Add sending alerts to one or more email addresses

[finid]

Be awesome if Falco could be configured to send email alerts to one ro more configured email addresses.

[mstemm]

Thanks for the suggestion. Maybe the best way to do this is to allow piping an alert to a configurable program, at which point you could pipe to the mailer of your choice.

[ikoniaris]

Hi @mstemm, does this really work and how can I debug it?

For example, testing the program_output as so:

program_output:
  enabled: true
  program: logger -t falco-test

doesn't seem to do anything.

[ikoniaris]

Actually it seems that it depends on the program, e.g. mail/mailx work, logger doesn't. A custom binary that can take stdin and write to Kafka also doesn't work. Any info/help @mstemm?

[mstemm]

I'll see if I can take a look. I'm traveling this week and next so may be a bit slow to respond but I'll keep it on my todo list.

[mstemm]

For me, program output was working using falco 0.3.0, installed via apt-get, and Ubuntu 16.04.1 LTS. Here's the contents of my falco.yaml file:

# File containing Falco rules, loaded at startup.
rules_file: /etc/falco_rules.yaml

# Whether to output events in json or text
json_output: false

# Send information logs to stderr and/or syslog Note these are *not* security
# notification logs! These are just Falco lifecycle (and possibly error) logs.
log_stderr: true
log_syslog: true


# Where security notifications should go.
# Multiple outputs can be enabled.

syslog_output:
  enabled: true

file_output:
  enabled: false
  filename: ./events.txt

stdout_output:
  enabled: true

program_output:
  enabled: true
  program: logger -t falco-test

If I start falco using /etc/init.d/falco start, and then run sudo touch /bin/hack, I see the following in /var/log/messages:

Aug 23 14:45:16 ubuntu falco: File below a known binary directory opened for writing (user=root command=touch /bin/hack file=/bin/hack)
Aug 23 14:45:16 ubuntu falco-test: 14:45:16.156642562: Warning File below a known binary directory opened for writing (user=root command=touch /bin/hack file=/bin/hack)

The first line is from the syslog output method, and the second line is from the program output method.

So there's probably some way my configuration differs from yours. Can you provide more details on the configuration you were using and what you were doing to trigger the falco notification?

[mstemm]

I haven't heard an update, so I'll close this for now. Feel free to reopen if you're still running into this problem and we'll figure out the differences.

[ikoniaris]

Our only difference seems to be the distro version. Let me try on trusty/xenial and come back to you.

[ikoniaris]

I tried with Trusty, same thing. mailx works, logger doesn't. Not sure where the problem lies. Do you think I might be missing some lua-related libraries @mstemm? Is falco self-contained?

[mstemm]

I created a new github issue to track this problem, so we don't piggyback on this issue, which was really about adding the feature: #127. Let's continue the discussion there.

[mstemm]

Hi, we'd like to send an end-of-year present to everyone who contributed to Falco this year. If you'd like some schwag, could you send me your email address to mark.stemm@sysdig.com? Thanks again!