From cc446f86f490641830f2f969ec2e1f1033a006db Mon Sep 17 00:00:00 2001 From: Leonardo Grasso Date: Tue, 17 Dec 2024 16:01:36 +0100 Subject: [PATCH] chore(content): plugins section adjustments Signed-off-by: Leonardo Grasso --- content/en/docs/concepts/plugins/_index.md | 8 +++--- .../en/docs/concepts/plugins/architecture.md | 2 ++ content/en/docs/concepts/plugins/usage.md | 6 +++-- .../en/docs/concepts/plugins/where-code.md | 25 ----------------- .../en/docs/developer-guide/plugins/sdks.md | 27 +++++++++++++++++++ 5 files changed, 36 insertions(+), 32 deletions(-) delete mode 100644 content/en/docs/concepts/plugins/where-code.md create mode 100644 content/en/docs/developer-guide/plugins/sdks.md diff --git a/content/en/docs/concepts/plugins/_index.md b/content/en/docs/concepts/plugins/_index.md index 919e2c595..0c7e8aa85 100644 --- a/content/en/docs/concepts/plugins/_index.md +++ b/content/en/docs/concepts/plugins/_index.md @@ -1,8 +1,10 @@ --- title: Falco Plugins linktitle: Plugins -description: Extend Falco functionality using Plugins for Falco libraries/Falco daemon +description: Extend Falco functionality using Plugins weight: 40 +aliases: +- ../plugins --- The Falco libraries and Falco itself can be extended by using *Plugins*. Plugins are shared libraries that conform to a documented API, hooking into the core functionalities of Falco to allow things such as: @@ -13,7 +15,3 @@ The Falco libraries and Falco itself can be extended by using *Plugins*. Plugins - Injecting events asynchronously in a given data stream. This section describes how plugins fit into the existing event processing pipeline and how to enable/configure plugins in Falco. - -{{% alert color=primary %}} -If you're interested in how this feature came about, you can view the [original proposal](https://github.com/falcosecurity/falco/blob/master/proposals/20210501-plugin-system.md) for the plugin system. -{{% /alert %}} diff --git a/content/en/docs/concepts/plugins/architecture.md b/content/en/docs/concepts/plugins/architecture.md index 2cc5e6068..c1eded1f8 100644 --- a/content/en/docs/concepts/plugins/architecture.md +++ b/content/en/docs/concepts/plugins/architecture.md @@ -3,6 +3,8 @@ title: Plugins Architecture Concepts linktitle: Architecture description: Learn the basic concepts of the Plugin Architecture weight: 10 +aliases: + - ../plugins/architecture --- ## Overview diff --git a/content/en/docs/concepts/plugins/usage.md b/content/en/docs/concepts/plugins/usage.md index 9b2eb8a9a..c7fbe8426 100644 --- a/content/en/docs/concepts/plugins/usage.md +++ b/content/en/docs/concepts/plugins/usage.md @@ -1,8 +1,10 @@ --- title: How Falco Uses Plugins -linktitle: Plugins Usage +linktitle: Usage description: Plugins for Falco libraries/Falco daemon weight: 20 +aliases: +- ../plugins/usage --- Falco loads plugins based on configuration in [`falco.yaml`](https://github.com/falcosecurity/falco/blob/master/falco.yaml). Currently, if a plugin with event sourcing capability is loaded then the *only* events processed are from that plugin; syscall events are disabled. There are other restrictions on loaded plugins (see below). @@ -65,4 +67,4 @@ Falco can load multiple rules files, and each file may contain its own `required ## Plugin Developer's Guide -If you are interested in authoring your own plugin, or modifying an existing plugin to add new functionality, we've written a [developer's guide](/docs/plugins/developers-guide) that documents the full plugin APIs and walks through two existing plugins to show how the API is used. +If you are interested in authoring your own plugin, or modifying an existing plugin to add new functionality, we've written a [developer's guide](/docs/developer-guide/plugins) that documents the full plugin APIs and walks through two existing plugins to show how the API is used. diff --git a/content/en/docs/concepts/plugins/where-code.md b/content/en/docs/concepts/plugins/where-code.md deleted file mode 100644 index 0cbff091e..000000000 --- a/content/en/docs/concepts/plugins/where-code.md +++ /dev/null @@ -1,25 +0,0 @@ ---- -title: Where's the Code -linktitle: Where's the Code -description: Find out about the included plugins in Falco and the Plugins SDK -weight: 30 ---- - -## Plugins - -Plugins hosted and maintained by the Falcosecurity community are at the [plugins GitHub repository](https://github.com/falcosecurity/plugins). There, you can also find the [plugin registry](https://github.com/falcosecurity/plugins/blob/master/registry.yaml) containing info about all the plugins officially recognized by the Falcosecurity organization, which include both the ones hosted by the community and the external ones. - -### Included with Falco - -Falco itself includes the `k8saudit`, `cloudtrail` and `json` plugins in its packages and container images. The plugins are defined in `falco.yaml` but by default, no plugins are loaded when Falco starts. - -To add plugins, you can put them as shared libraries below `/usr/share/falco/plugins`, and use a relative path in the value for `library_path` in falco.yaml. - -## Plugins SDKs - -To facilitate the development of plugins written in Go, we've written a [SDK](https://github.com/falcosecurity/plugin-sdk-go) that provides support code for writing plugins. The SDK provides Go structs/enums corresponding to the C structs/enums used by the API, has utility packages that manage the details of memory management/type conversion, and presents abstract interfaces that provide a more streamlined interface to potential plugin authors. We go through the details and the architecture of the GO SDK in the [Go SDK walkthrough section](/docs/plugins/go-sdk-walkthrough). - -There is also an experimental [C++](https://github.com/falcosecurity/plugins/tree/master/sdk/cpp) SDK that defines abstract C++ base classes for plugins. Plugin authors can derive from these base classes and implement the abstract methods to provide demographic information, events, and extract fields from events. This SDK is currently in line with the most recent changes in the plugin API, and will be subject to many updates in the near future. - -All of the Falcosecurity-provided plugins use these SDKs. - diff --git a/content/en/docs/developer-guide/plugins/sdks.md b/content/en/docs/developer-guide/plugins/sdks.md new file mode 100644 index 000000000..fc46a15e3 --- /dev/null +++ b/content/en/docs/developer-guide/plugins/sdks.md @@ -0,0 +1,27 @@ +--- +title: Plugins SDKs +linktitle: SDKs +description: Available Falco Plugins SDKs +weight: 15 +--- + +## Plugins SDKs + +To facilitate the development of plugins, The Falco Project provides SDKs for multiple programming languages: Go, C++, and Rust. These SDKs provide flexibility for developers to choose the programming language they are most comfortable with while ensuring a consistent and streamlined experience when building Falco plugins. + +### C++ SDK +The [C++ SDK](https://github.com/falcosecurity/plugin-sdk-cpp) provides abstract base classes for plugin development. Plugin authors can derive from these base classes and implement abstract methods to: +- Supply plugin metadata and capabilities. +- Provide events. +- Extract fields from events. + +### Go SDK +We offer a [Go SDK](https://github.com/falcosecurity/plugin-sdk-go) that simplifies plugin development by providing support code and abstractions. This SDK includes: +- Go structs and enums corresponding to the C structs and enums used by the plugin API. +- Utility packages to handle memory management and type conversions. +- Abstract interfaces that provide a streamlined and user-friendly way to implement plugins. + +For a detailed explanation of the architecture and usage of the Go SDK, refer to the [Go SDK walkthrough section](/docs/plugins/go-sdk-walkthrough). + +### Rust SDK +We recently introduced a [Rust SDK](https://github.com/falcosecurity/plugin-sdk-rs), enabling developers to write plugins in Rust. The Rust SDK offers a safe, idiomatic interface for interacting with the Falco plugin API while leveraging Rust’s strong type system and memory safety guarantees. \ No newline at end of file