Sunday, August 13, 2023

Prototyping my Falco install

Just spent a couple of hours getting Falco + Sidekick + UI + Redis figured out. The following works. Next up: getting it to work in K8s.

#!/bin/bash
# All four containers on one host; 192.168.2.22 is that host's LAN address.
set -euo pipefail

# Falcosidekick UI keeps events in Redis and needs the RediSearch module.
# This publishes an unauthenticated Redis on every interface; firewall it.
docker run -d --name redis -p 6379:6379 redislabs/redisearch:2.2.4

# Consumers first, so Falco has somewhere to post from its first event on.
# The UI's default login is admin:admin (FALCOSIDEKICK_UI_USER); change it before exposing 2802.
docker run -itd --name fs-ui -p 2802:2802 \
           -e FALCOSIDEKICK_UI_REDIS_URL=192.168.2.22:6379 \
           falcosecurity/falcosidekick-ui falcosidekick-ui

docker run -itd --name falcosidekick -p 2801:2801 \
           -e WEBUI_URL=http://192.168.2.22:2802 \
           falcosecurity/falcosidekick

# Falco does not read HTTP_OUTPUT_URL from the environment; the -o overrides
# below set the same falco.yaml keys the Falcosidekick docs ask for.
# --privileged is more than the modern eBPF probe needs: the Falco docs list
# SYS_ADMIN, SYS_RESOURCE and SYS_PTRACE as sufficient (CAP_BPF + CAP_PERFMON
# can stand in for SYS_ADMIN on kernels >= 5.8). The tag is pinned because
# later releases replace --modern-bpf with -o engine.kind=modern_ebpf.
docker run -itd --name falco \
           --privileged \
           -v /var/run/docker.sock:/host/var/run/docker.sock \
           -v /proc:/host/proc:ro \
           falcosecurity/falco-no-driver:0.35.1 falco --modern-bpf \
           -o json_output=true \
           -o http_output.enabled=true \
           -o http_output.url=http://192.168.2.22:2801/
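
The same four pieces as a Compose file, added here as an example; it is not from the original post or from the Falco project's own documentation. Putting the containers on one Compose network lets them reach each other by service name, so the LAN address disappears from the config, Redis is no longer published to the network, and the start order is explicit. `--privileged` is replaced by the three capabilities Falco's documentation lists for the modern eBPF probe. The `UI_PASSWORD` variable is a placeholder of my choosing, and `0.35.1` is a mid-2023 Falco release that still accepts `--modern-bpf`.

```yaml
# docker-compose.yml (added example, not part of the original post)
services:
  redis:
    image: redislabs/redisearch:2.2.4
    restart: unless-stopped
    # No "ports:" on purpose: Redis is reachable only from this Compose network.

  falcosidekick-ui:
    image: falcosecurity/falcosidekick-ui
    restart: unless-stopped
    depends_on: [redis]
    ports: ["2802:2802"]
    environment:
      FALCOSIDEKICK_UI_REDIS_URL: redis:6379
      # Default login is admin:admin; UI_PASSWORD is an assumed env var you must set.
      FALCOSIDEKICK_UI_USER: "admin:${UI_PASSWORD:?set UI_PASSWORD before starting}"

  falcosidekick:
    image: falcosecurity/falcosidekick
    restart: unless-stopped
    depends_on: [falcosidekick-ui]
    ports: ["2801:2801"]
    environment:
      WEBUI_URL: http://falcosidekick-ui:2802

  falco:
    image: falcosecurity/falco-no-driver:0.35.1
    restart: unless-stopped
    depends_on: [falcosidekick]
    # Least-privilege set from the Falco docs instead of privileged: true.
    # CAP_BPF + CAP_PERFMON can replace SYS_ADMIN on kernels >= 5.8.
    cap_add: [SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE]
    volumes:
      - /var/run/docker.sock:/host/var/run/docker.sock   # container metadata
      - /proc:/host/proc:ro
    # -o overrides set the falco.yaml keys the Falcosidekick docs require.
    command:
      - falco
      - --modern-bpf
      - -o
      - json_output=true
      - -o
      - http_output.enabled=true
      - -o
      - http_output.url=http://falcosidekick:2801/
```

Bring it up with `UI_PASSWORD=... docker compose up -d`; the `${UI_PASSWORD:?...}` form makes Compose refuse to start rather than fall back to the default credentials. Ports 2801 and 2802 are still published on all interfaces, so the same firewall caveat as the script applies to them.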


3 comments:

  1. I also need to step back from using that "--privileged" switch. I'd be sad if someone escaped/escalated privilege through the very tool that's supposed to watch for such stuff.

  2. Hmm... Falco is pointing out a bad choice (made by me years ago), involving a setuid bit set on an ancient binary (which now resides inside of a Docker container). One more thing for the "to do/to fix" list, I guess.

  3. Also had to modify Falco's config file (falco.yaml) as per https://hub.docker.com/r/falcosecurity/falcosidekick