falcosecurity / falco-website Goto Github PK

What to document

Falco is touching critical parts of the operating system.
It would be extremely useful to have a list of system dependencies like:

• mandatory host mounts
• required Linux capabilities
• seccomp filter
• SELinux/Apparmor profiles

for:

• stand alone Falco deployment without probes
• Falco using eBPF probe
• Falco using kernel module
• probe-loader for kernel module
• probe-loader for eBPF

So we could create least privileged Falco deployments.

/area documentation

What would you like to be added:

The Falco go client https://github.com/falcosecurity/client-go
now has a documentation page at https://godoc.org/github.com/falcosecurity/client-go/pkg/client

I think that we want to link that in the main website when we document the gRPC feature.

We can wait
Why is this needed:

Because we want the world to use the go client!

Blocked by #77

/area documentation

What would you like to be added:

Recently, Mattia created a Python client for the Falco gRPC API.

I'd like it to be documented also on Falco's website, in the same way the Go client is documented (see here).

Why is this needed:

We need to document everything in order to foster comprension, adoption, and contribution.

/area documentation

What would you like to be added:
We need to document:

• Falco gRPC server configuration and usage
• Falco gRPC outputs configuration and usage
• gRPC API documentation
• How to generate the certificates for mutual TLS
• How to use the SDK with examples

Why is this needed:

Because it's a new feature and people will want to use it!

/area documentation

What would you like to be added:

Document workaround for civetweb + openssl.

Comment: falcosecurity/falco#860 (comment)

Why is this needed:

/area blog

What would you like to be added:

I've written a step-by-step blog post on how to integrate Falco with YugabyteDB running on GKE. See attached PDF. Happy to share out the source file with the appropriate folks.

Why is this needed:

YugabyteDB is a 100% open source, cloud-native database and we are looking to provide our users with as much information as possible on how to integrate YugabyteDB with CNCF projects...Falco being one of them.

Getting Started with Falco and Cloud-Native Distributed SQL on Google Kubernetes Engine (1).pdf

This issue intends to propose the creation of a cheatsheet-style doc for Falco, following from this tweet by @lucperkins.

I think that the target of the cheatsheet have to be the Falco rules (conditions, rules macros, common rules that the community most asks).

The existing form on falco.org for subscribing to Falco project updates pushes to a deprecated Pardot instance hosted by Sysdig.

This issue is logged to update the form such that it instead points to a Marketo instance hosted by Sysdig. Subscribers will be ringfenced from other promotions unless they explicitly opt in.

<form id="mktoForm_1186"></form>
<script>MktoForms2.loadForm("//app-ab34.marketo.com", "067-QZT-881", 1186);</script>```

Add falco website link (https://falco.org/) to falcosecurity org page

Specify that to build the bpf probe one need to compile the target using clang instead of gcc (at least for now that most gcc installation do not support the bpf backend)

Page: content/source.md

What would you like to be added:

A write up on the work done with falcosecurity/falco#532

Why is this needed:

What happened:

RSS feed of blog is broken : https://falco.org/blog/index.xml

What you expected to happen:

Gather a XMLfile with full articles of blog

How to reproduce it (as minimally and precisely as possible):

Just access to https://falco.org/blog/index.xml

Anything else we need to know?:

N/A

With falcosecurity/falco#719 merged in the default FALCO_VERSION variable value is no more a constant (ie., 0.1.1dev) value.

Thus documentation needs to reflect those changes.

Page: source.md

What would you like to be added:

We want to have a blog for falco, to publish announcments, how-tos share ideas, and so on.

We have a couple of ideas on the execution of this:

1. A static blog with hugo
2. A medium publication

Why is this needed:

We already have articles for it!

• https://docs.google.com/document/d/1hSpSNnlrkW5Z_hEondp5dz8apA_Zd1EKmtV1Lq4J1Rk/edit?usp=sharing
• falcosecurity/falco#792

I think it would be useful to create another section on the documentation (similar to what you have right now) to address the Docker image creation process using Alpine Linux as the base OS. A lot of people like this approach because the image is very lightweight (~5MB) and reduces the attack surface a lot.

The same way we did for Falco (and others) repository in this organization, this repo needs issues and pull-requests templates too.

/area blog

What would you like to be added:

A blog post about security audits once they are published.

Why is this needed:

falcosecurity/falco#886

/assign @mfdii

/area blog

What would you like to be added:

I'd like to have the blog posts about the falco/examples.

