Finish adding install docs and add sample event docs

Signed-off-by: lucperkins <lucperkins@gmail.com>
falcosecurity · Jan 28, 2019 · 18f77a0 · 18f77a0
1 parent 4e061cb
commit 18f77a0
Show file tree

Hide file tree

Showing 2 changed files with 137 additions and 2 deletions.
diff --git a/content/docs/installation.md b/content/docs/installation.md
@@ -1,13 +1,16 @@
 ---
 title: Installing Falco
 short: Install
-description: Get up and running on Linux
+description: Get up and running on Linux and a variety of container platforms
 weight: 1
 ---
 
-Falco can be installed on three platforms:
+Falco can be installed on several platforms:
 
 * [Linux](#linux)
+* [Docker](#docker)
+* [CoreOS](#coreos)
+* [Kubernetes](#kubernetes)
 
 ## Linux
 
@@ -105,3 +108,78 @@ A [Puppet](https://puppet.com/) module for Falco, `sysdig-falco`, is available o
 ### Ansible
 
 [@juju4](https://github.com/juju4/) has helpfully written an [Ansible](https://ansible.com) role for Falco, `juju4.falco`. It's available on [GitHub](https://github.com/juju4/ansible-falco/) and [Ansible Galaxy](https://galaxy.ansible.com/juju4/falco/). The latest version of Ansible Galaxy (v0.7) doesn't work with Falco 0.9, but the version on GitHub does.
+
+## Docker
+
+If you have full control of your host operating system, then installing Falco using the normal installation method is the recommended best practice. This method allows full visibility into all containers on the host OS. No changes to the standard automatic/manual installation procedures are required.
+
+Falco can also, however, run inside a [Docker](https://docker.com) container. To guarantee a smooth deployment, the kernel headers must be installed in the host operating system before running Falco.
+
+This can usually be done on Debian-like distributions using `apt-get`:
+
+```shell
+apt-get -y install linux-headers-$(uname -r)
+```
+
+On RHEL-like distributions:
+
+```shell
+yum -y install kernel-devel-$(uname -r)
+```
+
+Falco can then be running using Docker:
+
+```shell
+docker pull falcosecurity/falco
+docker run -i -t \
+    --name falco \
+    --privileged \
+    -v /var/run/docker.sock:/host/var/run/docker.sock \
+    -v /dev:/host/dev \
+    -v /proc:/host/proc:ro \
+    -v /boot:/host/boot:ro \
+    -v /lib/modules:/host/lib/modules:ro \
+    -v /usr:/host/usr:ro \
+    falcosecurity/falco
+```
+
+To see it in action, also run the [event generator](../sample-events) to perform actions that trigger Falco's ruleset:
+
+```shell
+docker pull sysdig/falco-event-generator
+docker run -it --name falco-event-generator sysdig/falco-event-generator
+```
+
+### Using custom rules with the Docker container
+
+The Falco image has a built-in set of rules located at `/etc/falco/falco_rules.yaml` which is suitable for most purposes. However, you may want to provide your own rules file and still use the Falco image. In that case, you should add a volume mapping to map the external rules file to `/etc/falco/falco_rules.yaml` within the container by adding `-v path-to-falco-rules.yaml:/etc/falco/falco_rules.yaml` to your `docker run` command.
+
+## CoreOS
+
+The recommended way to run Falco on CoreOS is inside of its own Docker container using the install commands in the [Docker section](#docker) above. This method allows full visibility into all containers on the host OS.
+
+This method is automatically updated, includes some nice features such as automatic setup and bash completion, and is a generic approach that can be used on other distributions outside CoreOS as well.
+
+However, some users may prefer to run Falco in the CoreOS toolbox. While not the recommended method, this can be achieved by installing Falco inside the toolbox using the normal installation method, and then manually running the `falco-probe-loader` script:
+
+```shell
+toolbox --bind=/dev --bind=/var/run/docker.sock
+curl -s https://s3.amazonaws.com/download.draios.com/stable/install-falco | bash
+falco-probe-loader
+```
+
+## Kubernetes
+
+To run Falco as a Kubernetes [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/), we have instructions and some sample YAML files [here](https://github.com/falcosecurity/falco/tree/dev/integrations/k8s-using-daemonset).
+
+The easiest way to use Falco on Kubernetes in a local environment is on [Minikube](https://kubernetes.io/docs/tutorials/hello-minikube/).
+
+### Notes on kernel modules
+
+A part of Falco's installation involves compiling a kernel module that allows it to see the stream of system calls on the machine on which Falco runs. The kernel module is built using DKMS and relies on the kernel headers being installed for the running kernel. If the DKMS step fails, as a fallback the installation script will try to download pre-built kernel modules from https://s3.amazonaws.com/download.draios.com.
