Falco and Falcosidekick UI Detection across Kubernetes

Falco has solidified its position in the cloud native security space by detecting events that give you visibility into your cluster's operations. Your organization most likely has a channel for communicating with incident response or security operations teams, one that routes or disseminates alerts with enough quick context for an analyst to decide whether an event is a real concern or a false positive. Where does Azure Event Hubs fit in? As a messaging queue service in Azure, it is one of the many integrations you can use to route your alerts; AWS SQS/SNS/Kinesis are supported as well.

Prerequisites if you'd like to follow along (I encourage this if you want to learn)

  • AKS Cluster (3 Nodes – Preferred)
  • Helm (the package will be installed through this)

Accessing our cluster via shell

az login

You'll be prompted with the login screen to authenticate. This gives you access to Azure via the CLI, so we can use the CLI to access our cluster programmatically.

az aks get-credentials --resource-group falco-sec --name falco-sec

For this demo I’ve created a resource group named falco-sec and also named my AKS cluster falco-sec for simplicity.

So after we are authenticated to our cluster via the CLI we can now run the following commands to get up and running with Falco.

We will be working out of the following GitHub repo:

https://github.com/falcosecurity/falcosidekick

Falcosidekick is a daemon for connecting Falco to your chosen ecosystem: it takes Falco events and forwards them to different outputs in a fan-out way.

Following along, we will install with Helm:

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

helm install falco falcosecurity/falco --set falcosidekick.enabled=true --set falcosidekick.webui.enabled=true

We should see this output once the install has completed.

Our running pods should now show some changes; let's run the following command:

kubectl get pods -n default

If you want to route to another messaging service, this is how you pass the output settings to helm, as in the example below. If you messed up like I did prior to this, you can run helm uninstall falco.

helm install falco falcosecurity/falco \
  --set falcosidekick.enabled=true \
  --set falcosidekick.webui.enabled=true \
  --set falcosidekick.config.azure.eventHub.name="sugar" \
  --set falcosidekick.config.azure.eventHub.namespace="falco-sec" \
  --set falcosidekick.config.azure.eventHub.minimumpriority="warning"

These are all the values for our Event Hub output. Notice they are prefixed with falcosidekick. before .config, so make sure you follow this naming if you are following along. minimumpriority takes a single priority, not a list; Falco's order is emergency|alert|critical|error|warning|notice|informational|debug, and events at the chosen priority or higher are forwarded to that output (leaving it empty forwards everything).
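As an added example (not from the original post or the Falcosidekick project), here is a small POSIX shell helper that assembles the helm command above, validates minimumpriority against Falco's priority list before handing it to helm, and checks which event priorities an output configured with a given minimum would forward. The hub name and namespace are the ones used above.

```shell
#!/bin/sh
# Falco priorities, highest first. Falcosidekick's minimumpriority must be exactly one of these (or empty).
FALCO_PRIORITIES="emergency alert critical error warning notice informational debug"

# valid_priority PRIO -> 0 if PRIO is empty or one of Falco's priorities, 1 otherwise
valid_priority() {
  [ -z "$1" ] && return 0
  for p in $FALCO_PRIORITIES; do
    [ "$p" = "$1" ] && return 0
  done
  return 1
}

# forwarded EVENT_PRIO MIN_PRIO -> 0 if an event of EVENT_PRIO passes an output whose
# minimumpriority is MIN_PRIO (i.e. the event is at that priority or higher), 1 if dropped
forwarded() {
  [ -z "$2" ] && return 0                 # empty minimum: everything is forwarded
  for p in $FALCO_PRIORITIES; do
    [ "$p" = "$1" ] && return 0           # reached the event's priority at or above the minimum
    [ "$p" = "$2" ] && return 1           # reached the minimum first: event is lower, dropped
  done
  return 1                                # unknown event priority: treat as dropped
}

# build_helm_cmd HUB_NAME HUB_NAMESPACE MIN_PRIO -> prints the helm install command for
# Falco + Falcosidekick with the Azure Event Hub output, or fails on a bad priority value
build_helm_cmd() {
  hub="$1"; ns="$2"; prio="$3"
  if ! valid_priority "$prio"; then
    echo "invalid minimumpriority '$prio' (expected one of: $FALCO_PRIORITIES)" >&2
    return 1
  fi
  printf 'helm install falco falcosecurity/falco'
  printf ' --set falcosidekick.enabled=true'
  printf ' --set falcosidekick.webui.enabled=true'
  printf ' --set falcosidekick.config.azure.eventHub.name=%s' "$hub"
  printf ' --set falcosidekick.config.azure.eventHub.namespace=%s' "$ns"
  printf ' --set falcosidekick.config.azure.eventHub.minimumpriority=%s\n' "$prio"
}

# Usage: print the command (pipe into sh once you are happy with it)
build_helm_cmd sugar falco-sec warning
```

Passing the whole documented list (emergency|alert|...) as the value is rejected by valid_priority, which is the mistake this helper is meant to catch.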

I ran into some issues forwarding to Event Hub that will require some offline troubleshooting; however, the Sidekick UI is provided, and we can reach it with the kubectl port-forward command:

kubectl port-forward pod/falco-falcosidekick-ui-5448d6cc4c-pf8ts 8080:2802

Falcosidekick UI

Navigate to your local browser

http://localhost:8080

This login screen doesn't have a username/password of your own set; you can put in admin/admin. Those are the chart's defaults, so change them before exposing the UI beyond a local port-forward.

This will then get you past that screen and show the sources, priorities, and tags.

We will then select Events

Let’s zoom in further to see the information provided by Falco’s detection engine

Monitoring system calls is vital to understanding whether the underlying containers are performing operations that need further investigation, depending on the context. As we can see, the default rules have a priority order; we can edit the rules further in the /etc/falco folder.

Summary

Falco is a powerful runtime security tool that can be used to detect and alert on abnormal behavior in a Kubernetes cluster. It works by monitoring system calls and other events in real-time, and comparing them against a set of customizable rules. If a rule is triggered, Falco can send an alert to a designated recipient, such as an email address or a messaging service like Slack.

One of the key benefits of using Falco in Kubernetes is that it provides visibility into the behavior of containers and other components running in the cluster. By monitoring system calls and other events, Falco can detect potential security threats or violations of organizational policies. For example, Falco can detect when a container attempts to access a resource it shouldn't, or when a privileged container is spawned. This makes it a valuable tool for ensuring the security and compliance of a Kubernetes environment. Additionally, Falco is highly customizable, allowing users to create their own rules based on their specific security requirements. This means that users can tailor Falco to their own needs, and configure it to detect and alert on the events that are most relevant to their environment. If you plan on sitting for the CKS exam, you'll find that this tool is known as the de facto standard for runtime security. Sysdig has done really well in providing detailed documentation on operations and on getting the lay of the land with customization. Feel free to contribute, as open source only thrives through the community that continuously supports it.