add(falco)

This commit is contained in:
nold 2023-03-11 20:12:22 +01:00
parent e479cc4a7c
commit 365e221bb6
2 changed files with 920 additions and 0 deletions

View file

@ -0,0 +1,8 @@
config:
description: Cloud Native Runtime Security
apps:
- name: falco
repoURL: https://falcosecurity.github.io/charts
chart: falco
targetRevision: 3.1.1

View file

@ -0,0 +1,912 @@
# Default values for Falco.
###############################
# General deployment settings #
###############################
image:
# -- The image pull policy.
pullPolicy: IfNotPresent
# -- The image registry to pull from.
registry: docker.io
# -- The image repository to pull from
repository: falcosecurity/falco-no-driver
# -- The image tag to pull. Overrides the image tag whose default is the chart appVersion.
tag: ""
# -- Secrets containing credentials when pulling from private/secure registries.
imagePullSecrets: []
# -- Put here the new name if you want to override the release name used for Falco components.
nameOverride: ""
# -- Same as nameOverride but for the fullname.
fullnameOverride: ""
# -- Override the deployment namespace
namespaceOverride: ""
rbac:
# Create and use rbac resources when set to true. Needed to fetch k8s metadata from the api-server.
create: true
serviceAccount:
# -- Specifies whether a service account should be created.
create: true
# -- Annotations to add to the service account.
annotations: {}
# -- The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
# -- Add additional pod annotations
podAnnotations: {}
# -- Add additional pod labels
podLabels: {}
# -- Set pod priorityClassName
podPriorityClassName:
# -- Set securityContext for the pods
# These security settings are overriden by the ones specified for the specific
# containers when there is overlap.
podSecurityContext: {}
# Note that `containerSecurityContext`:
# - will not apply to init containers, if any;
# - takes precedence over other automatic configurations (see below).
#
# Based on the `driver` configuration the auto generated settings are:
# 1) driver.enabled = false:
# securityContext: {}
#
# 2) driver.enabled = true and (driver.kind = module || driver.kind = modern-bpf):
# securityContext:
# privileged: true
#
# 3) driver.enabled = true and driver.kind = ebpf:
# securityContext:
# privileged: true
#
# 4) driver.enabled = true and driver.kind = ebpf and driver.ebpf.leastPrivileged = true
# securityContext:
# capabilities:
# add:
# - BPF
# - SYS_RESOURCE
# - PERFMON
# - SYS_PTRACE
#
# -- Set securityContext for the Falco container.For more info see the "falco.securityContext" helper in "pod-template.tpl"
containerSecurityContext: {}
scc:
# -- Create OpenShift's Security Context Constraint.
create: true
resources:
# -- Although resources needed are subjective on the actual workload we provide
# a sane defaults ones. If you have more questions or concerns, please refer
# to #falco slack channel for more info about it.
requests:
cpu: 100m
memory: 512Mi
# -- Maximum amount of resources that Falco container could get.
# If you are enabling more than one source in falco, than consider to increase
# the cpu limits.
limits:
cpu: 1000m
memory: 1024Mi
# -- Selectors used to deploy Falco on a given node/nodes.
nodeSelector: {}
# -- Affinity constraint for pods' scheduling.
affinity: {}
# -- Tolerations to allow Falco to run on Kubernetes masters.
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
# -- Parameters used
healthChecks:
livenessProbe:
# -- Tells the kubelet that it should wait X seconds before performing the first probe.
initialDelaySeconds: 60
# -- Number of seconds after which the probe times out.
timeoutSeconds: 5
# -- Specifies that the kubelet should perform the check every x seconds.
periodSeconds: 15
readinessProbe:
# -- Tells the kubelet that it should wait X seconds before performing the first probe.
initialDelaySeconds: 30
# -- Number of seconds after which the probe times out.
timeoutSeconds: 5
# -- Specifies that the kubelet should perform the check every x seconds.
periodSeconds: 15
# -- Attach the Falco process to a tty inside the container. Needed to flush Falco logs as soon as they are emitted.
# Set it to "true" when you need the Falco logs to be immediately displayed.
tty: false
#########################
# Scenario requirements #
#########################
# Sensors dislocation configuration (scenario requirement)
controller:
# Available options: deployment, daemonset.
kind: daemonset
# Annotations to add to the daemonset or deployment
annotations: {}
daemonset:
updateStrategy:
# You can also customize maxUnavailable or minReadySeconds if you
# need it
# -- Perform rolling updates by default in the DaemonSet agent
# ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
type: RollingUpdate
deployment:
# -- Number of replicas when installing Falco using a deployment. Change it if you really know what you are doing.
# For more info check the section on Plugins in the README.md file.
replicas: 1
# -- Network services configuration (scenario requirement)
# Add here your services to be deployed together with Falco.
services:
# Example configuration for the "k8sauditlog" plugin
# - name: k8saudit-webhook
# type: NodePort
# ports:
# - port: 9765 # See plugin open_params
# nodePort: 30007
# protocol: TCP
# File access configuration (scenario requirement)
mounts:
# -- A list of volumes you want to add to the Falco pods.
volumes: []
# -- A list of volumes you want to add to the Falco pods.
volumeMounts: []
# -- By default, `/proc` from the host is only mounted into the Falco pod when `driver.enabled` is set to `true`. This flag allows it to override this behaviour for edge cases where `/proc` is needed but syscall data source is not enabled at the same time (e.g. for specific plugins).
enforceProcMount: false
# Driver settings (scenario requirement)
driver:
# -- Set it to false if you want to deploy Falco without the drivers.
# Always set it to false when using Falco with plugins.
enabled: true
# -- Tell Falco which driver to use. Available options: module (kernel driver), ebpf (eBPF probe), modern-bpf (modern eBPF probe).
kind: module
# -- Configuration section for ebpf driver.
ebpf:
# -- Path where the eBPF probe is located. It comes handy when the probe have been installed in the nodes using tools other than the init
# container deployed with the chart.
path:
# -- Needed to enable eBPF JIT at runtime for performance reasons.
# Can be skipped if eBPF JIT is enabled from outside the container
hostNetwork: false
# -- Constrain Falco with capabilities instead of running a privileged container.
# This option is only supported with the eBPF driver and a kernel >= 5.8.
# Ensure the eBPF driver is enabled (i.e., setting the `driver.kind` option to `ebpf`).
leastPrivileged: false
# -- Configuration for the Falco init container.
loader:
# -- Enable/disable the init container.
enabled: true
initContainer:
image:
# -- The image pull policy.
pullPolicy: IfNotPresent
# -- The image registry to pull from.
registry: docker.io
# -- The image repository to pull from.
repository: falcosecurity/falco-driver-loader
# -- Overrides the image tag whose default is the chart appVersion.
tag: ""
# -- Extra environment variables that will be pass onto Falco driver loader init container.
env: []
# -- Arguments to pass to the Falco driver loader init container.
args: []
# -- Resources requests and limits for the Falco driver loader init container.
resources: {}
# -- Security context for the Falco driver loader init container. Overrides the default security context. If driver.kind == "module" you must at least set `privileged: true`.
securityContext: {}
# -- Gvisor configuration. Based on your system you need to set the appropriate values.
# Please, rembember to add pod tolerations and affinities in order to schedule the Falco pods in the gVisor enabled nodes.
gvisor:
# -- Set it to true if you want to deploy Falco with gVisor support.
enabled: false
# -- Runsc container runtime configuration. Falco needs to interact with it in order to intercept the activity of the sandboxed pods.
runsc:
# -- Absolute path of the `runsc` binary in the k8s nodes.
path: /home/containerd/usr/local/sbin
# -- Absolute path of the root directory of the `runsc` container runtime. It is of vital importance for Falco since `runsc` stores there the information of the workloads handled by it;
root: /run/containerd/runsc
# -- Absolute path of the `runsc` configuration file, used by Falco to set its configuration and make aware `gVisor` of its presence.
config: /run/containerd/runsc/config.toml
# Collectors for data enrichment (scenario requirement)
collectors:
# -- Enable/disable all the metadata collectors.
enabled: true
docker:
# -- Enable Docker support.
enabled: true
# -- The path of the Docker daemon socket.
socket: /var/run/docker.sock
containerd:
# -- Enable ContainerD support.
enabled: true
# -- The path of the ContainerD socket.
socket: /run/containerd/containerd.sock
crio:
# -- Enable CRI-O support.
enabled: true
# -- The path of the CRI-O socket.
socket: /run/crio/crio.sock
kubernetes:
# -- Enable Kubernetes meta data collection via a connection to the Kubernetes API server.
# When this option is disabled, Falco falls back to the container annotations to grap the meta data.
# In such a case, only the ID, name, namespace, labels of the pod will be available.
enabled: true
# -- The apiAuth value is to provide the authentication method Falco should use to connect to the Kubernetes API.
# The argument's documentation from Falco is provided here for reference:
#
# <bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>], --k8s-api-cert <bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>]
# Use the provided files names to authenticate user and (optionally) verify the K8S API server identity.
# Each entry must specify full (absolute, or relative to the current directory) path to the respective file.
# Private key password is optional (needed only if key is password protected).
# CA certificate is optional. For all files, only PEM file format is supported.
# Specifying CA certificate only is obsoleted - when single entry is provided
# for this option, it will be interpreted as the name of a file containing bearer token.
# Note that the format of this command-line option prohibits use of files whose names contain
# ':' or '#' characters in the file name.
# -- Provide the authentication method Falco should use to connect to the Kubernetes API.
apiAuth: /var/run/secrets/kubernetes.io/serviceaccount/token
## -- Provide the URL Falco should use to connect to the Kubernetes API.
apiUrl: "https://$(KUBERNETES_SERVICE_HOST)"
# -- If true, only the current node (on which Falco is running) will be considered when requesting metadata of pods
# to the API server. Disabling this option may have a performance penalty on large clusters.
enableNodeFilter: true
###########################
# Extras and customization #
############################
extra:
# -- Extra environment variables that will be pass onto Falco containers.
env: []
# -- Extra command-line arguments.
args: []
# -- Additional initContainers for Falco pods.
initContainers: []
# -- certificates used by webserver and grpc server.
# paste certificate content or use helm with --set-file
# or use existing secret containing key, crt, ca as well as pem bundle
certs:
# -- Existing secret containing the following key, crt and ca as well as the bundle pem.
existingSecret: ""
server:
# -- Key used by gRPC and webserver.
key: ""
# -- Certificate used by gRPC and webserver.
crt: ""
ca:
# -- CA certificate used by gRPC, webserver and AuditSink validation.
crt: ""
# -- Third party rules enabled for Falco. More info on the dedicated section in README.md file.
customRules:
{}
# Although Falco comes with a nice default rule set for detecting weird
# behavior in containers, our users are going to customize the run-time
# security rule sets or policies for the specific container images and
# applications they run. This feature can be handled in this section.
#
# Example:
#
# rules-traefik.yaml: |-
# [ rule body ]
########################
# Falco integrations #
########################
# -- For configuration values, see https://github.com/falcosecurity/charts/blob/master/falcosidekick/values.yaml
falcosidekick:
# -- Enable falcosidekick deployment.
enabled: true
# -- Enable usage of full FQDN of falcosidekick service (useful when a Proxy is used).
fullfqdn: false
# -- Listen port. Default value: 2801
listenPort: ""
replicaCount: 1
image:
# -- The image registry to pull from
registry: docker.io
# -- The image repository to pull from
repository: falcosecurity/falcosidekick
# -- The image tag to pull
tag: 2.27.0
webui:
# -- enable Falcosidekick-UI
enabled: true
# -- number of running pods
replicaCount: 1
image:
# -- The web UI image registry to pull from
registry: docker.io
# -- The web UI image repository to pull from
repository: falcosecurity/falcosidekick-ui
# -- The web UI image tag to pull
tag: "v2.1.0"
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: ingress-internal
cert-manager.io/cluster-issuer: vault-issuer
hosts:
- host: falco.dc
paths:
- path: /
tls:
- secretName: falco-tls
hosts:
- falco.dc
####################
# falcoctl config #
####################
falcoctl:
image:
# -- The image pull policy.
pullPolicy: IfNotPresent
# -- The image registry to pull from.
registry: docker.io
# -- The image repository to pull from.
repository: falcosecurity/falcoctl
# -- Overrides the image tag whose default is the chart appVersion.
tag: "0.4.0"
artifact:
# -- Runs "falcoctl artifact install" command as an init container. It is used to install artfacts before
# Falco starts. It provides them to Falco by using an emptyDir volume.
install:
enabled: true
# -- Extra environment variables that will be pass onto falcoctl-artifact-install init container.
env: {}
# -- Arguments to pass to the falcoctl-artifact-install init container.
args: ["--verbose"]
# -- Resources requests and limits for the falcoctl-artifact-install init container.
resources: {}
# -- Security context for the falcoctl init container.
securityContext: {}
# -- Runs "falcoctl artifact follow" command as a sidecar container. It is used to automatically check for
# updates given a list of artifacts. If an update is found it downloads and installs it in a shared folder (emptyDir)
# that is accessible by Falco. Rulesfiles are automatically detected and loaded by Falco once they are installed in the
# correct folder by falcoctl. To prevent new versions of artifacts from breaking Falco, the tool checks if it is compatible
# with the running version of Falco before installing it.
follow:
enabled: true
# -- Extra environment variables that will be pass onto falcoctl-artifact-follow sidecar container.
env: {}
# -- Arguments to pass to the falcoctl-artifact-follow sidecar container.
args: ["--verbose"]
# -- Resources requests and limits for the falcoctl-artifact-follow sidecar container.
resources: {}
# -- Security context for the falcoctl-artifact-follow sidecar container.
securityContext: {}
# -- Configuration file of the falcoctl tool. It is saved in a configmap and mounted on the falcotl containers.
config:
# -- List of indexes that falcoctl downloads and uses to locate and download artiafcts. For more info see:
# https://github.com/falcosecurity/falcoctl/blob/main/proposals/20220916-rules-and-plugin-distribution.md#index-file-overview
indexes:
- name: falcosecurity
url: https://falcosecurity.github.io/falcoctl/index.yaml
# -- Configuration used by the artifact commands.
artifact:
# -- List of artifact types that falcoctl will handle. If the configured refs resolves to an artifact whose type is not contained
# in the list it will refuse to downloade and install that artifact.
allowedTypes:
- rulesfile
install:
# -- Do not resolve the depenencies for artifacts. By default is true, but for our use case we disable it.
resolveDeps: false
# -- List of artifacts to be installed by the falcoctl init container.
refs: [falco-rules:0]
# -- Directory where the rulesfiles are saved. The path is relative to the container, which in this case is an emptyDir
# mounted also by the Falco pod.
rulesfilesDir: /rulesfiles
# -- Same as the one above but for the artifacts.
pluginsDir: /plugins
follow:
# -- List of artifacts to be followed by the falcoctl sidecar container.
refs: [falco-rules:0]
# -- How often the tool checks for new versions of the followed artifacts.
every: 6h
# -- HTTP endpoint that serves the api versions of the Falco instance. It is used to check if the new versions are compatible
# with the running Falco instance.
falcoversions: http://localhost:8765/versions
# -- See the fields of the artifact.install section.
rulesfilesDir: /rulesfiles
# -- See the fields of the artifact.install section.
pluginsDir: /plugins
######################
# falco.yaml config #
######################
falco:
# File(s) or Directories containing Falco rules, loaded at startup.
# The name "rules_file" is only for backwards compatibility.
# If the entry is a file, it will be read directly. If the entry is a directory,
# every file in that directory will be read, in alphabetical order.
#
# falco_rules.yaml ships with the falco package and is overridden with
# every new software version. falco_rules.local.yaml is only created
# if it doesn't exist. If you want to customize the set of rules, add
# your customizations to falco_rules.local.yaml.
#
# The files will be read in the order presented here, so make sure if
# you have overrides they appear in later files.
# -- The location of the rules files that will be consumed by Falco.
rules_file:
- /etc/falco/falco_rules.yaml
- /etc/falco/falco_rules.local.yaml
- /etc/falco/rules.d
#
# Plugins that are available for use. These plugins are not loaded by
# default, as they require explicit configuration to point to
# cloudtrail log files.
#
# To learn more about the supported formats for
# init_config/open_params for the cloudtrail plugin, see the README at
# https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md.
# -- Plugins configuration. Add here all plugins and their configuration. Please
# consult the plugins documentation for more info. Remember to add the plugins name in
# "load_plugins: []" in order to load them in Falco.
plugins:
- name: k8saudit
library_path: libk8saudit.so
init_config:
# maxEventSize: 262144
# webhookMaxBatchSize: 12582912
# sslCertificate: /etc/falco/falco.pem
open_params: "http://:9765/k8s-audit"
- name: cloudtrail
library_path: libcloudtrail.so
# see docs for init_config and open_params:
# https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md
- name: json
library_path: libjson.so
init_config: ""
# Setting this list to empty ensures that the above plugins are *not*
# loaded and enabled by default. If you want to use the above plugins,
# set a meaningful init_config/open_params for the cloudtrail plugin
# and then change this to:
# load_plugins: [cloudtrail, json]
# -- Add here the names of the plugins that you want to be loaded by Falco. Please make sure that
# plugins have been configured under the "plugins" section before adding them here.
# Please make sure to configure the falcoctl tool to download and install the very same plugins
# you are loading here. You should add the references in the falcoctl.config.artifact.install.refs array
# for each plugin you are loading.
load_plugins: ["k8saudit"]
# -- Watch config file and rules files for modification.
# When a file is modified, Falco will propagate new config,
# by reloading itself.
watch_config_files: true
# -- If true, the times displayed in log messages and output messages
# will be in ISO 8601. By default, times are displayed in the local
# time zone, as governed by /etc/localtime.
time_format_iso_8601: false
# -- If "true", print falco alert messages and rules file
# loading/validation results as json, which allows for easier
# consumption by downstream programs. Default is "false".
json_output: false
# -- When using json output, whether or not to include the "output" property
# itself (e.g. "File below a known binary directory opened for writing
# (user=root ....") in the json output.
json_include_output_property: true
# -- When using json output, whether or not to include the "tags" property
# itself in the json output. If set to true, outputs caused by rules
# with no tags will have a "tags" field set to an empty array. If set to
# false, the "tags" field will not be included in the json output at all.
json_include_tags_property: true
# -- Send information logs to stderr. Note these are *not* security
# notification logs! These are just Falco lifecycle (and possibly error) logs.
log_stderr: true
# -- Send information logs to syslog. Note these are *not* security
# notification logs! These are just Falco lifecycle (and possibly error) logs.
log_syslog: true
# -- Minimum log level to include in logs. Note: these levels are
# separate from the priority field of rules. This refers only to the
# log level of falco's internal logging. Can be one of "emergency",
# "alert", "critical", "error", "warning", "notice", "info", "debug".
log_level: info
# Falco is capable of managing the logs coming from libs. If enabled,
# the libs logger send its log records the same outputs supported by
# Falco (stderr and syslog). Disabled by default.
libs_logger:
# -- Enable the libs logger.
enabled: false
# -- Minimum log severity to include in the libs logs. Note: this value is
# separate from the log level of the Falco logger and does not affect it.
# Can be one of "fatal", "critical", "error", "warning", "notice",
# "info", "debug", "trace".
severity: debug
# -- Minimum rule priority level to load and run. All rules having a
# priority more severe than this level will be loaded/run. Can be one
# of "emergency", "alert", "critical", "error", "warning", "notice",
# "informational", "debug".
priority: debug
# -- Whether or not output to any of the output channels below is
# buffered. Defaults to false
buffered_outputs: false
# Falco uses a shared buffer between the kernel and userspace to pass
# system call information. When Falco detects that this buffer is
# full and system calls have been dropped, it can take one or more of
# the following actions:
# - ignore: do nothing (default when list of actions is empty)
# - log: log a DEBUG message noting that the buffer was full
# - alert: emit a Falco alert noting that the buffer was full
# - exit: exit Falco with a non-zero rc
#
# Notice it is not possible to ignore and log/alert messages at the same time.
#
# The rate at which log/alert messages are emitted is governed by a
# token bucket. The rate corresponds to one message every 30 seconds
# with a burst of one message (by default).
#
# The messages are emitted when the percentage of dropped system calls
# with respect the number of events in the last second
# is greater than the given threshold (a double in the range [0, 1]).
#
# For debugging/testing it is possible to simulate the drops using
# the `simulate_drops: true`. In this case the threshold does not apply.
syscall_event_drops:
# -- The messages are emitted when the percentage of dropped system calls
# with respect the number of events in the last second
# is greater than the given threshold (a double in the range [0, 1]).
threshold: .1
# -- Actions to be taken when system calls were dropped from the circular buffer.
actions:
