This is a Falco plugin that gathers events from the HashiCorp Nomad API event stream.

albertollamaso/nomad-plugin

Falcosecurity Nomad Plugin

This repository contains the Nomad plugin, which reads the Nomad event stream, parses each Nomad event, and emits a sinsp/scap event (the event type used by Falco) for it.

Event Source

The event source for Nomad events is the /event/stream endpoint, which Nomad uses to stream the events it generates.

Supported Fields

Here is the current set of supported fields:

| NAME | TYPE | ARG | DESCRIPTION |
|------|------|-----|-------------|
| nomad.index | uint64 | None | The index of the nomad event. |
| nomad.alloc.name | string | None | The name of the nomad allocation. |
| nomad.alloc.namespace | string | None | The namespace of the allocation. |
| nomad.alloc.jobID | string | None | The job ID of the allocation. |
| nomad.alloc.clientStatus | string | None | The client status of the allocation. |
| nomad.alloc.images | string (list) | None | The list of container images on allocations. |
| nomad.alloc.images.tags | string (list) | None | The tags of each container image on allocations. |
| nomad.alloc.images.repositories | string (list) | None | The container repositories used on allocations container images. |
| nomad.alloc.taskStates.type | string (list) | None | The state of the task on the allocations. |
| nomad.alloc.res.cpu | uint64 | None | The CPU required to run this allocation in MHz. |
| nomad.alloc.res.cores | uint64 | None | The number of CPU cores to reserve for the allocation. |
| nomad.alloc.res.diskMB | uint64 | None | The amount of disk required for the allocation. |
| nomad.alloc.res.iops | uint64 | None | The number of IOPS required for the allocation. |
| nomad.alloc.res.memoryMB | uint64 | None | The memory required in MB for the allocation. |
| nomad.alloc.res.memoryMaxMB | uint64 | None | The maximum memory the allocation may use. |
| nomad.event.topic | string | None | The topic of the nomad event. |
| nomad.event.type | string | None | The type of the nomad event. |
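
The fields above can be used in Falco rule conditions and outputs. The rules below are an added example, not rules shipped with this repository: they assume the plugin's event source is named nomad (matching the plugin name in the configuration), that the topic value for allocation events is Allocation, and that repository values have the form shown in the constructed allow-list, which is a placeholder.

```yaml
# Constructed allow-list (placeholder values): repositories jobs may pull from.
- list: nomad_allowed_repositories
  items: [registry.example.internal/platform, registry.example.internal/base]

# "in" on a list field is true only when every value is in the right-hand set,
# so "not ... in" fires as soon as one image comes from another repository.
# The "exists" check keeps allocations without image data from matching.
- rule: Nomad allocation uses image from unapproved repository
  desc: >
    An allocation references at least one container image repository
    that is not on the allow-list.
  condition: >
    nomad.event.topic = Allocation
    and nomad.alloc.images.repositories exists
    and not nomad.alloc.images.repositories in (nomad_allowed_repositories)
  output: >
    Nomad allocation with unapproved image repository
    (alloc=%nomad.alloc.name job=%nomad.alloc.jobID
    namespace=%nomad.alloc.namespace images=%nomad.alloc.images
    status=%nomad.alloc.clientStatus index=%nomad.index)
  priority: WARNING
  source: nomad   # assumed event source name
  tags: [nomad, supply_chain]

# "intersects" is true when at least one tag of the allocation equals "latest".
- rule: Nomad allocation uses mutable latest tag
  desc: >
    An allocation runs at least one container image tagged "latest",
    so the deployed content can change without a job update.
  condition: >
    nomad.event.topic = Allocation
    and nomad.alloc.images.tags intersects (latest)
  output: >
    Nomad allocation with image tagged latest
    (alloc=%nomad.alloc.name job=%nomad.alloc.jobID
    namespace=%nomad.alloc.namespace images=%nomad.alloc.images
    tags=%nomad.alloc.images.tags event=%nomad.event.type)
  priority: NOTICE
  source: nomad   # assumed event source name
  tags: [nomad, supply_chain]
```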

Configuration

falco.yaml Example

plugins:
  - name: nomad
    library_path: libnomad.so
    init_config:
      address: http://127.0.0.1:4646
      token: ""
      namespace: "*"

# Optional. If not specified the first entry in plugins is used.
load_plugins: [nomad, json]