a good way to do it, because we can easily expose the credentials to the kube API, and that's the main difference in terms of Falco and that solution with NATS and Kubeless. That will be those separate solutions that will not require you to have credentials to the system.
D
A
It's something like this, so definitely it can take actions that the Kubernetes API supports. Could it also take an action if we give it credentials to the containers running, or a container running? Could we have it then, you know, SSH into the container and take actions in the container itself, like kill a process or delete a user or disable a user or something like that?
D
A
Without requiring credentials on each container, it seems like the way to, not to detect the operations that you'd want to take actions on, but to take the actions, an agent-full (that's the word) rather than agentless, an agent-based solution would probably be preferred, because the agent then is already running on the container, so you'd need access to it, and then it would be waiting, listening for commands for things to do that wouldn't be necessary...
A
The way we detect events to take action on, that's how we take action. So it seems like the actions are in two areas: Kubernetes itself and inside the containers, and I'm not sure how much in this environment customers would want one or the other. There's no... it's technically kind of feasible and possible, but what customers would actually want to do, I'm not sure about that part.
B
D
A
A
...that is not already approved for it to connect to, or whitelisted for it to connect to, and you may want to create, maybe I'm coming with crazy stuff, but create a ticket for the operations center to go research that, right, where it's not sure. But like that kind of active response, if we're considering, you know, use cases like that, like go push work to a person to go investigate something, that's not something AppArmor would do, perhaps, or maybe you would, I don't know. I...
D
C
A
C
...like that either, right? I'm just... interesting possibilities. Can I just say one comment on that? So AppArmor or seccomp, it's going to be based on the pod security policy that has a couple of settings on a lower level. That's something that I think, since the beginning, I hoped to push us to do, even before network, even before Cilium, because that defines the basics of the permissions, and then with AppArmor, with Cilium, it's explaining in a very good way...
C
We can build up on that. The other thing that we talked about, Wayne was mentioning checking out ingress, egress connections; that would be the job of the network policy, right. Yeah, good point, that was in advance, and that goes back to the point that, well, it's going to be hard to find one solution that does everything we need. We need to try to look a little bit more at how, probably, Kubernetes is going to have something for that.
D
So it has this little daemon that is sitting very close to the kernel, and it's getting all those events that are happening anyway, and it can then send them to the application and the application reacts based on those events, while Wazuh is doing most of those things by polling, checking, like doing some computations on the container. But I'm not able to compare them. I was not able to compare them. So I didn't want to talk about this part, but I believe we need to do more investigations for that one.
D
Then we have malware scanning, those nice-to-haves actually. So for malware scanning, Falco by default will not have it, will not support it. So we need to extend it. There is a solution called Baghdad that adds something to it, so it will run the scans and then it will send events to Falco, so Falco can react based on those events. And Wazuh, we have already integrated it... it does not, I believe, in the free version at least; it does not, without integration.
D
First of all, it does not, it's not going to do the malware scanning using some antivirus scanner like ClamAV or VirusTotal scan. So it will just try to look for rootkits. It will try to look for files that were changed, and based on that it can make the decision that there was some malicious behavior in the container. The other solution...
D
The first alternative is, like, running ClamAV, for example, as a daemon set as a part of the cluster, and periodically run it and look for malware. But that's something that we need to look at: what kind of features in that area would we like to have? I think Philippe is coming, yeah.
F
I want to interject here, because that seems wrong to me, the way that we are presenting malware scanning here in the Kubernetes world. What we would do is to scan the image before deploying it, and we have all the tools for that. We have container scanning already. We can maybe run ClamAV on the filesystem if needed. We generally don't do that on the filesystem during the runtime, for a good reason.
F
A
This case is: there's a remote file inclusion and run vulnerability in the customer-written app. So somebody can write to /tmp and then run the program in /tmp. Let's just assume it has such a vulnerability, a customer-written app. /tmp, we're not gonna stop writes to... /tmp is used for all sorts of temporary things, or reads from. So somebody could write a file to /tmp.
A
F
A
F
F
The only other case that you need to cover is the files that would be uploaded, but they're not going to be put in the container; they're probably on the volume, and you need to check that volume on a regular basis. But it's not in the container, or, say, you don't... you never do that, because you want the container to do... why did...
A
You upload that file to /tmp and it's a reverse shell via shell script, so you run it with bash, so you tell bash to go run it, or, you know, it's a bash script and you tell bash to run it. Is that... bash is not a new process. The script that bash is running is a new process. Would that be caught? Yeah, of course.
B
I would still keep that as a nice-to-have, you know. Even if we are able to 100% account for all of the scenarios, which makes malware scanning entirely not add anything more from a practical standpoint to a customer's security posture, yeah, there's an emotional aspect of what the customers are getting out of our tool as well, and that's a level of comfort. You know, they may not have all of those things configured. Even if they do, you know, some customers have boxes to check that yes, I'm doing anti-malware scanning. Maybe, maybe.
A
Mm, maybe they check that box, and appropriately, as they check it in the secure stages, they're building things, not after it's deployed, maybe. Right now we're scanning all the existing files on a periodic basis. That's one of the ones in particular I'm concerned about, not about performance impact, because you can make it lower priority so it doesn't create a performance problem while the containers are running, but about hosting cost. That can take hours, depending on how many files there are and the size of them. They actually might drive up customers' hosting costs.
