Setting up runtime container security monitoring with Sysdig Falco and Kubernetes


Falco is a cloud-native runtime security system that works with both containers and plain Linux hosts. It was developed by Sysdig and is a sandbox project of the Cloud Native Computing Foundation (CNCF). Falco works by watching file changes, network activity, the process table, and other data for suspicious behaviour, and then sending alerts through pluggable back ends. Events are inspected at the system-call level of the host, through either a kernel module or an extended BPF probe. Falco ships with a rich set of rules that you can edit to flag specific abnormal behaviour and to create allow lists for normal machine operation.

In this tutorial, you learn how to install and set up Falco on a Kubernetes cluster on IBM Cloud, how to create synthetic security events, and how to view those events in Falco. Finally, Falco is wired up to send security alerts to Slack at run time. The tutorial applies to both standard Kubernetes and Red Hat OpenShift on IBM Cloud.

Get the source code here:

git clone https://gitlab.com/nibalizer/falco-iks
cd falco-iks

Configure Falco using a Kubernetes DaemonSet

Because this is a Kubernetes 1.12 environment, the tutorial uses the k8s-with-rbac files. Falco needs several files to be set up: a combination of the Kubernetes configuration for running the Falco DaemonSet and the configuration for the daemon itself.

Step 1: Review the Falco files

Falco uses a Kubernetes service account to access the Kubernetes API. The falco-account.yaml spec sets up the usual role-based access control triple: a ServiceAccount, a ClusterRole, and a ClusterRoleBinding. The ClusterRole holds the information about which access is granted. If you make no changes to these files, the Falco daemon can only read and list objects in the Kubernetes API; it cannot modify any of them.

$ ls -l
total 20
-rw-r--r-- 1 nibz nibz  931 Mar 29 15:46 falco-account.yaml
drwxr-xr-x 2 nibz nibz 4096 Mar 29 15:51 falco-config/
-rw-r--r-- 1 nibz nibz 2138 Mar 29 15:48 falco-daemonset-configmap.yaml
-rw-r--r-- 1 nibz nibz  196 Mar 29 15:45 falco-service.yaml
-rw-r--r-- 1 nibz nibz   13 Mar 29 15:27 Readme.md

Step 2: Configure role-based access control (RBAC)

kubectl apply -f falco-account.yaml
serviceaccount/falco-account created
clusterrole.rbac.authorization.k8s.io/falco-cluster-role created
clusterrolebinding.rbac.authorization.k8s.io/falco-cluster-role-binding created

Step 3: Apply the Falco Service object

$ kubectl apply -f falco-service.yaml
service/falco-service created

Step 4: Create the falco-config ConfigMap

Falco's configuration is split across several files. falco.yaml holds the details of the daemon configuration: output types, ports, and so on. The other *_rules.yaml files contain the checks that Falco fires on (a shell being opened, a file being modified, and so on). Combine all of these files into a single ConfigMap by pointing the --from-file argument at the directory:

 kubectl create configmap falco-config --from-file=falco-config
configmap/falco-config created

Step 5: Start the Falco DaemonSet

Finally, run the Falco application. It runs as a DaemonSet, which gives you one Falco pod on every node:

kubectl apply -f falco-daemonset-configmap.yaml
daemonset.extensions/falco-daemonset created

Step 6: Check that the pods started correctly

kubectl get pod
NAME                    READY   STATUS    RESTARTS   AGE
falco-daemonset-99p8j   1/1     Running   0          26s
falco-daemonset-wf2lf   1/1     Running   0          26s
falco-daemonset-wqrwm   1/1     Running   0          26s

Step 7: Check the logs and read the DKMS messages

kubectl logs falco-daemonset-wf2lf
* Setting up /usr/src links from host
* Unloading falco-probe, if present
* Running dkms install for falco

Kernel preparation unnecessary for this kernel.  Skipping...

Building module:
cleaning build area...
make -j2 KERNELRELEASE=4.4.0-148-generic -C /lib/modules/4.4.0-148-generic/build M=/var/lib/dkms/falco/0.1.2780dev/build....
cleaning build area...

DKMS: build completed.

falco-probe.ko:

Falco is running and logging events.

Review Falco's configuration

Step 1: Inspect the DaemonSet configuration

Run the following command to see the setting that tells the DaemonSet to run with the service account and permissions you set up earlier:

cat falco-daemonset-configmap.yaml | grep serviceAcc
serviceAccount: falco-account

See falco-account.yaml for the details. This configuration grants read access to almost everything in the Kubernetes API server.

Several important directories from the Kubernetes host are mounted into the Falco pod:

cat falco-daemonset-configmap.yaml | grep -A 11 volumes:
      volumes:
        - name: containerd-socket
          hostPath:
            path: /run/containerd/containerd.sock
        - name: dev-fs
          hostPath:
            path: /dev
        - name: proc-fs
          hostPath:
            path: /proc
        - name: boot-fs
          hostPath:

This step lets Falco interact with the container runtime to pull container metadata (for example, the container name and the underlying image name) and query the host's process table to discover process names. Note also that this example maps the containerd socket, not the Docker socket.

Step 2: Check the Falco configuration files

ls falco-config/
falco_rules.local.yaml  falco_rules.yaml  falco.yaml  k8s_audit_rules.yaml

Step 3: Review the Falco rules

This rule watches for potentially harmful Netcat commands and raises an alert at WARNING priority when it finds one.

cat falco-config/falco_rules.yaml | grep -A 12 'Netcat Remote'
- rule: Netcat Remote Code Execution in Container
  desc: Netcat Program runs inside container that allows remote code execution
  condition: >
    spawned_process and container and
    ((proc.name = "nc" and (proc.args contains "-e" or proc.args contains "-c")) or
     (proc.name = "ncat" and (proc.args contains "--sh-exec" or proc.args contains "--exec"))
    )
  output: >
    Netcat runs inside container that allows remote code execution (user=%user.name
    command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  priority: WARNING
  tags: [network, process]

Watch Falco in action

Now let's watch Falco in action. You will tail the log in one terminal, then synthetically create some events in another terminal and watch them appear in the log.

Step 1: Tail the log in the first terminal

kubectl get pod
NAME                    READY   STATUS    RESTARTS   AGE
falco-daemonset-99p8j   1/1     Running   0          112m
falco-daemonset-wf2lf   1/1     Running   0          112m
falco-daemonset-wqrwm   1/1     Running   0          112m
$ kubectl logs -f falco-daemonset-99p8j
* Setting up /usr/src links from host
* Unloading falco-probe, if present
* Running dkms install for falco

Kernel preparation unnecessary for this kernel.  Skipping...

Building module:
cleaning build area...
make -j2 KERNELRELEASE=4.4.0-148-generic -C /lib/modules/4.4.0-148-generic/build M=/var/lib/dkms/falco/0.1.2780dev/build....
cleaning build area...

DKMS: build completed.

falco-probe.ko:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/4.4.0-148-generic/kernel/extra/
mkdir: cannot create directory '/lib/modules/4.4.0-148-generic/kernel/extra': Read-only file system
cp: cannot create regular file '/lib/modules/4.4.0-148-generic/kernel/extra/falco-probe.ko': No such file or directory

depmod...

DKMS: install completed.
* Trying to load a dkms falco-probe, if present
falco-probe found and loaded in dkms
Wed May 29 14:55:36 2019: Falco initialized with configuration file /etc/falco/falco.yaml
Wed May 29 14:55:36 2019: Loading rules from file /etc/falco/falco_rules.yaml:
Wed May 29 14:55:37 2019: Loading rules from file /etc/falco/falco_rules.local.yaml:
Wed May 29 14:55:37 2019: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Wed May 29 14:55:38 2019: Starting internal webserver, listening on port 8765
{"output":"00:00:00.020155776: Informational Container with sensitive mount started (user=<NA> command=container:9d56002def78 k8s.ns=<NA> k8s.pod=<NA> container=9d56002def78 image=docker.io/falcosecurity/falco:dev mounts=/run/containerd/containerd.sock:/host/run/containerd/containerd.sock::true:private,/dev:/host/dev::true:private,/proc:/host/proc::false:private,/boot:/host/boot::false:private,/lib/modules:/host/lib/modules::false:private,/usr:/host/usr::false:private,/etc:/host/etc/::false:private,/var/data/kubelet/pods/c0a1a131-8221-11e9-b9cf-c68b81a15994/volumes/kubernetes.io~configmap/falco-config:/etc/falco::false:private,/var/data/kubelet/pods/c0a1a131-8221-11e9-b9cf-c68b81a15994/volumes/kubernetes.io~secret/falco-account-token-jlddc:/var/run/secrets/kubernetes.io/serviceaccount::false:private,/var/data/kubelet/pods/c0a1a131-8221-11e9-b9cf-c68b81a15994/etc-hosts:/etc/hosts::true:private,/var/data/kubelet/pods/c0a1a131-8221-11e9-b9cf-c68b81a15994/containers/falco/cb0bed6e:/dev/termination-log::true:private) k8s.ns=<NA> k8s.pod=<NA> container=9d56002def78","priority":"Informational","rule":"Launch Sensitive Mount Container","time":"1970-01-01T00:00:00.020155776Z", "output_fields": 
{"container.id":"9d56002def78","container.image.repository":"docker.io/falcosecurity/falco","container.image.tag":"dev","container.mounts":"/run/containerd/containerd.sock:/host/run/containerd/containerd.sock::true:private,/dev:/host/dev::true:private,/proc:/host/proc::false:private,/boot:/host/boot::false:private,/lib/modules:/host/lib/modules::false:private,/usr:/host/usr::false:private,/etc:/host/etc/::false:private,/var/data/kubelet/pods/c0a1a131-8221-11e9-b9cf-c68b81a15994/volumes/kubernetes.io~configmap/falco-config:/etc/falco::false:private,/var/data/kubelet/pods/c0a1a131-8221-11e9-b9cf-c68b81a15994/volumes/kubernetes.io~secret/falco-account-token-jlddc:/var/run/secrets/kubernetes.io/serviceaccount::false:private,/var/data/kubelet/pods/c0a1a131-8221-11e9-b9cf-c68b81a15994/etc-hosts:/etc/hosts::true:private,/var/data/kubelet/pods/c0a1a131-8221-11e9-b9cf-c68b81a15994/containers/falco/cb0bed6e:/dev/termination-log::true:private","evt.time":20155776,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"container:9d56002def78","user.name":null}}

Step 2: Create a security event in the second terminal

export KUBECONFIG=/home/nibz/.bluemix/plugins/container-service/clusters/yourcluster.yml
$ kubectl get pod
NAME                    READY   STATUS    RESTARTS   AGE
falco-daemonset-99p8j   1/1     Running   0          3h2m
falco-daemonset-wf2lf   1/1     Running   0          3h2m
falco-daemonset-wqrwm   1/1     Running   0          3h2m
nibz@shockley:~/projects/falco/install-falco-iks/git-repo$ kubectl  exec -it falco-daemonset-99p8j /bin/bash
root@falco-daemonset-99p8j:/# echo "I'm in!"
I'm in!
root@falco-daemonset-99p8j:/#

In the first terminal, you can see the event:

{"output":"17:58:28.064781208: Notice A shell was spawned in a container with an attached terminal (user=root k8s.ns=default k8s.pod=falco-daemonset-99p8j container=9d56002def78 shell=bash parent=<NA> cmdline=bash terminal=34816) k8s.ns=default k8s.pod=falco-daemonset-99p8j container=9d56002def78","priority":"Notice","rule":"Terminal shell in container","time":"2019-05-29T17:58:28.064781208Z", "output_fields": {"container.id":"9d56002def78","evt.time":1559152708064781208,"k8s.ns.name":"default","k8s.pod.name":"falco-daemonset-99p8j","proc.cmdline":"bash","proc.name":"bash","proc.pname":null,"proc.tty":34816,"user.name":"root"}}

Step 3: Process the event with jq

When you process the event with jq, you can see that Falco provides useful information about the security event together with its full Kubernetes context, such as the pod name and namespace:

echo '{"output":"17:58:28.064781208: Notice A shell was spawned in a container with an attached terminal (user=root k8s.ns=default k8s.pod=falco-daemonset-99p8j container=9d56002def78 shell=bash parent=<NA> cmdline=bash terminal=34816) k8s.ns=default k8s.pod=falco-daemonset-99p8j container=9d56002def78","priority":"Notice","rule":"Terminal shell in container","time":"2019-05-29T17:58:28.064781208Z", "output_fields": {"container.id":"9d56002def78","evt.time":1559152708064781208,"k8s.ns.name":"default","k8s.pod.name":"falco-daemonset-99p8j","proc.cmdline":"bash","proc.name":"bash","proc.pname":null,"proc.tty":34816,"user.name":"root"}}
> ' | jq '.'
{
  "output": "17:58:28.064781208: Notice A shell was spawned in a container with an attached terminal (user=root k8s.ns=default k8s.pod=falco-daemonset-99p8j container=9d56002def78 shell=bash parent=<NA> cmdline=bash terminal=34816) k8s.ns=default k8s.pod=falco-daemonset-99p8j container=9d56002def78",
  "priority": "Notice",
  "rule": "Terminal shell in container",
  "time": "2019-05-29T17:58:28.064781208Z",
  "output_fields": {
    "container.id": "9d56002def78",
    "evt.time": 1559152708064781300,
    "k8s.ns.name": "default",
    "k8s.pod.name": "falco-daemonset-99p8j",
    "proc.cmdline": "bash",
    "proc.name": "bash",
    "proc.pname": null,
    "proc.tty": 34816,
    "user.name": "root"
  }
}
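As an added example (not part of the tutorial), the same idea in Python for when a jq one-liner is not enough: read the lines that `kubectl logs -f` streams, keep only the JSON events, and turn those at or above a chosen priority into the compact records you would hand to the Slack hook mentioned in the introduction. The Falco priority names are the real ones; the sample log lines are constructed from the events shown above.

```python
import json

PRIORITIES = ["Emergency", "Alert", "Critical", "Error",   # Falco's priority levels,
              "Warning", "Notice", "Informational", "Debug"]  # most severe first

def parse_falco_lines(lines):
    """Yield the JSON events in a log stream; other lines (DKMS output,
    'Loading rules from file ...') and cut-off JSON are skipped."""
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "rule" in event and "priority" in event:
            yield event

def at_least(event, minimum):
    """True when the event is at least as severe as `minimum`."""
    return PRIORITIES.index(event["priority"]) <= PRIORITIES.index(minimum)

def to_alert(event):
    """Flatten the Kubernetes context out of output_fields. Events raised before pod
    metadata is known (k8s.pod.name null, as in the sensitive-mount event above) are
    labelled instead of crashing the formatter."""
    f = event.get("output_fields", {})
    ns, pod = f.get("k8s.ns.name"), f.get("k8s.pod.name")
    where = f"{ns}/{pod}" if ns and pod else f"container {f.get('container.id', '?')} (no pod metadata)"
    return {"text": f"[{event['priority']}] {event['rule']} in {where}: {f.get('proc.cmdline', '')}",
            "rule": event["rule"], "priority": event["priority"], "namespace": ns, "pod": pod}

def alerts_from_log(lines, minimum="Notice"):
    """Alert records for every event at or above `minimum` priority."""
    return [to_alert(e) for e in parse_falco_lines(lines) if at_least(e, minimum)]

# Constructed sample of a `kubectl logs -f` stream, condensed from the output shown above.
SAMPLE_LOG = [
    "* Running dkms install for falco",
    "Wed May 29 14:55:38 2019: Starting internal webserver, listening on port 8765",
    json.dumps({"priority": "Informational", "rule": "Launch Sensitive Mount Container",
                "output_fields": {"container.id": "9d56002def78", "k8s.ns.name": None,
                                  "k8s.pod.name": None, "proc.cmdline": "container:9d56002def78"}}),
    json.dumps({"priority": "Notice", "rule": "Terminal shell in container",
                "output_fields": {"container.id": "9d56002def78", "k8s.ns.name": "default",
                                  "k8s.pod.name": "falco-daemonset-99p8j", "proc.cmdline": "bash"}}),
    '{"output":"truncated',  # a line cut off in the middle of an event
]
```

Feed it the real stream with `kubectl logs -f <falco-pod> | python3 -u` wrapped in a small loop over `sys.stdin`, and route each record's `text` to whatever back end you use.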

Now you can trigger the Netcat rule shown earlier:

nc -l 4444
kubectl logs falco-daemonset-99p8j
...

{"output":"18:00:41.530249297: Notice Network tool launched in container (user=root command=nc -l 4444 container_id=9d56002def78 container_name=falco image=docker.io/falcosecurity/falco:dev) k8s.ns=default k8s.pod=falco-daemonset-99p8j container=9d56002def78 k8s.ns=default k8s.pod=falco-daemonset-99p8j container=9d56002def78","priority":"Notice","rule":"Lauch Suspicious Network Tool in Container","time":"2019-05-29T18:00:41.530249297Z", "output_fields": {"container.id":"9d56002def78","container.image.repository":"docker.io/falcosecurity/falco","container.image.tag":"dev","container.name":"falco","evt.time":1559152841530249297,"k8s.ns.name":"default","k8s.pod.name":"falco-daemonset-99p8j","proc.cmdline":"nc -l 4444","user.name":"root"}}
...
$ echo '{"output":"18:00:41.530249297: Notice Network tool launched in container (user=root command=nc -l 4444 container_id=9d56002def78 container_name=falco image=docker.io/falcosecurity/falco:dev) k8s.ns=default k8s.pod=falco-daemonset-99p8j container=9d56002def78 k8s.ns=default k8s.pod=falco-daemonset-99p8j container=9d56002def78","priority":"Notice","rule":"Lauch Suspicious Network Tool in Container","time":"2019-05-29T18:00:41.530249297Z", "output_fields": {"container.id":"9d56002def78","container.image.repository":"docker.io/falcosecurity/falco","container.image.tag":"dev","container.name":"falco","evt.time":1559152841530249297,"k8s.ns.name":"default","k8s.pod.name":"falco-daemonset-99p8j","proc.cmdline":"nc -l 4444","user.name":"root"}}' | jq '.'
{
  "output": "18:00:41.530249297: Notice Network tool launched in container (user=root command=nc -l 4444 container_id=9d56002def78 container_name=falco image=docker.io/falcosecurity/falco:dev) k8s.ns=default k8s.pod=falco-daemonset-99p8j container=9d56002def78 k8s.ns=default k8s.pod=falco-daemonset-99p8j container=9d56002def78",
  "priority": "Notice",
  "rule": "Lauch Suspicious Network Tool in Container",
  "time": "2019-05-29T18:00:41.530249297Z",
  "output_fields": {
    "container.id": "9d56002def78",
    "container.image.repository": "docker.io/falcosecurity/falco",
    "container.image.tag": "dev",
    "container.name": "falco",
    "evt.time": 1559152841530249200,
    "k8s.ns.name": "default",
    "k8s.pod.name": "falco-daemonset-99p8j",
    "proc.cmdline": "nc -l 4444",
    "user.name": "root"
  }
}

You have seen what kinds of events Falco can discover and how it is configured.

Source:

https://developer.ibm.com/zh/tutorials/installing-and-using-sysdig-falco/