### Falco Driver Directory Structure Example Source: https://github.com/falcosecurity/falco/blob/master/proposals/20201025-drivers-storage-s3.md This is the expected directory structure for drivers hosted on S3, as referenced in the Falco installation documentation. ```bash /$driver_version$/falco_$target$_$kernelrelease$_$kernelversion$.[ko|o] ``` -------------------------------- ### Falcoctl Configuration for Artifacts Source: https://github.com/falcosecurity/falco/blob/master/chart/falco/BREAKING-CHANGES.md Configure Falcoctl to install and manage rulesfiles for loaded plugins. This example shows how to set allowed artifact types, disable dependency resolution, specify installation references, and define directories for rulesfiles and plugins. ```yaml # -- Extra environment variables that will be pass onto falcoctl-artifact-follow sidecar container. env: {} # -- Arguments to pass to the falcoctl-artifact-follow sidecar container. args: ["--verbose"] # -- Resources requests and limits for the falcoctl-artifact-follow sidecar container. resources: {} # -- Security context for the falcoctl-artifact-follow sidecar container. securityContext: {} # -- Configuration file of the falcoctl tool. It is saved in a configmap and mounted on the falcotl containers. config: # -- List of indexes that falcoctl downloads and uses to locate and download artiafcts. For more info see: # https://github.com/falcosecurity/falcoctl/blob/main/proposals/20220916-rules-and-plugin-distribution.md#index-file-overview indexes: - name: falcosecurity url: https://falcosecurity.github.io/falcoctl/index.yaml # -- Configuration used by the artifact commands. artifact: # -- List of artifact types that falcoctl will handle. If the configured refs resolves to an artifact whose type is not contained # in the list it will refuse to download and install that artifact. allowedTypes: - rulesfile install: # -- Do not resolve the dependencies for artifacts. By default is true, but for our use case we disable it. resolveDeps: false # -- List of artifacts to be installed by the falcoctl init container. refs: [k8saudit-rules:0.5] # -- Directory where the *rulesfiles* are saved. The path is relative to the container, which in this case is an emptyDir # mounted also by the Falco pod. rulesfilesDir: /rulesfiles # -- Same as the one above but for the artifacts. pluginsDir: /plugins follow: # -- List of artifacts to be installed by the falcoctl init container. refs: [k8saudit-rules:0.5] # -- Directory where the *rulesfiles* are saved. The path is relative to the container, which in this case is an emptyDir # mounted also by the Falco pod. rulesfilesDir: /rulesfiles # -- Same as the one above but for the artifacts. pluginsDir: /plugins EOF ``` -------------------------------- ### Install Falco Executable for Windows Source: https://github.com/falcosecurity/falco/blob/master/userspace/falco/CMakeLists.txt Installs the Falco target executable to the 'bin' directory when building on Windows. ```cmake elseif(WIN32) install( TARGETS falco DESTINATION bin COMPONENT "${FALCO_COMPONENT_NAME}" ) ``` -------------------------------- ### Install Falco Helm Chart Source: https://github.com/falcosecurity/falco/blob/master/chart/falco/README.md Installs the Falco Helm chart with a specified release name and namespace, creating the namespace if it doesn't exist. ```bash helm install falco falcosecurity/falco \ --create-namespace \ --namespace falco ``` -------------------------------- ### Falco Pod Status Example Source: https://github.com/falcosecurity/falco/blob/master/chart/falco/README.md An example output showing that Falco instances are running on different nodes within the Kubernetes cluster. ```text NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES falco-57w7q 1/1 Running 0 3m12s 10.244.0.1 control-plane falco-h4596 1/1 Running 0 3m12s 10.244.1.2 worker-node-1 falco-kb55h 1/1 Running 0 3m12s 10.244.2.3 worker-node-2 ``` -------------------------------- ### Install Falco with Modern eBPF Probe Source: https://github.com/falcosecurity/falco/blob/master/chart/falco/README.md