- log
- alert
# -- Rate at which log/alert messages are emitted.
rate: .03333
# -- Max burst of messages emitted.
max_burst: 1
# -- Flag to enable drops for debug purposes.
simulate_drops: false
# Falco uses a shared buffer between the kernel and userspace to receive
# the events (eg., system call information) in userspace.
#
# Anyways, the underlying libraries can also timeout for various reasons.
# For example, there could have been issues while reading an event.
# Or the particular event needs to be skipped.
# Normally, it's very unlikely that Falco does not receive events consecutively.
#
# Falco is able to detect such uncommon situation.
#
# Here you can configure the maximum number of consecutive timeouts without an event
# after which you want Falco to alert.
# By default this value is set to 1000 consecutive timeouts without an event at all.
# How this value maps to a time interval depends on the CPU frequency.
syscall_event_timeouts:
# -- Maximum number of consecutive timeouts without an event
# after which you want Falco to alert.
max_consecutives: 1000
# --- [Description]
#
# This is an index that controls the dimension of the syscall buffers.
# The syscall buffer is the shared space between Falco and its drivers where all the syscall events
# are stored.
# Falco uses a syscall buffer for every online CPU, and all these buffers share the same dimension.
# So this parameter allows you to control the size of all the buffers!
#
# --- [Usage]
#
# You can choose between different indexes: from `1` to `10` (`0` is reserved for future uses).
# Every index corresponds to a dimension in bytes:
#
# [(*), 1 MB, 2 MB, 4 MB, 8 MB, 16 MB, 32 MB, 64 MB, 128 MB, 256 MB, 512 MB]
# ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^
# | | | | | | | | | | |
# 0 1 2 3 4 5 6 7 8 9 10
#
# As you can see the `0` index is reserved, while the index `1` corresponds to
# `1 MB` and so on.
#
# These dimensions in bytes derive from the fact that the buffer size must be:
# (1) a power of 2.
# (2) a multiple of your system_page_dimension.
# (3) greater than `2 * (system_page_dimension)`.
#
# According to these constraints is possible that sometimes you cannot use all the indexes, let's consider an
# example to better understand it:
# If you have a `page_size` of 1 MB the first available buffer size is 4 MB because 2 MB is exactly
# `2 * (system_page_size)` -> `2 * 1 MB`, but this is not enough we need more than `2 * (system_page_size)`!
# So from this example is clear that if you have a page size of 1 MB the first index that you can use is `3`.
#
# Please note: this is a very extreme case just to let you understand the mechanism, usually the page size is something
# like 4 KB so you have no problem at all and you can use all the indexes (from `1` to `10`).
#
# To check your system page size use the Falco `--page-size` command line option. The output on a system with a page
# size of 4096 Bytes (4 KB) should be the following:
#
# "Your system page size is: 4096 bytes."
#
# --- [Suggestions]
#
# Before the introduction of this param the buffer size was fixed to 8 MB (so index `4`, as you can see
# in the default value below).
# You can increase the buffer size when you face syscall drops. A size of 16 MB (so index `5`) can reduce
# syscall drops in production-heavy systems without noticeable impact. Very large buffers however could
# slow down the entire machine.
# On the other side you can try to reduce the buffer size to speed up the system, but this could
# increase the number of syscall drops!
# As a final remark consider that the buffer size is mapped twice in the process' virtual memory so a buffer of 8 MB
# will result in a 16 MB area in the process virtual memory.
# Please pay attention when you use this parameter and change it only if the default size doesn't fit your use case.
# -- This is an index that controls the dimension of the syscall buffers.
syscall_buf_size_preset: 4
############## [EXPERIMENTAL] Modern BPF probe specific ##############
# Please note: these configs regard only the modern BPF probe. They
# are experimental so they could change over releases.
#
# `cpus_for_each_syscall_buffer`
#
# --- [Description]
#
# This is an index that controls how many CPUs you want to assign to a single
# syscall buffer (ring buffer). By default, every syscall buffer is associated to
# 2 CPUs, so the mapping is 1:2. The modern BPF probe allows you to choose different
# mappings, for example, 1:1 would mean a syscall buffer for each CPU.
#
# --- [Usage]
#
# You can choose between different indexes: from `0` to `MAX_NUMBER_ONLINE_CPUs`.
# `0` is a special value and it means a single syscall buffer shared between all
# your online CPUs. `0` has the same effect as `MAX_NUMBER_ONLINE_CPUs`, the rationale
# is that `0` allows you to create a single buffer without knowing the number of online
# CPUs on your system.
