Falco Basics
Falco is an open-source, cloud-native runtime security project designed to detect unexpected application behavior and alert on threats in real time.
By default, Falco has 5 outputs for its events: stdout, file, gRPC, shell and http.
These can be integrated with other components using falcosidekick, a daemon that forwards Falco events to many more destinations (Slack among them) and adds a web UI for browsing them.
Key Points about Falco:
- Runtime Security: It continuously monitors your applications, containers, and hosts at runtime to detect abnormal activities.
- Container Visibility: It provides complete visibility into containerized environments using a single lightweight sensor.
- Rules-Based Detection: Falco uses a rich set of rules to define what is considered abnormal. When these rules are violated, alerts are triggered.
Examples of what Falco can detect by default:
- A shell being run inside a container (which could indicate a breach).
- A server process spawning an unexpected type of child process.
- An attempt to read sensitive files, like /etc/shadow.
Falco Installation
kubectl create namespace falco
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco falcosecurity/falco \
--set falcosidekick.enabled=true \
--set falcosidekick.webui.enabled=true \
-n falco
# falco → release name
# falcosecurity/falco → chart
# -n falco → installs Falco into the separate falco namespace created above (alternatively add --create-namespace to the helm command and skip the kubectl create namespace step)
# check that the Falco pods are running:
kubectl get pods -n falco
Test Using Falco UI
kubectl run nginx --image=nginx -n falco --restart=Never -- sleep infinity
kubectl exec -it nginx -n falco -- bash
# opening an interactive shell in the container is what the default "shell in container" rule alerts on
# in a second terminal, expose the falcosidekick UI (the service lives in the falco namespace):
kubectl port-forward --address=0.0.0.0 svc/falco-falcosidekick-ui -n falco 3000:2802
# open http://<host>:3000 and log in with user: admin , password: admin
# go to the Events tab
Falco Slack Notifications
Follow these steps to create and test a Slack Incoming Webhook for Falco alerts:
Create a Channel
- Channels => Create => Create Channel => Channel Name => Falco
Create an App
- Click Create New App
- Go to Slack API Apps
- Choose From Scratch
- Enter App Name: Falco Slack App
- Pick a workspace to develop your app: Test
- Click Create App
Enable Incoming Webhooks
- From the left sidebar → click Incoming Webhooks
- Switch Activate Incoming Webhooks → ON
Add a Webhook to Workspace
- Scroll down and click Add New Webhook to Workspace
- Select a channel: #falco
- Click Allow
Copy and Test the Sample Curl URL Request
Run the sample Curl URL request in your terminal:
curl -X POST -H 'Content-type: application/json' \
--data '{"text":"Hello, World!"}' \
https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
Open your Slack #falco channel; you should see: Hello, World!
Copy the webhook URL provided and use it below:
helm upgrade falco falcosecurity/falco \
--set falcosidekick.enabled=true \
--set falcosidekick.webui.enabled=true \
--set falcosidekick.config.slack.webhookurl="https://hooks.slack.com/services/XXXX" \
--set falcosidekick.config.customfields="environment:production\,datacenter:egypt" \
-n falco
# check the revision number
helm ls -n falco
# attach a terminal in a container again to trigger an alert (delete the nginx pod from the earlier UI test first if it still exists)
kubectl run nginx --image=nginx -n falco --restart=Never -- sleep infinity
kubectl exec -it nginx -n falco -- bash
# the alert should now arrive in the Slack #falco channel, carrying the custom fields set above
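To make concrete what happens between the Falco event and the Slack message, here is an added Python example (not code from the page, Falco or falcosidekick) that parses a constructed Falco JSON event, applies a minimum-priority filter, merges in the custom fields from the helm values above, and builds a Slack incoming-webhook payload. The Slack message layout is a simplified assumption, not falcosidekick's real template; the custom-fields string is the unescaped form (plain commas) that falcosidekick receives.

```python
import json

# A Falco event in its JSON output format (what the stdout/file/http outputs emit
# with json_output enabled). This sample is constructed for the example.
SAMPLE_EVENT = json.dumps({
    "hostname": "worker-1",
    "output": "12:00:01.000000000: Notice A shell was spawned in a container with an "
              "attached terminal (user=root container_id=abcd1234 image=nginx shell=bash)",
    "priority": "Notice",
    "rule": "Terminal shell in container",
    "source": "syscall",
    "time": "2024-01-01T12:00:01.000000000Z",
    "output_fields": {"container.id": "abcd1234", "container.image.repository": "nginx",
                      "proc.name": "bash", "user.name": "root"},
})

# Falco priorities from most to least severe (Falco's own ordering).
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]


def parse_customfields(spec):
    """Parse the 'key:value,key:value' list passed as falcosidekick.config.customfields."""
    fields = {}
    for item in spec.split(","):
        key, _, value = item.partition(":")
        if key.strip():
            fields[key.strip()] = value.strip()
    return fields


def build_slack_payload(raw_event, customfields, minimum_priority="Notice"):
    """Turn one Falco JSON event into a Slack incoming-webhook payload.

    Returns None when the event is less severe than minimum_priority, the same
    kind of filter a forwarder applies before notifying a channel.
    """
    event = json.loads(raw_event)
    if PRIORITIES.index(event["priority"]) > PRIORITIES.index(minimum_priority):
        return None
    # Custom fields first (environment, datacenter, ...), then Falco's own output fields.
    fields = {**customfields, **event["output_fields"]}
    return {
        "text": f"*{event['priority']}* `{event['rule']}` on `{event['hostname']}`",
        "attachments": [{
            "text": event["output"],
            "fields": [{"title": k, "value": str(v), "short": True} for k, v in fields.items()],
            "footer": f"Falco {event['source']} event at {event['time']}",
        }],
    }
```

The returned dict is exactly what the curl test above posts as `--data`; pointing it at the webhook URL delivers the alert to #falco.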