docker 上的 Falco 安全性和 falcosidekick 撰写
Falco security and falcosidekick on docker compose
我正在尝试 运行 falco 和 falcosikick 容器 docker 撰写.
version: "3.9"
services:
falco:
image: falcosecurity/falco:latest
privileged: true
volumes:
- /var/run/docker.sock:/host/var/run/docker.sock
- /dev:/host/dev
- /proc:/host/proc:ro
- /boot:/host/boot:ro
- /lib/modules:/host/lib/modules:ro
- /usr:/host/usr:ro
- /etc:/host/etc:ro
- /var/log/falco_events.log:/var/log/falco_events.log
- /home/ubuntu/falco.yaml:/etc/falco/falco.yaml
- /home/ubuntu/falco_rules.yaml:/etc/falco/falco_rules.yaml
- /home/ubuntu/falco_rules.local.yaml:/etc/falco/rules.d/custom-rules.yaml
falcosidekick:
image: falcosecurity/falcosidekick
ports:
- 2801:2801
我配置 falco.yaml 发送 http_output 到 falcosidekick 容器:
http_output:
enabled: true
url: "http://falcosidekick:2801"
然后我在 falco.yaml
中添加了 slack 配置
debug: false
customfields: # custom fields are added to falco events
Akey: "AValue"
Bkey: "BValue"
Ckey: "CValue"
mutualtlsfilespath: "/etc/certs" # folder which will used to store client.crt, client.key and ca.crt files for mutual tls (default: "/etc/certs")
slack:
webhookurl: "https://hooks.slack.com/services/XXX/XXXX/XXXXX"
#footer: "" # Slack footer
#icon: "" # Slack icon (avatar)
#username: "" # Slack username (default: Falcosidekick)
outputformat: "all" # all (default), text, fields
minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
messageformat: 'Alert : rule *{{ .Rule }}* triggered by user *{{ index .OutputFields "user.name" }}*' # a Go template to format Slack Text above Attachment, displayed in addition to the output from `SLACK_OUTPUTFORMAT`, see [Slack Message Formatting](#slack-message-formatting) in the README for details. If empty, no Text is displayed before Attachment.
使用此配置,我的 Slack 频道上从未收到过警报。
怎么了?
谢谢
falco 和 falcosidekick 的配置必须在 2 个不同的文件中,这意味着您还需要在 falcosidekick 容器中安装一个卷。如果愿意,您也可以使用环境变量(但这意味着您的 slack webhook url 将以明文形式出现在您的 docker-compose 文件中)。
version: "3.9"
services:
falco:
image: falcosecurity/falco:latest
privileged: true
volumes:
- /var/run/docker.sock:/host/var/run/docker.sock
- /dev:/host/dev
- /proc:/host/proc:ro
- /boot:/host/boot:ro
- /lib/modules:/host/lib/modules:ro
- /usr:/host/usr:ro
- /etc:/host/etc:ro
- /var/log/falco_events.log:/var/log/falco_events.log
- /home/ubuntu/falco.yaml:/etc/falco/falco.yaml
- /home/ubuntu/falco_rules.yaml:/etc/falco/falco_rules.yaml
- /home/ubuntu/falco_rules.local.yaml:/etc/falco/rules.d/custom-rules.yaml
falcosidekick:
image: falcosecurity/falcosidekick
ports:
- 2801:2801
volumes:
- /home/ubuntu/falcosidekick.yaml:/etc/falco/falcosidekick.yaml
command: "-c /etc/falco/falcosidekick.yaml"
我正在尝试 运行 falco 和 falcosikick 容器 docker 撰写.
version: "3.9"
services:
falco:
image: falcosecurity/falco:latest
privileged: true
volumes:
- /var/run/docker.sock:/host/var/run/docker.sock
- /dev:/host/dev
- /proc:/host/proc:ro
- /boot:/host/boot:ro
- /lib/modules:/host/lib/modules:ro
- /usr:/host/usr:ro
- /etc:/host/etc:ro
- /var/log/falco_events.log:/var/log/falco_events.log
- /home/ubuntu/falco.yaml:/etc/falco/falco.yaml
- /home/ubuntu/falco_rules.yaml:/etc/falco/falco_rules.yaml
- /home/ubuntu/falco_rules.local.yaml:/etc/falco/rules.d/custom-rules.yaml
falcosidekick:
image: falcosecurity/falcosidekick
ports:
- 2801:2801
我配置 falco.yaml 发送 http_output 到 falcosidekick 容器:
http_output:
enabled: true
url: "http://falcosidekick:2801"
然后我在 falco.yaml
中添加了 slack 配置
debug: false
customfields: # custom fields are added to falco events
Akey: "AValue"
Bkey: "BValue"
Ckey: "CValue"
mutualtlsfilespath: "/etc/certs" # folder which will used to store client.crt, client.key and ca.crt files for mutual tls (default: "/etc/certs")
slack:
webhookurl: "https://hooks.slack.com/services/XXX/XXXX/XXXXX"
#footer: "" # Slack footer
#icon: "" # Slack icon (avatar)
#username: "" # Slack username (default: Falcosidekick)
outputformat: "all" # all (default), text, fields
minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
messageformat: 'Alert : rule *{{ .Rule }}* triggered by user *{{ index .OutputFields "user.name" }}*' # a Go template to format Slack Text above Attachment, displayed in addition to the output from `SLACK_OUTPUTFORMAT`, see [Slack Message Formatting](#slack-message-formatting) in the README for details. If empty, no Text is displayed before Attachment.
使用此配置,我的 Slack 频道上从未收到过警报。 怎么了?
谢谢
falco 和 falcosidekick 的配置必须在 2 个不同的文件中,这意味着您还需要在 falcosidekick 容器中安装一个卷。如果愿意,您也可以使用环境变量(但这意味着您的 slack webhook url 将以明文形式出现在您的 docker-compose 文件中)。
version: "3.9"
services:
falco:
image: falcosecurity/falco:latest
privileged: true
volumes:
- /var/run/docker.sock:/host/var/run/docker.sock
- /dev:/host/dev
- /proc:/host/proc:ro
- /boot:/host/boot:ro
- /lib/modules:/host/lib/modules:ro
- /usr:/host/usr:ro
- /etc:/host/etc:ro
- /var/log/falco_events.log:/var/log/falco_events.log
- /home/ubuntu/falco.yaml:/etc/falco/falco.yaml
- /home/ubuntu/falco_rules.yaml:/etc/falco/falco_rules.yaml
- /home/ubuntu/falco_rules.local.yaml:/etc/falco/rules.d/custom-rules.yaml
falcosidekick:
image: falcosecurity/falcosidekick
ports:
- 2801:2801
volumes:
- /home/ubuntu/falcosidekick.yaml:/etc/falco/falcosidekick.yaml
command: "-c /etc/falco/falcosidekick.yaml"