book

Practical Cloud Native Security with Falco

by Loris Degioanni, Leonardo Grasso

August 2022

Intermediate to advanced

224 pages

5h 38m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Who Is This Book For?OverviewPart I: The BasicsPart II: The Architecture of FalcoPart III: Running Falco in ProductionPart IV: Extending FalcoConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgmentsLeonardoLoris
I. The Basics
1. Introducing Falco
Falco in a NutshellSensorsData SourcesRulesData EnrichmentOutput ChannelsContainers and MoreFalco’s Design PrinciplesSpecialized for RuntimeSuitable for ProductionIntent-Free InstrumentationOptimized to Run at the EdgeAvoids Moving and Storing a Ton of DataScalableTruthfulRobust Defaults, Richly ExtensibleSimpleWhat You Can Do with FalcoWhat You Cannot Do with FalcoBackground and HistoryNetwork Packets: BPF, libpcap, tcpdump, and WiresharkSnort and Packet-Based Runtime SecurityThe Network Packets CrisisSystem Calls as a Data Source: sysdigFalco
2. Getting Started with Falco on Your Local Machine
Running Falco on Your Local MachineDownloading and Installing the Binary PackageInstalling the DriverStarting FalcoGenerating EventsInterpreting Falco’s OutputCustomizing Your Falco InstanceRules FilesOutput ChannelsConclusion
II. The Architecture of Falco
3. Understanding Falco’s Architecture
Falco and the Falco Libraries: A Data-Flow ViewDriversPluginslibscapManaging Data SourcesSupporting Trace FilesCollecting System StatelibsinspState EngineEvent ParsingFilteringOutput FormattingOne More Thing About libsinspRule EngineConclusion
4. Data Sources
System CallsExamplesObserving System CallsCapturing System CallsAccuracyPerformanceScalabilitySo What About Stability and Security?Kernel-Level Instrumentation ApproachesThe Falco DriversWhich Driver Should You Use?Capturing System Calls Within ContainersRunning the Falco DriversKernel ModuleeBPF ProbeUsing Falco in Environments Where Kernel Access Is Not Available: pdigRunning Falco with pdigFalco PluginsPlugin Architecture ConceptsHow Falco Uses PluginsConclusion
5. Data Enrichment
Understanding Data Enrichment for SyscallsOperating System MetadataContainer MetadataKubernetes MetadataData Enrichment with PluginsConclusion
6. Fields and Filters
What Is a Filter?Filtering Syntax ReferenceRelational OperatorsLogical OperatorsStrings and QuotingFieldsArgument Fields Versus Enrichment FieldsMandatory Fields Versus Optional FieldsField TypesUsing Fields and FiltersFields and Filters in FalcoFields and Filters in sysdigFalco’s Most Useful FieldsGeneralProcessesFile DescriptorsUsers and GroupsContainersKubernetesCloudTrailKubernetes Audit LogsConclusion
7. Falco Rules
Introducing Falco Rules FilesAnatomy of a Falco Rules FileRulesMacrosListsRule TaggingDeclaring the Expected Engine VersionReplacing, Appending to, and Disabling RulesReplacing Macros, Lists, and RulesAppending to Macros, Lists, and RulesDisabling RulesConclusion

8. The Output Framework
Falco’s Output ArchitectureOutput FormattingOutput ChannelsStandard OutputSyslog OutputFile OutputProgram OutputHTTP OutputgRPC OutputOther Logging OptionsConclusion
III. Running Falco in Production
9. Installing Falco
Choosing Your SetupInstalling Directly on the HostUsing a Package ManagerWithout Using a Package ManagerManaging the DriverRunning Falco in a ContainerSyscall Instrumentation ScenarioPlugin ScenarioDeploying to a Kubernetes ClusterUsing HelmUsing ManifestsConclusion
10. Configuring and Running Falco
Configuring FalcoDifferences Among Installation MethodsHost InstallationContainersKubernetes DeploymentsCommand-Line Options and Environment VariablesConfiguration SettingsInstrumentation Settings (Syscalls Only)Data Enrichment Settings (Syscalls Only)Ruleset SettingsOutput SettingsOther Settings for Debugging and TroubleshootingConfiguration FileRulesetLoading Rules FilesTuning the RulesetUsing PluginsChanging the ConfigurationConclusion
11. Using Falco for Cloud Security
Why Falco for AWS Security?Falco’s Architecture and AWS SecurityDetection ExamplesConfiguring and Running Falco for CloudTrail SecurityReceiving Log Files Through an SQS QueueReading Events from an S3 Bucket or the Local FilesystemExtending Falco’s AWS RulesetWhat About Other Clouds?Conclusion
12. Consuming Falco Events
Working with Falco Outputsfalco-exporterFalcosidekickObservability and AnalysisGetting NotifiedResponding to ThreatsConclusion
IV. Extending Falco
13. Writing Falco Rules
Customizing the Default Falco RulesWriting New Falco RulesOur Rule Development MethodThings to Keep in Mind When Writing RulesPrioritiesNoisePerformanceTaggingConclusion
14. Falco Development
Working with the CodebaseThe falcosecurity/falco RepositoryThe falcosecurity/libs RepositoryBuilding Falco from SourceExtending Falco Using the gRPC APIExtending Falco with PluginsPreparing a Plugin in GoPlugin State and InitializationAdding Event Sourcing CapabilityAdding Field Extraction CapabilityFinalizing the PluginBuilding a Plugin Written in GoUsing Plugins While DevelopingConclusion
15. How to Contribute
What Does It Mean to Contribute to Falco?Where Should I Start?Contributing to Falcosecurity ProjectsIssuesPull RequestsConclusion
Index
About the Authors

Content preview from Practical Cloud Native Security with Falco

Chapter 5. Data Enrichment

Falco’s architecture allows you to capture events from different data sources, as you’ve learned. This process delivers raw data, which can be very rich but isn’t very useful for runtime security unless paired with the right context. That’s why Falco first extracts and then enriches the raw data with contextual information, so that the rule author can comfortably use it. Typically, we refer to this information as the event metadata. Getting metadata can be a complex task, and getting it efficiently is even more complex.

You’ve already seen that the system-state collection capabilities in libscap and the state engine implemented by libsinsp (discussed in Chapter 3) are central to this activity, but there’s much more to discover. In this chapter, we’ll delve into the design aspects of the Falco stack to help you better understand how data enrichment works. In particular, we will show you libsinsp’s efficient layered approach to obtaining system, container, and Kubernetes metadata for system call (syscall) events. This is what enables you to access the information you need relating to different contexts (depending on your use case), such as a container’s ID or the name of a Pod where a suspicious event occurred. Finally, we’ll show you how plugins, Falco’s other main data source, can implement their own data enrichment mechanisms, opening up infinite possibilities.

Understanding Data Enrichment for Syscalls

Understanding how data enrichment works will ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Cloud Native DevOps with Kubernetes, 2nd Edition

Publisher Resources

ISBN: 9781098118563Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Practical Cloud Native Security with Falco

by Loris Degioanni, Leonardo Grasso

Chapter 5. Data Enrichment

Understanding Data Enrichment for Syscalls

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.