diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml new file mode 100644 index 000000000..551f6da1d --- /dev/null +++ b/.github/workflows/links.yml @@ -0,0 +1,23 @@ +name: Links + +on: + workflow_dispatch: + pull_request: + push: + branches: + - master + +jobs: + linkChecker: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + + - name: Link Checker + uses: lycheeverse/lychee-action@f796c8b7d468feb9b8c0a46da3fac0af6874d374 #v2.2.0 + with: + args: --no-progress --offline './content/en/**/*.md' + fail: true \ No newline at end of file diff --git a/content/en/blog/atomic-red-falco/index.md b/content/en/blog/atomic-red-falco/index.md index 396bd1d10..69884046e 100644 --- a/content/en/blog/atomic-red-falco/index.md +++ b/content/en/blog/atomic-red-falco/index.md @@ -315,8 +315,6 @@ Hurrah! We detected the boot initialization scripts with the above command. To r Invoke-AtomicTest T1037.004 -ShowDetails ``` -![](images/re-local.png) - We can see from the command that it is using the 'python3' command to run Python scripts. However, the script itself is executed as a base64-encoded string to evade some traditional detection tools. diff --git a/content/en/blog/falcosidekick-2-29-0/index.md b/content/en/blog/falcosidekick-2-29-0/index.md index a0c3d26b8..f8cfd0b64 100644 --- a/content/en/blog/falcosidekick-2-29-0/index.md +++ b/content/en/blog/falcosidekick-2-29-0/index.md 
@@ -50,7 +50,7 @@ After a demo of Falco at a CNCF Meetup, the [Quickwit](https://quickwit.io/) tea ### Falco Talon -New born in the Falco ecosystem, trying to complete the last missing piece: the reaction. You can now forward the Falco events to [Falco Talon](https//docs.falco-talon.org), a tailor made no-code response engine for Falco. The project is still in alpha stage, but moves quickly. Stay tuned. +New born in the Falco ecosystem, trying to complete the last missing piece: the reaction. You can now forward the Falco events to [Falco Talon](https://docs.falco-talon.org), a tailor made no-code response engine for Falco. The project is still in alpha stage, but moves quickly. Stay tuned. ![](images/falco-talon.png) diff --git a/content/en/docs/_index.md b/content/en/docs/_index.md index 20c69f6ff..591875c3a 100644 --- a/content/en/docs/_index.md +++ b/content/en/docs/_index.md 
@@ -10,7 +10,7 @@ aliases: Falco is a cloud native security tool that provides runtime security across hosts, containers, Kubernetes, and cloud environments. It is designed to detect and alert on abnormal behavior and potential security threats in real-time. -At its core, Falco is a monitoring and detection agent that observes events (such as [Linux kernel events](event-sources/kernel) and other data sources through [plugins](plugins)) and delivers real-time alerts based on custom rules. Falco also enhances these events by integrating contextual metadata from container runtimes and Kubernetes. The generated alert events can be forwarded to other components to take action or be analyzed in SIEM or data lake systems for further investigation. +At its core, Falco is a monitoring and detection agent that observes events (such as [Linux kernel events](/docs/concepts/event-sources/kernel) and other data sources through [plugins](/docs/concepts/plugins)) and delivers real-time alerts based on custom rules. Falco also enhances these events by integrating contextual metadata from container runtimes and Kubernetes. The generated alert events can be forwarded to other components to take action or be analyzed in SIEM or data lake systems for further investigation. Falco, originally created by [Sysdig](https://sysdig.com), is now a graduate [Cloud Native Computing Foundation](https://cncf.io) (CNCF) project used in production by various [organisations](https://github.com/falcosecurity/falco/blob/master/ADOPTERS.md). 
@@ -23,9 +23,9 @@ Falco uses syscalls to monitor a system's activity, by: - Asserting the stream against a powerful rules engine - Alerting when a rule is violated -For more information, see Falco [Rules](rules). +For more information, see Falco [Rules](/docs/concepts/rules). -Falco's monitoring capabilities are not limited to syscalls as it can be extended via [plugins](plugins) to ingest data from many more types of sources. +Falco's monitoring capabilities are not limited to syscalls as it can be extended via [plugins](/docs/concepts/plugins) to ingest data from many more types of sources. ## What does Falco check for? 
@@ -47,11 +47,11 @@ Falco ships with a default set of rules that check the kernel for unusual behavi ## What are Falco rules? -Rules are the conditions under which an alert should be generated. A rule is accompanied by a descriptive output string sent with the alert. They are defined using YAML files and loaded by the Falco configuration file. For more information about writing, managing, and deploying rules, see Falco [Rules](rules). +Rules are the conditions under which an alert should be generated. A rule is accompanied by a descriptive output string sent with the alert. They are defined using YAML files and loaded by the Falco configuration file. For more information about writing, managing, and deploying rules, see Falco [Rules](/docs/concepts/rules). ## What are Falco alerts? -Alerts are configurable downstream actions that can be as simple as logging to `stdout` or as complex as delivering a {{< glossary_tooltip text="gRPC" term_id="grpc" >}} call to a client. For more information about configuring, understanding, and developing alerts, see [Falco Alerts](alerts). Falco can send alerts to: +Alerts are configurable downstream actions that can be as simple as logging to `stdout` or as complex as delivering a {{< glossary_tooltip text="gRPC" term_id="grpc" >}} call to a client. For more information about configuring, understanding, and developing alerts, see [Falco Outputs](/docs/concepts/outputs). Falco can send alerts to: - Standard Output - A file 
@@ -66,7 +66,7 @@ Falco is composed of several main components: - Userspace program - is the CLI tool `falco` that you can use to interact with Falco. The userspace program handles signals, parses information from a Falco driver, and sends alerts. - - Configuration - defines how Falco is run, what rules to assert, and how to perform alerts. For more information, see [Configuration](configuration). + - Configuration - defines how Falco is run, what rules to assert, and how to perform alerts. For more information, see [Configuration](/docs/reference/daemon/config-options). - Driver - is a software that adheres to the Falco driver specification and sends a stream of kernel events. Currently, Falco supports the following drivers: @@ -74,9 +74,9 @@ Falco is composed of several main components: - Legacy eBPF probe built - Kernel module - For more information, see [Falco Drivers](event-sources/drivers). + For more information, see [Falco Event Sources](/docs/concepts/event-sources). - - Plugins - allow to extend the functionality of Falco by adding new event sources and new fields that can extract information from events. For more information, see [Plugins](plugins). + - Plugins - allow to extend the functionality of Falco by adding new event sources and new fields that can extract information from events. For more information, see [Plugins](/docs/concepts/plugins). - [Falcoctl](https://github.com/falcosecurity/falcoctl) - allows to easily install rules and plugins and perform administrative tasks with Falco. It is bundled together with Falco. diff --git a/content/en/docs/concepts/event-sources/plugins/_index.md b/content/en/docs/concepts/event-sources/plugins/_index.md index b165296d1..553380e3f 100644 --- a/content/en/docs/concepts/event-sources/plugins/_index.md +++ b/content/en/docs/concepts/event-sources/plugins/_index.md 
@@ -11,9 +11,9 @@ Since the introduction of the [Plugin System](/docs/plugins), additional event s Examples of event source defined by offically-supported plugins are: -* [Kubernetes Audit Events](kubernetes-audit) -* [AWS CloudTrail](cloudtrail) -* [Okta](okta) +* [Kubernetes Audit Events](/docs/concepts/event-sources/plugins/kubernetes-audit) +* [AWS CloudTrail](/docs/concepts/event-sources/plugins/cloudtrail) +* [Okta](/docs/concepts/event-sources/plugins/okta) In addition to these plugins hosted by the Falcosecurity organization, others have written third-party [plugins](https://github.com/falcosecurity/plugins#readme) that support additional event sources. Please refer to the [official Plugin Registry](https://github.com/falcosecurity/plugins/blob/master/registry.yaml) for the most up-to-date information regarding the Falco plugins acknowledged by the community. diff --git a/content/en/docs/developer-guide/grpc/_index.md b/content/en/docs/developer-guide/grpc/_index.md index 1d106f400..f20fee4ad 100644 --- a/content/en/docs/developer-guide/grpc/_index.md +++ b/content/en/docs/developer-guide/grpc/_index.md @@ -11,7 +11,7 @@ Starting from version [0.18.0](https://github.com/falcosecurity/falco/releases/t The current APIs are: -- [schema definition](outputs): get or subscribe to Falco output events. -- [schema definition](version): retrieve the Falco version. +- [schema definition](/docs/developer-guide/grpc/outputs): get or subscribe to Falco output events. +- [schema definition](/docs/developer-guide/grpc/version): retrieve the Falco version. In order to interact with these APIs, the The Falco Project provides a [Golang SDK](/docs/grpc/client-go). diff --git a/content/en/docs/getting-started/kubernetes-quickstart.md b/content/en/docs/getting-started/kubernetes-quickstart.md index 989574b51..447b210cf 100644 --- a/content/en/docs/getting-started/kubernetes-quickstart.md +++ b/content/en/docs/getting-started/kubernetes-quickstart.md 
@@ -157,7 +157,7 @@ kubectl exec -it $(kubectl get pods --selector=app=nginx -o name) -- cat /etc/sh You should see an event appearing in the Falcosidekick UI -![Falcosidekick Event](../images/falcosidekick-event.png) +![Falcosidekick Event](/docs/getting-started/images/falcosidekick-event.png) The Falcosidekick UI can be used to quickly display events but most likely on a production system you will want to forward events to a centralized location. Falcosidekick supports more than 60 integrations. You can find an example below but you can refer to [the forwarding documentation](/docs/outputs/forwarding/) to learn more. @@ -174,7 +174,7 @@ helm upgrade --namespace falco falco falcosecurity/falco \ If Slack is configured correctly, when an event is triggered you should receive a message like the following: -![Slack output](../images/slack-output.png) +![Slack output](/docs/getting-started/images/slack-output.png) ## Cleanup diff --git a/content/en/docs/metrics/performance.md b/content/en/docs/metrics/performance.md index bd84b31e7..fd6c158ca 100644 --- a/content/en/docs/metrics/performance.md +++ b/content/en/docs/metrics/performance.md @@ -19,7 +19,7 @@ The Falco Project provides guidance on some of these aspects, and there are ongo ## Resource Utilization and System Impact -The Falco Project provides native support for measuring resource utilization and statistics, including event drop counters, kernel tracepoint invocation counters, timeouts, and internal state handling. More detailed information is given in the [Falco Metrics](../falco-metrics/) Guide. +The Falco Project provides native support for measuring resource utilization and statistics, including event drop counters, kernel tracepoint invocation counters, timeouts, and internal state handling. More detailed information is given in the [Falco Metrics](/docs/metrics/) Guide. ### CPU and Memory Utilization 
@@ -36,7 +36,7 @@ Top metrics: Beyond monitoring the tool's utilization, check if your applications perform as before. This evaluation could include overall network, I/O, or general contention metrics. -Read [Falco Metrics](../falco-metrics/) next. +Read [Falco Metrics](/docs/metrics) next. ### Server Load and Falco Event Drops diff --git a/content/en/docs/setup/container.md b/content/en/docs/setup/container.md index 9752544b0..0ad223589 100644 --- a/content/en/docs/setup/container.md +++ b/content/en/docs/setup/container.md @@ -11,7 +11,7 @@ weight: 20 {{% pageinfo color="primary" %}} Falco consumes streams of events and evaluates them against a set of security {{< glossary_tooltip text="rules" term_id="rules" >}} to detect abnormal behavior. By default, Falco is preconfigured to consume events from the Linux Kernel. This scenario requires Falco to be privileged, and depending on the kernel version installed on the node, a {{< glossary_tooltip text="driver" term_id="drivers" >}} will be installed on the node. Since orchestration systems like Kubernetes are out of scope for this section, it's up to the user to manage the container lifecycle and deployment across the nodes. -For other installation scenarios, such as consuming cloud events or other data sources using plugins, please refer to the [Plugins](docs/plugins/) section. +For other installation scenarios, such as consuming cloud events or other data sources using plugins, please refer to the [Plugins](/docs/concepts/plugins/) section. {{% /pageinfo %}} ## Install diff --git a/content/en/docs/setup/kubernetes.md b/content/en/docs/setup/kubernetes.md index 8e8a00d00..61adb7958 100644 --- a/content/en/docs/setup/kubernetes.md +++ b/content/en/docs/setup/kubernetes.md 
@@ -12,7 +12,7 @@ weight: 10 {{% pageinfo color="primary" %}} Falco consumes streams of events and evaluates them against a set of security {{< glossary_tooltip text="rules" term_id="rules" >}} to detect abnormal behavior. By default, Falco is preconfigured to consume events from the Linux Kernel. This default installation scenario will add Falco to all nodes in your cluster using a [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/). This scenario requires Falco to be privileged, and depending on the kernel version installed on the node, a {{< glossary_tooltip text="driver" term_id="drivers" >}} will be installed on the node. -For other installation scenarios, such as consuming cloud events or other data sources using plugins, please refer to the [Plugins](docs/plugins/) section. +For other installation scenarios, such as consuming cloud events or other data sources using plugins, please refer to the [Plugins](/docs/concepts/plugins/) section. {{% /pageinfo %}} The recommended way to deploy Falco on a Kubernetes cluster is to use the provided Helm chart. The official Falco charts repository is hosted at: diff --git a/content/en/docs/setup/packages.md b/content/en/docs/setup/packages.md index cd48cdec7..493718d00 100644 --- a/content/en/docs/setup/packages.md +++ b/content/en/docs/setup/packages.md 
@@ -11,7 +11,7 @@ weight: 30 {{% pageinfo color="primary" %}} Falco consumes streams of events and evaluates them against a set of security {{< glossary_tooltip text="rules" term_id="rules" >}} to detect abnormal behavior. By default, Falco is preconfigured to consume events from the Linux Kernel. This scenario requires Falco to be privileged, and depending on the kernel version installed on the host, a {{< glossary_tooltip text="driver" term_id="drivers" >}} needs to be installed. -For other installation scenarios, such as consuming cloud events or other data sources using plugins, please refer to the [Plugins](docs/plugins/) section. +For other installation scenarios, such as consuming cloud events or other data sources using plugins, please refer to the [Plugins](/docs/concepts/plugins/) section. {{% /pageinfo %}} There are two main methods to install Falco on your host using the [released Falco packages](/docs/download): diff --git a/content/en/docs/setup/tarball.md b/content/en/docs/setup/tarball.md index bdf475028..8b70ee43b 100644 --- a/content/en/docs/setup/tarball.md +++ b/content/en/docs/setup/tarball.md 
@@ -7,7 +7,7 @@ weight: 40 {{% pageinfo color="primary" %}} Falco consumes streams of events and evaluates them against a set of security {{< glossary_tooltip text="rules" term_id="rules" >}} to detect abnormal behavior. By default, Falco is preconfigured to consume events from the Linux Kernel. This scenario requires Falco to be privileged, and depending on the kernel version installed on the host, a {{< glossary_tooltip text="driver" term_id="drivers" >}} needs to be installed. -For other installation scenarios, such as consuming cloud events or other data sources using plugins, please refer to the [Plugins](docs/plugins/) section. +For other installation scenarios, such as consuming cloud events or other data sources using plugins, please refer to the [Plugins](/docs/concepts/plugins/) section. {{% /pageinfo %}} There are two main methods to install Falco on your host using the [released Falco packages](/docs/download):
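Review bot: The `linkChecker` job in `.github/workflows/links.yml` declares no `permissions:` block, so on `pull_request` and `push` it runs with whatever default `GITHUB_TOKEN` scope the repository is configured for. The job only checks out the tree and reads Markdown, so add a top-level `permissions:` with `contents: read`. Smaller points in the same file: `fetch-depth: 0` pulls full history that a check over `./content/en/**/*.md` does not need, the pin comments are formatted differently (`# v4.2.2` vs `#v2.2.0`), and the file ends without a trailing newline. Because `args` includes `--offline`, external URLs such as the corrected `https://docs.falco-talon.org` are not validated by this job; a comment in the workflow saying so would avoid a false sense of coverage.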
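Review bot: In `content/en/blog/atomic-red-falco/index.md` (hunk at -315) dropping `![](images/re-local.png)` leaves the next paragraph, "We can see from the command that it is using the 'python3' command", referring to output the reader can no longer see. If the image file is missing, either restore it or replace it with the relevant part of the `Invoke-AtomicTest T1037.004 -ShowDetails` output as text, so the sentence about the base64-encoded script still has something to point at.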
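Review bot: In `content/en/docs/_index.md` (hunk at -74) the link under the Driver bullet changes from `[Falco Drivers](event-sources/drivers)` to `[Falco Event Sources](/docs/concepts/event-sources)`, which sends a reader looking for driver details to the section root instead. If a drivers page still exists under the new layout, link to it and keep the "Falco Drivers" label; if not, say in the commit message that the page was folded into the event sources section. The same question applies in the -47 hunk, where the label becomes "Falco Outputs" under the heading "What are Falco alerts?".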
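Review bot: Several unchanged context lines still use paths that this same patch treats as outdated elsewhere: `[Plugin System](/docs/plugins)` in `content/en/docs/concepts/event-sources/plugins/_index.md` (the patch uses `/docs/concepts/plugins`), `[Golang SDK](/docs/grpc/client-go)` in `content/en/docs/developer-guide/grpc/_index.md` (the patch uses `/docs/developer-guide/grpc/...`), and `/docs/outputs/forwarding/` in `content/en/docs/getting-started/kubernetes-quickstart.md` (the patch uses `/docs/concepts/outputs`). Please confirm these resolve through aliases, or update them in this change so the new link check starts from a clean baseline.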
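Review bot: In `content/en/docs/metrics/performance.md` the two Falco Metrics links are rewritten differently, `/docs/metrics/` in the -19 hunk and `/docs/metrics` in the -36 hunk, and both now point at the section root rather than the former `../falco-metrics/` page. Pick one trailing-slash form and confirm the section index is the intended target for "Falco Metrics Guide". The same slash inconsistency appears between the setup pages (`/docs/concepts/plugins/`) and `content/en/docs/_index.md` (`/docs/concepts/plugins`).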