Installs Falco using Helm, forcing the use of the modern eBPF probe driver. ```bash helm install falco falcosecurity/falco \ --create-namespace \ --namespace falco \ --set driver.kind=modern_ebpf ``` -------------------------------- ### Falco Log Output Example Source: https://github.com/falcosecurity/falco/blob/master/chart/falco/README.md Example log output from a Falco instance, showing version, configuration loading, plugin loading, rules file loading, and internal webserver status. ```text Fri Jul 8 16:07:24 2022: Falco version 0.32.0 (driver version 39ae7d40496793cf3d3e7890c9bbdc202263836b) Fri Jul 8 16:07:24 2022: Falco initialized with configuration file /etc/falco/falco.yaml Fri Jul 8 16:07:24 2022: Loading plugin (k8saudit) from file /usr/share/falco/plugins/libk8saudit.so Fri Jul 8 16:07:24 2022: Loading plugin (json) from file /usr/share/falco/plugins/libjson.so Fri Jul 8 16:07:24 2022: Loading rules from file /etc/falco/k8s_audit_rules.yaml: Fri Jul 8 16:07:24 2022: Starting internal webserver, listening on port 8765 ``` -------------------------------- ### Install Falco with Kernel Module Source: https://github.com/falcosecurity/falco/blob/master/chart/falco/README.md Installs Falco using Helm, forcing the use of the kernel module driver. ```bash helm install falco falcosecurity/falco \ --create-namespace \ --namespace falco \ --set driver.kind=kmod ``` -------------------------------- ### Start Falco Environment with Docker Compose Source: https://github.com/falcosecurity/falco/blob/master/docker/docker-compose/README.md Use this command to launch the Falco demonstration environment. You might need to prefix with 'sudo'. ```bash docker-compose up ``` -------------------------------- ### Helm Install Command Source: https://github.com/falcosecurity/falco/blob/master/chart/falco/README.md Installs Falco using Helm, creating a namespace and applying a custom values file. Ensure the 'falco' namespace exists before running. ```bash #make sure the falco namespace exists helm install falco falcosecurity/falco \ --create-namespace \ --namespace falco \ -f ./values-k8saudit.yaml ``` -------------------------------- ### Install Falco with Custom Rules Source: https://github.com/falcosecurity/falco/blob/master/chart/falco/README.md Installs the Falco Helm chart using a custom rules file, enabling the loaded custom rules in the Falco deployment. ```bash helm install falco -f custom-rules.yaml falcosecurity/falco ``` -------------------------------- ### Install Falcoctl Configuration Source: https://github.com/falcosecurity/falco/blob/master/scripts/CMakeLists.txt Installs the falcoctl configuration file to the system's configuration directory. This is performed on non-Windows, non-macOS, non-Emscripten, and non-MUSL builds. ```cmake if(NOT WIN32 AND NOT APPLE AND NOT EMSCRIPTEN AND NOT MUSL_OPTIMIZED_BUILD ) if(NOT DEFINED FALCOCTL_ETC_DIR) set(FALCOCTL_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falcoctl") endif() set(FALCOCTL_DRIVER_TYPES_LIST "") if(BUILD_FALCO_MODERN_BPF) list(APPEND FALCOCTL_DRIVER_TYPES_LIST "modern_ebpf") endif() if(BUILD_DRIVER) list(APPEND FALCOCTL_DRIVER_TYPES_LIST "kmod") endif() string(REPLACE ";" ", " FALCOCTL_DRIVER_TYPES "${FALCOCTL_DRIVER_TYPES_LIST}") configure_file( ${CMAKE_CURRENT_SOURCE_DIR}/falcoctl/falcoctl.yaml.in ${PROJECT_BINARY_DIR}/scripts/falcoctl/falcoctl.yaml ) install( FILES ${PROJECT_BINARY_DIR}/scripts/falcoctl/falcoctl.yaml DESTINATION "${FALCOCTL_ETC_DIR}" COMPONENT "${FALCO_COMPONENT_NAME}" ) endif() ``` -------------------------------- ### Install Falco Executable and Assets for Emscripten Source: https://github.com/falcosecurity/falco/blob/master/userspace/falco/CMakeLists.txt Installs the Falco JavaScript and WebAssembly files to the specified destination when building with Emscripten. ```cmake if(EMSCRIPTEN) install( FILES "$/falco.js" "$/falco.wasm" DESTINATION ${FALCO_BIN_DIR} COMPONENT "${FALCO_COMPONENT_NAME}" ) ``` -------------------------------- ### Install Falco Executable for Non-Windows/Non-Emscripten Source: https://github.com/falcosecurity/falco/blob/master/userspace/falco/CMakeLists.txt Installs the Falco target executable to the FALCO_BIN_DIR when building on non-Windows and non-Emscripten platforms. ```cmake else() install(TARGETS falco RUNTIME DESTINATION ${FALCO_BIN_DIR} COMPONENT "${FALCO_COMPONENT_NAME}") endif() ``` -------------------------------- ### Install pre-commit hooks for clang-format and cmake-format Source: https://github.com/falcosecurity/falco/blob/master/Contributing.md Installs the pre-commit git hooks for code formatting. Use this command to automatically format staged changes before committing. ```bash pre-commit install --install-hooks --hook-type pre-commit --overwrite ``` -------------------------------- ### Format all code with Makefile Source: https://github.com/falcosecurity/falco/blob/master/Contributing.md Formats all project code according to the defined style using the Makefile. Ensure clang-format and cmake-format are installed with the correct versions before running. ```bash make format-all ``` -------------------------------- ### Configure Falcoctl for Artifact Installation and Following Source: https://github.com/falcosecurity/falco/blob/master/chart/falco/BREAKING-CHANGES.md Save this YAML configuration to a file to enable falcoctl for installing and automatically following updates for Falco artifacts like rulesfiles and plugins. This configuration is intended for use with Helm. ```yaml cat << EOF > ./falcoctl-values.yaml #################### # falcoctl config # #################### falcoctl: image: # -- The image pull policy. pullPolicy: IfNotPresent # -- The image registry to pull from. registry: docker.io # -- The image repository to pull from. repository: falcosecurity/falcoctl # -- Overrides the image tag whose default is the chart appVersion. tag: "main" artifact: # -- Runs "falcoctl artifact install" command as an init container. It is used to install artfacts before # Falco starts. It provides them to Falco by using an emptyDir volume. install: enabled: true # -- Extra environment variables that will be pass onto falcoctl-artifact-install init container. env: {} # -- Arguments to pass to the falcoctl-artifact-install init container. args: ["--verbose"] # -- Resources requests and limits for the falcoctl-artifact-install init container. resources: {} # -- Security context for the falcoctl init container. securityContext: {} # -- Runs "falcoctl artifact follow" command as a sidecar container. It is used to automatically check for # updates given a list of artifacts. If an update is found it downloads and installs it in a shared folder (emptyDir) # that is accessible by Falco. Rulesfiles are automatically detected and loaded by Falco once they are installed in the # correct folder by falcoctl. To prevent new versions of artifacts from breaking Falco, the tool checks if it is compatible # with the running version of Falco before installing it. follow: enabled: true ``` -------------------------------- ### Configure Additional Configuration Files Source: https://github.com/falcosecurity/falco/blob/master/chart/falco/README.md Specify additional configuration files to be loaded after the main configuration. This example shows loading a folder with a default 'append' merge strategy. ```yaml falco.config_files: ["/etc/falco/config.d"] ``` -------------------------------- ### Global Variable Example Source: https://github.com/falcosecurity/falco/blob/master/Contributing.md Global variables should be prefixed with 'g_' to indicate their scope. ```c int g_nplugins; ``` -------------------------------- ### Enable Falco HTTP Output (Basic) Source: https://github.com/falcosecurity/falco/blob/master/chart/falco/README.md Install the Falco Helm chart with basic HTTP output enabled. Ensure JSON output is enabled and includes the output property for structured event data. ```shell helm install falco falcosecurity/falco \ --create-namespace \ --namespace falco \ --set falco.http_output.enabled=true \ --set falco.http_output.url="http://some.url/some/path/" \ --set falco.json_output=true \ --set