falcosecurity / falco-website
Source code of the official Falco website
Home Page: https://falco.org
License: Creative Commons Attribution 4.0 International
What to document
Falco is touching critical parts of the operating system.
It would be extremely useful to have a list of system dependencies like:
for:
So we could create least privileged Falco deployments.
/area documentation
What would you like to be added:
The Falco go client https://github.com/falcosecurity/client-go now has a documentation page at https://godoc.org/github.com/falcosecurity/client-go/pkg/client
I think that we want to link that in the main website when we document the gRPC feature.
We can wait
Why is this needed:
Because we want the world to use the go client!
Blocked by #77
/area documentation
What would you like to be added:
Recently, Mattia created a Python client for the Falco gRPC API.
I'd like it to be documented also on Falco's website, in the same way the Go client is documented (see here).
Why is this needed:
We need to document everything in order to foster comprehension, adoption, and contribution.
/area documentation
What would you like to be added:
We need to document:
Why is this needed:
Because it's a new feature and people will want to use it!
/area documentation
What would you like to be added:
Document workaround for civetweb + openssl.
Comment: falcosecurity/falco#860 (comment)
Why is this needed:
/area blog
What would you like to be added:
I've written a step-by-step blog post on how to integrate Falco with YugabyteDB running on GKE. See attached PDF. Happy to share out the source file with the appropriate folks.
Why is this needed:
YugabyteDB is a 100% open source, cloud-native database and we are looking to provide our users with as much information as possible on how to integrate YugabyteDB with CNCF projects...Falco being one of them.
Getting Started with Falco and Cloud-Native Distributed SQL on Google Kubernetes Engine (1).pdf
This issue intends to propose the creation of a cheatsheet-style doc for Falco, following from this tweet by @lucperkins.
I think that the target of the cheatsheet has to be the Falco rules (conditions, rules macros, common rules that the community most asks).
The existing form on falco.org for subscribing to Falco project updates pushes to a deprecated Pardot instance hosted by Sysdig.
This issue is logged to update the form such that it instead points to a Marketo instance hosted by Sysdig. Subscribers will be ringfenced from other promotions unless they explicitly opt in.
```html
<form id="mktoForm_1186"></form>
<script>MktoForms2.loadForm("//app-ab34.marketo.com", "067-QZT-881", 1186);</script>
```
Add falco website link (https://falco.org/) to falcosecurity org page
Specify that to build the bpf probe one needs to compile the target using clang instead of gcc (at least for now, since most gcc installations do not support the bpf backend)
Page: content/source.md
What would you like to be added:
A write up on the work done with falcosecurity/falco#532
Why is this needed:
What happened:
RSS feed of blog is broken : https://falco.org/blog/index.xml
What you expected to happen:
Gather an XML file with full articles of the blog
How to reproduce it (as minimally and precisely as possible):
Just access https://falco.org/blog/index.xml
Anything else we need to know?:
N/A
With falcosecurity/falco#719 merged in, the default FALCO_VERSION variable value is no longer a constant value (i.e., 0.1.1dev).
Thus documentation needs to reflect those changes.
Page: source.md
What would you like to be added:
We want to have a blog for falco, to publish announcements, how-tos, share ideas, and so on.
We have a couple of ideas on the execution of this:
Why is this needed:
We already have articles for it!
I think it would be useful to create another section on the documentation (similar to what you have right now) to address the Docker image creation process using Alpine Linux as the base OS. A lot of people like this approach because the image is very lightweight (~5MB) and reduces the attack surface a lot.
The same way we did for Falco (and others) repository in this organization, this repo needs issues and pull-requests templates too.
/area blog
What would you like to be added:
A blog post about security audits once they are published.
Why is this needed:
/assign @mfdii
/area blog
What would you like to be added:
I'd like to have the blog posts about the falco/examples.
Why is this needed:
Because the blog needs some love and users need a place where to find a starting point for using and for working with Falco.
While working on falcosecurity/falco#650 - @caquino shared the Terraform they used to deploy Falco on GKE.
What we want to do is to add a documentation page, specific for GKE and specify the installation methods for it, adding this terraform config as a viable option.
```hcl
# Service account the Falco pods run as
resource "kubernetes_service_account" "falco_sa" {
  metadata {
    name = "falco-account"
    labels = {
      app  = "falco"
      role = "security"
    }
  }
  automount_service_account_token = true
}

# Read-only access to the cluster objects Falco queries for Kubernetes metadata
resource "kubernetes_cluster_role" "falco_cr" {
  metadata {
    name = "falco-cluster-role"
    labels = {
      app  = "falco"
      role = "security"
    }
  }
  rule {
    api_groups = ["extensions", ""]
    resources  = ["nodes", "namespaces", "pods", "replicationcontrollers", "replicasets", "services", "daemonsets", "deployments", "events", "configmaps"]
    verbs      = ["get", "list", "watch"]
  }
  rule {
    non_resource_urls = ["/healthz", "/healthz/*"]
    verbs             = ["get"]
  }
}

resource "kubernetes_cluster_role_binding" "falco_crb" {
  metadata {
    name = "falco-cluster-role-bind"
    labels = {
      app  = "falco"
      role = "security"
    }
  }
  subject {
    kind      = "ServiceAccount"
    name      = kubernetes_service_account.falco_sa.metadata.0.name
    namespace = "default"
  }
  role_ref {
    kind      = "ClusterRole"
    name      = kubernetes_cluster_role.falco_cr.metadata.0.name
    api_group = "rbac.authorization.k8s.io"
  }
}

# Falco configuration and rule files, mounted at /etc/falco in the container
resource "kubernetes_config_map" "falco_cfgmap" {
  metadata {
    name = "falco-cfgmap"
    labels = {
      app  = "falco"
      role = "security"
    }
  }
  data = {
    "application_rules.yaml" = file("configs/falco/application_rules.yaml")
    "falco_rules.local.yaml" = file("configs/falco/falco_rules.local.yaml")
    "falco_rules.yaml"       = file("configs/falco/falco_rules.yaml")
    "k8s_audit_rules.yaml"   = file("configs/falco/k8s_audit_rules.yaml")
    "falco.yaml"             = file("configs/falco/falco.yaml")
  }
}

# One Falco pod per node
resource "kubernetes_daemonset" "falco_ds" {
  metadata {
    name = "falco-daemonset"
    labels = {
      app  = "falco"
      role = "security"
    }
  }
  spec {
    selector {
      match_labels = {
        app  = "falco"
        role = "security"
      }
    }
    template {
      metadata {
        labels = {
          app  = "falco"
          role = "security"
        }
      }
      spec {
        host_network         = true
        service_account_name = kubernetes_service_account.falco_sa.metadata.0.name
        dns_policy           = "ClusterFirstWithHostNet"

        # Host paths exposed to the Falco container
        volume {
          name = "docker-socket"
          host_path {
            # Was "/var/run/docker.socket"; the Docker socket is docker.sock,
            # matching the /host/var/run/docker.sock mount below
            path = "/var/run/docker.sock"
          }
        }
        volume {
          name = "containerd-socket"
          host_path {
            path = "/run/containerd/containerd.sock"
          }
        }
        volume {
          name = "dev-fs"
          host_path {
            path = "/dev"
          }
        }
        volume {
          name = "proc-fs"
          host_path {
            path = "/proc"
          }
        }
        volume {
          name = "boot-fs"
          host_path {
            path = "/boot"
          }
        }
        volume {
          name = "lib-modules"
          host_path {
            path = "/lib/modules"
          }
        }
        volume {
          name = "usr-fs"
          host_path {
            path = "/usr"
          }
        }
        volume {
          name = "etc-fs"
          host_path {
            path = "/etc"
          }
        }
        volume {
          name = "dshm"
          empty_dir {
            medium = "Memory"
          }
        }
        volume {
          name = "falco-config"
          config_map {
            name = kubernetes_config_map.falco_cfgmap.metadata.0.name
          }
        }

        container {
          name  = "falco"
          image = "falcosecurity/falco:latest"
          args = [
            "/usr/bin/falco",
            "--cri", "/host/run/containerd/containerd.sock",
            "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token",
            "-k", "https://$(KUBERNETES_SERVICE_HOST)",
            "-pk",
          ]
          security_context {
            privileged = true
          }
          env {
            name  = "SYSDIG_BPF_PROBE"
            value = ""
          }
          # COS workaround from falcosecurity/falco#650
          env {
            name  = "KBUILD_EXTRA_CPPFLAGS"
