Falco - Technological watch
Introduction
Falco is an open-source tool designed to detect threats across any Linux system. It is particularly well-suited for implementation with Kubernetes.
Falco was incubated by the Linux Foundation and is driven by the community. Its creation is credited to the same minds behind Wire Shark, further establishing its credibility in the field.
Unlike tools that analyze images, Falco operates at runtime. This makes it an essential tool for those preparing for the Certified Kubernetes Security Specialist (CKS) exam.
Runtime security focuses on protecting processes (which could be within containers) during their execution. For instance, if a user executes the kubectl exec
command in a production environment, Falco can detect it.
Falco works by capturing syscalls. Syscalls are essentially requests made by processes for services from the kernel. These services could include accessing the hard disk, network, RAM, or communicating with other processes. In this sense, the kernel acts as an orchestrator.
Falco is based on the Linux Kernel or on eBPF Probe.
Functionnalities
Rules
Falco rules are powerful and flexible, allowing you to define the conditions that trigger alerts. Here are some examples derived from the Falco documentation and rule examples:
In this example, we first define a list of shell binaries and then create three macros (shell_procs, container, spawned_process). These macros are used in the shell_in_container rule to detect when a shell is used within a container. If the rule’s conditions are met, Falco will log the event.
You can find more default rules in the Falco documentation:
With Falco, you can trace everything happening on your system. For instance, if user “Alex” attaches to a running Pod, executes a shell, and then uses apt
or apk
to install curl
and ping the Kubernetes API, Falco can detect and log these actions.
Falcosidekick
Falcosidekick is a simple yet powerful tool that complements Falco’s detection capabilities with its notification features.
While Falco is responsible for detecting threats, Falcosidekick takes on the role of notifying. It can send notifications through various channels, including chat platforms like Slack, Teams, or Discord. It also integrates with observability tools like Prometheus, alerting systems like Grafana, log tools like Elasticsearch, and even Function as a Service (FaaS) platforms like AWS Lambda.
You can get the full list here : https://github.com/falcosecurity/falcosidekick?tab=readme-ov-file#outputs
This combination of detection and notification allows for proactive response to events. For example, if someone executes a shell in a Pod, Falcosidekick can trigger an action to kill and restart the Pod. This immediate response can help mitigate potential threats and maintain the security of your system.
Falcosidekick UI
Falcosidekick UI is a user-friendly interface that provides real-time visibility into your cluster’s activities.
Whether you’re troubleshooting an issue or simply keeping an eye on your system’s performance, Falcosidekick UI makes it easy to stay informed in real time.
Falco plugins
With Falco, you can create plugins that can be plugged into any system or platform that generates events.
Here are some examples of how you can use Falco plugins:
- GitHub Webhooks: GitHub sends webhooks for various events happening on your repositories. You can create a Falco plugin to listen to these webhooks.
- Amazon EKS Events: Amazon EKS generates events related to the state and health of your Kubernetes clusters.
- Kubernetes Events: Kubernetes itself generates a multitude of events related to the state of the pods, nodes, and other resources. Falco can tap into this event stream for real-time threat detection and response.
- Docker Events: Docker generates events related to the lifecycle of containers.
- Twitter (X) Events: Even platforms like Twitter, which generate events related to social media interactions, can be monitored using Falco.
Test Falco
Installation
Links:
- https://falco.org/docs/getting-started/falco-kubernetes-quickstart/
- https://falco.org/docs/install-operate/installation/
- https://falco.org/docs/install-operate/deployment/
- https://falco.org/blog/rules-helm-chart-3-0-0/
- https://www.storagefreak.net/2023/02/how-to-set-up-falco-on-kubernetes-a-guide-to-improving-your-container-security
Let’s install Falco with Helm:
Custom rules should be written like this:
You can see the rules with:
Note: depending of your configuration, you may need to add tty: true
to your daemonset.
Let’s simulate suspicious activity
Link:
Let’s create a pod and run a command in it.
Let’s see if Falco logged anything:
Conclusion
In conclusion, Falco, along with its companions Falcosidekick and Falcosidekick UI, provides a comprehensive and robust solution for runtime security. Its ability to detect threats at runtime, coupled with the flexibility of creating plugins for virtually any event-generating platform, makes it a powerful tool in the arsenal of any system administrator or DevOps professional.
Falco can help ensure the security and integrity of your systems. Its open-source nature and active community support further enhance its appeal, making it a go-to choice for runtime security.
Thank you for reading my post, happy clustering! 😊🚀
Atomic design - Technological watch
Learn what is the atomic design in less than 5 minutes !
Redis - Technological watch
Learn what is Redis in less than 5 minutes !
Svelte - Technological watch
Learn what is Svelte in less than 5 minutes !
Jenkins - Technological watch
Learn what is Jenkins in less than 5 minutes !
PicoCSS - Technological watch
Learn what is PicoCSS in less than 5 minutes !
OpenAPI / Swagger - Technological watch
Learn what is OpenAPI / Swagger in less than 5 minutes !
HashiCorp Vault - Technological watch
Learn what is HashiCorp Vault in less than 5 minutes !
RabbitMQ - Technological watch
Learn what is RabbitMQ in less than 5 minutes !