The rise of internet applications has gone hand in hand with strong cybersecurity software that has kept the war against spam, attacks and other unscrupulous behaviour ongoing and effective. Security is an important pillar of modern internet applications and, as users will realize, is treated as a major component on the same footing as development and deployment.
One of the best cloud native applications participating in this fight against cybersecurity threats and attacks is Falco. Accepted into the Cloud Native Computing Foundation (CNCF) as its first runtime security project, at incubation level, it was created by Sysdig in 2016. Falco's primary strength lies in tracking and detecting unexpected behaviour in applications, alerting users and responding with appropriate mitigation measures.
Kubernetes security only grows more complex as Kubernetes is adopted throughout the internet. Security measures for such applications can be grouped under the preventive or detective categories. One of the bigger reasons for this complexity is the presence of multiple moving layers in a cloud native stack, which results in operators neglecting security early on during development.
Another reason may be the lack of security by default in some distributions of Kubernetes, contrary to what operators assume. Falco shines in resolving these issues by detecting and alerting on any behaviour that makes Linux system calls. This system of alerting rules is built on Sysdig's filtering expressions, which match potentially suspicious activity. Users can write alerts for specific system calls, for the arguments of those calls, and for properties of the calling process.
This makes it possible to detect events such as a shell being spawned inside a container, a container being run in privileged mode, or a process reading sensitive files. Falco can also forward its alerts to channels, platforms and tools such as Slack, Fluentd, and NATS.
Falco also provides intrusion and anomaly detection for platforms and brings cutting edge solutions that bridge the defense gap left in Kubernetes clusters. Some of its larger applications include monitoring events directly in clusters, including:
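The alert forwarding described above is configured in Falco's main configuration file, falco.yaml. The fragment below is an added example, not taken from the page or from Falco's shipped defaults: it turns on JSON output so that downstream tools can parse alerts, keeps alerts on stdout for the pod logs, and additionally posts every alert to an HTTP endpoint. The endpoint URL is an assumption; it points at Falcosidekick, a separate Falco-ecosystem forwarder (not mentioned on the page) that fans alerts out to Slack, NATS, Fluentd and similar targets.

```yaml
# Added example falco.yaml fragment; the http_output url is an assumed
# in-cluster Falcosidekick service, not a value from the page.

# Emit each alert as one JSON object (easier for forwarders to parse)
json_output: true
# Include the human-readable "output" string inside the JSON as well
json_include_output_property: true

# Minimum rule priority that produces an alert (debug = everything)
priority: debug

# Keep alerts in the container logs so `kubectl logs` still shows them
stdout_output:
  enabled: true

# Also POST every alert to a forwarder that relays to Slack / NATS / Fluentd
http_output:
  enabled: true
  url: "http://falcosidekick:2801/"   # assumed service name and port
```

With this in place a single Falco rule hit produces both a log line and an HTTP POST; which chat or messaging channel it finally lands in is decided in the forwarder's own configuration, not in Falco.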
- Outgoing connections to specific IPs or domains.
- Instances or events that use or mutate sensitive files such as /etc/passwd.
- Events where system binary files are executed such as su.
- Occurrences where file access privileges are escalated or changed to the namespace.
- Major modifications in certain folders such as /sbin.
Falco uses open source Linux kernel instrumentation to monitor the stream of system calls that applications and operations generate through the kernel. Because the Falco engine itself runs in user space, it can enrich the data it tracks from that stream with other inputs such as container runtime and Kubernetes metadata.
In the following example, we can see how Falco applies a filtering expression to each system call, thereby monitoring the attempts and changes that occur in the kernel:

```yaml
- rule: shell_in_container
  desc: notice shell activity within a container
  condition: container.id != host and proc.name = bash
  output: shell in a container (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
```

Falco also supports macros, which hold reusable condition snippets for file access and other monitoring. Users declare an expression once as a macro and then reference it by name inside the conditions of as many rules as required. Lists are another supported syntax element: a named list of values (binaries, file paths, addresses) that rules and macros can match against.
Falco is a mammoth of the industry that has proved its merits in defending kernel-level workloads across many industries. It's no surprise that it's one of the favored choices for defending and monitoring crypto-applications online, along with financial exchange networks and identity logs for user protection. The community has, over time, given the platform an edge by improving on compatibility issues and plugins for newer systems. It recently added gRPC support and even released lightweight versions that can run on the most complex of systems. This has given Falco an almost 'plug and play' feel, where users simply need to run a few commands to start it against their current kernel and let the system do its work.
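The following rules file is an added example, not Falco's shipped falco_rules.yaml, and it goes beyond the single rule above by combining the three syntax elements just described (lists, macros, rules) to cover the event categories listed earlier on this page: outbound connections to watched addresses, writes to sensitive files, execution of su, and modifications under /sbin. All list, macro and rule names are my own; the IP addresses in watched_ips are constructed placeholders. The field names (evt.type, evt.dir, proc.name, fd.name, fd.directory, fd.sip, fd.typechar, evt.is_open_write, container.id) are standard Falco filter fields.

```yaml
# Added example Falco rules file. Names are illustrative; the addresses in
# watched_ips are constructed placeholders, not real indicators.

# --- lists: values that several rules share -------------------------------
- list: shell_binaries
  items: [bash, sh, zsh, dash]

- list: sensitive_files
  items: [/etc/passwd, /etc/shadow, /etc/sudoers]

- list: watched_ips
  items: ["198.51.100.23", "203.0.113.7"]   # placeholder addresses (RFC 5737)

# --- macros: condition snippets referenced by name in rules ---------------
- macro: container
  condition: container.id != host

- macro: spawned_process
  # execve return (evt.dir = <) so proc.* fields describe the new image
  condition: evt.type = execve and evt.dir = <

- macro: open_write
  # open/openat of a regular file with a write flag
  condition: evt.type in (open, openat) and evt.is_open_write = true and fd.typechar = 'f'

- macro: outbound_ipv4
  # completed connect() on an IPv4 socket
  condition: evt.type = connect and evt.dir = < and fd.typechar = 4

# --- rules: one per event category ----------------------------------------
- rule: Shell Spawned in Container
  desc: A shell listed in shell_binaries was executed inside a container
  condition: spawned_process and container and proc.name in (shell_binaries)
  output: >
    Shell in container (user=%user.name container=%container.name
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell]

- rule: Sensitive File Opened for Writing
  desc: A process opened a file from sensitive_files with write access
  condition: open_write and fd.name in (sensitive_files)
  output: >
    Sensitive file written (user=%user.name file=%fd.name proc=%proc.name
    cmdline=%proc.cmdline container=%container.name)
  priority: ERROR
  tags: [filesystem]

- rule: Privilege Switch Binary Executed
  desc: su or sudo was executed
  condition: spawned_process and proc.name in (su, sudo)
  output: >
    Privilege switch binary run (user=%user.name proc=%proc.name
    parent=%proc.pname cmdline=%proc.cmdline container=%container.name)
  priority: NOTICE
  tags: [privilege]

- rule: Write Under sbin
  desc: A file directly under /sbin was opened for writing
  condition: open_write and fd.directory = /sbin
  output: >
    Write under /sbin (user=%user.name file=%fd.name proc=%proc.name
    cmdline=%proc.cmdline container=%container.name)
  priority: ERROR
  tags: [filesystem, binaries]

- rule: Outbound Connection to Watched Address
  desc: A process connected to an address in watched_ips
  condition: outbound_ipv4 and fd.sip in (watched_ips)
  output: >
    Outbound connection to watched address (user=%user.name proc=%proc.name
    dest=%fd.sip:%fd.sport container=%container.name)
  priority: WARNING
  tags: [network]
```

Each rule's condition reads as plain English once the macros are in place, and changing what counts as a "shell" or a "sensitive file" means editing one list rather than every rule; in a cluster the file is typically mounted into the Falco pod and the rule names appear verbatim in the alerts it emits.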
Where Falco currently falters is in the same pitfalls that most microservice applications suffer from. For one, plugin support for heavier applications with on-time processing and anomaly detection is still some way off, though the community keeps working on it. Users have in the past also raised the potential for kernel manipulation, and response times against suspicious behaviour. All this may stick out like a sore thumb, but the open source nature also means that dealing with errors and issues through the community may not be as expedient as with paid applications.
Falco runs on Linux at its core and instruments the kernel. It uses its own drivers to track the system calls and operational changes made by applications. The purpose is to keep users well informed about any change that generates a system call, so they can respond in time before a serious attack takes effect.
Since containers on a host usually share one kernel, it is possible to monitor the system calls of all the containers created on or linked through that host. It is important to remind users that this cannot be fully realized on more isolated container hosts that do not share a kernel or that use different runtimes. This brings us to the major components to keep in mind when running Falco for the first time on a typical Kubernetes cluster:
Kernel module (the default)
This is the default driver: a kernel module compiled for the kernel of the host where Falco runs, which captures system calls so that Falco can monitor changes.
eBPF probe
An alternative driver suited to virtual servers and managed environments where loading a kernel module is not wanted. Users do not need to load the kernel module, but it requires a newer kernel that supports eBPF, and it is not supported on several currently managed services.
Userspace instrumentation
A driver built entirely in user space that gathers system-call events, metadata and other information without a kernel module or probe. This is where users interact with plugins and configure which nodes receive alerts for suspicious or strange behaviour.
A juggernaut of the industry that still has much to learn from the greats, Falco has benefits and accomplishments that should not be forgotten, especially within the context of the CNCF. It's a well celebrated defensive platform with a 'swiss army knife' collection of knick-knacks and gadgets for users to protect their applications against spam, malware, hackers and suspicious elements.
Some users may be put off by the sudden jump in the learning curve once they begin to master Falco, but the payoff is worth the struggle. As always, check out the community and look through the documentation to get a clearer understanding of how Falco can help you. Tune in again as we discuss more applications in future editions, and try the hands-on labs to play around with and learn Falco.