            value = "-DCOS_73_WORKAROUND"
          }
          volume_mount {
            name       = "docker-socket"
            mount_path = "/host/var/run/docker.sock"
          }
          volume_mount {
            name       = "containerd-socket"
            mount_path = "/host/run/containerd/containerd.sock"
          }
          volume_mount {
            name       = "dev-fs"
            mount_path = "/host/dev"
          }
          volume_mount {
            name       = "proc-fs"
            mount_path = "/host/proc"
            read_only  = true
          }
          volume_mount {
            name       = "boot-fs"
            mount_path = "/host/boot"
            read_only  = true
          }
          volume_mount {
            name       = "lib-modules"
            mount_path = "/host/lib/modules"
            read_only  = true
          }
          volume_mount {
            name       = "usr-fs"
            mount_path = "/host/usr"
            read_only  = true
          }
          volume_mount {
            name       = "etc-fs"
            mount_path = "/host/etc"
            read_only  = true
          }
          volume_mount {
            name       = "dshm"
            mount_path = "/dev/shm"
          }
          volume_mount {
            name       = "falco-config"
            mount_path = "/etc/falco"
          }
        }
      }
    }
  }
}

# ClusterIP service in front of the Falco pods on port 8765
resource "kubernetes_service" "falco_svc" {
  metadata {
    name = kubernetes_daemonset.falco_ds.metadata.0.name
    labels = {
      app  = "falco"
      role = "security"
    }
  }
  spec {
    type = "ClusterIP"
    port {
      protocol = "TCP"
      port     = 8765
    }
    selector = {
      app  = "falco"
      role = "security"
    }
  }
}
```
/area documentation
What would you like to be added:
Recently, I and @fntlnz created a Rust client for the Falco gRPC API.
I'd like it to be documented also on Falco's website, in the same way the Go client is documented (see here).
Why is this needed:
We need to document everything in order to foster comprehension, adoption, and contribution.
What would you like to be added:
A blog that talks about the falco sidekick joining the falcosecurity org.
We also want to describe what the falco sidekick can do.
We also want to talk about how we will use the new gRPC falcosecurity/falco#789 work with the new Go SDK falcosecurity/falco#785 with the falco sidekick
Why is this needed:
To share the many use cases of Falco
We need a page on https://falco.org/security to let people disclose security issues privately.
The page is already linked in the upcoming change to issues and pr templates here: falcosecurity/falco#644
Similar page for inspiration: https://kubernetes.io/docs/reference/issues-security/security/
/area documentation
What would you like to be added:
On the Falco slack channel, @tembleking shared a very nice deck he is using to present how to send Falco events to Elasticsearch. I think we want to have that same content in the form of a documentation page that our users can follow when installing Falco.
Presentation here: https://docs.google.com/presentation/d/1vC5PIHMjh_x8BsWRou-g7pGHe6f6lOK2aeSbIAVh7B4/edit?usp=sharing
Why is this needed:
Because many users want a place to aggregate their events, and this can be a good opportunity to simplify their lives by providing a tutorial.
What happened:
As a user, while navigating the Falco Documentation on my mobile devices with less than 800px width I can't see the navigation.
This is preventing me from going through the pages and learning how to use Falco.
Vertical Example on a phone screen 320x480
This is what I see if I click the menu icon top right, always on phone screen 320x480. It only shows the top level menus.
Horizontal Example on a phone screen 320x480
Horizontal Example on an iPad 768x1024
What you expected to happen:
I expect it to show me the menu, like in this figure. However it will need to be adapted for mobile devices.
How to reproduce it (as minimally and precisely as possible):
Go to https://falco.org/docs using a mobile device and see how you can't navigate the docs.
Anything else we need to know?:
What would you like to be added:
A blog on the memory leak issues worked on in falcosecurity/falco#740
Why is this needed:
To share a high level digest with the community
What would you like to be added:
There is concern around abandoned sub-processes with running Falco as a service. Can we write up a blog on this, explaining why it's happening.
Also can we open github issues for any work generated from this.
