cleanup(config): fine tune new configs ordering and organization

* incorporate reviewers' suggestions re ordering and phrasing
* minor additional cleanups

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
Melissa Kilby 2023-05-24 07:58:54 -07:00 committed by poiana
parent e269057c41
commit f00b853fd4


@ -22,45 +22,48 @@
# Here is an index of the configuration categories to help you navigate # Here is an index of the configuration categories to help you navigate
# the Falco configuration file: # the Falco configuration file:
# #
# Falco rules + config files # Falco rules files
# rules_file # rules_file
# Falco config files
# watch_config_files # watch_config_files
# Falco outputs (basic) # Falco outputs settings
# time_format_iso_8601 # time_format_iso_8601
# priority # priority
# json_output # json_output
# json_include_output_property # json_include_output_property
# json_include_tags_property # json_include_tags_property
# buffered_outputs
# outputs (throttling)
# Falco outputs channels
# stdout_output # stdout_output
# syslog_output # syslog_output
# file_output # file_output
# buffered_outputs # http_output
# outputs (throttling) # program_output
# Falco internal logging / alerting / metrics (basic) # grpc_output
# Falco exposed services
# grpc
# webserver
# Falco logging / alerting / metrics related to software functioning (basic)
# log_stderr # log_stderr
# log_syslog # log_syslog
# log_level # log_level
# libs_logger # libs_logger
# Falco outputs (advanced) # Falco logging / alerting / metrics related to software functioning (advanced)
# grpc_output
# grpc
# http_output
# program_output
# webserver
# Falco internal logging / alerting / metrics (advanced)
# syscall_event_timeouts # syscall_event_timeouts
# syscall_event_drops # syscall_event_drops
# metrics # metrics
# output_timeout # output_timeout
# Falco cloud native relevant configs # Falco performance tuning (advanced)
# metadata_download
# load_plugins
# plugins
# Falco performance tuning
# syscall_buf_size_preset # syscall_buf_size_preset
# syscall_drop_failed_exit # syscall_drop_failed_exit
# base_syscalls # base_syscalls
# modern_bpf.cpus_for_each_syscall_buffer # modern_bpf.cpus_for_each_syscall_buffer
# metadata_download
# Falco plugins
# load_plugins
# plugins
################################ ################################
# Falco command-line arguments # # Falco command-line arguments #
@ -71,15 +74,15 @@
# configuration options from this config file as command-line arguments by using # configuration options from this config file as command-line arguments by using
# the `-o` flag followed by the option name and value. In the following example, # the `-o` flag followed by the option name and value. In the following example,
# three config options (`json_output`, `log_level`, and `log_stderr`) are passed as # three config options (`json_output`, `log_level`, and `log_stderr`) are passed as
# command-line arguments with their corresponding values : # command-line arguments with their corresponding values:
# `falco -o "json_output=true" -o "log_level=debug" -o "log_stderr=true"`. Please # `falco -o "json_output=true" -o "log_level=debug" -o "log_stderr=true"`. Please
# note that command-line arguments take precedence over the options specified in # note that command-line arguments take precedence over the options specified in
# this config file. # this config file.
############################## #####################
# Falco rules + config files # # Falco rules files #
############################## #####################
# Falco rules can be specified using files or directories, which are loaded at # Falco rules can be specified using files or directories, which are loaded at
# startup. The name "rules_file" is maintained for backwards compatibility. If # startup. The name "rules_file" is maintained for backwards compatibility. If
@ -110,6 +113,11 @@ rules_file:
- /etc/falco/falco_rules.local.yaml - /etc/falco/falco_rules.local.yaml
- /etc/falco/rules.d - /etc/falco/rules.d
######################
# Falco config files #
######################
# Falco monitors configuration and rule files for changes and automatically # Falco monitors configuration and rule files for changes and automatically
# reloads itself to apply the updated configuration when any modifications are # reloads itself to apply the updated configuration when any modifications are
# detected. This feature is particularly useful when you want to make real-time # detected. This feature is particularly useful when you want to make real-time
@ -119,20 +127,21 @@ rules_file:
watch_config_files: true watch_config_files: true
######################### ##########################
# Falco outputs (basic) # # Falco outputs settings #
######################### ##########################
# When enabled, Falco will display log and output messages with times in the ISO # When enabled, Falco will display log and output messages with times in the ISO
# 8601 format. By default, times are shown in the local time zone determined by # 8601 format. By default, times are shown in the local time zone determined by
# the /etc/localtime configuration. # the /etc/localtime configuration.
time_format_iso_8601: false time_format_iso_8601: false
# Any rule with a priority level more severe than the specified minimum level # Any rule with a priority level more severe than or equal to the specified
# will be loaded and run by Falco. This allows you to filter and control the # minimum level will be loaded and run by Falco. This allows you to filter and
# rules based on their severity, ensuring that only rules of a certain priority # control the rules based on their severity, ensuring that only rules of a
# or higher are active and evaluated by Falco. Supported levels: "emergency", # certain priority or higher are active and evaluated by Falco. Supported
# "alert", "critical", "error", "warning", "notice", "info", "debug" # levels: "emergency", "alert", "critical", "error", "warning", "notice",
# "info", "debug"
priority: debug priority: debug
# When enabled, Falco will output alert messages and rules file # When enabled, Falco will output alert messages and rules file
@ -154,29 +163,6 @@ json_include_output_property: true
# be added at a later stage, it is recommended to turn it off. # be added at a later stage, it is recommended to turn it off.
json_include_tags_property: true json_include_tags_property: true
# Falco supports various output sinks, such as syslog, stdout, file, gRPC,
# webhook, and more (explore the advanced Falco outputs options). You can enable
# or disable these sinks as needed to control where Falco alerts and log
# messages are directed. This flexibility allows seamless integration with your
# preferred logging and alerting systems. Multiple outputs can be enabled
# simultaneously.
stdout_output:
enabled: true
syslog_output:
enabled: true
# When appending Falco alerts to a file, each new output will be added to a new
# line. It's important to note that Falco does not perform log rotation for this
# file. If the `keep_alive` option is set to true, the file will be opened once
# and continuously written to, else the file will be reopened for each output
# message. Furthermore, the file will be closed and reopened if Falco receives
# the SIGUSR1 signal.
file_output:
enabled: false
keep_alive: false
filename: ./events.txt
# Enabling buffering for the output queue can offer performance optimization, # Enabling buffering for the output queue can offer performance optimization,
# efficient resource usage, and smoother data flow, resulting in a more reliable # efficient resource usage, and smoother data flow, resulting in a more reliable
# output mechanism. By default, buffering is disabled (false). # output mechanism. By default, buffering is disabled (false).
@ -206,52 +192,97 @@ outputs:
max_burst: 1000 max_burst: 1000
####################################################### ##########################
# Falco internal logging / alerting / metrics (basic) # # Falco outputs channels #
####################################################### ##########################
# Falco's internal informational logs, which are not related to Falco alert # Falco supports various output channels, such as syslog, stdout, file, gRPC,
# outputs but rather its lifecycle and potential errors, can be directed to # webhook, and more. You can enable or disable these channels as needed to
# stderr and/or syslog. # control where Falco alerts and log messages are directed. This flexibility
log_stderr: true # allows seamless integration with your preferred logging and alerting systems.
log_syslog: true # Multiple outputs can be enabled simultaneously.
# The `log_level` setting determines the minimum log level to include in Falco's # [Stable] `stdout_output`
# internal logs. This setting is separate from the `priority` field of rules and
# specifically controls the log level of Falco's internal logging. By specifying
# a log level, you can control the verbosity of Falco's internal logs. Only logs
# of a certain severity level or higher will be emitted. Supported levels:
# "emergency", "alert", "critical", "error", "warning", "notice", "info",
# "debug".
log_level: info
# The `libs_logger` setting in Falco determines the minimum log level to include
# in the internal logs of the underlying `libs`` library, which Falco utilizes.
# This setting is independent of the `priority`` field of rules and the `log_level``
# setting that controls Falco's internal logs. It allows you to specify the
# desired log level for the `libs` library specifically, providing more granular
# control over the logging behavior of the underlying components used by Falco.
# Only logs of a certain severity level or higher will be emitted. Supported
# levels: "emergency", "alert", "critical", "error", "warning", "notice",
# "info", "debug". It is not recommended for production use.
libs_logger:
enabled: false
severity: debug
############################
# Falco outputs (advanced) #
############################
# [Stable] `grpc_output` and `grpc`
# #
# gRPC output service. # Redirect logs to standard output.
stdout_output:
enabled: true
# [Stable] `syslog_output`
#
# Send logs to syslog.
syslog_output:
enabled: true
# [Stable] `file_output`
#
# When appending Falco alerts to a file, each new alert will be added to a new
# line. It's important to note that Falco does not perform log rotation for this
# file. If the `keep_alive` option is set to true, the file will be opened once
# and continuously written to, else the file will be reopened for each output
# message. Furthermore, the file will be closed and reopened if Falco receives
# the SIGUSR1 signal.
file_output:
enabled: false
keep_alive: false
filename: ./events.txt
# [Stable] `http_output`
#
# Send logs to an HTTP endpoint or webhook.
http_output:
enabled: false
url: http://some.url
user_agent: "falcosecurity/falco"
# Tell Falco to not verify the remote server.
insecure: false
# Path to the CA certificate that can verify the remote server.
ca_cert: ""
# Path to a specific file that will be used as the CA certificate store.
ca_bundle: ""
# Path to a folder that will be used as the CA certificate store. CA certificate need to be
# stored as indivitual PEM files in this directory.
ca_path: "/etc/ssl/certs"
# [Stable] `program_output`
#
# Redirect the output to another program or command.
#
# Possible additional things you might want to do with program output:
# - send to a slack webhook:
# program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
# - logging (alternate method than syslog):
# program: logger -t falco-test
# - send over a network connection:
# program: nc host.example.com 80
# If keep_alive is set to true, the program will be started once and
# continuously written to, with each output message on its own
# line. If keep_alive is set to false, the program will be re-spawned
# for each output message.
#
# Also, the program will be closed and reopened if falco is signaled with
# SIGUSR1.
program_output:
enabled: false
keep_alive: false
program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
# [Stable] `grpc_output`
#
# Use gRPC as an output service.
# By default it is off. # By default it is off.
# By enabling this all the output events will be kept in memory until you read them with a gRPC client. # By enabling this all the output events will be kept in memory until you read them with a gRPC client.
# Make sure to have a consumer for them or leave this disabled. # Make sure to have a consumer for them or leave this disabled.
grpc_output: grpc_output:
enabled: false enabled: false
##########################
# Falco exposed services #
##########################
# [Stable] `grpc`
#
# Falco supports running a gRPC server with two main binding types # Falco supports running a gRPC server with two main binding types
# 1. Over the network with mandatory mutual TLS authentication (mTLS) # 1. Over the network with mandatory mutual TLS authentication (mTLS)
# 2. Over a local unix socket with no authentication # 2. Over a local unix socket with no authentication
@ -280,43 +311,6 @@ grpc:
# when threadiness is 0, Falco automatically guesses it depending on the number of online cores # when threadiness is 0, Falco automatically guesses it depending on the number of online cores
threadiness: 0 threadiness: 0
# [Stable] `http_output`
#
http_output:
enabled: false
url: http://some.url
user_agent: "falcosecurity/falco"
# Tell Falco to not verify the remote server.
insecure: false
# Path to the CA certificate that can verify the remote server.
ca_cert: ""
# Path to a specific file that will be used as the CA certificate store.
ca_bundle: ""
# Path to a folder that will be used as the CA certificate store. CA certificate need to be
# stored as indivitual PEM files in this directory.
ca_path: "/etc/ssl/certs"
# [Stable] `program_output`
#
# Possible additional things you might want to do with program output:
# - send to a slack webhook:
# program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
# - logging (alternate method than syslog):
# program: logger -t falco-test
# - send over a network connection:
# program: nc host.example.com 80
# If keep_alive is set to true, the program will be started once and
# continuously written to, with each output message on its own
# line. If keep_alive is set to false, the program will be re-spawned
# for each output message.
#
# Also, the program will be closed and reopened if falco is signaled with
# SIGUSR1.
program_output:
enabled: false
keep_alive: false
program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
# [Stable] `webserver` # [Stable] `webserver`
# #
# Falco supports an embedded webserver and exposes the following endpoints: # Falco supports an embedded webserver and exposes the following endpoints:
@ -347,9 +341,43 @@ webserver:
ssl_certificate: /etc/falco/falco.pem ssl_certificate: /etc/falco/falco.pem
########################################################## ##############################################################################
# Falco internal logging / alerting / metrics (advanced) # # Falco logging / alerting / metrics related to software functioning (basic) #
########################################################## ##############################################################################
# Falco's logs related to the functioning of the software, which are not related
# to Falco alert outputs but rather its lifecycle, settings and potential
# errors, can be directed to stderr and/or syslog.
log_stderr: true
log_syslog: true
# The `log_level` setting determines the minimum log level to include in Falco's
# internal logs. This setting is separate from the `priority` field of rules and
# specifically controls the log level of Falco's internal logging. By specifying
# a log level, you can control the verbosity of Falco's internal logs. Only logs
# of a certain severity level or higher will be emitted. Supported levels:
# "emergency", "alert", "critical", "error", "warning", "notice", "info",
# "debug".
log_level: info
# The `libs_logger` setting in Falco determines the minimum log level to include
# in the logs related to the functioning of the software of the underlying
# `libs` library, which Falco utilizes. This setting is independent of the
# `priority` field of rules and the `log_level` setting that controls Falco's
# internal logs. It allows you to specify the desired log level for the `libs`
# library specifically, providing more granular control over the logging
# behavior of the underlying components used by Falco. Only logs of a certain
# severity level or higher will be emitted. Supported levels: "emergency",
# "alert", "critical", "error", "warning", "notice", "info", "debug". It is not
# recommended for production use.
libs_logger:
enabled: false
severity: debug
#################################################################################
# Falco logging / alerting / metrics related to software functioning (advanced) #
#################################################################################
# [Stable] `syscall_event_timeouts` # [Stable] `syscall_event_timeouts`
# #
@ -532,52 +560,9 @@ output_timeout: 2000
####################################### #######################################
# Falco cloud native relevant configs # # Falco performance tuning (advanced) #
####################################### #######################################
# [Stable] `metadata_download`
#
# Container orchestrator metadata fetching params
metadata_download:
max_mb: 100
chunk_wait_us: 1000
watch_freq_sec: 1
# [Experimental] `load_plugins` and `plugins`
#
# Setting this list to empty ensures that the above plugins are *not*
# loaded and enabled by default. If you want to use the above plugins,
# set a meaningful init_config/open_params for the cloudtrail plugin
# and then change this to:
# load_plugins: [cloudtrail, json]
load_plugins: []
# Plugins that are available for use. These plugins are not loaded by
# default, as they require explicit configuration to point to
# cloudtrail log files.
# To learn more about the supported formats for
# init_config/open_params for the cloudtrail plugin, see the README at
# https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md.
plugins:
- name: k8saudit
library_path: libk8saudit.so
init_config:
# maxEventSize: 262144
# webhookMaxBatchSize: 12582912
# sslCertificate: /etc/falco/falco.pem
open_params: "http://:9765/k8s-audit"
- name: cloudtrail
library_path: libcloudtrail.so
# see docs for init_config and open_params:
# https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md
- name: json
library_path: libjson.so
############################
# Falco performance tuning #
############################
# [Stable] `syscall_buf_size_preset` # [Stable] `syscall_buf_size_preset`
# #
# --- [Description] # --- [Description]
@ -813,3 +798,49 @@ base_syscalls:
modern_bpf: modern_bpf:
cpus_for_each_syscall_buffer: 2 cpus_for_each_syscall_buffer: 2
# [Stable] `metadata_download`
#
# Container orchestrator metadata fetching params
metadata_download:
max_mb: 100
chunk_wait_us: 1000
watch_freq_sec: 1
#################
# Falco plugins #
#################
# [Stable] `load_plugins`
#
# Setting this list to empty ensures that the below plugins are *not*
# loaded and enabled by default. If you want to use the below plugins,
# set a meaningful init_config/open_params. For example, if you want to
# use the k8saudit plugin, ensure it is configured appropriately and then
# change this to:
# load_plugins: [k8saudit, json]
load_plugins: []
# [Stable] `plugins`
#
# Plugins that are available for use. These plugins are not loaded by
# default, as they require explicit configuration to point to
# cloudtrail log files.
# To learn more about the supported formats for
# init_config/open_params for the cloudtrail plugin, see the README at
# https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md.
plugins:
- name: k8saudit
library_path: libk8saudit.so
init_config:
# maxEventSize: 262144
# webhookMaxBatchSize: 12582912
# sslCertificate: /etc/falco/falco.pem
open_params: "http://:9765/k8s-audit"
- name: cloudtrail
library_path: libcloudtrail.so
# see docs for init_config and open_params:
# https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md
- name: json
library_path: libjson.so
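Review bot: The `insecure` comment under `http_output` in the "Falco outputs channels" hunk (`# Tell Falco to not verify the remote server.`) should name what is actually switched off, since it is the most consequential knob in that stanza; suggest `# When true, skip TLS certificate verification of the remote server (keep false outside testing).` The same stanza carries the typo `indivitual` in the `ca_path` comment, and its example `url: http://some.url` could use an `https://` placeholder so the default example does not model sending alerts in cleartext. In the final hunk the `plugins` description still says the plugins "require explicit configuration to point to cloudtrail log files" while the `load_plugins` example directly above it now names `[k8saudit, json]`; the sentence should either cover the k8saudit webhook settings as well or be generalized to "require explicit configuration". These are moved lines, so the wording predates this commit, but the reorganization is the natural moment to fix them.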