book

Practical Cloud Native Security with Falco

by Loris Degioanni, Leonardo Grasso

August 2022

Intermediate to advanced

224 pages

5h 38m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Who Is This Book For?OverviewPart I: The BasicsPart II: The Architecture of FalcoPart III: Running Falco in ProductionPart IV: Extending FalcoConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgmentsLeonardoLoris
I. The Basics
1. Introducing Falco
Falco in a NutshellSensorsData SourcesRulesData EnrichmentOutput ChannelsContainers and MoreFalco’s Design PrinciplesSpecialized for RuntimeSuitable for ProductionIntent-Free InstrumentationOptimized to Run at the EdgeAvoids Moving and Storing a Ton of DataScalableTruthfulRobust Defaults, Richly ExtensibleSimpleWhat You Can Do with FalcoWhat You Cannot Do with FalcoBackground and HistoryNetwork Packets: BPF, libpcap, tcpdump, and WiresharkSnort and Packet-Based Runtime SecurityThe Network Packets CrisisSystem Calls as a Data Source: sysdigFalco
2. Getting Started with Falco on Your Local Machine
Running Falco on Your Local MachineDownloading and Installing the Binary PackageInstalling the DriverStarting FalcoGenerating EventsInterpreting Falco’s OutputCustomizing Your Falco InstanceRules FilesOutput ChannelsConclusion
II. The Architecture of Falco
3. Understanding Falco’s Architecture
Falco and the Falco Libraries: A Data-Flow ViewDriversPluginslibscapManaging Data SourcesSupporting Trace FilesCollecting System StatelibsinspState EngineEvent ParsingFilteringOutput FormattingOne More Thing About libsinspRule EngineConclusion
4. Data Sources
System CallsExamplesObserving System CallsCapturing System CallsAccuracyPerformanceScalabilitySo What About Stability and Security?Kernel-Level Instrumentation ApproachesThe Falco DriversWhich Driver Should You Use?Capturing System Calls Within ContainersRunning the Falco DriversKernel ModuleeBPF ProbeUsing Falco in Environments Where Kernel Access Is Not Available: pdigRunning Falco with pdigFalco PluginsPlugin Architecture ConceptsHow Falco Uses PluginsConclusion
5. Data Enrichment
Understanding Data Enrichment for SyscallsOperating System MetadataContainer MetadataKubernetes MetadataData Enrichment with PluginsConclusion
6. Fields and Filters
What Is a Filter?Filtering Syntax ReferenceRelational OperatorsLogical OperatorsStrings and QuotingFieldsArgument Fields Versus Enrichment FieldsMandatory Fields Versus Optional FieldsField TypesUsing Fields and FiltersFields and Filters in FalcoFields and Filters in sysdigFalco’s Most Useful FieldsGeneralProcessesFile DescriptorsUsers and GroupsContainersKubernetesCloudTrailKubernetes Audit LogsConclusion
7. Falco Rules
Introducing Falco Rules FilesAnatomy of a Falco Rules FileRulesMacrosListsRule TaggingDeclaring the Expected Engine VersionReplacing, Appending to, and Disabling RulesReplacing Macros, Lists, and RulesAppending to Macros, Lists, and RulesDisabling RulesConclusion

8. The Output Framework
Falco’s Output ArchitectureOutput FormattingOutput ChannelsStandard OutputSyslog OutputFile OutputProgram OutputHTTP OutputgRPC OutputOther Logging OptionsConclusion
III. Running Falco in Production
9. Installing Falco
Choosing Your SetupInstalling Directly on the HostUsing a Package ManagerWithout Using a Package ManagerManaging the DriverRunning Falco in a ContainerSyscall Instrumentation ScenarioPlugin ScenarioDeploying to a Kubernetes ClusterUsing HelmUsing ManifestsConclusion
10. Configuring and Running Falco
Configuring FalcoDifferences Among Installation MethodsHost InstallationContainersKubernetes DeploymentsCommand-Line Options and Environment VariablesConfiguration SettingsInstrumentation Settings (Syscalls Only)Data Enrichment Settings (Syscalls Only)Ruleset SettingsOutput SettingsOther Settings for Debugging and TroubleshootingConfiguration FileRulesetLoading Rules FilesTuning the RulesetUsing PluginsChanging the ConfigurationConclusion
11. Using Falco for Cloud Security
Why Falco for AWS Security?Falco’s Architecture and AWS SecurityDetection ExamplesConfiguring and Running Falco for CloudTrail SecurityReceiving Log Files Through an SQS QueueReading Events from an S3 Bucket or the Local FilesystemExtending Falco’s AWS RulesetWhat About Other Clouds?Conclusion
12. Consuming Falco Events
Working with Falco Outputsfalco-exporterFalcosidekickObservability and AnalysisGetting NotifiedResponding to ThreatsConclusion
IV. Extending Falco
13. Writing Falco Rules
Customizing the Default Falco RulesWriting New Falco RulesOur Rule Development MethodThings to Keep in Mind When Writing RulesPrioritiesNoisePerformanceTaggingConclusion
14. Falco Development
Working with the CodebaseThe falcosecurity/falco RepositoryThe falcosecurity/libs RepositoryBuilding Falco from SourceExtending Falco Using the gRPC APIExtending Falco with PluginsPreparing a Plugin in GoPlugin State and InitializationAdding Event Sourcing CapabilityAdding Field Extraction CapabilityFinalizing the PluginBuilding a Plugin Written in GoUsing Plugins While DevelopingConclusion
15. How to Contribute
What Does It Mean to Contribute to Falco?Where Should I Start?Contributing to Falcosecurity ProjectsIssuesPull RequestsConclusion
Index
About the Authors

Content preview from Practical Cloud Native Security with Falco

Chapter 14. Falco Development

Extending Falco is the best way to ensure that it perfectly fits your unique requirements. This chapter will show you three approaches to Falco development. We’ll begin with an overview of Falco’s codebase and a quick guide to building Falco from the source, which allows you to work with Falco’s code directly. This first approach gives you more freedom but is more difficult and perhaps less convenient than the other two. The second approach lets you build an application that processes Falco notifications in the desired way by interfacing with the gRPC API. The third is the standard and easiest way of extending Falco: writing your own plugin.

For the last two approaches, we will teach you by using examples. We use the Go programming language in these code snippets, so some familiarity with it will be helpful, but it’s not strictly required. This chapter also assumes that you have read Part II of this book. If you are concerned that this material may be too difficult, don’t be scared: we think you’ll find it understandable and interesting even if you are not a developer.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Cloud Native DevOps with Kubernetes, 2nd Edition

Publisher Resources

ISBN: 9781098118563Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Practical Cloud Native Security with Falco

by Loris Degioanni, Leonardo Grasso

Chapter 14. Falco Development

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.