Adding Custom Rules to Falco
Before attacking the web application we will add a few custom rules to Falco. These rules will be explained shortly:
helm upgrade falco stable/falco -f custom_rules.yaml
The Falco pod has to be created anew, so wait until it reaches Running state:
kubectl get po
SQL Injection attack
It turns out our web application is faulty and susceptible to SQL injection attacks:

kubectl exec client -n ping -- curl -F "s=OK" -F "user=bad" -F "passwd=wrongpasswd' OR 'a'='a" -F "ipaddr=localhost" -X POST http://ping/ping.php
An attacker can bypass the authentication mechanism and use the application without knowing the password!
Not only that: the ipaddr value is also interpolated into a shell command, so arbitrary commands can be chained after it:

kubectl exec client -n ping -- curl -F "s=OK" -F "user=bad" -F "passwd=wrongpasswd' OR 'a'='a" -F "ipaddr=localhost; ps aux" -X POST http://ping/ping.php
The attacker could easily get the source code for our ping app, which contains the database credentials:
kubectl exec client -n ping -- curl -F "s=OK" -F "user=bad" -F "passwd=wrongpasswd' OR 'a'='a" -F "ipaddr=localhost; cat /var/www/html/ping.php" -X POST http://ping/ping.php
Detection with Falco
Falco helps us detect this kind of attack thanks to this custom rule:
- rule: Unauthorized process
  desc: There is a running process not described in the base template
  condition: spawned_process and container and k8s.ns.name=ping and k8s.deployment.name=ping and not proc.name in (apache2, sh, ping)
  output: Unauthorized process (%proc.cmdline) running in (%container.id)
  priority: ERROR
  tags: [process]
In the rule condition, you already know spawned_process, container and proc.name from our previous scenario. The allow list (apache2, sh, ping) describes the processes the app legitimately runs; because sh is on it, the injected shell itself does not trigger the rule, but the processes it launches (ps, cat) do.
Notice how this time we make use of Kubernetes metadata:
k8s.ns.name=ping and k8s.deployment.name=ping
You can find all the available fields in the documentation.
Take a look at the logs generated by Falco:
kubectl logs --selector app=falco | grep Error
You should see something like:
18:37.06.570052961: Error Unauthorized process (cat /var/www/html/ping.php) running in (f34f277537e4) k8s.ns=ping k8s.pod=ping-5dffbc654-qrr6m container=f34f277537e4
You could configure a custom programmatic output to send notifications to event and alerting systems in your organization.
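Whatever you forward alerts to, the first step is turning Falco's text output into structured fields. The following Python parser is an added example, not part of the tutorial or of Falco itself; it reads lines in the format shown above (the sample lines are constructed), peels off the Kubernetes metadata, recovers the command line from this rule's output template, and keeps only alerts of at least ERROR priority from the ping namespace.

```python
import re

# Falco's own priority levels, most to least severe.
PRIORITIES = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING",
              "NOTICE", "INFORMATIONAL", "DEBUG"]

# Output template of the custom rule above, so the command line and
# container id can be recovered from the message text.
UNAUTH_RE = re.compile(
    r"^Unauthorized process \((?P<cmdline>.*)\) running in \((?P<container>\w+)\)$")

def parse_alert(line):
    """Parse "<time>: <Priority> <rule output> key=value ..." into a dict (None if not an alert)."""
    time, sep, rest = line.strip().partition(": ")
    priority, _, message = rest.partition(" ")
    priority = priority.upper()
    if not sep or priority not in PRIORITIES:
        return None
    tokens = message.split(" ")
    meta = {}
    # Peel the Kubernetes metadata (key=value tokens) off the end of the line.
    while tokens and re.fullmatch(r"[\w.]+=\S+", tokens[-1]):
        key, _, value = tokens.pop().partition("=")
        meta[key] = value
    rec = {"time": time, "priority": priority, "message": " ".join(tokens), **meta}
    m = UNAUTH_RE.match(rec["message"])
    if m:
        rec.update(cmdline=m.group("cmdline"), container=m.group("container"))
    return rec

def select_alerts(lines, namespace="ping", min_priority="ERROR"):
    """Alerts at or above min_priority that Falco attributed to the given namespace."""
    cutoff = PRIORITIES.index(min_priority)
    recs = (parse_alert(line) for line in lines)
    return [r for r in recs
            if r and PRIORITIES.index(r["priority"]) <= cutoff and r.get("k8s.ns") == namespace]

# Constructed sample lines in the format shown above (not real captured output).
SAMPLE_LINES = [
    "18:37.06.570052961: Error Unauthorized process (cat /var/www/html/ping.php) running in "
    "(f34f277537e4) k8s.ns=ping k8s.pod=ping-5dffbc654-qrr6m container=f34f277537e4",
    "18:37.07.000000000: Error Unauthorized process (ps aux) running in "
    "(f34f277537e4) k8s.ns=ping k8s.pod=ping-5dffbc654-qrr6m container=f34f277537e4",
    "18:38.01.000000000: Notice A shell was spawned in a container "
    "k8s.ns=default k8s.pod=client container=0a1b2c3d4e5f",
]

if __name__ == "__main__":
    for rec in select_alerts(SAMPLE_LINES):
        print(rec["priority"], rec["k8s.pod"], rec["cmdline"])
```

Pipe `kubectl logs --selector app=falco` into it (or read Falco's file output) and hand the returned records to your notification hook.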