Motivation:
I was looking into implementing runtime security on a Kubernetes cluster (GKE platform in this case) and landed upon a really interesting tool called Falco, which is a CNCF Graduated project.
What is Falco?
It's a rule-based runtime security engine that uses eBPF technology to detect runtime anomalies and alert on them.
Falco comes with more than 80 rules out of the box but also allows custom rules to be created.
The rules are designed and updated regularly by the community.
It also provides a forwarder tool called Falcosidekick, which can send the detected and evaluated events/anomalies in parallel to multiple well-known platforms for inspection and alerting purposes (for example a SIEM platform such as Splunk, or a logging platform such as Loki).
The out-of-the-box rules are designed to map to the MITRE ATT&CK framework.
Falco can be used as a companion to achieve a few of the sub-controls of PCI DSS compliance.
High Level Diagram:
The diagram above can be summarized as follows:
When deployed on a Kubernetes cluster, Falco installs an eBPF probe or a kernel module (depending on the kernel version) in kernel space.
Any communication by Kubernetes application workloads goes through the kernel; once Falco is installed, the eBPF probe captures the syscalls, thus tracking any kernel-level activity.
Probed events are passed through a ring buffer to user space, where the Falco rule engine evaluates each raw event against the loaded rules.
Events that match a rule are emitted as alerts and sent to Falcosidekick.
Falcosidekick, according to the routing it has been configured with, forwards the events to a long-term event storage engine (Loki).
To visualize the received events and build runtime security dashboards, the open-source tool Grafana can be used.
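As an added example (not from the original post or the Falco project), the two pieces of configuration that the pipeline above relies on: a small custom rule file that flags an interactive shell started inside a pod, and the Falcosidekick fragment that routes the resulting alerts to Loki. The list/macro/rule names, the Loki service address and the minimum priority are assumptions for illustration.

```yaml
# --- custom_rules.yaml: loaded by Falco next to the community rule set ---
# Assumed names; the macros are defined here so the file stands on its own
# instead of depending on macros from the default rules.
- list: custom_shell_binaries
  items: [bash, sh, zsh, dash, ash]

- macro: custom_spawned_process
  # execve/execveat exit events: the new process image is in place
  condition: evt.type in (execve, execveat) and evt.dir = <

- macro: custom_in_container
  # container.id is "host" for processes outside any container
  condition: container.id != host

- rule: Shell Spawned In GKE Pod
  desc: An interactive shell binary was executed inside a container
  condition: >
    custom_spawned_process and custom_in_container
    and proc.name in (custom_shell_binaries)
  output: >
    Shell spawned in container
    (user=%user.name command=%proc.cmdline container=%container.name
    image=%container.image.repository ns=%k8s.ns.name pod=%k8s.pod.name)
  priority: WARNING
  # tags let the alert be grouped by MITRE ATT&CK tactic/technique in Grafana
  tags: [container, shell, mitre_execution, T1059]

# --- falcosidekick config.yaml (Loki section only) ---
# Falco must be started with json_output: true and
# http_output: {enabled: true, url: "http://falcosidekick:2801/"} in falco.yaml
# so that alerts reach Falcosidekick over HTTP.
loki:
  hostport: "http://loki.monitoring.svc:3100"   # assumed Loki service address
  endpoint: "/loki/api/v1/push"
  minimumpriority: "warning"                    # drop notice/info/debug alerts
```

Rule fields that are not evaluated (for example when Falco's Kubernetes metadata enrichment is disabled) render as `<NA>` in the output, so check the first alerts in Loki before building dashboards on `k8s.ns.name` and `k8s.pod.name`.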