content/en/blog/extend-falco-inputs-with-a-plugin-register.md
This post is part of a series of articles about how to develop Falco plugins. It's addressed to anybody who would like to understand how plugins are written and wants to contribute. See other articles:
- [Extend Falco inputs by creating a Plugin: the basics]({{< ref "/blog/extend-falco-inputs-with-a-plugin-the-basics" >}})
- [Extend Falco inputs by creating a Plugin: Distribute the plugin]({{< ref "/blog/extend-falco-inputs-with-a-plugin-distribute" >}})
In the previous [post]({{< ref "/blog/extend-falco-inputs-with-a-plugin-the-basics" >}}) we covered all the basics of developing a plugin. In this article, we'll focus on the steps to register it and allow the community to use it.
Registration is mandatory for `source` plugins and optional (but still recommended) for `extractor` plugins. This post covers the registration of `source` plugins.
At the moment, what we call the Plugin Registry is a git repository that centralizes all available plugins through a yaml file.
The table in the README is auto-generated from the aforementioned registry:

| ID | Name | Event Source | Description | Info |
|---|---|---|---|---|
| 2 | cloudtrail | aws_cloudtrail | Reads Cloudtrail JSON logs from files/S3 and injects as events | Authors: The Falco Authors <br/> License: Apache-2.0 |
| 3 | dummy | dummy | Reference plugin used to document interface | Authors: The Falco Authors <br/> License: Apache-2.0 |
| 4 | dummy_c | dummy_c | Like Dummy, but written in C++ | Authors: The Falco Authors <br/> License: Apache-2.0 |
| 999 | test | test | This ID is reserved for source plugin development. Any plugin author can use this ID, but authors can expect events from other developers with this ID. After development is complete, the author should request an actual ID | Authors: N/A <br/> License: N/A |
In this section, we'll describe the key elements required for your plugin to be registered.
Registration requires you to write a good README for your plugin and to complete all fields of its entry in the `plugins` section of `registry.yaml`, like:
```yaml
plugins:
  source:
    - id: 2
      source: aws_cloudtrail
      name: cloudtrail
      description: Reads Cloudtrail JSON logs from files/S3 and injects as events
      authors: The Falco Authors
      contact: https://falco.org/community
      url: https://github.com/falcosecurity/plugins/tree/master/plugins/cloudtrail
      license: Apache-2.0
```
You're free to choose the open source license you want; you can check https://choosealicense.com/ for help. Most of the current plugins are under the Apache License 2.0.
Every source plugin requires its own unique plugin event ID to interoperate with Falco and the other plugins. This ID is used in the following ways:
It must be unique to ensure that events written by a given plugin will be properly associated with that plugin (and its event sources, see below).
Each plugin in the registry must have its own name, which can be different from the event source. An event source can be shared across different plugins (e.g., for k8s audit logs, we may have different plugins but only one type of event source).
The name should match this regular expression: `^[a-z]+[a-z0-9_]*$`.
The fields are used for conditions in rules, so you must describe the available fields of your plugin in the README.
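The rules above (all fields completed, a unique ID, a unique name matching the regular expression, and ID 999 kept for development only) can be checked before opening a PR. The Go code below is an added example, not the registry's own tooling; the `Entry` type and `Validate` function are hypothetical names, and the sample entries are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// Entry mirrors one item under plugins.source in registry.yaml.
type Entry struct {
	ID                                                        int
	Source, Name, Description, Authors, Contact, URL, License string
}

var nameRe = regexp.MustCompile(`^[a-z]+[a-z0-9_]*$`) // naming rule quoted in the post

// Validate returns every problem found in candidate c, given the entries
// already registered. Event sources may be shared, so Source is not compared.
func Validate(existing []Entry, c Entry) []string {
	var errs []string
	fields := [][2]string{{"source", c.Source}, {"name", c.Name},
		{"description", c.Description}, {"authors", c.Authors},
		{"contact", c.Contact}, {"url", c.URL}, {"license", c.License}}
	for _, f := range fields {
		if f[1] == "" {
			errs = append(errs, "missing field: "+f[0])
		}
	}
	if c.Name != "" && !nameRe.MatchString(c.Name) {
		errs = append(errs, "name must match "+nameRe.String())
	}
	if c.ID == 999 { // reserved for plugin development
		errs = append(errs, "id 999 is reserved for development")
	}
	for _, e := range existing {
		if e.ID == c.ID {
			errs = append(errs, fmt.Sprintf("id %d already used by %s", c.ID, e.Name))
		}
		if e.Name == c.Name {
			errs = append(errs, "name already registered: "+c.Name)
		}
	}
	return errs
}

func main() {
	// Constructed sample: a registry with one entry and a flawed candidate.
	reg := []Entry{{ID: 2, Source: "aws_cloudtrail", Name: "cloudtrail"}}
	fmt.Println(Validate(reg, Entry{ID: 2, Source: "aws_cloudtrail", Name: "My-Plugin"}))
}
```

A candidate that reuses the `aws_cloudtrail` event source passes as long as its ID and name are new, which matches the shared event source case described above.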
For example:
| Name | Type | Description |
|---|---|---|
| docker.status | string | Status of the event |
| docker.id | string | ID of the event |
| docker.from | string | From of the event (deprecated) |
| docker.type | string | Type of the event |
| docker.action | string | Action of the event |
| docker.stack.namespace | string | Stack Namespace |
Once you're ready, you can submit your plugin for registration:

plugins section

Following our Contributing Guide, your commits must be signed-off.
You can find more information here.
By sharing your idea and code with the community, you will get direct feedback. Don't hesitate to share your work in the #falco channel of the Kubernetes Slack before submitting your PR too!
You should now be able to propose your plugin to the community and get feedback on it. The following posts will describe more advanced use cases, like events from Cloud Services. Stay tuned!
You can find us in the Falco community. Please feel free to reach out to us for any questions, suggestions, or even for a friendly chat!
If you would like to find out more about Falco: