Yes, hello everyone. I'm glad to be able to share this with you here. [unclear introductory remarks] Do I need to wait for the translation to finish? No, no, no.

Let me ask first: has anyone here used Falco? Has anyone used Falco at work? Let me do a quick background survey. How many of you are [unclear]? How many do both? So it's still mostly [unclear]. Right? Thank you, thank you.

Let's begin. First let me introduce us. I am a security researcher, and a large part of my time is spent doing security work. First of all, we are trying to build a community. We want to build a community to help everyone use Falco for security work. We have our website, and we have our [unclear] channel: if you have any questions while using Falco, you can go there and ask. We also have our website, which [unclear]. Besides me, there are these other members; they are in the United States and Australia, so if you have any questions you will find people available at different times, around the clock. It is still a community, so it is still growing, it is still being organized, and we hope it can get better.

[unclear: the next part of the introduction is garbled in the recording]

Falco is runtime detection. By runtime detection I mean this: [unclear] for example, I believe this image is running, and I believe it is running this [unclear]. Because there is a predefined baseline, you can define which behaviours are normal, and anything else is [unclear]. This is our foundation.

[unclear] Based on all the information, the system calls are going to be processed, and we also support all the orchestrators for their integration. For our answer right now, it is going to be at the [unclear] level and also some [unclear] level; it can be wider and more expanded.

So if you look back at all of this: Falco is actually runtime testing, especially for containers, [unclear]. It is runtime detection, security detection, and it is still a sandbox project; it still needs to be finished.

Now let's look at some core principles. Here the focus is on [unclear], and we dig out all the pathways for Falco, and we go through these pathways one by one. The first one: for Falco, let's check these points. [unclear] We say some container is running. So this is an exec: this is a terminal bash that was running. I started copying the /etc/shadow file. When I started copying this /etc/shadow file, you will see another event happening: a file under /bin being renamed. Then I copied another program into /bin. So these are the behaviours you see, and most of them are actually quite strange. If you compare with a typical behaviour, with normal behaviour, you would not expect so many cp's and all kinds of strange programs running here.

So now we can talk about Falco's internal architecture. As I just mentioned, Falco is based on Sysdig; Falco is built on the Sysdig core, and it can decode system calls. A raw system call is actually very simple, maybe just a thread ID, but that information is not enough. So it is taken into the internal pipeline, and then we do context enrichment. For example, if I see this thread ID, I understand which process ID it comes from; if I see this process ID, I know which container it actually comes from; then we check which namespace this ID belongs to, and later, if it is Kubernetes, we understand which pod it is. So during this extraction process we enrich the information so that we can make a runtime detection decision. After that there is a rule engine: when the system call events come in, we check whether these events match the different rules, and then we report them.

Now let's take a quick look at a Falco rule. A rule is defined in a YAML file. The rule has a name, a description, and a condition, which is the main detection condition; we need to check the core part of the information. If the system call events satisfy this condition, we generate the output. So here in the output, let's check the priority, and how we write the output, and for which part [unclear].

Just now we talked about this: for an event from the system call, it is a certain behaviour; it is an open. What does the open do? This open is a write operation. And the file being written is in /bin or in /usr/bin. So this operation is a write, under these two directories; that is the condition of this rule: any system call, as long as it meets these conditions, is an open for write into these two directories.

Now, if I know that something has been opened, that someone has done a write under my directory, I want to know who is writing. So in the output of this rule we can define the user, %user.name, to know which user it is; then which command is doing this write, including your program and the program's input arguments; and then which file you wrote to. If you look back at the earlier demo, the file ls.hack was written into /usr/bin or /bin.

So that was based on system calls. After 1.13 there is Kubernetes audit. Has anyone started using Kubernetes audit? No? OK, do you know what audit is for? Simply put, who did what, and when: that is the information gathered by the audit, that is the logic for any data. [unclear] Since there are not so many people here, let's have some interaction. (Audience: [unclear], can it work as an overhead?) Actually no, there is none. Audit's purpose is auditing; the record can then be used for detection.

For Falco, it provides a Kubernetes channel. For example, I create a deployment or a StatefulSet. Without Kubernetes events, for example, I know there is a container running, and I know there is input and output, but I don't know what happened behind it: maybe you quietly downloaded an image, created a new [unclear], and afterwards created a network policy or something like that. When we talk about security we need a context, and this context is Kubernetes. The Kubernetes audit log lets us see more completely what happened.

This is a simple Kubernetes event: when it happened, what the action is, who requested it (the user), and what the object is. Here the object is a namespace, and the action is delete namespace. You wouldn't want somebody to delete a namespace while you don't get a notification; when you refresh the UI you see that the namespace is not there and you're confused. So the Kubernetes event gives you that kind of information, which clears up the confusion.

So how do I get Kubernetes audit events? Kubernetes actually supports all of these: you can write the events directly to a file on the master node, where you can define the audit log output; another one is called webhook, which sends all the events, like a RESTful request; and another one called audit sink, which supports dynamic changes of your audit policy. The mechanism Falco uses is the webhook: there is a web server, and this web server has only one job, which is to receive all the audit events. At the same time, if you want to use Kubernetes events, you have to configure the kube API server on your master node, change the --audit-... configuration, some parameters you need to change, and point it at the web server; then all the audit events will be transferred to the Falco web server. It's a POST.

So now you see, for Kubernetes audit events there are two kinds of information: the first one is the audit log, the other one is system calls. System calls are very foundational; the other is a very overall view based on Kubernetes; it is a higher-level information source. This slide is a bit of a deep dive, so I will not go very deep into it; let's skip this slide.

Because Falco has different information sources at the same time, we need a generic event interface, and only in this way can we pass different information at the same time. The rationale behind this is that we treat every information source as just an event. Then, for example, this is used to [unclear] a field. Here is a simple example: you can see here "foo": 1, "bar": {"baz": "t"}; the value for /foo is 1, and /bar/baz is t; this is the JSON pointer syntax by which we get the value. So the purpose of this is that when we are writing the condition, you need to use this: like the event type we mentioned earlier, for example event type, fd.name, user.name; all of these are JSON objects, and we just pull that information out.

OK, this is a Kubernetes audit event. This is its verb, its object reference (what object it points to), and [unclear], and on the left are the different JSON pointer reference methods. Of course, if you want to use JSON pointers, it means you need a very clear understanding of the pointers: you need to understand the event fields, what kind of value they generate and return back to you. So creating a Falco rule this way is quite difficult. But we've defined some macro fields, or reserved fields: ka.verb tells you what kind of action it is, whether it is delete or create; then ka.uri; ka.user.name means the user doing it; ka.target means the target, the object, whether it is a namespace or deployment or pod. It's the same, to facilitate [unclear]. All of these reference JSON pointers that point to the actual event fields. If you really want to know what on earth the event fields of Falco are, you just have to run falco --list [unclear], and then you see what kinds of reference fields, macros or event fields can be used.

All right, let's look at a little bit more complex instance. It's OK, because during the demo session I will prepare some simple cases for you, but this is a rather difficult one. So first, the Falco rule is to look at config maps: within the config map there are AWS keywords, like aws, access key id, [unclear]. All of these keywords represent a password or key that will be in this config map. Is this a problem? Do you think there is no problem? OK. Yes, I also think so. When it comes to passwords, you need to at least use Kubernetes Secrets. Although I don't like Kubernetes Secrets either, it is better than a config map. So I suggest, if you want to store passwords or private secret information, this is one way to create it.

See, this is the rule. Three macros are defined above. This is what we support: macros just help you reuse things; one macro can be used [unclear]. This is ka, for this kind of information; for example, this is a request, all the config map objects in the request, and it contains three possibilities, with aws, access key id. This is the first macro: because you don't want to write ka.target.resource in your rule every time, you define a macro equal to ka.target.resource = configmap. Then there is another macro, modify: you may not only be updating, probably it's a patch, so this modify is equivalent to create, update and patch; we call it modify. Then look at the Falco rule: see the name of the rule, the description of the rule, the condition of the rule. What is the condition here? The condition is configmap and modify and contains private credentials, the macro that includes some sensitive information. And what's in the output: config map created, with the user information, user equals the ka [unclear], verb, namespace. Actually this output is not very good. Why? Why? It shouldn't be done like this. OK. Then you will see this is about Kubernetes audit: you see it has a field called source, the source field, and here it is k8s_audit, whereas the default [unclear]. I will tell you in a moment about the two different kinds of rules.

OK, let's take a quick look at the demo. The demo flow is a different setup, but this is minikube, so you can only see that there is only one pod running in the cluster. OK, this is some test I did before. Next are some commands I'm going to run, and then you will see what kind of output you get in Falco. The first one is kubectl create serviceaccount [unclear]: I create a service account. OK, created successfully. It's a bit slow coming out. This is the first one: you can see who created this service account; the user is [unclear], and the namespace is default, and the decision is [unclear]; so this triggers an output event. Then the second thing we do: a cluster role binding, [unclear] binding, cluster role cluster-admin, service account, the one that was created previously. What are we doing? We are giving the cluster-admin role to that service account. OK. The previous one was informational level, not so high level, just a service account; but now we have a warning level, which means that suddenly there is a cluster-admin role being given to a service account. What do you think about this? We create a cluster-admin role binding and put it onto a service account; how do you think about this? (The speaker is now using the microphone.) Your service account is used to manage your own pod, your micro service. A cluster-level role you need to give to a user or a group, not to a service account. When Kubernetes defined service accounts, they are not for managing the cluster, just for managing the micro service.

Next I create a namespace, test-ns1. Likewise I will also see information here: a new namespace being created. For namespace creation you should know roughly how many namespaces you have; you can have a whitelist, and if a namespace is outside the whitelist you will understand it and you will have an alert. Meanwhile, when you create a namespace, it's going to create a service account; it's going to generate one along with it. So finally we are going to apply a YAML file. What do we use this YAML file for? It's a privileged pod, a pod with privileges. If I apply it, what will happen? OK, created. After I created it, you see it's again a warning level: pod started in privileged container. At the same time you will see another line coming from the Falco system call rules: because if you don't [unclear] the pod, all of your containers will be privileged. You are actually triggering two Falco rules: the Kubernetes audit rule, privileged pod launched, and the other one is the Falco system call rule, privileged container launched. That is what I want to show here: Kubernetes is very complicated, you need to have enough information and enough protocols to make the security decision; you need system-call-level information and also the Kubernetes audit information to help you with operational security.

OK, my time is up. Thank you very much. OK, three minutes. Once again, welcome to join our community Slack channel; you can ask us, it's in English, and there's also a Chinese-speaking one; you can also add my [unclear], it's in Chinese. So if you have any questions [unclear].

The major part and the [unclear] operating part: the vendors are not so many; you could only do one part; you need to use different attempts and different tools to integrate it yourself with your own application scenario. (The speaker is now using the microphone, so the interpreter cannot translate.) Do you think we have any method to do the [unclear] log? So we call it Falco; do you think, if Falco works well, it can be opened to other different logs and auditing? Yes, you are right. We have some applications; if you have application-level logs it would be much better, plain logs to be used in other different log analyzing. We have discussed it before. Response speed: for example, if you send all of your logs into Falco and do a transformation and match all the information, it would be much slower; this is one part of our concern. Our ideal: we provide a general monitoring interface, you put your data in and finally send your data to me, then you get your definition of the data, and you can actually work on the other side of Falco, and I will operate according to your Falco rules. Thank you. In the future, how big is the overhead going to be? Because we are based on Sysdig, the biggest overhead is in Sysdig: we need to gather through Sysdig, and it's very easy for us to match, because [unclear]; and for this overhead, it's less than 5%. I will limit; so our limit is this 4kbps. I know that the [unclear] is getting a monitoring without [unclear]. I want to ask: if I use eBPF to do this monitoring, what is the benefit of that, for Sysdig? So the Sysdig monitor is [unclear], and the problem is about the scalability, but Sysdig is going to permit this to address the [unclear] issue. For this, we are attempting to generate a unified Prometheus definition, and all the metrics are going to be written in the same language. OK, thank you very much.
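The k8s_audit rule walked through in the talk (the configmap, modify and contains-private-credentials macros, with ka.* fields resolved through JSON pointers into the audit event) as an added Python example; this is not Falco's own code. The ka.*-to-pointer mapping, the event layout and the sample events are constructed for illustration, and the alert reports key names only, never the secret values.

```python
import re

# Assumed mapping of Falco-style ka.* fields to RFC 6901 JSON pointers into a
# Kubernetes audit event (modelled on the talk, not copied from Falco).
KA_FIELDS = {"ka.verb": "/verb", "ka.user.name": "/user/username",
             "ka.target.resource": "/objectRef/resource",
             "ka.target.namespace": "/objectRef/namespace",
             "ka.req.configmap.obj": "/requestObject/data"}

def json_pointer(doc, pointer):
    """Resolve a pointer such as '/foo' or '/bar/baz'; None if absent."""
    cur = doc
    for tok in pointer.split("/")[1:]:                    # skip the empty root token
        tok = tok.replace("~1", "/").replace("~0", "~")   # unescape per RFC 6901
        if isinstance(cur, list) and tok.isdigit() and int(tok) < len(cur):
            cur = cur[int(tok)]
        elif isinstance(cur, dict) and tok in cur:
            cur = cur[tok]
        else:
            return None
    return cur

def ka(event, field):
    """Look up a ka.* field the way the rule engine would: through its pointer."""
    return json_pointer(event, KA_FIELDS[field])

# The three macros from the talk's rule; credential-looking keys, not values, are matched.
CREDENTIAL_RE = re.compile(r"aws_access_key_id|aws_secret_access_key|password", re.I)

def configmap(ev):                     # ka.target.resource = configmaps
    return ka(ev, "ka.target.resource") == "configmaps"

def modify(ev):                        # create, update and patch all count as modify
    return ka(ev, "ka.verb") in ("create", "update", "patch")

def contains_private_credentials(ev):
    return any(CREDENTIAL_RE.search(k) for k in (ka(ev, "ka.req.configmap.obj") or {}))

def evaluate(events):
    """Alert text for each matching event; key names are reported, values never echoed."""
    alerts = []
    for ev in events:
        if configmap(ev) and modify(ev) and contains_private_credentials(ev):
            keys = sorted(k for k in ka(ev, "ka.req.configmap.obj") if CREDENTIAL_RE.search(k))
            alerts.append(f"Warning: ConfigMap with private credential user={ka(ev, 'ka.user.name')} "
                          f"verb={ka(ev, 'ka.verb')} ns={ka(ev, 'ka.target.namespace')} keys={','.join(keys)}")
    return alerts

# Constructed sample audit events: a ConfigMap create carrying an AWS key, and a plain read.
SAMPLE_EVENTS = [
    {"verb": "create", "user": {"username": "dev-user"},
     "objectRef": {"resource": "configmaps", "namespace": "default"},
     "requestObject": {"data": {"AWS_ACCESS_KEY_ID": "AKIA-CONSTRUCTED", "LOG_LEVEL": "info"}}},
    {"verb": "get", "user": {"username": "dev-user"},
     "objectRef": {"resource": "configmaps", "namespace": "default"}},
]
```

Calling `evaluate(SAMPLE_EVENTS)` yields one alert for the create and none for the read, since `get` is not a modify verb.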