update program_output example #507
This PR needs to be against
I think it wouldn't be very likely that you would want to run the normal falco container with a program output that could send mail directly. You'd probably need email server configuration that also configured an outbound mail gateway and probably credentials to contact that gateway. You could always create a new image that started with falco using Of course, when running directly on the host, say via debian or rpm packages, you could rely on the host's configuration for mail servers, etc.
For k8s env, I think it is possible to send mail from a container, and in a production env it should be the default action, I think. By the way, in https://github.com/falcosecurity/falco/blob/dev/falco.yaml, send mail is the default action. As you said, maybe adding a comment here is better. If so, I would add a comment about the mail part.
Sending mail is not a default action, it’s an example, and as Mark points out you would probably never want to do this. We should remove the example in favor of the slack example. To expand on this, depending on how noisy you have falco configured you might get lots of mails per second. If your use case is to create an audit trail then mail is not the best option. Also, mail wouldn’t be the best way to have action immediately taken if your use case was incident response. Functions (serverless) and a pub/sub service would be better.
falco-CLA-1.0-signed-off-by: Xiang Dai <764524258@qq.com>
@mfdii hi, any input?
So now the only change in the PR is that the example program output command line refers to jq and curl, right? That's the change you intended?
Yes, since sending mail from a container directly is not good enough, why show this example? Changing it is better, right?
falco-CLA-1.0-signed-off-by: Xiang Dai <764524258@qq.com>
I see that the PR was still based against the master branch. I cherry-picked the commit onto a PR targeted towards the dev branch (#541).
Fix the issue below:
When configured with mail:
If not, falco cannot send mail.
falco-CLA-1.0-signed-off-by: Xiang Dai 764524258@qq.com