If you are here, chances are that your pet is always running around, destroying things in your sweet house. We will show you how to enrich Falco security through a smart plugin that may not stop your pet from bad behavior, but will at least warn you when it does misbehave!
Out of the box, Falco is known as the cloud-native runtime security project. Recently, though, it gained support for plugins: shared libraries that provide external event sources.
What does that mean? Basically, you are now able to tailor Falco to perfectly suit your needs.
One can imagine Falco as an IoT events centralizer, with rules to warn you when your smart thermostat is low on battery, or when someone turns on the kitchen light after 11pm, for example.
Today, our goal will be to consume video streams from webcams around the house to catch cuddly intruders!
This is a shift from Falco runtime security to so-called physical security. In other words, Falco will be able to offer a full stack security solution!
Requirements / What you’ll need
Our plugin will make use of OpenCV to receive the video streams, and of its DNN (Deep Neural Network) module to load an open source TensorFlow model, which can be found at:
http://download.tensorflow.org/models/object_blob/ssd_mobilenet_v1_coco_2017_11_17.tar.gz
Together with its config file:
https://gist.githubusercontent.com/dkurt/45118a9c57c38677b65d6953ae62924a/raw/b0edd9e8c992c25fe1c804e77b06d20a89064871/ssd_mobilenet_v1_coco_2017_11_17.pbtxt
Moreover, we will obviously make use of the Falco plugins Go SDK, which is a small SDK for writing Falco plugins.
Finally, a webcam will be used as a video stream source. You can find the plugin source code at:
https://github.com/FedeDP/falco-home-security
Step-by-step instructions and launch
You are surely wondering how to run this. First, you need the latest Falco from master, or you can wait until Falco 0.31 is released. This is mandatory, as plugin support was introduced quite recently.
Additionally, you should extract the tarball of the aforementioned TensorFlow model. You should now be able to build the plugin. Move into the plugin folder and issue the following:
$ make libhomesecurity.so
To run the plugin, you first need to enable it in the Falco config, following the instructions at: https://falco.org/blog/falco-plugins-early-access/#configuring-plugins-in-falco.
The falco-home-security repository contains some ready-to-use configs and rules; the config files use small videos (mostly found on YouTube) as sources, instead of webcams.
Be sure to update the “videoSource” key in your chosen config. This is the rule we have used:
- rule: Pet detected
  desc: We detected a pretty pet
  condition: video.entities[animal] > 0
  output: "!!PET ALERT 😍!! -> source=%video.source, n_pets=%video.entities[animal]\n%evt.plugininfo"
  priority: Warning
  source: homesecurity
Finally, Falco can be run pointing at the new configuration and rule file, for example:
$ falco -c falco-home-security/confs/falco_pet_webcam.yaml -r falco-home-security/rules/pet_in_webcam.yaml
The plugin has quite a lot of parameters to enhance object tracking; moreover, you are able to specify if you want a GUI to be shown, and if you want to store a snapshot when an event is triggered.
DEMO TIME
In all seriousness, here is a small demo that showcases the security implications of this plugin.
As you can see, it is able to enhance Falco in many different ways, both funny and significant.
This project has been made possible thanks to Hackathon 2021 in Sysdig.
Other examples of Falco + cameras IoT
The current plugin implementation does not distinguish between animals. In other words, it has only a giant ‘animal’ group.
Given that the COCO dataset supports lots of categories, you can easily expand the example, filtering multiple categories like ‘cats,’ ‘dogs,’ ‘cows,’ etc.
For the full list of supported categories, head to:
https://tech.amikelive.com/node-718/what-object-categories-labels-are-in-coco-dataset/
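One way to split the ‘animal’ group into per-species counts, as an added example (not code from the falco-home-security repository). It assumes the detections arrive as the 7-float rows that OpenCV's DNN module returns for SSD models (batch id, class id, confidence, left, top, right, bottom) and uses the COCO class ids of the TensorFlow label map; CountEntities and the per-species keys are hypothetical names.

```go
package main

import "fmt"

// COCO class ids of the animal categories (ids as in the TensorFlow COCO label map).
var cocoAnimals = map[int]string{
	16: "bird", 17: "cat", 18: "dog", 19: "horse", 20: "sheep",
	21: "cow", 22: "elephant", 23: "bear", 24: "zebra", 25: "giraffe",
}

// CountEntities (hypothetical helper) walks a flattened SSD detection output,
// 7 floats per row, and counts the animal detections that reach minConf.
// The aggregate "animal" key is kept so a rule written against
// video.entities[animal] would still see the same total.
func CountEntities(det []float32, minConf float32) (map[string]int, error) {
	const rowLen = 7
	if len(det)%rowLen != 0 {
		return nil, fmt.Errorf("detection blob length %d is not a multiple of %d", len(det), rowLen)
	}
	counts := map[string]int{}
	for i := 0; i < len(det); i += rowLen {
		classID, conf := int(det[i+1]), det[i+2]
		// Written as a negated >= so that a NaN confidence is rejected too.
		if !(conf >= minConf) {
			continue
		}
		if name, ok := cocoAnimals[classID]; ok {
			counts[name]++
			counts["animal"]++
		}
	}
	return counts, nil
}

func main() {
	// Constructed sample rows: a cat, a dog, a person (not an animal class),
	// and a low-confidence cat that must not raise an alert.
	sample := []float32{
		0, 17, 0.91, 0.1, 0.1, 0.4, 0.5,
		0, 18, 0.77, 0.5, 0.2, 0.9, 0.8,
		0, 1, 0.95, 0.0, 0.0, 0.3, 0.9,
		0, 17, 0.30, 0.6, 0.6, 0.7, 0.7,
	}
	counts, err := CountEntities(sample, 0.5)
	if err != nil {
		panic(err)
	}
	fmt.Println(counts)
}
```

The confidence threshold matters for alert quality: set it too low and every shadow becomes a pet, set it too high and the rule goes quiet.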
Conclusion
Was it that simple?
Yes! Falco with plugin support is aiming to become the standard way to secure your infrastructure, the cloud one and eventually even the physical one.
And what about Falco and IoT?
Starting from the current example, it is quite easy to imagine other integrations, like using Falco to aggregate IoT data coming from all the smart sensors in your home.
If your smart sensor offers an SDK, it is incredibly straightforward to create a Falco plugin around it. See you next time, with new awesome wonders from the land of Falco!
If you would like to find out more about Falco:
- Get started at Falco.org.
- Check out the Falco project on GitHub.
- Get involved with the Falco community.
- Meet the maintainers on the Falco Slack.
- Follow @falco_org on Twitter.