# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 apiVersion: v1 kind: ConfigMap metadata: name: falco-config data: falco.yaml: | # File(s) or Directories containing Falco rules, loaded at startup. # The name "rules_file" is only for backwards compatibility. # If the entry is a file, it will be read directly. If the entry is a directory, # every file in that directory will be read, in alphabetical order. # # falco_rules.yaml ships with the falco package and is overridden with # every new software version. falco_rules.local.yaml is only created # if it doesn't exist. If you want to customize the set of rules, add # your customizations to falco_rules.local.yaml. # # The files will be read in the order presented here, so make sure if # you have overrides they appear in later files. rules_file: - /vendor/falco/etc/falco/falco_rules.yaml - /vendor/falco/etc/falco/rules.d - /data/falco_rules.local.yaml # # Plugins that are available for use. These plugins are not loaded by # default, as they require explicit configuration to point to # cloudtrail log files. # # To learn more about the supported formats for # init_config/open_params for the cloudtrail plugin, see the README at # https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md. plugins: - name: k8saudit library_path: libk8saudit.so init_config: # maxEventSize: 262144 # webhookMaxBatchSize: 12582912 # sslCertificate: /etc/falco/falco.pem open_params: "http://:9765/k8s-audit" - name: cloudtrail library_path: libcloudtrail.so # see docs for init_config and open_params: # https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md - name: json library_path: libjson.so # Setting this list to empty ensures that the above plugins are *not* # loaded and enabled by default. If you want to use the above plugins, # set a meaningful init_config/open_params for the cloudtrail plugin # and then change this to: # load_plugins: [cloudtrail, json] load_plugins: [] # Watch config file and rules files for modification. # When a file is modified, Falco will propagate new config, # by reloading itself. watch_config_files: true # If true, the times displayed in log messages and output messages # will be in ISO 8601. By default, times are displayed in the local # time zone, as governed by /etc/localtime. time_format_iso_8601: true # Whether to output events in json or text json_output: true # When using json output, whether or not to include the "output" property # itself (e.g. "File below a known binary directory opened for writing # (user=root ....") in the json output. json_include_output_property: true # When using json output, whether or not to include the "tags" property # itself in the json output. If set to true, outputs caused by rules # with no tags will have a "tags" field set to an empty array. If set to # false, the "tags" field will not be included in the json output at all. json_include_tags_property: true # Send information logs to stderr and/or syslog Note these are *not* security # notification logs! These are just Falco lifecycle (and possibly error) logs. log_stderr: true log_syslog: true # Minimum log level to include in logs. Note: these levels are # separate from the priority field of rules. This refers only to the # log level of falco's internal logging. Can be one of "emergency", # "alert", "critical", "error", "warning", "notice", "info", "debug". log_level: info # Falco is capable of managing the logs coming from libs. If enabled, # the libs logger send its log records the same outputs supported by # Falco (stderr and syslog). Disabled by default. libs_logger: enabled: false # Minimum log severity to include in the libs logs. Note: this value is # separate from the log level of the Falco logger and does not affect it. # Can be one of "fatal", "critical", "error", "warning", "notice", # "info", "debug", "trace". severity: debug # Minimum rule priority level to load and run. All rules having a # priority more severe than this level will be loaded/run. Can be one # of "emergency", "alert", "critical", "error", "warning", "notice", # "informational", "debug". priority: debug # Whether or not output to any of the output channels below is # buffered. Defaults to false buffered_outputs: false # Falco uses a shared buffer between the kernel and userspace to pass # system call information. When Falco detects that this buffer is # full and system calls have been dropped, it can take one or more of # the following actions: # - ignore: do nothing (default when list of actions is empty) # - log: log a DEBUG message noting that the buffer was full # - alert: emit a Falco alert noting that the buffer was full # - exit: exit Falco with a non-zero rc # # Notice it is not possible to ignore and log/alert messages at the same time. # # The rate at which log/alert messages are emitted is governed by a # token bucket. The rate corresponds to one message every 30 seconds # with a burst of one message (by default). # # The messages are emitted when the percentage of dropped system calls # with respect the number of events in the last second # is greater than the given threshold (a double in the range [0, 1]). # # For debugging/testing it is possible to simulate the drops using # the `simulate_drops: true`. In this case the threshold does not apply. syscall_event_drops: threshold: .1 actions: - log - alert rate: .03333 max_burst: 1 # Falco uses a shared buffer between the kernel and userspace to receive # the events (eg., system call information) in userspace. # # Anyways, the underlying libraries can also timeout for various reasons. # For example, there could have been issues while reading an event. # Or the particular event needs to be skipped. # Normally, it's very unlikely that