# Default values for Falco. ############################### # General deployment settings # ############################### image: # -- The image pull policy. pullPolicy: IfNotPresent # -- The image registry to pull from. registry: docker.io # -- The image repository to pull from repository: falcosecurity/falco-no-driver # -- The image tag to pull. Overrides the image tag whose default is the chart appVersion. tag: "" # -- Secrets containing credentials when pulling from private/secure registries. imagePullSecrets: [] # -- Put here the new name if you want to override the release name used for Falco components. nameOverride: "" # -- Same as nameOverride but for the fullname. fullnameOverride: "" # -- Override the deployment namespace namespaceOverride: "" rbac: # Create and use rbac resources when set to true. Needed to fetch k8s metadata from the api-server. create: true serviceAccount: # -- Specifies whether a service account should be created. create: true # -- Annotations to add to the service account. annotations: {} # -- The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "" # -- Add additional pod annotations podAnnotations: {} # -- Add additional pod labels podLabels: {} # -- Set pod priorityClassName podPriorityClassName: # -- Set securityContext for the pods # These security settings are overriden by the ones specified for the specific # containers when there is overlap. podSecurityContext: {} # Note that `containerSecurityContext`: # - will not apply to init containers, if any; # - takes precedence over other automatic configurations (see below). # # Based on the `driver` configuration the auto generated settings are: # 1) driver.enabled = false: # securityContext: {} # # 2) driver.enabled = true and (driver.kind = module || driver.kind = modern-bpf): # securityContext: # privileged: true # # 3) driver.enabled = true and driver.kind = ebpf: # securityContext: # privileged: true # # 4) driver.enabled = true and driver.kind = ebpf and driver.ebpf.leastPrivileged = true # securityContext: # capabilities: # add: # - BPF # - SYS_RESOURCE # - PERFMON # - SYS_PTRACE # # -- Set securityContext for the Falco container.For more info see the "falco.securityContext" helper in "pod-template.tpl" containerSecurityContext: {} scc: # -- Create OpenShift's Security Context Constraint. create: true resources: # -- Although resources needed are subjective on the actual workload we provide # a sane defaults ones. If you have more questions or concerns, please refer # to #falco slack channel for more info about it. requests: cpu: 100m memory: 512Mi # -- Maximum amount of resources that Falco container could get. # If you are enabling more than one source in falco, than consider to increase # the cpu limits. limits: cpu: 1000m memory: 1024Mi # -- Selectors used to deploy Falco on a given node/nodes. nodeSelector: {} # -- Affinity constraint for pods' scheduling. affinity: {} # -- Tolerations to allow Falco to run on Kubernetes masters. tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master - effect: NoSchedule key: node-role.kubernetes.io/control-plane # -- Parameters used healthChecks: livenessProbe: # -- Tells the kubelet that it should wait X seconds before performing the first probe. initialDelaySeconds: 60 # -- Number of seconds after which the probe times out. timeoutSeconds: 5 # -- Specifies that the kubelet should perform the check every x seconds. periodSeconds: 15 readinessProbe: # -- Tells the kubelet that it should wait X seconds before performing the first probe. initialDelaySeconds: 30 # -- Number of seconds after which the probe times out. timeoutSeconds: 5 # -- Specifies that the kubelet should perform the check every x seconds. periodSeconds: 15 # -- Attach the Falco process to a tty inside the container. Needed to flush Falco logs as soon as they are emitted. # Set it to "true" when you need the Falco logs to be immediately displayed. tty: false ######################### # Scenario requirements # ######################### # Sensors dislocation configuration (scenario requirement) controller: # Available options: deployment, daemonset. kind: daemonset # Annotations to add to the daemonset or deployment annotations: {} daemonset: updateStrategy: # You can also customize maxUnavailable or minReadySeconds if you # need it # -- Perform rolling updates by default in the DaemonSet agent # ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ type: RollingUpdate deployment: # -- Number of replicas when installing Falco using a deployment. Change it if you really know what you are doing. # For more info check the section on Plugins