{"id":21392212,"url":"https://github.com/sysdiglabs/falco-workshop","last_synced_at":"2026-03-13T04:34:20.504Z","repository":{"id":49721418,"uuid":"315916877","full_name":"sysdiglabs/falco-workshop","owner":"sysdiglabs","description":null,"archived":false,"fork":false,"pushed_at":"2021-10-21T12:59:23.000Z","size":84,"stargazers_count":8,"open_issues_count":0,"forks_count":3,"subscribers_count":11,"default_branch":"master","last_synced_at":"2023-03-02T17:22:39.954Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sysdiglabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-11-25T11:21:45.000Z","updated_at":"2023-02-16T15:23:30.000Z","dependencies_parsed_at":"2022-09-12T07:20:37.283Z","dependency_job_id":null,"html_url":"https://github.com/sysdiglabs/falco-workshop","commit_stats":null,"previous_names":[],"tags_count":null,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Ffalco-workshop","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Ffalco-workshop/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Ffalco-workshop/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Ffalco-workshop/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sysdiglabs","download_url":"https://codeload.github.com/sysdiglabs/falco-workshop/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_
count":225908373,"owners_count":17543475,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-22T13:39:36.821Z","updated_at":"2026-03-13T04:34:15.466Z","avatar_url":"https://github.com/sysdiglabs.png","language":"Shell","readme":"# Falco Workshop help files\n\n## Introduction\n\n**Falco** is a runtime security tool that monitors kernel system calls and Kubernetes audit log events to detect risky and malicious behaviour. It ships with a large set of detection rules, created and curated by Falco's developers, that cover many cases and help you strengthen your infrastructure security posture.\n\nThis repository contains Vagrant boxes for testing a Falco installation, as well as boxes with Falco preinstalled so you can jump straight into writing new rules.\n\nYou can find more information about all things Falco at the [website](https://falco.org/) and the [GitHub repo](https://github.com/falcosecurity/falco), and follow [@falco_org](https://twitter.com/falco_org) on Twitter.\n\n## Software you need\n\n* Any operating system: Linux, Windows, macOS\n* [VirtualBox](https://www.virtualbox.org) (required by Vagrant)\n* [Vagrant](https://www.vagrantup.com/)\n* Any code editor\n\n### Using a Vagrant box\n\nFalco runs only on a Linux kernel, so everyone uses a Vagrant virtual machine: this gives a standard way to follow the workshop with the same set of instructions.\n\n
To use one of the boxes (virtual machines), use:\n\n```bash\n# go to the folder of the box\ncd box1\n# start virtual machine\nvagrant up\n# log into virtual machine\nvagrant ssh\n# to run a command with sudo, the password for the user 'vagrant' is 'vagrant'\n\n# to use 'su', set a password for root (not set by default)\nsudo passwd root\n\n# or use it with sudo\nsudo su\n\n# exit Vagrant box\nexit\n\n# Halt Vagrant box\nvagrant halt\n\n# Completely destroy Vagrant box content\nvagrant destroy -f\n```\n\n### Shared directories in the Vagrant boxes\n\nFrom box2 onwards, each box syncs the main folder where you cloned the repo with `/workshop` in the virtual machine using NFS. This may require administrative privileges on your computer, so it will prompt for your password. Remember that it is not asking for the Vagrant password, but for the password of your current user on your machine, in order to start the sync process.\n\n### Connect Visual Studio Code to the Vagrant box\n\nIf you want to connect your Visual Studio Code to the Vagrant box, follow these instructions:\nhttps://medium.com/@lopezgand/connect-visual-studio-code-with-vagrant-in-your-local-machine-24903fb4a9de\n\n### Boxes\n\n**box1**: A clean Debian 10 installation\n\n**box2**:\n* Debian 10\n* NFS shared folder /workshop\n* Falco installed\n\n**box3**:\n* Debian 10\n* NFS shared folder /workshop\n* Docker\n* Script to install Falco using Docker at: /workshop/box3/install_falco_using_docker.sh\n\n**box4**:\n* 8 GB memory for VM\n* Debian 10\n* NFS shared folder /workshop\n* Docker\n* Kubectl\n* Helm\n* Minikube\n* Minikube cluster started using native host\n\n**box5**:\n* 8 GB memory for VM\n* Debian 10\n* NFS shared folder /workshop\n* Docker\n* Kubectl\n* Helm\n* Minikube\n* Minikube cluster started using native host\n* Falco kernel module loaded in the VM host using Docker\n* Script to install Falco in Minikube with Kubernetes audit log enabled at: /workshop/box4/install_helm_falco.sh\n\n
## Install Falco\n\n```bash\nsudo apt-get update\nsudo apt-get -y install gpg curl\ncurl -o install-falco.sh -s \\\n  https://s3.amazonaws.com/download.draios.com/stable/install-falco\n\nsudo bash install-falco.sh\n```\n\n## Test Falco is working\n\nEdit the `falco.yaml` configuration file:\n\n```bash\nsudo nano /etc/falco/falco.yaml\n```\n\nChange:\n\n```yaml\nfile_output:\n  enabled: false\n  keep_alive: false\n  filename: ./events.txt\n```\n\nTo:\n\n```yaml\nfile_output:\n  enabled: true\n  keep_alive: false\n  filename: /var/log/falco.log\n```\n\nRestart Falco to pick up the new configuration:\n\n```bash\nsudo /etc/init.d/falco restart\n```\n\nWrite a test file to the `/etc` folder so that it triggers a security event:\n\n```bash\nsudo touch /etc/test\n```\n\nRead the Falco log to see all security events:\n\n```bash\ncat /var/log/falco.log\n```\n\n## History\n\n* Virtual session for HackMadrid on July 4th 2020 by [Vicente Herrera](https://twitter.com/vicen_herrera).\n  * Watch it at [HackMadrid's YouTube channel (in Spanish)](https://www.youtube.com/channel/UCSfK57ch6tQHzUuc1_-YbcA).\n  * [Slides (in English)](https://bit.ly/falcoworkshop), with a lot of information about Falco.\n* Falco course for the Quantika14 security course videos (Spanish), launched November 25th 2020, by [Vicente Herrera](https://twitter.com/vicen_herrera).\n* Demo for the \"OnTheNubs\" Twitch channel (Spanish), [@onthenubs](https://twitter.com/OnTheNubs).\n
* Talk for Kubernetes Community Days Spain: [Detecting cryptomining with Falco](https://community.cncf.io/events/details/cncf-kcd-spain-presents-kubernetes-community-days-spain/)\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsysdiglabs%2Ffalco-workshop","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsysdiglabs%2Ffalco-workshop","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsysdiglabs%2Ffalco-workshop/lists"}