forked from falcosecurity/evolution
[stable/falco] Add support for more options for falco.yaml: syscall_event_drops, time_format_iso8601 and httpOutput (#15361)

* [stable/falco] Add a parameter to use ISO8601 formatted dates

  If true, the times displayed in log messages and output messages will be in ISO 8601. By default, times are displayed in the local time zone, as governed by /etc/localtime.

  Signed-off-by: Néstor Salceda <[email protected]>

* [stable/falco] Allow configuration for `syscall_event_drops` in falco.yaml

  Falco uses a shared buffer between the kernel and userspace to pass system call information. When falco detects that this buffer is full and system calls have been dropped, it can take one or more of the following actions:
  - "ignore": do nothing. If an empty list is provided, ignore is assumed.
  - "log": log a CRITICAL message noting that the buffer was full.
  - "alert": emit a falco alert noting that the buffer was full.
  - "exit": exit falco with a non-zero rc.

  The rate at which log/alert messages are emitted is governed by a token bucket. The rate corresponds to one message every 30 seconds with a burst of 10 messages.

  Signed-off-by: Néstor Salceda <[email protected]>

* [stable/falco] Enable httpOutput section from the configmap

  Signed-off-by: Néstor Salceda <[email protected]>

* [stable/falco] Add CHANGELOG entry for 0.8.0

  This was not done in [its own PR](helm/charts#14813 (comment))

  Signed-off-by: Néstor Salceda <[email protected]>

* [stable/falco] Bump version and add CHANGELOG entries

  Signed-off-by: Néstor Salceda <[email protected]>
Parent: b9feeb4. Commit: 0773e4a.
Showing 5 changed files with 84 additions and 5 deletions.
@@ -1,6 +1,6 @@ | ||
apiVersion: v1 | ||
name: falco | ||
version: 0.9.0 | ||
version: 0.9.1 | ||
appVersion: 0.15.3 | ||
description: Falco | ||
keywords: | ||
|
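Review bot: the version bump in this hunk goes from 0.9.0 to 0.9.1, a patch increment, while the commit adds three new user-facing chart parameters (`timeFormatISO8601`, `syscallEventDrops`, `httpOutput`); under the semver convention a minor bump (0.10.0) is what tells a consumer that a values.yaml written for 0.9.0 still works but that new keys now exist. The commit message also says the CHANGELOG and the configmap template were changed, yet neither file appears in the hunks shown here, so the mapping of the new camelCase values onto Falco's snake_case falco.yaml keys (`syscall_event_drops`, `time_format_iso8601` in the title) cannot be checked from this page and should be confirmed in the full diff.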
@@ -63,21 +63,25 @@ The following table lists the configurable parameters of the Falco chart and the | |
| `fakeEventGenerator.replicas` | How many replicas of falco-event-generator to run | `1` | | ||
| `daemonset.updateStrategy.type` | The updateStrategy for updating the daemonset | `RollingUpdate` | | ||
| `podSecurityPolicy.create` | If true, create & use podSecurityPolicy | `false` | | ||
| `proxy.httpProxy` | Set the Proxy server if is behind a firewall | `` | | ||
| `proxy.httpsProxy` | Set the Proxy server if is behind a firewall | `` | | ||
| `proxy.noProxy` | Set the Proxy server if is behind a firewall | `` | | ||
| `timezone` | Set the daemonset's timezone | `` | | ||
| `proxy.httpProxy` | Set the Proxy server if is behind a firewall | ` ` | | ||
| `proxy.httpsProxy` | Set the Proxy server if is behind a firewall | ` ` | | ||
| `proxy.noProxy` | Set the Proxy server if is behind a firewall | ` ` | | ||
| `timezone` | Set the daemonset's timezone | ` ` | | ||
| `ebpf.enabled` | Enable eBPF support for Falco instead of `falco-probe` kernel module | `false` | | ||
| `ebpf.settings.hostNetwork` | Needed to enable eBPF JIT at runtime for performance reasons | `true` | | ||
| `ebpf.settings.mountEtcVolume` | Needed to detect which kernel version are running in Google COS | `true` | | ||
| `falco.rulesFile` | The location of the rules files | `[/etc/falco/falco_rules.yaml, /etc/falco/falco_rules.local.yaml, /etc/falco/rules.d]` | | ||
| `falco.timeFormatISO8601` | Display times using ISO 8601 instead of local time zone | `false` | | ||
| `falco.jsonOutput` | Output events in json or text | `false` | | ||
| `falco.jsonIncludeOutputProperty` | Include output property in json output | `true` | | ||
| `falco.logStderr` | Send Falco debugging information logs to stderr | `true` | | ||
| `falco.logSyslog` | Send Falco debugging information logs to syslog | `true` | | ||
| `falco.logLevel` | The minimum level of Falco debugging information to include in logs | `info` | | ||
| `falco.priority` | The minimum rule priority level to load and run | `debug` | | ||
| `falco.bufferedOutputs` | Use buffered outputs to channels | `false` | | ||
| `falco.syscallEventDrops.actions` | Actions to be taken when system calls were dropped from the circular buffer | `[log, alert]` | | ||
| `falco.syscallEventDrops.rate` | Rate at which log/alert messages are emitted | `.03333` | | ||
| `falco.syscallEventDrops.maxBurst` | Max burst of messages emitted | `10` | | ||
| `falco.outputs.rate` | Number of tokens gained per second | `1` | | ||
| `falco.outputs.maxBurst` | Maximum number of tokens outstanding | `1000` | | ||
| `falco.syslogOutput.enabled` | Enable syslog output for security notifications | `true` | | ||
|
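Review bot: the description of `falco.syscallEventDrops.rate` in this hunk gives no unit, so the default `.03333` reads as an arbitrary constant; the values.yaml comment in the same commit explains it as one message every 30 seconds, i.e. tokens per second, and the README row should say so, for example `Rate (messages per second) at which log/alert messages are emitted; .03333 is one every 30 seconds`. The `falco.syscallEventDrops.actions` row has the same problem: a reader of the table alone cannot tell that the valid values are `ignore`, `log`, `alert` and `exit`, or that an empty list means `ignore`, which silently discards the only signal that Falco has lost syscall visibility; listing the valid actions in the description avoids that. Changing the empty proxy and timezone defaults from `` to ` ` is a correct fix, since two adjacent backticks open a double-backtick code span in Markdown rather than rendering an empty one.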
@@ -88,6 +92,8 @@ The following table lists the configurable parameters of the Falco chart and the | |
| `falco.programOutput.enabled` | Enable program output for security notifications | `false` | | ||
| `falco.programOutput.keepAlive` | Start the program once or re-spawn when a notification arrives | `false` | | ||
| `falco.programOutput.program` | Command to execute for program output | `mail -s "Falco Notification" [email protected]` | | ||
| `falco.httpOutput.enabled` | Enable http output for security notifications | `false` | | ||
| `falco.httpOutput.url` | Url to notify using the http output when a notification arrives | `http://some.url` | | ||
| `customRules` | Third party rules enabled for Falco | `{}` | | ||
| `integrations.gcscc.enabled` | Enable Google Cloud Security Command Center integration | `false` | | ||
| `integrations.gcscc.webhookUrl` | The URL where sysdig-gcscc-connector webhook is listening | `http://sysdig-gcscc-connector.default.svc.cluster.local:8080/events` | | ||
|
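Review bot: the `falco.httpOutput.url` row in this hunk says only that a URL is "notified", and the placeholder default `http://some.url` uses a plain `http://` scheme; the row above it calls these security notifications, so the description should say that every notification is sent to this URL and that an `https://` endpoint should be used, for instance `URL that each security notification is sent to when http output is enabled; use an https:// endpoint`. Saying that the placeholder must be replaced before `falco.httpOutput.enabled` is set to `true` would also help, since the two rows are documented independently and nothing here stops the enabled flag being flipped with the placeholder still in place.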
@@ -82,6 +82,11 @@ falco: | |
- /etc/falco/falco_rules.local.yaml | ||
- /etc/falco/rules.d | ||
|
||
# If true, the times displayed in log messages and output messages | ||
# will be in ISO 8601. By default, times are displayed in the local | ||
# time zone, as governed by /etc/localtime. | ||
timeFormatISO8601: false | ||
|
||
# Whether to output events in json or text | ||
jsonOutput: false | ||
|
||
|
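Review bot: the comment on `timeFormatISO8601` in this hunk says local time is governed by /etc/localtime, but this chart separately exposes a `timezone` parameter for the daemonset (README row `Set the daemonset's timezone`), and the comment should say how the local-time default relates to that parameter; otherwise an operator reading values.yaml alone may assume node-local time. One more sentence noting that ISO 8601 is the safer choice when output is shipped off the node would be worth adding, because a local-time string with no zone marker cannot be correlated across nodes or collectors in different zones.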
@@ -111,6 +116,25 @@ falco: | |
# buffered. | ||
bufferedOutputs: false | ||
|
||
# Falco uses a shared buffer between the kernel and userspace to pass | ||
# system call information. When falco detects that this buffer is | ||
# full and system calls have been dropped, it can take one or more of | ||
# the following actions: | ||
# - "ignore": do nothing. If an empty list is provided, ignore is assumed. | ||
# - "log": log a CRITICAL message noting that the buffer was full. | ||
# - "alert": emit a falco alert noting that the buffer was full. | ||
# - "exit": exit falco with a non-zero rc. | ||
# | ||
# The rate at which log/alert messages are emitted is governed by a | ||
# token bucket. The rate corresponds to one message every 30 seconds | ||
# with a burst of 10 messages. | ||
syscallEventDrops: | ||
actions: | ||
- log | ||
- alert | ||
rate: .03333 | ||
maxBurst: 10 | ||
|
||
# A throttling mechanism implemented as a token bucket limits the | ||
# rate of falco notifications. This throttling is controlled by the following configuration | ||
# options: | ||
|
@@ -166,6 +190,10 @@ falco: | |
keepAlive: false | ||
program: mail -s "Falco Notification" [email protected] | ||
|
||
httpOutput: | ||
enabled: false | ||
url: http://some.url | ||
|
||
customRules: {} | ||
# Although Falco comes with a nice default rule set for detecting weird | ||
# behavior in containers, our users are going to customize the run-time | ||
|