Review the Falco signal handler #791

Closed
krisnova opened this issue Aug 27, 2019 · 2 comments · Fixed by #822

@krisnova
Contributor

What would you like to be added:

I noticed that on my system sending a SIGINT to the Falco process took a few seconds for our signal handler to respond. This isn't a deal breaker because we have 30 seconds by default in Kubernetes to respond. But we should be more responsive with signals passed to Falco.

Why is this needed:

Output from a SIGINT signal sent to Falco

[nova nova]# time falco
Tue Aug 27 07:22:38 2019: Falco initialized with configuration file /home/nova/go/src/github.com/falcosecurity/falco/falco.yaml
Tue Aug 27 07:22:38 2019: Loading rules from file /etc/falco/falco_rules.yaml:
Tue Aug 27 07:22:38 2019: Loading rules from file /etc/falco/falco_rules.local.yaml:
Tue Aug 27 07:22:38 2019: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Tue Aug 27 07:22:38 2019: Loading rules from file /etc/falco/rules.d/falco_rules.local.yaml:
Tue Aug 27 07:22:39 2019: Loading rules from file /etc/falco/rules.d/falco_rules.yaml:
Tue Aug 27 07:22:39 2019: Starting internal webserver, listening on port 8765
^CTue Aug 27 07:22:45 2019: SIGHUP Received, restarting...
Events detected: 0
Rule counts by severity:
Triggered rules by rule name:
Syscall event drop monitoring:
   - event drop detected: 0 occurrences
   - num times actions taken: 0

real	0m7.135s
user	0m0.523s
sys	0m0.218s

Note: I executed the program, then immediately sent Ctrl+C.

@krisnova
Contributor Author

Also, I noticed we seem to be logging SIGHUP whenever Falco receives SIGINT.

[nova nova]# falco
Tue Aug 27 07:37:19 2019: Falco initialized with configuration file /home/nova/go/src/github.com/falcosecurity/falco/falco.yaml
Tue Aug 27 07:37:19 2019: Loading rules from file /etc/falco/falco_rules.yaml:
Tue Aug 27 07:37:19 2019: Loading rules from file /etc/falco/falco_rules.local.yaml:
Tue Aug 27 07:37:19 2019: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Tue Aug 27 07:37:20 2019: Loading rules from file /etc/falco/rules.d/falco_rules.local.yaml:
Tue Aug 27 07:37:20 2019: Loading rules from file /etc/falco/rules.d/falco_rules.yaml:
Tue Aug 27 07:37:20 2019: Starting internal webserver, listening on port 8765
Tue Aug 27 07:38:00 2019: SIGHUP Received, restarting...
Events detected: 0
Rule counts by severity:
Triggered rules by rule name:
Syscall event drop monitoring:
   - event drop detected: 0 occurrences
   - num times actions taken: 0

And in another terminal

[nova nova]# ps aux | grep falco
root     17430  8.3  0.0 395700 44336 pts/0    Rl+  07:37   0:00 falco
root     17438  0.0  0.0   6268  2212 pts/2    S+   07:37   0:00 grep --colour=auto falco
[nova nova]# kill -s SIGINT 17430

@krisnova krisnova changed the title Review SIGINT with Falco Review the Falco signal handler Aug 27, 2019
@krisnova
Contributor Author

Fairly new code - developed for dynamic configuration and our use case was the operator.

leodido added a commit that referenced this issue Sep 16, 2019
leodido added a commit that referenced this issue Sep 16, 2019
leodido added a commit that referenced this issue Sep 25, 2019