Practical Cloud Native Security with Falco

Practical Cloud Native Security with Falco

by Loris Degioanni, Leonardo Grasso
Released August 2022
Publisher(s): O'Reilly Media, Inc.
ISBN: 9781098118570

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Buy on Amazon Buy on ebooks.com
Start your free trial

Book description

As more and more organizations migrate their applications to the cloud, cloud native computing has become the dominant way to approach software development and execution. Protecting modern, cloud native applications from threats requires the ability to defend them at runtime, when they're most vulnerable to attacks.

This practical guide introduces you to Falco, the open source standard for continuous risk and threat detection across Kubernetes, containers, and the cloud. Falco creator Loris Degioanni and core maintainer Leonardo Grasso bring you up to speed on threat detection and show you how to get Falco up and running, plus advanced topics such as deploying Falco in production and writing your own security rules.

You'll learn how to:

  • Leverage runtime security in cloud native environments
  • Detect configuration changes and unexpected behavior in the cloud
  • Protect containers, Kubernetes, and cloud applications using Falco
  • Run, deploy, and customize Falco
  • Deploy, configure, and maintain Falco in a production environment
  • Improve your compliance

Table of contents

  1. Preface
    1. Who Is This Book For?
    2. Overview
      1. Part I: The Basics
      2. Part II: The Architecture of Falco
      3. Part III: Running Falco in Production
      4. Part IV: Extending Falco
    3. Conventions Used in This Book
    4. Using Code Examples
    5. O’Reilly Online Learning
    6. How to Contact Us
    7. Acknowledgments
      1. Leonardo
      2. Loris
  2. I. The Basics
  3. 1. Introducing Falco
    1. Falco in a Nutshell
      1. Sensors
      2. Data Sources
      3. Rules
      4. Data Enrichment
      5. Output Channels
      6. Containers and More
    2. Falco’s Design Principles
      1. Specialized for Runtime
      2. Suitable for Production
      3. Intent-Free Instrumentation
      4. Optimized to Run at the Edge
      5. Avoids Moving and Storing a Ton of Data
      6. Scalable
      7. Truthful
      8. Robust Defaults, Richly Extensible
      9. Simple
    3. What You Can Do with Falco
    4. What You Cannot Do with Falco
    5. Background and History
      1. Network Packets: BPF, libpcap, tcpdump, and Wireshark
      2. Snort and Packet-Based Runtime Security
      3. The Network Packets Crisis
      4. System Calls as a Data Source: sysdig
      5. Falco
  4. 2. Getting Started with Falco on Your Local Machine
    1. Running Falco on Your Local Machine
      1. Downloading and Installing the Binary Package
      2. Installing the Driver
      3. Starting Falco
    2. Generating Events
    3. Interpreting Falco’s Output
    4. Customizing Your Falco Instance
      1. Rules Files
      2. Output Channels
    5. Conclusion
  5. II. The Architecture of Falco
  6. 3. Understanding Falco’s Architecture
    1. Falco and the Falco Libraries: A Data-Flow View
    2. Drivers
    3. Plugins
    4. libscap
      1. Managing Data Sources
      2. Supporting Trace Files
      3. Collecting System State
    5. libsinsp
      1. State Engine
      2. Event Parsing
      3. Filtering
      4. Output Formatting
      5. One More Thing About libsinsp
    6. Rule Engine
    7. Conclusion
  7. 4. Data Sources
    1. System Calls
      1. Examples
      2. Observing System Calls
    2. Capturing System Calls
      1. Accuracy
      2. Performance
      3. Scalability
      4. So What About Stability and Security?
      5. Kernel-Level Instrumentation Approaches
    3. The Falco Drivers
      1. Which Driver Should You Use?
      2. Capturing System Calls Within Containers
    4. Running the Falco Drivers
      1. Kernel Module
      2. eBPF Probe
      3. Using Falco in Environments Where Kernel Access Is Not Available: pdig
      4. Running Falco with pdig
    5. Falco Plugins
      1. Plugin Architecture Concepts
      2. How Falco Uses Plugins
    6. Conclusion
  8. 5. Data Enrichment
    1. Understanding Data Enrichment for Syscalls
      1. Operating System Metadata
      2. Container Metadata
      3. Kubernetes Metadata
    2. Data Enrichment with Plugins
    3. Conclusion
