Falco detects a variety of suspicious behavior. In this recipe, we will produce some activities that would be suspicious on a normal production cluster.
Let's perform the following steps to produce activities that trigger Falco rules and then read the resulting alerts from the Falco logs:
- First, we need to review the full rules before we test some of the behaviors. Falco has two rules files. Inside a Falco pod, the default rules are located at /etc/falco/falco_rules.yaml, while the local rules file is located at /etc/falco/falco_rules.local.yaml; the working copies used in this recipe are under config/. Your custom rules and modifications should go in falco_rules.local.yaml: it is loaded after the default rules file, so it can override the default macros and lists, and it is not overwritten when the default rules are upgraded:
$ cat config/falco_rules.yaml
$ cat config/falco_rules.local.yaml
- You will see a long list of default rules and macros. Some of them are as follows:
- rule: Disallowed SSH Connection
- rule: Launch Disallowed Container
- rule: Contact K8S API Server From Container
- rule: Unexpected K8s NodePort Connection
- rule: Launch Suspicious Network Tool in Container
- rule: Create Symlink Over Sensitive Files
- rule: Detect crypto miners using the Stratum protocol
- Let's test that Falco is working by getting a bash shell into one of the Falco pods and then viewing that pod's logs. List the Falco pods:
$ kubectl get pods | grep falco-daemonset
falco-daemonset-94p8w 1/1 Running 0 2m34s
falco-daemonset-c49v5 1/1 Running 0 2m34s
falco-daemonset-htrxw 1/1 Running 0 2m34s
falco-daemonset-kwms5 1/1 Running 0 2m34s
- Get bash shell access to one of the Falco pods from the output of the preceding command, type exit to leave the shell, and then view the logs of the same pod (the -- separates kubectl's own flags from the command run in the container):
$ kubectl exec -it falco-daemonset-94p8w -- bash
$ kubectl logs falco-daemonset-94p8w
- In the logs, you will see that Falco detected our shell access to the pod: the Terminal shell in container rule fires at Notice priority, and the output_fields object carries the namespace, pod, container ID, image, user, and parent process you need to triage it. Note that Falco reports the shell even though it was opened in one of its own pods; no workload is exempt by default:
{"output":"00:58:23.798345403: Notice A shell was spawned in a container with an attached terminal (user=root k8s.ns=default k8s.pod=falco-daemonset-94p8w container=0fcbc74d1b4c shell=bash parent=docker-runc cmdline=bash terminal=34816 container_id=0fcbc74d1b4c image=falcosecurity/falco) k8s.ns=default k8s.pod=falco-daemonset-94p8w container=0fcbc74d1b4c k8s.ns=default k8s.pod=falco-daemonset-94p8w container=0fcbc74d1b4c","priority":"Notice","rule":"Terminal shell in container","time":"2019-11-13T00:58:23.798345403Z", "output_fields": {"container.id":"0fcbc74d1b4c","container.image.repository":"falcosecurity/falco","evt.time":1573606703798345403,"k8s.ns.name":"default","k8s.pod.name":"falco-daemonset-94p8w","proc.cmdline":"bash","proc.name":"bash","proc.pname":"docker-runc","proc.tty":34816,"user.name":"root"}}
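On a cluster with more than a handful of pods, reading raw JSON alerts line by line does not scale, so the natural next step is to triage them. The following script is an added example, not part of the recipe or of the Falco project. It parses the JSON alert lines that Falco writes when json_output is enabled (the format shown above), skips the plain-text startup messages interleaved in the same log, filters by priority, and counts alerts per rule, namespace, and pod. The sample log it runs on is constructed for this example and modeled on the alert above; the second set of alerts (a pod named shell running nmap and a miner) is invented to show more than one rule firing.

```python
"""Triage Falco JSON alerts from `kubectl logs` output.

Added example, not code from the recipe or from the Falco project.
Assumes json_output: true in falco.yaml, which is what produces the
one-object-per-line alerts shown in the recipe.
"""
import json
import sys
from collections import Counter

# Falco priorities from most to least severe (the Falco rule schema).
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
RANK = {p: i for i, p in enumerate(PRIORITIES)}


def parse_falco_lines(lines):
    """Return the JSON alert objects found in `lines`.

    Falco's log mixes plain-text startup messages ("Falco initialized...",
    "Loading rules from file...") with JSON alerts, so anything that is not
    a complete JSON object carrying rule and priority is skipped, not raised.
    """
    alerts = []
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            evt = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or partial line, e.g. a cut-off tail
        if "rule" in evt and "priority" in evt:
            alerts.append(evt)
    return alerts


def at_least(alerts, priority):
    """Alerts whose priority is `priority` or more severe."""
    cutoff = RANK[priority]
    return [a for a in alerts
            if RANK.get(a["priority"], len(PRIORITIES)) <= cutoff]


def summarize(alerts):
    """Count alerts per (rule, namespace, pod) so repeated noise stands out.

    Host-level alerts (no k8s.* fields) are bucketed under <host>.
    """
    counts = Counter()
    for a in alerts:
        f = a.get("output_fields", {})
        key = (a["rule"], f.get("k8s.ns.name", "<host>"),
               f.get("k8s.pod.name", "<host>"))
        counts[key] += 1
    return counts


# Constructed sample log (not captured output): shaped like the recipe's
# alert, plus invented alerts from a pod named "shell" and one broken line.
SAMPLE_LOG = """\
Wed Nov 13 00:57:10 2019: Falco initialized with configuration file /etc/falco/falco.yaml
Wed Nov 13 00:57:10 2019: Loading rules from file /etc/falco/falco_rules.yaml:
{"output":"00:58:23.798345403: Notice A shell was spawned in a container with an attached terminal (user=root k8s.ns=default k8s.pod=falco-daemonset-94p8w container=0fcbc74d1b4c shell=bash parent=docker-runc cmdline=bash terminal=34816 container_id=0fcbc74d1b4c image=falcosecurity/falco)","priority":"Notice","rule":"Terminal shell in container","time":"2019-11-13T00:58:23.798345403Z","output_fields":{"container.id":"0fcbc74d1b4c","container.image.repository":"falcosecurity/falco","k8s.ns.name":"default","k8s.pod.name":"falco-daemonset-94p8w","proc.cmdline":"bash","proc.name":"bash","proc.pname":"docker-runc","proc.tty":34816,"user.name":"root"}}
{"output":"00:59:01.000000000: Notice Network tool launched in container (user=root command=nmap -sS 10.0.0.0/24 container_id=1a2b3c4d5e6f image=busybox)","priority":"Notice","rule":"Launch Suspicious Network Tool in Container","time":"2019-11-13T00:59:01.000000000Z","output_fields":{"container.id":"1a2b3c4d5e6f","k8s.ns.name":"default","k8s.pod.name":"shell","proc.cmdline":"nmap -sS 10.0.0.0/24","user.name":"root"}}
{"output":"00:59:30.000000000: Critical Crypto miner detected (user=root command=minerd -o stratum+tcp://pool.example:3333 container_id=1a2b3c4d5e6f)","priority":"Critical","rule":"Detect crypto miners using the Stratum protocol","time":"2019-11-13T00:59:30.000000000Z","output_fields":{"container.id":"1a2b3c4d5e6f","k8s.ns.name":"default","k8s.pod.name":"shell","proc.cmdline":"minerd -o stratum+tcp://pool.example:3333","user.name":"root"}}
{"output":"00:59:45.000000000: Notice A shell was spawned in a container with an attached terminal (user=root k8s.ns=default k8s.pod=shell container=1a2b3c4d5e6f shell=sh)","priority":"Notice","rule":"Terminal shell in container","time":"2019-11-13T00:59:45.000000000Z","output_fields":{"container.id":"1a2b3c4d5e6f","k8s.ns.name":"default","k8s.pod.name":"shell","proc.cmdline":"sh","user.name":"root"}}
{"output":"01:00:00.000000000: Notice this line was cut off by the log
"""


if __name__ == "__main__":
    # Pipe real output in: kubectl logs <falco-pod> | python3 falco_triage.py
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    alerts = parse_falco_lines(src)
    print(f"{len(alerts)} alerts")
    for (rule, ns, pod), n in summarize(alerts).most_common():
        print(f"{n:3d}  {rule:<50} {ns}/{pod}")
    for a in at_least(alerts, "Warning"):
        print("ESCALATE:", a["rule"], "-",
              a.get("output_fields", {}).get("proc.cmdline"))
```

Run it with no input to see the built-in sample, or pipe `kubectl logs falco-daemonset-94p8w` into it on a real cluster. The priority filter is the point of the exercise: the two Terminal shell in container alerts and the nmap launch are Notice, while the miner is Critical and is the only alert that at_least(alerts, "Warning") escalates. If you decide the shell you opened in the Falco pod during this recipe is expected, the right fix is an exception in falco_rules.local.yaml, not a filter in a script like this one.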
With that, you've seen Falco detect suspicious behavior in a running cluster. The same workflow, triggering the activity and then reading the alert from the Falco pod's logs, applies to any of the rules listed above, and it is how you should verify every custom rule you add to falco_rules.local.yaml before relying on it.