Setup Falco Security (IDS) in Kubernetes
Overview:
This article walks through setting up Falco (the falcosecurity project) in a Kubernetes cluster with Helm, forwarding its alerts to Falcosidekick, Slack and Google Chat, and tuning the default rules when they get noisy.
What is Falcosecurity?
Falco is an open source runtime security tool for hosts, containers, Kubernetes, and the cloud. It gives you real-time visibility into unusual behaviour such as potential security threats, intrusions, data theft, and compliance violations.
It works by capturing system calls from the kernel (through a kernel module or an eBPF probe) and matching them against rules. Falco ships with a default ruleset and you can write your own; for example, a rule fires and sends you a real-time notification when somebody spawns an interactive shell inside one of your pods.
There are two ways to install Falco.
- If you run a single application on a Linux host such as Ubuntu, install the Falco package and run it as a systemd service; it then watches every process and container on that host.
- If you run many services on Kubernetes and want every pod in the cluster covered, install Falco through the Helm chart, which deploys it as a DaemonSet so that one Falco pod runs on every node.
Installation of Falco
First add the falcosecurity Helm repository and refresh the local chart index:
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
Next, create a namespace for Falco. The same name is used as the Helm release name below, and the name of the Falcosidekick UI service used in the port-forward step is derived from it, so keep it consistent:
kubectl create namespace falcosecurity
Now install the Falco chart into that namespace. driver.kind=ebpf selects the eBPF probe instead of the kernel module, and tty=true attaches Falco to a tty so that its log lines are flushed as soon as they are emitted:
helm install falcosecurity -n falcosecurity --set driver.kind=ebpf --set tty=true falcosecurity/falco
When the install completes, Helm prints the release status and the chart's notes.
Once the chart is fully configured (see the upgrade below), three kinds of pods run in the namespace:
- Falco: the DaemonSet pods, one per node, that watch system calls and generate the alerts.
- Falcosidekick: the pod that receives the alerts from the Falco pods and forwards them to outputs such as Slack or Google Chat.
- Falcosidekick-UI: the pod that serves the web interface showing the alerts.
The install command above only created the Falco DaemonSet. To connect the Falco pods to Falcosidekick and its UI, and to enable the Kubernetes audit log input, JSON output, file output, the Slack and Google Chat webhooks, and a login for the web UI, upgrade the release with the extra values. (The audit log input only receives events if the API server is configured to send its audit webhook to Falco; on managed clusters where you cannot configure the API server this flag has no effect.)
helm upgrade falcosecurity -n falcosecurity falcosecurity/falco --set driver.kind=ebpf --set tty=true --set falcosidekick.enabled=true --set falcosidekick.webui.enabled=true --set auditLog.enabled=true --set falco.jsonOutput=true --set falco.fileOutput.enabled=true --set falcosidekick.webui.user="<username>:<password>" --set falcosidekick.config.slack.webhookurl="<webhooklink>" --set falcosidekick.config.googlechat.webhookurl="<webhooklink>"
Two things to keep in mind. First, helm upgrade does not keep the values from the earlier install unless you pass --reuse-values, which is why every --set has to be repeated on each upgrade. Second, these value names belong to the chart version used here; newer chart majors renamed several of them (for example falco.json_output instead of falco.jsonOutput), so compare against the output of helm show values falcosecurity/falco for the version you pulled.
How do I create a webhook link?
Slack:
1. In Slack, click Add channels and create a new channel for the alerts.
2. Open the channel's settings and click Integrations.
3. Click Add an app, search for Incoming WebHooks, and click Install.
4. Slack opens the browser; click Add to Slack.
5. Select the channel that should receive the alerts.
6. Slack now shows the webhook URL; copy it.
Anyone who holds this URL can post to the channel, so treat it as a secret: pass it through a values file with restricted permissions rather than on the command line, where it ends up in your shell history.
How to check the alerts generated
Once the webhooks are configured, every alert is forwarded to your Slack and Google Chat channels.
Check alerts in the WebUI
The UI is not exposed outside the cluster, so forward its service port to your machine. If the cluster runs on GKE, install the gcloud CLI locally first and fetch the cluster credentials so that kubectl can reach it. Then run the following and leave the terminal open while you use the UI:
kubectl port-forward svc/falcosecurity-falcosidekick-ui 2802:2802 --namespace falcosecurity
Open http://localhost:2802 in your browser.
Enter the username and password you set in falcosidekick.webui.user and click Login.
You now see graphs summarising the alerts Falco has received.
Click Events at the top to list every individual alert.
How to add custom rules
Note: Falco ships with a default ruleset, so it starts generating alerts as soon as it is installed.
After a while you will notice a large volume of alerts, some of them produced by GCP components or other services you do not care about. To silence those you need to change the default rules.
Create a file named custom-rules.yaml.
Paste the rules you want to change into it (note: YAML is indentation-sensitive, so check the indentation carefully) and edit them.
Example: I was getting about 100 alerts from "File below /etc opened for writing". When I checked, the alerts were generated by haproxy and I did not want to receive them, so I appended the following to that rule's condition:
and not proc.cmdline startswith "haproxy-ingress --with-s6-overlay"
In the same way you can tune any alert and silence the ones that are generated automatically by components you trust.
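Before editing a rule it helps to know which rule is noisy and which process triggers it, and after writing an exception it is worth confirming that it silences only the noise. The script below is an added example (my code, not part of the original article or of Falco) that does both over the JSON lines Falco writes when falco.jsonOutput is on. The sample lines are constructed here with invented pod names and command lines, and the script assumes the field names Falco uses in its JSON output (rule, priority, output_fields with proc.cmdline, k8s.ns.name and fd.name). It dry-runs the haproxy exception from the example above and also a tighter variant scoped to a namespace, because a command-line prefix alone is spoofable: any process that names itself haproxy-ingress would slip through it.

```python
"""Triage Falco JSON alerts and dry-run a rule exception before deploying it."""
import json
import sys
from collections import Counter

# Constructed sample input (not captured from a real cluster): lines of the shape
# Falco prints with jsonOutput enabled. Pod names and command lines are invented.
HAPROXY_CMD = "haproxy-ingress --with-s6-overlay --configmap=ingress/haproxy"


def _event(rule, priority, ns, pod, cmdline, fd=None):
    """Build one Falco-style JSON line for the sample set."""
    fields = {"proc.cmdline": cmdline, "k8s.ns.name": ns, "k8s.pod.name": pod}
    if fd:
        fields["fd.name"] = fd
    return json.dumps({"rule": rule, "priority": priority,
                       "time": "2024-05-01T09:00:01.000000000Z",
                       "output_fields": fields})


SAMPLE_LINES = [
    # The noise the article describes: the ingress controller rewriting its own config.
    _event("Write below etc", "Error", "ingress", "haproxy-ingress-7b9f5-x2k4q", HAPROXY_CMD, "/etc/haproxy/haproxy.cfg"),
    _event("Write below etc", "Error", "ingress", "haproxy-ingress-7b9f5-m8d2p", HAPROXY_CMD, "/etc/haproxy/haproxy.cfg"),
    _event("Write below etc", "Error", "ingress", "haproxy-ingress-7b9f5-x2k4q", HAPROXY_CMD, "/etc/haproxy/maps/host.map"),
    _event("Write below etc", "Error", "ingress", "haproxy-ingress-7b9f5-m8d2p", HAPROXY_CMD, "/etc/haproxy/maps/host.map"),
    # A real problem that must keep firing: a shell in an app pod appending to /etc/passwd.
    _event("Write below etc", "Error", "default", "web-0", "sh -c echo hacker::0:0::/root:/bin/sh >> /etc/passwd", "/etc/passwd"),
    _event("Terminal shell in container", "Notice", "default", "web-0", "bash"),
    # A process that merely calls itself haproxy-ingress, outside the ingress namespace.
    _event("Write below etc", "Error", "default", "debug-pod", HAPROXY_CMD, "/etc/ld.so.preload"),
    # Non-JSON startup line that kubectl logs also shows; it must be skipped.
    "Wed May  1 09:00:00 2024: Falco initialized with configuration file: /etc/falco/falco.yaml",
]


def parse_events(lines):
    """Keep only well-formed Falco JSON events; skip banners and partial lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "rule" in ev:
            events.append(ev)
    return events


def count_by_rule(events):
    """How many alerts each rule produced; the top entries are the tuning candidates."""
    return Counter(ev["rule"] for ev in events)


def top_cmdlines(events, rule, n=3):
    """Most frequent proc.cmdline values for one rule, to pick a prefix for the exception."""
    cmds = Counter(ev.get("output_fields", {}).get("proc.cmdline", "")
                   for ev in events if ev["rule"] == rule)
    return cmds.most_common(n)


def exception_condition(cmdline_prefix, namespace=None):
    """Text to append to the rule's condition in custom-rules.yaml."""
    clause = f'proc.cmdline startswith "{cmdline_prefix}"'
    if namespace:
        clause = f'({clause} and k8s.ns.name = "{namespace}")'
    return f"and not {clause}"


def apply_exception(events, rule, cmdline_prefix, namespace=None):
    """Dry-run the exception locally: return the events that would still fire."""
    kept = []
    for ev in events:
        if ev["rule"] == rule:
            f = ev.get("output_fields", {})
            suppressed = f.get("proc.cmdline", "").startswith(cmdline_prefix)
            if namespace is not None:
                suppressed = suppressed and f.get("k8s.ns.name") == namespace
            if suppressed:
                continue
        kept.append(ev)
    return kept


if __name__ == "__main__":
    # Pipe real output in (kubectl logs ... | python3 triage.py) or run on the sample.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LINES
    events = parse_events(lines)
    counts = count_by_rule(events)
    print("alerts per rule:", dict(counts))
    if events:
        noisy = counts.most_common(1)[0][0]
        print(f"top command lines for {noisy!r}:", top_cmdlines(events, noisy))
        prefix = "haproxy-ingress --with-s6-overlay"
        for ns in (None, "ingress"):
            left = apply_exception(events, noisy, prefix, ns)
            print(exception_condition(prefix, ns), "->", len(left), "alerts remain")
```

On the sample set the prefix-only exception leaves 2 alerts (the /etc/passwd write and the shell), but it also hides the debug-pod process writing /etc/ld.so.preload just because it named itself haproxy-ingress; scoping the exception to k8s.ns.name = "ingress" keeps that third alert. To run it against a live cluster, pipe in the Falco pod logs, for example kubectl logs -n falcosecurity -l app.kubernetes.io/name=falco (the label is the standard one the chart applies; check with kubectl get pods --show-labels if it differs).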
Once the custom rule file exists, apply it by passing it to Helm with -f in the same upgrade command:
helm upgrade falcosecurity -n falcosecurity falcosecurity/falco --set driver.kind=ebpf --set tty=true --set falcosidekick.enabled=true --set falcosidekick.webui.enabled=true --set auditLog.enabled=true --set falco.jsonOutput=true --set falco.fileOutput.enabled=true --set falcosidekick.webui.user="<username>:<password>" --set falcosidekick.config.slack.webhookurl="<webhooklink>" --set falcosidekick.config.googlechat.webhookurl="<webhooklink>" -f custom-rules.yaml
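The long --set chain is easy to mistype and leaves the webhook URLs in your shell history, and the article does not show what custom-rules.yaml itself looks like. The values file below is an added example (not from the article or the Falco project) that carries the same settings as the upgrade command above together with the haproxy exception from the custom rules section, expressed as a customRules entry instead of a pasted copy of the whole default ruleset. It assumes the chart 1.x value names used on this page and that the bundled rule whose output begins "File below /etc opened for writing" is named "Write below etc"; the credentials and webhook URLs are placeholders to replace.

```yaml
# values.yaml: added example, not the article's file. Value names follow the
# falcosecurity/falco chart 1.x layout used on this page; newer chart majors
# renamed several keys (falco.json_output, falco.file_output, ...), so compare
# with `helm show values falcosecurity/falco` for the chart version you pulled.
driver:
  kind: ebpf                       # eBPF probe instead of the kernel module
tty: true                          # flush Falco log lines immediately
auditLog:
  enabled: true                    # only useful if the API server audit webhook points at Falco
falco:
  jsonOutput: true                 # one JSON object per alert, easy to parse
  fileOutput:
    enabled: true
falcosidekick:
  enabled: true
  webui:
    enabled: true
    user: "admin:REPLACE-WITH-A-STRONG-PASSWORD"      # placeholder
  config:
    slack:
      webhookurl: "https://hooks.slack.com/services/REPLACE/ME"          # placeholder
    googlechat:
      webhookurl: "https://chat.googleapis.com/v1/spaces/REPLACE/messages"   # placeholder
customRules:
  # Each key becomes a file under /etc/falco/rules.d, loaded after the bundled
  # rules, so appending to an existing rule is enough; no need to copy the defaults.
  haproxy-exceptions.yaml: |-
    - rule: Write below etc
      append: true                 # Falco 0.36+ also accepts override: {condition: append}
      # The article's exception was the bare cmdline prefix; scoping it to the
      # ingress namespace stops any process that merely names itself
      # haproxy-ingress elsewhere from inheriting the exemption.
      condition: >-
        and not (proc.cmdline startswith "haproxy-ingress --with-s6-overlay"
                 and k8s.ns.name = "ingress")
```

Apply it with helm upgrade falcosecurity -n falcosecurity falcosecurity/falco -f values.yaml, keep the file at mode 600 since it holds the webhook URLs and UI password, and after the upgrade check the Falco pod logs for rule-loading errors before trusting that the exception is active; an indentation mistake in the customRules block fails the whole rules file, not just the one rule.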
Falco is now running in your cluster. From here on, keep watching the alerts and refine the rules as new sources of noise show up, so that the real findings are not buried.