diff --git a/Falco-Alerts.md b/Falco-Alerts.md index 65cb6ba..9c73df7 100644 --- a/Falco-Alerts.md +++ b/Falco-Alerts.md @@ -15,7 +15,7 @@ When configured to send alerts via standard output, a line is printed for each a ``` 10:20:05.408091526: Warning Sensitive file opened for reading by non-trusted program (user=root command=cat /etc/shadow file=/etc/shadow) ``` -When run in the background via the `-d/--daemon` command line option, standard output output is discarded. +When run in the background via the `-d/--daemon` command line option, standard output messages are discarded. ## File Output diff --git a/Falco-Configuration.md b/Falco-Configuration.md index 9ae1e65..3c05d71 100644 --- a/Falco-Configuration.md +++ b/Falco-Configuration.md 
@@ -7,15 +7,41 @@ Any configuration option can be overridden on the command line via the `-o/--opt The current configuration keys are: - * `rules_file: `: the location of the rules file. This can also be overridden on the command line via `-r`. - * `json_output: [true|false]`: whether to use JSON output for alert messages. - * `log_stderr: [true|false]`: if true, log messages describing falco's activity will be logged to stderr. Note these are *not* alert messages--these are log messages for falco itself. - * `log_syslog: [true|false]`: if true, log messages describing falco's activity will be logged to syslog. - * `syslog_output`: a list containing these sub-keys: - ** `enabled: [true|false]`: if true, falco alerts will be sent via syslog - * `file_output`: a list containing these sub-keys: - ** `enabled: [true|false]`: if true, falco alerts will be sent to the specified file - ** `filename: `: the location of the file to which alerts will be sent - * `stdout_output`: a list containing thse sub-keys: - ** `enabled: [true|false]`: if true, falco alerts will be sent to standard output +####`rules_file: ` + +the location of the rules file. This can also be overridden on the command line via `-r`. + +####`json_output: [true|false]` + +whether to use JSON output for alert messages. + +####`log_stderr: [true|false]` + +if true, log messages describing falco's activity will be logged to stderr. Note these are *not* alert messages--these are log messages for falco itself. + +####`log_syslog: [true|false]` + +if true, log messages describing falco's activity will be logged to syslog. 
+ + +####`syslog_output` + +a list containing these sub-keys: + +* `enabled: [true|false]`: if true, falco alerts will be sent via syslog + + +####`file_output` + +a list containing these sub-keys: + +* `enabled: [true|false]`: if true, falco alerts will be sent to the specified file +* `filename: `: the location of the file to which alerts will be sent + + +####`stdout_output` + +a list containing thse sub-keys: + +* `enabled: [true|false]`: if true, falco alerts will be sent to standard output diff --git a/Falco-Examples.md b/Falco-Examples.md index 5bfc44a..a5fc978 100644 --- a/Falco-Examples.md +++ b/Falco-Examples.md @@ -2,7 +2,7 @@ Here are some examples of the types of behavior falco can detect. -For a more comprehnsive set of examples, see the full rules file at `falco_rules.yaml` +For a more comprehnsive set of examples, see the full rules file at `falco_rules.yaml`. ##A shell is run in a container diff --git a/Falco-Rules.md b/Falco-Rules.md index 653e512..8e24f12 100644 --- a/Falco-Rules.md +++ b/Falco-Rules.md @@ -2,7 +2,7 @@ _Call for contributions: If you come up with additional rules which you'd like to see in the core repository - PR welcome!_ -A falco rules file is a [YAML](http://www.yaml.org/start.html) file containing two kinds of elements: *rules* and *macros*. Rules consiste of a *condition* under which an alert should be generated and a *output string* to send with the alert. +A falco rules file is a [YAML](http://www.yaml.org/start.html) file containing two kinds of elements: *rules* and *macros*. Rules consist of a *condition* under which an alert should be generated and a *output string* to send with the alert. Macros are simply rule condition snippets that can be re-used inside rules and other macros, providing a way to factor out and name common patterns. 
@@ -33,7 +33,7 @@ A complete rule using the above condition might be: - rule: shell_in_container desc: notice shell activity within a container condition: container.id != host and proc.name = bash - output: "shell in a container (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline) + output: shell in a container (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline) priority: WARNING ``` diff --git a/Home.md b/Home.md index 4761641..7b8663e 100644 --- a/Home.md +++ b/Home.md @@ -17,7 +17,7 @@ On this wiki, you can find information about sysdig falco. If this is your first * [Falco Alerts](Falco Alerts): Describing the alert channels * [Falco Examples](Falco Examples): Examples of what falco can detect * Helpful blog posts -** [Introducing Falco](https://sysdig.com/blog/sysdig-falco/) + * [Introducing Falco](https://sysdig.com/blog/sysdig-falco/) ####Releases * [List of falco releases](https://github.com/draios/falco/releases) diff --git a/How-to-Install-Falco-for-Linux.md b/How-to-Install-Falco-for-Linux.md index 2bb0e9e..408f52e 100644 --- a/How-to-Install-Falco-for-Linux.md +++ b/How-to-Install-Falco-for-Linux.md @@ -17,7 +17,7 @@ curl -s -o /etc/yum.repos.d/draios.repo http://download.draios.com/stable/rpm/dr ``` - Install the EPEL repository -Note: The following command is required only if DKMS is not available in the distribution. You can verify if DKMS is available with yum list dkms +Note: The following command is required only if DKMS is not available in the distribution. You can verify if DKMS is available with `yum list dkms`. If required, install using: `rpm -i http://mirror.us.leaseweb.net/epel/6/i386/epel-release-6-8.noarch.rpm` 
@@ -46,7 +46,7 @@ apt-get update - Install kernel headers -Warning: The following command might not work with any kernel. Make sure to customize the name of the package properly +Warning: The following command might not work with any kernel. Make sure to customize the name of the package properly. `apt-get -y install linux-headers-$(uname -r)` diff --git a/How-to-Install-Falco-from-Source.md b/How-to-Install-Falco-from-Source.md index 9d9ad32..f301b5c 100644 --- a/How-to-Install-Falco-from-Source.md +++ b/How-to-Install-Falco-from-Source.md @@ -1,5 +1,7 @@ # Building falco from source +Building falco requires having `cmake` and `g++` installed. + ## Check out source code Clone this repo in a directory that also contains the sysdig source repo. The result should be something like: diff --git a/How-to-Install-Falco-using-Containers.md b/How-to-Install-Falco-using-Containers.md index 92428aa..e832aea 100644 --- a/How-to-Install-Falco-using-Containers.md +++ b/How-to-Install-Falco-using-Containers.md @@ -33,9 +33,3 @@ curl -s https://s3.amazonaws.com/download.draios.com/stable/install-falco | bash sysdig-probe-loader ``` - - -## Building and running falco locally from source -Building falco requires having `cmake` and `g++` installed. - -
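Review bot: in the Falco-Configuration.md hunk, the descriptions promoted from list items to standalone paragraphs under each `####` heading still begin lowercase (`the location of the rules file.`, `whether to use JSON output for alert messages.`, `if true, log messages ...`, `a list containing these sub-keys:`); now that each is a sentence of its own, capitalize the first word. The typo `thse` in the `stdout_output` description is carried over from the old list item and should be fixed in the same pass. The new headings are written `####\`rules_file: \`` with no space after the hashes; this matches the existing `####Releases` style visible in Home.md, but CommonMark renderers require a space (`#### \`rules_file\``), so adding it keeps the page rendering as headings if the wiki renderer changes.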
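Review bot: in the Falco-Examples.md hunk, the edited line gains its full stop but keeps the misspelling `comprehnsive`; since the line is already being touched, change it to `comprehensive`.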
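Review bot: in the first Falco-Rules.md hunk, `consiste` is corrected but the same sentence still reads `a *output string*`; it should be `an *output string*`.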
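Review bot: in the second Falco-Rules.md hunk, the unbalanced quote on the `output:` line is fixed by dropping the opening `"` rather than adding the missing closing one. The resulting plain scalar is valid YAML (it contains no `: ` or ` #` sequences), but the `%field` placeholders and parentheses make an unquoted output string easy to break with a later edit, and this string is exactly what ends up in the emitted alert, so closing the quote instead is the more robust fix: `output: "shell in a container (user=%user.name ... cmdline=%proc.cmdline)"`.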
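Review bot: in the second How-to-Install-Falco-for-Linux.md hunk, the changed line `might not work with any kernel` is ambiguous and can be read as "will not work with any kernel". Since the point is that a `linux-headers-$(uname -r)` package is not available for every kernel, suggest `might not work for every kernel. Make sure to customize the name of the package properly.`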
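Review bot: the `cmake`/`g++` prerequisite sentence added to How-to-Install-Falco-from-Source.md is the same sentence removed from the `## Building and running falco locally from source` section of How-to-Install-Falco-using-Containers.md in the last hunk, so this is a move rather than new content. Two follow-ups: the removed heading promised "running" instructions that the moved sentence does not cover, and readers who looked for that heading on the containers page now find nothing, so consider ending that page with a one-line pointer to the source-build page.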