Setup Falco Security (IDS) in Kubernetes

Manoj Deshmukh
4 min read · Nov 10, 2023


Overview:

This article walks through installing Falco in a Kubernetes cluster with Helm, forwarding its alerts to Slack and Google Chat through Falcosidekick, viewing them in the Falcosidekick web UI, and tuning the default rules so that expected activity stops generating noise.

What is Falco?

Falco (maintained by the falcosecurity project) is an open source runtime security tool for hosts, containers, Kubernetes and the cloud. It observes system calls on each node through a kernel module or an eBPF probe and gives real-time visibility into unusual behaviour: potential intrusions, data theft, privilege abuse and compliance violations.

Everything is driven by rules. Each rule describes a suspicious pattern (a process, file, network or container attribute), and as soon as an event matches, Falco emits an alert. For example, a default rule fires the moment someone opens an interactive shell inside one of your pods, which is usually how an unauthorised login to a container shows up.

There are two common ways to run Falco.

  1. As a service directly on a host, for example an Ubuntu VM running a single application, installed from the Falco packages.
  2. Through the official Helm chart when your workloads run on Kubernetes. The chart deploys Falco as a DaemonSet, so one Falco pod runs on every node and every pod in the cluster is covered by the rules.

Installation of falcosecurity

First, add Falco's Helm repository and refresh the local chart index:

helm repo add falcosecurity https://falcosecurity.github.io/charts

helm repo update

Next, create a namespace for Falco:

kubectl create namespace falcosecurity

Now install the chart. driver.kind=ebpf selects the eBPF probe instead of the kernel module, and tty=true makes the Falco container flush its output line by line so kubectl logs shows alerts as they happen:

helm install falcosecurity falcosecurity/falco \
  --namespace falcosecurity \
  --set driver.kind=ebpf \
  --set tty=true

When the install completes, Helm prints the chart's release notes. (Screenshot: helm install output)

Once the full setup below is in place, three kinds of pods run in the namespace:

  1. Falco: a DaemonSet, so one pod per node. These pods evaluate the rules against system calls and generate the alerts.
  2. Falcosidekick: receives the alerts from Falco and forwards them to outputs such as Slack and Google Chat.
  3. Falcosidekick-UI: a web UI that displays the alerts Falcosidekick has received.

The install above only deployed Falco itself; Falcosidekick and the UI are not enabled by default. The upgrade below connects Falco to Falcosidekick and the UI, and at the same time enables the Kubernetes audit-log source, JSON output, file output, the Slack and Google Chat webhooks, and a username and password for the web UI.

helm upgrade falcosecurity falcosecurity/falco \
  --namespace falcosecurity \
  --set driver.kind=ebpf \
  --set tty=true \
  --set falcosidekick.enabled=true \
  --set falcosidekick.webui.enabled=true \
  --set auditLog.enabled=true \
  --set falco.jsonOutput=true \
  --set falco.fileOutput.enabled=true \
  --set falcosidekick.webui.user="<username>:<password>" \
  --set falcosidekick.config.slack.webhookurl="<webhooklink>" \
  --set falcosidekick.config.googlechat.webhookurl="<webhooklink>"

Replace the placeholders with your own values. Be aware that the webhook URLs and the UI password are credentials: anything passed with --set ends up in your shell history and in any CI log that echoes the command. For anything beyond a test cluster, put these settings in a Helm values file that is kept out of version control and pass it with -f instead.

How do I create a webhook link?

Slack:

  1. In Slack, click Add channels and create a new channel for the alerts.
  2. Open the channel's settings and click Integrations.
  3. Click Add an app, search for Incoming Webhooks and click Install.
  4. Slack opens a browser page; click Add to Slack.
  5. Select the channel that should receive the alerts.
  6. Copy the generated webhook URL. This is the value for falcosidekick.config.slack.webhookurl. Treat it as a secret: anyone who holds it can post into the channel.

How to check the alerts generated

Every alert Falco raises is forwarded by Falcosidekick to the Slack channel and Google Chat space you configured.

(Screenshot: alerts received in Slack)
(Screenshot: alerts received in Google Chat)

Check alerts in the web UI

Make sure kubectl on your machine can reach the cluster (on GKE this means installing the gcloud CLI and fetching the cluster credentials with it). Then forward the UI's port and leave the command running:

kubectl port-forward svc/falcosecurity-falcosidekick-ui 2802:2802 --namespace falcosecurity

Open this address in a browser:

http://127.0.0.1:2802/

Enter the username and password you set in falcosidekick.webui.user and click Login.

The dashboard shows charts summarising the alerts Falco has generated.

Click Events at the top to list every individual alert.

The port-forward keeps the UI off the network, which is the right default. If you later expose it through a Service or Ingress, put TLS in front of it, since the login credentials would otherwise travel over plain HTTP.

How to add custom rules to falcosecurity

Note: Falco ships with a default rule set, so alerts start flowing as soon as it is installed, before you write a single rule of your own.

After a while the volume becomes overwhelming, and many of the alerts come from GCP components or other platform services whose behaviour is expected. Instead of disabling those rules outright, narrow them so that the expected activity no longer matches while everything else still alerts.

Create a Helm values file named custom-rules.yaml. The chart expects a top-level customRules: map in which each key is a rules file name and each value is Falco rules YAML (check the indentation: the rules sit as an indented block under that key). You can paste the default rule you want to change into it and edit it there, or, more cleanly, add a short entry for the same rule name with append: true so that only your extra clause is added to the existing condition.

Example: I was getting around 100 alerts for "File below /etc opened for writing" (the default rule Write below etc). Looking at the alerts showed they all came from the haproxy ingress controller rewriting its own configuration, so I added this clause to the rule's condition:

not proc.cmdline startswith "haproxy-ingress --with-s6-overlay"

Keep such exclusions as tight as the evidence supports. A full command-line prefix is better than a bare process name, because an attacker can name a process anything; constraining on the container image or the exact file written as well makes the exception harder to abuse. The rule itself stays active; only the understood source is excluded. The same pattern applies to any other noisy, well-understood alert.
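As an added example (not from the original article and not Falco's own tooling), here is a Python script that performs the triage step described above on Falco's JSON output: it ranks rules by alert volume, finds the command lines that dominate the noisiest rule, renders the Helm values snippet for the chart's customRules key that appends a not proc.cmdline startswith clause to that rule, and then checks which alerts the exception would still let through. The event lines are constructed samples in Falco's JSON output format, the rule and command-line values mirror the haproxy case above, and the file name custom-rules.yaml and the 50% share threshold are assumptions; append: true is Falco's way of extending an existing rule's condition without restating the whole rule.

```python
import json
from collections import Counter


def _event(rule, priority, cmdline, fd_name, ts):
    """Build one line in Falco's JSON output format (constructed sample data)."""
    fields = {"proc.cmdline": cmdline, "user.name": "root"}
    if fd_name:
        fields["fd.name"] = fd_name
    return json.dumps({
        "hostname": "node-a",
        "priority": priority,
        "rule": rule,
        "source": "syscall",
        "time": ts,
        "output": f"{ts} {priority} {rule} (command={cmdline} file={fd_name})",
        "output_fields": fields,
    })


# Constructed sample of what falco.jsonOutput=true plus fileOutput writes.
# The first line mimics a non-JSON banner that a parser must tolerate.
SAMPLE_EVENTS = "\n".join(
    ["Falco initialized with configuration file: /etc/falco/falco.yaml"]
    + [_event("Write below etc", "Warning", "haproxy-ingress --with-s6-overlay",
              "/etc/haproxy/haproxy.cfg", f"2023-11-10T10:12:3{i}.000Z")
       for i in range(5)]
    + [_event("Write below etc", "Warning", "bash -c echo x >> /etc/passwd",
              "/etc/passwd", "2023-11-10T10:13:00.000Z"),
       _event("Terminal shell in container", "Notice", "bash", "",
              "2023-11-10T10:14:00.000Z"),
       _event("Terminal shell in container", "Notice", "sh", "",
              "2023-11-10T10:15:00.000Z")]
)


def parse_events(text):
    """Return the parsed JSON events in text, skipping blank and non-JSON lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "rule" in ev:
            events.append(ev)
    return events


def count_by_rule(events):
    """Alert volume per rule; most_common() gives the noisiest first."""
    return Counter(ev["rule"] for ev in events)


def noisy_cmdlines(events, rule, min_share=0.5):
    """Command lines that account for at least min_share of one rule's alerts.

    A large share from a single, well-understood command line is the signal
    that an exception, rather than disabling the rule, is the right fix.
    """
    cmds = Counter(ev.get("output_fields", {}).get("proc.cmdline", "<unknown>")
                   for ev in events if ev["rule"] == rule)
    total = sum(cmds.values())
    if total == 0:
        return []
    return [(cmd, n) for cmd, n in cmds.most_common() if n / total >= min_share]


def render_custom_rules_values(rule, cmdline_prefixes, filename="custom-rules.yaml"):
    """Render a Helm values snippet for the falco chart's customRules map.

    The entry uses append: true, so only the extra clause is added to the
    rule's existing condition; the rest of the default rule is untouched.
    """
    clauses = [f'proc.cmdline startswith "{p}"' for p in cmdline_prefixes]
    cond = clauses[0] if len(clauses) == 1 else "(" + " or ".join(clauses) + ")"
    return (
        "customRules:\n"
        f"  {filename}: |-\n"
        f"    - rule: {rule}\n"
        "      append: true\n"
        f"      condition: and not {cond}\n"
    )


def would_suppress(event, cmdline_prefixes):
    """Local model of the appended clause, to see what the exception hides."""
    cmd = event.get("output_fields", {}).get("proc.cmdline", "")
    return any(cmd.startswith(p) for p in cmdline_prefixes)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    counts = count_by_rule(events)
    for rule, n in counts.most_common():
        print(f"{n:5d}  {rule}")
    noisiest = counts.most_common(1)[0][0]
    prefixes = [cmd for cmd, _ in noisy_cmdlines(events, noisiest)]
    print(render_custom_rules_values(noisiest, prefixes))
    kept = [e for e in events if e["rule"] == noisiest and not would_suppress(e, prefixes)]
    print(f"{noisiest}: {len(kept)} alert(s) would still fire after the exception")
```

To use it on real data, replace SAMPLE_EVENTS with the contents of the file that falco.fileOutput.enabled writes, or with kubectl logs from a Falco pod (jsonOutput applies to stdout as well). The final check matters: in the sample, the write to /etc/passwd by a shell shares the rule with the haproxy noise but does not match the command-line prefix, so it still alerts after the exception is applied.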

With the custom rule written, apply it by passing the values file to the same upgrade command:

helm upgrade falcosecurity falcosecurity/falco \
  --namespace falcosecurity \
  --set driver.kind=ebpf \
  --set tty=true \
  --set falcosidekick.enabled=true \
  --set falcosidekick.webui.enabled=true \
  --set auditLog.enabled=true \
  --set falco.jsonOutput=true \
  --set falco.fileOutput.enabled=true \
  --set falcosidekick.webui.user="<username>:<password>" \
  --set falcosidekick.config.slack.webhookurl="<webhooklink>" \
  --set falcosidekick.config.googlechat.webhookurl="<webhooklink>" \
  -f custom-rules.yaml

After the upgrade, check the logs of a Falco pod to confirm the rules file loaded without a parse error before trusting that the noise is gone.

Falco is now running in your Kubernetes cluster. From here the work is watching the alerts and tightening the rules as new sources of noise appear.


About the author: 4+ years' experience in cybersecurity, VAPT, cloud and Kubernetes security, and cyber forensics. CySA+ and CEH Practical.