Guidance on using Falco in AWS ECS Fargate

Open vennemp opened this issue 4 years ago • 2 comments

I am looking into running Falco on AWS Fargate. Is the only way to bake falco into the actual application container? Wouldn't the falco logs co-mingle with the application logs then?

Are there any examples of running Falco as a sidecar in Fargate? I am attempting that now but am getting this - using image falcosecurity/falco:master - yes I added the LinuxCapability SYS_PTRACE

That is running into an issue...

  • Setting up /usr/src links from host
  • Running falco-driver-loader for: falco version=0.31.1-62+65435d4, driver version=caa0e4d0044fdaaebab086592a97f0c7f32aeaa9
  • Running falco-driver-loader with: driver=module, compile=yes, download=yes
  • Unloading falco module, if present
  • Looking for a falco module locally (kernel 4.14.268-205.500.amzn2.x86_64)
  • Detected an unsupported target system, please get in touch with the Falco community
  • 2022-04-13T23:39:33+0000: Falco version 0.31.1-62+65435d4 (driver version caa0e4d0044fdaaebab086592a97f0c7f32aeaa9)
  • 2022-04-13T23:39:33+0000: Falco initialized with configuration file /etc/falco/falco.yaml
  • 2022-04-13T23:39:33+0000: Loading rules from file /etc/falco/falco_rules.yaml:
  • 2022-04-13T23:39:34+0000: Loading rules from file /etc/falco/falco_rules.local.yaml:
  • 2022-04-13T23:39:35+0000: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
  • 2022-04-13T23:39:36+0000: Unable to load the driver.
  • 2022-04-13T23:39:36+0000: Runtime error: error opening device /host/dev/falco0. Make sure you have root credentials and that the falco module is loaded.. Exiting.

vennemp, Apr 14 '22 00:04

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana, Jul 13 '22 03:07

also interested

/remove-lifecycle stale

denis-yuen, Jul 13 '22 14:07

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana, Oct 11 '22 15:10

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana, Nov 10 '22 21:11

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.

/close

poiana, Dec 10 '22 21:12

@poiana: Closing this issue.


poiana, Dec 10 '22 21:12