Play by Play Security with Sysdig and Falco

Avinash Patil
2 min read · Apr 28, 2020


Hello Folks,

As part of the Cloud-Native blog series, I would like to share my thoughts on pure security and two open-source delicacies, viz. the Falco and Sysdig projects.

We have already discussed why container security is of the utmost importance; today we will discuss some great container runtime security tools.

DevOps companies like HashiCorp and VMware have already solved the infrastructure problems around Kubernetes.

As far as the CNCF landscape goes, most of the members have solved infrastructure security problems.
When it comes to runtime security, anomaly detection (catching something bad that is not expected to happen) and forensics are critical to understanding the underlying problems and patterns.

Let’s discuss the title of this blog.

There are three actors: Sysdig (an evolution of Wireshark, applied to system calls), Falco (a CNCF project), and analysis based upon the factors below:

1. TCP packets as the source of truth.

2. A cognitive process running on the process namespace.

3. Philosophy in the kernel: Sysdig enriched the strace approach and works by sending events from the kernel to user space.

4. Kernel metrics, Docker or CRI-O context, and audit logs from Kubernetes.

Based upon these security axioms, multi-object-layer security depicts the story of how Falco evolved.

The Falco engine is built on libscap and libsinsp, which are written in C++, and was later donated to the CNCF by Sysdig.

Falco also has a handy API in C++, and implementations in Golang and Python are supported as well.

Falco is mainly compiled and contains support as below:

1. Kernel tracing: Falco consumes the syscall stream from the kernel in user space and exposes a gRPC endpoint to applications.

2. Ring buffer: 16 MB of memory filled with event information by the kernel.

3. Kernel module or eBPF probe: tracing syscalls from the kernel to userland, with the eBPF probe supported from kernel version 4.14 onwards.

Falco Components

Input: syscall events, container context, kernel metadata/audit logs.
Output: TLS gRPC client, webhook, stdout/filesystem.

Falco rules can take action through an HTTP API, and C++ engineers can work directly on the stdout stream.
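To make the input → rules → output pipeline above concrete, here is a small illustrative Python model of it. This is an added example written for this post, not Falco's own code or engine: the events, container ids, user names and rule names are constructed sample data, the condition lambdas stand in for Falco's condition expressions (e.g. `evt.type = execve and container.id != host and proc.name in (shell_binaries)`), and the webhook sink only collects the JSON payloads that a real deployment would POST to an HTTP endpoint.

```python
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# One enriched syscall event, as libsinsp would present it to the rule engine:
# raw syscall fields plus container context. All values below are constructed.
Event = Dict[str, str]

SAMPLE_EVENTS: List[Event] = [
    {"evt.type": "execve", "proc.name": "bash", "proc.cmdline": "bash -i",
     "user.name": "root", "container.id": "9f1c2a3b4d5e", "container.name": "web"},
    {"evt.type": "execve", "proc.name": "nginx", "proc.cmdline": "nginx -g daemon off;",
     "user.name": "www-data", "container.id": "9f1c2a3b4d5e", "container.name": "web"},
    # A shell on the host itself: container.id is the literal "host" in Falco's model.
    {"evt.type": "execve", "proc.name": "bash", "proc.cmdline": "bash",
     "user.name": "avinash", "container.id": "host", "container.name": "host"},
    {"evt.type": "openat", "proc.name": "cat", "proc.cmdline": "cat /etc/shadow",
     "user.name": "root", "container.id": "9f1c2a3b4d5e", "container.name": "web",
     "fd.name": "/etc/shadow"},
]

# Falco priorities, lowest to highest.
PRIORITY_ORDER = ["DEBUG", "INFORMATIONAL", "NOTICE", "WARNING",
                  "ERROR", "CRITICAL", "ALERT", "EMERGENCY"]


@dataclass
class Rule:
    name: str
    condition: Callable[[Event], bool]   # stands in for a Falco condition string
    output: str                          # template with %field placeholders
    priority: str


def in_container(e: Event) -> bool:
    """Equivalent of the Falco macro 'container': container.id != host."""
    return e.get("container.id", "host") != "host"


SHELL_BINARIES = {"bash", "sh", "zsh", "dash"}   # stands in for a Falco list

RULES = [
    Rule("Shell spawned in container",
         lambda e: e["evt.type"] == "execve" and in_container(e)
         and e["proc.name"] in SHELL_BINARIES,
         "Shell spawned in container (user=%user.name container=%container.name cmd=%proc.cmdline)",
         "WARNING"),
    Rule("Sensitive file opened in container",
         lambda e: e["evt.type"] == "openat" and in_container(e)
         and e.get("fd.name") == "/etc/shadow",
         "Sensitive file opened (user=%user.name container=%container.name file=%fd.name)",
         "ERROR"),
]


def render(template: str, event: Event) -> str:
    """Substitute %field.name tokens with event values, like Falco's output formatter."""
    return re.sub(r"%([a-z_.]+)", lambda m: event.get(m.group(1), "<NA>"), template)


def evaluate(events: List[Event], rules: List[Rule] = RULES) -> List[dict]:
    """Run every rule over every event; return Falco-style JSON-ready alerts."""
    alerts = []
    for e in events:
        for r in rules:
            if r.condition(e):
                alerts.append({"rule": r.name, "priority": r.priority,
                               "output": render(r.output, e), "output_fields": e})
    return alerts


class WebhookSink:
    """Collects the payloads a real webhook output would POST over TLS."""
    def __init__(self) -> None:
        self.sent: List[str] = []

    def send(self, alert: dict) -> None:
        self.sent.append(json.dumps(alert))


def dispatch(alerts: List[dict], webhook: WebhookSink,
             min_webhook_priority: str = "WARNING") -> int:
    """Write every alert to stdout; forward those at or above a priority threshold
    to the webhook. Returns the number of alerts forwarded."""
    threshold = PRIORITY_ORDER.index(min_webhook_priority)
    for a in alerts:
        print(json.dumps(a))                      # stdout / filesystem output
        if PRIORITY_ORDER.index(a["priority"]) >= threshold:
            webhook.send(a)
    return len(webhook.sent)


if __name__ == "__main__":
    sink = WebhookSink()
    forwarded = dispatch(evaluate(SAMPLE_EVENTS), sink)
    print(f"forwarded {forwarded} alert(s) to webhook")
```

Note what the host-side `bash` event shows: the same process name is benign on the host and suspicious inside a container, so the container context that libsinsp attaches to each syscall is what makes the rule precise rather than noisy.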

Fundamentals of Security:
1. Lock the door when a malicious thief enters: reactive.
2. Catastrophe strikes: forensics.
3. Prevention: SELinux, RBAC, OPA, but there is no perfect lock.

How Falco solves this with system tracing, compared with the other instrumentation approaches:

1. LD_PRELOAD: hooks glibc, which fundamentally changes your app in unknown ways.

2. Sidecars: share the same system space as the application, i.e. its networking, processes and cgroups.

3. Kernel modules: can crash the kernel; they give total system visibility, but put scary custom logic into the Linux system.


Avinash Patil

Digs and innovates things around DevOps, Cloud-Native, ML, Data and AI