Why is this needed:

Because the blog needs some love and users needs a place where to find a starting point for using and for working with Falco.

While working on falcosecurity/falco#650 - @caquino shared the Terraform they used to deploy Falco on GKE.

What we want to do is to add a documentation page, specific for GKE and specify the installation methods for it, adding this terraform config as a viable option.

resource "kubernetes_service_account" "falco_sa" {
  metadata {
    name = "falco-account"
    labels = {
      app  = "falco"
      role = "security"
    }
  }
  automount_service_account_token = true
}

resource "kubernetes_cluster_role" "falco_cr" {
  metadata {
    name = "falco-cluster-role"
    labels = {
      app  = "falco"
      role = "security"
    }
  }
  rule {
    api_groups = ["extensions", ""]
    resources  = ["nodes", "namespaces", "pods", "replicationcontrollers", "replicasets", "services", "daemonsets", "deployments", "events", "configmaps"]
    verbs      = ["get", "list", "watch"]
  }
  rule {
    non_resource_urls = ["/healthz", "/healthz/*"]
    verbs             = ["get"]
  }
}

resource "kubernetes_cluster_role_binding" "falco_crb" {
  metadata {
    name = "falco-cluster-role-bind"
    labels = {
      app  = "falco"
      role = "security"
    }
  }

  subject {
    kind      = "ServiceAccount"
    name      = kubernetes_service_account.falco_sa.metadata.0.name
    namespace = "default"
  }

  role_ref {
    kind      = "ClusterRole"
    name      = kubernetes_cluster_role.falco_cr.metadata.0.name
    api_group = "rbac.authorization.k8s.io"
  }
}

resource "kubernetes_config_map" "falco_cfgmap" {
  metadata {
    name = "falco-cfgmap"
    labels = {
      app  = "falco"
      role = "security"
    }
  }

  data = {
    "application_rules.yaml" = file("configs/falco/application_rules.yaml")
    "falco_rules.local.yaml" = file("configs/falco/falco_rules.local.yaml")
    "falco_rules.yaml"       = file("configs/falco/falco_rules.yaml")
    "k8s_audit_rules.yaml"   = file("configs/falco/k8s_audit_rules.yaml")
    "falco.yaml"             = file("configs/falco/falco.yaml")
  }
}

resource "kubernetes_daemonset" "falco_ds" {
  metadata {
    name = "falco-daemonset"
    labels = {
      app  = "falco"
      role = "security"
    }
  }

  spec {

    selector {
      match_labels = {
        app  = "falco"
        role = "security"
      }
    }

    template {
      metadata {
        labels = {
          app  = "falco"
          role = "security"
        }
      }

      spec {
        host_network         = true
        service_account_name = kubernetes_service_account.falco_sa.metadata.0.name
        dns_policy           = "ClusterFirstWithHostNet"

        volume {
          name = "docker-socket"
          host_path {
            path = "/var/run/docker.socket"
          }
        }
        volume {
          name = "containerd-socket"
          host_path {
            path = "/run/containerd/containerd.sock"
          }
        }
        volume {
          name = "dev-fs"
          host_path {
            path = "/dev"
          }
        }
        volume {
          name = "proc-fs"
          host_path {
            path = "/proc"
          }
        }
        volume {
          name = "boot-fs"
          host_path {
            path = "/boot"
          }
        }
        volume {
          name = "lib-modules"
          host_path {
            path = "/lib/modules"
          }
        }
        volume {
          name = "usr-fs"
          host_path {
            path = "/usr"
          }
        }
        volume {
          name = "etc-fs"
          host_path {
            path = "/etc"
          }
        }
        volume {
          name = "dshm"
          empty_dir {
            medium = "Memory"
          }
        }
        volume {
          name = "falco-config"
          config_map {
            name = kubernetes_config_map.falco_cfgmap.metadata.0.name
          }
        }

        container {
          name  = "falco"
          image = "falcosecurity/falco:latest"
          args = [
            "/usr/bin/falco",
            "--cri", "/host/run/containerd/containerd.sock",
            "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token",
            "-k", "https://$(KUBERNETES_SERVICE_HOST)",
            "-pk",
          ]
          security_context {
            privileged = true
          }
          env {
            name  = "SYSDIG_BPF_PROBE"
            value = ""
          }
          env {
            name  = "KBUILD_EXTRA_CPPFLAGS"
            value = "-DCOS_73_WORKAROUND"
          }
          volume_mount {
            name       = "docker-socket"
            mount_path = "/host/var/run/docker.sock"
          }
          volume_mount {
            name       = "containerd-socket"
            mount_path = "/host/run/containerd/containerd.sock"
          }
          volume_mount {
            name       = "dev-fs"
            mount_path = "/host/dev"
          }
          volume_mount {
            name       = "proc-fs"
            mount_path = "/host/proc"
            read_only  = true
          }
          volume_mount {
            name       = "boot-fs"
            mount_path = "/host/boot"
            read_only  = true
          }
          volume_mount {
            name       = "lib-modules"
            mount_path = "/host/lib/modules"
            read_only  = true
          }
          volume_mount {
            name       = "usr-fs"
            mount_path = "/host/usr"
            read_only  = true
          }
          volume_mount {
            name       = "etc-fs"
            mount_path = "/host/etc"
            read_only  = true
          }
          volume_mount {
            name       = "dshm"
            mount_path = "/dev/shm"
          }
          volume_mount {
            name       = "falco-config"
            mount_path = "/etc/falco"
          }
        }
      }
    }
  }
}

resource "kubernetes_service" "falco_svc" {
  metadata {
    name = kubernetes_daemonset.falco_ds.metadata.0.name
    labels = {
      app  = "falco"
      role = "security"
    }
  }
  spec {
    type = "ClusterIP"

    port {
      protocol = "TCP"
      port     = 8765
    }

    selector = {
      app  = "falco"
      role = "security"
    }
  }
}

/area documentation

What would you like to be added:

Recently, I and @fntlnz created a Rust client for the Falco gRPC API.

I'd like it to be documented also on Falco's website, in the same way the Go client is documented (see here).

Why is this needed:

We need to document everything in order to foster comprension, adoption, and contribution.

What would you like to be added:

A blog that talks about the falco sidekick joining the falcosecurity org.
We also want to describe what the falco sidekick can do.
We also want to talk about how we will use the new gRPC falcosecurity/falco#789 work with the new Go SDK falcosecurity/falco#785 with the falco sidekick

Why is this needed:

To share the many use cases of Falco

We need a page on https://falco.org/security to let people disclose security issues privately.

The page is already linked in the upcoming change to issues and pr templates here: falcosecurity/falco#644

Similar page for inspiration: https://kubernetes.io/docs/reference/issues-security/security/

/area documentation

What would you like to be added:
On the Falco slack channel, @tembleking shared a very nice deck he is using to present how to send Falco events to Elasticsearch. I think we want to have that same content in the form of a documentation page that our users can follow when installing Falco.

Presentation here: https://docs.google.com/presentation/d/1vC5PIHMjh_x8BsWRou-g7pGHe6f6lOK2aeSbIAVh7B4/edit?usp=sharing
Why is this needed:

Because many users want a place to aggregate their events, and this can be a good opportunity to simplify their lives by providing a tutorial.

What happened:

As a user, while navigating the Falco Documentation on my mobile devices with less than 800px width I can't see the navigation.

This is preventing me to go through the pages and learn how to use Falco.

Vertical Example on a phone screen 320x480

This is what I see if I click the menu icon top right, always on phone screen 320x480. It only shows the top level menus.

Horizontal Example on a phone screen 320x480

Horizontal Example on an iPad 768x1024

What you expected to happen:

I expect it to show me the menu, like in this figure. However it will need to be adapted for mobile devices.

How to reproduce it (as minimally and precisely as possible):

Go to https://falco.org/docs using a mobile device and see how you can't navigate the docs.

Anything else we need to know?:

What would you like to be added:

A blog on the memory leak issues worked on in falcosecurity/falco#740

Why is this needed:

To share a high level digest with the community

What would you like to be added:

There is concern around abandoned sub-processes with running Falco as a service. Can we write up a blog on this, explaining why it's happening.

Also can we open github issues for any work generated from this.

Why is this needed:

Visiting the link https://falco.org/docs/installation/#GKE does not take the visitor to the GKE section of the same page.

Clicking on GKE section link in the test does not work.

Clicking on GKE in the lateral TOC menu works.

Thanks @markyjackson-taulia for noticing and reporting this to me.

Hi,

I noticed that the Kubernetes Audit example defines the following create macro

- macro: create
  condition: ka.verb=create

Then a bit further down, in the breakdown section, it mentions

3. modify: Checks whether the value of verb is one of the following: create, update, patch.

