falco: Falco service "active (exited)" on Ubuntu 16.04 (systemd)

Hello!

I am currently running Falco 0.14.0 on production instances and I noticed Falco stopped running on multiple Ubuntu 16.04 hosts.

root@some-host:/var/run# service falco status
● falco.service - LSB: Falco syscall activity monitoring agent
   Loaded: loaded (/etc/init.d/falco; bad; vendor preset: enabled)
   Active: active (exited) since Mon 2019-05-27 05:58:49 UTC; 4 days ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 0
   Memory: 0B
      CPU: 0

After discussing with @fntlnz, the issue is most likely caused by the lack of a systemd unit definition, so systemd doesn't know what it needs to do.

Issue #484 is related to this one, but in my case Falco stopping and not restarting looks more like a bug. 🙂

Thanks for the help!

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 26 (16 by maintainers)

Most upvoted comments

Hello again!

The current systemd falco.service file (/run/systemd/generator.late/falco.service) content is:

# Automatically generated by systemd-sysv-generator

[Unit]
Documentation=man:systemd-sysv-generator(8)
SourcePath=/etc/init.d/falco
Description=LSB: Falco syscall activity monitoring agent
Before=multi-user.target
Before=multi-user.target
Before=multi-user.target
Before=graphical.target
Before=shutdown.target
After=remote-fs.target
After=systemd-journald-dev-log.socket
Conflicts=shutdown.target

[Service]
Type=forking
Restart=no
TimeoutSec=5min
IgnoreSIGPIPE=no
KillMode=process
GuessMainPID=no
RemainAfterExit=yes
ExecStart=/etc/init.d/falco start
ExecStop=/etc/init.d/falco stop

The one suggested by @juju4 is:

[Unit]
Description=Falco: Container Native Runtime Security

[Service]
Type=simple
User=root
ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
UMask=0077
TimeoutSec=30
RestartSec=15s
#Restart=always
Restart=on-failure
PrivateTmp=true
NoNewPrivileges=yes
ProtectHome=read-only
ProtectSystem=full
ProtectKernelTunables=true
RestrictRealtime=true
#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictAddressFamilies=~AF_PACKET
SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @privileged
# FIXME!
#   PANIC: unprotected error in call to Lua API (runtime code generation failed, restricted kernel?)
#   https://www.freelists.org/post/luajit/luajit-crashes-with-grsec-kernel,1
#MemoryDenyWriteExecute=true
#PrivateMounts=true

[Install]
WantedBy=multi-user.target

The Type change (from Type=forking to Type=simple) and the Restart=on-failure should help!
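Added example (not code from the issue or the Falco project): a small Python audit of a unit file that flags the three settings which together produce the "active (exited)" state with no restart, and tolerates repeated keys the way systemd does; the two unit excerpts are constructed from the files quoted above.

```python
"""Audit a systemd unit for the failure mode in this issue: a sysv-generated
unit (Type=forking, RemainAfterExit=yes, Restart=no) stays 'active (exited)'
after the Falco process dies. The two unit excerpts below are constructed."""
from collections import defaultdict

GENERATED_UNIT = """[Service]
Type=forking
Restart=no
GuessMainPID=no
RemainAfterExit=yes
ExecStart=/etc/init.d/falco start
"""
SUGGESTED_UNIT = """[Service]
Type=simple
ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
Restart=on-failure
PrivateTmp=true
PrivateTmp=true
"""

def parse_unit(text):
    """Return {section: {key: [values]}}; repeated keys are kept (lists/last wins)."""
    unit = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # comment or blank line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section is not None and "=" in line:
            key, _, value = line.partition("=")
            unit[section][key.strip()].append(value.strip())
    return unit

def setting(unit, key, default):
    """Effective [Service] value for a scalar key (last occurrence wins)."""
    values = unit["Service"].get(key)
    return values[-1] if values else default

def audit(text):
    """List why this unit can report 'active (exited)' while Falco is dead."""
    unit = parse_unit(text)
    findings = []
    if setting(unit, "Type", "simple") == "forking" and not unit["Service"].get("PIDFile"):
        findings.append("Type=forking without PIDFile: systemd may lose track of the daemon")
    if setting(unit, "RemainAfterExit", "no") == "yes":
        findings.append("RemainAfterExit=yes: unit stays active after its process exits")
    if setting(unit, "Restart", "no") == "no":
        findings.append("Restart=no: a crashed daemon is never restarted")
    return findings
```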