Real-time threat detection with Falco

In this IntoDevOps post we focus on real-time security detection with Falco, so stay tuned.

What is real-time security detection?

Falco provides streaming detection of unexpected behavior, configuration changes, and attacks.

  • Runtime detection is a fundamental layer of defense against security blind spots and zero-day bugs in your software supply chain.
  • The streaming approach enables real-time response while minimizing storage costs and complexity.
  • Falco is ready out of the box with a set of rules, which you can customize for your environment.

Install Falco on Kubernetes

Prerequisites

  • Kubectl
  • Helm
  • Kubernetes cluster

Steps

Add the Falco Helm repository and refresh the chart index

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

Create a namespace for the Falco deployment

kubectl create ns falco

Install Falco into the falco namespace

helm install falco -n falco --set driver.kind=ebpf --set tty=true falcosecurity/falco

Note that we are using the eBPF driver (driver.kind=ebpf) so that Falco receives kernel-level syscall events without loading a kernel module.

Check that all the pods are up and running

kubectl get pods -n falco -w

Verify Falco is running properly

In this section we will run an Alpine image and perform some suspicious activity to see whether Falco detects it as expected.

First, open a terminal tab for the logs:

This command streams the logs of the falco container from every Falco pod across the cluster.

kubectl logs -l app.kubernetes.io/name=falco -n falco -c falco -f

While the above command is running, open another terminal (or split your terminal into two panes) and run an Alpine image like this:

kubectl run alpine --image alpine -- sh -c 'tail -f /dev/null'

Try to open an interactive shell inside the container:

kubectl exec -it alpine -- sh

Now you will see a new log line being added, like this:

Notice A shell was spawned in a container with an attached terminal (evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/bin/busybox parent=containerd-shim command=sh terminal=34816 exe_flags=EXE_WRITABLE container_id=f15fe6d07479 container_image=docker.io/library/alpine container_image_tag=latest container_name=alpine k8s_ns=default k8s_pod_name=alpine)
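The alert above comes from Falco's default rule set. As an added example (not part of the original post or of the Falco project), the Helm values file below ships a custom rule through the chart's customRules key that uses the same fields seen in that log line; the rule name, the file name and the list of namespaces where an interactive shell is acceptable are assumptions you should adapt to your cluster.

```yaml
# Added example: Helm values for falcosecurity/falco that add a custom rule
# next to the default ones. The file name, rule name and namespace list are
# assumptions for illustration; adjust them for your environment.
customRules:
  intodevops-rules.yaml: |-
    # Namespaces where humans are expected to open shells (assumed values).
    - list: interactive_shell_allowed_namespaces
      items: [dev, sandbox]

    # An interactive shell: an exec* syscall returning (evt.dir = <) inside a
    # container (container.id != host), for a shell binary, with a TTY attached.
    - macro: interactive_shell_in_container
      condition: >
        evt.type in (execve, execveat) and evt.dir = <
        and container.id != host
        and proc.name in (sh, bash, ash, zsh, dash)
        and proc.tty != 0

    # Raise the default Notice seen above to CRITICAL outside the allowed
    # namespaces, and include the image and the parent process so a responder
    # can tell a kubectl exec (parent=containerd-shim) from a shell spawned by
    # the workload itself.
    - rule: Interactive shell in production container
      desc: An interactive shell was started in a container outside the namespaces where that is expected
      condition: >
        interactive_shell_in_container
        and not k8s.ns.name in (interactive_shell_allowed_namespaces)
      output: >
        Interactive shell in production container
        (user=%user.name ns=%k8s.ns.name pod=%k8s.pod.name
        image=%container.image.repository:%container.image.tag
        shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
      priority: CRITICAL
      tags: [container, shell, mitre_execution]
```

Apply it with helm upgrade --reuse-values -f falco-values.yaml falco -n falco falcosecurity/falco, then repeat the kubectl exec from above: the pod in the default namespace now produces a Critical line from this rule in addition to the default Notice.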

Resources

  • To read more, check Falco’s official website.
