From 4e525e3114423a32781d2fa0c564d40f2f6a57ff Mon Sep 17 00:00:00 2001
From: Henri DF
Date: Tue, 10 May 2016 13:27:05 -0700
Subject: [PATCH] Document general configuration
---
 README.md | 7 +++++--
 falco.yaml | 11 ++++++++++-
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 101dba0d..4af0c7d6 100644
--- a/README.md
+++ b/README.md
@@ -92,12 +92,15 @@ For many more examples of rules and macros, please take a look at the accompanyi
 #### Ignored system calls
-For performance reasons, some system calls are currently discarded before Falco processing. The current list is:
+For performance reasons, some system calls are currently discarded before Falco processing. The current list is: `clock_getres,clock_gettime,clock_nanosleep,clock_settime,close,epoll_create,epoll_create1,epoll_ctl,epoll_pwait,epoll_wait,eventfd,fcntl,fcntl64,fstat,fstat64,getitimer,gettimeofday,nanosleep,poll,ppoll,pread64,preadv,pselect6,pwrite64,pwritev,read,readv,recv,recvfrom,recvmmsg,recvmsg,select,send,sendfile,sendfile64,sendmmsg,sendmsg,sendto,setitimer,settimeofday,shutdown,socket,splice,switch,tee,timer_create,timer_delete,timerfd_create,timerfd_gettime,timerfd_settime,timer_getoverrun,timer_gettime,timer_settime,wait4,write,writev`
 ## Configuration
-Falco is configured via a yaml file. The sample config `falco.yaml` in this repo has comments describing the various options.
+
+General configuration is done via a separate yaml file. The
+[config file](falco.yaml) in this repo has comments describing the various
+configuration options.
 ## Installation
diff --git a/falco.yaml b/falco.yaml
index 719e4598..41a4de53 100644
--- a/falco.yaml
+++ b/falco.yaml
@@ -1,9 +1,18 @@
-rules_file: /etc/falco_rules.yaml
+# File containing Falco rules, loaded at startup.
+rules_file: /etc/falco_rules.conf
+
+# Whether to output events in json or text
 json_output: false
+# Send information logs to stderr and/or syslog Note these are *not* security
+# notification logs! These are just Falco lifecycle (and possibly error) logs.
 log_stderr: false
 log_syslog: true
+
+# Where security notifications should go.
+# Multiple outputs can be enabled.
+
 syslog_output:
   enabled: true
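Review bot: The `rules_file` default is changed from `/etc/falco_rules.yaml` to `/etc/falco_rules.conf` in a commit whose subject says it only documents configuration, and neither the commit message nor the README hunk mentions the rename; if any installer, package or deployment still ships the rules under the old name, Falco will start with the wrong rules file (or none), so the rename should either be called out in the commit message and README or split into its own change. The new comment on the logging options also runs two sentences together and should read `# Send information logs to stderr and/or syslog. Note these are *not* security`. Since the `syslog_output` comment says multiple outputs can be enabled, it would help to say what happens when none is, e.g. `# If no output is enabled, security notifications are not delivered anywhere.` — presumably the case, but confirm against the output code before adding it.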