@Rafisto
Last active June 25, 2024 16:39
A brief look at falcosecurity

Falco Quickstart Guide

Falco is an open-source runtime security tool specifically designed for Kubernetes environments.

Key Features of Falco:

  • Runtime Security Monitoring: Observes system calls to detect and alert on unexpected behavior.
  • Kubernetes Native: Integrates with the OS (via a kernel module or eBPF probe), container runtimes and Kubernetes; Kubernetes-specific rules are available.
  • Alerting: Pushes alerts to alerting systems such as Slack.

Installation and Management of Falco on Kubernetes

Downloading the Helm Chart

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

Installing the Falco Chart

See chart configuration

helm install falco -n falco --set driver.kind=ebpf --set tty=true falcosecurity/falco

Kernel Version Compatibility

To install Falco successfully, the nodes must run a kernel version for which a driver is available. The error logs below show the driver loader failing to download a prebuilt driver:

2024-04-03 06:34:20 INFO  Trying to download a driver.
2024-04-03T06:34:21.076347658Z └ url: https://download.falco.org/driver/7.0.0%2Bdriver/x86_64/falco_almalinux_4.18.0-348.12.2.el8_5.x86_64_1.ko
2024-04-03T06:34:21.076356135Z 2024-04-03 06:34:21 WARN  Non-200 response from url. code: 404
2024-04-03 06:34:21 WARN  unable to find a prebuilt driver
[...]
Please install the linux-headers-4.18.0-348.12.2.el8_5.x86_64 package or use the --kernelsourcedir option to tell DKMS where it's located.

This indicates that no prebuilt driver is published for kernel version 4.18.0-348.12.2.el8_5.x86_64, which may be deprecated. The solution is to reinstall the OS on the nodes with a newer kernel version to ensure compatibility.
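Before rolling Falco out to a node, it is worth checking whether a prebuilt driver exists for its kernel, so that the 404 above is caught ahead of time instead of on the DaemonSet. The following added example (not part of the gist or of Falco's own driver loader) reproduces the download URL layout visible in the log, `<base>/<driver_version>/<arch>/falco_<distro>_<kernel_release>_<kernel_build>.ko`, and performs a HEAD request against it. Assumptions: the trailing `_1` in the file name is taken to be the build number from `uname -v`, the distro segment to be the `ID=` value from `/etc/os-release`, and the eBPF probe to use the same naming with a `.o` suffix.

```python
"""Pre-flight check: is a prebuilt Falco driver published for this node's kernel?
Added example; URL layout inferred from the 404'd URL in the driver-loader log."""
import os
import re
import urllib.error
import urllib.parse
import urllib.request

DRIVER_BASE_URL = "https://download.falco.org/driver"
# Assumed: the log shows ".ko" for the kernel module; the eBPF probe is assumed
# to use the same file name with a ".o" suffix.
DRIVER_EXT = {"kmod": "ko", "ebpf": "o"}


def kernel_build_number(uname_v: str) -> str:
    """Leading build number of `uname -v`, e.g. '#1 SMP Wed Jan 19 ...' -> '1'.
    Assumed to be the trailing '_1' of the driver file name in the log."""
    m = re.match(r"#(\d+)", uname_v.strip())
    if not m:
        raise ValueError(f"cannot find build number in {uname_v!r}")
    return m.group(1)


def distro_id(os_release_text: str) -> str:
    """ID= value from /etc/os-release content, quotes stripped (e.g. 'almalinux')."""
    for line in os_release_text.splitlines():
        if line.startswith("ID="):
            return line[3:].strip().strip('"').strip("'")
    raise ValueError("no ID= line in os-release content")


def prebuilt_driver_url(driver_version, arch, distro, kernel_release,
                        kernel_build, kind="kmod"):
    """Compose the download URL exactly as it appears in the log:
    <base>/<driver_version>/<arch>/falco_<distro>_<kernel_release>_<kernel_build>.<ext>
    The '+' in '7.0.0+driver' is percent-encoded as %2B, as in the log."""
    name = f"falco_{distro}_{kernel_release}_{kernel_build}.{DRIVER_EXT[kind]}"
    version = urllib.parse.quote(driver_version, safe="")
    return f"{DRIVER_BASE_URL}/{version}/{arch}/{name}"


def prebuilt_driver_status(url: str, timeout: float = 10) -> int:
    """HEAD the URL and return the HTTP status: 200 means a prebuilt driver exists,
    404 is the 'unable to find a prebuilt driver' case from the log (needs network)."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def local_driver_url(driver_version: str, kind: str = "kmod") -> str:
    """Compose the URL for the kernel this script runs on (Linux only)."""
    u = os.uname()
    with open("/etc/os-release", encoding="utf-8") as fh:
        distro = distro_id(fh.read())
    return prebuilt_driver_url(driver_version, u.machine, distro, u.release,
                               kernel_build_number(u.version), kind)


if __name__ == "__main__":
    # The driver version must match the Falco release being installed
    # ("7.0.0+driver" is the one from the log above).
    for kind in ("kmod", "ebpf"):
        url = local_driver_url("7.0.0+driver", kind)
        status = prebuilt_driver_status(url)
        verdict = "available" if status == 200 else f"not available (HTTP {status})"
        print(f"{kind}: {verdict}  {url}")
```

Run it on each node (or in a privileged pod with the host's `/etc/os-release` mounted) before the Helm install; a 404 for both kinds means the loader will fall back to building the driver, which needs the matching `linux-headers` package named in the log, or the node needs a kernel for which a prebuilt driver is published.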

Enabling HTTP Output in Falco

Falco supports HTTP output for sending alerts to an external system. To enable HTTP output, modify the Falco configuration file:

http_output:
    enabled: true # change here from false to true

The configuration also allows specifying the push URL and mTLS settings.

Example of Detecting Suspicious Activity

To demonstrate Falco's capabilities, let's simulate suspicious activity in a Kubernetes environment.

Running a Suspicious Pod

kubectl run alpine-000 -n rv-jump --image alpine -- sh -c "sleep infinity"

Executing Multiple Commands in the Suspicious Pod

for i in {1..10}; do
    kubectl exec -it alpine-000 -n rv-jump -- sh -c "uptime"
done

Falco Logs

Example of a critical alert for executing a binary that is not part of the base image:

Critical Executing binary not part of base image proc_exe=.

Example of a notice for a shell spawned in a container:

Notice A shell was spawned in a container with an attached terminal (user=. user_uid=. user_loginuid=. process=. proc_exepath=/. parent=. command=. terminal=. exe_flags=. container_id=. container_image=. container_image_tag=. container_name=. k8s_ns=. k8s_pod_name=.)
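A collector on the receiving end of `http_output`, or a script reading the lines above from the pod logs, needs to turn these alerts into structured records before it can route them. The following added example (not part of the gist or of Falco) parses both shapes: the plain text line, `<Priority> <message> (key=value ...)`, as quoted above, and the JSON object Falco posts when `http_output` is enabled. The sample values are constructed, since the gist redacts them as `.`; the JSON key names (`priority`, `rule`, `output`, `output_fields`, `time`, `hostname`, `source`) are assumed from Falco's JSON output format, and the priority-to-destination policy in `route` is a constructed example policy.

```python
"""Parse Falco alerts (text lines and http_output JSON) and route them by priority.
Added example; sample alerts are constructed, not real captured output."""
import json
import re

# Falco priorities, most to least severe.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]
TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+:\s+")       # optional "HH:MM:SS.nnnnnnnnn: " prefix
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\)?\s*$)")  # key=value; value may contain spaces

# Constructed samples in the shape of the two lines quoted above.
SHELL_LINE = ("Notice A shell was spawned in a container with an attached terminal "
              "(user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/bin/busybox "
              "parent=runc command=sh -c uptime terminal=34816 exe_flags=<NA> "
              "container_id=3e1f2a9b8c7d container_image=docker.io/library/alpine "
              "container_image_tag=latest container_name=alpine-000 k8s_ns=rv-jump "
              "k8s_pod_name=alpine-000)")
EXEC_LINE = "Critical Executing binary not part of base image proc_exe=/tmp/dropped"
# Constructed body as Falco would POST it with http_output enabled (key names assumed
# from Falco's JSON output format; output_fields uses Falco's dotted field names).
HTTP_PAYLOAD = json.dumps({
    "priority": "Critical",
    "rule": "constructed-example-rule",
    "time": "2024-06-25T06:41:02.123456789Z",
    "hostname": "node-1",
    "source": "syscall",
    "output": "06:41:02.123456789: " + EXEC_LINE
              + " container_name=alpine-000 k8s_ns=rv-jump k8s_pod_name=alpine-000",
    "output_fields": {"proc.exe": "/tmp/dropped", "container.name": "alpine-000",
                      "k8s.ns.name": "rv-jump", "k8s.pod.name": "alpine-000"},
})


def parse_text_alert(line: str) -> dict:
    """'<Priority> <message> (key=value ...)' -> {priority, message, fields}."""
    line = TS_RE.sub("", line.strip())
    priority, _, rest = line.partition(" ")
    if priority not in PRIORITIES:
        raise ValueError(f"unknown Falco priority: {priority!r}")
    first = FIELD_RE.search(rest)
    if first is None:
        return {"priority": priority, "message": rest, "fields": {}, "rule": None}
    # Message is everything before the first key=value; drop the opening parenthesis.
    message = rest[:first.start()].rstrip().rstrip("(").rstrip()
    fields = {m.group(1): m.group(2) for m in FIELD_RE.finditer(rest[first.start():])}
    return {"priority": priority, "message": message, "fields": fields, "rule": None}


def parse_json_alert(payload) -> dict:
    """http_output JSON (string or dict) -> the same shape as parse_text_alert.
    Prefers output_fields (dotted names) over fields parsed from the text output."""
    alert = json.loads(payload) if isinstance(payload, str) else payload
    try:
        parsed = parse_text_alert(alert["output"])
    except ValueError:
        parsed = {"message": alert["output"], "fields": {}}
    return {"priority": alert["priority"], "message": parsed["message"],
            "fields": alert.get("output_fields") or parsed["fields"],
            "rule": alert.get("rule")}


def route(alert: dict) -> dict:
    """Constructed policy: Error and above page someone, Warning/Notice open a ticket,
    the rest is only logged. The workload label prefers namespace/pod when present."""
    rank = PRIORITIES.index(alert["priority"])
    if rank <= PRIORITIES.index("Error"):
        destination = "page"
    elif rank <= PRIORITIES.index("Notice"):
        destination = "ticket"
    else:
        destination = "log"
    f = alert["fields"]
    ns = f.get("k8s.ns.name") or f.get("k8s_ns")
    pod = f.get("k8s.pod.name") or f.get("k8s_pod_name")
    if ns and pod:
        workload = f"{ns}/{pod}"
    else:
        workload = f.get("container.name") or f.get("container_name") or "host"
    return {"destination": destination, "workload": workload,
            "priority": alert["priority"], "message": alert["message"]}


if __name__ == "__main__":
    for alert in (parse_text_alert(SHELL_LINE), parse_text_alert(EXEC_LINE),
                  parse_json_alert(HTTP_PAYLOAD)):
        print(json.dumps(route(alert)))
```

`FIELD_RE` stops a value at the next ` key=` token rather than at the next space, so values such as `command=sh -c uptime` survive intact; the trailing `)` of the text format is left unconsumed by the lookahead. When `http_output` is in use, `output_fields` is the better source for routing because its names (`k8s.pod.name`, `container.name`) are stable across rules, while the text fields depend on each rule's output template.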
