I am using the runtime detection tool Falco to analyse the container behaviour for at least 40 seconds, using filters that detect newly spawning and executing processes, and store the incident file at /opt/falco-incident.txt containing the detected incidents. I am trying to format the output result one per line, in the format [timestamp],[uid],[user-name],[processName].
I created the yaml file audit.yaml:

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
  namespace: ""
  verb: ""
  resources:
  - group: ""
    resource: ""
```

```yaml
# volumes and volumeMounts added to the kube-apiserver Pod manifest
volumes:
- name: audit
  hostPath:
    path: /etc/kubernetes/audit.yaml
    type: File
- name: audit-log
  hostPath:
    path: /var/log/all-resources.log
    type: FileOrCreate
volumeMounts:
- mountPath: /etc/kubernetes/audit.yaml
  name: audit
  readOnly: true
- mountPath: /var/log/all-resources.log
  name: audit-log
  readOnly: false
```
I edited the kube-apiserver manifest, adding these 3 lines:

```yaml
- --audit-policy-file=/etc/kubernetes/audit.yaml
- --audit-log-path=/var/log/all-resources.log
- --audit-log-maxage=1
```
The main question is: how and where do I define the desired output, which should look like this?

```
[timestamp],[uid],[user-name],[processName]
[timestamp],[uid],[user-name],[processName]
...
```
I think you are going in the wrong direction. The question specifies using the Falco tool, so you need to edit the falco_rules.local.yaml file. This has nothing to do with the auditing policy. It could be something like this:
And when you try to run it, you can use the below command for running it for 40 seconds:
This will run Falco for 40 seconds with your given conditions and push the result in your desired format to the log.txt file.
P.S.: I know this is quite late to answer, but someone else might benefit from this.
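As an added example (not part of the original answer), this is the shape such a rule and run could take: a rule for processes spawned inside containers whose output already lists the four fields comma-separated, a helper that strips the `<time>: <Priority> ` prefix Falco puts in front of every stdout line, and a run limited to 40 seconds with `-M`. The rules-file and incident-file paths are assumptions taken from the question; the field names (%evt.time, %user.uid, %user.name, %proc.name) are Falco's standard output fields.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed paths:
#   rules file    /etc/falco/falco_rules.local.yaml
#   incident file /opt/falco-incident.txt

# Write the spawned-process rule to the given rules file.
write_spawn_rule() {
  rules_file="${1:-/etc/falco/falco_rules.local.yaml}"
  cat > "$rules_file" <<'EOF'
- rule: Process spawned in container
  desc: Any new process executed inside a container (not on the host)
  # evt.dir=< is the execve return, so the new process already exists
  condition: evt.type in (execve, execveat) and evt.dir=< and container.id != host
  # Falco still prefixes each stdout line with "<time>: <Priority> "
  output: "%evt.time,%user.uid,%user.name,%proc.name"
  priority: NOTICE
EOF
}

# Drop the "<time>: <Priority> " prefix from one Falco stdout line and keep
# the rule's own output text (field 3 onward, so a user name with a space
# would survive).
format_incident_line() {
  printf '%s\n' "$1" | cut -d' ' -f3-
}

# Run Falco with only our rules file for N seconds (-M stops the capture),
# reformat every line and store the result in the incident file.
collect_incidents() {
  seconds="${1:-40}"
  rules_file="${2:-/etc/falco/falco_rules.local.yaml}"
  out_file="${3:-/opt/falco-incident.txt}"
  falco -U -r "$rules_file" -M "$seconds" | while IFS= read -r line; do
    format_incident_line "$line"
  done > "$out_file"
}
```

Because `-r` replaces the rules files listed in falco.yaml, only this rule fires; run `collect_incidents 40` as root on the node where the container is scheduled.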