Falco on IT it's FUNhttps://mksit.sknt.ru/tags/falco/Recent content in Falco on IT it's FUNHugoruTue, 20 Jan 2026 00:00:00 +0000Falco - замена auditd. Интеграция с wazuhhttps://mksit.sknt.ru/posts/falco/Tue, 20 Jan 2026 00:00:00 +0000https://mksit.sknt.ru/posts/falco/<p>Это современная альтернатива auditd, перехватывает системные запросы ядра</p> <p><a href="https://wazuh.com/blog/cloud-native-security-with-wazuh-and-falco/" class="external-link" target="_blank" rel="noopener">https://wazuh.com/blog/cloud-native-security-with-wazuh-and-falco/</a> <a href="https://falco.org/docs/getting-started/falco-linux-quickstart/" class="external-link" target="_blank" rel="noopener">https://falco.org/docs/getting-started/falco-linux-quickstart/</a></p> <h2 id="установка-falco-на-серверах-с-wazuh-agent"> Установка falco на серверах с wazuh-agent <a class="heading-link" href="#%d1%83%d1%81%d1%82%d0%b0%d0%bd%d0%be%d0%b2%d0%ba%d0%b0-falco-%d0%bd%d0%b0-%d1%81%d0%b5%d1%80%d0%b2%d0%b5%d1%80%d0%b0%d1%85-%d1%81-wazuh-agent"> <i class="fa-solid fa-link" aria-hidden="true" title="Ссылка на заголовок"></i> <span class="sr-only">Ссылка на заголовок</span> </a> </h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl"><span class="c1"># настраиваем репу</span> </span></span><span class="line"><span class="cl">curl -fsSL https://falco.org/repo/falcosecurity-packages.asc <span class="p">|</span> gpg --dearmor -o /usr/share/keyrings/falco-archive-keyring.gpg </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;deb [signed-by=/usr/share/keyrings/falco-archive-keyring.gpg] https://download.falco.org/packages/deb stable main&#34;</span> &gt; /etc/apt/sources.list.d/falcosecurity.list </span></span><span class="line"><span class="cl">apt update </span></span><span class="line"><span class="cl"><span class="c1"># зависимость для ответов установщика</span> </span></span><span class="line"><span class="cl">apt-get install -y dialog </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">apt install -y falco </span></span><span class="line"><span class="cl">systemctl status falco-modern-bpf </span></span><span class="line"><span class="cl"><span class="c1"># проверяем, провоцируем</span> </span></span><span class="line"><span class="cl">cat /etc/shadow &gt; /dev/null </span></span><span class="line"><span class="cl">journalctl <span class="nv">_COMM</span><span class="o">=</span>falco -p warning </span></span><span class="line"><span class="cl">grep Sensitive /var/log/syslog </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">systemctl restart wazuh-agent falco-modern-bpf </span></span></code></pre></div><h2 id="настройка-wazuh-server"> Настройка wazuh-server <a class="heading-link" href="#%d0%bd%d0%b0%d1%81%d1%82%d1%80%d0%be%d0%b9%d0%ba%d0%b0-wazuh-server"> <i class="fa-solid fa-link" aria-hidden="true" title="Ссылка на заголовок"></i> <span class="sr-only">Ссылка на заголовок</span> </a> </h2> <p>конфиг для агентов /var/ossec/etc/shared/default/agent.conf</p>