
Runtime Detection

info

This page only presents a POC.

Falco from Sysdig

Quick POC - Install Falco on Ubuntu VM

tip

Set this up to test custom rules locally, without waiting for the alerts to reach CloudWatch.

Install Falco on the host (the commands below need root).

curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add -
echo "deb https://download.falco.org/packages/deb stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list
apt-get update -y
apt-get -y install linux-headers-$(uname -r)
apt-get install -y falco
systemctl enable falco
systemctl start falco

Run Falco in a container using Docker with the principle of least privilege.

docker pull falcosecurity/falco-no-driver:latest
docker run --rm -i -t \
-e HOST_ROOT=/ \
--cap-add SYS_PTRACE --pid=host $(ls /dev/falco* | xargs -I {} echo --device {}) \
-v /var/run/docker.sock:/var/run/docker.sock \
falcosecurity/falco-no-driver:latest

Check the logs.

journalctl -fu falco

Falco running on EKS EC2 with Fluent Bit and CloudWatch

# Create EKS cluster
eksctl create cluster --name falco --region eu-west-1

# Grab the IAM role of your cluster's node group via the GUI (example name below)
## eksctl-falco-nodegroup-ng-94172f0-NodeInstanceRole-HERAVPIP9PZ7

# Send Logs to CloudWatch
git clone https://github.com/sysdiglabs/falco-aws-firelens-integration
aws iam create-policy --policy-name EKS-CloudWatchLogs --policy-document file://./falco-aws-firelens-integration/eks/fluent-bit/aws/iam_role_policy.json
aws iam attach-role-policy --role-name eksctl-falco-nodegroup-ng-94172f0-NodeInstanceRole-HERAVPIP9PZ7 --policy-arn `aws iam list-policies | jq -r '.[][] | select(.PolicyName == "EKS-CloudWatchLogs") | .Arn'`

# Deploy Fluent Bit daemonSet - configmap.yaml, daemonset.yaml and service-account.yaml will be applied
kubectl apply -f falco-aws-firelens-integration/eks/fluent-bit/kubernetes

# Set up the Falco Helm repository
git clone https://github.com/falcosecurity/charts.git; helm repo add falcosecurity https://falcosecurity.github.io/charts

# The jsonOutput property is false in values.yaml by default. Set to true for json formatted output via fluent-bit.
nano charts/falco/values.yaml

# Install helm chart
helm install falco -f charts/falco/values.yaml falcosecurity/falco

# Upgrade after change
helm upgrade falco -f charts/falco/values.yaml falcosecurity/falco

Below is the deployment.yaml file.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx2
  labels:
    app: nginx2
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx2
  template:
    metadata:
      labels:
        app: nginx2
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - arm64
      containers:
      - name: nginx
        image: nginx:1.19.2
        ports:
        - containerPort: 80

kubectl apply -f deployment.yaml
kubectl get deployments --all-namespaces

kubectl get pods --all-namespaces

kubectl exec -it nginx2-78848c9dcb-5955n -- /bin/bash
# Reading /etc/shadow from inside the container trips Falco's built-in "Read sensitive file untrusted" rule
cat /etc/shadow

From the AWS console, go to CloudWatch > Log groups > falco > alerts to see the alert Falco generated.
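
With jsonOutput enabled, every Falco alert is one JSON object per line, and that is what Fluent Bit forwards to CloudWatch (and what journalctl shows on the host). The Python below is an added example, not code from this page or from the Falco project: it consumes such lines, drops anything that is not a well-formed alert, keeps only alerts at or above a priority threshold, and groups the rest by rule and container id, which is the quick triage you would otherwise do in the console. The alert lines are constructed samples in Falco's JSON shape (output, priority, rule, time, output_fields); the rule names are the built-in "Read sensitive file untrusted" and "Terminal shell in container" rules this walkthrough triggers and the page's custom "Reverse shell" rule, while the container ids and timestamps are made up.

```python
import json
from collections import Counter

# Falco's priority levels as the strings it emits in JSON, most severe first.
PRIORITY_RANK = {
    "Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
    "Warning": 4, "Notice": 5, "Informational": 6, "Debug": 7,
}

# Constructed sample alert lines (not captured from a real cluster): the
# container ids, pod name and timestamps are made up; the last line is
# deliberately not JSON to show that a bad line is skipped, not fatal.
SAMPLE_LOG = r'''
{"output":"18:20:58.100 Notice A shell was spawned in a container with an attached terminal (user=root nginx2-78848c9dcb-5955n (id=0a1b2c3d4e5f) shell=bash)","priority":"Notice","rule":"Terminal shell in container","time":"2021-03-01T18:20:58.100Z","output_fields":{"container.id":"0a1b2c3d4e5f","k8s.pod.name":"nginx2-78848c9dcb-5955n","proc.name":"bash","user.name":"root"}}
{"output":"18:21:04.312 Warning Sensitive file opened for reading by non-trusted program (user=root command=cat /etc/shadow file=/etc/shadow container_id=0a1b2c3d4e5f image=nginx)","priority":"Warning","rule":"Read sensitive file untrusted","time":"2021-03-01T18:21:04.312Z","output_fields":{"container.id":"0a1b2c3d4e5f","container.image.repository":"nginx","fd.name":"/etc/shadow","proc.cmdline":"cat /etc/shadow","user.name":"root"}}
{"output":"18:22:41.771 Warning Reverse shell connection (user=root process=bash parent=nc cmdline=bash -i terminal=0)","priority":"Warning","rule":"Reverse shell","time":"2021-03-01T18:22:41.771Z","output_fields":{"container.id":"9f8e7d6c5b4a","fd.num":0,"fd.type":"ipv4","proc.name":"bash","proc.pname":"nc","user.name":"root"}}
{"output":"18:25:17.040 Warning Sensitive file opened for reading by non-trusted program (user=root command=cat /etc/shadow file=/etc/shadow container_id=1122334455aa image=nginx)","priority":"Warning","rule":"Read sensitive file untrusted","time":"2021-03-01T18:25:17.040Z","output_fields":{"container.id":"1122334455aa","container.image.repository":"nginx","fd.name":"/etc/shadow","proc.cmdline":"cat /etc/shadow","user.name":"root"}}
this line is not JSON and must be skipped rather than crash the consumer
'''


def parse_alerts(text):
    """Parse one Falco JSON alert per line; returns (alerts, skipped_line_count)."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        # A Falco alert always carries these three keys; anything else is noise.
        if not all(k in obj for k in ("rule", "priority", "output")):
            skipped += 1
            continue
        alerts.append(obj)
    return alerts, skipped


def at_least(alerts, min_priority="Warning"):
    """Keep alerts whose priority is min_priority or more severe."""
    threshold = PRIORITY_RANK[min_priority]
    # Unknown priority strings rank as least severe so they never slip through.
    return [a for a in alerts if PRIORITY_RANK.get(a["priority"], 99) <= threshold]


def by_rule(alerts):
    """Count alerts per rule name."""
    return Counter(a["rule"] for a in alerts)


def containers_for(alerts, rule):
    """Sorted, de-duplicated container ids that fired a given rule."""
    return sorted({a.get("output_fields", {}).get("container.id", "?")
                   for a in alerts if a["rule"] == rule})


def triage(text, min_priority="Warning"):
    """Summarise a batch of alert lines: totals, per-rule counts, containers per rule."""
    alerts, skipped = parse_alerts(text)
    urgent = at_least(alerts, min_priority)
    rules = by_rule(urgent)
    return {
        "total": len(alerts),
        "skipped": skipped,
        "urgent": len(urgent),
        "per_rule": dict(rules),
        "containers": {rule: containers_for(urgent, rule) for rule in rules},
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(SAMPLE_LOG))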


# Delete the cluster
eksctl delete cluster --name falco --region eu-west-1

Custom rules

Add the rule below to /etc/falco/falco_rules.local.yaml, then restart Falco so it is loaded. The condition fires when a process inside a container duplicates a network socket onto one of its standard file descriptors (0, 1 or 2), which is how a reverse shell wires a socket to a shell's stdin, stdout and stderr.

nano /etc/falco/falco_rules.local.yaml
systemctl restart falco

- rule: Reverse shell
  desc: Detect reverse shell established remote connection
  condition: evt.type=dup and container and fd.num in (0, 1, 2) and fd.type in ("ipv4", "ipv6")
  output: Reverse shell connection (user=%user.name %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty)
  priority: WARNING
  tags: [container, shell, mitre_execution]
  append: false
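
Falco refuses to load a rules file whose output string references a field it does not know or whose priority is not one of its levels, and after systemctl restart that leaves you with a stopped service rather than a new rule. The real check is falco -V /etc/falco/falco_rules.local.yaml before the restart; the Python below is an added offline pre-flight lint, not part of Falco or of this page. It parses only the flat "- rule:" list form used above with a hand-written subset parser (not a YAML library), and its KNOWN_FIELDS allow-list is a small hand-maintained subset of Falco's output fields, so treat that list as an assumption to extend for your own rules. The second sample is a constructed broken copy of the page's rule, with its output cut mid-field as a line-wrapped paste would leave it and a priority Falco does not define.

```python
import re

# Hand-maintained subset of Falco output fields (assumption: extend for your rules).
KNOWN_FIELDS = {
    "user.name", "user.uid", "proc.name", "proc.pname", "proc.cmdline", "proc.tty",
    "proc.pid", "container.id", "container.name", "container.info",
    "container.image.repository", "fd.name", "fd.num", "fd.type", "fd.sip",
    "fd.rip", "evt.type", "evt.time", "k8s.pod.name", "k8s.ns.name",
}
# Priority levels Falco accepts in a rule's priority key.
PRIORITIES = {"EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING",
              "NOTICE", "INFO", "INFORMATIONAL", "DEBUG"}
REQUIRED_KEYS = ("rule", "desc", "condition", "output", "priority")

# The page's rule, as written in /etc/falco/falco_rules.local.yaml.
GOOD_RULE = """
- rule: Reverse shell
  desc: Detect reverse shell established remote connection
  condition: evt.type=dup and container and fd.num in (0, 1, 2) and fd.type in ("ipv4", "ipv6")
  output: Reverse shell connection (user=%user.name %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty)
  priority: WARNING
  tags: [container, shell, mitre_execution]
  append: false
"""

# Constructed broken copy: output truncated mid-field and an undefined priority.
BAD_RULE = """
- rule: Reverse shell (broken)
  desc: Same rule with a truncated output line and a bogus priority
  condition: evt.type=dup and container and fd.num in (0, 1, 2)
  output: Reverse shell connection (user=%user.name terminal=%proc.tt
  priority: HIGH
"""


def parse_rules(text):
    """Parse the flat '- rule:' list form into dicts (subset parser, not full YAML)."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):          # a new list item starts a new rule
            current = {}
            rules.append(current)
            line = line[2:]
        if current is None:                # key outside any list item: ignore
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return rules


def lint_rule(rule):
    """Return a list of problems; an empty list means the rule passes this lint."""
    problems = [f"missing key '{k}'" for k in REQUIRED_KEYS if k not in rule]
    priority = rule.get("priority", "").upper()
    if priority and priority not in PRIORITIES:
        problems.append(f"unknown priority '{rule['priority']}'")
    output = rule.get("output", "")
    # A cut-off output line usually shows up first as an unclosed parenthesis.
    if output.count("(") != output.count(")"):
        problems.append("unbalanced parentheses in output (truncated line?)")
    # Every %token in the output must be a field Falco can resolve.
    for field in re.findall(r"%([A-Za-z0-9_.]+)", output):
        if field not in KNOWN_FIELDS:
            problems.append(f"output references unknown field %{field}")
    return problems


def lint_file(text):
    """Map each rule name in the file to its list of problems."""
    return {r.get("rule", "<unnamed>"): lint_rule(r) for r in parse_rules(text)}


if __name__ == "__main__":
    for name, problems in {**lint_file(GOOD_RULE), **lint_file(BAD_RULE)}.items():
        print(name, "->", problems or "ok")
```

To lint a real file, read it and pass the text to lint_file(); a rule that passes here can still fail in Falco for a condition Falco cannot parse, which only falco -V catches.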

References