From b7d8e20a7fd833fb3e3b2763248d0712f35a84fe Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Mon, 24 Oct 2016 15:23:48 -0700 Subject: [PATCH] Updated Running Falco (markdown) --- Running-Falco.md | 44 ++++++++++++++++++++++++++++++++++++++------ 1 file changed, 38 insertions(+), 6 deletions(-) diff --git a/Running-Falco.md b/Running-Falco.md index a813557..f9833dc 100644 --- a/Running-Falco.md +++ b/Running-Falco.md 
@@ -19,17 +19,49 @@ Usage: falco [options] Options: -h, --help Print this page - -c Configuration file (default /mnt/sf_mstemm/work/src/falco.dev/falco/falco.yaml, /etc/falco.yaml) - -o, --option = Set the value of option to . Overrides values in configuration file. - can be a two-part . + -c Configuration file (default /mnt/sf_mstemm/work/src/falco/falco.yaml, /etc/falco.yaml) + -A Monitor all events, including those with EF_DROP_FALCO flag. -d, --daemon Run as a daemon - -p, --pidfile When run as a daemon, write pid to specified file + -D Disable any rules matching the regex . Can be specified multiple times. -e Read the events from (in .scap format) instead of tapping into live. - -r Rules file (defaults to value set in configuration file, or /etc/falco_rules.yaml). + -k , --k8s-api= + Enable Kubernetes support by connecting to the API server + specified as argument. E.g. "http://admin:password@127.0.0.1:8080". + The API server can also be specified via the environment variable + FALCO_K8S_API. + -K | :[:], --k8s-api-cert= | :[:] + Use the provided files names to authenticate user and (optionally) verify the K8S API + server identity. + Each entry must specify full (absolute, or relative to the current directory) path + to the respective file. + Private key password is optional (needed only if key is password protected). + CA certificate is optional. For all files, only PEM file format is supported. + Specifying CA certificate only is obsoleted - when single entry is provided + for this option, it will be interpreted as the name of a file containing bearer token. + Note that the format of this command-line option prohibits use of files whose names contain + ':' or '#' characters in the file name. -L Show the name and description of all rules and exit. -l Show the name and description of the rule with name and exit. + -m , --mesos-api= + Enable Mesos support by connecting to the API server + specified as argument. E.g. "http://admin:password@127.0.0.1:5050". 
+ Marathon url is optional and defaults to Mesos address, port 8080. + The API servers can also be specified via the environment variable + FALCO_MESOS_API. + -o, --option = Set the value of option to . Overrides values in configuration file. + can be a two-part . + -p , --print= + Add additional information to each falco notification's output. + With -pc or -pcontainer will use a container-friendly format. + With -pk or -pkubernetes will use a kubernetes-friendly format. + With -pm or -pmesos will use a mesos-friendly format. + Additionally, specifying -pc/-pk/-pm will change the interpretation + of %container.info in rule output fields + See the examples section below for more info. + -P, --pidfile When run as a daemon, write pid to specified file + -r Rules file (defaults to value set in configuration file, or /etc/falco_rules.yaml). + Can be specified multiple times to read from multiple files. -v Verbose output. - -A Monitor all events, including those with EF_DROP_FALCO flag. ```
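Review bot: The `-k` and `-m` examples (`"http://admin:password@127.0.0.1:8080"` and the matching `:5050` Mesos URL) document passing basic-auth credentials in a plain-http URL on the command line, where they are readable from the process argument list by other local users. The same help text already offers `FALCO_K8S_API` / `FALCO_MESOS_API` and, for Kubernetes, `-K` with a client certificate or bearer-token file, so I would show the example URL without embedded credentials and add a sentence pointing to those options for API servers that require authentication. Two smaller points in the same hunk: `-p` changes meaning from `--pidfile` to `--print`, with the pidfile option moving to `-P`, and the page should say so explicitly for anyone whose existing invocations pass `-p` for the pidfile; and the `-c` default still lists a build-tree path (`/mnt/sf_mstemm/work/src/falco/falco.yaml`) that readers will not have, so documenting only `/etc/falco.yaml` would be clearer.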