If you’d like to check if Falco is working properly, we have the
event-generator tool that can perform an activity for both our syscall and k8s audit related rules.
The tool provides a command to run either some or all sample events.
event-generator run [regexp]
Without arguments it runs all actions, otherwise only those actions matching the given regular expression.
The full command line documentation is here.
System Call Activity
syscall collection performs a variety of suspect actions that are detected by the default Falco ruleset.
docker run -it --rm falcosecurity/event-generator run syscall --loop
The above command loops forever, incessantly generating a sample event each second.
Kubernetes Auditing Activity
k8saudit collection generates activity that matches the k8s audit event ruleset.
event-generator run k8saudit --loop
The above command loops forever, creating resources in the current namespace and deleting them after each iteration. Use the
--namespace option to choose a different namespace.
Running the Event Generator in K8s
We’ve also provided K8s resource object files that make it easy to run the event generator in K8s Clusters:
role-rolebinding-serviceaccount.yamlcreates a Service Account, Cluster Role, and Role that allows a service account
event-generator.yamlcreates a deployment that runs all sample events in a loop.
run-as-job.yamlcreates a job that runs all sample events once.
For example, you can run the following to create the necessary objects in the current namespace and then generate events continuously:
kubectl apply -f deployment/role-rolebinding-serviceaccount.yaml \ -f deployment/event-generator.yaml
The above command applies to the default namespace. Use the
--namespace option to deploy in a different namespace. Events will be generated in the same namespace.
You can also find more examples in the repository documentation.
Table of contents