Skip to content
/ siem-falco-wazuh Public

Basic simple integration around falco and wazuh into k8s cluster with daemonset deployment.

7 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

zeinoux/siem-falco-wazuh

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
agent
agent
 
 
dotfile
dotfile
 
 
k8
k8
 
 
wazuh-rules
wazuh-rules
 
 
Dockerfile
Dockerfile
 
 
README.md
README.md
 
 

Repository files navigation

feat

Cloud Native Runtime Security.

Table of Contents

  1. Overview
  2. Description - What the module does and why it is useful
  3. File Information - include configuration and scripts
  4. Installation & Setup - Configuration options and additional functionality

Overview

Falco-Wazuh Integration service, support with k8s v1.21.*+

Description

Basic simple integration around falco and wazuh into k8s cluster with daemonset deployment, is adopted from https://github.com/Stuxend/falco-wazuh projects.

List important file information

  • Files to deploy daemonset and service account
 k8/
├── deployment_cri_k8s.yaml
├── rbac-falco-wazuh_k8s_admin.yaml
└── README.md

3 files
  • Wazuh server rules, import it into wazuh manager
 wazuh-rules/
├── 0485-falco.xml (__*this is decoders file*__)
├── 0685-falco_rules.xml (__*this is rules file*__)
├── old
│   ├── 0485-falco.xml
│   └── 0685-falco_rules.xml
└── README.md

1 directory, 5 files
  • Agent files, docker entrypoint script, and default wazuh rules
agent
├── entrypoint.sh
├── falcolog
├── falco_rules.yaml
├── falco.yaml
├── ossec.conf
└── rootchecks
    ├── cis_apache2224_rcl.txt
    ├── cis_debian_linux_rcl.txt
    ├── cis_mysql5-6_community_rcl.txt
    ├── cis_mysql5-6_enterprise_rcl.txt
    ├── cis_rhel5_linux_rcl.txt
    ├── cis_rhel6_linux_rcl.txt
    ├── cis_rhel7_linux_rcl.txt
    ├── cis_rhel_linux_rcl.txt
    ├── cis_sles11_linux_rcl.txt
    ├── cis_sles12_linux_rcl.txt
    ├── cis_win2012r2_domainL1_rcl.txt
    ├── cis_win2012r2_domainL2_rcl.txt
    ├── cis_win2012r2_memberL1_rcl.txt
    ├── cis_win2012r2_memberL2_rcl.txt
    ├── rootkit_files.txt
    ├── rootkit_trojans.txt
    ├── system_audit_rcl.txt
    ├── system_audit_ssh.txt
    ├── win_applications_rcl.txt
    ├── win_audit_rcl.txt
    └── win_malware_rcl.txt
    
1 directory, 28 files

Installation and setup

  1. Please make sure to create wazuh namespace first, and apply serviceAccount via k8/rbac-falco-wazuh_k8s_admin.yaml
  2. Before applying deployment file please edit this section :
        - name: wazuh_token
          valueFrom:
            secretKeyRef:
              name: wazuh-admin-token-8zzhf
              key: token
        - name: wazuh_cert
          valueFrom:
            secretKeyRef:
              name: wazuh-admin-token-8zzhf
              key: ca.crt

*NB: Please matching created secrets, for ex: wazuh-admin-token-xxxxx

  1. After editing token section, we can apply the deployment project vi k8/deployment_cri_k8s.yaml

That's all hope will be help,
Thank You

Regards,
@zeinoux

About

Basic simple integration around falco and wazuh into k8s cluster with daemonset deployment.

Topics

security security-audit siem k8s-cluster security-tools devsecops security-auditing-tool security-info k8s-security k8s-audit-log devsecops-tools

Resources

Readme
Activity

Stars

7 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages