Falco needs to talk to the kernel (kernel module or eBPF probe), hence a full-blown guest for once: a VM-backed minikube driver (virtualbox or qemu), not the docker/container driver
as root
apt install build-essential gcc-12
/sbin/vboxconfig # rebuild the VirtualBox kernel modules against the running kernel
lsmod | grep vboxdrv
as user
#minikube delete --all
grep ^proc /proc/cpuinfo # count cores before picking --cpus
minikube start --cpus=12 --driver=virtualbox # --driver=qemu
git clone https://github.com/falcosecurity/charts.git
cd charts/charts/falco/
mv -i values.yaml values.yaml.dist
grep -vE '^$|^[[:space:]]*#' values.yaml.dist > values.yaml.clean
grep -vE '^$|^[[:space:]]*#' values.yaml.dist > values.yaml
here's an example of tuning a specific rule to skip a false positive
– let's say we don't want to see the "A shell was spawned in a container" notice (rule "Terminal shell in container")
whenever the shell being called is dash (instead of bash).
vi values-custom.yaml
tty: true
driver:
  enabled: true
  kind: modern-bpf
falco:
  json_output: true
customRules:
  false-positives.yaml: |-
    - rule: Terminal shell in container
      append: true
      condition: >
        and not proc.name = dash

the appended text is concatenated to the default rule's condition, hence the leading "and not";
note that Falco 0.36+ deprecates append: true in favour of the override: key (condition: append), same effect.
now deploy the DaemonSet (one falco pod per node)
helm dependency build
kubectx
kubens -c
helm uninstall falco-test
helm install --dry-run falco-test . --values=values-custom.yaml | less
helm install falco-test . --values=values-custom.yaml
helm upgrade falco-test . --values=values-custom.yaml
kubectl get nodes
kubectl get ds
kubectl get pods | grep ^falco-test
pods=`kubectl get pods | grep ^falco-test | awk '{print $1}'`
for pod in $pods; do kubectl logs $pod 2>&1 | grep -v ^Defaulted; done; unset pod # --tail=5
==> you should see /etc/falco/rules.d/false-positives.yaml mentioned in the logs (that is where the chart drops each customRules key)
#kubectl logs -l app.kubernetes.io/name=falco -f
kubectl logs -l app.kubernetes.io/instance=falco-test -f # --all-containers
pod=`kubectl get pods | grep ^falco-test | awk '{print $1}' | head -1`
pod=`kubectl get pods | grep ^falco-test | awk '{print $1}' | tail -1`
kubectl exec -ti $pod -- bash
==> produces a shell spawn alert
kubectl exec -ti $pod -- dash
==> that one was excluded for testing and does not produce that alert (check the json_output lines for "rule":"Terminal shell in container" with "proc.name":"dash")
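The bash-vs-dash check above is done by eye on the pod logs. Below is an added helper (not from this page nor from the Falco project) that does the same triage over the json_output lines: count which processes fire "Terminal shell in container", then render the customRules exception for values-custom.yaml for one or several process names. The log lines are constructed samples in the shape of Falco's JSON output (rule, priority, output_fields); the function names are mine. Pipe real pod logs into alerts_for_rule instead of sample_falco_log to use it for real.

```shell
#!/bin/bash
# Added example: triage Falco json_output alerts and render the matching exception.
# Sample log lines are constructed, not captured from a real cluster.
set -eu

# Constructed Falco json_output sample (one JSON object per line): two shells,
# three terminal-shell alerts (1x bash, 2x dash) plus one unrelated alert.
sample_falco_log() {
  cat <<'EOF'
{"hostname":"minikube","output":"12:00:01.000000000: Notice A shell was spawned in a container with an attached terminal (user=root shell=bash container_id=aaa)","priority":"Notice","rule":"Terminal shell in container","source":"syscall","output_fields":{"container.id":"aaa","proc.name":"bash","user.name":"root"}}
{"hostname":"minikube","output":"12:00:02.000000000: Notice A shell was spawned in a container with an attached terminal (user=root shell=dash container_id=aaa)","priority":"Notice","rule":"Terminal shell in container","source":"syscall","output_fields":{"container.id":"aaa","proc.name":"dash","user.name":"root"}}
{"hostname":"minikube","output":"12:00:03.000000000: Notice A shell was spawned in a container with an attached terminal (user=root shell=dash container_id=bbb)","priority":"Notice","rule":"Terminal shell in container","source":"syscall","output_fields":{"container.id":"bbb","proc.name":"dash","user.name":"root"}}
{"hostname":"minikube","output":"12:00:04.000000000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","output_fields":{"container.id":"aaa","proc.name":"cat","fd.name":"/etc/shadow"}}
EOF
}

# Keep only the alerts of one rule (needs falco.json_output: true, as in values-custom.yaml).
alerts_for_rule() {
  grep -F "\"rule\":\"$1\""
}

# Pull proc.name out of output_fields on each alert line.
proc_names() {
  sed -n 's/.*"proc\.name":"\([^"]*\)".*/\1/p'
}

# "count name" per process for one rule, most frequent first: the candidates to exclude.
triage_rule() {
  sample_falco_log | alerts_for_rule "$1" | proc_names | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Alerts of one rule raised by one process (0 when it never fired, e.g. an excluded shell).
count_alerts() {
  triage_rule "$1" | awk -v p="$2" '$2 == p {n = $1} END {print n + 0}'
}

# Condition fragment appended to the default rule; several names become a Falco "in (...)" list.
render_exception() {
  if [ $# -eq 1 ]; then
    echo "and not proc.name = $1"
  else
    local list
    list=$(printf '%s, ' "$@")
    echo "and not proc.name in (${list%, })"
  fi
}

# Whole customRules entry for values-custom.yaml, same layout as the hand-written one.
render_custom_rules() {
  cat <<EOF
customRules:
  false-positives.yaml: |-
    - rule: Terminal shell in container
      append: true
      condition: >
        $(render_exception "$@")
EOF
}

triage_rule "Terminal shell in container"
render_custom_rules dash sh
```

Run the triage first against a day of real logs (kubectl logs -l app.kubernetes.io/instance=falco-test | alerts_for_rule ... ) and only then render the exception: excluding by proc.name alone is a coarse filter, and any process can be renamed, so keep the list short and tied to what the triage actually shows.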
Unable to load the driver
==> probably no pre-compiled kernel module for the guest kernel; switch driver.kind to ebpf (or modern-bpf) instead of the module, or the other way round (see the two issues below)
https://falco.org/blog/falco-plugin-github/
https://falco.org/docs/install-operate/third-party/learning/
https://github.com/falcosecurity/plugins
https://github.com/falcosecurity/rules
https://falcosecurity.github.io/charts/
https://github.com/falcosecurity/charts/tree/master/charts/falco#loading-custom-rules
https://falco.org/docs/rules/appending/
https://falco.org/docs/rules/basic-elements/
https://falco.org/docs/rules/conditions/
https://falco.org/docs/rules/controlling-rules/
https://falco.org/docs/rules/custom-ruleset/
https://falco.org/docs/rules/default-custom/
https://falco.org/docs/rules/style-guide/
https://falco.org/docs/reference/rules/examples/
FW https://sysdig.com/blog/guidelines-reduce-noise-falco-rules/
FW https://sysdig.com/blog/day-2-falco-container-security-tuning-the-rules/
https://falco.org/docs/rules/exceptions/
https://falco.org/blog/falco-rules-now-support-exceptions/
https://github.com/falcosecurity/falco/issues/2483 ==> load ebpf instead
https://stackoverflow.com/questions/63415220/bpf-ring-buffer-invalid-argument-22 ==> load kernel module instead
https://github.com/falcosecurity/charts/tree/master/falcosidekick
https://github.com/falcosecurity/charts/blob/master/falcosidekick/values.yaml
https://github.com/falcosecurity/falco/issues/1537
https://github.com/falcosecurity/falco/pull/1775