| title | description | linktitle | weight |
|---|---|---|---|
| Generating sample events | Test your Falco deployment by generating sample events under controlled circumstances | Generating sample events | 70 |

To check that Falco is working properly, use the {{< glossary_tooltip text="event-generator" term_id="event-generator" >}} tool, which can perform activity that triggers both our {{< glossary_tooltip text="syscalls" term_id="syscalls" >}} and {{< glossary_tooltip text="k8s audit" term_id="kubernetes-audit-log" >}} related rules.

The tool provides a command to run either some or all sample events.

```shell
event-generator run [regexp]
```

Without arguments, it runs all actions; otherwise, it runs only those actions matching the given regular expression.

The full command line documentation is here.

Downloads

| Artifacts | | Version |
|---|---|---|
| binaries | download link | Release |
| container images | `docker pull falcosecurity/event-generator:latest` | Docker Image Version (latest semver) |

Sample events

{{% pageinfo color="warning" %}} WARNING

Since some commands might alter your system, we strongly recommend that you run the program within a container (see below).
For example, some actions modify files and directories below /bin, /etc, /dev, etc. {{% /pageinfo %}}

System Call Activity

The syscall collection performs a variety of suspect actions that are detected by the default Falco ruleset.

```shell
docker run -it --rm falcosecurity/event-generator run syscall --loop
```

The above command loops forever, incessantly generating a sample event each second.
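To confirm that Falco actually raised alerts for the generated activity, you can tally the rules that fired in Falco's output. The following is an added example, not part of the event-generator project: it assumes Falco runs with JSON output enabled and that its output was saved as text; the expected rule names and the sample lines are constructed and should be adjusted to the ruleset you have loaded.

```python
import json
from collections import Counter

# Assumption: rules the operator expects the generator run to trigger.
EXPECTED_RULES = ["Read sensitive file untrusted", "Write below etc", "Run shell untrusted"]

def _alert(rule, priority, output):
    """Build one constructed Falco JSON alert line (not from a real run)."""
    return json.dumps({"time": "2024-01-01T10:00:01.000000000Z", "rule": rule,
                       "priority": priority, "source": "syscall", "output": output})

# Constructed sample: Falco output mixes plain log lines with JSON alerts.
SAMPLE_LOG = "\n".join([
    "Mon Jan  1 10:00:00 2024: Loading rules from file /etc/falco/falco_rules.yaml",
    _alert("Read sensitive file untrusted", "Warning", "Sensitive file opened (file=/etc/shadow)"),
    _alert("Write below etc", "Error", "File below /etc opened for writing (file=/etc/created)"),
    _alert("Read sensitive file untrusted", "Warning", "Sensitive file opened (file=/etc/shadow)"),
    '{"priority":"Error","rule":"Write below',   # truncated line, e.g. a cut-off log
    '{"message":"not an alert"}',                # JSON without a rule field
])

def parse_alerts(text):
    """Yield alert dicts, skipping plain-text, truncated and non-alert lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and "rule" in event:
            yield event

def rule_coverage(text, expected=EXPECTED_RULES):
    """Return (count per fired rule, expected rules that never fired)."""
    fired = Counter(event["rule"] for event in parse_alerts(text))
    missing = [rule for rule in expected if rule not in fired]
    return fired, missing

if __name__ == "__main__":
    fired, missing = rule_coverage(SAMPLE_LOG)
    for rule, count in fired.most_common():
        print(f"fired   {count:3d}  {rule}")
    for rule in missing:
        print(f"MISSING      {rule}")
```

A rule reported as missing means either the rule is not loaded or enabled, or the corresponding action was not run.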

Kubernetes Auditing Activity

The k8saudit collection generates activity that matches the k8s audit event ruleset.

```shell
event-generator run k8saudit --loop
```

The above command loops forever, creating resources in the current namespace and deleting them after each iteration. Use the --namespace option to choose a different namespace.

Running the Event Generator in K8s

We've also provided a helm chart that makes it easy to run the event generator in K8s clusters.

First, add the falcosecurity charts repository:

```shell
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
```

Once you have the helm repo configured, you can run the following to create the necessary objects in the event-generator namespace and then generate events continuously:

```shell
helm install event-generator falcosecurity/event-generator \
  --namespace event-generator \
  --create-namespace \
  --set config.loop=false \
  --set config.actions=""
```

The above command applies to the event-generator namespace. Use the --namespace option to deploy in a different namespace. Events will be generated in the same namespace.

You can also find more examples in the event-generator and charts repositories.