book

Practical Cloud Native Security with Falco

by Loris Degioanni, Leonardo Grasso

August 2022

Intermediate to advanced

224 pages

5h 38m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Who Is This Book For?OverviewPart I: The BasicsPart II: The Architecture of FalcoPart III: Running Falco in ProductionPart IV: Extending FalcoConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgmentsLeonardoLoris
I. The Basics
1. Introducing Falco
Falco in a NutshellSensorsData SourcesRulesData EnrichmentOutput ChannelsContainers and MoreFalco’s Design PrinciplesSpecialized for RuntimeSuitable for ProductionIntent-Free InstrumentationOptimized to Run at the EdgeAvoids Moving and Storing a Ton of DataScalableTruthfulRobust Defaults, Richly ExtensibleSimpleWhat You Can Do with FalcoWhat You Cannot Do with FalcoBackground and HistoryNetwork Packets: BPF, libpcap, tcpdump, and WiresharkSnort and Packet-Based Runtime SecurityThe Network Packets CrisisSystem Calls as a Data Source: sysdigFalco
2. Getting Started with Falco on Your Local Machine
Running Falco on Your Local MachineDownloading and Installing the Binary PackageInstalling the DriverStarting FalcoGenerating EventsInterpreting Falco’s OutputCustomizing Your Falco InstanceRules FilesOutput ChannelsConclusion
II. The Architecture of Falco
3. Understanding Falco’s Architecture
Falco and the Falco Libraries: A Data-Flow ViewDriversPluginslibscapManaging Data SourcesSupporting Trace FilesCollecting System StatelibsinspState EngineEvent ParsingFilteringOutput FormattingOne More Thing About libsinspRule EngineConclusion
4. Data Sources
System CallsExamplesObserving System CallsCapturing System CallsAccuracyPerformanceScalabilitySo What About Stability and Security?Kernel-Level Instrumentation ApproachesThe Falco DriversWhich Driver Should You Use?Capturing System Calls Within ContainersRunning the Falco DriversKernel ModuleeBPF ProbeUsing Falco in Environments Where Kernel Access Is Not Available: pdigRunning Falco with pdigFalco PluginsPlugin Architecture ConceptsHow Falco Uses PluginsConclusion
5. Data Enrichment
Understanding Data Enrichment for SyscallsOperating System MetadataContainer MetadataKubernetes MetadataData Enrichment with PluginsConclusion
6. Fields and Filters
What Is a Filter?Filtering Syntax ReferenceRelational OperatorsLogical OperatorsStrings and QuotingFieldsArgument Fields Versus Enrichment FieldsMandatory Fields Versus Optional FieldsField TypesUsing Fields and FiltersFields and Filters in FalcoFields and Filters in sysdigFalco’s Most Useful FieldsGeneralProcessesFile DescriptorsUsers and GroupsContainersKubernetesCloudTrailKubernetes Audit LogsConclusion
7. Falco Rules
Introducing Falco Rules FilesAnatomy of a Falco Rules FileRulesMacrosListsRule TaggingDeclaring the Expected Engine VersionReplacing, Appending to, and Disabling RulesReplacing Macros, Lists, and RulesAppending to Macros, Lists, and RulesDisabling RulesConclusion

8. The Output Framework
Falco’s Output ArchitectureOutput FormattingOutput ChannelsStandard OutputSyslog OutputFile OutputProgram OutputHTTP OutputgRPC OutputOther Logging OptionsConclusion
III. Running Falco in Production
9. Installing Falco
Choosing Your SetupInstalling Directly on the HostUsing a Package ManagerWithout Using a Package ManagerManaging the DriverRunning Falco in a ContainerSyscall Instrumentation ScenarioPlugin ScenarioDeploying to a Kubernetes ClusterUsing HelmUsing ManifestsConclusion
10. Configuring and Running Falco
Configuring FalcoDifferences Among Installation MethodsHost InstallationContainersKubernetes DeploymentsCommand-Line Options and Environment VariablesConfiguration SettingsInstrumentation Settings (Syscalls Only)Data Enrichment Settings (Syscalls Only)Ruleset SettingsOutput SettingsOther Settings for Debugging and TroubleshootingConfiguration FileRulesetLoading Rules FilesTuning the RulesetUsing PluginsChanging the ConfigurationConclusion
11. Using Falco for Cloud Security
Why Falco for AWS Security?Falco’s Architecture and AWS SecurityDetection ExamplesConfiguring and Running Falco for CloudTrail SecurityReceiving Log Files Through an SQS QueueReading Events from an S3 Bucket or the Local FilesystemExtending Falco’s AWS RulesetWhat About Other Clouds?Conclusion
12. Consuming Falco Events
Working with Falco Outputsfalco-exporterFalcosidekickObservability and AnalysisGetting NotifiedResponding to ThreatsConclusion
IV. Extending Falco
13. Writing Falco Rules
Customizing the Default Falco RulesWriting New Falco RulesOur Rule Development MethodThings to Keep in Mind When Writing RulesPrioritiesNoisePerformanceTaggingConclusion
14. Falco Development
Working with the CodebaseThe falcosecurity/falco RepositoryThe falcosecurity/libs RepositoryBuilding Falco from SourceExtending Falco Using the gRPC APIExtending Falco with PluginsPreparing a Plugin in GoPlugin State and InitializationAdding Event Sourcing CapabilityAdding Field Extraction CapabilityFinalizing the PluginBuilding a Plugin Written in GoUsing Plugins While DevelopingConclusion
15. How to Contribute
What Does It Mean to Contribute to Falco?Where Should I Start?Contributing to Falcosecurity ProjectsIssuesPull RequestsConclusion
Index
About the Authors

Content preview from Practical Cloud Native Security with Falco

Chapter 2. Getting Started with Falco on Your Local Machine

Now that you’re acquainted with the possibilities that Falco offers, what better way to familiarize yourself with it than to try it? In this chapter, you will discover how easy it is to install and run Falco on a local machine. We’ll walk you through the process step-by-step, introducing and analyzing the core concepts and functions. We will generate an event that Falco will detect for us by simulating a malicious action, and show you how to read Falco’s notification output. We’ll finish the chapter by presenting some manageable approaches to customizing your installation.

Running Falco on Your Local Machine

Although Falco is not a typical application, installing and running it on a local machine is quite simple—all you need is a Linux host or a virtual machine and a terminal. There are two components to install: the user space program (named falco) and a driver. The driver is needed to collect system calls, which are one possible data source for Falco. For simplicity, we will focus only on system call capture in this chapter.

Note

You will learn more about the available drivers and why we need them to instrument the system in Chapter 3 and explore alternative data sources in Chapter 4. For the moment, you only need to know that the default driver, which is implemented as a Linux kernel module, is enough to collect system calls and start using Falco.

Several methods are available to install these components, as you ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Cloud Native DevOps with Kubernetes, 2nd Edition

Publisher Resources

ISBN: 9781098118563Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design