Falco - Runtime Security for Containers.

Security plays a vital role in today’s software applications, where applications are developing and releasing, similarly various types of security tools are also releasing to monitor threats and vulnerabilities for an applications.

While running an applications in various type of systems like bare metal or in containerized applications, such as kubernetes cluster which consists of more number of containers and its too hard to track what’s going on every container inside in it. Still now as per my knowledge there are monitoring tools such as EFK, datadog, prometheus-grafana etc, which monitors the containers and its logs, but don’t know what is happening inside the container and doesn’t tracks what is installed and when is exec into the container.

Falco :-
Falco is an open source runtime security tool developed by Sysdig and it has been CNCF Project since 2018.

Falco uses system calls to secure and monitor a system by parsing the linux system calls from kernal at runtime, it consists of powerful rules engine and alerts when rules are violated.

Falco provides the information mainly on what happens inside the containers, such as when user exec’s inside the container, is any installations were done in containers, any files inside containers are created or removed etc, if any malicious process runs in a container, such information sending as an alert notifications to integrated apps (example Slack, Teams, Google-chat etc.,), Simply it is like a security camera for a containers.

Falco Rules:
Falco rules are written in yaml file and it consists of three types of elements.

Rules: Conditions to generate an alerts and that is accompanied with an output string that is sent with an alert. we can also add our own rules.
Macros: It provides shortcuts for common scenarios and can be used in any user defined rule sets.
Lists: Collection of an items which to be included in macros, rules and other lists. Where lists cannot be parsed as filtering expressions.

Falco Alert: Alerts are configurable downstream that can be as simple as logging to STDOUT. Falco sends an alerts to Syslog, HTTP[s] end point, STDOUT and client through the gRPC API.

Sample rule format:

Example: rule format view.

Falco checks for:

Falco launches with default rules that checks the kernel for unusual behaviour such as:

  • Unexpected network connections or socket mutations
  • SSH connections from one container to other container.
  • Ownership and Mode changes
  • Executing binaries likes shells such as bash, sh etc.
  • Creating files, renaming, deletion of files.
  • Executing secure copy protocol(scp) of files to any container.
  • Deletion of pods/containers and exec into containers.
  • New namespace creation etc.

Rules Priorities:
Every rule has a priority depends on how serious a rule violoations are. Some of the priorities are:
EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFORMATIONAL, DEBUG.

Falco operates at the user space and kernel space, major components are,
Driver, Policy engine, Libraries and Falco rules.

Lets have a look on setting up Falco :
We can install the falco with packages as well as via helm., In this section will install with helm.

Driver : Is used to send a stream of system call data, we cannot run falco without installing a falco-driver. Installation of Driver:

Debian/Ubuntu :
1.
Add the falco GPG key, configure the apt repository and apt update :

curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add -
echo "deb https://download.falco.org/packages/deb stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list
apt-get update -y

2. Install kernel headers:

apt-get -y install linux-headers-$(uname -r)

3. Install Falco:

apt-get install -y falco

4. Uninstall Falco:

apt-get remove falco

After installing falco driver, now we are ready to install falco helm chart with required flags enable to integrate with other apps for alert messages, for falco user-interface etc.,

Add helm repository:

helm repo add falcosecurity https://falcosecurity.github.io/chartshelm repo update

Now install the chart with required set flags .

helm upgrade -i falco falcosecurity/falco \
- set falcosidekick.enabled=true \
- set falcosidekick.webui.enabled=true \
- set auditLog.enabled=true \
- set falco.jsonOutput=true \
- set falco.fileOutput.enabled=true \
- set falcosidekick.config.slack.webhookurl="<<web-hook-url>>"

The above helm command is used to install falco chart with falco release name, and it is integrated with slack to send the alert notifications.

Here we provided flags that enables falco webui, auditLogs, output stream format and slack endpoint url to send notifications.

Now installation is done and ready to view the falco web-UI,

To view the web-ui, port-forward the service falcosidekick-ui of port 2802 to localhost.

Falco Dashboard

Falco consists of events which logs all the container runtime process, I have integrated falco with slack, it should send and alert when i exec into container. Lets test that.

Slack Notification

Notified with some information such as rule, priority, when tried to exec into a pod/container and similarly same logs can be seen in web-ui as well.

events of containers in falco web-ui

In the above image, we are able to observe Notice (when exec into container) and Error (when created a file).

Conclusion: Falco is a Linux security tool that uses system calls to secure and monitor a system. which helps us in securing of containers from unauthorised access, alerts when exec inside containers, if any malicious process runs, etc…

Thanks for reading!

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

For more information about Falco, Please refer: https://falco.org/docs/

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store