D
I'm looking actually at what's left. We have the vulnerability scanning, configuration vulnerability detection, as we already discussed. The one thing is that we have that already in the secure stage. The other thing is that you're running the container that might be already deployed, and after some time some vulnerability was found, and it's an alternative. What we could do, it's very likely, is perform a scan on already deployed images, so it can tell you: oh, your image that was deployed using GitLab is outdated and has outdated packages, and those packages have right now a vulnerability. Something like that.
A
Let's say the operating system vendor releases a patch, and you haven't run that, you haven't rebuilt the container since that patch was created, and customers don't want to know about that. To say, hey, you know, I need to rebuild my container, because I need to pick up that patch. Or, you know, I've missed, or the container's been configured in a way, either when built, well, you can catch that when it's built, perhaps, but, or after it's built, it's changed to be, the configuration has changed to not be secure.
D
Of course, yeah. What I'm saying is that, after it's built and deployed, we can still run checks on those containers. Without going to the running container, I mean container images, so there's no need for you to do scans on running containers. You can periodically scan already deployed container images, and we already have kind of tools.
D
Okay, and then we have configuration vulnerability detection, and here the only solution that I found that is available is OpenSCAP, and so what is using it... Falco is not, I don't know if we could configure it to detect things. OpenSCAP is trying to scan your configuration, if it is compliant with some recommendations or some certifications like PCI and others, so that's the other solution. I don't know if we should do that in the secure stage. We could, that's also part of the container security, like the container.
D
So Wazuh works perfectly with this one; they also have their own solution. They call it security configuration assessment; they just download the information from distributions, like Linux distributions, and check if there is a package that is out of date and if it has vulnerabilities, CVE IDs, and so on. The last thing that we need to give... GitLab initials to production Kubernetes or container environment. Falco, okay, we're finally going to deploy it with a DaemonSet. So there's no need for us to do it for Wazuh.
D
Are we gonna... we're not going to automate it anyway? We're gonna just tell customers: oh, if you want to use it, you just need to take those packages, run that script, and you'll have it already as a part of your container. So there's no need for us. I really don't think that the solution that we could have is, so, give me your credentials to your nodes and we're gonna install some agents there.
D
Yeah, exactly. Let me look if I have anything for the demo. I believe that's all, like, what I have here. I can do... like, just to check. Oh, I don't, I just want one of the list that we have, four capabilities that we would like to be able to detect, for example, being able to detect if a shell is created. So let me just open a shell on one of the containers.
D
Of course, I'm doing it because I have privileges to do it, but there are options that you can SSH to your container, for instance if it's misconfigured or something like that. So I'm gonna just run it and it'll tell me: oh, the shell was spawned in the container with an attached terminal, as far as I know it was.
A
For now, this is my second... people, this is awesome, and a whole lot to think about and digest. I don't want to, I won't try to make decisions today. That was not the purpose of today, and also, you know, we want Thiago to be part of the whole discussion and decision-making process, so he needs to, I'm sure, read the document and all the comments and the recording. I don't know, just a whole lot to think about, that's for sure. Sam, you were saying?
B
What would the proposed architecture solution look like to address the requirements? You know, is that, you know, do you recommend going with AppArmor and Falco, or AppArmor and Wazuh, and, you know, XYZ other product? And maybe if we can get, you know, your recommendation of what that complete picture looks like and what each piece would add as we layered it in. I think that would be really helpful for me, and then we can prioritize, you know, where to go next from here, yeah.
C
Probably part of the proposal is that we can move one of the requirements that is a must to a nice-to-have instead of a must-have, and then we can propose the best that we will find, and then we can move from there. I like that, I like that. We are not designing anything right now. There is lots of information on the table and we need some time to figure that out, for sure.
A
Let's say, I think the way I interpret this is: we have must-haves and nice-to-haves, and we don't want to make a decision, or decisions, just based on the must-haves, because then, if we don't consider the nice-to-haves, we may make a different decision than if we consider them all. So we definitely want to implement the must-haves first, but we want to make the architectural decisions with the nice-to-haves in mind.
B
Looking, so I think everything's there, okay, so yeah, so I can create a new issue for that. I added a table back here. I guess what I'm envisioning is something like this that would be filled out, you know, like: here's the proposed architecture from engineering that addresses 100% of everything, or as close as you can get to 100 percent, and then, you know, we have that broken out by, you know, what does each give us, so that we can figure out how to prioritize, you know, the different components.
A
And it's great, we start with that table. I would add a column to it, and we'll do it in the issue rather than a Google Doc, rather than Google, in that, show that as an example, which is great: a pros and cons column, because whatever decision we make, it's not gonna be all pros, right? There are gonna be definitely some pros, that's why, and some cons as well, yeah.
D
We need to also think about the design. You're gonna just pick one or another solution; how are we gonna allow users to modify it, the rules, like AppArmor profiles, or adding macros in Falco, or configuring and using Wazuh, and how are we gonna, if we're gonna go with Wazuh, how are we gonna deploy it eventually? So yeah, yeah.
A
The... yes, that's gonna be AppArmor, perhaps, but we'll see, we'll see. No, yeah. That sounds reasonable. Yeah.