  9. 6. Fields and Filters
    1. What Is a Filter?
    2. Filtering Syntax Reference
      1. Relational Operators
      2. Logical Operators
      3. Strings and Quoting
    3. Fields
      1. Argument Fields Versus Enrichment Fields
      2. Mandatory Fields Versus Optional Fields
      3. Field Types
    4. Using Fields and Filters
      1. Fields and Filters in Falco
      2. Fields and Filters in sysdig
    5. Falco’s Most Useful Fields
      1. General
      2. Processes
      3. File Descriptors
      4. Users and Groups
      5. Containers
      6. Kubernetes
      7. CloudTrail
      8. Kubernetes Audit Logs
    6. Conclusion
  10. 7. Falco Rules
    1. Introducing Falco Rules Files
    2. Anatomy of a Falco Rules File
      1. Rules
      2. Macros
      3. Lists
      4. Rule Tagging
      5. Declaring the Expected Engine Version
    3. Replacing, Appending to, and Disabling Rules
      1. Replacing Macros, Lists, and Rules
      2. Appending to Macros, Lists, and Rules
      3. Disabling Rules
    4. Conclusion
  11. 8. The Output Framework
    1. Falco’s Output Architecture
    2. Output Formatting
    3. Output Channels
      1. Standard Output
      2. Syslog Output
      3. File Output
      4. Program Output
      5. HTTP Output
      6. gRPC Output
      7. Other Logging Options
    4. Conclusion
  12. III. Running Falco in Production
  13. 9. Installing Falco
    1. Choosing Your Setup
    2. Installing Directly on the Host
      1. Using a Package Manager
      2. Without Using a Package Manager
      3. Managing the Driver
    3. Running Falco in a Container
      1. Syscall Instrumentation Scenario
      2. Plugin Scenario
    4. Deploying to a Kubernetes Cluster
      1. Using Helm
      2. Using Manifests
    5. Conclusion
  14. 10. Configuring and Running Falco
    1. Configuring Falco
    2. Differences Among Installation Methods
      1. Host Installation
      2. Containers
      3. Kubernetes Deployments
    3. Command-Line Options and Environment Variables
      1. Configuration Settings
      2. Instrumentation Settings (Syscalls Only)
      3. Data Enrichment Settings (Syscalls Only)
      4. Ruleset Settings
      5. Output Settings
      6. Other Settings for Debugging and Troubleshooting
    4. Configuration File
    5. Ruleset
      1. Loading Rules Files
      2. Tuning the Ruleset
    6. Using Plugins
    7. Changing the Configuration
    8. Conclusion
  15. 11. Using Falco for Cloud Security
    1. Why Falco for AWS Security?
    2. Falco’s Architecture and AWS Security
      1. Detection Examples
    3. Configuring and Running Falco for CloudTrail Security
      1. Receiving Log Files Through an SQS Queue
      2. Reading Events from an S3 Bucket or the Local Filesystem
    4. Extending Falco’s AWS Ruleset
    5. What About Other Clouds?
    6. Conclusion
  16. 12. Consuming Falco Events
    1. Working with Falco Outputs
      1. falco-exporter
      2. Falcosidekick
    2. Observability and Analysis
    3. Getting Notified
    4. Responding to Threats
    5. Conclusion
  17. IV. Extending Falco
  18. 13. Writing Falco Rules
    1. Customizing the Default Falco Rules
    2. Writing New Falco Rules
      1. Our Rule Development Method
    3. Things to Keep in Mind When Writing Rules
      1. Priorities
      2. Noise
      3. Performance
      4. Tagging
    4. Conclusion
  19. 14. Falco Development
    1. Working with the Codebase
      1. The falcosecurity/falco Repository
      2. The falcosecurity/libs Repository
      3. Building Falco from Source
    2. Extending Falco Using the gRPC API
    3. Extending Falco with Plugins
      1. Preparing a Plugin in Go
      2. Plugin State and Initialization
      3. Adding Event Sourcing Capability
      4. Adding Field Extraction Capability
      5. Finalizing the Plugin
      6. Building a Plugin Written in Go
      7. Using Plugins While Developing
    4. Conclusion
  20. 15. How to Contribute
    1. What Does It Mean to Contribute to Falco?
    2. Where Should I Start?
    3. Contributing to Falcosecurity Projects
      1. Issues
      2. Pull Requests
    4. Conclusion
  21. Index
  22. About the Authors

Product information

  • Title: Practical Cloud Native Security with Falco
  • Author(s): Loris Degioanni, Leonardo Grasso
  • Release date: August 2022
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9781098118570