|
| 1 | +# Gardener Falco Extension - Managed Falco in shoot clusters |
| 2 | + |
| 3 | +## Introduction |
| 4 | + |
| 5 | +This extension deploys and manages Falco in shoot clusters in a Gardener native |
| 6 | +way, offering options to persist runtime events for further processing. Users |
| 7 | +may enable it by adding an extension configuration to the shoot manifest. |
| 8 | + |
| 9 | +Falco is a cloud-native runtime security tool for Linux, designed to detect |
| 10 | +and alert on abnormal behavior and potential security threats in real-time |
| 11 | +([falco.org](https://falco.org/)). |
| 12 | +In our Gardener landscapes, it effectively detects unusual runtime events, |
| 13 | +such as debugging activities, host configuration changes, or software |
| 14 | +installations in containers. If not detected as part of legitimate debugging |
| 15 | +activity, these events likely indicate malicious behavior. |
| 16 | + |
| 17 | +Falco is a powerful runtime threat detection engine but comes with limited |
| 18 | +means to deploy on many Kubernetes clusters or sophisticated event analysis |
| 19 | +and visualization for many clusters. These features are usually provided by |
| 20 | +commercial products: some of them rely on Falco as the threat detection |
| 21 | +engine, for example from [Sysdig](https://sysdig.com/products/platform/) and |
| 22 | +[Trend Micro](https://www.trendmicro.com/en_us/business/products/one-platform.html). |
| 23 | + |
| 24 | +## Getting Started |
| 25 | + |
| 26 | +For the most basic setup add the following default configuration in `.spec.extensions` |
| 27 | +to the shoot manifest. It is sufficient to deploy Falco: |
| 28 | + |
| 29 | +```yaml |
| 30 | +spec: |
| 31 | + extensions: |
| 32 | + - type: shoot-falco-service |
| 33 | +``` |
| 34 | +
|
| 35 | +Based on this extension configuration the Falco extension will deploy the |
| 36 | +latest Falco version configured as `supported` and ensure it is kept |
| 37 | +up to date by always updating it to the latest available Falco version configured |
| 38 | +for the landscape. The ruleset will be managed by Gardener and will provide |
| 39 | +[standard rules](https://github.com/falcosecurity/rules/blob/main/rules/falco_rules.yaml) |
| 40 | +which are designed to offer basic detection capabilities. |
| 41 | +This is a tradeoff between sophisticated detection capabilities and the |
| 42 | +number of false positive events. More rules mean |
| 43 | +better threat detection capabilities but potentially tens of thousands of |
| 44 | +false-positive events. The standard Falco ruleset has been optimized not to emit |
| 45 | +any false positive events in an empty cluster managed by Gardener. Depending on |
| 46 | +the workload, rule exceptions may need to be defined. |
| 47 | + |
| 48 | +To verify functionality, generate sample events by running the following command |
| 49 | +within the shoot cluster: |
| 50 | + |
| 51 | +``` bash |
| 52 | +$ kubectl run sample-events -it --rm --image falcosecurity/event-generator -- run syscall --all |
| 53 | +
|
| 54 | +If you don't see a command prompt, try pressing enter. |
| 55 | +INFO action executed action=syscall.KubernetesClientToolLaunchedInContainer |
| 56 | +INFO sleep for 100ms action=syscall.ReadSshInformation |
| 57 | +INFO action executed action=syscall.ReadSshInformation |
| 58 | +INFO sleep for 100ms action=syscall.FindAwsCredentials |
| 59 | +INFO action executed action=syscall.FindAwsCredentials |
| 60 | +INFO sleep for 100ms action=syscall.DetectCryptoMinersUsingTheStratumProtocol |
| 61 | +INFO action executed action=syscall.DetectCryptoMinersUsingTheStratumProtocol |
| 62 | +INFO sleep for 100ms action=syscall.PotentialLocalPrivilegeEscalationViaEnvironmentVariablesMisuse |
| 63 | +INFO action executed action=syscall.PotentialLocalPrivilegeEscalationViaEnvironmentVariablesMisuse |
| 64 | +INFO sleep for 100ms action=syscall.DbProgramSpawnedProcess |
| 65 | +INFO spawn as "mysqld" action=syscall.DbProgramSpawnedProcess args="^helper.ExecLs$" |
| 66 | +INFO sleep for 100ms action=helper.ExecLs as=mysqld |
| 67 | +INFO action executed action=helper.ExecLs as=mysqld |
| 68 | +INFO sleep for 100ms action=syscall.WriteBelowRpmDatabase |
| 69 | +INFO action executed action=syscall.WriteBelowRpmDatabase |
| 70 | +INFO sleep for 100ms action=syscall.LaunchRemoteFileCopyToolsInContainer |
| 71 | +INFO sleep for 100ms action=syscall.LaunchIngressRemoteFileCopyToolsInContainer |
| 72 | +[...] |
| 73 | +``` |
| 74 | + |
| 75 | +Once messages appear, let it run for a few seconds, and then end it with Ctrl+C. |
| 76 | + |
| 77 | +By default, events are forwarded to the cluster logging stack and stored in the |
| 78 | +Vali database. Query the database via Plutono using [LogQL queries](https://grafana.com/docs/loki/latest/query/), |
| 79 | +such as: |
| 80 | + |
| 81 | +``` |
| 82 | +{rule=~".+", tags=~".+", source=~".+"} |
| 83 | +``` |
| 84 | + |
| 85 | +## Further Details |
| 86 | + |
| 87 | +This minimal configuration can be customized further. Users can select specific |
| 88 | +Falco versions, select from 3 rule files provided by the Falco community, add |
| 89 | +custom rules and specify event destinations. A full description of |
| 90 | +configuration options is available [here](falco-configuration.md). |
| 91 | + |
| 92 | +[Falco profiles](falco-profile.md) contain information on available Falco |
| 93 | +versions and their support status. |
0 commit comments