Enabling debugging logs

Falco

By default, the debug log level is used.

Falcosidekick

By default, the debug logging for Falcosidekick is disabled.

To enable debug logging, set the spec.settings.debugLogging parameter to true:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: runtime-audit-engine
spec:
  version: 1
  enabled: true
  settings:
    debugLogging: true

Viewing metrics

You can use the PromQL query falcosecurity_falcosidekick_falco_events_total{} to get metrics:

d8 k -n d8-monitoring exec -it prometheus-main-0 prometheus -- \
  curl -s "http://127.0.0.1:9090/api/v1/query?query=falcosecurity_falcosidekick_falco_events_total" | jq

A Grafana dashboard for viewing these metrics will be added in the future.

Emulating a Falco event

You can use the event-generator CLI utility to generate Falco events.

event-generator can generate a variety of suspicious actions (syscalls, Kubernetes audit events, and so on).

Use the following command to run a testing set of events in the Kubernetes cluster:

d8 k run falco-event-generator --image=falcosecurity/event-generator run

The event-generator image is included with the platform.
To determine its path, run the following command:

kubectl -n d8-system exec svc/deckhouse-leader -- bash -c "echo \$(deckhouse-controller module values runtime-audit-engine | yq '.registry.base')/runtime-audit-engine@\$(cat /deckhouse/downloaded/modules/900-runtime-audit-engine/images_digests.json | jq -r '.eventGenerator')"

For security reasons, this image is built without additional dependencies: it is intended only for extracting the binary, which you then run on the host. To extract the binary, run the following commands:

kubectl run falco-event-generator --image=$(kubectl -n d8-system exec svc/deckhouse-leader -- bash -c "echo \$(deckhouse-controller module values runtime-audit-engine | yq '.registry.base')/runtime-audit-engine@\$(cat /deckhouse/downloaded/modules/900-runtime-audit-engine/images_digests.json | jq -r '.eventGenerator')") --command -- /event-generator run
kubectl wait --for=jsonpath='{.status.phase}'=Running pod/falco-event-generator
kubectl cp falco-event-generator:event-generator ./event-generator
kubectl delete pod falco-event-generator

To correctly run all types of event tests, the following packages or their equivalents, appropriate for the specific operating system, must be installed on the host:

policykit-1 libcap-dev e2fsprogs openssh-client openssh-server nmap netcat-openbsd wget

If you need to implement an action, use this guide.

Emulating a Falcosidekick event

You can use the Falcosidekick /test HTTP endpoint to send a test event.

  • Create a debug event from the node by running curl inside the network namespace of the falcosidekick process (the -n flag of nsenter), so that the request reaches localhost:2801 of that process:

    nsenter -n -t $(pidof falcosidekick) curl -X POST -H "Content-Type: application/json" -H "Accept: application/json" http://localhost:2801/test
    
  • Check a debug event metric:

    d8 k -n d8-monitoring exec -it prometheus-main-0 prometheus -- \
      curl -s "http://127.0.0.1:9090/api/v1/query?query=falcosecurity_falcosidekick_falco_events_total" \
      | jq '.data.result[] | select(.metric.priority_raw == "debug")'
    
  • Example of the output part:

    {
      "metric": {
        "__name__": "falcosecurity_falcosidekick_falco_events_total",
        "container": "kube-rbac-proxy",
        "hostname": "falcosidekick",
        "instance": "192.168.208.7:4212",
        "job": "runtime-audit-engine",
        "node": "dev-master-0",
        "priority": "1",
        "priority_raw": "debug",
        "rule": "Test rule",
        "source": "internal",
        "tier": "cluster"
      },
      "value": [
        1744234729.799,
        "1"
      ]
    }