# Let's consider an example to better understand it:
#
# Consider a system with 7 online CPUs:
#
# CPUs 0 X 2 3 X X 6 7 8 9 (X means offline CPU)
#
# - `1` means a syscall buffer for each CPU so 7 buffers
#
# CPUs 0 X 2 3 X X 6 7 8 9 (X means offline CPU)
# | | | | | | |
# BUFFERs 0 1 2 3 4 5 6
#
# - `2` (Default value) means a syscall buffer for each CPU pair, so 4 buffers
#
# CPUs 0 X 2 3 X X 6 7 8 9 (X means offline CPU)
# | | | | | | |
# BUFFERs 0 0 1 1 2 2 3
#
# Please note that we need 4 buffers, 3 buffers are associated with CPU pairs, the last
# one is mapped with just 1 CPU since we have an odd number of CPUs.
#
# - `0` or `MAX_NUMBER_ONLINE_CPUs` mean a syscall buffer shared between all CPUs, so 1 buffer
#
# CPUs 0 X 2 3 X X 6 7 8 9 (X means offline CPU)
# | | | | | | |
# BUFFERs 0 0 0 0 0 0 0
#
# Moreover you can combine this param with `syscall_buf_size_preset`
# index, for example, you could create a huge single syscall buffer
# shared between all your online CPUs of 512 MB (so `syscall_buf_size_preset=10`).
#
# --- [Suggestions]
#
# We chose index `2` (so one syscall buffer for each CPU pair) as default because the modern bpf probe
# follows a different memory allocation strategy with respect to the other 2 drivers (bpf and kernel module).
# By the way, you are free to find the preferred configuration for your system.
# Considering a fixed `syscall_buf_size_preset` and so a fixed buffer dimension:
# - a lower number of buffers can speed up your system (lower memory footprint)
# - a too lower number of buffers could increase contention in the kernel causing an
# overall slowdown of the system.
# If you don't have huge events throughputs and you are not experimenting with tons of drops
# you can try to reduce the number of buffers to have a lower memory footprint
modern_bpf:
# -- [MODERN PROBE ONLY] This is an index that controls how many CPUs you want to assign to a single syscall buffer.
cpus_for_each_syscall_buffer: 2
############## [EXPERIMENTAL] Modern BPF probe specific ##############
# Falco continuously monitors outputs performance. When an output channel does not allow
# to deliver an alert within a given deadline, an error is reported indicating
# which output is blocking notifications.
# The timeout error will be reported to the log according to the above log_* settings.
# Note that the notification will not be discarded from the output queue; thus,
# output channels may indefinitely remain blocked.
# An output timeout error indeed indicate a misconfiguration issue or I/O problems
# that cannot be recovered by Falco and should be fixed by the user.
#
# The "output_timeout" value specifies the duration in milliseconds to wait before
# considering the deadline exceed.
#
# With a 2000ms default, the notification consumer can block the Falco output
# for up to 2 seconds without reaching the timeout.
# -- Duration in milliseconds to wait before considering the output timeout deadline exceed.
output_timeout: 2000
# A throttling mechanism implemented as a token bucket limits the
# rate of Falco notifications. One rate limiter is assigned to each event
# source, so that alerts coming from one can't influence the throttling
# mechanism of the others. This is controlled by the following options:
# - rate: the number of tokens (i.e. right to send a notification)
# gained per second. When 0, the throttling mechanism is disabled.
# Defaults to 0.
# - max_burst: the maximum number of tokens outstanding. Defaults to 1000.
#
# With these defaults, the throttling mechanism is disabled.
# For example, by setting rate to 1 Falco could send up to 1000 notifications
# after an initial quiet period, and then up to 1 notification per second
# afterward. It would gain the full burst back after 1000 seconds of
# no activity.
outputs:
# -- Number of tokens gained per second.
rate: 1
# -- Maximum number of tokens outstanding.
max_burst: 1000
# Where security notifications should go.
# Multiple outputs can be enabled.
syslog_output:
# -- Enable syslog output for security notifications.
enabled: true
# If keep_alive is set to true, the file will be opened once and
# continuously written to, with each output message on its own
# line. If keep_alive is set to false, the file will be re-opened
# for each output message.
#
# Also, the file will be closed and reopened if falco is signaled with
# SIGUSR1.
file_output:
# -- Enable file output for security notifications.
enabled: false
# -- Open file once or every time a new notification arrives.
keep_alive: false
# -- The filename for logging notifications.
filename: ./events.txt
stdout_output:
# -- Enable stdout output for security notifications.
enabled: true
# Falco contains an embedded webserver that exposes a healthy endpoint that can be used to check if Falco is up and running.
