CKs Falco

Author: saiyam1814

falco/falcohost/Readme.md

@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: demo3
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: demo3
+  template:
+    metadata:
+      labels:
+        app: demo3
+    spec:
+      nodeName: cplane-01
+      containers:
+      - name: busybox
+        image: busybox
+        command: ["/bin/sh", "-c", "while true; do cat /dev/mem; sleep 10; done"]
+        securityContext:
+          privileged: true

falco/falcohost/deploy.yaml

@@ -0,0 +1,10 @@
+- list: memoryfile
+  items: [/dev/mem]
+- rule: mem
+  desc: mem
+  condition: >
+    fd.name=memoryfile
+  output: >
+    Shell (%fd.name,%container.id)
+  priority: WARNING
+  tags: [security]

falco/falcohost/rule.yaml

@@ -0,0 +1,55 @@
+## Install Falco 
+```
+helm repo add falcosecurity https://falcosecurity.github.io/charts
+helm repo update
+helm install falco falcosecurity/falco -n falco --create-namespace
+```
+
+## Cutom Falco Rule `custom-falco-rules.yaml`
+```
+- rule: Detect /dev/mem Access
+  desc: Detect processes that attempt to read /dev/mem
+  condition: (evt.type=open or evt.type=openat) and fd.name=/dev/mem
+  output: "Process %proc.name accessed /dev/mem (command=%proc.cmdline user=%user.name container=%container.id image=%container.image.repository)"
+  priority: WARNING
+  tags: [security]
+
+```
+## Apply the rule
+
+```
+kubectl create configmap falco-custom-rules --from-file=custom-falco-rules.yaml -n falco
+kubectl patch daemonset falco -n falco --type='json' -p='[
+  {
+    "op": "add",
+    "path": "/spec/template/spec/volumes/-",
+    "value": {
+      "name": "custom-rules",
+      "configMap": {
+        "name": "falco-custom-rules"
+      }
+    }
+  }
+]'
+
+kubectl patch daemonset falco -n falco --type='json' -p='[
+  {
+    "op": "add",
+    "path": "/spec/template/spec/containers/0/volumeMounts/-",
+    "value": {
+      "name": "custom-rules",
+      "mountPath": "/etc/falco/rules.d/custom-falco-rules.yaml",
+      "subPath": "custom-falco-rules.yaml"
+    }
+  }
+]'
+kubectl rollout restart daemonset falco -n falco
+
+```
+
+## check Falco logs
+
+```
+kubectl logs -n falco -l app.kubernetes.io/name=falco --tail=50 -f
+
+```

falco/newrule/Readme.md

@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: demo1
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: demo1
+  template:
+    metadata:
+      labels:
+        app: demo1
+    spec:
+      containers:
+      - name: busybox
+        image: busybox
+        command: ["/bin/sh", "-c", "sleep 3600"]
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: demo2
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: demo2
+  template:
+    metadata:
+      labels:
+        app: demo2
+    spec:
+      containers:
+      - name: busybox
+        image: busybox
+        command: ["/bin/sh", "-c", "sleep 3600"]
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: demo3
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: demo3
+  template:
+    metadata:
+      labels:
+        app: demo3
+    spec:
+      containers:
+      - name: busybox
+        image: busybox
+        command: ["/bin/sh", "-c", "while true; do cat /dev/mem; sleep 10; done"]
+        securityContext:
+          privileged: true
+

falco/newrule/deploy.yaml

@@ -0,0 +1,16 @@
+## Install Falco 
+```
+curl -L -O https://download.falco.org/packages/bin/x86_64/falco-0.40.0-x86_64.tar.gz
+tar -xvf falco-0.40.0-x86_64.tar.gz
+cp -R falco-0.40.0-x86_64/* /
+apt update -y
+apt install -y dkms make linux-headers-$(uname -r)
+# If you use falcoctl driver loader to build the eBPF probe locally you need also clang toolchain
+apt install -y clang llvm
+```
+### Run shell inside a container 
+```
+docker run --name ubuntu bash --rm -i -t ubuntu bash
+```
+### Change Falco Rules 
+`output: "[%evt.time][%container.id] [%container.name]"`