❯ go run .
Falco Talon is a Response Engine for managing threats in Kubernetes.
It enhances the solutions proposed by the Falco community with a dedicated,
no-code solution. With easy rules, you can perform actions over compromised pods.

Usage:
  falco-talon [command]

Available Commands:
  actionners  Manage the actionners
  completion  Generate the autocompletion script for the specified shell
  help        Help about any command
  notifiers   Manage the Notifiers
  outputs     Manage the Outputs
  rules       Manage Falco Talon rules
  server      Start Falco Talon server
  version     Print version of Falco Talon.

Flags:
  -c, --config string        Falco Talon Config File (default "/etc/falco-talon/config.yaml")
  -h, --help                 help for falco-talon
  -r, --rules stringArray    Falco Talon Rules File (default [/etc/falco-talon/rules.yaml])

Use "falco-talon [command] --help" for more information about a command.
❯ go run . actionners list
--- kubernetes:terminate ---
name: terminate
category: kubernetes
description: Terminate a pod
source: syscalls
continue: false
use_context: false
allow_output: false
require_output: false
required_output_fields:
  - k8s.ns.name
  - k8s.pod.name
parameters:
  grace_period_seconds: 0
  ignore_daemonsets: false
  ignore_statefulsets: false
  min_healthy_replicas: ""
permissions: |
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: falco-talon
  rules:
    - apiGroups:
        - ""
      resources:
        - pods
      verbs:
        - get
        - delete
        - list
    - apiGroups:
        - apps
      resources:
        - replicasets
      verbs:
        - get
example: |
  - action: Terminate the pod
    actionner: kubernetes:terminate
    parameters:
      grace_period_seconds: 5
      ignore_daemonsets: true
      ignore_statefulsets: true
      min_healthy_replicas: 33%
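The three guard-rail parameters of kubernetes:terminate (ignore_daemonsets, ignore_statefulsets, min_healthy_replicas) decide whether a delete is safe before it happens. The following Go program is an added example written for this page, not Falco Talon's own implementation: it shows one way the check can be expressed, with min_healthy_replicas accepted either as an absolute count ("2") or a percentage of the owning ReplicaSet's desired replicas ("33%"). The PodOwner struct and the assumption that the pod being deleted is currently one of the ready replicas are constructed for the example; in a cluster, the owner kind comes from the pod's ownerReferences and the replica counts from the ReplicaSet status, which is why the ClusterRole above needs get on apps/replicasets.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// TerminateParams mirrors the kubernetes:terminate parameters listed above.
type TerminateParams struct {
	GracePeriodSeconds int64
	IgnoreDaemonsets   bool
	IgnoreStatefulsets bool
	MinHealthyReplicas string // "" (disabled), "2" (absolute) or "33%" (percentage)
}

// PodOwner is the subset of owner state the guard needs (constructed for the
// example): the controller kind from ownerReferences and, for a ReplicaSet,
// its spec.replicas and status.readyReplicas.
type PodOwner struct {
	Kind            string // "ReplicaSet", "DaemonSet", "StatefulSet" or "" for a bare pod
	DesiredReplicas int32
	ReadyReplicas   int32
}

// ErrSkipped is returned (wrapped with the reason) when a guard rail blocks the delete.
var ErrSkipped = errors.New("termination skipped")

// parseMinHealthy turns the min_healthy_replicas string into the number of
// replicas that must still be ready after this pod is gone.
func parseMinHealthy(v string, desired int32) (int32, error) {
	v = strings.TrimSpace(v)
	if v == "" {
		return 0, nil
	}
	if strings.HasSuffix(v, "%") {
		pct, err := strconv.Atoi(strings.TrimSuffix(v, "%"))
		if err != nil || pct < 0 || pct > 100 {
			return 0, fmt.Errorf("invalid percentage %q", v)
		}
		// round up: 33% of 3 replicas means 1 must stay ready, not 0
		return int32((int(desired)*pct + 99) / 100), nil
	}
	n, err := strconv.Atoi(v)
	if err != nil || n < 0 {
		return 0, fmt.Errorf("invalid replica count %q", v)
	}
	return int32(n), nil
}

// MayTerminate returns nil when deleting the pod is allowed under p, an error
// wrapping ErrSkipped when a guard rail applies, or a plain error on bad input.
func MayTerminate(p TerminateParams, o PodOwner) error {
	switch o.Kind {
	case "DaemonSet":
		if p.IgnoreDaemonsets {
			return fmt.Errorf("%w: pod is owned by a DaemonSet", ErrSkipped)
		}
	case "StatefulSet":
		if p.IgnoreStatefulsets {
			return fmt.Errorf("%w: pod is owned by a StatefulSet", ErrSkipped)
		}
	case "ReplicaSet":
		need, err := parseMinHealthy(p.MinHealthyReplicas, o.DesiredReplicas)
		if err != nil {
			return err
		}
		// assumption: the pod about to be deleted is one of the ready replicas
		if need > 0 && o.ReadyReplicas-1 < need {
			return fmt.Errorf("%w: %d/%d ready, %d must remain after delete",
				ErrSkipped, o.ReadyReplicas, o.DesiredReplicas, need)
		}
	}
	return nil
}

func main() {
	// same values as the example block above
	p := TerminateParams{GracePeriodSeconds: 5, IgnoreDaemonsets: true, IgnoreStatefulsets: true, MinHealthyReplicas: "33%"}
	for _, o := range []PodOwner{
		{Kind: "ReplicaSet", DesiredReplicas: 3, ReadyReplicas: 3},
		{Kind: "ReplicaSet", DesiredReplicas: 3, ReadyReplicas: 1},
		{Kind: "DaemonSet"},
	} {
		fmt.Printf("%-11s desired=%d ready=%d -> %v\n", o.Kind, o.DesiredReplicas, o.ReadyReplicas, MayTerminate(p, o))
	}
}
```

With the example's parameters a 3-replica ReplicaSet with all pods ready may lose one, the same ReplicaSet with a single ready pod is left alone, and DaemonSet pods are never touched. Note that the percentage is computed against desired replicas, not ready ones, so a deployment that is already degraded is protected rather than drained further.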
--- kubernetes:label ---
name: label
category: kubernetes
description: Add, modify or delete the labels of the pod
source: syscalls
continue: true
use_context: false
allow_output: false
require_output: false
required_output_fields:
  - k8s.ns.name
  - k8s.pod.name
parameters:
  labels (required): {}
  level: pod
permissions: |
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: falco-talon
  rules:
    - apiGroups:
        - ""
      resources:
        - pods
      verbs:
        - get
        - update
        - patch
        - list
example: |
  - action: Label the pod
    actionner: kubernetes:label
    parameters:
      level: pod
      labels:
        suspicious: true
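"Add, modify or delete" maps naturally onto a JSON merge patch (RFC 7386) against the pod, which is what the patch verb in the ClusterRole above permits: a string value sets the label, a JSON null removes it. The Go program below is an added example for this page, not Falco Talon's code; it builds such a patch body with encoding/json only, so it runs offline, and validates values against the label-value syntax the API server enforces. The two labels in main are constructed input. One caveat it makes visible: the YAML `suspicious: true` in the example above is a boolean, but label values must be strings, so whatever sends the patch has to serialise it as "true".

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// labelValue is the syntax the API server enforces on label values: empty, or
// alphanumerics plus '-', '_' and '.', starting and ending alphanumeric.
// Length (max 63) is checked separately.
var labelValue = regexp.MustCompile(`^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$`)

// LabelPatch builds the body of a JSON merge patch for
// PATCH /api/v1/namespaces/{ns}/pods/{name} (Content-Type: application/merge-patch+json).
// A non-nil value adds or replaces the label; a nil value becomes JSON null,
// which deletes the key from metadata.labels.
func LabelPatch(labels map[string]*string) ([]byte, error) {
	if len(labels) == 0 {
		return nil, fmt.Errorf("labels is required")
	}
	out := make(map[string]interface{}, len(labels))
	for k, v := range labels {
		if v == nil {
			out[k] = nil // null in a merge patch removes the key
			continue
		}
		if len(*v) > 63 || !labelValue.MatchString(*v) {
			return nil, fmt.Errorf("label %q: %q is not a valid label value", k, *v)
		}
		out[k] = *v
	}
	body := map[string]interface{}{
		"metadata": map[string]interface{}{"labels": out},
	}
	return json.Marshal(body) // map keys are emitted sorted, so output is deterministic
}

func str(s string) *string { return &s }

func main() {
	// constructed input: set "suspicious" (as a string, not a bool) and drop "app"
	patch, err := LabelPatch(map[string]*string{
		"suspicious": str("true"),
		"app":        nil,
	})
	if err != nil {
		panic(err)
	}
	fmt.Println(string(patch))
}
```

Because the actionner reports continue: true, a rule can chain it before kubernetes:terminate (continue: false); the reverse order would never run, since the pod is already gone.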
❯ go run . outputs list
--- local:file ---
name: file
category: local
description: Store on local file system
parameters:
  destination (required): ""
example: |
  - action: Get logs of the pod
    actionner: kubernetes:download
    parameters:
      tail_lines: 200
    output:
      target: local:file
      parameters:
        destination: /var/logs/falco-talon/
--- minio:s3 ---
name: s3
category: minio
description: Store on Minio
parameters:
  bucket (required): ""
  prefix: ""
example: |
  - action: Get logs of the pod
    actionner: kubernetes:download
    parameters:
      tail_lines: 200
    output:
      target: minio:s3
      parameters:
        bucket: falco-talon
        prefix: /files
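Both outputs place a downloaded file under an operator-supplied root (destination or bucket/prefix) at a location derived from the event. The Go program below is an added example for this page, not Falco Talon's code: the <root>/<namespace>/<pod>/<file> layout is an assumption made for the example, and the namespace and pod values are constructed. What it demonstrates is the check a practitioner wants around such a store: the namespace and pod come from Falco's k8s.ns.name and k8s.pod.name output fields, so they are treated as untrusted path components even though valid Kubernetes names never contain a separator. It also strips the leading "/" from an S3 prefix such as the `/files` above, since object keys are not filesystem paths and "/files/..." would land under an empty top-level "folder".

```go
package main

import (
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// checkComponent rejects anything that could alter the directory layout:
// empty names, "." and "..", and either path separator.
func checkComponent(c string) error {
	if c == "" || c == "." || c == ".." || strings.ContainsAny(c, `/\`) {
		return fmt.Errorf("invalid path component %q", c)
	}
	return nil
}

// S3Key builds the object key for the minio:s3 output (layout assumed for
// this example). The prefix is normalised with path.Join and the leading "/"
// dropped so "/files" and "files" produce the same key.
func S3Key(prefix, namespace, pod, file string) (string, error) {
	for _, c := range []string{namespace, pod, file} {
		if err := checkComponent(c); err != nil {
			return "", err
		}
	}
	return strings.TrimPrefix(path.Join("/", prefix, namespace, pod, file), "/"), nil
}

// LocalPath builds the destination path for the local:file output
// (same assumed layout), using OS-specific separators.
func LocalPath(destination, namespace, pod, file string) (string, error) {
	for _, c := range []string{namespace, pod, file} {
		if err := checkComponent(c); err != nil {
			return "", err
		}
	}
	return filepath.Join(destination, namespace, pod, file), nil
}

func main() {
	// constructed event fields
	ns, pod := "default", "nginx-7d4b"
	file := pod + ".log"

	key, err := S3Key("/files", ns, pod, file)
	fmt.Println("s3 key:   ", key, err)

	p, err := LocalPath("/var/logs/falco-talon/", ns, pod, file)
	fmt.Println("local path:", p, err)

	// a hostile pod name is refused rather than cleaned into a sibling directory
	_, err = LocalPath("/var/logs/falco-talon/", ns, "../etc", "passwd")
	fmt.Println("traversal: ", err)
}
```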
❯ go run . notifiers list
--- ---
name: k8sevents
description: Create a Kubernetes Event
permissions: |
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - get
      - update
      - patch
      - create
--- ---
name: slack
description: Send a message to Slack
parameters:
  footer: http://github.com/falco-talon/falco-talon
  format: long
  icon: https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg
  username: Falco Talon
  webhook_url (required): ""
example: |
  notifiers:
    slack:
      webhook_url: "https://hooks.slack.com/services/XXXX"
      icon: "https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg"
      username: "Falco Talon"
      footer: "https://github.com/Falco-Talon/falco-talon"
      format: long