in the README.md file. replicas: 1 # -- Network services configuration (scenario requirement) # Add here your services to be deployed together with Falco. services: # Example configuration for the "k8sauditlog" plugin # - name: k8saudit-webhook # type: NodePort # ports: # - port: 9765 # See plugin open_params # nodePort: 30007 # protocol: TCP # File access configuration (scenario requirement) mounts: # -- A list of volumes you want to add to the Falco pods. volumes: [] # -- A list of volumes you want to add to the Falco pods. volumeMounts: [] # -- By default, `/proc` from the host is only mounted into the Falco pod when `driver.enabled` is set to `true`. This flag allows it to override this behaviour for edge cases where `/proc` is needed but syscall data source is not enabled at the same time (e.g. for specific plugins). enforceProcMount: false # Driver settings (scenario requirement) driver: # -- Set it to false if you want to deploy Falco without the drivers. # Always set it to false when using Falco with plugins. enabled: true # -- Tell Falco which driver to use. Available options: module (kernel driver), ebpf (eBPF probe), modern-bpf (modern eBPF probe). kind: module # -- Configuration section for ebpf driver. ebpf: # -- Path where the eBPF probe is located. It comes handy when the probe have been installed in the nodes using tools other than the init # container deployed with the chart. path: # -- Needed to enable eBPF JIT at runtime for performance reasons. # Can be skipped if eBPF JIT is enabled from outside the container hostNetwork: false # -- Constrain Falco with capabilities instead of running a privileged container. # This option is only supported with the eBPF driver and a kernel >= 5.8. # Ensure the eBPF driver is enabled (i.e., setting the `driver.kind` option to `ebpf`). leastPrivileged: false # -- Configuration for the Falco init container. loader: # -- Enable/disable the init container. enabled: true initContainer: image: # -- The image pull policy. pullPolicy: IfNotPresent # -- The image registry to pull from. registry: docker.io # -- The image repository to pull from. repository: falcosecurity/falco-driver-loader # -- Overrides the image tag whose default is the chart appVersion. tag: "" # -- Extra environment variables that will be pass onto Falco driver loader init container. env: [] # -- Arguments to pass to the Falco driver loader init container. args: [] # -- Resources requests and limits for the Falco driver loader init container. resources: {} # -- Security context for the Falco driver loader init container. Overrides the default security context. If driver.kind == "module" you must at least set `privileged: true`. securityContext: {} # -- Gvisor configuration. Based on your system you need to set the appropriate values. # Please, rembember to add pod tolerations and affinities in order to schedule the Falco pods in the gVisor enabled nodes. gvisor: # -- Set it to true if you want to deploy Falco with gVisor support. enabled: false # -- Runsc container runtime configuration. Falco needs to interact with it in order to intercept the activity of the sandboxed pods. runsc: # -- Absolute path of the `runsc` binary in the k8s nodes. path: /home/containerd/usr/local/sbin # -- Absolute path of the root directory of the `runsc` container runtime. It is of vital importance for Falco since `runsc` stores there the information of the workloads handled by it; root: /run/containerd/runsc # -- Absolute path of the `runsc` configuration file, used by Falco to set its configuration and make aware `gVisor` of its presence. config: /run/containerd/runsc/config.toml # Collectors for data enrichment (scenario requirement) collectors: # -- Enable/disable all the metadata collectors. enabled: true docker: # -- Enable Docker support. enabled: true # -- The path of the Docker daemon socket. socket: /var/run/docker.sock containerd: # -- Enable ContainerD support. enabled: true # -- The path of the ContainerD socket. socket: /run/containerd/containerd.sock crio: # -- Enable CRI-O support. enabled: true # -- The path of the CRI-O socket. socket: /run/crio/crio.sock kubernetes: # -- Enable Kubernetes meta data collection via a connection to the Kubernetes API server. # When this option is disabled, Falco falls back to the container annotations to grap the meta data. # In such a case, only the ID, name, namespace, labels of the pod will be available. enabled: true # -- The apiAuth value is to provide the authentication method Falco should use to connect to the Kubernetes API. # The argument's documentation from Falco is provided here for reference: # # | :[:], --k8s-api-cert | :[:] # Use the provided files names to authenticate user and (optionally) verify the K8S API server identity. # Each entry must specify full (absolute, or relative to the current directory) path to the respective file. # Private key password is optional (needed only if key is password protected). # CA certificate is optional. For all files, only PEM file format is supported. # Specifying CA certificate only is obsoleted - when single entry is provided # for this option, it will be interpreted as the name of a file containing bearer token. # Note that the format of this command-line option prohibits use of files whose names contain # ':' or '#' characters in the file name. # -- Provide the authentication method Falco should use to connect to the Kubernetes API. apiAuth: /var/run/secrets/kubernetes.io/serviceaccount/token ## -- Provide the URL Falco should use to connect to the Kubernetes API. apiUrl: "https://$(KUBERNETES_SERVICE_HOST)" # -- If true, only the current node (on which Falco is running) will be considered when requesting metadata of pods # to the API server. Disabling this option may have a performance penalty on large clusters. enableNodeFilter: true ########################### # Extras and customization # ############################ extra: # -- Extra environment variables that will be pass onto Falco containers. env: [] # -- Extra command-line arguments. args: [] # -- Additional initContainers for Falco pods. initContainers: [] # -- certificates used by webserver and grpc server. # paste certificate content or use helm with --set-file # or use existing secret containing key, crt, ca as well as pem bundle certs: # -- Existing secret containing the following key, crt and ca as well as the bundle pem. existingSecret: "" server: # -- Key used by gRPC and webserver. key: "" # -- Certificate used by gRPC and webserver. crt: "" ca: # -- CA certificate used by gRPC, webserver and AuditSink validation. crt: "" # -- Third party rules enabled for Falco. More info on the dedicated section in README.md file. customRules: {} # Although Falco comes with a nice default rule set for detecting weird # behavior in containers, our users are going to customize the run-time # security rule sets or policies for the specific container images and # applications they run. This feature can be handled in this section. # # Example: # # rules-traefik.yaml: |- # [ rule body ] ######################## # Falco integrations # ######################## # -- For configuration values, see https://github.com/falcosecurity/charts/blob/master/falcosidekick/values.yaml falcosidekick: # -- Enable falcosidekick deployment. enabled: true # -- Enable usage of full FQDN of falcosidekick service (useful when a Proxy is used). fullfqdn: false # -- Listen port. Default value: 2801 listenPort: "" replicaCount: 1 image: # -- The image registry to pull from registry: docker.io # -- The image repository to pull from repository: falcosecurity/falcosidekick # -- The image tag to pull tag: 2.27.0 webui: # -- enable Falcosidekick-UI enabled: true # -- number of running pods replicaCount: 1 image: # -- The web UI image registry to pull from registry: docker.io # -- The web UI image repository to pull from repository: falcosecurity/falcosidekick-ui # -- The web UI image tag to pull tag: "v2.1.0" ingress: enabled: true annotations: kubernetes.io/ingress.class: ingress-internal cert-manager.io/cluster-issuer: vault-issuer hosts: - host: falco.dc paths: - path: / tls: - secretName: falco-tls hosts: - falco.dc #################### # falcoctl config # #################### falcoctl: image: # -- The image pull policy. pullPolicy: IfNotPresent # -- The image registry to pull from. registry: docker.io # -- The image repository to pull from. repository: falcosecurity/falcoctl # -- Overrides the image tag whose default is the chart appVersion. tag: "0.4.0" artifact: # -- Runs "falcoctl artifact install" command as an init container. It is used to install artfacts before # Falco starts. It provides them to Falco by using an emptyDir volume. install: enabled: true # -- Extra environment variables that will be pass onto falcoctl-artifact-install init container. env: {} # -- Arguments to pass to the falcoctl-artifact-install init container. args: ["--verbose"] # -- Resources requests and limits for the falcoctl-artifact-install init container. resources: {} # -- Security context for the falcoctl init container. securityContext: {} # -- Runs "falcoctl artifact follow" command as a sidecar container. It is used to automatically check for # updates given a list of artifacts. If an update is found it downloads and installs it in a shared folder (emptyDir) # that is accessible by Falco. Rulesfiles are automatically detected and loaded by Falco once they are installed in the # correct folder by falcoctl. To prevent new versions of artifacts from breaking Falco, the tool checks if it is compatible # with the running version of Falco before installing it. follow: enabled: true # -- Extra environment variables that will be pass onto falcoctl-artifact-follow sidecar container. env: {} # -- Arguments to pass to the falcoctl-artifact-follow sidecar container. args: ["--verbose"] # -- Resources requests and limits for the falcoctl-artifact-follow sidecar container. resources: {} # -- Security context for the falcoctl-artifact-follow sidecar container. securityContext: {} # -- Configuration file of the falcoctl tool. It is saved in a configmap and mounted on the falcotl containers. config: # -- List of indexes that falcoctl downloads and uses to locate and download artiafcts. For more info see: # https://github.com/falcosecurity/falcoctl/blob/main/proposals/20220916-rules-and-plugin-distribution.md#index-file-overview indexes: - name: falcosecurity url: https://falcosecurity.github.io/falcoctl/index.yaml # -- Configuration used by the artifact commands. artifact: # -- List of artifact types that falcoctl will handle. If the configured refs resolves to an artifact whose type is not contained # in the list it will refuse to downloade and install that artifact. allowedTypes: - rulesfile install: # -- Do not resolve the depenencies for artifacts. By default is true, but for our use case we disable it. resolveDeps: false # -- List of artifacts to be installed by the falcoctl init container. refs: [falco-rules:0] # -- Directory where the rulesfiles are saved. The path is relative to the container, which in this case is an emptyDir # mounted also by the Falco pod. rulesfilesDir: /rulesfiles # -- Same as the one above but for the artifacts. pluginsDir: /plugins follow: # -- List of artifacts to be followed by the falcoctl sidecar container. refs: [falco-rules:0] # -- How often the tool checks for new versions of the followed artifacts. every: 6h # -- HTTP endpoint that serves the api versions of the Falco instance. It is used to check if the new versions are compatible # with the running Falco instance. falcoversions: http://localhost:8765/versions # -- See the fields of the artifact.install section. rulesfilesDir: /rulesfiles # -- See the fields of the artifact.install section. pluginsDir: /plugins ###################### # falco.yaml config # ###################### falco: # File(s) or Directories containing Falco rules, loaded at startup. # The name "rules_file" is only for backwards compatibility. # If the entry is a file, it will be read directly. If the entry is a directory, # every file in that directory will be read, in alphabetical order. # # falco_rules.yaml ships with the falco package and is overridden with # every new software version. falco_rules.local.yaml is only created # if it doesn't exist. If you want to customize the set of rules, add # your customizations to falco_rules.local.yaml. # # The files will be read in the order presented here, so make sure if # you have overrides they appear in later files. # -- The location of the rules files that will be consumed by Falco. rules_file: - /etc/falco/falco_rules.yaml - /etc/falco/falco_rules.local.yaml - /etc/falco/rules.d # # Plugins that are available for use. These plugins are not loaded by # default, as they require explicit configuration to point to # cloudtrail log files. # # To learn more about the supported formats for # init_config/open_params for the cloudtrail plugin, see the README at # https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md. # -- Plugins configuration. Add here all plugins and their configuration. Please # consult the plugins documentation for more info. Remember to add the plugins name in # "load_plugins: []" in order to load them in Falco. plugins: - name: k8saudit library_path: libk8saudit.so init_config: # maxEventSize: 262144 # webhookMaxBatchSize: 12582912 # sslCertificate: /etc/falco/falco.pem open_params: "http://:9765/k8s-audit" - name: cloudtrail library_path: libcloudtrail.so # see docs for init_config and open_params: # https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md - name: json library_path: libjson.so init_config: "" # Setting this list to empty ensures that the above plugins are *not* # loaded and enabled by default. If you want to use the above plugins, # set a meaningful