Just spent a couple hours getting Falco + Sidekick + UI + Redis figured out. Following works. Next up: getting it to work in K8s.
#!/bin/bash
docker run -d -p 6379:6379 redislabs/redisearch:2.2.4
docker run -itd --name falco \
  --privileged \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /proc:/host/proc:ro \
  -e HTTP_OUTPUT_URL=http://192.168.2.22:2801 \
  falcosecurity/falco-no-driver:latest falco --modern-bpf
docker run -itd --name falcosidekick -p 2801:2801 \
  -e WEBUI_URL=http://192.168.2.22:2802 \
  falcosecurity/falcosidekick
docker run -itd --name fs-ui -p 2802:2802 \
  -e FALCOSIDEKICK_UI_REDIS_URL=192.168.2.22:6379 \
  falcosecurity/falcosidekick-ui falcosidekick-ui
I also need to step back from using that "--privileged" switch. I'd be sad if someone escaped/escalated privilege through the very tool that's supposed to watch for such stuff.
Hmm... Falco is pointing out a bad choice (made by me years ago), involving a setuid bit set on an ancient binary (which now resides inside of a Docker container). One more thing for the "to do/to fix" list, I guess.
Also had to modify Falco's config file (falco.yaml) as per https://hub.docker.com/r/falcosecurity/falcosidekick.
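Added example (my own script, not something from the post or from the Falco project) covering the two loose ends above: the falco.yaml settings that point Falco at Falcosidekick, and a Falco run that drops --privileged. The three config keys (json_output, json_include_output_property, http_output) are the ones the Falcosidekick README asks for; the capability set in falco_run_least_priv and the /healthz and /test endpoints are assumptions from memory of the Falco and Falcosidekick docs, so check them against the version you deploy. The IP 192.168.2.22 and the ports are the ones from the post.

```shell
#!/bin/bash
# Render, check and smoke-test the Falco -> Falcosidekick wiring.
set -eu

# Write the falco.yaml settings Falcosidekick needs (assumed from its README):
# alerts as JSON, output property included, HTTP output pointed at sidekick.
# $1: Falcosidekick URL (e.g. http://192.168.2.22:2801), $2: file to write.
render_falco_output_config() {
  cat > "$2" <<EOF
# Falcosidekick only parses JSON alerts.
json_output: true
json_include_output_property: true
# Push every alert to Falcosidekick over HTTP.
http_output:
  enabled: true
  url: $1
EOF
}

# Return 0 when a falco.yaml fragment has all the required settings, 1 otherwise.
# The default shipped config has http_output disabled, so this catches the
# "forgot to edit falco.yaml" case from the post.
check_falco_output_config() {
  local f="$1"
  grep -Eq '^json_output: *true' "$f" || return 1
  grep -Eq '^json_include_output_property: *true' "$f" || return 1
  grep -Eq '^ +enabled: *true' "$f" || return 1
  grep -Eq '^ +url: *https?://' "$f" || return 1
  return 0
}

# Start Falco without --privileged. Assumption: with the modern eBPF probe the
# Falco docs' least-privileged mode needs only these capabilities; everything
# else is dropped so a bug in the sensor cannot hand out full root on the host.
# $1: path to the falco.yaml produced above, $2: Falcosidekick URL.
falco_run_least_priv() {
  docker run -itd --name falco \
    --cap-drop all \
    --cap-add sys_admin \
    --cap-add sys_resource \
    --cap-add sys_ptrace \
    -v /var/run/docker.sock:/host/var/run/docker.sock \
    -v /proc:/host/proc:ro \
    -v "$1":/etc/falco/falco.yaml:ro \
    -e HTTP_OUTPUT_URL="$2" \
    falcosecurity/falco-no-driver:latest falco --modern-bpf
}

# Smoke test against a running stack (needs curl and the network; not part of
# the offline checks). /healthz and /test are assumed Falcosidekick endpoints;
# /test makes sidekick emit a synthetic alert to its outputs, so it should
# show up in the UI within a few seconds.
smoke_test_sidekick() {
  local sidekick="$1"
  curl -fsS "$sidekick/healthz" >/dev/null || { echo "sidekick not healthy"; return 1; }
  curl -fsS -X POST "$sidekick/test" >/dev/null || { echo "test event rejected"; return 1; }
  echo "ok: test event accepted, check the UI"
}
```

Usage: `render_falco_output_config http://192.168.2.22:2801 ./falco.yaml && check_falco_output_config ./falco.yaml && falco_run_least_priv "$PWD/falco.yaml" http://192.168.2.22:2801`, then `smoke_test_sidekick http://192.168.2.22:2801` once the containers are up. If Falco fails to load the probe with the reduced capability set, the kernel or Falco version wants a different set; the capability list is the thing to revisit, not a reason to go back to --privileged.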