
Integrate Witness, Falco, Tracee, Cilium, etc. for demo of runtime visibility #212

Open
mlieberman85 opened this issue May 4, 2022 · 6 comments
Labels: enhancement (New feature or request)

Comments

@mlieberman85 (Contributor)

[image: secure software factory ref arch]

SSF is an implementation of Secure Software Factory Ref Arch as shown above. A gap we currently have is in runtime visibility space. We should explore various runtime visibility (tracing, eBPF) tools to see how we could integrate them into SSF.

Common ones to explore are:

  • Witness
  • Falco
  • Tracee
  • Cilium

SSF is intended to abstract out underlying implementations but we do want to explore which ones might be easiest to integrate for the default.

@mlieberman85 mlieberman85 added the enhancement New feature or request label May 4, 2022

colek42 commented May 4, 2022

I would like to have a better understanding of how we can interrogate Cilium and Falco to generate attestations.

witness knows the PID and all of the metadata for the CI process

@fkautz do you have any implementation ideas?


fkautz commented May 4, 2022

We can look at pulling information from cilium and Falco and use them in the attestation process. Normalize, correlate, and sign the information gathered.

E.g., it should be possible to capture network policy configuration, connection information, and other relevant info and correlate it with the information traced by witness.

Would need some work to gather and perform the correlation, but would give us the ability to look for anomalies.


colek42 commented May 5, 2022

@mlieberman85 how do you see cilium fitting in?


colek42 commented May 5, 2022

> We can look at pulling information from cilium and Falco and use them in the attestation process. Normalize, correlate, and sign the information gathered.

Option 1

Falco has a gRPC API that we can connect to over UDS. This seems like a good fit.

I think we can hack in some code to connect to the Falco API to listen to events happening in the system when the commandrun attestor is working.

Option 2

I'm not sure if this will work, but it may fit in better with witness' model.

Create a Falco source plugin that filters the events we care about for witness. We can then communicate these events to witness using a postrun attestor.

@ChaosInTheCRD commented

Hi everyone! This is awesome :) I was in the process of trying to build a Kubernetes tool that can create 'Falco Attestations' in a similar way to what is discussed here. I would love to talk about this more and understand how Tracee, Witness and Cilium all tie in.


colek42 commented May 19, 2022

https://github.com/cilium/tetragon seems like a good fit for integration with witness. I added an issue here: in-toto/witness#186

@pxp928 pxp928 mentioned this issue Jul 5, 2022