init_config/open_params for the cloudtrail plugin # and then change this to: # load_plugins: [cloudtrail, json] # -- Add here the names of the plugins that you want to be loaded by Falco. Please make sure that # plugins have been configured under the "plugins" section before adding them here. # Please make sure to configure the falcoctl tool to download and install the very same plugins # you are loading here. You should add the references in the falcoctl.config.artifact.install.refs array # for each plugin you are loading. load_plugins: ["k8saudit"] # -- Watch config file and rules files for modification. # When a file is modified, Falco will propagate new config, # by reloading itself. watch_config_files: true # -- If true, the times displayed in log messages and output messages # will be in ISO 8601. By default, times are displayed in the local # time zone, as governed by /etc/localtime. time_format_iso_8601: false # -- If "true", print falco alert messages and rules file # loading/validation results as json, which allows for easier # consumption by downstream programs. Default is "false". json_output: false # -- When using json output, whether or not to include the "output" property # itself (e.g. "File below a known binary directory opened for writing # (user=root ....") in the json output. json_include_output_property: true # -- When using json output, whether or not to include the "tags" property # itself in the json output. If set to true, outputs caused by rules # with no tags will have a "tags" field set to an empty array. If set to # false, the "tags" field will not be included in the json output at all. json_include_tags_property: true # -- Send information logs to stderr. Note these are *not* security # notification logs! These are just Falco lifecycle (and possibly error) logs. log_stderr: true # -- Send information logs to syslog. Note these are *not* security # notification logs! These are just Falco lifecycle (and possibly error) logs. log_syslog: true # -- Minimum log level to include in logs. Note: these levels are # separate from the priority field of rules. This refers only to the # log level of falco's internal logging. Can be one of "emergency", # "alert", "critical", "error", "warning", "notice", "info", "debug". log_level: info # Falco is capable of managing the logs coming from libs. If enabled, # the libs logger send its log records the same outputs supported by # Falco (stderr and syslog). Disabled by default. libs_logger: # -- Enable the libs logger. enabled: false # -- Minimum log severity to include in the libs logs. Note: this value is # separate from the log level of the Falco logger and does not affect it. # Can be one of "fatal", "critical", "error", "warning", "notice", # "info", "debug", "trace". severity: debug # -- Minimum rule priority level to load and run. All rules having a # priority more severe than this level will be loaded/run. Can be one # of "emergency", "alert", "critical", "error", "warning", "notice", # "informational", "debug". priority: debug # -- Whether or not output to any of the output channels below is # buffered. Defaults to false buffered_outputs: false # Falco uses a shared buffer between the kernel and userspace to pass # system call information. When Falco detects that this buffer is # full and system calls have been dropped, it can take one or more of # the following actions: # - ignore: do nothing (default when list of actions is empty) # - log: log a DEBUG message noting that the buffer was full # - alert: emit a Falco alert noting that the buffer was full # - exit: exit Falco with a non-zero rc # # Notice it is not possible to ignore and log/alert messages at the same time. # # The rate at which log/alert messages are emitted is governed by a # token bucket. The rate corresponds to one message every 30 seconds # with a burst of one message (by default). # # The messages are emitted when the percentage of dropped system calls # with respect the number of events in the last second # is greater than the given threshold (a double in the range [0, 1]). # # For debugging/testing it is possible to simulate the drops using # the `simulate_drops: true`. In this case the threshold does not apply. syscall_event_drops: # -- The messages are emitted when the percentage of dropped system calls # with respect the number of events in the last second # is greater than the given threshold (a double in the range [0, 1]). threshold: .1 # -- Actions to be taken when system calls were dropped from the circular buffer. actions: - log - alert # -- Rate at which log/alert messages are emitted. rate: .03333 # -- Max burst of messages emitted. max_burst: 1 # -- Flag to enable drops for debug purposes. simulate_drops: false # Falco uses a shared buffer between the kernel and userspace to receive # the events (eg., system call information) in userspace. # # Anyways, the underlying libraries can also timeout for various reasons. # For example, there could have been issues while reading an event. # Or the particular event needs to be skipped. # Normally, it's very unlikely that Falco does not receive events consecutively. # # Falco is able to detect such uncommon situation. # # Here you can configure the maximum number of consecutive timeouts without an event # after which you want Falco to alert. # By default this value is set to 1000 consecutive timeouts without an event at all. # How this value maps to a time interval depends on the CPU frequency. syscall_event_timeouts: # -- Maximum number of consecutive timeouts without an event # after which you want Falco to alert. max_consecutives: 1000 # --- [Description] # # This is an index that controls the dimension of the syscall buffers. # The syscall buffer is the shared space between Falco and its drivers where all the syscall events # are stored. # Falco uses a syscall buffer for every online CPU, and all these buffers share the same dimension. # So this parameter allows you to control the size of all the buffers! # # --- [Usage] # # You can choose between different indexes: from `1` to `10` (`0` is reserved for future uses). # Every index corresponds to a dimension in bytes: # # [(*), 1 MB, 2 MB, 4 MB, 8 MB, 16 MB, 32 MB, 64 MB, 128 MB, 256 MB, 512 MB] # ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ # | | | | | | | | | | | # 0 1 2 3 4 5 6 7 8 9 10 # # As you can see the `0` index is reserved, while the index `1` corresponds to # `1 MB` and so on. # # These dimensions in bytes derive from the fact that the buffer size must be: # (1) a power of 2. # (2) a multiple of your system_page_dimension. # (3) greater than `2 * (system_page_dimension)`. # # According to these constraints is possible that sometimes you cannot use all the indexes, let's consider an # example to better understand it: # If you have a `page_size` of 1 MB the first available buffer size is 4 MB because 2 MB is exactly # `2 * (system_page_size)` -> `2 * 1 MB`, but this is not enough we need more than `2 * (system_page_size)`! # So from this example is clear that if you have a page size of 1 MB the first index that you can use is `3`. # # Please note: this is a very extreme case just to let you understand the mechanism, usually the page size is something # like 4 KB so you have no problem at all and you can use all the indexes (from `1` to `10`). # # To check your system page size use the Falco `--page-size` command line option. The output on a system with a page # size of 4096 Bytes (4 KB) should be the following: # # "Your system page size is: 4096 bytes." # # --- [Suggestions] # # Before the introduction of this param the buffer size was fixed to 8 MB (so index `4`, as you can see # in the default value below). # You can increase the buffer size when you face syscall drops. A size of 16 MB (so index `5`) can reduce # syscall drops in production-heavy systems without noticeable impact. Very large buffers however could # slow down the entire machine. # On the other side you can try to reduce the buffer size to speed up the system, but this could # increase the number of syscall drops! # As a final remark consider that the buffer size is mapped twice in the process' virtual memory so a buffer of 8 MB # will result in a 16 MB area in the process virtual memory. # Please pay attention when you use this parameter and change it only if the default size doesn't fit your use case. # -- This is an index that controls the dimension of the syscall buffers. syscall_buf_size_preset: 4 ############## [EXPERIMENTAL] Modern BPF probe specific ############## # Please note: these configs regard only the modern BPF probe. They # are experimental so they could change over releases. # # `cpus_for_each_syscall_buffer` # # --- [Description] # # This is an index that controls how many CPUs you want to assign to a single # syscall buffer (ring buffer). By default, every syscall buffer is associated to # 2 CPUs, so the mapping is 1:2. The modern BPF probe allows you to choose different # mappings, for example, 1:1 would mean a syscall buffer for each CPU. # # --- [Usage] # # You can choose between different indexes: from `0` to `MAX_NUMBER_ONLINE_CPUs`. # `0` is a special value and it means a single syscall buffer shared between all # your