Just spent a couple hours getting Falco + Sidekick + UI + Redis figured out. Following works. Next up: getting it to work in K8s.
#!/bin/bash
docker run -d -p 6379:6379 redislabs/redisearch:2.2.4
docker run -itd --name falco \
--privileged \
-v /var/run/docker.sock:/host/var/run/docker.sock \
-v /proc:/host/proc:ro \
-e HTTP_OUTPUT_URL=http://192.168.2.22:2801 \
falcosecurity/falco-no-driver:latest falco --modern-bpf
docker run -itd --name falcosidekick -p 2801:2801 \
-e WEBUI_URL=http://192.168.2.22:2802 \
falcosecurity/falcosidekick
docker run -itd --name fs-ui -p 2802:2802 \
-e FALCOSIDEKICK_UI_REDIS_URL=192.168.2.22:6379 \
falcosecurity/falcosidekick-ui falcosidekick-ui
I also need to step back from using that "--privileged" switch. I'd be sad if someone escaped/escalated privilege through the very tool that's supposed to watch for such stuff.
ReplyDeleteHmm... Falco is pointing out a bad choice (made by me years ago), involving a setuid bit set on an ancient binary (which now resides inside of a Docker container). One more thing for the "to do/to fix" list, I guess.
ReplyDeletealso had to modify Falco's config file (falco.yaml) as per https://hub.docker.com/r/falcosecurity/falcosidekick
ReplyDelete