Puppet module fixes #546

Merged

@JPLachance (Contributor) commented Mar 1, 2019

Greetings,

We created a simple class that calls the falco class:

# == Class: profile::security::falco::install
#
# Installs Falco with some custom configuration
#
class profile::security::falco::install (
  $log_level       = 'info',
  $package_ensure  = 'installed',
  $service_ensure  = 'running',
  $service_enable  = true,
  $service_restart = true,
) {
  $falco_config_folder = '/etc/falco'

  # Apply ::falco first, then manage the local rules file; a change to that file refreshes the service.
  Class['::falco']
  -> File["${falco_config_folder}/falco_rules.local.yaml"]
  ~> Service['falco']

  class { '::falco':
    log_level       => $log_level,
    log_stderr      => false,
    json_output     => true,
    syslog_output   => {
      'enabled' => false
    },
    file_output     => {
      'enabled'    => true,
      'keep_alive' => true,
      'filename'   => '/var/log/falco-events.log'
    },
    stdout_output   => {
      'enabled' => false
    },
    package_ensure  => $package_ensure,
    service_ensure  => $service_ensure,
    service_enable  => $service_enable,
    service_restart => $service_restart,
  }

  file { "${falco_config_folder}/falco_rules.local.yaml":
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('profile/security/falco/falco_rules.local.yaml.erb')
  }

  filebeat::prospector { 'falco':
    paths             => [
      '/var/log/falco-events.log'
    ],
    doc_type          => 'json',
    fields            => {
      'ES_INDEX' => 'falco'
    },
    json              => {
      keys_under_root => true,
      message_key     => 'output'
    },
    max_bytes         => 524288,
    fields_under_root => true,
  }
}

We then encountered multiple bugs and this PR fixes them!

Changes:
! Make sure we add the Sysdig repo and call an update before trying to install Falco
! Remove the require in the service class to fix a dependencies loop
* Bump the version to 0.4.0

The module now installs Falco on dozens of Ubuntu hosts without any issue! :famouslastwords: 😄

falco-CLA-1.0-contributing-entity: Coveo Solutions Inc.
falco-CLA-1.0-signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>

Puppet module fixes
! Make sure we add the Sysdig repo and call an update before trying to install Falco
! Remove the require in the service class to fix a dependencies loop
* Bump the version to 0.4.0

falco-CLA-1.0-contributing-entity: Coveo Solutions Inc.
falco-CLA-1.0-signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>

@mstemm self-requested a review Mar 1, 2019

@mstemm approved these changes Mar 1, 2019

@mstemm merged commit e486af6 into falcosecurity:dev Mar 1, 2019

1 check passed: Travis CI - Pull Request Build Passed

@JPLachance deleted the JPLachance:fix/puppet-falco-install-issues branch Mar 7, 2019