online CPUs. `0` has the same effect as `MAX_NUMBER_ONLINE_CPUs`, the rationale # is that `0` allows you to create a single buffer without knowing the number of online # CPUs on your system. # Let's consider an example to better understand it: # # Consider a system with 7 online CPUs: # # CPUs 0 X 2 3 X X 6 7 8 9 (X means offline CPU) # # - `1` means a syscall buffer for each CPU so 7 buffers # # CPUs 0 X 2 3 X X 6 7 8 9 (X means offline CPU) # | | | | | | | # BUFFERs 0 1 2 3 4 5 6 # # - `2` (Default value) means a syscall buffer for each CPU pair, so 4 buffers # # CPUs 0 X 2 3 X X 6 7 8 9 (X means offline CPU) # | | | | | | | # BUFFERs 0 0 1 1 2 2 3 # # Please note that we need 4 buffers, 3 buffers are associated with CPU pairs, the last # one is mapped with just 1 CPU since we have an odd number of CPUs. # # - `0` or `MAX_NUMBER_ONLINE_CPUs` mean a syscall buffer shared between all CPUs, so 1 buffer # # CPUs 0 X 2 3 X X 6 7 8 9 (X means offline CPU) # | | | | | | | # BUFFERs 0 0 0 0 0 0 0 # # Moreover you can combine this param with `syscall_buf_size_preset` # index, for example, you could create a huge single syscall buffer # shared between all your online CPUs of 512 MB (so `syscall_buf_size_preset=10`). # # --- [Suggestions] # # We chose index `2` (so one syscall buffer for each CPU pair) as default because the modern bpf probe # follows a different memory allocation strategy with respect to the other 2 drivers (bpf and kernel module). # By the way, you are free to find the preferred configuration for your system. # Considering a fixed `syscall_buf_size_preset` and so a fixed buffer dimension: # - a lower number of buffers can speed up your system (lower memory footprint) # - a too lower number of buffers could increase contention in the kernel causing an # overall slowdown of the system. # If you don't have huge events throughputs and you are not experimenting with tons of drops # you can try to reduce the number of buffers to have a lower memory footprint modern_bpf: # -- [MODERN PROBE ONLY] This is an index that controls how many CPUs you want to assign to a single syscall buffer. cpus_for_each_syscall_buffer: 2 ############## [EXPERIMENTAL] Modern BPF probe specific ############## # Falco continuously monitors outputs performance. When an output channel does not allow # to deliver an alert within a given deadline, an error is reported indicating # which output is blocking notifications. # The timeout error will be reported to the log according to the above log_* settings. # Note that the notification will not be discarded from the output queue; thus, # output channels may indefinitely remain blocked. # An output timeout error indeed indicate a misconfiguration issue or I/O problems # that cannot be recovered by Falco and should be fixed by the user. # # The "output_timeout" value specifies the duration in milliseconds to wait before # considering the deadline exceed. # # With a 2000ms default, the notification consumer can block the Falco output # for up to 2 seconds without reaching the timeout. # -- Duration in milliseconds to wait before considering the output timeout deadline exceed. output_timeout: 2000 # A throttling mechanism implemented as a token bucket limits the # rate of Falco notifications. One rate limiter is assigned to each event # source, so that alerts coming from one can't influence the throttling # mechanism of the others. This is controlled by the following options: # - rate: the number of tokens (i.e. right to send a notification) # gained per second. When 0, the throttling mechanism is disabled. # Defaults to 0. # - max_burst: the maximum number of tokens outstanding. Defaults to 1000. # # With these defaults, the throttling mechanism is disabled. # For example, by setting rate to 1 Falco could send up to 1000 notifications # after an initial quiet period, and then up to 1 notification per second # afterward. It would gain the full burst back after 1000 seconds of # no activity. outputs: # -- Number of tokens gained per second. rate: 1 # -- Maximum number of tokens outstanding. max_burst: 1000 # Where security notifications should go. # Multiple outputs can be enabled. syslog_output: # -- Enable syslog output for security notifications. enabled: true # If keep_alive is set to true, the file will be opened once and # continuously written to, with each output message on its own # line. If keep_alive is set to false, the file will be re-opened # for each output message. # # Also, the file will be closed and reopened if falco is signaled with # SIGUSR1. file_output: # -- Enable file output for security