Falco has three main parts:
- Events: a stream of events captured from the kernel (syscall interception via the kernel module or eBPF probe) and from other sources such as the Kubernetes audit log.
- Rules engine: every event in the stream is evaluated against the loaded rules.
- Alerts: an alert is emitted whenever an event matches a rule's condition.
Falco Rules (complete list of the default rules here: https://github.com/falcosecurity/rules/blob/main/rules_inventory/rules_overview.md)
Falco is entirely rule-driven. Examples of what the default rules detect:
- Installation of packages or libraries inside any container
- Creation, deletion, rename and modification of files and folders inside a container after it has started running
- Execution of binaries such as bash, ssh, the docker binary, Debian binaries, VPN clients and mail binaries
- Unusual outbound traffic
- Any ssh connection to/from a container
- Changes to container files made from the host machine
- An attempt to start a pod with a container image outside a list of allowed images (Kubernetes audit log rule)
- An attempt to start a pod with a privileged container (Kubernetes audit log rule)
- An attempt to attach/exec to a pod (Kubernetes audit log rule)
- Creation of a new namespace, etc. (Kubernetes audit log rule)
- Write below root (a write to a file directly below / or /root)
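As an added example (not a rule from the Falco project's default ruleset), here is what the "installation of packages inside a container" case looks like written in Falco's YAML rule format. The list, macro and rule names are this example's own and are prefixed with `ex_` so they do not collide with the macros in falco_rules.yaml; the fields used in the condition (evt.type, evt.dir, proc.name, container.id) and the %-placeholders in the output are standard Falco fields.

```yaml
# Added example, not a rule from the Falco project's default ruleset.
# List, macro and rule names below are this example's own ("ex_" prefix).

- list: ex_pkg_mgr_binaries
  items: [apt, apt-get, dpkg, yum, dnf, rpm, apk, pip, pip3, npm]

# A process has finished exec-ing: match the return side (evt.dir=<)
# of execve/execveat so proc.name already reflects the new image.
- macro: ex_spawned_process
  condition: (evt.type in (execve, execveat) and evt.dir=<)

# Falco reports processes running directly on the host with container.id = "host".
- macro: ex_in_container
  condition: (container.id != host)

- rule: Package Manager Launched in Container (example)
  desc: A package management binary was executed inside a running container
  condition: >
    ex_spawned_process and ex_in_container
    and proc.name in (ex_pkg_mgr_binaries)
  output: >
    Package manager run in container
    (user=%user.name command=%proc.cmdline parent=%proc.pname
    container_id=%container.id container_name=%container.name
    image=%container.image.repository:%container.image.tag)
  priority: WARNING
  tags: [container, software_mgmt, example]
```

The default ruleset already ships a similar rule ("Launch Package Management Process in Container"); the point of the example is the structure: a list of values, macros that name reusable conditions, and a rule that combines them with an output template and a priority. Save it as its own file, check it with `falco -V custom-rules.yaml` (the `-V`/`--validate` flag parses the rules file and exits), and load it through the Helm chart's `customRules` value rather than editing falco_rules.yaml, which is overwritten on upgrade.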
Install with Helm (assumes the falcosecurity chart repo has been added with `helm repo add falcosecurity https://falcosecurity.github.io/charts && helm repo update`; a local copy of the chart directory works in place of falcosecurity/falco):
$ helm install falco falcosecurity/falco -n falco --create-namespace --set falcosidekick.enabled=true --set falcosidekick.webui.enabled=true
a. Falco runs a small web server (port 8765 by default) that serves a /healthz endpoint; the same server is the webhook endpoint that receives Kubernetes audit events when that source is enabled. Check it from inside a Falco pod (the image must contain curl; $POD_NAME is a Falco pod, see below):
$ kubectl -n falco exec -it "$POD_NAME" -c falco -- curl -s localhost:8765/healthz; echo
b. Check which driver (syscall event source) was configured. The driver-loader init container logs one line per Falco pod (the DaemonSet runs one pod per node); driver=module is the kernel module, driver=bpf the eBPF probe:
$ kubectl logs -n falco -l "app.kubernetes.io/name=falco" -c falco-driver-loader --tail=-1 | grep "* Running falco-driver-loader with"
- Running falco-driver-loader with: driver=module, compile=yes, download=yes
- Running falco-driver-loader with: driver=module, compile=yes, download=yes
- Running falco-driver-loader with: driver=bpf, compile=yes, download=yes
- Running falco-driver-loader with: driver=bpf, compile=yes, download=yes
Confirm that the driver was actually loaded on every node:
$ kubectl logs -n falco -l "app.kubernetes.io/name=falco" -c falco-driver-loader --tail=-1 | grep -A 5 "* Success"
c. Trigger a rule and look for the alert. Running `find /root -name id_rsa` inside the Falco pod matches the default rule "Search Private Keys or Passwords" (priority WARNING), so the alert should show up in the falco container's logs:
$ export POD_NAME=$(kubectl get pods --namespace falco -l "app.kubernetes.io/name=falco" -o jsonpath="{.items[0].metadata.name}")
$ kubectl -n falco exec ${POD_NAME} -c falco -- find /root -name "id_rsa"
$ kubectl logs -n falco -l "app.kubernetes.io/name=falco" -c falco | grep Warning
To check more systematically that Falco is working, the event-generator tool performs activities that trigger both the syscall and the Kubernetes audit rules (the command below installs it from a local chart directory with its values file):
$ helm install event-generator event-generator -f event-generator/values.yaml --namespace event-generator --create-namespace
The falcosidekick UI service is of type ClusterIP. It can be changed to NodePort or LoadBalancer to reach it from outside the cluster, but that puts the whole alert stream on the network; for a quick look, a port-forward is enough:
$ kubectl -n falco port-forward service/falco-falcosidekick-ui 2802:2802
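As an added example (not from the Falco or Falcosidekick project docs), the install flags from the `helm install` command above and the UI service exposure discussed here can be kept in one values file instead of a string of `--set` flags. Key names follow the falcosecurity/falco chart, with the Falcosidekick subchart's values nested under `falcosidekick`; `driver.kind` and `webui.service.type`/`port` are assumed to match the chart versions in use and should be checked against `helm show values` for the installed chart.

```yaml
# Added example values file for the falcosecurity/falco Helm chart (not from
# the project docs). Install with:
#   helm install falco falcosecurity/falco -n falco --create-namespace -f values.yaml
# Keys marked "assumed" should be checked against `helm show values falcosecurity/falco`.

driver:
  kind: ebpf            # assumed key; "module" loads the kernel module instead
                        # (this is what the driver-loader log line reports as driver=)

falcosidekick:
  enabled: true         # forward alerts from Falco to Falcosidekick
  webui:
    enabled: true       # deploy the Falcosidekick UI
    service:
      # Default: ClusterIP, reachable only inside the cluster or via
      #   kubectl -n falco port-forward service/falco-falcosidekick-ui 2802:2802
      type: ClusterIP   # assumed key
      port: 2802
      # Exposed variant (not recommended as-is): NodePort or LoadBalancer publishes
      # the UI, and with it every alert, on the network with no network-level
      # restriction. If it must be reachable from outside, front it with an
      # ingress that enforces authentication and restrict source addresses.
      # type: NodePort
```

Keeping these settings in a values file makes the exposure decision reviewable: a change from ClusterIP to NodePort shows up in a diff, whereas a one-off `kubectl edit svc` does not.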