github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-12 14:08:27 +00:00
Code Issues Projects Releases Wiki Activity
Cloud Native Runtime Security
183 Commits 118 Branches 173 Tags 104 MiB
C++ 83.7%
CMake 8.2%
C 3.5%
Shell 3.1%
Dockerfile 1.2%
Other 0.3%
657573d3a9
Go to file
Henri DF 657573d3a9 Merge pull request #31 from draios/discard-by-type 
Drop high-volume events
2016-04-28 15:36:33 -07:00
rules Renaming 2016-04-28 03:28:19 +00:00
scripts Renaming 2016-04-28 03:28:19 +00:00
userspace/falco Drop high-volume events 2016-04-28 20:58:28 +00:00
.gitignore .gitignore 2016-03-06 15:16:13 -08:00
CMakeCPackOptions.cmake Build .deb, .rpm, and .tgz 2016-03-31 18:54:52 -07:00
CMakeLists.txt Renaming 2016-04-28 03:28:19 +00:00
falco.yaml Renaming 2016-04-28 03:28:19 +00:00
README.md Update README.md 2016-04-27 22:10:35 -07:00

README.md

Sysdig Falco

Host Activity Monitoring using Sysdig Event Filtering

Overview

Brief description of what, why, how, and pointer to website.

What kind of events can falco detect?

Installing Falco

Installation instructions.

Configuring Falco

Digwatch is primarily configured via two files: a configuration file (such as the falco.yaml in this repository) and a rules file (such as the digwatch_rules.conf file in rules/). These two files are written to /etc after you install the Falco package.

Rules file

Explain the rules file syntax

Configuration file

Explain the config file contents and syntax

Running Falco

Digwatch is intended to be run as a service. But for experimentation and designing/testing rulesets, you will likely want to run it manually from the command-line.

Running Falco as a service

Instructions for Centos and Ubuntu.

Running Falco manually

Building Falco

Building

Clone this repo in a directory that also contains the sysdig source repo. The result should be something like:

22:50 vagrant@vagrant-ubuntu-trusty-64:/sysdig
$ pwd
/sysdig
22:50 vagrant@vagrant-ubuntu-trusty-64:/sysdig
$ ls -l
total 20
drwxr-xr-x  1 vagrant vagrant  238 Feb 21 21:44 falco
drwxr-xr-x  1 vagrant vagrant  646 Feb 21 17:41 sysdig

create a build dir, then setup cmake and run make from that dir:

$ mkdir build
$ cd build
$ cmake ..
$ make

as a result, you should have a falco executable in build/userspace/falco/falco.

Running locally-built sysdig

Assuming you are in the build dir, you can run falco as:

$ sudo ./userspace/falco/falco -c ../falco.yaml -r ../rules/falco_rules.conf

Or instead you can try using some of the simpler rules files in rules. Or to get started, try creating a file with this:

Create a file with some falco rules. For example:

write: (syscall.type=write and fd.typechar=f) or syscall.type=mkdir or syscall.type=creat or syscall.type=rename
interactive: proc.pname = bash or proc.pname = sshd
write and interactive and fd.name contains sysdig
write and interactive and fd.name contains .txt

And you will see an output event for any interactive process that touches a file with "sysdig" or ".txt" in its name!