github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-21 01:47:47 +00:00
Code Issues Projects Releases Wiki Activity

Updated Running Falco (markdown)

Mark Stemm
2016-10-24 15:23:48 -07:00
parent 982a0c6f45
commit b7d8e20a7f
1 changed files with 38 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
Running-Falco.md

@@ -19,17 +19,49 @@ Usage: falco [options]
Options:
-h, --help Print this page
-c Configuration file (default /mnt/sf_mstemm/work/src/falco.dev/falco/falco.yaml, /etc/falco.yaml)
-o, --option <key>=<val> Set the value of option <key> to <val>. Overrides values in configuration file.
<key> can be a two-part <key>.<subkey>
-c Configuration file (default /mnt/sf_mstemm/work/src/falco/falco.yaml, /etc/falco.yaml)
-A Monitor all events, including those with EF_DROP_FALCO flag.
-d, --daemon Run as a daemon
-p, --pidfile <pid_file> When run as a daemon, write pid to specified file
-D <pattern> Disable any rules matching the regex <pattern>. Can be specified multiple times.
-e <events_file> Read the events from <events_file> (in .scap format) instead of tapping into live.
-r <rules_file> Rules file (defaults to value set in configuration file, or /etc/falco_rules.yaml).
-k <url>, --k8s-api=<url>
Enable Kubernetes support by connecting to the API server
specified as argument. E.g. "http://admin:password@127.0.0.1:8080".
The API server can also be specified via the environment variable
FALCO_K8S_API.
-K <bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>], --k8s-api-cert=<bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>]
Use the provided files names to authenticate user and (optionally) verify the K8S API
server identity.
Each entry must specify full (absolute, or relative to the current directory) path
to the respective file.
Private key password is optional (needed only if key is password protected).
CA certificate is optional. For all files, only PEM file format is supported.
Specifying CA certificate only is obsoleted - when single entry is provided
for this option, it will be interpreted as the name of a file containing bearer token.
Note that the format of this command-line option prohibits use of files whose names contain
':' or '#' characters in the file name.
-L Show the name and description of all rules and exit.
-l <rule> Show the name and description of the rule with name <rule> and exit.
-m <url[,marathon_url]>, --mesos-api=<url[,marathon_url]>
Enable Mesos support by connecting to the API server
specified as argument. E.g. "http://admin:password@127.0.0.1:5050".
Marathon url is optional and defaults to Mesos address, port 8080.
The API servers can also be specified via the environment variable
FALCO_MESOS_API.
-o, --option <key>=<val> Set the value of option <key> to <val>. Overrides values in configuration file.
<key> can be a two-part <key>.<subkey>
-p <output_format>, --print=<output_format>
Add additional information to each falco notification's output.
With -pc or -pcontainer will use a container-friendly format.
With -pk or -pkubernetes will use a kubernetes-friendly format.
With -pm or -pmesos will use a mesos-friendly format.
Additionally, specifying -pc/-pk/-pm will change the interpretation
of %container.info in rule output fields
See the examples section below for more info.
-P, --pidfile <pid_file> When run as a daemon, write pid to specified file
-r <rules_file> Rules file (defaults to value set in configuration file, or /etc/falco_rules.yaml).
Can be specified multiple times to read from multiple files.
-v Verbose output.
-A Monitor all events, including those with EF_DROP_FALCO flag.
```