Minor bug fixes after going through github view.

Minor typo/formatting cleanups after going through wiki on github.
Mark Stemm 2016-06-07 11:54:44 -07:00
parent 597d579c8b
commit dbb35e99e7
8 changed files with 46 additions and 24 deletions

@ -15,7 +15,7 @@ When configured to send alerts via standard output, a line is printed for each a
``` ```
10:20:05.408091526: Warning Sensitive file opened for reading by non-trusted program (user=root command=cat /etc/shadow file=/etc/shadow) 10:20:05.408091526: Warning Sensitive file opened for reading by non-trusted program (user=root command=cat /etc/shadow file=/etc/shadow)
``` ```
When run in the background via the `-d/--daemon` command line option, standard output output is discarded. When run in the background via the `-d/--daemon` command line option, standard output messages are discarded.
## File Output ## File Output
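Review bot: the reworded sentence ("standard output messages are discarded" when running with `-d/--daemon`) still leaves the reader without a way to keep alerts in daemon mode; suggest closing the sentence with a pointer to the other channels on this page, e.g. ", so enable `file_output` or `syslog_output` when daemonizing." The same applies to the log line above it, which is only ever seen on a foreground run.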

@ -7,15 +7,41 @@ Any configuration option can be overridden on the command line via the `-o/--opt
The current configuration keys are: The current configuration keys are:
* `rules_file: <path>`: the location of the rules file. This can also be overridden on the command line via `-r`. ####`rules_file: <path>`
* `json_output: [true|false]`: whether to use JSON output for alert messages.
* `log_stderr: [true|false]`: if true, log messages describing falco's activity will be logged to stderr. Note these are *not* alert messages--these are log messages for falco itself. the location of the rules file. This can also be overridden on the command line via `-r`.
* `log_syslog: [true|false]`: if true, log messages describing falco's activity will be logged to syslog.
* `syslog_output`: a list containing these sub-keys: ####`json_output: [true|false]`
** `enabled: [true|false]`: if true, falco alerts will be sent via syslog
* `file_output`: a list containing these sub-keys: whether to use JSON output for alert messages.
** `enabled: [true|false]`: if true, falco alerts will be sent to the specified file
** `filename: <path>`: the location of the file to which alerts will be sent ####`log_stderr: [true|false]`
* `stdout_output`: a list containing thse sub-keys:
** `enabled: [true|false]`: if true, falco alerts will be sent to standard output if true, log messages describing falco's activity will be logged to stderr. Note these are *not* alert messages--these are log messages for falco itself.
####`log_syslog: [true|false]`
if true, log messages describing falco's activity will be logged to syslog.
####`syslog_output`
a list containing these sub-keys:
* `enabled: [true|false]`: if true, falco alerts will be sent via syslog
####`file_output`
a list containing these sub-keys:
* `enabled: [true|false]`: if true, falco alerts will be sent to the specified file
* `filename: <path>`: the location of the file to which alerts will be sent
####`stdout_output`
a list containing thse sub-keys:
* `enabled: [true|false]`: if true, falco alerts will be sent to standard output
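Review bot: the typo "thse sub-keys" under `stdout_output` survives the conversion from bullets to headings, and every new `####` heading is missing the space after the hashes (`####`rules_file...` should be `#### `rules_file: <path>``), which some Markdown renderers will not treat as a heading. While here, "a list containing these sub-keys" describes what is actually a YAML mapping (`file_output:` with `enabled:` and `filename:` as child keys), so "a mapping with these sub-keys" would match what users write in `falco.yaml`.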

@ -2,7 +2,7 @@
Here are some examples of the types of behavior falco can detect. Here are some examples of the types of behavior falco can detect.
For a more comprehnsive set of examples, see the full rules file at `falco_rules.yaml` For a more comprehnsive set of examples, see the full rules file at `falco_rules.yaml`.
##A shell is run in a container ##A shell is run in a container
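Review bot: the hunk adds the missing period after `falco_rules.yaml` but leaves "comprehnsive" misspelled on the same line; suggest "comprehensive" in the same pass. The heading `##A shell is run in a container` also needs a space after `##`, as with the other headings touched in this commit.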

@ -2,7 +2,7 @@
_Call for contributions: If you come up with additional rules which you'd like to see in the core repository - PR welcome!_ _Call for contributions: If you come up with additional rules which you'd like to see in the core repository - PR welcome!_
A falco rules file is a [YAML](http://www.yaml.org/start.html) file containing two kinds of elements: *rules* and *macros*. Rules consiste of a *condition* under which an alert should be generated and a *output string* to send with the alert. A falco rules file is a [YAML](http://www.yaml.org/start.html) file containing two kinds of elements: *rules* and *macros*. Rules consist of a *condition* under which an alert should be generated and a *output string* to send with the alert.
Macros are simply rule condition snippets that can be re-used inside rules and other macros, providing a way to factor out and name common patterns. Macros are simply rule condition snippets that can be re-used inside rules and other macros, providing a way to factor out and name common patterns.
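Review bot: "consiste" is fixed, but "a *output string*" on the same line should be "an *output string*". Suggest also noting in this sentence that the condition is a sysdig filter expression, since the next section's example uses `container.id` and `proc.name` without introducing where those field names come from.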
@ -33,7 +33,7 @@ A complete rule using the above condition might be:
- rule: shell_in_container - rule: shell_in_container
desc: notice shell activity within a container desc: notice shell activity within a container
condition: container.id != host and proc.name = bash condition: container.id != host and proc.name = bash
output: "shell in a container (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline) output: shell in a container (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
priority: WARNING priority: WARNING
``` ```
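Review bot: removing the dangling opening `"` on the `output:` line does fix the unterminated quoted scalar, but the alternative of closing the quote at the end of the string would have been equally valid and keeps the value quoted, which is the safer habit for output strings that mix `%field` placeholders, parentheses and `=`; pick whichever form the rest of `falco_rules.yaml` uses so the example copies cleanly.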

@ -17,7 +17,7 @@ On this wiki, you can find information about sysdig falco. If this is your first
* [Falco Alerts](Falco Alerts): Describing the alert channels * [Falco Alerts](Falco Alerts): Describing the alert channels
* [Falco Examples](Falco Examples): Examples of what falco can detect * [Falco Examples](Falco Examples): Examples of what falco can detect
* Helpful blog posts * Helpful blog posts
** [Introducing Falco](https://sysdig.com/blog/sysdig-falco/) * [Introducing Falco](https://sysdig.com/blog/sysdig-falco/)
####Releases ####Releases
* [List of falco releases](https://github.com/draios/falco/releases) * [List of falco releases](https://github.com/draios/falco/releases)
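Review bot: changing `** [Introducing Falco](...)` to `* [Introducing Falco](...)` flattens the list, so the blog post now sits at the same level as "Helpful blog posts" instead of under it; indent the nested item (`  * [Introducing Falco](...)`) to keep the hierarchy. `####Releases` in the same hunk also needs a space after the hashes.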

@ -17,7 +17,7 @@ curl -s -o /etc/yum.repos.d/draios.repo http://download.draios.com/stable/rpm/dr
``` ```
- Install the EPEL repository - Install the EPEL repository
Note: The following command is required only if DKMS is not available in the distribution. You can verify if DKMS is available with yum list dkms Note: The following command is required only if DKMS is not available in the distribution. You can verify if DKMS is available with `yum list dkms`. If required, install using:
`rpm -i http://mirror.us.leaseweb.net/epel/6/i386/epel-release-6-8.noarch.rpm` `rpm -i http://mirror.us.leaseweb.net/epel/6/i386/epel-release-6-8.noarch.rpm`
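Review bot: the new "If required, install using:" sentence is followed by the `rpm -i` command as an inline-code line rather than a fenced block like the `curl` command at the top of this hunk; put it in a fence for consistent copy-paste. The command pins a single mirror and the `6/i386` EPEL path, so it is worth a short remark that the URL should be adjusted for the reader's EPEL release and mirror.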
@ -46,7 +46,7 @@ apt-get update
- Install kernel headers - Install kernel headers
Warning: The following command might not work with any kernel. Make sure to customize the name of the package properly Warning: The following command might not work with any kernel. Make sure to customize the name of the package properly.
`apt-get -y install linux-headers-$(uname -r)` `apt-get -y install linux-headers-$(uname -r)`
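Review bot: the added period is fine, but "might not work with any kernel" reads as "works with no kernel"; "might not work with every kernel" says what is meant. As with the previous hunk, the `apt-get` command would be clearer in a fenced block than as an inline-code line.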

@ -1,5 +1,7 @@
# Building falco from source # Building falco from source
Building falco requires having `cmake` and `g++` installed.
## Check out source code ## Check out source code
Clone this repo in a directory that also contains the sysdig source repo. The result should be something like: Clone this repo in a directory that also contains the sysdig source repo. The result should be something like:
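Review bot: the prerequisite sentence ("Building falco requires having `cmake` and `g++` installed.") is now the only prose between the title and `## Check out source code`; giving it its own `## Prerequisites` heading would match the `##` sectioning used elsewhere on the page and give the sysdig-source requirement stated in the next line a natural home too.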

@ -33,9 +33,3 @@ curl -s https://s3.amazonaws.com/download.draios.com/stable/install-falco | bash
sysdig-probe-loader sysdig-probe-loader
``` ```
## Building and running falco locally from source
Building falco requires having `cmake` and `g++` installed.
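Review bot: deleting `## Building and running falco locally from source` removes a heading that other wiki pages may link to by anchor; check for links to this section (the Home page lists the wiki pages) and retarget them to the top of the page now that the requirement line lives under the page title.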