Falco is a runtime security tool that monitors kernel system calls and Kubernetes audit log events to detect risky and malicious behaviour. It comes with a large set of detection rules created and curated by Falco's developers that cover many cases to help you strengthen your infrastructure's security posture.
This repository contains Vagrant boxes to test a Falco installation, as well as boxes with Falco preinstalled so you can jump straight into writing new rules.
You can find more information about all things Falco at their website, their GitHub repo, and on Twitter @falco_org.
- Any operating system: Linux, Windows, MacOs
- VirtualBox (required by Vagrant)
- Vagrant
- Any code editor
Falco runs only on a Linux kernel, so everyone uses a Vagrant virtual machine: it gives a standard environment in which anyone can follow the workshop with the same set of instructions.
To use one of the boxes (virtual machines), use:

```sh
# go to the folder of the box
cd box1
# start virtual machine
vagrant up
# log into virtual machine
vagrant ssh
# to run a command with sudo, the password for the user 'vagrant' is 'vagrant'
# to use 'su', set a password for root (not set by default)
sudo passwd root
# or use it with sudo
sudo su
# exit Vagrant box
exit
# halt Vagrant box
vagrant halt
# completely destroy Vagrant box content
vagrant destroy -f
```
From box2 onwards, each box syncs the main folder where you cloned the repo with /workshop in the virtual machine using NFS. This may require administrative privileges on your computer, so Vagrant will prompt for your password. Note that it is not asking for the Vagrant user's password, but for the password of your current user on your own machine, in order to start the sync process.
If you want to connect your Visual Studio Code to the Vagrant box, follow these instructions: https://medium.com/@lopezgand/connect-visual-studio-code-with-vagrant-in-your-local-machine-24903fb4a9de
box1: A clean Debian 10 installation
box2:
- Debian 10
- NFS shared folder /workshop
- Falco installed
box3:
- Debian 10
- NFS shared folder /workshop
- Docker
- Script to install Falco using Docker at: /workshop/box3/install_falco_using_docker.sh
box4:
- 8 GB memory for VM
- Debian 10
- NFS shared folder /workshop
- Docker
- Kubectl
- Helm
- Minikube
- Minikube cluster started using native host
box5:
- 8 GB memory for VM
- Debian 10
- NFS shared folder /workshop
- Docker
- Kubectl
- Helm
- Minikube
- Minikube cluster started using native host
- Falco kernel module loaded in the vm host using Docker
- Script to install Falco in Minikube with Kubernetes audit log enabled at: /workshop/box4/install_helm_falco.sh
```sh
sudo apt-get update
sudo apt-get -y install gpg curl
curl -o install-falco.sh -s \
  https://s3.amazonaws.com/download.draios.com/stable/install-falco
sudo bash install-falco.sh
```
Edit the falco.yaml configuration file:

```sh
sudo nano /etc/falco/falco.yaml
```
Change:

```yaml
file_output:
  enabled: false
  keep_alive: false
  filename: ./events.txt
```

To:

```yaml
file_output:
  enabled: true
  keep_alive: false
  filename: /var/log/falco.log
```
Restart Falco to pick up the new configuration:

```sh
sudo /etc/init.d/falco restart
```
Write a test file to the /etc folder so it triggers a security event:

```sh
sudo touch /etc/test
```
Read the Falco log to see all security events:

```sh
cat /var/log/falco.log
```
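Once file output is enabled, the lines in /var/log/falco.log follow Falco's default text format, `%evt.time: %priority %rule_output`, with the rule's fields as `key=value` pairs in parentheses. The script below is an added example for this workshop (it is not part of the repository or of Falco): it parses such lines into records, counts alerts per priority, and checks that the event produced by `sudo touch /etc/test` actually arrived. The sample log lines are constructed to imitate the output of Falco's default rules and were not captured from a real system; the function names are the example's own.

```python
"""Parse Falco text-format alerts (as written to /var/log/falco.log) into
structured records and verify that the expected /etc write event fired.

Added example for the workshop README, not code from the repository or Falco.
Assumes Falco's default text output "%evt.time: %priority %rule_output".
"""
import re
from collections import Counter

# "HH:MM:SS.nnnnnnnnn: Priority <message>"; the priority is one of Falco's levels.
ALERT_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+): "
    r"(?P<priority>Emergency|Alert|Critical|Error|Warning|Notice|Informational|Debug) "
    r"(?P<message>.*)$"
)

# key=value pairs inside the parenthesised field list. A value runs until the
# next " key=" token, so values containing spaces (command lines) stay intact;
# a value that itself contains " word=" would be split, which is acceptable here.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_alert(line):
    """Return a dict for one Falco alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    message = m.group("message")
    paren = message.find("(")  # the rule text precedes the field list
    rule_text = message[:paren].strip() if paren != -1 else message.strip()
    fields = {}
    if paren != -1:
        body = message[paren + 1:]
        if body.endswith(")"):
            body = body[:-1]
        fields = {key: value.strip() for key, value in FIELD_RE.findall(body)}
    return {"time": m.group("time"), "priority": m.group("priority"),
            "rule_text": rule_text, "fields": fields}


def load_alerts(text):
    """Parse every line of a log; lines that are not in alert format are skipped."""
    return [a for a in (parse_alert(line) for line in text.splitlines()) if a]


def count_by_priority(alerts):
    """Number of alerts per Falco priority level."""
    return Counter(a["priority"] for a in alerts)


def find_etc_writes(alerts):
    """Alerts raised for writes below /etc, which is what 'sudo touch /etc/test'
    triggers; matched on the rule text rather than on the priority."""
    return [a for a in alerts
            if a["rule_text"].startswith("File below /etc opened for writing")]


# Constructed sample log (not real captured output); one line is deliberate noise.
SAMPLE_LOG = """\
12:40:11.346534329: Error File below /etc opened for writing (user=root user_loginuid=1000 command=touch /etc/test parent=sudo pcmdline=sudo touch /etc/test file=/etc/test program=touch gparent=bash container_id=host image=<NA>)
12:40:13.019884120: Notice A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1 shell=bash parent=runc cmdline=bash terminal=34816 container_id=2c0a3d9b5e1f image=nginx)
this line is not an alert and is skipped
12:41:02.500000000: Warning Sensitive file opened for reading by non-trusted program (user=vagrant user_loginuid=1000 program=cat command=cat /etc/shadow file=/etc/shadow parent=bash container_id=host image=<NA>)
"""

if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_LOG)
    print("alerts per priority:", dict(count_by_priority(alerts)))
    for alert in find_etc_writes(alerts):
        print(alert["time"], alert["fields"]["command"], "->", alert["fields"]["file"])
```

To run it against the box, replace `SAMPLE_LOG` with the contents of /var/log/falco.log (for example `open("/var/log/falco.log").read()`); with the default format unchanged, `find_etc_writes` returns one record per write below /etc, with the offending command and file in `fields`.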
- Virtual session for HackMadrid on July 4th, 2020 by Vicente Herrera.
- Watch it at HackMadrid's YouTube channel (in Spanish).
- Slides (in English), with a lot of information about Falco.
- Falco course videos for the Quantika14 security course (Spanish), launched November 25th, 2020, by Vicente Herrera.
- Demo for the "OnTheNubs" Twitch channel (Spanish) https://twitter.com/OnTheNubs @onthenubs.
- Talk for Kubernetes Community Days Spain: Detecting cryptomining with Falco