Falco by danpopnyc June CNCF Canada Meetup

Runtime Security is like making Nanaimo Bars: you need the right ingredients

cncf-canada-meetups

June 01, 2021

Transcript

  1. Runtime Security is like making Nanaimo Bars: you need the right ingredients
     Cloud Native Canada
  2. Why Syscalls? (@danpopnyc)
     Diagram: layered stack labelled APPLICATIONS, KUBERNETES, OS, KERNEL ("the interesting stuff...").
     When you run a program you are making system calls. System calls are how a program enters the kernel to perform some task:
     • processes
     • network
     • file IO
     • much more...
  3. “The system call is the fundamental interface between an application and the Linux kernel.” — man syscalls(2)
  4. eBPF: Safe, Efficient Linux Kernel Access
     • Run programs in the Linux kernel without changing the kernel code or loading a module.
     • Access kernel activity without risking system stability or security.
     • Useful for security, monitoring and troubleshooting.
     Diagram labels: Filesystem, Kubernetes, App 1 … App n, KERNEL, syscalls, Host, eBPF probe / kernel module, Host metrics, statsd/jmx, Security events, Prometheus.
  5. eBPF / Falco Project
     What is Falco?
     • CNCF cloud-native runtime security incubating project
       ◦ Created by Sysdig in 2016
     • Detects unexpected application behavior and alerts on threats at runtime
     • THE de facto Kubernetes threat detection engine
     • WIDE ADOPTION: 27 Million Docker Pulls / 6x Contribution Growth! Up for Graduation
     What does Falco do?
     Falco uses system calls to secure and monitor a system, by:
       ◦ parsing the Linux system calls from the kernel at runtime
       ◦ asserting the stream against a powerful rules engine
       ◦ alerting when a rule is violated
  6. Falco Architecture
     Diagram labels: KERNEL MODULE / eBPF (FALCO_PROBE), LIBSCAP, LIBSINSP, FILTER EXPRESSION, FALCO RULES, EVENTS, AUDIT LOGS & METADATA, WEB SERVER, SUSPICIOUS EVENTS, ALERTING (SHELL, STDOUT, FILE, SYSLOG, HTTPS, gRPC), Falco Sidekick.
  7. Falco Rules
     • Falco ships with a default set of rules that check for unusual behavior such as:
       ◦ Privilege escalation using privileged containers
       ◦ Namespace changes using tools like setns
       ◦ Reads/writes to well-known directories such as /etc, /usr/bin, /usr/sbin, etc.
       ◦ Creating symlinks
       ◦ Ownership and mode changes
       ◦ Unexpected network connections or socket mutations
       ◦ Spawned processes using execve
       ◦ Executing shell binaries such as sh, bash, csh, zsh, etc.
       ◦ Executing SSH binaries such as ssh, scp, sftp, etc.
       ◦ Mutating Linux coreutils executables
       ◦ Mutating login binaries
       ◦ Mutating shadowutil or passwd executables such as shadowconfig, pwck, chpasswd, getpasswd, chage, useradd, etc., and others
  8. What is Falcosidekick?
     Connect Falco to your ecosystem (and many more outputs and features)
     github.com/falcosecurity/falcosidekick
  9. Falco Playground… in less than a minute
       helm repo add falcosecurity https://falcosecurity.github.io/charts
       helm install falco falcosecurity/falco \
         --set falcosidekick.enabled=true \
         --set falcosidekick.webui.enabled=true \
         -n falco --create-namespace
  10. Contribute to Falco!
      • Get started at Falco.org.
      • Check out the Falco project on GitHub.
      • Get involved in the Falco community.
      • Meet the maintainers on the Falco Slack.
      • Follow @falco_org on Twitter.