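# Fetch the Falco Talon sources and move into the Helm chart directory
# (the stray trailing backticks after the clone URL were a markup leftover).
git clone https://github.com/falco-talon/falco-talon.git
cd falco-talon/deployment/helm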
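# Write the Talon rules file next to the chart. The heredoc delimiter is
# quoted ('EOF') so that ${FD_NAME} is written literally into rules.yaml
# instead of being expanded (to an empty string) by the local shell while
# the file is generated.
cat <<'EOF' > rules.yaml
# ---- Reusable actions ------------------------------------------------------
- action: Terminate Pod
  actionner: kubernetes:terminate
  parameters:
    ignore_daemonsets: true
    ignore_statefulsets: true
    grace_period_seconds: 0
- action: Labelize Pod as Suspicious
  actionner: kubernetes:labelize
  parameters:
    labels:
      suspicious: "true"
- action: Labelize Pod as Pwned
  actionner: kubernetes:labelize
  parameters:
    labels:
      pwned: "true"
      # Empty value: the "suspicious" label is dropped when the pod is escalated to "pwned".
      suspicious: ""

# ---- Rules -----------------------------------------------------------------
# output_fields restricts a rule to events whose fields match; here events from
# the kube-system and falco namespaces are excluded.
- rule: Terminal shell in container
  match:
    rules:
      - Terminal shell in container
    output_fields:
      - k8s.ns.name!=kube-system, k8s.ns.name!=falco
  actions:
    - action: Labelize Pod as Suspicious
- rule: Launch Package Management Process in Container
  match:
    rules:
      - Launch Package Management Process in Container
    output_fields:
      - k8s.ns.name!=kube-system, k8s.ns.name!=falco
  actions:
    - action: Labelize Pod as Pwned
- rule: Write below etc
  match:
    rules:
      - Write below etc
  actions:
    - action: Open file
      actionner: kubernetes:script
      parameters:
        shell: sh
        # FD_NAME is taken from the Falco event (the file written below /etc),
        # so its value is influenced by whatever activity raised the alert.
        # Keep it double-quoted so the path is handed to ls/cat as a single
        # argument rather than being word-split or glob-expanded.
        script: |
          echo "-- ls --"
          ls -l "${FD_NAME}"
          echo "-- cat ${FD_NAME} --"
          cat "${FD_NAME}"
- rule: Suspicious outbound connection
  match:
    rules:
      - Outbound Connection to Suspicious IPs
  actions:
    - action: Terminate Pod
      parameters:
        # Override of the action default: delete the pod immediately.
        grace_period_seconds: 0
EOF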
# Install the Talon chart from the current directory into the "falco"
# namespace, creating the namespace if it does not exist yet.
helm install falco-talon --namespace falco --create-namespace .
# Install Falco + Falcosidekick + UI
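# Add the falcosecurity chart repository and install Falco with Falcosidekick
# and its web UI. The dangling `--set \` that preceded the driver flag has been
# removed: it had no value and would have swallowed the next argument.
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco falcosecurity/falco \
  --namespace falco \
  --create-namespace \
  --set tty=true \
  --set driver.kind=modern_ebpf \
  --set falcosidekick.enabled=true \
  --set falcosidekick.webui.enabled=true \
  --set falcosidekick.config.webhook.address=http://falco-talon:2803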