Questions tagged [falco]

Falco is an anomaly detection engine for cloud native

32 questions
6 votes, 1 answer

Logs not getting sent to AWS CloudWatch when Docker runs detached or in the foreground

When I run the docker script in interactive mode it works. I can see the logs in the console and also in AWS CloudWatch Logs. The docker script below runs in interactive mode and I have added the awslogs configuration so the logs go into CloudWatch.…
kumar
2 votes, 0 answers

Falco installation on Digital Ocean Kubernetes

While installing falco on Digital Ocean managed Kubernetes, I am getting the following error: Runtime error: can't open BPF probe '/root/.falco/falco-bpf.o': Errno 2. Exiting. I know this is caused because the eBPF probe was not installed on the…
Ajinkya16
2 votes, 0 answers

Loop crashes with Falco

I'm currently experimenting with Falco (a runtime monitoring solution for containers). I'm working locally on a Mac (Catalina v10.15.3), have Helm (v3.1.2) installed, Docker (version 2.2.0.5 (43884)) and K8s running (v1.15.5). I try deploying Falco…
Pacifuras
1 vote, 1 answer

Combining two different CMake files (gRPC and libsinsp) into the same program

I need to create a consolidated program with libsinsp and gRPC. How the program works: it collects the syscall data with libsinsp, then transfers the data with gRPC. I have created both programs, and would like to consolidate them into a single program. I…
1 vote, 0 answers

In /etc/falco I can't see falco_rules.yaml

In /etc/falco I can only see falco_rules.yaml. I can't see falco_rules.local.yaml or the rules.d directory. I am installing through the official Helm chart. How do I load a local falco rule file with my own set of rules?
1 vote, 2 answers

How to define a rule to capture alerts when any manual command gets executed inside the container on Falco

Installed Falco drivers on the host. Able to capture alerts for specific conditions, like when a process is spawned or when any script is executed inside the container. But the requirement is to trigger an alert whenever any manual…
Harika
1 vote, 2 answers

Issue installing Falco on K3s (PopOS)

I am trying to install Falco on my home lab (K3s v1.23.6+k3s1 on Pop!_OS v20.04). For work I need to create a response engine; for that I have chosen Falcosidekick and OpenFaaS. Before taking this to EKS I want to test it locally. I am using the…
user1314147
1 vote, 0 answers

Falco k8s: when adding an exception, some fields become null

If I add an exception to the rule 'The docker client is executed in a container' like:

  exceptions:
    - name: kube_mon
      fields: [container.image.repository, k8s.ns.name, k8s.pod.name]
      comps: [=, =, startswith]
      values:
        - [repo/myimg,…
OlehR
1 vote, 0 answers

What is causing rules to fire repeatedly?

I have created a local test environment using minikube to test custom falco rules. The goal is to search for keywords in the namespace and pod names and set an Info priority on them so they can be filtered out in Kibana. The following are the custom…
CastleCorp
1 vote, 2 answers

Falco output: AWS instance metadata

I run falco and falcosidekick with Docker Compose, without k8s. I need to retrieve AWS instance metadata into the falco rules output. I've found the jevt field class, but I encountered an error on falco container start: Invalid output format…
Daniele
1 vote, 1 answer

Falco security and falcosidekick on docker compose

I'm trying to run the falco and falcosidekick containers in a Docker Compose file.

  version: "3.9"
  services:
    falco:
      image: falcosecurity/falco:latest
      privileged: true
      volumes:
        - /var/run/docker.sock:/host/var/run/docker.sock
        -…
Daniele
1 vote, 0 answers

Falco audit rules are not showing any alerts

I am trying to enable falco audit rules. I am following this blog (https://sysdig.com/blog/kubernetes-audit-log-falco/) to enable k8s audit rules in falco. I am using minikube v1.22.0 with Kubernetes v1.21.2. As mentioned in the blog, I created an audit…
Sathya
1 vote, 1 answer

How to identify commands run by Ansible on a remote host in a Falco context?

I would like to know if someone has an idea about how to identify commands run by Ansible within a remote host. To give you more context, I'm gonna describe my workflow in depth: I have a scheduled job between 1 am and 6 am which runs a compliance…
Arch
0 votes, 1 answer

Falco k8s audit plugin usage

I am using an Azure AKS cluster. I have deployed the falco Helm chart with the k8s-audit plugin, but I am not getting any events for k8s-audit in the falco log. Following is the falco configuration:

  falco:
    falcoctl:
      artifact: …
Ajinkya16
0 votes, 1 answer

Why do I not see the file path in a simple falco rule output concerning the cat command?

Here is my rule:

  - rule: My test rule
    desc: Alert when cat is executed
    condition: spawned_process and proc.name = cat
    output: TEST_RULE_ALERT (command=%proc.cmdline pid=%proc.pid file=%fd.name user=%user.name user_loginuid=%user.loginuid…
mark