# By default the endpoint is /healthz
#
# The ssl_certificate is a combination SSL Certificate and corresponding
# key contained in a single file. You can generate a key/cert as follows:
#
# $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
# $ cat certificate.pem key.pem > falco.pem
# $ sudo cp falco.pem /etc/falco/falco.pem
webserver:
# -- Enable Falco embedded webserver.
enabled: true
# -- Number of threads depending on the number of online cores.
threadiness: 0
# -- Port where Falco embedded webserver listen to connections.
listen_port: 8765
# -- Endpoint where Falco exposes the health status.
k8s_healthz_endpoint: /healthz
# -- Enable SSL on Falco embedded webserver.
ssl_enabled: false
# -- Certificate bundle path for the Falco embedded webserver.
ssl_certificate: /etc/falco/falco.pem
# Possible additional things you might want to do with program output:
# - send to a slack webhook:
# program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
# - logging (alternate method than syslog):
# program: logger -t falco-test
# - send over a network connection:
# program: nc host.example.com 80
# If keep_alive is set to true, the program will be started once and
# continuously written to, with each output message on its own
# line. If keep_alive is set to false, the program will be re-spawned
# for each output message.
#
# Also, the program will be closed and reopened if falco is signaled with
# SIGUSR1.
program_output:
# -- Enable program output for security notifications.
enabled: false
# -- Start the program once or re-spawn when a notification arrives.
keep_alive: false
# -- Command to execute for program output.
program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
http_output:
# -- Enable http output for security notifications.
enabled: false
# -- When set, this will override an auto-generated URL which matches the falcosidekick Service.
# -- When including Falco inside a parent helm chart, you must set this since the auto-generated URL won't match (#280).
url: ""
user_agent: "falcosecurity/falco"
# Falco supports running a gRPC server with two main binding types
# 1. Over the network with mandatory mutual TLS authentication (mTLS)
# 2. Over a local unix socket with no authentication
# By default, the gRPC server is disabled, with no enabled services (see grpc_output)
# please comment/uncomment and change accordingly the options below to configure it.
# Important note: if Falco has any troubles creating the gRPC server
# this information will be logged, however the main Falco daemon will not be stopped.
# gRPC server over network with (mandatory) mutual TLS configuration.
# This gRPC server is secure by default so you need to generate certificates and update their paths here.
# By default the gRPC server is off.
# You can configure the address to bind and expose it.
# By modifying the threadiness configuration you can fine-tune the number of threads (and context) it will use.
# grpc:
# enabled: true
# bind_address: "0.0.0.0:5060"
# # when threadiness is 0, Falco sets it by automatically figuring out the number of online cores
# threadiness: 0
# private_key: "/etc/falco/certs/server.key"
# cert_chain: "/etc/falco/certs/server.crt"
# root_certs: "/etc/falco/certs/ca.crt"
# -- gRPC server using an unix socket
grpc:
# -- Enable the Falco gRPC server.
enabled: false
# -- Bind address for the grpc server.
bind_address: "unix:///run/falco/falco.sock"
# -- Number of threads (and context) the gRPC server will use, 0 by default, which means "auto".
threadiness: 0
# gRPC output service.
# By default it is off.
# By enabling this all the output events will be kept in memory until you read them with a gRPC client.
# Make sure to have a consumer for them or leave this disabled.
grpc_output:
# -- Enable the gRPC output and events will be kept in memory until you read them with a gRPC client.
enabled: false
# Container orchestrator metadata fetching params
metadata_download:
# -- Max allowed response size (in Mb) when fetching metadata from Kubernetes.
max_mb: 100
# -- Sleep time (in μs) for each download chunck when fetching metadata from Kubernetes.
chunk_wait_us: 1000
# -- Watch frequency (in seconds) when fetching metadata from Kubernetes.
watch_freq_sec: 1