testing falco

Author: jegathintelops

.github/workflows/scsctl_test.yml

@@ -34,7 +34,16 @@ jobs:
         kubectl get pods --all-namespaces
 
         helm version
-        helm list
+
+        helm repo add pyroscope-io https://pyroscope-io.github.io/helm-chart
+        helm install pyroscope pyroscope-io/pyroscope
+        kubectl get pods
+
+        sleep 10
+
+        curl http://localhost:4040
+
+        # helm install falco -f custom-rules.yaml --set "falco.rules_file={/etc/falco/falco_rules.local.yaml,/etc/falco/rules.d}" --set falcoctl.artifact.install.enabled=false --set falcoctl.artifact.follow.enabled=false --set falco.json_output=true --set falco.file_output.enabled=true falcosecurity/falco
 
 
     # - name: Install a python cli tool from test pypi  and run it

custom-rules.yaml

@@ -0,0 +1,14 @@
+customRules:
+  falco_rules.yaml: |-
+    - rule: File Opened in Container
+      desc: Detect any file opened in container
+      condition: open_file_in_container
+      output: file - %fd.name type - %evt.type Deplyment name - %k8s.deployment.name time - %evt.time.iso8601
+      priority: INFO
+      tags:
+        - scsctl
+    - macro: open_file_in_container
+      condition: >
+        fd.name endswith ".py" and
+        k8s.deployment.name startswith "app" and
+        evt.type = "openat"