What is Falco?
We hear about attacks on Linux systems almost every day: hackers and intruders who break into systems for profit, or simply to cause harm. To guard our systems against this kind of attack we need security tools like Falco.
Falco is also a genus name in scientific (taxonomic) classification. It is Late Latin for a falcon, from falx, falcis, meaning “a sickle”, referring to the claws of the bird. Falco’s logo is, obviously, a falcon :)
A typical example of unexpected behavior: spawning a shell in a container is most likely not required by the workload and could be an attack.
Falco is a cloud-native runtime security project originally built by Sysdig Inc. It is mainly focused on being a threat detection engine for Kubernetes.
Falco is the first runtime security project to join the CNCF (Cloud Native Computing Foundation) as an incubation-level project. Falco acts as a security camera, continuously detecting unexpected behavior, configuration changes, intrusions, and data theft in real time.
What does Falco do?
Falco uses system calls to secure and monitor a system, by:
- Parsing the Linux system calls from the kernel at runtime
- Asserting the stream against a powerful rule engine
- Alerting when a rule is violated
Why do we need Falco?
A standard Kubernetes cluster does not provide any mechanism for monitoring such events, so a tool like Falco is required.
Falco makes it possible to monitor such events directly inside the cluster. The events may include:
- Outgoing connections to specific IPs or domains
- Use or mutation of sensitive files such as /etc/passwd
- Execution of system binaries such as su
- Privilege escalation or changes to the namespace
- Modifications in certain folders such as /sbin
Falco Architecture
How to Install Falco
Debian/Ubuntu
Install as a Package
curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add -
echo "deb https://download.falco.org/packages/deb stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list
apt-get update -y
apt-get -y install linux-headers-$(uname -r)
apt-get install -y falco
Install as a DaemonSet
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco falcosecurity/falco
Run Falco as a Service
If you installed Falco by using the DEB or the RPM package, you can start the service by running:
systemctl enable falco
systemctl start falco
You can view the logs using journalctl. This command lets us inspect the events that Falco generates: the -u flag selects the falco unit and the -f flag keeps following the log, so new events are printed on the screen continuously.
journalctl -fu falco
Falco Rules Examples
Example Usage
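The following rules file is an added example and is not part of the original post or of Falco's own default rule set. It shows the two scenarios mentioned above in Falco's rule syntax: a shell spawned inside a container, and a write to the sensitive file /etc/passwd. The list, macro and rule names prefixed with "Example"/"example_" are constructed for this illustration; the fields used (evt.type, evt.dir, container.id, proc.name, fd.name, user.name, container.image.repository and so on) are standard Falco filter fields.

```yaml
# Added example rules file (not from the original post). Saved as
# /etc/falco/falco_rules.local.yaml it is loaded by the default falco.yaml
# after the built-in rules. Names prefixed "example_"/"Example" are constructed
# for this illustration so they do not override Falco's default rules.

# A reusable list of shell binaries.
- list: example_shell_binaries
  items: [bash, sh, zsh, dash, ksh, csh]

# A process is "spawned" when an execve syscall returns (evt.dir = <).
- macro: example_spawned_process
  condition: evt.type in (execve, execveat) and evt.dir = <

# Events coming from inside a container rather than from the host.
- macro: example_in_container
  condition: container.id != host

# Rule 1: a shell was started inside a container.
- rule: Example shell spawned in container
  desc: A shell was started inside a container, which is rarely required by a workload
  condition: >
    example_spawned_process and example_in_container
    and proc.name in (example_shell_binaries)
  output: >
    Shell spawned in a container
    (user=%user.name container=%container.name image=%container.image.repository
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell, example]

# Rule 2: /etc/passwd opened for writing (one of the sensitive files listed above).
- rule: Example write to etc passwd
  desc: A process opened /etc/passwd for writing
  condition: >
    evt.type in (open, openat, openat2) and evt.is_open_write = true
    and fd.name = "/etc/passwd"
  output: >
    /etc/passwd opened for writing
    (user=%user.name proc=%proc.name cmdline=%proc.cmdline container=%container.name)
  priority: ERROR
  tags: [filesystem, sensitive_files, example]
```

To use it, validate the file with "falco -V /etc/falco/falco_rules.local.yaml", then restart the service with "systemctl restart falco"; matching events then show up in "journalctl -fu falco" with the output line and priority defined above. Putting the shared pieces into a list and macros keeps each rule short and lets you tune, for example, which shells count as suspicious in one place.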
Reference Links
https://blog.ti8m.com/Falco.html
https://falco.org/docs/getting-started/
https://www.cncf.io/online-programs/getting-started-with-container-runtime-security-using-falco/
https://github.com/falcosecurity/charts/tree/master/falco