Created Generating Sample Events (markdown)

2025-09-20 01:17:46 +00:00 · 2016-08-12 14:37:32 -07:00
parent a78bbb184f
commit 79486a0dc0
1 changed files with 46 additions and 0 deletions
--- a/Generating-Sample-Events.md
+++ b/Generating-Sample-Events.md
@@ -0,0 +1,46 @@
+If you'd like to see if falco is working properly, we've created a test program [generate_events](https://github.com/draios/falco/blob/dev/docker/event-generator/event_generator.cpp) that performs a bunch of suspect actions that are detected by the current falco ruleset.
+
+Here's the usage block for the test program:
+
+```
+Usage /usr/local/bin/event_generator [options]
+
+Options:
+     -h/--help: show this help
+     -a/--action: actions to perform. Can be one of the following:
+          write_binary_dir                           Write to files below /bin
+          write_etc                                  Write to files below /etc
+          read_sensitive_file                        Read a sensitive file
+          read_sensitive_file_after_startup          As a trusted program, wait a while,
+                                                     then read a sensitive file
+          write_rpm_database                         Write to files below /var/lib/rpm
+          spawn_shell                                Run a shell (bash)
+          db_program_spawn_process                   As a database program, try to spawn
+                                                     another program
+          modify_binary_dirs                         Modify a file below /bin
+          mkdir_binary_dirs                          Create a directory below /bin
+          change_thread_namespace                    Change namespace
+          system_user_interactive                    Change to a system user and try to
+                                                     run an interactive command
+          network_activity                           Open network connections
+                                                     (used by system_procs_network_activity below)
+          system_procs_network_activity              Open network connections as a program
+                                                     that should not perform network actions
+          non_sudo_setuid                            Setuid as a non-root user
+          create_files_below_dev                     Create files below /dev
+          exec_ls                                    execve() the program ls
+                                                     (used by user_mgmt_binaries below)
+          user_mgmt_binaries                         Become the program "vipw", which triggers
+                                                     rules related to user management programs
+          all                                        All of the above
+     -i/--interval: Number of seconds between actions
+     -o/--once: Perform actions once and exit
+```
+
+This program is packaged in a [docker image](https://hub.docker.com/r/sysdig/falco-event-generator/) at docker hub. You can run it via the following:
+
+```
+docker run sysdig/falco-event-generator
+```
+
+It's highly recommended to run the program within docker, as it modifies files and directories below `/bin`, `/etc`, `/dev`, etc.