This repository provides a minimal example of using Falco for detection and analysis. If you follow the instructions below, you will have Falco running, a web UI to consume the Falco alerts, and the Falco event generator producing alerts to look at.

Requirements:

- Ubuntu/Debian based OS
- Docker installed (with docker tools for building images)

This is for learning and not production use. Encryption/authentication is not enabled.
Install Falco:

```bash
curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add -
echo "deb https://download.falco.org/packages/deb stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list
apt-get update -y
apt-get -y install linux-headers-$(uname -r)
apt-get install -y falco
```
Open `/etc/falco/falco.yaml` and find the section that starts with `program_output`. Edit it to look like the block below, which pipes each alert through `jq` (wrapping it as `{"event": ...}`) and POSTs it to the web UI. Be sure to replace `your-ip` in the curl command with your own (private) IP address:

```yaml
program_output:
  enabled: true
  keep_alive: false
  program: "jq '{event: .}' | curl --header 'Content-Type: application/json' -d @- -X POST http://your-ip:5000/events"
```
Start Falco:

```bash
falco -pc
```
Run the web UI with Docker:

```bash
git clone https://github.com/bmarsh9/rc-falco.git
cd rc-falco   # the build context is the repository root
docker build -t rc-falco .
docker run -p 5000:5000 rc-falco
```
Alternatively, run the web UI directly on the host:

```bash
git clone https://github.com/bmarsh9/rc-falco.git
cd rc-falco   # requirements.txt and app.py live in the repository root
pip3 install -r requirements.txt
python3 app.py
```
Now browse to `http://your-ip:5000` and you should see the UI.
Generate some sample events with the Falco event generator:

```bash
docker pull falcosecurity/event-generator:latest
docker run falcosecurity/event-generator run
```
Back in the UI you should see the events populated.
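The `program_output` setting above means the receiver gets each Falco alert wrapped in an `event` envelope by `jq`. The following is an added illustration of that receiving side, not the repository's own `app.py`: it unwraps the envelope, checks the fields a UI would rely on, and filters by Falco priority. The sample alert body is constructed for the example.

```python
"""Minimal stand-in receiver for Falco program_output alerts (added example, not rc-falco's app.py)."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample: a Falco JSON alert after passing through `jq '{event: .}'`
SAMPLE_BODY = json.dumps({"event": {
    "output": "12:00:00.000000000: Warning Shell spawned in a container (user=root container=abcd1234 shell=bash)",
    "priority": "Warning",
    "rule": "Terminal shell in container",
    "time": "2023-01-01T12:00:00.000000000Z",
    "output_fields": {"container.id": "abcd1234", "proc.name": "bash"},
}}).encode()

REQUIRED = ("rule", "priority", "output", "time")
# Falco priorities, most severe first
SEVERITY = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Informational", "Debug"]


def parse_falco_event(body: bytes) -> dict:
    """Unwrap the `event` envelope added by jq and validate the fields the UI needs."""
    envelope = json.loads(body)
    event = envelope.get("event", envelope)  # tolerate a bare Falco alert too
    missing = [k for k in REQUIRED if k not in event]
    if missing:
        raise ValueError(f"alert missing fields: {missing}")
    if event["priority"] not in SEVERITY:
        raise ValueError(f"unknown priority: {event['priority']}")
    return event


def at_least(event: dict, level: str) -> bool:
    """True if the alert is at least as severe as `level` (lower index = more severe)."""
    return SEVERITY.index(event["priority"]) <= SEVERITY.index(level)


EVENTS = []  # in-memory store, as a demo UI would keep


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        if self.path != "/events":
            self.send_response(404); self.end_headers(); return
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            EVENTS.append(parse_falco_event(body))
            self.send_response(204)
        except (ValueError, json.JSONDecodeError):
            self.send_response(400)  # reject malformed or non-Falco bodies
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 5000), Handler).serve_forever()
```

Run it in place of `app.py` and Falco's curl calls land in `EVENTS`; a body without the required fields gets a 400 instead of being stored.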