While there have been many improvements around improving containers, there is still a large gap in securing the behavior of containers in production. Enter sysdig falco, the behavioral activity monitor for containerized environments. It can detect and alert on anomalous behavior at the application, file, system, and network level. In this session get a deep dive into falco and learn: - How does behavioral security differ from existing security solutions like image scanning? - How does falco work? What can it detect? - How do you build and customize rules for falco?
2. Information presented is confidential
Home Security Analogy
• Home Security Prevents Intrusion
• Door locks
• Window sensors
• Bars on ground floor windows
• Exterior cameras
• …And Detects Intrusion
• Motion sensors
3. Information presented is confidential
Computer System Security
• Prevents Intrusion
• Passwords
• Two-factor authentication
• Fixing software vulnerabilities
• Firewalls
• Detects Intrusion
• Sysdig Falco!
• Both methods essential for full protection
4. Information presented is confidential
What is Sysdig Falco
• A behavioral activity monitor
• Detects suspicious activity defined by a set of rules
• Uses sysdig’s flexible and powerful filtering
expressions
• With full support for containers
• Utilizes sysdig’s container support
• And flexible notification methods
• Alert to files, standard output, syslog, programs
• Open Source
• Anyone can contribute rules or improvements
5. Information presented is confidential
Quick Examples
A shell is run in a container container.id != host and proc.name = bash
Overwrite system binaries
fd.directory in (/bin, /sbin, /usr/bin,
/usr/sbin) and write
Container namespace change
evt.type = setns and not proc.name in
(docker, sysdig)
Non-device files written in /dev
(evt.type = creat or evt.arg.flags contains
O_CREAT) and proc.name != blkid and
fd.directory = /dev and fd.name != /dev/null
Process tries to access camera
evt.type = open and fd.name = /dev/video0
and not proc.name in (skype, webex)
6. Information presented is confidential
Falco Architecture
sysdig_probe
Kernel
Module
Kernel
User
Syscalls
Sysdig Libraries
`
Events
Alerting
Falco Rules
Suspicious
Events File
Syslog
Stdout
Filter Expression
Shell
7. Information presented is confidential
Falco Rules
• .yaml file containing Macros, Lists, and Rules
• Example:
- macro: bin_dir
condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
- list: shell_binaries
items: [bash, csh, ksh, sh, tcsh, zsh, dash]
- rule: write_binary_dir
desc: an attempt to write to any file below a set of binary directories
condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs
output: "File below a known binary directory opened for writing (user=%user.name
command=%proc.cmdline file=%fd.name)"
priority: WARNING
8. Information presented is confidential
Falco Rules
• Macros
• name: text to use in later rules
• condition: filter expression snippet
• List
• name: text to use later
• items: list of items
• Rules
• name: used to identify rule
• desc: description of rule
• condition: filter expression, can contain macro references
• output: message to emit when rule triggers, can contain
formatted info from event
• priority: severity of rule (WARNING, INFO, etc.)
9. Information presented is confidential
Falco Rules
• Filtering Expressions
• Use the same format as sysdig
• Full container/k8s/mesos/etc support
• Falco rules are combined into one giant
filtering expression, joined by ORs
• Each rule must contain at least one
evt.type expression
• i.e. evt.type=open and …
• Allows for very fast filtering of events.
10. Information presented is confidential
Alerts And Outputs
• Events that match filter expression result in alerts
• Rule’s output field used to format event into alert
message
• Falco configuration used to control where alert
message is sent.
• Any combination of
• Syslog
• File
• Standard Output
• Shell (e.g. mail -s "Falco Notification"
someone@example.com)
11. Information presented is confidential
Installing Falco
• Debian Package
• apt-get -y install falco
• Redhat Package
• yum -y install falco
• Installation Script
• curl -s
https://s3.amazonaws.com/download.draios.com/
stable/install-falco | sudo bash
• More on making this safe in the demo!
• Docker container
• docker pull sysdig/falco
• Full instructions: https://github.com/draios/falco/wiki/How-to-
Install-Falco-for-Linux
12. Information presented is confidential
Running Falco
• As a service
• $ service falco start
• alerts to syslog
• By hand
• $ sudo falco -r <rules file> -c <config file>
• alerts to syslog, stdout
• Using docker
• docker run -i -t --name falco --privileged -v
/var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v
/proc:/host/proc:ro -v /boot:/host/boot:ro -v
/lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro sysdig/falco
• Full Instructions: https://github.com/draios/falco/wiki/Running-
Falco
14. Information presented is confidential
What we’re going to show you
• Falco installation using docker
• Overview of rules file
• Walkthrough of simple attacks
• Writing to files below /bin
• Running bash inside container
• Synthetic event generator
• Exploiting a bad REST API
• Misbehaving Containers
• Receiving Falco Events in Sysdig Cloud!
15. Information presented is confidential
Join The Community
• Website
• http://www.sysdig.org/falco/
• Mailing List
• https://groups.google.com/forum/#!forum/falco
• Public Slack
• https://sysdig.slack.com/messages/falco/
• Blog
• https://sysdig.com/blog/tag/falco/
16. Information presented is confidential
Learn More
• Github
• https://github.com/draios/falco
• Pull Requests welcome!
• Wiki
• https://github.com/draios/falco/wiki
• Docker Hub
• https://hub.docker.com/r/sysdig/falco/
<hi thanks for joining…>
I’ll start with a really quick introduction and then I’d love to learn a little bit more about you and your environment, and why you’re interested in Sysdig Cloud.
But to first set the stage… Sysdig Cloud. There are a million other monitoring tools out there – why does the world need another? Well with Sysdig Cloud, we set out to create the
first and onlycomprehensive, container-nativemonitoring solution
Ground up
Clean sheet of paper
Container native
Ground up
Clean sheet of paper
Container native
Ground up
Clean sheet of paper
Container native
Ground up
Clean sheet of paper
Container native
Ground up
Clean sheet of paper
Container native
Ground up
Clean sheet of paper
Container native
Ground up
Clean sheet of paper
Container native
Ground up
Clean sheet of paper
Container native
Ground up
Clean sheet of paper
Container native
Ground up
Clean sheet of paper
Container native
Ground up
Clean sheet of paper
Container native
Ground up
Clean sheet of paper
Container native
Ground up
Clean sheet of paper
Container native
Ground up
Clean sheet of paper
Container native
<hi thanks for joining…>
I’ll start with a really quick introduction and then I’d love to learn a little bit more about you and your environment, and why you’re interested in Sysdig Cloud.
But to first set the stage… Sysdig Cloud. There are a million other monitoring tools out there – why does the world need another? Well with Sysdig Cloud, we set out to create the
first and onlycomprehensive, container-nativemonitoring solution