diff --git a/About-Falco.md b/About-Falco.md index 7d8a0eb..5e45ea8 100644 --- a/About-Falco.md +++ b/About-Falco.md @@ -1,3 +1,8 @@ +# FALCO DOCUMENTATION HAS MOVED +**The [new home](https://falco.org/docs) for Falco Documentation can be found on the [main Falco site](https://falco.org/docs).** + +**This page can be found at https://falco.org/docs** + # About Falco Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Powered by sysdig’s system call capture infrastructure, Falco lets you continuously monitor and detect container, application, host, and network activity... all in one place, from one source of data, with one set of rules. diff --git a/Actions-For-Dropped-System-Call-Events.md b/Actions-For-Dropped-System-Call-Events.md index bdedf3d..76702ac 100644 --- a/Actions-For-Dropped-System-Call-Events.md +++ b/Actions-For-Dropped-System-Call-Events.md @@ -1,3 +1,8 @@ +# FALCO DOCUMENTATION HAS MOVED +**The [new home](https://falco.org/docs) for Falco Documentation can be found on the [main Falco site](https://falco.org/docs).** + +**This page can be found at https://falco.org/docs/event-sources/dropped-events/** + # Introduction A new feature in 0.15.0 allows Falco to take actions when it detects dropped system call events. When system call events are dropped, Falco may have problems building its internal view of the processes, files, containers, and orchestrator metadata in use, which in turn may affect rules that depend on that metadata. These actions make it easier to detect when dropped system calls are occurring. diff --git a/Falco-Alerts.md b/Falco-Alerts.md index c9814f0..8379dbe 100644 --- a/Falco-Alerts.md +++ b/Falco-Alerts.md 
@@ -1,3 +1,8 @@ +# FALCO DOCUMENTATION HAS MOVED +**The [new home](https://falco.org/docs) for Falco Documentation can be found on the [main Falco site](https://falco.org/docs).** + +**This page can be found at https://falco.org/docs/alerts/** + # Falco Alerts Falco can send alerts to one or more channels: diff --git a/Falco-Configuration.md b/Falco-Configuration.md index 6d65a8f..90a355d 100644 --- a/Falco-Configuration.md +++ b/Falco-Configuration.md @@ -1,3 +1,8 @@ +# FALCO DOCUMENTATION HAS MOVED +**The [new home](https://falco.org/docs) for Falco Documentation can be found on the [main Falco site](https://falco.org/docs).** + +**This page can be found at https://falco.org/docs/configuration/** + # Falco Configuration Falco's configuration file is a [YAML](http://www.yaml.org/start.html) diff --git a/Falco-Default-and-Local-Rules-Files.md b/Falco-Default-and-Local-Rules-Files.md index 88350a9..807d603 100644 --- a/Falco-Default-and-Local-Rules-Files.md +++ b/Falco-Default-and-Local-Rules-Files.md @@ -1,3 +1,8 @@ +# FALCO DOCUMENTATION HAS MOVED +**The [new home](https://falco.org/docs) for Falco Documentation can be found on the [main Falco site](https://falco.org/docs).** + +**This page can be found at https://falco.org/docs/rules/default-custom/** + Starting with Falco 0.8.0, falco officially supports the notion of a _default_ rules file and a _local_ rules file. This has previously been supported by running falco with multiple `-r` arguments. In 0.8.0, we're formalizing this notion to make it easier to customize falco's behavior but still retain access to rule changes as a part of software upgrades. Of course, you can always customize the set of files you want to read by changing the `rules_file` option in `falco.yaml`. The default rules file is always read first, followed by the local rules file. diff --git a/Falco-Examples.md b/Falco-Examples.md index 28a1ddb..8709cda 100644 --- a/Falco-Examples.md +++ b/Falco-Examples.md 
@@ -1,3 +1,8 @@ +# FALCO DOCUMENTATION HAS MOVED +**The [new home](https://falco.org/docs) for Falco Documentation can be found on the [main Falco site](https://falco.org/docs).** + +**This page can be found at https://falco.org/docs/examples/** + # Falco Examples Here are some examples of the types of behavior falco can detect. diff --git a/Falco-Formatting-for-Containers-and-Orchestration.md b/Falco-Formatting-for-Containers-and-Orchestration.md index 1aed92c..c0ddb90 100644 --- a/Falco-Formatting-for-Containers-and-Orchestration.md +++ b/Falco-Formatting-for-Containers-and-Orchestration.md @@ -1,3 +1,9 @@ +# FALCO DOCUMENTATION HAS MOVED +**The [new home](https://falco.org/docs) for Falco Documentation can be found on the [main Falco site](https://falco.org/docs).** + +**This page can be found at https://falco.org/docs/alerts/formatting/** + + Like sysdig, falco has native support for containers and orchestration environments. With `-k`, falco communicates with the provided K8s API server to decorate events with the K8s pod/namespace/deployment/etc. associated with the event. With `-m`, falco communicates with the marathon server to do the same thing. Like sysdig, falco can be run with `-pk`/`-pm`/`-pc`/`-p` arguments that change the formatted output to be a k8s-friendly/mesos-friendly/container-friendly/general format. However, unlike sysdig, the source of formatted output is in the set of rules and not on the command line. This page provides more detail on how `-pk`/`-pm`/`-pc`/`-p` interacts with the format strings in the `output` attribute of rules. diff --git a/Falco-Kernel-Module.md b/Falco-Kernel-Module.md index 63fdff2..44c1183 100644 --- a/Falco-Kernel-Module.md +++ b/Falco-Kernel-Module.md 
@@ -1,3 +1,8 @@ +# FALCO DOCUMENTATION HAS MOVED +**The [new home](https://falco.org/docs) for Falco Documentation can be found on the [main Falco site](https://falco.org/docs).** + +**This page can be found at https://falco.org/docs/event-sources/kernel-module/** + # Introduction Falco depends on a kernel module that taps into the stream of system calls on a machine and passes those system calls to user space. diff --git a/Falco-Roadmap.md b/Falco-Roadmap.md deleted file mode 100644 index 6aa4e2e..0000000 --- a/Falco-Roadmap.md +++ /dev/null 
@@ -1,21 +0,0 @@ -Here's a sketch of the features we're planning on adding to Falco in the next several releases. When relevant, we've included links to the relevant github issues. Afterward, we'll list the specific features we're planning on adding in the next Falco relase (0.7.0). Of course, plans may change, but this should give you an idea of what's on the roadmap for Falco. If you see specific features you're especially excited for, or if you have features that you'd like to see that aren't on this list, let us know! - -# Overall Roadmap - -## Rule Improvements: - -* Bring back rulesets devoted to specific applications like apache, cassandra, etc. We originally commented these out as enabling them all slowed down falco too much, but we probably have more headroom now that rules are initially filtered by event type. Also if we add rule triggers they will only be enabled when the process is running. [[#183](https://github.com/draios/falco/issues/183)] -* Add rules that implement as much of the CIS Docker benchmark as possible in falco. [[#186](https://github.com/draios/falco/issues/186)] - -## Rule Mechanics Improvements - -* Rule triggers--load/unload sets of rules based on other rules firing. This allows gateways based on processes starting/stopping. [[#149](https://github.com/draios/falco/issues/149)] - -## New measurement capabilities -* Have the trigger for a rule be meta-information like resource usage instead of a specific action. [[#167](https://github.com/draios/falco/issues/167)] -* Flight data recorder--when a rule triggers, save the last N events to a trace file. [[#81](https://github.com/draios/falco/issues/81)] - -# 0.14.0 Planned Features - -* Add rulesets that provide support for specific applications packaged as containers. -* Add rules that implement as much of the CIS Docker benchmark as possible in falco. \ No newline at end of file diff --git a/Falco-Rules-Default-Macros.md b/Falco-Rules-Default-Macros.md index e0a0781..05f2fa8 100644 
--- a/Falco-Rules-Default-Macros.md +++ b/Falco-Rules-Default-Macros.md @@ -1,3 +1,8 @@ +# FALCO DOCUMENTATION HAS MOVED +**The [new home](https://falco.org/docs) for Falco Documentation can be found on the [main Falco site](https://falco.org/docs).** + +**This page can be found at https://falco.org/docs/rules/default-macros/** + ## Falco Rules Default Macros The default Falco rule set defines a number of macros that makes it easier to start writing rules. These macros provide shortcuts for a number of common scenarios and can be used in any user defined rule sets. Falco also provide Macros that should be overridden by the user to provide settings that are specific to a user's environment. The provided Macros can also be [appended to](Falco Rules Default Macros) in a local rules file. diff --git a/Falco-Rules.md b/Falco-Rules.md index 946d4d0..b1d8d71 100644 --- a/Falco-Rules.md +++ b/Falco-Rules.md @@ -1,3 +1,8 @@ +# FALCO DOCUMENTATION HAS MOVED +**The [new home](https://falco.org/docs) for Falco Documentation can be found on the [main Falco site](https://falco.org/docs).** + +**This page can be found at https://falco.org/docs/rules/** + # Rules _Call for contributions: If you come up with additional rules which you'd like to see in the core repository - PR welcome!_ diff --git a/Generating-Sample-Events.md b/Generating-Sample-Events.md index 9bce46e..3cdbe62 100644 --- a/Generating-Sample-Events.md +++ b/Generating-Sample-Events.md 
@@ -1,3 +1,8 @@ +# FALCO DOCUMENTATION HAS MOVED +**The [new home](https://falco.org/docs) for Falco Documentation can be found on the [main Falco site](https://falco.org/docs).** + +**This page can be found at https://falco.org/docs/event-sources/sample-events/** + If you'd like to see if falco is working properly, we've created a test program [event_generator](https://github.com/draios/falco/blob/dev/docker/event-generator/event_generator.cpp) that performs a bunch of suspect actions that are detected by the current falco ruleset. Here's the usage block for the test program: diff --git a/Home.md b/Home.md index 913eb9d..e34389d 100644 --- a/Home.md +++ b/Home.md @@ -1,3 +1,8 @@ +# FALCO DOCUMENTATION HAS MOVED +**The [new home](https://falco.org/docs) for Falco Documentation can be found on the [main Falco site](https://falco.org/docs).** + +**The wiki has been kept for historical reasons, but will be removed in the near future** + # Welcome to the **Falco** wiki! On this wiki, you can find information about Falco. If this is your first time hearing about Falco, we recommend you [start with the website](https://falco.org). diff --git a/How-to-Install-Falco-for-Linux.md b/How-to-Install-Falco-for-Linux.md index ebe108d..45a54b7 100644 --- a/How-to-Install-Falco-for-Linux.md +++ b/How-to-Install-Falco-for-Linux.md @@ -1,3 +1,8 @@ +# FALCO DOCUMENTATION HAS MOVED +**The [new home](https://falco.org/docs) for Falco Documentation can be found on the [main Falco site](https://falco.org/docs).** + +**This page can be found at https://falco.org/docs/installation/** + # Installation ## Scripted install diff --git a/How-to-Install-Falco-from-Source.md b/How-to-Install-Falco-from-Source.md index 41ba6eb..55e2acd 100644 --- a/How-to-Install-Falco-from-Source.md +++ b/How-to-Install-Falco-from-Source.md 
@@ -1,3 +1,8 @@ +# FALCO DOCUMENTATION HAS MOVED +**The [new home](https://falco.org/docs) for Falco Documentation can be found on the [main Falco site](https://falco.org/docs).** + +**This page can be found at https://falco.org/docs/source/** + # Building falco from source Building falco requires having `cmake` and `g++` installed. diff --git a/How-to-Install-Falco-using-Containers-and-or-Orchestration.md b/How-to-Install-Falco-using-Containers-and-or-Orchestration.md index f842093..555b5c1 100644 --- a/How-to-Install-Falco-using-Containers-and-or-Orchestration.md +++ b/How-to-Install-Falco-using-Containers-and-or-Orchestration.md @@ -1,3 +1,8 @@ +# FALCO DOCUMENTATION HAS MOVED +**The [new home](https://falco.org/docs) for Falco Documentation can be found on the [main Falco site](https://falco.org/docs).** + +**This page can be found at https://falco.org/docs/installation/** + # How to Install Falco using Containers ## Container install (general) diff --git a/Install-Falco-(Minikube).md b/Install-Falco-(Minikube).md index 8623731..af79e65 100644 --- a/Install-Falco-(Minikube).md +++ b/Install-Falco-(Minikube).md @@ -1,3 +1,8 @@ +# FALCO DOCUMENTATION HAS MOVED +**The [new home](https://falco.org/docs) for Falco Documentation can be found on the [main Falco site](https://falco.org/docs).** + +**This page can be found at https://falco.org/docs/installation/** + # Introduction The installation steps for Minikube aren't any different than other K8s Environment. See our [K8s Installation Instructions](../blob/dev/integrations/k8s-using-daemonset/README.md) for details. diff --git a/K8s-Audit-Event-Support.md b/K8s-Audit-Event-Support.md index 9493df6..b7e025b 100644 --- a/K8s-Audit-Event-Support.md +++ b/K8s-Audit-Event-Support.md 
@@ -1,3 +1,8 @@ +# FALCO DOCUMENTATION HAS MOVED +**The [new home](https://falco.org/docs) for Falco Documentation can be found on the [main Falco site](https://falco.org/docs).** + +**This page can be found at https://falco.org/docs/event-sources/kubernetes-audit/** + # Introduction As of Falco 0.13.0, falco supports a second source of events in addition to system call events: [K8s Audit Events](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-backends). An improved implementation of k8s audit events was introduced in k8s v1.11 and provides a log of requests and responses to [kube-apiserver](https://kubernetes.io/docs/admin/kube-apiserver). Since almost all cluster management tasks are done through the api server, the audit log is a way to track the changes made to your cluster. Examples of this include: diff --git a/Running-Falco.md b/Running-Falco.md index 7eb3b6e..9fdd471 100644 --- a/Running-Falco.md +++ b/Running-Falco.md @@ -1,3 +1,8 @@ +# FALCO DOCUMENTATION HAS MOVED +**The [new home](https://falco.org/docs) for Falco Documentation can be found on the [main Falco site](https://falco.org/docs).** + +**This page can be found at https://falco.org/docs/running/** + # Running Falco Falco is intended to be run as a service. But for experimentation and designing/testing rulesets, you will likely want to run it manually from the command-line. diff --git a/Supported-Fields.md b/Supported-Fields.md index 8fea947..ccb1eb4 100644 --- a/Supported-Fields.md +++ b/Supported-Fields.md 
@@ -1,3 +1,8 @@ +# FALCO DOCUMENTATION HAS MOVED +**The [new home](https://falco.org/docs) for Falco Documentation can be found on the [main Falco site](https://falco.org/docs).** + +**This page can be found at https://falco.org/docs/rules/supported-fields/** + # Introduction Here are the fields supported by falco on top of those supported by [Sysdig](https://github.com/draios/sysdig/wiki/Sysdig-User-Guide#user-content-filtering). You can also see this set of fields via `falco --list=`, with `` being one of the sources below.
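Review bot: In the About-Falco.md hunk, the "This page can be found at" line points at the docs root https://falco.org/docs, while every other banner in this change points at the page's specific new location (for example https://falco.org/docs/alerts/ for Falco-Alerts.md). If the About content has its own page on the new site, link that; otherwise the sentence should say the content is folded into the docs landing page rather than implying a one-to-one move. In all of the banners the first bold line also links both "new home" and "main Falco site" to the same URL; one link would do.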
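Review bot: The Falco-Formatting-for-Containers-and-Orchestration.md hunk is `@@ -1,3 +1,9 @@` and inserts two blank lines after the banner, where every other file gets one (`-1,3 +1,8`). Drop the extra blank line so the banner is identical across pages and the hunk reads as the same templated change as the rest.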
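Review bot: Falco-Roadmap.md is deleted outright instead of receiving the "documentation has moved" banner that every other page gets, so any inbound wiki link or bookmark to that page will 404 with no pointer to a replacement. Either keep a stub with the banner and a link to wherever the roadmap now lives, or state in the commit message that the roadmap is intentionally retired and that nothing on the wiki links to it.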
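Review bot: The Home.md banner says the wiki "will be removed in the near future" with no date or release, and that bold sentence is missing its closing period. Give a concrete removal milestone so readers know how long the historical copy will remain, and consider repeating that notice on the per-page banners, which currently only say where each page moved.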
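Review bot: The How-to-Install-Falco-for-Linux.md, How-to-Install-Falco-using-Containers-and-or-Orchestration.md and Install-Falco-(Minikube).md hunks all point at the same https://falco.org/docs/installation/ URL. That is fine if the new installation page covers the scripted, container and Minikube paths in one place, but if it has per-method sections, anchoring each banner to the matching section would save readers a search; worth checking before merging.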