Reputation: 335
How do we get the node information from the Falco threat events response? According to the currently supported fields for conditions, we do not get any information regarding the node name as such. https://falco.org/docs/rules/supported-fields/
Upvotes: 0
Views: 98
Reputation: 16
For Falco to detect threats by using syscalls, it needs to run on the same host where the processes executing the syscalls run. Therefore it doesn't make sense to return information about the hostname since this information is only relevant when all the alerts are aggregated into some external service. In other words, it's the aggregator that adds the origin of the message when received.
However, if what you need to do is to distinguish whether the syscall was executed from inside a container, or from another process on the host, look at the container.id field. If it's set to host, the call didn't happen inside the container.
Upvotes: 0
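The answer above describes two things: the node name is attached by whatever collects the alerts, not by Falco itself, and the container.id field distinguishes container activity from host activity. The following is an added example (not code from the question, the answer, or the Falco project) of a small per-node collector that does exactly that with Falco's JSON output. It assumes Falco was started with json_output=true, that the alert records carry an output_fields object keyed by Falco field names such as container.id, and that the node name is available either from a NODE_NAME environment variable (for example injected via the Kubernetes downward API) or from the local hostname. The alert lines are constructed samples, not captured from a real system.

```python
import json
import os
import socket
from typing import Iterable, List, Optional

# Constructed sample lines in the shape of Falco's JSON output.
# Values are made up for illustration; they are not real alerts.
SAMPLE_ALERTS = [
    json.dumps({
        "output": "Notice A shell was spawned in a container",
        "priority": "Notice",
        "rule": "Terminal shell in container",
        "time": "2024-01-01T00:00:00.000000000Z",
        "output_fields": {
            "container.id": "3f4a5b6c7d8e",   # constructed container id
            "proc.name": "bash",
            "evt.type": "execve",
        },
    }),
    json.dumps({
        "output": "Warning Sensitive file opened for reading",
        "priority": "Warning",
        "rule": "Read sensitive file untrusted",
        "time": "2024-01-01T00:00:01.000000000Z",
        "output_fields": {
            "container.id": "host",           # Falco sets 'host' outside containers
            "proc.name": "cat",
            "fd.name": "/etc/shadow",
        },
    }),
]


def local_node_name() -> str:
    """Node name as the collector sees it.

    NODE_NAME is an assumed environment variable (e.g. filled from the
    Kubernetes downward API spec.nodeName); otherwise fall back to hostname.
    """
    return os.environ.get("NODE_NAME") or socket.gethostname()


def enrich_alert(line: str, node_name: str) -> dict:
    """Parse one Falco JSON alert and add the origin node plus a
    container/host classification derived from container.id."""
    alert = json.loads(line)
    fields = alert.get("output_fields", {})
    # Falco reports 'host' when the process is not inside a container.
    container_id = fields.get("container.id", "host")
    alert["node"] = node_name
    alert["in_container"] = container_id != "host"
    return alert


def enrich_stream(lines: Iterable[str], node_name: Optional[str] = None) -> List[dict]:
    """Enrich every alert in a stream; the node name is resolved once,
    since all alerts read on this host originate from this node."""
    name = node_name or local_node_name()
    return [enrich_alert(line, name) for line in lines if line.strip()]


def summarize(alerts: Iterable[dict]) -> dict:
    """Count alerts by origin so a reviewer can see host vs container activity."""
    counts = {"container": 0, "host": 0}
    for alert in alerts:
        counts["container" if alert["in_container"] else "host"] += 1
    return counts


if __name__ == "__main__":
    enriched = enrich_stream(SAMPLE_ALERTS)
    for alert in enriched:
        where = "container" if alert["in_container"] else "host"
        print(f'{alert["node"]} [{where}] {alert["rule"]}: {alert["output"]}')
    print(summarize(enriched))
```

In a real deployment the collector would read Falco's stdout or file output instead of SAMPLE_ALERTS, and forward the enriched records to a central sink; the node field is what lets that sink answer "which node did this come from", which Falco's own condition fields do not provide.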