Looks like the breakdown section was updated in #140 10-days ago so perhaps the macro definition was forgotten?

What happened:

When in the docs section, the menu on the left shows duplicated entries for folders.

For example, "Rules", See this image:

What you expected to happen:

Entries are reported only once

How to reproduce it (as minimally and precisely as possible):

• Go to https://falco.org/docs/
• Look at the menu on the left
• Observe the duplicated entries

Anything else we need to know?:

/area documentation

What would you like to be added:
Add Korean as a supported language for falco documentations.

Why is this needed:
To help Korean users understand falco better.

Right now, when a new falco version is released we don't automatically upgrade the version in the docs.

That is handled manually and everyone forgets about doing it on releases.

As an option, we can have prow opening a PR here when a new release is done, then just approve it.

Example, now we are on 0.17.0, website says 0.16.0

https://github.com/falcosecurity/falco-website/blob/master/content/en/docs/event-sources/dropped-events.md has a broken link at the end of the page.
https://github.com/falcosecurity/falco-website/blob/master/docs/configuration/#syscall_event_drops does not exist.

What happened:

The footer is not sticky.

The main part of the page should fill the space pushing it to the bottom.

What you expected to happen:

This to work.

How to reproduce it (as minimally and precisely as possible):

Create an empty page.

Anything else we need to know?:

/kind user-interface

After the @Kaizhe's talk about Falco at KubeCon China we started to think there is a need to have Falco documentation translated to Simplified Chinese.

/kind translation

/area blog

What would you like to be added:

Document how the eBPF probe does NOT use the ring buffer

Why is this needed:

Because myself, and others, are confused about how the eBPF probe works.

/area documentation

What would you like to be added:

gRPC version service documentation.

The feature was added here falcosecurity/falco#872

Why is this needed:
Once 0.20.0 is released users might want to use this feature but they have no way to know how besides reading the code.

We need something like this for the outputs: https://falco.org/docs/grpc/

/area documentation

What would you like to be added:

Documentation explaining why Falco does DNS lookups for crypto mining servers.

Why is this needed:

This gets asked about once a week in the #falco Slack.

Document (into the installation docs) how to build falco probe loader with a docker container on linuxkit.

Ref falcosecurity/falco#657 (comment)

As it stands there is some misleading documentation on falco.org

Particularly where we mention language such as:

Powered by Sysdig’s system call capture infrastructure

Can we please update the website to follow the official website guidelines that the CNCF suggests.

CC @caniszczyk @dankohn

/area documentation

What would you like to be added:

We need to let the user navigate documentation for old versions.

Why is this needed:

Because not everyone runs on the latest version of Falco.

What would you like to be added:

A blog on fillers and rules in Falco, with examples of how to do basic tasks:

• Check if a file exists
• Check if a new socket connection is opened
• Check if a file is opened
• Other commonly used features

Why is this needed:

To help advertise how Falco rules are implemented

What happened:

Clicking on the "Get started" link on the front page doesn't do anything.

What you expected to happen:

It should take me to #resources anchor on the same page. It points to non-existent #download anchor now.

How to reproduce it (as minimally and precisely as possible):

See above.

Anything else we need to know?:

You rock 😉

/area documentation

What would you like to be added:

We are implementing a gRPC server as a Falco API, see the proposal here.

We want to document that feature in the website.

Why is this needed:

Because we want to people to know how the gRPC API works!

Because of issue falcosecurity/falco#650 Falco (v0.15.3) introduced a fix for COS via the KBUILD_EXTRA_CPPFLAGS env variable and -DCOS_73_WORKAROUND option.

Centered text in long-form paragraphs is a big no-no from a readability standpoint. See here, here, and here.

Hi all,
This should be added to the website footer:
2020 © Falco Project Authors. All rights reserved. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page: https://www.linuxfoundation.org/trademark-usage

Happy to submit a PR to correct, just direct me to the right place!

As of draios/sysdig#1443 - falco can be built with custom kernel headers location by specifying the path where they resides.

Page: content/source.md

While working on the build documentation, we noticed that the right menu doesn't respect indentation for sub-sections, this creates confusion on the user while trying to figure out what's the hierarchy of the sections.

Here's how the menu looks like now, highlighted in yellow:

Here's how it should be, respecting the sub-sections:

/area documentation

What would you like to be added:

falcosecurity/falco#1093 is proposing to change the Python version to run our regression tests from 2.7 to 3

Why is this needed:
We need to reflect those changes here to the documentation.