Falco - kamialie/knowledge_corner GitHub Wiki
Falco
Falco detects and alerts on runtime security violations across hosts, containers,
Kubernetes and cloud environments, e.g. privilege escalation, namespace changes, and
reading from or writing to well-known locations such as /etc or /usr/bin.
```sh
# Run falco for 45 seconds with a custom rules file
$ sudo falco -M45 -r rules.yml
```
Rules
`falco --list` outputs the fields known to Falco that can be used in the
`condition` and/or `output` properties of a rule.
Rule examples:

```yaml
- rule: write_below_etc
  desc: Detect attempts to write to any file within /etc or subdirectories
  condition: >
    (evt.type in (open, openat, openat2) and evt.is_open_write=true and fd.typechar="f" and fd.num>=0) and
    fd.name startswith /etc and
    not container.image.repository in (trusted_images)
  output: >
    File below /etc opened for writing (user=%user.name user_id=%user.uid
    process=%proc.name parent=%proc.pname command=%proc.cmdline file=%fd.name
    container=%container.id image=%container.image.repository)
  priority: ERROR
  tags: [filesystem, mitre_persistence, T1517.001]

- list: trusted_images
  items: [busybox]

- rule: curl_with_a_bearer_token
  desc: Detect usage of curl with a bearer token in Authorization header
  condition: >
    proc.name = "curl" and
    evt.args contains "Authorization: Bearer"
  output: >
    Detected curl using bearer token (user=%user.name command=%proc.cmdline)
  priority: WARNING
  tags: [network, bearer, curl, token]

- rule: unauthorized_configmap_access
  desc: Detect unauthorized access to sensitive ConfigMaps
  condition: >
    kevt and k8s_audit and
    (ka.verb in (get, list)) and
    ka.target.resource=configmaps and
    ka.target.labels.sensitive=true and
    not ka.user.name in (admin, kube-system, trusted-user) and
    not ka.user.groups contains "system:masters"
  output: >
    Unauthorized access to sensitive ConfigMaps detected. (user=%ka.user.name verb=%ka.verb namespace=%ka.target.namespace)
  priority: CRITICAL
  source: k8s_audit

- rule: spawned_processes_in_example_container
  desc: Detect processes spawned in example container
  condition: container.name = "example" and evt.type = execve
  output: "%evt.time,%container.id,%container.image,%user.uid,%proc.name"
  priority: NOTICE
```
`fd.num>=0` filters out invalid or uninitialized file descriptors (e.g. sockets that were never set up). `tags` indicate what
the given rule is related to; `ka` refers to Kubernetes API audit fields.
`kevt` indicates a Kubernetes event; `k8s_audit` specifies that the event comes
from Kubernetes audit logs. ConfigMaps are filtered by the `sensitive=true` label.
Output all spawned processes in a specific container:

```yaml
- rule: newly_spawned_processes
  desc: Detect new processes
  condition: container.name = "nginx" and evt.type = execve
  output: "%evt.time,%proc.name,%user.uid,%container.id,%container.name,%container.image"
  priority: WARNING
```
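Once rules like the ones above fire, the alerts still have to be consumed. The following is an added example (not part of the wiki page or the Falco project) that reads Falco's JSON output (`falco -o json_output=true`), drops non-JSON lines, keeps alerts at or above a minimum priority, and counts them per rule and container; the alert lines are constructed samples whose rule names match the rules above.

```python
import json
from collections import Counter

# Falco priority names as they appear in JSON output, most to least severe.
PRIORITY_ORDER = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]
RANK = {name: i for i, name in enumerate(PRIORITY_ORDER)}

# Constructed sample of `falco -o json_output=true` lines (not real captures).
# The fourth line imitates a non-JSON startup message that must be skipped.
SAMPLE_ALERTS = """\
{"output":"File below /etc opened for writing (user=root ...)","priority":"Error","rule":"write_below_etc","time":"2024-01-01T10:00:00.000000000Z","output_fields":{"container.id":"abc123","container.image.repository":"nginx","fd.name":"/etc/passwd","proc.name":"bash","user.name":"root"}}
{"output":"Detected curl using bearer token (...)","priority":"Warning","rule":"curl_with_a_bearer_token","time":"2024-01-01T10:00:01.000000000Z","output_fields":{"container.id":"abc123","proc.cmdline":"curl -H Authorization: Bearer x","user.name":"app"}}
{"output":"2024-01-01T10:00:02.000000000Z,def456,nginx,0,sh","priority":"Notice","rule":"spawned_processes_in_example_container","time":"2024-01-01T10:00:02.000000000Z","output_fields":{"container.id":"def456","proc.name":"sh"}}
Mon Jan  1 10:00:02 2024: Falco version: x.y.z (not an alert line)
{"output":"File below /etc opened for writing (...)","priority":"Error","rule":"write_below_etc","time":"2024-01-01T10:00:03.000000000Z","output_fields":{"container.id":"abc123","fd.name":"/etc/shadow","proc.name":"bash","user.name":"root"}}
"""

def parse_alerts(text):
    """Yield parsed alert dicts, skipping lines that are not Falco JSON alerts."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "rule" in alert and "priority" in alert:
            yield alert

def filter_alerts(text, min_priority="Warning"):
    """Keep alerts whose priority is at least min_priority (unknown priorities are dropped)."""
    cutoff = RANK[min_priority]
    return [a for a in parse_alerts(text) if RANK.get(a["priority"], 99) <= cutoff]

def summarize(alerts):
    """Count alerts per (rule, container.id); host-level alerts have no container.id."""
    return Counter((a["rule"], a.get("output_fields", {}).get("container.id", "host"))
                   for a in alerts)

if __name__ == "__main__":
    kept = filter_alerts(SAMPLE_ALERTS)
    for (rule, cid), n in summarize(kept).most_common():
        print(f"{n:3d}  {rule:40s} container={cid}")
```

In practice the text would come from a pipe such as `sudo falco -o json_output=true -r rules.yml | python3 this_script.py`, reading `sys.stdin` instead of the constructed sample.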