Skip to content

LivingInSyn/falco-cserver

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
.github/workflows
.github/workflows
 
 
.vscode
.vscode
 
 
rules
rules
 
 
test
test
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
auth.go
auth.go
 
 
auth_test.go
auth_test.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 
rules.go
rules.go
 
 
rules_test.go
rules_test.go
 
 

Repository files navigation

security-falco-cserver

This project serves up falco rule sets over an HTTP(S) web service. It currently has 3 endpoints:

  • /
  • /ruleset
  • /sum

This service concatenates rule sets based on the ones requested.

Authentication

User config is defined in a file named: /secrets/auth.yml or as yaml passed via the FCS_AUTH environmental variable. If using a file it should be mounted by GCP secrets, a docker volume, or similar method. A sample user config file is in test/auth.yml. It is a yaml file that has a map of token->username

Requests should be authenticated by putting the user token in an X-Auth-Token header on the request.

Requests may also use basic authentication.

The health check (/) is always allowed without authentication.

Endpoints

/

This endpoint returns a 200 and is a basic health check

/ruleset

This API accepts GET requests in the form:

curl -H "X-Auth-Token: some_token_1" localhost:8080/ruleset?rulesets=test,other_test

rulesets is a comma separated list of rule sets that will be concatenated with the default rule set (_default.yml) and be returned to the user in the order requested. In this example the following rule sets will be concatenated: _default.yml+test.yml+other_test.yml.

note: in the request, do NOT include the yml or yaml extension. In the above sample we use test for test.yml in the rules directory.

/sum

This API accepts GET requests in the form:

curl -H "X-Auth-Token: some_token_1" localhost:8080/sum?ruletsets=sample

It returns the sha256 hash of the file generated by the equivilent /ruleset call.

Note: this API also supports basic auth as outlined in the Authentication section of this README

Docker

You can browse the published docker images here:

https://github.com/livinginsyn/falco-cserver/pkgs/container/falco-cserver

Or you can pull latest:

docker pull ghcr.io/livinginsyn/falco-cserver:latest

CI

The github action defined in .github\workflows\check-falco.yml will check all permutations of the rules files defined in the rules directory and ensure that they parse correctly by using the following command on each permutation:

docker run -v <some path>:/etc/falco/falco_rules.yaml -e SKIP_DRIVER_LOADER=1 falcosecurity/falco /usr/bin/falco -V /etc/falco/falco_rules.yaml

About

a simple falco rules server

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

3 watching

Forks

0 forks
Report repository

Releases 2

v1.1.0 Latest
Jan 4, 2023
+ 1 release

Packages 1

 

Languages