book

Practical Cloud Native Security with Falco

by Loris Degioanni, Leonardo Grasso

August 2022

Intermediate to advanced

224 pages

5h 38m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Who Is This Book For?OverviewPart I: The BasicsPart II: The Architecture of FalcoPart III: Running Falco in ProductionPart IV: Extending FalcoConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgmentsLeonardoLoris
I. The Basics
1. Introducing Falco
Falco in a NutshellSensorsData SourcesRulesData EnrichmentOutput ChannelsContainers and MoreFalco’s Design PrinciplesSpecialized for RuntimeSuitable for ProductionIntent-Free InstrumentationOptimized to Run at the EdgeAvoids Moving and Storing a Ton of DataScalableTruthfulRobust Defaults, Richly ExtensibleSimpleWhat You Can Do with FalcoWhat You Cannot Do with FalcoBackground and HistoryNetwork Packets: BPF, libpcap, tcpdump, and WiresharkSnort and Packet-Based Runtime SecurityThe Network Packets CrisisSystem Calls as a Data Source: sysdigFalco
2. Getting Started with Falco on Your Local Machine
Running Falco on Your Local MachineDownloading and Installing the Binary PackageInstalling the DriverStarting FalcoGenerating EventsInterpreting Falco’s OutputCustomizing Your Falco InstanceRules FilesOutput ChannelsConclusion
II. The Architecture of Falco
3. Understanding Falco’s Architecture
Falco and the Falco Libraries: A Data-Flow ViewDriversPluginslibscapManaging Data SourcesSupporting Trace FilesCollecting System StatelibsinspState EngineEvent ParsingFilteringOutput FormattingOne More Thing About libsinspRule EngineConclusion
4. Data Sources
System CallsExamplesObserving System CallsCapturing System CallsAccuracyPerformanceScalabilitySo What About Stability and Security?Kernel-Level Instrumentation ApproachesThe Falco DriversWhich Driver Should You Use?Capturing System Calls Within ContainersRunning the Falco DriversKernel ModuleeBPF ProbeUsing Falco in Environments Where Kernel Access Is Not Available: pdigRunning Falco with pdigFalco PluginsPlugin Architecture ConceptsHow Falco Uses PluginsConclusion
5. Data Enrichment
Understanding Data Enrichment for SyscallsOperating System MetadataContainer MetadataKubernetes MetadataData Enrichment with PluginsConclusion
6. Fields and Filters
What Is a Filter?Filtering Syntax ReferenceRelational OperatorsLogical OperatorsStrings and QuotingFieldsArgument Fields Versus Enrichment FieldsMandatory Fields Versus Optional FieldsField TypesUsing Fields and FiltersFields and Filters in FalcoFields and Filters in sysdigFalco’s Most Useful FieldsGeneralProcessesFile DescriptorsUsers and GroupsContainersKubernetesCloudTrailKubernetes Audit LogsConclusion
7. Falco Rules
Introducing Falco Rules FilesAnatomy of a Falco Rules FileRulesMacrosListsRule TaggingDeclaring the Expected Engine VersionReplacing, Appending to, and Disabling RulesReplacing Macros, Lists, and RulesAppending to Macros, Lists, and RulesDisabling RulesConclusion

8. The Output Framework
Falco’s Output ArchitectureOutput FormattingOutput ChannelsStandard OutputSyslog OutputFile OutputProgram OutputHTTP OutputgRPC OutputOther Logging OptionsConclusion
III. Running Falco in Production
9. Installing Falco
Choosing Your SetupInstalling Directly on the HostUsing a Package ManagerWithout Using a Package ManagerManaging the DriverRunning Falco in a ContainerSyscall Instrumentation ScenarioPlugin ScenarioDeploying to a Kubernetes ClusterUsing HelmUsing ManifestsConclusion
10. Configuring and Running Falco
Configuring FalcoDifferences Among Installation MethodsHost InstallationContainersKubernetes DeploymentsCommand-Line Options and Environment VariablesConfiguration SettingsInstrumentation Settings (Syscalls Only)Data Enrichment Settings (Syscalls Only)Ruleset SettingsOutput SettingsOther Settings for Debugging and TroubleshootingConfiguration FileRulesetLoading Rules FilesTuning the RulesetUsing PluginsChanging the ConfigurationConclusion
11. Using Falco for Cloud Security
Why Falco for AWS Security?Falco’s Architecture and AWS SecurityDetection ExamplesConfiguring and Running Falco for CloudTrail SecurityReceiving Log Files Through an SQS QueueReading Events from an S3 Bucket or the Local FilesystemExtending Falco’s AWS RulesetWhat About Other Clouds?Conclusion
12. Consuming Falco Events
Working with Falco Outputsfalco-exporterFalcosidekickObservability and AnalysisGetting NotifiedResponding to ThreatsConclusion
IV. Extending Falco
13. Writing Falco Rules
Customizing the Default Falco RulesWriting New Falco RulesOur Rule Development MethodThings to Keep in Mind When Writing RulesPrioritiesNoisePerformanceTaggingConclusion
14. Falco Development
Working with the CodebaseThe falcosecurity/falco RepositoryThe falcosecurity/libs RepositoryBuilding Falco from SourceExtending Falco Using the gRPC APIExtending Falco with PluginsPreparing a Plugin in GoPlugin State and InitializationAdding Event Sourcing CapabilityAdding Field Extraction CapabilityFinalizing the PluginBuilding a Plugin Written in GoUsing Plugins While DevelopingConclusion
15. How to Contribute
What Does It Mean to Contribute to Falco?Where Should I Start?Contributing to Falcosecurity ProjectsIssuesPull RequestsConclusion
Index
About the Authors

Content preview from Practical Cloud Native Security with Falco

Chapter 1. Introducing Falco

The goal of this first chapter of the book is to explain what Falco is. Don’t worry, we’ll take it easy! We will first look at what Falco does, including a high-level view of its functionality and an introductory description of each of its components. We’ll explore the design principles that inspired Falco and still guide its development today. We’ll then discuss what you can do with Falco, what is outside its domain, and what you can better accomplish with other tools. Finally, we’ll provide some historical context to put things into perspective.

Falco in a Nutshell

At the highest level, Falco is pretty straightforward: you deploy it by installing multiple sensors across a distributed infrastructure. Each sensor collects data (from the local machine or by talking to some API), runs a set of rules against it, and notifies you if something bad happens. Figure 1-1 shows a simplified diagram of how it works.

You can think of Falco like a network of security cameras for your infrastructure: you place the sensors in key locations, they observe what’s going on, and they ping you if they detect harmful behavior. With Falco, bad behavior is defined by a set of rules that the community created and maintains for you and that you can customize or extend for your needs. The alerts generated by your fleet of Falco sensors ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Cloud Native DevOps with Kubernetes, 2nd Edition

Publisher Resources

ISBN: 9781098118563Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Practical Cloud Native Security with Falco

by Loris Degioanni, Leonardo Grasso

Chapter 1. Introducing Falco

Falco in a Nutshell

Figure 1-1. Falco’s high-level architecture

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.