notifications. enabled: false # -- Open file once or every time a new notification arrives. keep_alive: false # -- The filename for logging notifications. filename: ./events.txt stdout_output: # -- Enable stdout output for security notifications. enabled: true # Falco contains an embedded webserver that exposes a healthy endpoint that can be used to check if Falco is up and running. # By default the endpoint is /healthz # # The ssl_certificate is a combination SSL Certificate and corresponding # key contained in a single file. You can generate a key/cert as follows: # # $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem # $ cat certificate.pem key.pem > falco.pem # $ sudo cp falco.pem /etc/falco/falco.pem webserver: # -- Enable Falco embedded webserver. enabled: true # -- Number of threads depending on the number of online cores. threadiness: 0 # -- Port where Falco embedded webserver listen to connections. listen_port: 8765 # -- Endpoint where Falco exposes the health status. k8s_healthz_endpoint: /healthz # -- Enable SSL on Falco embedded webserver. ssl_enabled: false # -- Certificate bundle path for the Falco embedded webserver. ssl_certificate: /etc/falco/falco.pem # Possible additional things you might want to do with program output: # - send to a slack webhook: # program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX" # - logging (alternate method than syslog): # program: logger -t falco-test # - send over a network connection: # program: nc host.example.com 80 # If keep_alive is set to true, the program will be started once and # continuously written to, with each output message on its own # line. If keep_alive is set to false, the program will be re-spawned # for each output message. # # Also, the program will be closed and reopened if falco is signaled with # SIGUSR1. program_output: # -- Enable program output for security notifications. enabled: false # -- Start the program once or re-spawn when a notification arrives. keep_alive: false # -- Command to execute for program output. program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX" http_output: # -- Enable http output for security notifications. enabled: false # -- When set, this will override an auto-generated URL which matches the falcosidekick Service. # -- When including Falco inside a parent helm chart, you must set this since the auto-generated URL won't match (#280). url: "" user_agent: "falcosecurity/falco" # Falco supports running a gRPC server with two main binding types # 1. Over the network with mandatory mutual TLS authentication (mTLS) # 2. Over a local unix socket with no authentication # By default, the gRPC server is disabled, with no enabled services (see grpc_output) # please comment/uncomment and change accordingly the options below to configure it. # Important note: if Falco has any troubles creating the gRPC server # this information will be logged, however the main Falco daemon will not be stopped. # gRPC server over network with (mandatory) mutual TLS configuration. # This gRPC server is secure by default so you need to generate certificates and update their paths here. # By default the gRPC server is off. # You can configure the address to bind and expose it. # By modifying the threadiness configuration you can fine-tune the number of threads (and context) it will use. # grpc: # enabled: true # bind_address: "0.0.0.0:5060" # # when threadiness is 0, Falco sets it by automatically figuring out the number of online cores # threadiness: 0 # private_key: "/etc/falco/certs/server.key" # cert_chain: "/etc/falco/certs/server.crt" # root_certs: "/etc/falco/certs/ca.crt" # -- gRPC server using an unix socket grpc: # -- Enable the Falco gRPC server. enabled: false # -- Bind address for the grpc server. bind_address: "unix:///run/falco/falco.sock" # -- Number of threads (and context) the gRPC server will use, 0 by default, which means "auto". threadiness: 0 # gRPC output service. # By default it is off. # By enabling this all the output events will be kept in memory until you read them with a gRPC client. # Make sure to have a consumer for them or leave this disabled. grpc_output: # -- Enable the gRPC output and events will be kept in memory until you read them with a gRPC client. enabled: false # Container orchestrator metadata fetching params metadata_download: # -- Max allowed response size (in Mb) when fetching metadata from Kubernetes. max_mb: 100 # -- Sleep time (in μs) for each download chunck when fetching metadata from Kubernetes. chunk_wait_us: 1000 # -- Watch frequency (in seconds) when fetching metadata from Kubernetes. watch_freq_sec: 1