
Documenting all system dependencies (capabilities, mounts, etc.)

Open danmx opened this issue 6 years ago • 29 comments

What to document

Falco is touching critical parts of the operating system. It would be extremely useful to have a list of system dependencies like:

  • mandatory host mounts
  • required Linux capabilities
  • seccomp filter
  • SELinux/Apparmor profiles

for:

  • stand alone Falco deployment without probes
  • Falco using eBPF probe
  • Falco using kernel module
  • probe-loader for kernel module
  • probe-loader for eBPF

So we could create least privileged Falco deployments.

danmx avatar Mar 25 '20 12:03 danmx

/kind documentation

danmx avatar Mar 25 '20 12:03 danmx

What I got so far is:

  • for falco w/ eBPF to start it'll require:
    • CAP_SYS_RESOURCE
    • CAP_SYS_ADMIN
    • mounting debugfs in the host: mount -t debugfs nodev /sys/kernel/debug (https://github.com/falcosecurity/falco/issues/1071#issuecomment-599412372)
    • mounting /sys/kernel/debug as read-only in the container

danmx avatar Mar 25 '20 13:03 danmx
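The comment above is the kind of dependency list the issue asks for, but it is only useful if a deployment can be checked against it. As an added example (not code from this thread or from the Falco project), the following POSIX shell script turns those findings into a check: it decodes the CapEff mask from /proc/<pid>/status and reports anything beyond CAP_SYS_ADMIN and CAP_SYS_RESOURCE, and it confirms that debugfs is visible at /sys/kernel/debug as a read-only mount in the process's own mount namespace. Capability bit numbers are taken from <linux/capability.h>; the function names, the script name and the sample /proc/mounts lines are this example's own constructions, and the two-capability allowlist is taken as given from the comment, not independently verified against any Falco version.

```shell
#!/bin/sh
# check_falco_privs.sh (added example, not Falco project code): verify that
# a running Falco container stays within the eBPF-driver dependencies listed
# above: effective capabilities limited to CAP_SYS_ADMIN + CAP_SYS_RESOURCE,
# and debugfs mounted read-only at /sys/kernel/debug as seen by the process.

# Map a capability bit number (from <linux/capability.h>) to its name.
# Bits this table does not know are printed as CAP_<n>.
cap_name() {
    case "$1" in
        0)  echo CAP_CHOWN ;;            1)  echo CAP_DAC_OVERRIDE ;;
        2)  echo CAP_DAC_READ_SEARCH ;;  3)  echo CAP_FOWNER ;;
        4)  echo CAP_FSETID ;;           5)  echo CAP_KILL ;;
        6)  echo CAP_SETGID ;;           7)  echo CAP_SETUID ;;
        8)  echo CAP_SETPCAP ;;          9)  echo CAP_LINUX_IMMUTABLE ;;
        10) echo CAP_NET_BIND_SERVICE ;; 11) echo CAP_NET_BROADCAST ;;
        12) echo CAP_NET_ADMIN ;;        13) echo CAP_NET_RAW ;;
        14) echo CAP_IPC_LOCK ;;         15) echo CAP_IPC_OWNER ;;
        16) echo CAP_SYS_MODULE ;;       17) echo CAP_SYS_RAWIO ;;
        18) echo CAP_SYS_CHROOT ;;       19) echo CAP_SYS_PTRACE ;;
        20) echo CAP_SYS_PACCT ;;        21) echo CAP_SYS_ADMIN ;;
        22) echo CAP_SYS_BOOT ;;         23) echo CAP_SYS_NICE ;;
        24) echo CAP_SYS_RESOURCE ;;     25) echo CAP_SYS_TIME ;;
        26) echo CAP_SYS_TTY_CONFIG ;;   27) echo CAP_MKNOD ;;
        28) echo CAP_LEASE ;;            29) echo CAP_AUDIT_WRITE ;;
        30) echo CAP_AUDIT_CONTROL ;;    31) echo CAP_SETFCAP ;;
        32) echo CAP_MAC_OVERRIDE ;;     33) echo CAP_MAC_ADMIN ;;
        34) echo CAP_SYSLOG ;;           35) echo CAP_WAKE_ALARM ;;
        36) echo CAP_BLOCK_SUSPEND ;;    37) echo CAP_AUDIT_READ ;;
        38) echo CAP_PERFMON ;;          39) echo CAP_BPF ;;
        40) echo CAP_CHECKPOINT_RESTORE ;;
        *)  echo "CAP_$1" ;;
    esac
}

# Print the name of every capability set in a hex mask (the "CapEff:" value
# from /proc/<pid>/status), lowest bit first, one per line.
decode_caps() {
    _mask=$(( 0x$1 ))
    _bit=0
    while [ "$_bit" -le 40 ]; do
        [ $(( (_mask >> _bit) & 1 )) -eq 1 ] && cap_name "$_bit"
        _bit=$(( _bit + 1 ))
    done
}

# Return 0 if the mask holds nothing beyond CAP_SYS_ADMIN (bit 21) and
# CAP_SYS_RESOURCE (bit 24); otherwise list the surplus and return 1.
# A --privileged container shows up here with dozens of surplus names.
check_falco_ebpf_caps() {
    _allowed=$(( (1 << 21) | (1 << 24) ))
    _extra=$(( 0x$1 & ~_allowed ))
    [ "$_extra" -eq 0 ] && return 0
    echo "extra capabilities beyond CAP_SYS_ADMIN and CAP_SYS_RESOURCE:"
    decode_caps "$(printf '%x' "$_extra")"
    return 1
}

# Read /proc/mounts-format lines from stdin and print "<fstype>:<options>"
# for the entry mounted at $1 (field 2 = mountpoint, 3 = type, 4 = options).
mount_opts_at() {
    awk -v mp="$1" '$2 == mp { print $3 ":" $4 }'
}

# Return 0 when debugfs is mounted read-only at /sys/kernel/debug in the
# mount table read from stdin (the container-side requirement); 1 otherwise.
check_debugfs_ro() {
    _entry=$(mount_opts_at /sys/kernel/debug)
    [ -n "$_entry" ] || _entry="(not mounted)"
    case "$_entry" in
        debugfs:ro|debugfs:ro,*) return 0 ;;
        *) echo "expected read-only debugfs at /sys/kernel/debug, got: $_entry"
           return 1 ;;
    esac
}

# Live check against a running falco: /proc/<pid>/mounts is the mount table
# of that process's own mount namespace, i.e. what the container sees.
check_falco_process() {
    check_falco_ebpf_caps "$(awk '/^CapEff:/ { print $2 }' "/proc/$1/status")" &&
    check_debugfs_ro < "/proc/$1/mounts"
}

# Constructed /proc/mounts excerpt (not captured from a real host) standing
# in for a container that mounted the host's debugfs read-only.
SAMPLE_MOUNTS='overlay / overlay rw,relatime,lowerdir=/x,upperdir=/y 0 0
debugfs /sys/kernel/debug debugfs ro,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# Usage: sh check_falco_privs.sh "$(pidof falco)"
if [ -n "${1:-}" ]; then
    check_falco_process "$1"
fi
```

To exercise it, start Falco with capabilities narrowed rather than with --privileged, for example `docker run --cap-drop ALL --cap-add SYS_ADMIN --cap-add SYS_RESOURCE -v /sys/kernel/debug:/sys/kernel/debug:ro ...` (standard Docker flags; whether Falco and its driver start cleanly under them on a given kernel is exactly what this issue asks to have documented), then run `sh check_falco_privs.sh "$(pidof falco)"` on the host. The mount check deliberately reads /proc/<pid>/mounts instead of the host's /proc/mounts, because the read-only requirement applies to the container's mount namespace, and the host may have debugfs mounted read-write (as the `mount -t debugfs nodev /sys/kernel/debug` step above does).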

I agree that this will be a very important piece of our documentation once it’s done.

Moreover, I think we can be even more granular than the single capabilities by listing the specific privileged syscalls that falco needs to make, like the bpf syscall.

Good idea @danmx - this can help a lot and can open a lot of opportunities to help harden falco and its deployments

fntlnz avatar Mar 26 '20 21:03 fntlnz

Hey @danmx I strongly approve this idea! Would be raaad

Anyways, in issue #628 you could find some insights :)

leodido avatar May 09 '20 20:05 leodido

Also, I think this is a high priority task because it could clarify a lot of concerns about the security of a security tool :)

/priority high

leodido avatar May 09 '20 20:05 leodido

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. Issues labeled "cncf", "roadmap" and "help wanted" will not be automatically closed. Please refer to a maintainer to get such label added if you think this should be kept open.

stale[bot] avatar Jul 10 '20 00:07 stale[bot]

Recently, we updated the docs about this matter.

See https://falco.org/docs/running

leodido avatar Jul 10 '20 07:07 leodido

Should we close?

fntlnz avatar Jul 10 '20 08:07 fntlnz

It would be great if you could narrow the capabilities instead of going for --privileged. Not many people will use kernels >= 5.8 any time soon.

danmx avatar Jul 12 '20 10:07 danmx

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. Issues labeled "cncf", "roadmap" and "help wanted" will not be automatically closed. Please refer to a maintainer to get such label added if you think this should be kept open.

stale[bot] avatar Sep 11 '20 02:09 stale[bot]

/help

leogr avatar Sep 11 '20 09:09 leogr

@leogr: This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.

In response to this:

/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

poiana avatar Sep 11 '20 09:09 poiana

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Dec 10 '20 09:12 poiana

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana avatar Jan 09 '21 15:01 poiana

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.

/close

poiana avatar Feb 08 '21 20:02 poiana

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

poiana avatar Feb 08 '21 20:02 poiana

It would be great if you could narrow the capabilities instead of going for --privileged. Not many people will use kernels >= 5.8 any time soon.

Is there any progress on that? We would need that as well, and we don't want to use --privileged if there are alternatives to narrow down the capabilities.

ylmig avatar Jan 21 '22 14:01 ylmig

/reopen

leogr avatar Jan 21 '22 16:01 leogr

@leogr: Reopened this issue.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

poiana avatar Jan 21 '22 16:01 poiana

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.

/close

poiana avatar Feb 20 '22 22:02 poiana

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

poiana avatar Feb 20 '22 22:02 poiana

/remove-lifecycle rotten

/reopen

jasondellaluce avatar Feb 21 '22 13:02 jasondellaluce

@jasondellaluce: Reopened this issue.

In response to this:

/remove-lifecycle rotten

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

poiana avatar Feb 21 '22 13:02 poiana

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar May 22 '22 18:05 poiana

/remove-lifecycle stale

leogr avatar May 23 '22 07:05 leogr

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Aug 21 '22 09:08 poiana

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana avatar Sep 20 '22 09:09 poiana

/remove-lifecycle rotten

leogr avatar Sep 21 '22 12:09 leogr

/milestone 1.0.0

leogr avatar Sep 21 '22 12:09 leogr