Some recap about Falco

Background

Falco is a tool for monitoring system security events; we define security rules for the events we want to monitor. It provides three drivers to capture those events: a kernel module, eBPF, and modern_ebpf. Of these, modern_ebpf is the simplest, and it is indeed the default.

My issues

Although Falco is widely adopted, on our platform it has been broken for some months. The reason is that Falco lacks RHEL support: whenever Red Hat ships its own kernel changes, Falco breaks after a while. We have identified two issues:

https://github.com/falcosecurity/falco/issues/3196

https://github.com/falcosecurity/falco/issues/3276

This is the risk we can foresee. For now we can still manage, even though we have to wait for a Falco release to fix these issues.

So our requirement is that Falco has to work in two different places (on-prem and cloud), on two different OSes, CentOS and RHEL.

Well, we will retire CentOS since it is already EOL, but for now we have to deal with it.

So the solution for the cloud is to go with modern_ebpf, since it has the fewest kernel dependencies: a kernel version above 5.8 should be enough. The cloud image satisfies that, but CentOS does not.

The problem is CentOS and RHEL. There we chose the kernel module (we have used it that way for a long time and don't want to break anything), which makes RHEL really not easy to work with: it always crashes something. But now we can make it run, and we expect no more issues. We package kernel-devel into the OS and let Falco build the module locally.

Eventually, when all our platforms switch to RHEL, modern_ebpf will be the only driver we use.

But Falco really needs RHEL support, I think.

Lesson learned

When we talk about making Falco run, don't just check that its status is "running": check the logs to see whether errors happen, check the dependencies to see whether they affect it, and check the receiver of Falco, since it eventually sends something there.
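The two practical rules in this post, picking modern_ebpf only on kernels of 5.8 or newer and otherwise falling back to the kernel module with its kernel-devel dependency, plus the four checks listed above, fit in a small shell script. The following is an added example, not code from the original post or from the Falco project. It assumes Falco is installed as the systemd unit `falco` logging to the journal (the unit name depends on how Falco was installed), that the kernel-module build tree is linked from `/lib/modules/<release>/build` as the kernel-devel package provides on RHEL/CentOS, and that the receiver is an HTTP endpoint given in `FALCO_RECEIVER_URL` (the default there is a placeholder). The kernel release strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not the post's or Falco's own code): decide which Falco
# driver a kernel release can use, then run the checks the post recommends.

MODERN_EBPF_MIN_KERNEL="5.8"   # the floor the post gives for modern_ebpf

# kernel_at_least RELEASE MAJOR.MINOR: succeed when a kernel release string
# such as "5.14.0-362.el9.x86_64" (constructed sample) is >= MAJOR.MINOR.
kernel_at_least() {
    rel=$1; want=$2
    kmaj=${rel%%.*}
    case $rel in
        *.*) rest=${rel#*.}; kmin=${rest%%.*} ;;
        *)   kmin=0 ;;
    esac
    kmin=${kmin%%[!0-9]*}            # drop suffixes like "14-rc1" -> "14"
    wmaj=${want%%.*}
    wmin=${want#*.}
    [ "$kmaj" -gt "$wmaj" ] && return 0
    [ "$kmaj" -eq "$wmaj" ] && [ "${kmin:-0}" -ge "$wmin" ]
}

# choose_driver RELEASE: print "modern_ebpf" when the kernel is new enough,
# otherwise "kmod" (the kernel-module path the post uses on CentOS/RHEL).
choose_driver() {
    if kernel_at_least "$1" "$MODERN_EBPF_MIN_KERNEL"; then
        echo modern_ebpf
    else
        echo kmod
    fi
}

# kmod_deps_ok RELEASE: the kernel module is built locally against the
# running kernel's headers, which kernel-devel provides; the build tree is
# linked from /lib/modules/<release>/build (assumed RHEL/CentOS layout).
kmod_deps_ok() {
    rel=$1
    if [ ! -d "/lib/modules/$rel/build" ]; then
        echo "missing /lib/modules/$rel/build (install kernel-devel-$rel)" >&2
        return 1
    fi
}

# falco_healthcheck: the post's four checks. Returns non-zero if any fails.
falco_healthcheck() {
    rel=$(uname -r)
    drv=$(choose_driver "$rel")
    echo "kernel $rel -> driver $drv"
    rc=0
    if command -v systemctl >/dev/null 2>&1; then
        # 1. Is the service actually active? (assumed unit name: falco)
        systemctl is-active --quiet falco || { echo "falco unit not active" >&2; rc=1; }
        # 2. Any error-level log lines in the last hour?
        if journalctl -u falco -p err --since -1h --no-pager 2>/dev/null | grep -q .; then
            echo "errors in falco journal within the last hour" >&2; rc=1
        fi
    fi
    # 3. Dependencies: headers present and module loaded on the kmod path.
    if [ "$drv" = kmod ]; then
        kmod_deps_ok "$rel" || rc=1
        lsmod 2>/dev/null | grep -q '^falco' || { echo "falco kernel module not loaded" >&2; rc=1; }
    fi
    # 4. Can we reach the receiver Falco sends events to? (placeholder URL)
    url=${FALCO_RECEIVER_URL:-http://receiver.example:2801/}
    curl -fsS -o /dev/null --max-time 5 "$url" || { echo "receiver $url unreachable" >&2; rc=1; }
    return $rc
}

# Run the live checks only when invoked as: sh falco-check.sh check
if [ "${1:-}" = check ]; then
    falco_healthcheck
fi
```

Run it as `FALCO_RECEIVER_URL=http://<your-receiver>/ sh falco-check.sh check` on the host; a non-zero exit means one of the four checks failed and the reason was printed to stderr, which is a better signal for a platform health page than the unit's "active" state alone.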
