Install Falco Rules On-Premises

Periodically, Sysdig releases new Falco Rules that provide additional coverage for new behaviors and add exceptions for known-good behaviors. This topic describes how to install Falco Rules as a container in an on-premises deployment. For air-gapped deployments, the instructions differ slightly because of the security measures of the isolated setup.

Sysdig provides a container image on Docker Hub for installing Falco Rules on the Sysdig Platform.

This container image allows easy installation and upgrades of the Falco rules files for Sysdig Secure. The image contains the following:

  • The rule files.

  • The latest version of Falco.

  • The sysdig-sdk-python wrappers that deploy the rule files to a Sysdig platform deployment.

The image is tagged with a new version each time a new set of rules files is released, and the latest tag always points to the latest version.

When a container is run with this image, it does the following:

  • Validates the rules.

  • Fetches the custom rules file and verifies its compatibility with the default Falco rules file that is about to be deployed.

  • Deploys the rules to the configured Sysdig Platform backend component.

Example

Non-Airgapped Environment

This section assumes that the installation machine has network access to pull the image from Docker Hub.

  1. Download the container image:

    # docker pull sysdig/falco_rules_installer:latest

  2. Use docker run to install the Falco Rules. For example:

    # docker run --rm --name falco-rules-installer -it -e DEPLOY_HOSTNAME=https://my-sysdig-backend.com -e DEPLOY_USER_NAME=test@sysdig.com -e DEPLOY_USER_PASSWORD=<my password> -e VALIDATE_RULES=yes -e DEPLOY_RULES=yes -e CREATE_NEW_POLICIES=no -e SDC_SSL_VERIFY=True sysdig/falco_rules_installer:latest

Airgapped Environment

This section assumes that the installation machine does not have network access to pull the image from Docker Hub.

  1. Download the container image on a machine that is connected to the network:

    # docker pull sysdig/falco_rules_installer:latest
  2. Create an archive file for the image:

    # docker save sysdig/falco_rules_installer:latest -o falco_rules_installer.tar

  3. Transfer the tar file to the air-gapped machine.

  4. Untar the image file:

    # docker load -i falco_rules_installer.tar

    This restores the image together with its tags.

  5. Use docker run to install the Falco Rules. For example:

    # docker run --rm --name falco-rules-installer -it -e DEPLOY_HOSTNAME=https://my-sysdig-backend.com -e DEPLOY_USER_NAME=test@sysdig.com -e DEPLOY_USER_PASSWORD=<my password> -e VALIDATE_RULES=yes -e DEPLOY_RULES=yes -e CREATE_NEW_POLICIES=no -e SDC_SSL_VERIFY=True sysdig/falco_rules_installer:latest

Usage

You can run this container from any host that can reach the server hosting the Sysdig backend API endpoint, which is specified in the DEPLOY_HOSTNAME variable. The container does not need to run on the hosts where the Sysdig Platform backend components are running.

To run, the container depends on the following environment variables:

DEPLOY_HOSTNAME
    The server that hosts the Sysdig API endpoints. The default is https://secure.sysdig.com.

DEPLOY_USER_NAME
    The username of an account with admin-level access to the Sysdig API endpoints. The value defaults to a meaningless user, nobody@nobody.com.

DEPLOY_USER_PASSWORD
    The password of the admin user. The value defaults to a meaningless password, nopassword.

VALIDATE_RULES
    If set to yes, the default Falco rules file is checked for compatibility with your custom rules file; otherwise, this validation step is skipped. The value defaults to yes.

DEPLOY_RULES
    If set to yes, the Falco rules file is deployed; otherwise, deployment is skipped. The value defaults to yes.

CREATE_NEW_POLICIES
    If set to yes, new policies are created for any Falco rules that do not map to an existing policy. The value defaults to no.

SDC_SSL_VERIFY
    If set to false, certificate validation failures are tolerated when deploying the rules. The value defaults to true.
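The docker run commands above pass DEPLOY_USER_PASSWORD as a -e argument, which leaves the admin password in shell history and visible in the process list of the installation host. As an added example (not Sysdig's own code), the following POSIX shell script writes the variables documented above to an owner-only env file and runs the image with docker run --env-file instead; the env file path, the user name and the optional TAG argument are assumptions.

```shell
#!/bin/sh
# Added example, not Sysdig's own code: run the installer image with the
# variables this page documents, but pass them through a 0600 env file
# (docker run --env-file) instead of -e VAR=value on the command line, so the
# admin password does not end up in shell history or the process list.
# Assumes POSIX sh, the docker CLI, and that the caller exports
# DEPLOY_HOSTNAME, DEPLOY_USER_NAME and DEPLOY_USER_PASSWORD beforehand.

# write_installer_env_file OUTFILE
# Writes the installer variables to OUTFILE, readable only by the owner.
# Fails if DEPLOY_HOSTNAME is not an https:// URL (the backend must be
# reached over TLS) or if the user name or password is missing.
write_installer_env_file() {
    out="$1"
    case "${DEPLOY_HOSTNAME:-}" in
        https://*) ;;
        *) echo "DEPLOY_HOSTNAME must be an https:// URL" >&2; return 1 ;;
    esac
    if [ -z "${DEPLOY_USER_NAME:-}" ] || [ -z "${DEPLOY_USER_PASSWORD:-}" ]; then
        echo "DEPLOY_USER_NAME and DEPLOY_USER_PASSWORD must be set" >&2
        return 1
    fi
    rm -f "$out"   # never inherit the permissions of a stale file
    ( umask 077; cat > "$out" ) <<EOF
DEPLOY_HOSTNAME=$DEPLOY_HOSTNAME
DEPLOY_USER_NAME=$DEPLOY_USER_NAME
DEPLOY_USER_PASSWORD=$DEPLOY_USER_PASSWORD
VALIDATE_RULES=${VALIDATE_RULES:-yes}
DEPLOY_RULES=${DEPLOY_RULES:-yes}
CREATE_NEW_POLICIES=${CREATE_NEW_POLICIES:-no}
SDC_SSL_VERIFY=${SDC_SSL_VERIFY:-True}
EOF
}

# run_installer ENVFILE [TAG]
# Runs the installer once and deletes the env file afterwards, whatever the
# outcome. Pin TAG to the rules release you validated rather than "latest".
run_installer() {
    envfile="$1"
    tag="${2:-latest}"
    status=0
    docker run --rm --name falco-rules-installer --env-file "$envfile" \
        "sysdig/falco_rules_installer:$tag" || status=$?
    rm -f "$envfile"
    return "$status"
}

# Typical use (invokes docker, so left commented out):
# write_installer_env_file /run/falco-rules.env && run_installer /run/falco-rules.env
```

The env file holds the password in clear text for the duration of the run, so keep it on local disk (not a shared volume) and let run_installer delete it as shown.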

See Docker Hub for the latest information about the image and its usage.