3 main areas for Falco: Events (introduced by Kernel, SysCalls interceptions, ..) Powerful Rules Engine where the stream of events is asserted And Alerts are triggered when a rule is violated

Falco is all based on rules. Example rules could be:

1. Installation of packages, libraries inside any container
2. Creation, deletion, rename and modification of files and folders inside the container after it starts running
3. Execution of binaries like bash, ssh, docker binary, debian binaries, vpn client, mail binaries
4. Unusual outbound traffic
5. Any ssh connection to/from container
6. Change of container files from host machine
7. Detect an attempt to start a pod with a container image outside of a list of allowed images.
8. Detect an attempt to start a pod with a privileged container
9. Attempt to attach/exec to a pod
10. Creation of new namespace etc.
11. Write Below root

   helm install falco falco/  -n falco --set falcosidekick.enabled=true --set falcosidekick.webui.enabled=true

a. Falco has a webserver that captures K8S events

  kubectl exec -it "$container" -- curl -s localhost:8765/healthz; echo

b. Check with source of events is configured

$ kubectl logs -n falco -l "app.kubernetes.io/name=falco" -c falco-driver-loader --tail=-1 | grep "* Running falco-driver-loader with"

• Running falco-driver-loader with: driver=module, compile=yes, download=yes
• Running falco-driver-loader with: driver=module, compile=yes, download=yes

• Running falco-driver-loader with: driver=bpf, compile=yes, download=yes
• Running falco-driver-loader with: driver=bpf, compile=yes, download=yes

  $ kubectl logs -n falco -l "app.kubernetes.io/name=falco" -c falco-driver-loader --tail=-1 | grep -A 5 "* Success"

  $ export POD_NAME=$(kubectl get pods --namespace falco -l "app.kubernetes.io/name=falco" -o jsonpath="{.items[0].metadata.name}")
  $ kubectl -n falco exec ${POD_NAME} -- find /root -name "id_rsa"

  $ kubectl logs -n falco -l "app.kubernetes.io/name=falco" | grep Warning

If you’d like to check if Falco is working properly, we have the event-generator tool that can perform an activity for both our syscall and k8s audit related rules.

helm install event-generator event-generator -f event-generator/values.yaml --namespace event-generator

We have falcosidekick ui service which is clusterIP. You can change it to Nodeport or LoadBalancer to access it from outside the cluster

kubectl -n falco port-forward service/falco-falcosidekick-ui 2802:2802