book

Practical Cloud Native Security with Falco

by Loris Degioanni, Leonardo Grasso

August 2022

Intermediate to advanced

224 pages

5h 38m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Who Is This Book For?OverviewPart I: The BasicsPart II: The Architecture of FalcoPart III: Running Falco in ProductionPart IV: Extending FalcoConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgmentsLeonardoLoris
I. The Basics
1. Introducing Falco
Falco in a NutshellSensorsData SourcesRulesData EnrichmentOutput ChannelsContainers and MoreFalco’s Design PrinciplesSpecialized for RuntimeSuitable for ProductionIntent-Free InstrumentationOptimized to Run at the EdgeAvoids Moving and Storing a Ton of DataScalableTruthfulRobust Defaults, Richly ExtensibleSimpleWhat You Can Do with FalcoWhat You Cannot Do with FalcoBackground and HistoryNetwork Packets: BPF, libpcap, tcpdump, and WiresharkSnort and Packet-Based Runtime SecurityThe Network Packets CrisisSystem Calls as a Data Source: sysdigFalco
2. Getting Started with Falco on Your Local Machine
Running Falco on Your Local MachineDownloading and Installing the Binary PackageInstalling the DriverStarting FalcoGenerating EventsInterpreting Falco’s OutputCustomizing Your Falco InstanceRules FilesOutput ChannelsConclusion
II. The Architecture of Falco
3. Understanding Falco’s Architecture
Falco and the Falco Libraries: A Data-Flow ViewDriversPluginslibscapManaging Data SourcesSupporting Trace FilesCollecting System StatelibsinspState EngineEvent ParsingFilteringOutput FormattingOne More Thing About libsinspRule EngineConclusion
4. Data Sources
System CallsExamplesObserving System CallsCapturing System CallsAccuracyPerformanceScalabilitySo What About Stability and Security?Kernel-Level Instrumentation ApproachesThe Falco DriversWhich Driver Should You Use?Capturing System Calls Within ContainersRunning the Falco DriversKernel ModuleeBPF ProbeUsing Falco in Environments Where Kernel Access Is Not Available: pdigRunning Falco with pdigFalco PluginsPlugin Architecture ConceptsHow Falco Uses PluginsConclusion
5. Data Enrichment
Understanding Data Enrichment for SyscallsOperating System MetadataContainer MetadataKubernetes MetadataData Enrichment with PluginsConclusion
6. Fields and Filters
What Is a Filter?Filtering Syntax ReferenceRelational OperatorsLogical OperatorsStrings and QuotingFieldsArgument Fields Versus Enrichment FieldsMandatory Fields Versus Optional FieldsField TypesUsing Fields and FiltersFields and Filters in FalcoFields and Filters in sysdigFalco’s Most Useful FieldsGeneralProcessesFile DescriptorsUsers and GroupsContainersKubernetesCloudTrailKubernetes Audit LogsConclusion
7. Falco Rules
Introducing Falco Rules FilesAnatomy of a Falco Rules FileRulesMacrosListsRule TaggingDeclaring the Expected Engine VersionReplacing, Appending to, and Disabling RulesReplacing Macros, Lists, and RulesAppending to Macros, Lists, and RulesDisabling RulesConclusion

8. The Output Framework
Falco’s Output ArchitectureOutput FormattingOutput ChannelsStandard OutputSyslog OutputFile OutputProgram OutputHTTP OutputgRPC OutputOther Logging OptionsConclusion
III. Running Falco in Production
9. Installing Falco
Choosing Your SetupInstalling Directly on the HostUsing a Package ManagerWithout Using a Package ManagerManaging the DriverRunning Falco in a ContainerSyscall Instrumentation ScenarioPlugin ScenarioDeploying to a Kubernetes ClusterUsing HelmUsing ManifestsConclusion
10. Configuring and Running Falco
Configuring FalcoDifferences Among Installation MethodsHost InstallationContainersKubernetes DeploymentsCommand-Line Options and Environment VariablesConfiguration SettingsInstrumentation Settings (Syscalls Only)Data Enrichment Settings (Syscalls Only)Ruleset SettingsOutput SettingsOther Settings for Debugging and TroubleshootingConfiguration FileRulesetLoading Rules FilesTuning the RulesetUsing PluginsChanging the ConfigurationConclusion
11. Using Falco for Cloud Security
Why Falco for AWS Security?Falco’s Architecture and AWS SecurityDetection ExamplesConfiguring and Running Falco for CloudTrail SecurityReceiving Log Files Through an SQS QueueReading Events from an S3 Bucket or the Local FilesystemExtending Falco’s AWS RulesetWhat About Other Clouds?Conclusion
12. Consuming Falco Events
Working with Falco Outputsfalco-exporterFalcosidekickObservability and AnalysisGetting NotifiedResponding to ThreatsConclusion
IV. Extending Falco
13. Writing Falco Rules
Customizing the Default Falco RulesWriting New Falco RulesOur Rule Development MethodThings to Keep in Mind When Writing RulesPrioritiesNoisePerformanceTaggingConclusion
14. Falco Development
Working with the CodebaseThe falcosecurity/falco RepositoryThe falcosecurity/libs RepositoryBuilding Falco from SourceExtending Falco Using the gRPC APIExtending Falco with PluginsPreparing a Plugin in GoPlugin State and InitializationAdding Event Sourcing CapabilityAdding Field Extraction CapabilityFinalizing the PluginBuilding a Plugin Written in GoUsing Plugins While DevelopingConclusion
15. How to Contribute
What Does It Mean to Contribute to Falco?Where Should I Start?Contributing to Falcosecurity ProjectsIssuesPull RequestsConclusion
Index
About the Authors

Content preview from Practical Cloud Native Security with Falco

Chapter 12. Consuming Falco Events

At this point, you’ve learned how to run and configure Falco. You understand how Falco can be used for runtime and cloud security and how it can detect a vast spectrum of threats. Now, it’s time to focus on what you can do with Falco’s detections. Consuming Falco’s output is the final piece of the puzzle and the subject of this chapter.

Alerts generated by Falco are helpful for observing and securing your production system, and we will give you some advice on how to use those alerts proficiently. The first part of the chapter is about tools that help you consume Falco’s outputs effectively. We will teach you how to get notified immediately when Falco detects a security threat, so your security team can react as soon as possible and take appropriate countermeasures. Finally, we’ll show you a mechanism for automatically responding to threats to speed up response times.

Working with Falco Outputs

A minimal Falco installation outputs a simple textual log that you can store for later consultation, but this is not very useful. Fortunately, more intelligent tools allow you to work with Falco’s outputs and expand its possibilities, and these are an important part of integrating Falco into your ecosystem.

This section will talk in detail about two tools that we have already mentioned in the book. The first, falco-exporter, is a tool designed to do one thing and do it well: produce metrics from Falco’s detected events. The second, Falcosidekick, is the ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Cloud Native DevOps with Kubernetes, 2nd Edition

Publisher Resources

ISBN: 9781098118563Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Practical Cloud Native Security with Falco

by Loris Degioanni, Leonardo Grasso

Chapter 12. Consuming Falco Events

Working with Falco Outputs

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.