Installation and Usage
1 - Usage
Falco Talon can also be used as a CLI to help you manage your rules: check their validity (useful in CI), print the result of merging several rules files, or list the available actionners, outputs and notifiers.
$ falco-talon --help
Falco Talon is a Response Engine for managing threats in Kubernetes
It enhances the solutions proposed by Falco community with a dedicated,
no-code solution. With easy rules, you can perform actions over compromised pods.
Usage:
falco-talon [command]
Available Commands:
actionners Manage the actionners
completion Generate the autocompletion script for the specified shell
help Help about any command
notifiers Manage the Notifiers
outputs Manage the Outputs
rules Manage Falco Talon rules
server Start Falco Talon server
version Print version of Falco Talon.
Flags:
-c, --config string Falco Talon Config File (default "/etc/falco-talon/config.yaml")
-h, --help help for falco-talon
-r, --rules stringArray Falco Talon Rules File (default [/etc/falco-talon/rules.yaml])
Use "falco-talon [command] --help" for more information about a command.
Start the server that listens for events
$ falco-talon server --help
Start Falco Talon
Usage:
falco-talon server [flags]
Flags:
-h, --help help for server
Global Flags:
-c, --config string Falco Talon Config File (default "/etc/falco-talon/config.yaml")
-r, --rules stringArray Falco Talon Rules File (default [/etc/falco-talon/rules.yaml])
Manage the rules
$ falco-talon rules --help
Manage the rules loaded by Falco Talon. You can print them in the stdout or check their validity.
Usage:
falco-talon rules [command]
Available Commands:
check Check Falco Talon Rules file
print Print the rules loaded by Falco Talon in the stdout
Flags:
-h, --help help for rules
Global Flags:
-c, --config string Falco Talon Config File (default "/etc/falco-talon/config.yaml")
-r, --rules stringArray Falco Talon Rules File (default [/etc/falco-talon/rules.yaml])
Use "falco-talon rules [command] --help" for more information about a command.
Check the validity of the rules
$ falco-talon rules check --help
Check Falco Talon Rules file
Usage:
falco-talon rules check [flags]
Flags:
-h, --help help for check
Global Flags:
-c, --config string Falco Talon Config File (default "/etc/falco-talon/config.yaml")
-r, --rules stringArray Falco Talon Rules File (default [/etc/falco-talon/rules.yaml])
Examples
With valid rules files (the files are merged before being checked):
$ falco-talon rules check -r rules.yaml -r rules_override.yaml
2024-09-03T16:03:51+02:00 INF rules result="rules file valid"
With a rule that references an actionner that does not exist, the check logs the offending rule and ends with a fatal error, which is what makes the command usable as a CI gate:
$ falco-talon rules check -r rules.yaml -r rules_override.yaml
2024-09-03T16:04:53+02:00 ERR rules error="unknown actionner" action="Tests" actionner=kubernetes:wrong rule="Test bad actionner"
2024-09-03T16:04:53+02:00 FTL rules error="invalid rules"
Print the result of the merge of the rules files
$ falco-talon rules print --help
Print the result of the merge of the rules files by Falco Talon in the stdout.
Usage:
falco-talon rules print [flags]
Flags:
-h, --help help for print
Global Flags:
-c, --config string Falco Talon Config File (default "/etc/falco-talon/config.yaml")
-r, --rules stringArray Falco Talon Rules File (default [/etc/falco-talon/rules.yaml])
Lists
List the available actionners
$ falco-talon actionners list --help
List the available Actionners.
Usage:
falco-talon actionners list [flags]
Flags:
-h, --help help for list
Global Flags:
-c, --config string Falco Talon Config File (default "/etc/falco-talon/config.yaml")
-r, --rules stringArray Falco Talon Rules File (default [/etc/falco-talon/rules.yaml])
List the available outputs
$ falco-talon outputs list --help
List the available Outputs.
Usage:
falco-talon outputs list [flags]
Flags:
-h, --help help for list
Global Flags:
-c, --config string Falco Talon Config File (default "/etc/falco-talon/config.yaml")
-r, --rules stringArray Falco Talon Rules File (default [/etc/falco-talon/rules.yaml])
List the available notifiers
$ falco-talon notifiers list --help
List the available Notifiers.
Usage:
falco-talon notifiers list [flags]
Flags:
-h, --help help for list
Global Flags:
-c, --config string Falco Talon Config File (default "/etc/falco-talon/config.yaml")
-r, --rules stringArray Falco Talon Rules File (default [/etc/falco-talon/rules.yaml])
2 - Connect Falcosidekick to Falco Talon
Once you have installed Falco Talon with Helm in the falco namespace, you have to connect Falcosidekick to it by adding the flag --set falcosidekick.config.talon.address=http://falco-talon:2803 to the Falco installation:
helm install falco falcosecurity/falco --namespace falco \
--create-namespace \
--set tty=true \
--set falcosidekick.enabled=true \
--set falcosidekick.config.talon.address=http://falco-talon:2803
3 - Installation from the sources
Todo
4 - Installation in k8s with Helm
Helm
The helm chart is available on the official falcosecurity/charts repository.
Two main config files are provided:
values.yaml allows you to configure the static settings of Falco Talon and its deployment
rules.yaml contains the rules to set
Info
If your values.yaml contains watchRules: true, changes in the rules are detected and the Falco Talon pods automatically reload their configuration.
Install
To install Falco Talon, first add the chart repository:
helm repo add falcosecurity https://falcosecurity.github.io/charts
In case you already have the remote repository configured, update it:
helm repo update falcosecurity
Now, just deploy falcosecurity/falco-talon chart:
helm upgrade --install falco-talon falcosecurity/falco-talon
After deploying, you can check if pods are running properly:
kubectl get pods -n <namespace> | grep falco-talon
5 - Metrics
Prometheus metrics
Falco Talon exposes a /metrics endpoint with some metrics in the Prometheus format.
# HELP action_total number of actions
# TYPE action_total counter
action_total{action="Disable outbound connections",actionner="kubernetes:networkpolicy",event="Test logs",namespace="falco",otel_scope_name="github.com/Falco-Talon/falco-talon",otel_scope_version="devel",pod="falco-5b7kc",rule="Suspicious outbound connection",status="failure"} 6
action_total{action="Terminate Pod",actionner="kubernetes:terminate",event="Test logs",namespace="falco",otel_scope_name="github.com/Falco-Talon/falco-talon",otel_scope_version="devel",pod="falco-5b7kc",rule="Suspicious outbound connection",status="failure"} 6
# HELP event_total number of received events
# TYPE event_total counter
event_total{event="Unexpected outbound connection destination",otel_scope_name="github.com/Falco-Talon/falco-talon",otel_scope_version="devel",priority="Critical",source="syscalls"} 2
# HELP match_total number of matched events
# TYPE match_total counter
match_total{event="Unexpected outbound connection destination",otel_scope_name="github.com/Falco-Talon/falco-talon",otel_scope_version="devel",priority="Critical",rule="Suspicious outbound connection",source="syscalls"} 2
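Scraped counters are only useful if something reads them. As an added example (not code from Falco Talon or its documentation), the Python below parses the text exposition shown above and derives two things a practitioner wants to alert on: rules whose actions all failed (the event matched but the response never landed) and events Talon receives but never matches. It assumes only the three metric families above and their label names; the scrape is a constructed sample modelled on that output, with extra lines added for contrast, and the helper names are this example's own.

```python
"""Summarise Falco Talon's Prometheus counters from a /metrics scrape.

Added example, not code from Falco Talon or its documentation. It assumes
only the three metric families shown above (event_total, match_total,
action_total) and their label names; helper names are this example's own.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Sample = Tuple[str, Dict[str, str], float]  # (metric name, labels, value)

# Constructed sample scrape modelled on the output above, with a successful
# action and a second event added so the summary has something to contrast.
SAMPLE_SCRAPE = """\
# HELP action_total number of actions
# TYPE action_total counter
action_total{action="Disable outbound connections",actionner="kubernetes:networkpolicy",event="Test logs",namespace="falco",otel_scope_name="github.com/Falco-Talon/falco-talon",otel_scope_version="devel",pod="falco-5b7kc",rule="Suspicious outbound connection",status="failure"} 6
action_total{action="Terminate Pod",actionner="kubernetes:terminate",event="Test logs",namespace="falco",otel_scope_name="github.com/Falco-Talon/falco-talon",otel_scope_version="devel",pod="falco-5b7kc",rule="Suspicious outbound connection",status="failure"} 6
action_total{action="Terminate Pod",actionner="kubernetes:terminate",event="Terminal shell in container",namespace="prod",pod="web-7f9c2",rule="Terminate on shell",status="success"} 3
# HELP event_total number of received events
# TYPE event_total counter
event_total{event="Unexpected outbound connection destination",priority="Critical",source="syscalls"} 2
event_total{event="Terminal shell in container",priority="Notice",source="syscalls"} 5
# HELP match_total number of matched events
# TYPE match_total counter
match_total{event="Unexpected outbound connection destination",priority="Critical",rule="Suspicious outbound connection",source="syscalls"} 2
match_total{event="Terminal shell in container",priority="Notice",rule="Terminate on shell",source="syscalls"} 3
"""

# One sample line: name, optional {labels}, value, optional timestamp.
# Label values are quoted, so '}' or ',' inside a value are handled.
_SAMPLE_RE = re.compile(
    r'^(?P<name>[A-Za-z_:][A-Za-z0-9_:]*)'
    r'(?:\{(?P<labels>(?:[^"}]|"(?:[^"\\]|\\.)*")*)\})?'
    r'\s+(?P<value>\S+)'
    r'(?:\s+-?\d+)?$'
)
_LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')
_ESCAPE_RE = re.compile(r'\\(["\\n])')  # the three escapes the text format allows


def _unescape(value: str) -> str:
    return _ESCAPE_RE.sub(lambda m: "\n" if m.group(1) == "n" else m.group(1), value)


def parse_exposition(text: str) -> List[Sample]:
    """Parse text-format samples; HELP/TYPE comments and blank lines are skipped."""
    samples: List[Sample] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SAMPLE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable sample line: {line!r}")
        labels = {k: _unescape(v) for k, v in _LABEL_RE.findall(m.group("labels") or "")}
        samples.append((m.group("name"), labels, float(m.group("value"))))
    return samples


def action_outcomes(samples: List[Sample]) -> Dict[str, Dict[str, float]]:
    """Per Talon rule, action_total summed by status across actions and pods."""
    out: Dict[str, Dict[str, float]] = defaultdict(dict)
    for name, labels, value in samples:
        if name == "action_total" and "rule" in labels:
            status = labels.get("status", "unknown")
            out[labels["rule"]][status] = out[labels["rule"]].get(status, 0.0) + value
    return dict(out)


def failing_rules(samples: List[Sample]) -> List[str]:
    """Rules whose every recorded action failed: the event matched, but the
    response never landed (e.g. the actionner is not allowed to act on the target)."""
    return sorted(rule for rule, by_status in action_outcomes(samples).items()
                  if by_status.get("failure", 0.0) > 0 and by_status.get("success", 0.0) == 0)


def match_ratio(samples: List[Sample]) -> Dict[str, float]:
    """matched / received per Falco rule name; 0 means Talon receives the event
    but no Talon rule matches it, so no response ever fires."""
    received: Dict[str, float] = defaultdict(float)
    matched: Dict[str, float] = defaultdict(float)
    for name, labels, value in samples:
        if name == "event_total":
            received[labels["event"]] += value
        elif name == "match_total":
            matched[labels["event"]] += value
    return {e: (matched[e] / received[e]) if received[e] else 0.0 for e in received}


if __name__ == "__main__":
    scrape = parse_exposition(SAMPLE_SCRAPE)
    print("rules with only failed actions:", failing_rules(scrape))
    for event, ratio in match_ratio(scrape).items():
        print(f"{event!r}: {ratio:.0%} of received events matched a Talon rule")
```

In production you would point the same functions at the body of an HTTP GET on the /metrics endpoint (or express the two checks as PromQL alerts against the counters); the value of the "all actions failed" check is that a response engine that silently fails to act is worse than one that is visibly down.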
OTEL metrics
If you use the OTEL Collector, you can configure Falco Talon to push its metrics to it:
otel:
  metrics_enabled: true
  collector_port: 4317
  collector_endpoint: localhost
  collector_use_insecure_grpc: true
  timeout: 10
collector_use_insecure_grpc: true sends the metrics over plaintext gRPC without TLS; keep it for a collector reachable on localhost (or an otherwise trusted boundary) and switch to TLS when the collector sits across the network.
6 - Traces
Falco Talon can export traces, which are very useful for observability over the actions it performs.
You can enable the traces in config.yaml by setting the address and port of the OTEL collector.
otel:
  traces_enabled: true
  collector_port: 4317
  collector_endpoint: localhost
  collector_use_insecure_grpc: true
  timeout: 10
Information
A trace is emitted for every event received by Falco Talon. You can configure the OTEL Collector to do tail sampling and store only the traces with actions: the policy below keeps a trace when it contains a span whose name matches "match", i.e. when a Talon rule matched the event. Note that num_traces bounds how many traces the processor keeps in memory while it waits decision_wait for each trace to complete, so size it above the number of events Talon can receive in that window or traces will be evicted before a decision is taken.
...
processors:
  batch:
  tail_sampling:
    decision_wait: 1s
    num_traces: 200
    policies:
      [
        {
          name: ignore-unmatched,
          type: ottl_condition,
          ottl_condition: {
            error_mode: ignore,
            span: [
              "IsMatch(name, \"match\")"
            ]
          }
        }
      ]
service:
  pipelines:
    traces:
      ...
      processors: [tail_sampling, batch]
      ...
...