falco.json_include_output_property=true ``` -------------------------------- ### Configure SSL Certificate Source: https://github.com/falcosecurity/falco/blob/master/chart/falco/README.md Provide the path to the combined SSL certificate and key file for the Falco webserver. Example command to generate a key/cert is provided. ```shell openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem cat certificate.pem key.pem > falco.pem sudo cp falco.pem /etc/falco/falco.pem ``` ```yaml falco.webserver.ssl_certificate: "/etc/falco/falco.pem" ``` -------------------------------- ### Packed Structure Example Source: https://github.com/falcosecurity/falco/blob/master/Contributing.md Use GCC and MSVC-compatible pragmas to define packed structures, ensuring memory alignment. ```c #pragma pack(push,1) struct frame_control { struct fields.... }; #pragma pack(pop) ``` -------------------------------- ### 64-bit Constant Example Source: https://github.com/falcosecurity/falco/blob/master/Contributing.md Append 'LL' to 64-bit constants to ensure they are interpreted correctly as 'long long' integers by compilers. ```c x=0X00FF00000000000LL ``` -------------------------------- ### Configure Falco Library Settings Source: https://github.com/falcosecurity/falco/blob/master/chart/falco/README.md Adjust Falco's performance and resource utilization by tuning falco_libs parameters. This example shows default values for several parameters. ```yaml falco.falco_libs: snaplen: 80 thread_table_auto_purging_interval_s: 300 thread_table_auto_purging_thread_timeout_s: 300 thread_table_size: 262144 ``` -------------------------------- ### Install Falco with Kubernetes Metadata Collector Source: https://github.com/falcosecurity/falco/blob/master/chart/falco/README.md Deploys Falco along with the k8s-metacollector and k8smeta plugin to gather Kubernetes resource metadata. ```bash helm install falco falcosecurity/falco \ --namespace falco \ --create-namespace \ --set collectors.kubernetes.enabled=true ``` -------------------------------- ### Configure Additional Configuration Files with Merge Strategy Source: https://github.com/falcosecurity/falco/blob/master/chart/falco/README.md Specify additional configuration files with a custom merge strategy. This example uses the 'override' strategy for a specific file path. ```yaml falco.config_files: - path: foo strategy: X ``` -------------------------------- ### Class Member Variable Example Source: https://github.com/falcosecurity/falco/blob/master/Contributing.md Class member variables should be prefixed with 'm_' to distinguish them from local variables. ```c public int32_t m_counter; ``` -------------------------------- ### Configure falcoctl artifact follow sidecar Source: https://github.com/falcosecurity/falco/blob/master/chart/falco/README.md Runs the "falcoctl artifact follow" command as a sidecar container to automatically check for and install artifact updates. ```yaml falcoctl.artifact.follow: {"args":["--log-format=json"],"enabled":true,"env":[],"envFrom":[],"mounts":{"volumeMounts":[]},"resources":{},"securityContext":{}} ``` -------------------------------- ### Enable Event Capture for Specific Rules Source: https://github.com/falcosecurity/falco/blob/master/chart/falco/README.md Configure individual rules to enable event capturing. This example shows how to set capture to true and specify a custom capture duration for a rule. ```yaml rule: Suspicious File Access desc: Detect suspicious file access patterns condition: > open_read and fd.name startswith "/etc/" output: > Suspicious file access (user=%user.name command=%proc.cmdline file=%fd.name) priority: WARNING capture: true capture_duration: 10000 # Capture for 10 seconds when this rule triggers ``` -------------------------------- ### Configure Systemd Service Files Source: https://github.com/falcosecurity/falco/blob/master/scripts/CMakeLists.txt Generates systemd service files for different Falco drivers on Linux systems. These files are copied to the build directory for subsequent installation. ```cmake file(MAKE_DIRECTORY ${PROJECT_BINARY_DIR}/scripts/systemd) configure_file( "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service" "${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY ) configure_file( "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service" "${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY ) configure_file( "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-modern-bpf.service" "${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY ) configure_file( "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-custom.service" "${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY ) configure_file( "${PROJECT_SOURCE_DIR}/scripts/systemd/falcoctl-artifact-follow.service" "${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY ) ``` -------------------------------- ### Configure RPM Package Scripts Source: https://github.com/falcosecurity/falco/blob/master/scripts/CMakeLists.txt Configures RPM package installation and uninstallation scripts. These scripts are crucial for managing Falco's lifecycle within RPM-based systems. ```cmake configure_file(rpm/postinstall.in rpm/postinstall COPYONLY) configure_file(rpm/postuninstall.in rpm/postuninstall COPYONLY) configure_file(rpm/preuninstall.in rpm/preuninstall COPYONLY) ``` -------------------------------- ### Define Custom Falco Rules Source: https://github.com/falcosecurity/falco/blob/master/chart/falco/README.md Example of a YAML file defining custom Falco rules for Traefik, including macros, lists, and specific detection rules for inbound connections and spawned processes. ```yaml customRules: rules-traefik.yaml: |- - macro: traefik_consider_syscalls condition: (evt.num < 0) - macro: app_traefik condition: container and container.image startswith "traefik" # Restricting listening ports to selected set - list: traefik_allowed_inbound_ports_tcp items: [443, 80, 8080] - rule: Unexpected inbound tcp connection traefik desc: Detect inbound traffic to traefik using tcp on a port outside of expected set condition: inbound and evt.rawres >= 0 and not fd.sport in (traefik_allowed_inbound_ports_tcp) and app_traefik output: Inbound network connection to traefik on unexpected port (command=%proc.cmdline pid=%proc.pid connection=%fd.name sport=%fd.sport user=%user.name %container.info image=%container.image) priority: NOTICE # Restricting spawned processes to selected set - list: traefik_allowed_processes items: ["traefik"] - rule: Unexpected spawned process traefik desc: Detect a process started in a traefik container outside of an expected set condition: spawned_process and not proc.name in (traefik_allowed_processes) and app_traefik output: Unexpected process spawned in traefik container (command=%proc.cmdline pid=%proc.pid user=%user.name %container.info image=%container.image) priority: NOTICE ``` -------------------------------- ### Build and Run Falco Unit Tests Source: https://github.com/falcosecurity/falco/blob/master/unit_tests/README.md Configure the build with CMake, compile the unit tests using make, and then execute them with sudo privileges. Ensure MINIMAL_BUILD is On and BUILD_DRIVER is Off for unit test compilation. ```bash cmake -DMINIMAL_BUILD=On -DBUILD_DRIVER=Off -DBUILD_FALCO_UNIT_TESTS=On .. make falco_unit_tests sudo ./unit_tests/falco_unit_tests ``` -------------------------------- ### Install pre-commit hook for DCO signed-off Source: https://github.com/falcosecurity/falco/blob/master/Contributing.md Installs the pre-commit git hook for adding the Developer Certificate of Origin (DCO) to commits. Ensure DCO configuration is complete before running. ```bash pre-commit install --install-hooks --hook-type prepare-commit-msg --overwrite ``` -------------------------------- ### Initialize Plugin Source: https://github.com/falcosecurity/falco/blob/master/proposals/20210501-plugin-system.md Required function to initialize the plugin and allocate its state. It takes a configuration string and returns a pointer to the plugin's opaque state. The initialization result is reported via the `rc` parameter. ```c ss_plugin_t* (*init)(char* config, int32_t* rc); ``` -------------------------------- ### Plugin