From fe3a0f534f559c9ee56a295121c2be3c1b6a3295 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Mon, 9 Oct 2017 16:46:03 -0700 Subject: [PATCH] Updated Falco Alerts (markdown) --- Falco-Alerts.md | 44 ++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 40 insertions(+), 4 deletions(-) diff --git a/Falco-Alerts.md b/Falco-Alerts.md index 28fe3ef..04422a9 100644 --- a/Falco-Alerts.md +++ b/Falco-Alerts.md @@ -13,6 +13,11 @@ The channels are configured via the falco configuration file `falco.yaml`. See t When configured to send alerts via standard output, a line is printed for each alert. Here's an example: +```yaml +stdout_output: + enabled: true +``` + ``` 10:20:05.408091526: Warning Sensitive file opened for reading by non-trusted program (user=root command=cat /etc/shadow file=/etc/shadow) ``` 
@@ -20,14 +25,26 @@ When run in the background via the `-d/--daemon` command line option, standard o ## File Output -When configured to send alerts to a file, a message is written to the file for each alert. The format is identical to the Standard Output format. +When configured to send alerts to a file, a message is written to the file for each alert. The format is very similar to the Standard Output format: -For each alert, the file is opened for appending, the single alert is written, and the file is closed. The file is not rotated or truncated. +``` +file_output: + enabled: true + keep_alive: false + filename: ./events.txt +``` + +When `keep_alive` is false (the default), for each alert the file is opened for appending, the single alert is written, and the file is closed. The file is not rotated or truncated. If `keep_alive` is set to true, the file is opened before the first alert and kept open for all subsequent alerts. Output is buffered and will be flushed only on close. (This can be changed with `--unbuffered`). ## Syslog Output When configured to send alerts to syslog, a syslog message is sent for each alert. The actual format depends on your syslog daemon, but here's an example: +```yaml +syslog_output: + enabled: true +``` + ``` Jun 7 10:20:05 ubuntu falco: Sensitive file opened for reading by non-trusted program (user=root command=cat /etc/shadow file=/etc/shadow) ``` 
@@ -36,15 +53,18 @@ Syslog messages are sent with a facility of LOG_USER. The rule's priority is use ## Program Output -When configured to send alerts to a program, for each alert the program is started and written to it's standard input. For example, given a `falco.yaml` configuration of: +When configured to send alerts to a program, for each alert the program is started and written to its standard input. For example, given a `falco.yaml` configuration of: ``` program_output: enabled: true + keep_alive: false program: mail -s "Falco Notification" someone@example.com ``` -For each alert, falco will run the program `mail -s ...` and write the alert to the program. The program is run via a shell, so it's possible to specify a command pipeline if you wish to add additional formatting. +When `keep_alive` is false (the default), for each alert falco will run the program `mail -s ...` and write the alert to the program. The program is run via a shell, so it's possible to specify a command pipeline if you wish to add additional formatting. + +If `keep_alive` is set to true, before the first alert falco will spawn the program and write the alert. The program pipe will be kept open for subsequent alerts. *Note*: the program spawned by falco is in the same process group as falco and will receive all signals that falco receives. If you want to, say, ignore SIGTERM to allow for a clean shutdown in the face of buffered outputs, you must override the signal handler yourself. ### Program Output Example: Posting to a Slack Incoming Webhook 
@@ -59,6 +79,22 @@ program_output: program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX” ``` +### Program Output: Sending Alerts to Network Channel + +If you'd like to send a stream of alerts over a network connection, here's an example: + +``` +# Whether to output events in json or text +json_output: true +… +program_output: + enabled: true + keep_alive: true + program: "nc host.example.com 1234" +``` + +Note the use of `keep_alive: true` to keep the network connection persistent. + ## JSON Output For all output channels, you can switch to JSON output either in the configuration file or on the command line. For each alert, falco will print a JSON object, on a single line, containing the following properties:
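Review bot: In the first hunk the new `stdout_output` block lands between "Here's an example:" and the alert line it introduces, so the sentence now points at the configuration instead of the output; add a short lead-in before the fence, e.g. "With a configuration of:", and keep "Here's an example:" (or "which produces output like:") directly above the alert line. Also, this block uses a ```yaml fence while the `file_output` and `program_output` blocks in this same patch are untagged; use one convention throughout.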
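Review bot: In the `keep_alive: true` paragraph of the File Output hunk, "Output is buffered and will be flushed only on close" should spell out the consequence: alerts still sitting in the buffer are lost if falco is killed or crashes, which is exactly the situation in which you most want the last alerts on disk, and `--unbuffered` is the remedy rather than a parenthetical. The sentence "The file is not rotated or truncated" is now attached only to the `keep_alive: false` case; state explicitly what happens to the long-lived handle when the file is rotated or removed underneath it in the `keep_alive: true` case, since the handle is opened once and never reopened.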
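Review bot: The `keep_alive: true` paragraph of the Program Output hunk does not say what happens when the spawned program exits or its stdin pipe breaks (whether falco respawns it, drops the alert, or stops writing); that case will happen in practice with a long-running pipe and should be documented. The `mail -s ...` example above it also reads differently once `keep_alive` exists: with `keep_alive: true` a single `mail` process would receive every alert on one stdin and send one message on close, so say that this example is only meaningful with `keep_alive: false`. Minor, pre-existing in the context line: the Slack example `program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX”` opens with a straight quote and closes with a typographic `”`, which is not a matching YAML string delimiter.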
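Review bot: The new "Sending Alerts to Network Channel" section ships alerts with `nc host.example.com 1234`, which is a plain, unauthenticated, unencrypted TCP stream; since these alerts carry details like the user and command that triggered them, the text should say this is only appropriate on a trusted network and point readers toward a transport with TLS and authentication for anything else. Two operational gaps in the same hunk: with `keep_alive: true` the earlier hunks say output is buffered until close, so alerts will not appear on the receiver promptly unless `--unbuffered` is used (worth stating here, where it matters most), and if the connection drops `nc` exits and the documentation should say how falco behaves afterwards. The fence for this config block is also untagged while the `stdout_output` block added in the first hunk uses ```yaml.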