diff --git a/cmake/cpack/CMakeCPackOptions.cmake b/cmake/cpack/CMakeCPackOptions.cmake
index 11e527d5..967cf882 100644
--- a/cmake/cpack/CMakeCPackOptions.cmake
+++ b/cmake/cpack/CMakeCPackOptions.cmake
@@ -5,6 +5,7 @@ if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
 list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-modern-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-plugin.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+ list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falcoctl.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 endif()

 if(CPACK_GENERATOR MATCHES "TGZ")
diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt
index e1330401..de6b2aa2 100644
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
@@ -26,6 +26,8 @@ file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-modern-bpf.service"
 DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
 file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-plugin.service"
 DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falcoctl.service"
+ DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")

 # Debian
 configure_file(debian/postinst.in debian/postinst)
diff --git a/scripts/debian/postinst.in b/scripts/debian/postinst.in
index 0a77454c..08c6b736 100755
--- a/scripts/debian/postinst.in
+++ b/scripts/debian/postinst.in
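Review bot: `file(COPY ...)` runs once at configure time and records no dependency on its input, so a later edit to `scripts/systemd/falcoctl.service` is not propagated to the build tree until someone re-runs CMake by hand; the three existing copies above it share the problem, this hunk just adds a fourth. `configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falcoctl.service" "${PROJECT_BINARY_DIR}/scripts/systemd/falcoctl.service" COPYONLY)` produces the same bytes and makes the build system re-run CMake when the source changes. It would also match the `configure_file` calls the `# Debian` section already uses for the maintainer scripts.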
@@ -17,19 +17,19 @@ #
 chosen_driver=
+enable_falcoctl=0
 if [ "$1" = "configure" ]; then
 if [ -x /usr/bin/dialog ]; then
 # If dialog is installed, create a dialog to let users choose the correct driver for them
- CHOICE=$(dialog --clear --backtitle "Choose your preferred driver" --title "Falco drivers" --menu "Choose one of the following options:" 15 40 5 \
+ CHOICE=$(dialog --clear --title "Falco drivers" --menu "Choose your preferred driver:" 12 40 5 \
 1 "Don't start" \
 2 "Kmod" \
 3 "eBPF" \
 4 "Modern eBPF" \
 5 "Plugin" \
 2>&1 >/dev/tty)
- if [ $? -eq 0 ]; then
- case $CHOICE in
+ case $CHOICE in
 2)
 chosen_driver="kmod"
 ;;
@@ -42,9 +42,20 @@ if [ "$1" = "configure" ]; then
 5)
 chosen_driver="plugin"
 ;;
- esac
- fi
- clear
+ esac
+
+ if [ -n "$chosen_driver" ]; then
+ CHOICE=$(dialog --clear --title "Falcoctl" --menu "Do you want to subscribe to automatic ruleset feed?" 10 40 2 \
+ 1 "No" \
+ 2 "Yes" \
+ 2>&1 >/dev/tty)
+ case $CHOICE in
+ 2)
+ enable_falcoctl=1
+ ;;
+ esac
+ fi
+ clear
 fi
 fi
@@ -68,6 +79,13 @@ if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-decon
 systemctl --system enable "falco-$chosen_driver.service" || true
 echo "[POST-INSTALL] Start 'falco-$chosen_driver.service':"
 systemctl --system start "falco-$chosen_driver.service" || true
+
+ if [ $enable_falcoctl -eq 1 ]; then
+ echo "[POST-INSTALL] Enable 'falcoctl.service':"
+ systemctl --system enable "falcoctl.service" || true
+ echo "[POST-INSTALL] Start 'falcoctl.service':"
+ systemctl --system start "falcoctl.service" || true
+ fi
 fi
 fi
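Review bot: Dropping the `if [ $? -eq 0 ]` guard means Cancel/Esc in the driver menu is now handled only implicitly — dialog writes no tag to the captured stderr in that case, so `$CHOICE` is empty, no `case` arm matches and `chosen_driver` stays unset, which is the "Don't start" path; the new Falcoctl menu relies on the same fall-through to keep `enable_falcoctl=0`. That is the intended behaviour, but it is no longer stated anywhere, and the rpm version of this hunk (scripts/rpm/postinstall.in, @@ -16) even deletes the `# When user presses cancel, go on as default (don't start)` comment that used to say so. Suggest a comment above the first `case $CHOICE in`: `# Cancel/Esc leaves CHOICE empty, so no arm matches and we fall through to "Don't start"`, and `# Cancel or "No" keeps enable_falcoctl=0` above the Falcoctl case, in both scripts. The enclosing `if [ "$1" = "configure" ]` block continues past this hunk.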
@@ -79,6 +97,12 @@ if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-decon
 echo "[POST-INSTALL] Trigger 'falco-$chosen_driver.service' condrestart:"
 # restart falco on upgrade if service is already running
 systemctl --system condrestart "falco-$chosen_driver.service" || true
+
+ if [ $enable_falcoctl -eq 1 ]; then
+ echo "[POST-INSTALL] Trigger 'falcoctl.service' condrestart:"
+ # restart falcoctl on upgrade if service is already running
+ systemctl --system condrestart "falcoctl.service" || true
+ fi
 fi
 fi
 fi
diff --git a/scripts/debian/postrm.in b/scripts/debian/postrm.in
index 02876b5b..1bce2b47 100755
--- a/scripts/debian/postrm.in
+++ b/scripts/debian/postrm.in
@@ -27,6 +27,7 @@ if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
 systemctl --system disable 'falco-bpf.service' || true
 systemctl --system disable 'falco-modern-bpf.service' || true
 systemctl --system disable 'falco-plugin.service' || true
+ systemctl --system disable 'falcoctl.service' || true
 echo "[POST-REMOVE] Trigger deamon-reload:"
 systemctl --system daemon-reload || true
diff --git a/scripts/debian/prerm.in b/scripts/debian/prerm.in
index 72f1013e..90cb8816 100755
--- a/scripts/debian/prerm.in
+++ b/scripts/debian/prerm.in
@@ -28,6 +28,7 @@ case "$1" in
 systemctl --system stop 'falco-bpf.service' || true
 systemctl --system stop 'falco-modern-bpf.service' || true
 systemctl --system stop 'falco-plugin.service' || true
+ systemctl --system stop 'falcoctl.service' || true
 echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
 falco-driver-loader --clean
diff --git a/scripts/rpm/postinstall.in b/scripts/rpm/postinstall.in
index 7dfaf3f2..800c914d 100755
--- a/scripts/rpm/postinstall.in
+++ b/scripts/rpm/postinstall.in
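Review bot: The new `if [ $enable_falcoctl -eq 1 ]` guard around the condrestart means an already-enabled falcoctl.service is restarted on upgrade only when the user answered "Yes" in this very run, since the diff shows no other assignment of `enable_falcoctl`; on a Debian upgrade where `dialog` is not installed the variable stays 0 and a running falcoctl keeps executing the old binary. In the rpm counterpart (scripts/rpm/postinstall.in, hunk @@ -90) the block is unreachable, because the dialog that sets the variable runs only under `$1 -eq 1` while the condrestart sits under `$1 -gt 1`. `systemctl condrestart` already restarts a unit only if it is running, so the guard buys nothing; drop the `if`/`fi` and run `systemctl --system condrestart "falcoctl.service" || true` unconditionally in both scripts, or gate it on `systemctl --system is-enabled --quiet falcoctl.service` if the echo should stay conditional. Note also that answering "No" on an upgrade leaves a previously enabled falcoctl.service running, since nothing in the configure path disables it. The enclosing `if` blocks begin before the hunk.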
@@ -16,32 +16,41 @@ #
 chosen_driver=
+enable_falcoctl=0
 if [ $1 -eq 1 ]; then
 if [ -x /usr/bin/dialog ]; then
 # If dialog is installed, create a dialog to let users choose the correct driver for them
- CHOICE=$(dialog --clear --backtitle "Choose your preferred driver" --title "Falco drivers" --menu "Choose one of the following options:" 15 40 5 \
+ CHOICE=$(dialog --clear --title "Falco drivers" --menu "Choose your preferred driver:" 12 40 5 \
 1 "Don't start" \
 2 "Kmod" \
 3 "eBPF" \
 4 "Modern eBPF" \
 5 "Plugin" \
 2>&1 >/dev/tty)
- # When user presses cancel, go on as default (don't start)
- if [ $? -eq 0 ]; then
+ case $CHOICE in
+ 2)
+ chosen_driver="kmod"
+ ;;
+ 3)
+ chosen_driver="bpf"
+ ;;
+ 4)
+ chosen_driver="modern-bpf"
+ ;;
+ 5)
+ chosen_driver="plugin"
+ ;;
+ esac
+ if [ -n "$chosen_driver" ]; then
+ CHOICE=$(dialog --clear --title "Falcoctl" --menu "Do you want to subscribe to automatic ruleset feed?" 10 40 2 \
+ 1 "No" \
+ 2 "Yes" \
+ 2>&1 >/dev/tty)
 case $CHOICE in
- 2)
- chosen_driver="kmod"
- ;;
- 3)
- chosen_driver="bpf"
- ;;
- 4)
- chosen_driver="modern-bpf"
- ;;
- 5)
- chosen_driver="plugin"
- ;;
+ 2)
+ enable_falcoctl=1
+ ;;
 esac
 fi
 clear
@@ -78,6 +87,13 @@ if [ $1 -eq 1 ]; then
 systemctl --system enable "falco-$chosen_driver.service" || true
 echo "[POST-INSTALL] Start 'falco-$chosen_driver.service':"
 systemctl --system start "falco-$chosen_driver.service" || true
+
+ if [ $enable_falcoctl -eq 1 ]; then
+ echo "[POST-INSTALL] Enable 'falcoctl.service':"
+ systemctl --system enable "falcoctl.service" || true
+ echo "[POST-INSTALL] Start 'falcoctl.service':"
+ systemctl --system start "falcoctl.service" || true
+ fi
 fi
 fi
@@ -90,6 +106,11 @@ if [ $1 -gt 1 ]; then
 echo "[POST-INSTALL] Trigger 'falco-$chosen_driver.service' condrestart:"
 # restart falco on upgrade if service is already running
 systemctl --system condrestart "falco-$chosen_driver.service" || true
+ if [ $enable_falcoctl -eq 1 ]; then
+ echo "[POST-INSTALL] Trigger 'falcoctl.service' condrestart:"
+ # restart falcoctl on upgrade if service is already running
+ systemctl --system condrestart "falcoctl.service" || true
+ fi
 fi
 fi
 fi
diff --git a/scripts/rpm/postuninstall.in b/scripts/rpm/postuninstall.in
index 8e148a5a..d63e14ea 100755
--- a/scripts/rpm/postuninstall.in
+++ b/scripts/rpm/postuninstall.in
@@ -23,6 +23,7 @@ if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
 systemctl --system disable 'falco-bpf.service' || true
 systemctl --system disable 'falco-modern-bpf.service' || true
 systemctl --system disable 'falco-plugin.service' || true
+ systemctl --system disable 'falcoctl.service' || true
 echo "[POST-REMOVE] Trigger deamon-reload:"
 systemctl --system daemon-reload || true
diff --git a/scripts/rpm/preuninstall.in b/scripts/rpm/preuninstall.in
index 3039d25b..dd7c0cf1 100755
--- a/scripts/rpm/preuninstall.in
+++ b/scripts/rpm/preuninstall.in
@@ -22,6 +22,7 @@ systemctl --system stop 'falco-kmod.service' || true
 systemctl --system stop 'falco-bpf.service' || true
 systemctl --system stop 'falco-modern-bpf.service' || true
 systemctl --system stop 'falco-plugin.service' || true
+systemctl --system stop 'falcoctl.service' || true
 echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
 falco-driver-loader --clean
@@ -37,3 +38,4 @@ falco-driver-loader --clean
 %systemd_preun 'falco-bpf.service'
 %systemd_preun 'falco-modern-bpf.service'
 %systemd_preun 'falco-plugin.service'
+%systemd_preun 'falcoctl.service'
\ No newline at end of file
diff --git a/scripts/systemd/falcoctl.service b/scripts/systemd/falcoctl.service
new file mode 100644
index 00000000..123d782f
--- /dev/null
+++ b/scripts/systemd/falcoctl.service
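Review bot: The added `%systemd_preun 'falcoctl.service'` leaves scripts/rpm/preuninstall.in without a trailing newline (`\ No newline at end of file`), which the file had before this change; add the newline so the last macro line is terminated like the ones above it. The explicit `systemctl --system stop 'falcoctl.service' || true` earlier in the file and the `%systemd_preun` macro both act on the unit at uninstall, which mirrors how the existing driver units are handled, so nothing else needs to change there.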
@@ -0,0 +1,22 @@
+[Unit]
+Description=Falcoctl: Administrative tooling for Falco
+Documentation=https://github.com/falcosecurity/falcoctl
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/falcoctl --follow
+UMask=0077
+TimeoutSec=30
+RestartSec=15s
+Restart=on-failure
+PrivateTmp=true
+NoNewPrivileges=yes
+ProtectHome=read-only
+ProtectSystem=full
+ProtectKernelTunables=true
+RestrictRealtime=true
+RestrictAddressFamilies=~AF_PACKET
+StandardOutput=null
+
+[Install]
+WantedBy=multi-user.target
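Review bot: `RestrictAddressFamilies=~AF_PACKET` is a deny-list that leaves AF_NETLINK and every other family available to a root process whose only job is to pull artifacts over the network; an allow-list, `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6`, is the conventional form for a network client and fails closed. `ProtectSystem=full` makes /etc read-only as well as /usr and /boot, so if `falcoctl --follow` installs the fetched rules under /etc/falco (its default location as far as I know — please verify against the falcoctl version being shipped) the service will fail on its first write unless that path is re-opened with `ReadWritePaths=/etc/falco`. `StandardOutput=null` discards everything falcoctl prints to stdout, so the record of which artifact was fetched and installed is lost from the journal unless falcoctl logs it to stderr; `StandardOutput=journal` keeps that trail for operators. Since the unit has no `User=`, it runs as root and writes content Falco later loads, which deserves a `# runs as root: fetched rules are trusted input for falco` comment above `[Service]` so the trust boundary is visible to whoever next edits the hardening lines.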