Why is this needed:
Visiting the link https://falco.org/docs/installation/#GKE does not take the visitor to the GKE section of the same page.
Clicking on GKE section link in the test does not work.
Clicking on GKE in the lateral TOC menu works.
Thanks @markyjackson-taulia for noticing and reporting this to me.
Hi,
I noticed that the Kubernetes Audit example defines the following create macro:
```yaml
- macro: create
  condition: ka.verb=create
```
Then a bit further down, in the breakdown section, it mentions modify: Checks whether the value of verb is one of the following: create, update, patch.
Looks like the breakdown section was updated in #140 10-days ago so perhaps the macro definition was forgotten?
What happened:
When in the docs section, the menu on the left shows duplicated entries for folders.
For example, "Rules", See this image:
What you expected to happen:
Entries are reported only once
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
/area documentation
What would you like to be added:
Add Korean as a supported language for falco documentations.
Why is this needed:
To help Korean users understand falco better.
Right now, when a new falco version is released we don't automatically upgrade the version in the docs.
That is handled manually and everyone forgets about doing it on releases.
As an option, we can have prow opening a PR here when a new release is done, then just approve it.
Example, now we are on 0.17.0, website says 0.16.0
https://github.com/falcosecurity/falco-website/blob/master/content/en/docs/event-sources/dropped-events.md has a broken link at the end of the page.
https://github.com/falcosecurity/falco-website/blob/master/docs/configuration/#syscall_event_drops does not exist.
After the @Kaizhe's talk about Falco at KubeCon China we started to think there is a need to have Falco documentation translated to Simplified Chinese.
/kind translation
/area blog
What would you like to be added:
Document how the eBPF probe does NOT use the ring buffer
Why is this needed:
Because myself, and others, are confused about how the eBPF probe works.
/area documentation
What would you like to be added:
gRPC version service documentation.
The feature was added here falcosecurity/falco#872
Why is this needed:
Once 0.20.0 is released users might want to use this feature but they have no way to know how besides reading the code.
We need something like this for the outputs: https://falco.org/docs/grpc/
/area documentation
What would you like to be added:
Documentation explaining why Falco does DNS lookups for crypto mining servers.
Why is this needed:
This gets asked about once a week in the #falco Slack.
Document (into the installation docs) how to build falco probe loader with a docker container on linuxkit.
As it stands there is some misleading documentation on falco.org
Particularly where we mention language such as:
Powered by Sysdig’s system call capture infrastructure
Can we please update the website to follow the official website guidelines that the CNCF suggests.
/area documentation
What would you like to be added:
We need to let the user navigate documentation for old versions.
Why is this needed:
Because not everyone runs on the latest version of Falco.
What would you like to be added:
A blog on fillers and rules in Falco, with examples of how to do basic tasks:
Why is this needed:
To help advertise how Falco rules are implemented
What happened:
Clicking on the "Get started" link on the front page doesn't do anything.
What you expected to happen:
It should take me to #resources anchor on the same page. It points to non-existent #download anchor now.
How to reproduce it (as minimally and precisely as possible):
See above.
Anything else we need to know?:
You rock 😉
/area documentation
What would you like to be added:
We are implementing a gRPC server as a Falco API, see the proposal here.
We want to document that feature in the website.
Why is this needed:
Because we want people to know how the gRPC API works!
Because of issue falcosecurity/falco#650 Falco (v0.15.3) introduced a fix for COS via the KBUILD_EXTRA_CPPFLAGS env variable and -DCOS_73_WORKAROUND option.
Hi all,
This should be added to the website footer:
2020 © Falco Project Authors. All rights reserved. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page: https://www.linuxfoundation.org/trademark-usage
Happy to submit a PR to correct, just direct me to the right place!
As of draios/sysdig#1443 - falco can be built with custom kernel headers location by specifying the path where they reside.
Page: content/source.md
While working on the build documentation, we noticed that the right menu doesn't respect indentation for sub-sections, this creates confusion on the user while trying to figure out what's the hierarchy of the sections.
Here's how the menu looks like now, highlighted in yellow:
/area documentation
What would you like to be added:
falcosecurity/falco#1093 is proposing to change the Python version to run our regression tests from 2.7 to 3
Why is this needed:
We need to reflect those changes here to the documentation.