github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-01 06:29:47 +00:00
Code Issues Projects Releases Wiki Activity

Update README.md

Browse Source
This commit is contained in:
Henri DF 2016-02-21 15:11:13 -08:00
parent 8d7efbfc6b
commit 37da302b39
1 changed files with 71 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
README.md
View File

@ -1 +1,71 @@
Digwatch: security monitoring with sysdig
# Digwatch: security monitoring with sysdig
## Build and run instructions
_Note:_ This is not yet set up to be propertly packaged and installed. For now, running digwatch means building it and installing it manually on the host where you want to run it.
### Building
Clone this repo in a directory that also contains the sysdig source repo. The result should be something like:
```
22:50 vagrant@vagrant-ubuntu-trusty-64:/sysdig
$ pwd
/sysdig
22:50 vagrant@vagrant-ubuntu-trusty-64:/sysdig
$ ls -la
total 20
drwxr-xr-x 1 vagrant vagrant 306 Feb 16 23:06 .
drwxr-xr-x 25 root root 4096 Feb 18 19:24 ..
drwxr-xr-x 1 vagrant vagrant 680 Jan 23 19:32 agent
drwxr-xr-x 1 vagrant vagrant 238 Feb 21 21:44 digwatch
drwxr-xr-x 1 vagrant vagrant 646 Feb 21 17:41 sysdig
```
create a build dir, then setup cmake and run make from that dir:
```
$ mkdir build
$ cd build
$ cmake ..
$ make
```
as a result, you should have a digwatch executable `build/userspace/digwatch/digwatch`.
Still not quite done yet! we need to install the [lpeg](http://www.inf.puc-rio.br/~roberto/lpeg/) Lua library. (This should be done automatically as part of the build of course...). To install it, just do: `luarocks install lpeg`.
### Running
Set the path of the digwatch lua directory in the env var `DIGWATCH_LUA_DIR`:
`export DIGWATCH_LUA_DIR=/sysdig/digwatch/userspace/digwatch/lua/`
(this is just for the manually-built version; the packaged/installed version will not need such an env var).
Create a file with some [digwatch rules](Rule-syntax-and-design). For example:
```
write: (syscall.type=write and fd.typechar=f) or syscall.type=mkdir or syscall.type=creat or syscall.type=rename
interactive: evt.type=execve and proc.pname=bash
write and interactive and fd.name contains sysdig
write and interactive and fd.name contains .txt
```
Let's assume you called that file rules.txt. Now you can run digwatch like so:
`./userspace/digwatch/digwatch rules.txt`
And you will see an output event for any interactive process that touches a file with "sysdig" or ".txt" in its name!