+
+When running minikube with the default `--driver` arguments, Minikube creates a VM that runs the various Kubernetes services and a container framework to run Pods, etc. Generally, it's not possible to build kernel modules directly on the Minikube VM, as the VM doesn't include the kernel headers for the running kernel.
+
+To address this, starting with falco 0.13.1 we pre-build kernel modules for the last 10 Minikube versions and make them available at https://s3.amazonaws.com/download.draios.com. This allows the fallback step to succeed with a loadable kernel module.
+
+Going forward, we'll continue to support the most recent 10 Minikube versions with each new Falco release. We also keep previously built kernel modules around for download, so we will continue to have limited historical support as well.
diff --git a/content/docs/sample-events.md b/content/docs/sample-events.md
@@ -0,0 +1,57 @@
+---
+title: Generating sample events
+short: Sample events
+---
+
+If you'd like to check if Falco is working properly, we've created a test program [`event_generator`](https://github.com/falcosecurity/falco/blob/dev/docker/event-generator/event_generator.cpp) that performs a variety of suspect actions that are detected by the current Falco ruleset.
+
+Here's the usage block for the test program:
+
+```shell
+Usage event_generator [options]
+
+Options:
+     -h/--help: show this help
+     -a/--action: actions to perform. Can be one of the following:
+          write_binary_dir                           Write to files below /bin
+          write_etc                                  Write to files below /etc
+          read_sensitive_file                        Read a sensitive file
+          read_sensitive_file_after_startup          As a trusted program, wait a while,
+                                                     then read a sensitive file
+          write_rpm_database                         Write to files below /var/lib/rpm
+          spawn_shell                                Run a shell (bash)
+          db_program_spawn_process                   As a database program, try to spawn
+                                                     another program
+          modify_binary_dirs                         Modify a file below /bin
+          mkdir_binary_dirs                          Create a directory below /bin
+          change_thread_namespace                    Change namespace
+          system_user_interactive                    Change to a system user and try to
+                                                     run an interactive command
+          network_activity                           Open network connections
+                                                     (used by system_procs_network_activity below)
+          system_procs_network_activity              Open network connections as a program
+                                                     that should not perform network actions
+          non_sudo_setuid                            Setuid as a non-root user
+          create_files_below_dev                     Create files below /dev
+          exec_ls                                    execve() the program ls
+                                                     (used by user_mgmt_binaries below)
+          user_mgmt_binaries                         Become the program "vipw", which triggers
+                                                     rules related to user management programs
+          exfiltration                               Read /etc/shadow and send it via udp to a
+                                                     specific address and port
+          all                                        All of the above
+       The action can also be specified via the environment variable EVENT_GENERATOR_ACTIONS
+           as a colon-separated list
+       if specified, -a/--action overrides any environment variables
+     -i/--interval: Number of seconds between actions
+     -o/--once: Perform actions once and exit
+```
+
+The program packaged as a [Docker image](https://hub.docker.com/r/sysdig/falco-event-generator/) on [Docker Hub](https://hub.docker.com). To run the image:
+
+```shell
+docker pull sysdig/falco-event-generator
+docker run -it --name falco-event-generator sysdig/falco-event-generator
+```
+
+> **Warning** — We strongly recommend that you run the program within Docker, as it modifies files and directories below `/bin`, `/etc`, `/dev`, etc.