Install Falco with a cluster management project

Introduced in GitLab 14.0.

GitLab Container Host Security Monitoring uses Falco as a runtime security tool that listens to the Linux kernel using eBPF. Falco parses system calls and evaluates the event stream against a configurable rules engine in real time. For more information, see Falco's documentation.

Assuming you already have a cluster management project created from the management project template, to install Falco you should uncomment this line in your helmfile.yaml:

  - path: applications/falco/helmfile.yaml

You can customize Falco's Helm variables by defining the applications/falco/values.yaml file in your cluster management project. Refer to the Falco chart for the available configuration options.

WARNING: By default, eBPF support is enabled and Falco uses an eBPF probe to pass system calls to user space. If your cluster doesn't support this, you can configure Falco to use its kernel module instead by adding the following to applications/falco/values.yaml:

ebpf:
  enabled: false

In rare cases where the probe can't be installed on your cluster and no pre-built kernel module or eBPF probe exists for your kernel version, you may need to build the kernel module or eBPF probe yourself with driverkit and install it on each cluster node.

By default, Falco is deployed with a limited set of rules. To add more rules, add the following to applications/falco/values.yaml (you can get examples from Cloud Native Security Hub). Each key under customRules becomes a rules file that Falco loads alongside its default ruleset:

customRules:
  file-integrity.yaml: |-
    # Fires on file creation: creat(), or open/openat/openat2 called with O_CREAT.
    # Evaluated on the syscall exit event so that fd.name is populated.
    - rule: Detect New File
      desc: detect new file created
      condition: >
        (evt.type = creat or (evt.type in (open, openat, openat2) and evt.arg.flags contains O_CREAT))
        and evt.dir = < and fd.typechar = 'f'
      output: >
        New file created (user=%user.name command=%proc.cmdline file=%fd.name
        parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2])
      priority: ERROR
      tags: [filesystem]
    # Fires on mkdir/mkdirat (same events as the default ruleset's mkdir macro).
    # A new directory has no file descriptor, so the path comes from the syscall argument.
    - rule: Detect New Directory
      desc: detect new directory created
      condition: >
        evt.type in (mkdir, mkdirat) and evt.dir = <
      output: >
        New directory created (user=%user.name command=%proc.cmdline directory=%evt.arg.path
        parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2])
      priority: ERROR
      tags: [filesystem]

By default, Falco only outputs security events to its logs as JSON objects. To also send them to an external API or application, add the following to applications/falco/values.yaml:

falco:
  # Pipe each event (one JSON line) to the standard input of an external command.
  programOutput:
    enabled: true
    keepAlive: false
    program: mail -s "Falco Notification" someone@example.com

  # POST each event as a JSON body to an HTTP endpoint, for example a webhook receiver.
  httpOutput:
    enabled: true
    url: http://some.url

You can read the events Falco has logged with the following command:

kubectl -n gitlab-managed-apps logs -l app=falco
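The log lines returned by that command and the line handed to a programOutput command share the same JSON event shape. As an added example (not GitLab's or Falco's own code), the following script parses such lines, skips Falco's non-event start-up messages, and keeps events at or above a priority threshold, optionally restricted to a rule tag. The sample lines are constructed; the keys used (rule, priority, tags, output_fields) are those of Falco's JSON output.

```python
import json
import sys
from typing import Iterable, Iterator, Optional

# Falco priorities, most severe first, spelled as Falco emits them in JSON output.
PRIORITY_ORDER = ["Emergency", "Alert", "Critical", "Error", "Warning",
                  "Notice", "Informational", "Debug"]

def at_least(priority: str, threshold: str) -> bool:
    """True if `priority` is as severe as `threshold` or more; unknown values rank lowest."""
    rank = {p: i for i, p in enumerate(PRIORITY_ORDER)}
    return rank.get(priority, len(PRIORITY_ORDER)) <= rank.get(threshold, len(PRIORITY_ORDER))

def parse_events(lines: Iterable[str]) -> Iterator[dict]:
    """Yield Falco JSON events; ignore blank, non-JSON, or malformed lines."""
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue  # e.g. "Falco initialized with configuration file ..."
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "rule" in event and "priority" in event:
            yield event

def triage(lines: Iterable[str], threshold: str = "Error", tag: Optional[str] = None) -> list:
    """Return (rule, user, command, file) for events at/above `threshold` that carry `tag`."""
    hits = []
    for ev in parse_events(lines):
        if not at_least(ev["priority"], threshold):
            continue
        if tag is not None and tag not in ev.get("tags", []):
            continue
        f = ev.get("output_fields", {})
        hits.append((ev["rule"], f.get("user.name"), f.get("proc.cmdline"), f.get("fd.name")))
    return hits

# Constructed sample: one start-up line, one Error event, one Notice event.
SAMPLE_LOG = """\
Falco initialized with configuration file /etc/falco/falco.yaml
{"output":"10:15:02.123456789: Error New file created (user=root command=touch /etc/cron.d/job file=/etc/cron.d/job)","priority":"Error","rule":"Detect New File","tags":["filesystem"],"time":"2021-06-01T10:15:02.123456789Z","output_fields":{"fd.name":"/etc/cron.d/job","proc.cmdline":"touch /etc/cron.d/job","user.name":"root"}}
{"output":"10:15:03.000000000: Notice A shell was spawned in a container (user=root command=bash)","priority":"Notice","rule":"Terminal shell in container","tags":["container","shell"],"time":"2021-06-01T10:15:03.000000000Z","output_fields":{"proc.cmdline":"bash","user.name":"root"}}
"""

if __name__ == "__main__":
    # Read piped input (e.g. from kubectl logs or as a programOutput target), else the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for hit in triage(source, threshold="Notice"):
        print(hit)
```

Pipe the kubectl output into it, or point programOutput at it, to get the same filtering in both cases.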