# Install Falco with a cluster management project

> Introduced in GitLab 14.0.

GitLab Container Host Security Monitoring uses Falco as a runtime security tool that listens to the Linux kernel using eBPF. Falco parses system calls and asserts the stream against a configurable rules engine in real time. For more information, see Falco's documentation.
Assuming you already have a cluster management project created from a
management project template, to install Falco you should
uncomment this line from your `helmfile.yaml`:

```yaml
  - path: applications/falco/helmfile.yaml
```
You can customize Falco's Helm variables by defining the
`applications/falco/values.yaml` file in your cluster
management project. Refer to the Falco chart for the available configuration options.
WARNING:
By default eBPF support is enabled and Falco uses an eBPF probe
to pass system calls to user space. If your cluster doesn't support this, you can
configure it to use the Falco kernel module instead by adding the following to
`applications/falco/values.yaml`:

```yaml
ebpf:
  enabled: false
```
In rare cases where probe installation on your cluster isn't possible and the kernel module or probe
isn't pre-compiled, you may need to manually prepare the kernel module or eBPF probe with
driverkit and install it on each cluster node.
By default, Falco is deployed with a limited set of rules. To add more rules, add
the following to `applications/falco/values.yaml`
(you can get examples from Cloud Native Security Hub):

```yaml
customRules:
  # Each key becomes a rules file mounted into the Falco pod.
  file-integrity.yaml: |-
    - rule: Detect New File
      desc: detect new file created
      # A condition is a Falco filter expression over event fields.
      condition: >
        evt.type = chmod or evt.type = fchmod
      output: >
        File below a known directory opened for writing (user=%user.name
        command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2])
      priority: ERROR
      tags: [filesystem]
    - rule: Detect New Directory
      desc: detect new directory created
      # A bare syscall name is not a valid condition; match on the event type instead.
      condition: >
        evt.type = mkdir or evt.type = mkdirat
      output: >
        File below a known directory opened for writing (user=%user.name
        command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2])
      priority: ERROR
      tags: [filesystem]
```
By default, Falco only outputs security events to logs as JSON objects. To set it to output to an
external API or application,
add the following to `applications/falco/values.yaml`:

```yaml
falco:
  programOutput:
    enabled: true
    keepAlive: false
    program: mail -s "Falco Notification" someone@example.com
  httpOutput:
    enabled: true
    url: http://some.url
```
You can check these logs with the following command:

```shell
kubectl -n gitlab-managed-apps logs -l app=falco
```
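Because Falco writes one JSON object per event to its logs, the output of that command can be triaged with a few lines of Python. The following is an added example, not code from the GitLab documentation or the Falco project: it parses the JSON event lines, skips Falco's plain-text startup messages, filters by priority and counts events per rule and per user. The `SAMPLE_LOG` lines are constructed, not captured from a real cluster.

```python
import json
from collections import Counter

# Falco priority levels, most severe first.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]

# Constructed sample of what `kubectl -n gitlab-managed-apps logs -l app=falco`
# returns with JSON output enabled. The third line imitates a non-JSON startup message.
SAMPLE_LOG = """\
{"output":"11:10:01.000000000: Error File below a known directory opened for writing (user=root command=chmod 600 /etc/shadow file=/etc/shadow parent=bash pcmdline=bash gparent=runc)","priority":"Error","rule":"Detect New File","time":"2021-06-01T11:10:01.000000000Z","output_fields":{"fd.name":"/etc/shadow","proc.cmdline":"chmod 600 /etc/shadow","proc.pname":"bash","user.name":"root"}}
{"output":"11:10:02.000000000: Notice A shell was spawned in a container with an attached terminal (user=root container_id=abc123)","priority":"Notice","rule":"Terminal shell in container","time":"2021-06-01T11:10:02.000000000Z","output_fields":{"container.id":"abc123","user.name":"root"}}
Tue Jun  1 11:10:03 2021: Falco initialized with configuration file /etc/falco/falco.yaml
{"output":"11:10:04.000000000: Error File below a known directory opened for writing (user=app command=chmod 777 /tmp/x file=/tmp/x parent=sh pcmdline=sh gparent=runc)","priority":"Error","rule":"Detect New File","time":"2021-06-01T11:10:04.000000000Z","output_fields":{"fd.name":"/tmp/x","proc.cmdline":"chmod 777 /tmp/x","proc.pname":"sh","user.name":"app"}}
"""


def parse_events(text):
    """Return the Falco event dicts in a log dump, skipping non-JSON lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # startup banners and other plain-text log lines
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or interleaved line; ignore rather than crash
        if "rule" in event and "priority" in event:
            events.append(event)
    return events


def severity_rank(priority):
    """Lower rank means more severe; unknown priorities sort after Debug."""
    return PRIORITIES.index(priority) if priority in PRIORITIES else len(PRIORITIES)


def at_least(events, min_priority):
    """Keep events at min_priority or more severe (e.g. 'Error' drops Notice)."""
    cutoff = severity_rank(min_priority)
    return [e for e in events if severity_rank(e["priority"]) <= cutoff]


def summarize(events):
    """Count events per rule and per triggering user to spot noisy rules before tuning."""
    users = (e.get("output_fields", {}).get("user.name", "<unknown>") for e in events)
    return {"by_rule": Counter(e["rule"] for e in events), "by_user": Counter(users)}
```

Pipe the real `kubectl logs` output into `parse_events` (for example via `sys.stdin.read()`) to apply the same filtering to a live cluster.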