Néstor Salceda, Integrations Engineer LibreCon Bilbao, Nov 22th 2018 Securing your Kubernetes applications

@nestorsalceda • Open Source enthusiast • Security and Monitoring passionate • I work at Sysdig • Daddy of twins • Kubernetes member: Maintainer of Sysdig and Falco Helm charts • Top 3 Contributor to Falco • Judo, Aikido and other Gendai Budo martial arts lover and practicioner

Anomaly Detection in run-time: Falco Active Security: Kubernetes Response Engine Forensics: Sysdig Inspect Current challenges of Container Security Agenda Layers of Container Security

• Container Security Challenges

Breaches may extend for days or weeks before detected Attacks are changing to abuse activities rather than data exfiltration (crypto mining) Ephemeral nature of containers means that in the event of a security breach you may never know Many security paradigms are still reactive Main Challenges

• Layers of Container Security

Which layers? Runtime Build Infrastructure

Networking: Filtering, Istio, Calico ... Cluster Security: RBAC, Audit Events, Security Policies, Affinity, Network Policies ... Container Runtime: SELinux, AppArmor, CIS Benchmarks, InSpec ... Host Security: SecComp, SELinux, AppArmor, Resource Constraints ... Infrastructure

Vulnerability Management: ● Image Scanning: Sysdig Secure, Anchore, Clair ● Upstream OS ● Application Vulnerabilities Image / Software Origin: ● Signed Images / Layers ● Artifact Signing ● Trusted Registries Build

Secure Secrets: How secrets are stored or used? Anomaly Detection: Someone altered my runtime environment? Forensics: What happened if compromised? Service / Container Admission: What is allowed to run? Runtime

Processes are “scoped” as to what’s expected Container images are immutable, runtime environments often aren’t How do you detect abnormal behavior? See containers like isolated processes Anomaly Detection

Containers are highly volatile: Imagine Grisom doing CSI stuff without the corpse What did happen inside the container? When a security incident has already happened Forensics

What is Falco?

• Detects suspicious activity defined by a set of rules • Uses Sysdig’s flexible and powerful filtering expressions Behavioral Activity Monitor • Uses Sysdig’s container and orchestrator support Full Support of Containers Orchestration Flexible Notification Methods Open Source Software • Files • STDOUT • Syslog • Execute other programs • And more ... • CNCF Sandbox Project • Welcome contributions • Transparency & Governance

falco_probe Kernel Module Kernel User Syscalls Sysdig Libraries Events Alerting Falco Rules Suspicious Events File Syslog Stdout Filter Expression Shell

Filter expressions A shell is run in a container container.id != host and proc.name = bash Overwrite system binaries fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) and write Container namespace change evt.type = setns and not proc.name in (docker, sysdig) Non-device files written in /dev (evt.type = create or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null Process tries to access camera evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)

Rules - macro: bin_dir condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) - list: shell_binaries items: [bash, csh, ksh, sh, tcsh, zsh, dash] - rule: write_binary_dir desc: an attempt to write to any file below a set of binary directories condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)" priority: WARNING

More rules implemented in draios/falco-extras repository: ● Traefik ● Redis ● Nginx ● PostgreSQL ● ... Falco ships with a nice default ruleset for best practices: ● Writing files in bin or etc ● Reading sensitive files ● Terminal spawning in a container ● ... Batteries included

Requests made by anonymous user Attach to cluster-admin Role Service Account Created in Kube Namespace Create / Modify ConfigMaps which exposes secrets K8s Audit Events Support

Try it out! $ helm install --name sysdig-falco-1 --set fakeEventGenerator.enabled=true stable/falco

Active Security

No content

See it in action!

Start a capture Network isolate Demisto/Phantom integration Delete a pod Playbooks Available Forbid that a node schedules more pods Slack notification

Forensics

Correlate events to reconstruct the attack Blameless Post-Mortem incident report Capture system calls using Sysdig Forensics

The ephemeral nature of containers changes the rules Security offers us an opportunity to be proactive Containers add more infrastructure, layers and risks. But we have seen same security threats before: DDoS, Injections ... Just a quick summary

Do you want work with me? Monitoring / Security Open Source Remote

Blog https://www.sysdig.com/blog/tag/falco Sysdig Secure https://www.sysdig.com/product/secure Website https://www.sysdig.com/opensource/falco https://falco.org Join the community Public Slack https://slack.sysdig.com https://slack.sysdig.com/messages/falco

Docker Hub https://hub.docker.com/r/falcosecurity/falco GitHub https://github.com/falcosecurity/falco Learn more Wiki https://github.com/falcosecurity/falco/wiki Sysdig Docker Usage Report 2018 https://sysdig.com/blog/2018-docker-usage-report

Eskerrik Asko Questions? nestor.salceda@sysdig.com @nestorsalceda