Cloud Native Runtime Security
Last commit: 2016-04-22 16:01:37 -07:00

Repository contents (entry, last commit message, date):

rules                    Rename digwatch.conf -> digwatch_rules.conf   2016-04-13 03:43:30 +00:00
scripts                  Add install-digwatch script template          2016-04-21 16:33:17 -07:00
userspace/digwatch       rename digwatch_syslog -> digwatch_logger     2016-04-22 16:01:00 -07:00
.gitignore               .gitignore                                    2016-03-06 15:16:13 -08:00
CMakeCPackOptions.cmake  Build .deb, .rpm, and .tgz                    2016-03-31 18:54:52 -07:00
CMakeLists.txt           Change s3 URL https->http for Jenkins         2016-04-21 23:17:00 +00:00
digwatch.yaml            Digwatch logging                              2016-04-22 15:56:18 -07:00
README.md                Update README.md                              2016-04-12 21:57:10 -07:00

Digwatch: Host Activity Monitoring with Sysdig Filters

Overview

Brief description of what, why, how, and pointer to website.

What kind of events can digwatch detect?

Installing Digwatch

Installation instructions.

Configuring Digwatch

Digwatch is primarily configured via two files: a configuration file (such as the digwatch.yaml in this repository) and a rules file (such as the digwatch_rules.conf file in rules/). These two files are written to /etc after you install the Digwatch package.

Rules file

Explain the rules file syntax

Configuration file

Explain the config file contents and syntax

Running Digwatch

Digwatch is intended to be run as a service. But for experimentation and designing/testing rulesets, you will likely want to run it manually from the command-line.

Running Digwatch as a service

Instructions for Centos and Ubuntu.

Running Digwatch manually

Building Digwatch

Building

Clone this repo in a directory that also contains the sysdig source repo. The result should be something like:

22:50 vagrant@vagrant-ubuntu-trusty-64:/sysdig
$ pwd
/sysdig
22:50 vagrant@vagrant-ubuntu-trusty-64:/sysdig
$ ls -l
total 20
drwxr-xr-x  1 vagrant vagrant  238 Feb 21 21:44 digwatch
drwxr-xr-x  1 vagrant vagrant  646 Feb 21 17:41 sysdig

Create a build directory, then set up cmake and run make from that directory:

$ mkdir build
$ cd build
$ cmake ..
$ make

As a result, you should have a digwatch executable at build/userspace/digwatch/digwatch.

Running locally-built digwatch

Assuming you are in the build dir, you can run digwatch as:

$ sudo ./userspace/digwatch/digwatch -c ../digwatch.yaml -r ../rules/digwatch_rules.conf

Or you can try some of the simpler rules files in rules/. To get started, create a file with some digwatch rules, for example:

write: (syscall.type=write and fd.typechar=f) or syscall.type=mkdir or syscall.type=creat or syscall.type=rename
interactive: proc.pname = bash or proc.pname = sshd
write and interactive and fd.name contains sysdig
write and interactive and fd.name contains .txt

And you will see an output event for any interactive process that touches a file with "sysdig" or ".txt" in its name!
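To make the macro-and-rule structure of that file concrete, here is an added example in Python. It is not part of the Digwatch source: it treats each `name: expression` line as a macro, every other non-empty line as a rule, expands macro references by textual substitution (nested references and a self-referencing macro included), and evaluates the resulting filter against a few constructed events. Only the four rule lines come from this README; the tokenizer, the substitution semantics, the event dicts and the sample field values are assumptions made for the illustration.

```python
# Added illustration of the digwatch rules-file format, not Digwatch's own parser. Assumed reading
# of the README example: `name: expr` lines define macros; any other non-empty line is a rule.
import re

def tokenize(expr):
    # `syscall.type=write` stays one token, so the value `write` is never taken for the macro.
    return re.findall(r"\(|\)|[^\s()]+", expr)

def parse_rules_file(text):
    """Return ({macro_name: body}, [rule_text, ...])."""
    macros, rules = {}, []
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"^([A-Za-z_]\w*):\s*(.+)$", line)
        if m:
            macros[m.group(1)] = m.group(2)
        elif line and not line.startswith("#"):
            rules.append(line)
    return macros, rules

def expand_macros(tokens, macros, depth=0):
    """Replace each token naming a macro with that macro's (expanded) tokens in parentheses."""
    if depth > 20:  # assumed limit; catches a macro that references itself
        raise ValueError("macro nesting too deep (self-referencing macro?)")
    out = []
    for tok in tokens:
        if tok in macros:
            out += ["("] + expand_macros(tokenize(macros[tok]), macros, depth + 1) + [")"]
        else:
            out.append(tok)
    return out

def parse_filter(tokens):
    """Recursive descent: expr := term ('or' term)*; term := factor ('and' factor)*."""
    pos = [0]
    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None
    def take():
        if peek() is None:
            raise ValueError("unexpected end of expression")
        pos[0] += 1
        return tokens[pos[0] - 1]
    def expr():
        node = term()
        while peek() == "or":
            take()
            node = ("or", node, term())
        return node
    def term():
        node = factor()
        while peek() == "and":
            take()
            node = ("and", node, factor())
        return node
    def factor():
        tok = take()
        if tok == "(":
            node = expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        if "=" in tok:  # field=value written without spaces
            return ("eq",) + tuple(tok.split("=", 1))
        op = take()  # field = value   or   field contains value
        if op in ("=", "contains"):
            return ("eq" if op == "=" else "contains", tok, take())
        raise ValueError("bad comparison near %r" % tok)
    tree = expr()
    if peek() is not None:
        raise ValueError("unexpected token %r" % peek())
    return tree

def evaluate(node, event):
    # Evaluate a tree against one event dict; a field the event lacks compares false.
    kind, left, right = node
    if kind == "or":
        return evaluate(left, event) or evaluate(right, event)
    if kind == "and":
        return evaluate(left, event) and evaluate(right, event)
    actual = event.get(left)
    if actual is None:
        return False
    return str(actual) == right if kind == "eq" else right in str(actual)

def compile_rules(text):
    # Parse a rules file into [(rule_text, tree)] with all macros expanded.
    macros, rules = parse_rules_file(text)
    return [(r, parse_filter(expand_macros(tokenize(r), macros))) for r in rules]

def matching_rules(compiled, event):
    return [r for r, tree in compiled if evaluate(tree, event)]

# The README's example rules file, verbatim.
RULES_TEXT = """\
write: (syscall.type=write and fd.typechar=f) or syscall.type=mkdir or syscall.type=creat or syscall.type=rename
interactive: proc.pname = bash or proc.pname = sshd
write and interactive and fd.name contains sysdig
write and interactive and fd.name contains .txt
"""
# Constructed sample events (not captured from a real system), one dict per event.
SAMPLE_EVENTS = [
    {"syscall.type": "write", "fd.typechar": "f", "proc.pname": "bash", "fd.name": "/home/vagrant/notes.txt"},
    {"syscall.type": "write", "fd.typechar": "f", "proc.pname": "init", "fd.name": "/var/log/sysdig.log"},
    {"syscall.type": "mkdir", "proc.pname": "sshd", "fd.name": "/tmp/sysdig-build"},
    {"syscall.type": "write", "fd.typechar": "4", "proc.pname": "bash", "fd.name": "127.0.0.1:22->10.0.0.5:4242"},
]
```

Running `matching_rules(compile_rules(RULES_TEXT), ev)` over the four constructed events shows the intent of the two macros: only the first event (a shell child writing notes.txt) and the third (an ssh session creating a sysdig-named directory) fire a rule; the second fails the `interactive` macro because its parent is not a shell, and the fourth fails the `write` macro because the descriptor is not a file. The tokenizer deliberately keeps `syscall.type=write` as one token, which is why the value `write` inside the `write` macro's own body does not trigger a recursive expansion.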