Falco does not receive events consecutively. # # Falco is able to detect such uncommon situation. # # Here you can configure the maximum number of consecutive timeouts without an event # after which you want Falco to alert. # By default this value is set to 1000 consecutive timeouts without an event at all. # How this value maps to a time interval depends on the CPU frequency. syscall_event_timeouts: max_consecutives: 1000 # Falco continuously monitors outputs performance. When an output channel does not allow # to deliver an alert within a given deadline, an error is reported indicating # which output is blocking notifications. # The timeout error will be reported to the log according to the above log_* settings. # Note that the notification will not be discarded from the output queue; thus, # output channels may indefinitely remain blocked. # An output timeout error indeed indicate a misconfiguration issue or I/O problems # that cannot be recovered by Falco and should be fixed by the user. # # The "output_timeout" value specifies the duration in milliseconds to wait before # considering the deadline exceed. # # With a 2000ms default, the notification consumer can block the Falco output # for up to 2 seconds without reaching the timeout. output_timeout: 2000 # A throttling mechanism implemented as a token bucket limits the # rate of falco notifications. This throttling is controlled by the following configuration # options: # - rate: the number of tokens (i.e. right to send a notification) # gained per second. Defaults to 1. # - max_burst: the maximum number of tokens outstanding. Defaults to 1000. # # With these defaults, falco could send up to 1000 notifications after # an initial quiet period, and then up to 1 notification per second # afterward. It would gain the full burst back after 1000 seconds of # no activity. outputs: rate: 1 max_burst: 1000 # Where security notifications should go. # Multiple outputs can be enabled. syslog_output: enabled: true # If keep_alive is set to true, the file will be opened once and # continuously written to, with each output message on its own # line. If keep_alive is set to false, the file will be re-opened # for each output message. # # Also, the file will be closed and reopened if falco is signaled with # SIGUSR1. file_output: enabled: false keep_alive: false filename: /var/log/falco.log stdout_output: enabled: true # Falco contains an embedded webserver that can be used to accept K8s # Audit Events. These config options control the behavior of that # webserver. (By default, the webserver is enabled). # # The ssl_certificate is a combination SSL Certificate and corresponding # key contained in a single file. You can generate a key/cert as follows: # # $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem # $ cat certificate.pem key.pem > falco.pem # $ sudo cp falco.pem /etc/falco/falco.pem # # It also exposes a healthy endpoint that can be used to check if Falco is up and running # By default the endpoint is /healthz webserver: enabled: false listen_port: 8765 k8s_healthz_endpoint: /healthz ssl_enabled: false ssl_certificate: /etc/falco/falco.pem # Possible additional things you might want to do with program output: # - send to a slack webhook: # program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX" # - logging (alternate method than syslog): # program: logger -t falco-test # - send over a network connection: # program: nc host.example.com 80 # If keep_alive is set to true, the program will be started once and # continuously written to, with each output message on its own # line. If keep_alive is set to false, the program will be re-spawned # for each output message. # # Also, the program will be closed and reopened if falco is signaled with # SIGUSR1. program_output: enabled: false keep_alive: true program: "/vendor/falco/bin/logshipper" http_output: enabled: false url: "http://sk.falco-demos.local:2801/" user_agent: "falcosecurity/falco" # Falco supports running a gRPC server with two main binding types # 1. Over the network with mandatory mutual TLS authentication (mTLS) # 2. Over a local unix socket with no authentication # By default, the gRPC server is disabled, with no enabled services (see grpc_output) # please comment/uncomment and change accordingly the options below to configure it. # Important note: if Falco has any troubles creating the gRPC server # this information will be logged, however the main Falco daemon will not be stopped. # gRPC server over network with (mandatory) mutual TLS configuration. # This gRPC server is secure by default so you need to generate certificates and update their paths here. # By default the gRPC server is off. # You can configure the address to bind and expose it. # By modifying the threadiness configuration you can fine-tune the number of threads (and context) it will use. # grpc: # enabled: true # bind_address: "0.0.0.0:5060" # # when threadiness is 0, Falco sets it by automatically figuring out the number of online cores # threadiness: 0 # private_key: "/etc/falco/certs/server.key" # cert_chain: "/etc/falco/certs/server.crt" # root_certs: "/etc/falco/certs/ca.crt" # gRPC server using an unix socket grpc: enabled: false bind_address: "unix:///var/run/falco.sock" # when threadiness is 0, Falco automatically guesses it depending on the number of online cores threadiness: 0 # gRPC output service. # By default it is off. # By enabling this all the output events will be kept in memory until you read them with a gRPC client. # Make sure to have a consumer for them or leave this disabled. grpc_output: enabled: false # Container orchestrator metadata fetching params metadata_download: max_mb: 100 chunk_wait_us: 1000 watch_freq_sec: 1