falco: http_output not working, libcurl error: Problem with the SSL CA cert (path? access rights?)

Describe the bug

After installing Falco in a Kubernetes cluster using the official Helm chart, whenever I try to output the results in JSON format to an HTTP endpoint, Falco gives me an SSL error. Isn’t this ca-certificate package supposed to come with the default installation?

How to reproduce it

  1. helm repo add falcosecurity https://falcosecurity.github.io/charts
  2. helm repo update
  3. helm install falco falcosecurity/falco
  4. exec into one of the pods running Falco.
  5. falco -o json_ouput=true http_output.enabled=true http_output.url=<REQUESTBIN_ADDRESS>
  6. exec into another pod (or even the same pod) to generate a Falco event.

Expected behaviour

Falco sends an HTTP call to the endpoint containing the JSON of the syscall it just registered.

Screenshots

  1. Output when running curl <MY_REQUEST_BIN> from inside a pod running Falco:
{"about":"Pipedream is the fastest way to connects APIs. Build and run workflows with code-level control when you need it — and no code when you don't.","event_id":"2GfreizFr8I0hJjji77gNQEoP8Y","workflow_id":"p_LQCDnkR","owner_id":"u_KDh7vnG","deployment_id":"d_zqs7eNxx","timestamp":"2022-10-26T13:22:56.700Z","inspect":"https://pipedream.com/@/p_LQCDnkR","quickstart":"https://pipedream.com/quickstart/"}
  2. Output when Falco receives an event with json_output=true and http_output=true enabled to the same requestbin address:
Fri Oct 21 18:02:03 2022: libcurl error: Problem with the SSL CA cert (path? access rights?)
  3. Command we are running from within the pod: falco -o json_ouput=true -o http_output.enabled=true -o http_output.url=<MY_REQUEST_BIN_ADDRESS>

Environment

  • Falco version: 0.33.0 (x86_64)
  • System info: "machine":"x86_64","nodename":"falco-2tcqs","release":"5.13.0-1031-aws","sysname":"Linux","version":"#35~20.04.1-Ubuntu SMP Mon Jun 13 22:30:30 UTC 2022"
  • Cloud provider or hardware configuration:
  • OS: Debian GNU/Linux 11 (bullseye)
  • Kernel: Linux falco-2tcqs 5.13.0-1031-aws #35~20.04.1-Ubuntu SMP Mon Jun 13 22:30:30 UTC 2022 x86_64 GNU/Linux
  • Installation method: Official Helm Chart

Additional context

TL;DR: We’re trying to use the built-in functionality of HTTP Output that comes with Falco to send JSON output about syscalls that Falco catches inside our containers. The main idea is to understand if this works or Sidekick is the only alternative.
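
The libcurl message in the report names two possible causes, the CA bundle path and its access rights. The following diagnostic is an added example, not part of the original issue or of Falco; it checks both causes for each candidate bundle from inside the pod. The two default paths are assumptions (the usual Debian and RHEL-family locations), since the report does not say which path Falco's libcurl looks up.

```shell
#!/bin/sh
# Added diagnostic, not Falco code. Classifies a CA bundle path along the two
# causes the libcurl message names: "path?" and "access rights?".
# Returns 0 usable, 1 missing, 2 unreadable, 3 readable but no PEM certificates.
check_ca_bundle() {
    bundle=$1
    if [ ! -e "$bundle" ]; then
        echo "MISSING    $bundle"; return 1
    fi
    if [ ! -r "$bundle" ]; then
        echo "UNREADABLE $bundle"; return 2
    fi
    # grep -c exits non-zero when nothing matches (or on a directory): count 0.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" 2>/dev/null) || count=0
    if [ "$count" -eq 0 ]; then
        echo "NO-CERTS   $bundle"; return 3
    fi
    echo "OK         $bundle ($count certificates)"
}

# Checks the default candidates plus any paths passed as arguments.
# Assumption: the two defaults are the Debian (ca-certificates package) and
# RHEL-family bundle locations; they are not taken from Falco's configuration.
scan_ca_bundles() {
    usable=0
    for p in /etc/ssl/certs/ca-certificates.crt \
             /etc/pki/tls/certs/ca-bundle.crt "$@"; do
        if check_ca_bundle "$p"; then usable=$((usable + 1)); fi
    done
    echo "$usable usable bundle(s)"
    [ "$usable" -gt 0 ]
}

scan_ca_bundles "$@" || echo "no usable CA bundle in this container"
```

Run it as the user the Falco process runs as, because root passes the readability check regardless of file mode.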

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 21 (12 by maintainers)

Most upvoted comments

Falco 0.34.1 is out. The patch release should solve this issue. Could you please check it out? cc @movd @exiett

Hi @PaulFurtado, thanks for testing and reporting this. We definitely need to make the CA/certs path configurable.

I’m working on that: #2412. I’m gonna run some tests to make sure that solves the problem!