From 635c413c5f6d2547602d74b57e132d39aed0187e Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 6 Oct 2021 09:44:15 -0700
Subject: [PATCH] Update default falco config for plugins

The default config defines the cloudtrail/json plugins but does not give them any actual config for init config/open params. load_plugins is empty so neither plugin is actually loaded by default.

Signed-off-by: Mark Stemm
---
 falco.yaml | 33 +++++++++++++++++++++++++++------
 1 file changed, 27 insertions(+), 6 deletions(-)

diff --git a/falco.yaml b/falco.yaml
index 1756a674..7fb01286 100644
--- a/falco.yaml
+++ b/falco.yaml
@@ -15,12 +15,6 @@
 # limitations under the License.
 #
 
-input_plugin:
- name: ""
- path: ""
- init_config: ""
- open_params: ""
-
 # File(s) or Directories containing Falco rules, loaded at startup.
 # The name "rules_file" is only for backwards compatibility.
 # If the entry is a file, it will be read directly. If the entry is a directory,
@@ -39,6 +33,33 @@ rules_file:
 - /etc/falco/k8s_audit_rules.yaml
 - /etc/falco/rules.d
 
+
+#
+# Plugins that are available for use. These plugins are not loaded by
+# default, as they require explicit configuration to point to
+# cloudtrail log files.
+#
+
+# To learn more about the supported formats for
+# init_config/open_params for the cloudtrail plugin, see the README at
+# https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md.
+plugins:
+ - name: cloudtrail
+ library_path: libcloudtrail.so
+ init_config: ""
+ open_params: ""
+ - name: json
+ library_path: libjson.so
+ init_config: ""
+ open_params: ""
+
+# Setting this list to empty ensures that the above plugins are *not*
+# loaded and enabled by default. If you want to use the above plugins,
+# set a meaningful init_config/open_params for the cloudtrail plugin
+# and then change this to:
+# load_plugins: [cloudtrail, json]
+load_plugins: []
+
 # If true, the times displayed in log messages and output messages
 # will be in ISO 8601. By default, times are displayed in the local
 # time zone, as governed by /etc/localtime.
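Review bot: The two `library_path` values added under `plugins:` (`libcloudtrail.so`, `libjson.so`) are bare file names, and the comment block does not say which directory they are resolved against. A plugin is presumably a shared object loaded into the Falco process, so an operator who enables `load_plugins` should be able to tell from this file exactly which path will be loaded. I would add a comment above `plugins:` along the lines of `# library_path: a bare name is looked up in <PLUGINS_DIR>; otherwise give an absolute path to a file only root can write`, with `<PLUGINS_DIR>` replaced by the directory the loader really uses. The resolution code is outside this patch, so whether a bare name can fall through to the process working directory or the dynamic-loader search path should be confirmed there.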