Falco

Elman Badalov
5 min read · May 30, 2021

Hi everyone, it's me again 😌. Today I am going to talk about Falco, a tool we have been hearing about frequently lately. I will answer questions such as "What is Falco?", "Where do we use it in our work?" and "How can it help us in the DevOps field?", and then I will show you how to set it up in a local environment with a hands-on walkthrough. Are you ready? Let's get started 😊

What is Falco?

Falco is an open source runtime security tool that helps us secure a range of environments, and it is the threat detection engine most commonly used with Kubernetes, which we rely on heavily in cloud engineering. Falco was created by Sysdig in 2016 and was later donated to the CNCF. At runtime it watches the system calls made by the processes in our containers, compares them against a set of rules and raises an alert whenever an application does something unexpected, such as spawning a shell or reading a sensitive file.

Why Falco?

As you know, we look for best-practice solutions when working with a Kubernetes cluster, and we have to provide them on the security side as well. Our applications run on the cluster, so we must be aware of every dangerous operation performed in its pods, and we need the right logs in order to inform our customers accurately about cluster-level problems rather than application problems. We log meticulously in order to keep customer satisfaction high.

Falco helps here. It taps into the Linux kernel's system call stream (through a kernel module or an eBPF probe) and, optionally, the Kubernetes audit log, evaluates the events against its rules and raises an alert on dangerous behaviour. This lets us protect our containers, especially in a Kubernetes environment, and gives us threat detection at runtime rather than after the fact. Through the Kubernetes audit log we can also see who is acting on the cluster and which risky operations they perform, and we can forward these alerts to a Slack channel so that the whole team is aware of them. In short, Falco is a good choice for logging every dangerous step taken in a pod and turning it into an alarm; it integrates easily into our environment and is simple to use.

Now let's take a closer look at the kinds of activity we can detect with Falco:

1- A shell being opened inside a container (for example via kubectl exec)
2- A container mounting a sensitive host path as a volume
3- Reading or modifying sensitive files such as /etc/shadow
4- Installing a new package inside a running container
5- A process opening an unexpected network port
6- etc.

Hands-On

To install Falco we need a running Kubernetes cluster (here a local kind cluster, as the node names in the output below show) and Helm.

1- helm repo add falcosecurity https://falcosecurity.github.io/charts
Output: "falcosecurity" has been added to your repositories

2- helm repo update
Output: Hang tight while we grab the latest from your chart repositories…
…Successfully got an update from the "falcosecurity" chart repository
Update Complete. ⎈Happy Helming!⎈

3- helm install falco falcosecurity/falco
Output:
NAME: falco
LAST DEPLOYED: Fri Oct 16 07:06:24 2020
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES: Falco agents are spinning up on each node in your cluster. After a few seconds, they are going to start monitoring your containers looking for security issues. No further action should be required.

4- kubectl get pod -o wide
Output:
falco-cgvxc 1/1 Running 0 6m53s kind-control-plane
falco-f9526 1/1 Running 0 6m53s kind-worker2
falco-rx2gj 1/1 Running 0 6m53s kind-worker

We have successfully installed Falco: it runs as a DaemonSet, so there is one Falco pod on each of the three nodes. Now we need to complete the following steps to test it.

TEST:

To start testing, we need an ordinary workload to misbehave in, so we create an nginx pod.

1- kubectl run nginx --image=nginx
Output:
nginx 1/1 Running 0 2m kind-worker

Now, when we open a shell in the nginx pod with kubectl exec and perform one of the dangerous actions listed above, for example reading /etc/shadow, Falco records an alert. Each Falco pod only sees the node it runs on, so the alert appears in the Falco pod on the same node as nginx (kind-worker here, i.e. falco-rx2gj in the output above), and we can read it with kubectl logs on that pod.

Creating an alarm

To create an alarm in Falco, we first decide which output type we want and then enable the corresponding section in falco.yaml (/etc/falco/falco.yaml in the Falco container; when Falco is installed with Helm, the same settings are exposed as chart values rather than edited inside the pod).

For standard output, we need these lines in falco.yaml:

stdout_output:
  enabled: true

Output: 10:20:05.408091526: Warning Sensitive file opened for reading by non-trusted program (user=root command=cat /etc/shadow file=/etc/shadow)

For file:

file_output:
  enabled: true
  keep_alive: false
  filename: ./events.txt

This way we write the alerts to a file. The filename is relative to Falco's working directory, so inside a pod it is better to point it at a mounted volume; otherwise the events are lost when the pod restarts.

For sending email:

program_output:
  enabled: true
  keep_alive: false
  program: mail -s "Falco Notification" someone@example.com

For sending notification to Slack channel:

# Whether to output events in json or text
json_output: true

program_output:
  enabled: true
  program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"

After filling in the Slack webhook URL, every alert arrives in the channel as a message whose text is the Falco output line. Note that with keep_alive left at its default of false, Falco starts this jq/curl pipeline once per alert, and the webhook URL sits in plain text in falco.yaml, so treat that file as a secret.
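As an added example (not code from the article or from the Falco project), here is the same forwarding done with a small Python program instead of the jq/curl pipeline. It reads Falco's json_output events from stdin, drops anything below a chosen priority, and builds a Slack incoming-webhook payload. The environment variable names SLACK_WEBHOOK_URL and FALCO_MIN_PRIORITY, the colour values and the sample events are assumptions made for this example; the JSON field names (output, priority, rule, time, output_fields) are the ones Falco emits when json_output is true.

```python
"""falco_slack.py: Falco program_output handler (added example).

With json_output: true, Falco writes each alert to the program's stdin as a
single JSON object. This script filters by priority, builds a Slack payload
and either posts it or, with no webhook configured, prints it (dry run).
"""
import json
import os
import sys
import urllib.request

# Falco priority names, most severe first (these are the names Falco emits).
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# Slack attachment colours per priority (values chosen for this example).
COLORS = {"Emergency": "#8B0000", "Alert": "#8B0000", "Critical": "#FF0000",
          "Error": "#FF0000", "Warning": "#FFA500", "Notice": "#FFD700",
          "Informational": "#1E90FF", "Debug": "#808080"}

# output_fields worth showing as Slack fields when the rule emitted them.
CONTEXT_KEYS = ["k8s.ns.name", "k8s.pod.name", "container.id",
                "proc.cmdline", "user.name"]


def priority_rank(name):
    """Rank a Falco priority: 0 is most severe. Unknown or missing names rank
    as most severe so that a malformed or future priority is never dropped."""
    try:
        return PRIORITIES.index(str(name).capitalize())
    except ValueError:
        return 0


def should_forward(event, min_priority="Warning"):
    """True when the event is at least as severe as min_priority."""
    return priority_rank(event.get("priority")) <= priority_rank(min_priority)


def slack_payload(event):
    """Turn one Falco JSON event into a Slack incoming-webhook payload."""
    priority = event.get("priority", "Unknown")
    fields = event.get("output_fields") or {}
    context = [{"title": k, "value": str(fields[k]), "short": True}
               for k in CONTEXT_KEYS if k in fields]
    return {
        "text": f"*Falco {priority}*: {event.get('rule', 'unknown rule')}",
        "attachments": [{
            "color": COLORS.get(priority, "#808080"),
            "text": event.get("output", ""),
            "fields": context,
            "footer": f"falco {event.get('time', '')}",
        }],
    }


def handle_line(line, min_priority="Warning"):
    """Parse one line of Falco output. Returns a Slack payload, or None for
    blank lines, non-JSON lines, non-object JSON and events below the
    minimum priority."""
    line = line.strip()
    if not line:
        return None
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or not should_forward(event, min_priority):
        return None
    return slack_payload(event)


def post_to_slack(payload, webhook_url):
    """POST the payload to a Slack incoming webhook; returns the HTTP status."""
    req = urllib.request.Request(
        webhook_url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def run(lines, min_priority="Warning", webhook_url=None):
    """Process an iterable of output lines; returns the payloads that passed
    the filter and posts them only when a webhook URL is given."""
    sent = []
    for line in lines:
        payload = handle_line(line, min_priority)
        if payload is None:
            continue
        if webhook_url:
            post_to_slack(payload, webhook_url)
        sent.append(payload)
    return sent


# Constructed sample lines in the shape of Falco's json_output (not captured
# from a real cluster): one Warning, one Notice, one line that is not JSON.
SAMPLE_LINES = [
    json.dumps({"output": "10:20:05.408091526: Warning Sensitive file opened "
                          "for reading by non-trusted program (user=root "
                          "command=cat /etc/shadow file=/etc/shadow)",
                "priority": "Warning", "rule": "Read sensitive file untrusted",
                "time": "2021-05-30T10:20:05.408091526Z",
                "output_fields": {"user.name": "root",
                                  "proc.cmdline": "cat /etc/shadow",
                                  "fd.name": "/etc/shadow",
                                  "container.id": "3b0a4b1a2c3d",
                                  "k8s.pod.name": "nginx",
                                  "k8s.ns.name": "default"}}),
    json.dumps({"output": "10:21:00.000000000: Notice A shell was spawned in a "
                          "container with an attached terminal (user=root "
                          "shell=bash container_id=3b0a4b1a2c3d)",
                "priority": "Notice", "rule": "Terminal shell in container",
                "time": "2021-05-30T10:21:00.000000000Z",
                "output_fields": {"user.name": "root", "proc.name": "bash",
                                  "container.id": "3b0a4b1a2c3d"}}),
    "not json at all",
]

if __name__ == "__main__":
    # SLACK_WEBHOOK_URL and FALCO_MIN_PRIORITY are names assumed for this
    # example. Without a webhook the payloads are printed instead of posted.
    webhook = os.environ.get("SLACK_WEBHOOK_URL")
    minimum = os.environ.get("FALCO_MIN_PRIORITY", "Warning")
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    for payload in run(source, minimum, webhook):
        if not webhook:
            print(json.dumps(payload))
```

To use it, set program_output.program to something like "python3 /path/to/falco_slack.py" (path assumed). With keep_alive: false Falco starts the program once per alert and writes one JSON line to its stdin; with keep_alive: true it keeps a single process running and streams lines to it, and the script handles both the same way. The webhook URL comes from the environment rather than from falco.yaml, so in a pod it can be populated from a Secret; anyone holding that URL can post to the channel. For production use, the falcosecurity project's Falcosidekick does this forwarding for Slack and many other destinations.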

Today I have tried to explain Falco step by step. I hope you enjoyed reading it. Happy reading… 😊

To read the Turkish version of the article, please click on the link below:

https://thebadalov.medium.com/falco-c86ac22977f5
