Chapter 2

Exploring Container Security Tools

Falco

Falco is a cloud-native runtime security tool, developed by Sysdig Inc. It can be used to detect and alert on anomalous behavior in applications. It can also be used to detect known vulnerabilities in container images. Falco uses eBPF to monitor system calls, and is able to detect malicious behavior in real-time.

eBPF is a Linux kernel technology that allows running user-defined programs in the kernel. It's used by Falco to monitor system calls, and is also used by other tools like Cilium and Tracee.

Install Falco

Installing Falco is trickier than the other tools, because it requires a Linux kernel that supports eBPF. If your host is a Linux machine, you can install Falco directly on it. We will use it with Docker here, but it won't work with Docker Desktop on Mac or Windows; on those machines, you should create a virtual machine with a Linux kernel that supports eBPF.

  • You can create the virtual machine either with VirtualBox or with Vagrant, which is a wrapper around VirtualBox. Vagrant creates a virtual machine from a Vagrantfile, a text file that contains the configuration of the virtual machine. In this sense, Vagrant is similar to Docker.
  • If you are on a Mac with Apple Silicon, you can use Lima to create a virtual machine. Lima is a lightweight virtual machine manager for Apple Silicon and is a wrapper around Hypervisor.

After creating the virtual machine with a recent Linux on it, you can run Falco there in any of the following ways:

  • Natively on the host,
  • Inside a Docker container,
  • Inside a Kubernetes cluster.

For the rest of the chapter, I will assume that you are on a Linux machine (either a host or a virtual machine) with a recent Linux kernel that supports eBPF. For more information, please refer to the official documentation.

Run Falco in a Docker Container

To run Falco in a Docker container, you can use the following command:

$ sudo docker run --rm -i -t --name falco --privileged \
    -v /var/run/docker.sock:/host/var/run/docker.sock \
    -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro \
    -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro \
    falcosecurity/falco:0.40.0

The command runs a Docker container in privileged mode. The container has access to almost all the host's resources, including:

  • /var/run/docker.sock: The Docker socket,
  • /dev: The host's device files,
  • /proc: The host's process information,
  • /boot: The boot files,
  • /lib/modules: The kernel modules,
  • /usr: The user files,
  • /etc: The configuration files.

So it's essentially the same as running Falco natively—just more convenient. After running this command, Falco starts with a pre-configured set of rules, and starts monitoring the host for suspicious activity.

Trigger Falco Alerts

To trigger Falco, let's access a file in the /etc directory:

$ sudo cat /etc/shadow

Now check the Falco logs to see the alert:

Warning Sensitive file opened for reading by non-trusted program
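The alert above comes from one of Falco's shipped rules; rules are plain YAML built from syscall event fields. As an added example (not from this chapter or from Falco's default ruleset), here is a custom rule that detects the same event with an explicit allow-list of programs that are expected to read the shadow file; the list contents and the file name custom_rules.yaml are assumptions for illustration.

```yaml
# Added example rule, not part of the chapter or of Falco's default rules.
# Save as custom_rules.yaml and mount it at /etc/falco/rules.d/custom_rules.yaml.

# Programs that legitimately read /etc/shadow; the list is an assumption,
# adjust it to the hosts you actually run.
- list: shadow_trusted_programs
  items: [sshd, login, su, sudo, passwd, chpasswd, unix_chkpwd]

# An open-family syscall that yields a readable descriptor on /etc/shadow.
- macro: open_shadow_for_read
  condition: >
    evt.type in (open,openat,openat2) and evt.is_open_read=true
    and fd.name=/etc/shadow

- rule: Shadow file read by untrusted program
  desc: >
    A process that is not on the trusted list opened /etc/shadow for reading.
    Fires both on the host (container.name is "host") and inside containers.
  condition: >
    open_shadow_for_read
    and not proc.name in (shadow_trusted_programs)
  output: >
    Shadow file opened for reading by untrusted program
    (user=%user.name command=%proc.cmdline parent=%proc.pname
    container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [filesystem, credentials, custom]
```

Add `-v $(pwd)/custom_rules.yaml:/etc/falco/rules.d/custom_rules.yaml:ro` to the docker run command above (the default falco.yaml loads the rules.d directory) and repeat the cat to see this rule fire alongside the built-in one.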

Trigger Falco Alerts in Kubernetes

To trigger Falco alerts in Kubernetes, you need to install Falco on a Kubernetes cluster. You can use the Helm package manager to install Falco on Kubernetes. First, add the Falco Helm repository:

$ helm repo add falcosecurity https://falcosecurity.github.io/charts
$ helm repo update

Then, install Falco on the Kubernetes cluster:

$ helm install --replace falco --namespace falco \
  --create-namespace --set tty=true falcosecurity/falco

To trigger Falco alerts, let's create a simple pod on the Kubernetes cluster that sleeps forever.

$ kubectl run alpine --image alpine -- sh -c "sleep infinity"

Return to the terminal prompt, and run the following command to execute a shell command in the container:

$ kubectl exec -it alpine -- sh -c "uptime"

You can check the Falco logs to see the alert:

$ kubectl logs -l app.kubernetes.io/name=falco -n falco -c falco | grep Notice

The output of the command will be similar to the following:

Notice A shell was spawned in a container with an attached terminal

You can, for example, install Falcosidekick to forward the alerts to a Slack channel or a webhook.

Exercises

  1. Create a virtual machine with the latest Ubuntu installed on it.
  2. Run Falco in a Docker container on the virtual machine, and try to trigger it.
  3. Install a K3s Kubernetes cluster on the virtual machine.
  4. Try to trigger Falco alerts in the Kubernetes cluster, by accessing a file in the /etc directory:
    kubectl exec -it alpine -- sh -c "cat /etc/shadow"