API Function Pointers Source: https://github.com/falcosecurity/falco/blob/master/proposals/20210501-plugin-system.md Defines the function pointers that a Falco source plugin must implement to interact with the Falco engine. These include functions for getting version, event source, fields, opening/closing captures, reading next events, getting progress, converting events to strings, and extracting field values. ```c char* (*get_version)(); ``` ```c char* (*get_event_source)(); ``` ```c char* (*get_fields)(); ``` ```c ss_instance_t* (*open)(ss_plugin_t* s, char* params, int32_t* rc); ``` ```c void (*close)(ss_plugin_t* s, ss_instance_t* h); ``` ```c int32_t (*next)(ss_plugin_t* s, ss_instance_t* h, ss_plugin_event **evt); ``` ```c char* (*get_progress)(ss_plugin_t* s, ss_instance_t* h, uint32_t* progress_pct); ``` ```c char *(*event_to_string)(ss_plugin_t *s, const uint8_t *data, uint32_t datalen); ``` ```c char *(*extract_str)(ss_plugin_t *s, uint32_t evtnum, const char *id, const char *arg, const uint8_t *data, uint32_t datalen, int32_t* field_present); ``` ```c uint64_t (*extract_uint64)(ss_plugin_t *s, uint32_t evtnum, const char *id, const char *arg, const uint8_t *data, uint32_t datalen, int32_t* field_present); ``` -------------------------------- ### Build and Run Falco Unit Tests Source: https://github.com/falcosecurity/falco/blob/master/README.md After configuring with CMake, this command builds the Falco unit tests using make and then executes them with sudo. It dynamically determines the number of available processors to optimize the build process. ```bash nproc=$(grep processor /proc/cpuinfo | tail -n 1 | awk '{print $3}'); make -j$(($nproc-1)) falco_unit_tests; # Run the tests sudo ./unit_tests/falco_unit_tests; ``` -------------------------------- ### Get Plugin Name Source: https://github.com/falcosecurity/falco/blob/master/proposals/20210501-plugin-system.md Required function to return the plugin's name, which will be displayed when listing plugin information. ```c char* (*get_name)(); ``` -------------------------------- ### Falco Plugin Configuration in falco.yaml Source: https://github.com/falcosecurity/falco/blob/master/proposals/20210501-plugin-system.md Defines how to configure plugins in Falco using the 'plugins' property in falco.yaml. Each plugin entry specifies its name, library path, and initialization/open parameters, which can be provided directly or via files. The 'load_plugins' property allows for selective loading of defined plugins. ```yaml plugins: - name: aws_cloudtrail library_path: aws_cloudtrail/plugin.so init_config: "..." open_params: "..." - name: http_json library_path: http_json/plugin.so init_config_file: http_json/config.txt open_params_file: http_json/params.txt # Optional load_plugins: [aws_cloudtrail] ``` -------------------------------- ### Get Plugin Description Source: https://github.com/falcosecurity/falco/blob/master/proposals/20210501-plugin-system.md Required function to return a descriptive string about the plugin, used when displaying plugin or event information. ```c char* (*get_description)(); ``` -------------------------------- ### Configure Falcosidekick Full FQDN for Proxy Environments Source: https://github.com/falcosecurity/falco/blob/master/chart/falco/README.md When using a proxy, set `falcosidekick.fullfqdn=true` to ensure requests between Falco and Falcosidekick use the full FQDN, preventing potential interception by the proxy. ```shell --set falcosidekick.fullfqdn=true ``` -------------------------------- ### Get Plugin Contact Info Source: https://github.com/falcosecurity/falco/blob/master/proposals/20210501-plugin-system.md Required function to provide contact information for the plugin author, such as a URL, email, or Twitter handle. ```c char* (*get_contact)(); ``` -------------------------------- ### Enable Falco Webserver Source: https://github.com/falcosecurity/falco/blob/master/chart/falco/README.md Enable the embedded webserver within the Falco process. ```yaml falco.webserver.enabled: true ``` -------------------------------- ### Get Plugin Type Source: https://github.com/falcosecurity/falco/blob/master/proposals/20210501-plugin-system.md Required function that should return `TYPE_EXTRACTOR_PLUGIN`. This is necessary because the engine cannot inspect C struct types directly when using `dlsym`. ```c uint32_t (*get_type)(); ``` -------------------------------- ### Falco Rule with Unintended Append Behavior Source: https://github.com/falcosecurity/falco/blob/master/proposals/20200828-structured-exception-handling.md Example demonstrating how appending a condition without proper parentheses can lead to unintended logical behavior in Falco rules. ```yaml rule: my_rule condition: (evt.type=open and (fd.name=/tmp/foo or fd.name=/tmp/bar)) rule: my_rule condition: or fd.name=/tmp/baz append: true ``` -------------------------------- ### Configure Debian Package Scripts Source: https://github.com/falcosecurity/falco/blob/master/scripts/CMakeLists.txt Configures Debian package installation and removal scripts. These scripts are essential for managing Falco's lifecycle within Debian-based systems. ```cmake configure_file(debian/postinst.in debian/postinst COPYONLY) configure_file(debian/postrm.in debian/postrm COPYONLY) configure_file(debian/prerm.in debian/prerm COPYONLY) ``` -------------------------------- ### Enable Falco HTTP Output with mTLS Source: https://github.com/falcosecurity/falco/blob/master/chart/falco/README.md Install the Falco Helm chart with HTTP output enabled, including mutual TLS (mTLS) for secure communication. Client certificates, keys, and CA certificates can be provided via direct set or by mounting existing secrets. ```shell helm install falco falcosecurity/falco \ --create-namespace \ --namespace falco \ --set falco.http_output.enabled=true \ --set falco.http_output.url="https://some.url/some/path/" \ --set falco.json_output=true \ --set falco.json_include_output_property=true \ --set falco.http_output.mtls=true \ --set falco.http_output.client_cert="/etc/falco/certs/client/client.crt" \ --set falco.http_output.client_key="/etc/falco/certs/client/client.key" \ --set falco.http_output.ca_cert="/etc/falco/certs/client/ca.crt" \ --set-file certs.client.key="/path/to/client.key",certs.client.crt="/path/to/client.crt",certs.ca.crt="/path/to/cacert.crt" ``` -------------------------------- ### Enable Syslog Output Source: https://github.com/falcosecurity/falco/blob/master/chart/falco/README.md Enable sending Falco alerts to syslog. ```yaml falco.syslog_output.enabled: true ``` -------------------------------- ### Overwriting Falco Macro Condition Source: https://github.com/falcosecurity/falco/blob/master/proposals/20200828-structured-exception-handling.md Illustrates how to overwrite an existing macro's condition using `append: false`. This example modifies `user_known_update_package_registry` to include an exception for 'npm'. ```yaml - macro: user_known_update_package_registry condition: (proc.name in (npm)) append: false ``` -------------------------------- ### Deploy Falcosidekick with Falco Source: https://github.com/falcosecurity/falco/blob/master/chart/falco/README.md Enable the deployment of Falcosidekick alongside Falco by setting `falcosidekick.enabled=true`. This automatically configures Falco for integration and allows for further customization of Falcosidekick via prefixed values. ```shell --set falcosidekick.enabled=true --set falcosidekick.webui.enabled=true ``` -------------------------------- ### Get Extract Event Sources Source: https://github.com/falcosecurity/falco/blob/master/proposals/20210501-plugin-system.md Optional function that returns a JSON array of strings representing the event sources the plugin can consume. If NULL, the extractor receives all events. ```c char* (*get_extract_event_sources)(); ``` -------------------------------- ### Stream Falco Container Logs Live Source: https://github.com/falcosecurity/falco/blob/master/chart/falco/README.md Follows and streams logs from a Falco pod in real-time. Useful for live debugging. ```bash kubectl logs -f -n falco falco-pod-name ```