Henri DF
2016-04-28 02:57:50 +00:00
parent 8b5fcf866a
commit abe6220651
28 changed files with 43 additions and 38 deletions


@@ -1,18 +1,18 @@
# Digwatch: Host Activity Monitoring with Sysdig Filters
# Sysdig Falco: Host Activity Monitoring with Sysdig Filters
## Overview
Brief description of what, why, how, and pointer to website.
### What kind of events can digwatch detect?
### What kind of events can falco detect?
## Installing Digwatch
## Installing Falco
Installation instructions.
## Configuring Digwatch
## Configuring Falco
Digwatch is primarily configured via two files: a configuration file (such as the `digwatch.yaml` in this repository) and a rules file (such as the `digwatch_rules.conf` file in `rules/`). These two files are written to `/etc` after you install the Digwatch package.
Digwatch is primarily configured via two files: a configuration file (such as the `falco.yaml` in this repository) and a rules file (such as the `digwatch_rules.conf` file in `rules/`). These two files are written to `/etc` after you install the Falco package.
### Rules file
Explain the rules file syntax
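Review bot: the rewritten configuration sentence still names the rules file `digwatch_rules.conf` while the same line renames `digwatch.yaml` to `falco.yaml` and "Digwatch package" to "Falco package". If the file under `rules/` is renamed elsewhere in this commit, the sentence should read `falco_rules.conf`; if it is not, the rename is incomplete and a reader following the README will look for a file that no longer matches the rest of the document. Either way the two names in this one sentence should agree.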
@@ -21,17 +21,17 @@ Explain the rules file syntax
Explain the config file contents and syntax
## Running Digwatch
## Running Falco
Digwatch is intended to be run as a service. But for experimentation and designing/testing rulesets, you will likely want to run it manually from the command-line.
### Running Digwatch as a service
### Running Falco as a service
Instructions for Centos and Ubuntu.
### Running Digwatch manually
### Running Falco manually
## Building Digwatch
## Building Falco
### Building
Clone this repo in a directory that also contains the sysdig source repo. The result should be something like:
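Review bot: the unchanged context line "Digwatch is intended to be run as a service. But for experimentation..." was not updated, so the "Running Falco" section now opens by describing Digwatch. Suggest rewording it to "Falco is intended to be run as a service." so the headings and body text use one name.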
@@ -43,7 +43,7 @@ $ pwd
22:50 vagrant@vagrant-ubuntu-trusty-64:/sysdig
$ ls -l
total 20
drwxr-xr-x 1 vagrant vagrant 238 Feb 21 21:44 digwatch
drwxr-xr-x 1 vagrant vagrant 238 Feb 21 21:44 falco
drwxr-xr-x 1 vagrant vagrant 646 Feb 21 17:41 sysdig
```
@@ -56,18 +56,18 @@ $ cmake ..
$ make
```
as a result, you should have a digwatch executable in `build/userspace/digwatch/digwatch`.
as a result, you should have a falco executable in `build/userspace/falco/falco`.
### Running locally-built sysdig
Assuming you are in the `build` dir, you can run digwatch as:
Assuming you are in the `build` dir, you can run falco as:
`$ sudo ./userspace/digwatch/digwatch -c ../digwatch.yaml -r ../rules/digwatch_rules.conf`
`$ sudo ./userspace/falco/falco -c ../falco.yaml -r ../rules/falco_rules.conf`
Or instead you can try using some of the simpler rules files in `rules`. Or to get started, try creating a file with this:
Create a file with some [digwatch rules](Rule-syntax-and-design). For example:
Create a file with some [falco rules](Rule-syntax-and-design). For example:
```
write: (syscall.type=write and fd.typechar=f) or syscall.type=mkdir or syscall.type=creat or syscall.type=rename
interactive: proc.pname = bash or proc.pname = sshd
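Review bot: the documented command now passes `-r ../rules/falco_rules.conf`, which only works if the rules file under `rules/` was renamed in this same commit; the configuration section of this README still refers to `digwatch_rules.conf`, so the two sections disagree on the file name. Please confirm the rename of the rules file is part of this change set (the commit touches 28 files) and align the earlier sentence, otherwise the quoted command fails at startup with a missing rules file. The example rules at the end of the hunk (`write:` and `interactive:`) are unaffected by the rename.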