Difficulty: medium
Estimated Time: 20 minutes

Sysdig Falco is open source behavioral monitoring software designed to detect anomalous activity. Sysdig Falco works as an intrusion detection system on any Linux host. It also supports Kubernetes-specific context in its rules, such as k8s.deployment.name or the namespace (k8s.ns.name) a process is running in.

If you have not done it yet, it's a good idea to complete the Sysdig Falco: Container security monitoring scenario before this one.

In this lab you will learn the basics of Sysdig Falco and how to use it along with a Kubernetes cluster to detect anomalous behavior.

This scenario will cover the following security threats:

  • Unauthorized process
  • Write to a non-authorized directory
  • Processes opening unexpected connections to the Internet

You will play both the attacker and defender (sysadmin) roles, verifying that the intrusion attempt has been detected by Sysdig Falco, and then deploying playbooks that will be run automatically to respond to a threat.

Based on Sysdig Blog articles: https://sysdig.com/blog/.

In this course you experimented with the basics of Sysdig Falco and its operation on a Kubernetes cluster. You learned how to trigger alerts using Kubernetes-specific metadata.

This time we just used a simple file output, but you can also configure a custom programmatic output to send notifications to event and alerting systems in your organization.

We also set up a response engine that automatically responds to security threats by taking appropriate actions.

Eager to learn more? These are some recommended further steps:

Sysdig Falco: Forensics example


Step 1 - Install Falco on Kubernetes

We have already set up a Kubernetes cluster just for you, so you just have to make sure it is up and running by executing launch.sh

Once Kubernetes is ready, we join node01 to the cluster by running the script join.sh.

Then we can run kubectl get nodes on the master to see the nodes in the cluster and check they are ready.

We will install Falco using Helm, a package manager for Kubernetes. We can download and install Helm with these commands:

curl -Lo /tmp/helm-linux-amd64.tar.gz https://storage.googleapis.com/kubernetes-helm/helm-v2.13.1-linux-amd64.tar.gz
tar zxf /tmp/helm-linux-amd64.tar.gz -C /tmp/
chmod a+x /tmp/linux-amd64/helm
sudo mv /tmp/linux-amd64/helm /usr/local/bin
kubectl create -f helm-account.yaml
helm init --service-account tiller
helm repo update

We have also initialized Helm and installed Tiller (the Helm server-side component), and made sure our chart database is up-to-date. To learn more about Helm, please visit WordPress in Kubernetes: The Perfect Setup on our blog. Note that Helm 2 and Tiller are end-of-life and the stable chart repository has been deprecated; outside this lab, Falco's chart is published from the falcosecurity charts repository (https://falcosecurity.github.io/charts) and is installed with Helm 3, which needs no Tiller and no cluster-wide service account for it.

We can view the current status of our cluster using the command kubectl get pod -n kube-system

We can now deploy Sysdig Falco in a few seconds, as it only takes a simple command: helm install --name falco -f custom_rules.yaml stable/falco

The chart creates a DaemonSet, so a Falco Pod is deployed to each node and every running container on the cluster can be monitored for abnormal behavior. Check that the Pods are running with:

kubectl get pods
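The custom_rules.yaml file passed to helm install above is where the three threat classes from the introduction (unauthorized process, write to a non-authorized directory, unexpected outbound connection) are expressed as Falco rules with Kubernetes context, and where the simple file output is enabled. The lab's own file is not shown on this page; the values file below is an added example written for this page, not the lab's or the Falco project's code. The customRules and falco.fileOutput keys follow the stable/falco chart's values, while the target deployment ("nginx" in namespace "default"), the allowed process, directory and network lists, and the lab_* macro names are assumptions made for the illustration. The macros are deliberately named with a lab_ prefix so they do not override the container, spawned_process, open_write and outbound macros that the default falco_rules.yaml already provides.

```yaml
# custom_rules.yaml -- Helm values for the stable/falco chart (added example).
# Assumed for this illustration: an "nginx" Deployment in namespace "default",
# the allowed lists below, and the lab_* macro names.
falco:
  jsonOutput: true                      # one JSON event per line; easy to forward later
  fileOutput:
    enabled: true
    filename: /var/log/falco_events.txt # the "simple file output" used in this lab

customRules:
  rules-k8s-lab.yaml: |-
    # Helpers shared by the three rules. Prefixed lab_ so they do not
    # replace the macros of the same purpose in the default rule set.
    - macro: lab_in_container
      condition: container.id != host

    - macro: lab_nginx_pod
      condition: k8s.ns.name = "default" and k8s.deployment.name = "nginx"

    - macro: lab_spawned_process
      condition: evt.type = execve and evt.dir = <

    - macro: lab_open_write
      condition: evt.type in (open, openat) and evt.is_open_write = true and fd.typechar = 'f'

    - macro: lab_outbound
      condition: >
        evt.type = connect and evt.dir = < and (fd.typechar = 4 or fd.typechar = 6)
        and (evt.rawres >= 0 or evt.res = EINPROGRESS)

    # Assumed allow-lists: what an nginx pod is expected to do.
    - list: lab_nginx_allowed_procs
      items: [nginx, sh]

    - list: lab_nginx_writable_dirs
      items: ["/var/cache/nginx", "/var/run", "/tmp"]

    - list: lab_allowed_outbound_nets
      items: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # RFC 1918, i.e. "inside the cluster"

    # 1. Unauthorized process: anything but nginx or sh started in an nginx pod.
    - rule: Lab - Unauthorized process in nginx deployment
      desc: A process other than the allowed ones was started inside a pod of the nginx deployment
      condition: lab_spawned_process and lab_in_container and lab_nginx_pod and not proc.name in (lab_nginx_allowed_procs)
      output: >
        Unauthorized process started in nginx deployment
        (user=%user.name command=%proc.cmdline pod=%k8s.pod.name ns=%k8s.ns.name
        container=%container.name image=%container.image)
      priority: WARNING
      tags: [process, k8s]

    # 2. Write to a non-authorized directory: file opened for writing outside the allowed dirs.
    - rule: Lab - Write outside allowed directories
      desc: A file was opened for writing in a directory the nginx deployment is not expected to write to
      condition: lab_open_write and lab_in_container and lab_nginx_pod and not fd.directory in (lab_nginx_writable_dirs)
      output: >
        Unexpected file write in nginx deployment
        (user=%user.name command=%proc.cmdline file=%fd.name pod=%k8s.pod.name ns=%k8s.ns.name)
      priority: ERROR
      tags: [filesystem, k8s]

    # 3. Unexpected outbound connection: a connect() to a server outside the private ranges.
    - rule: Lab - Unexpected outbound connection
      desc: A process in the nginx deployment connected to an address outside the cluster's private ranges
      condition: lab_outbound and lab_in_container and lab_nginx_pod and not fd.snet in (lab_allowed_outbound_nets)
      output: >
        Unexpected outbound connection from nginx deployment
        (command=%proc.cmdline connection=%fd.name pod=%k8s.pod.name ns=%k8s.ns.name)
      priority: WARNING
      tags: [network, k8s]
```

Two practical checks: Falco can validate a rules file without running it (falco -V <rules_file>), which catches a typo in a field name or an unbalanced parenthesis before the DaemonSet is rolled out, and the Kubernetes fields (k8s.pod.name, k8s.deployment.name, k8s.ns.name) only resolve when Falco is started with access to the API server, which the chart configures for you; if they show up empty in the output, that is the first thing to look at.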
