events! May 2016
• Oct 2018: Sysdig Inc. donated Falco to the CNCF
• May 2019: Falco Community Calls start!
• Jan 2020: Accepted as a CNCF incubation-level hosted project
@leodido
process by preventing syscalls from succeeding (also killing the process sometimes).
DETECTION
Use policies to monitor the behavior of a process and notify when its behavior steps outside the policy.
PREVENTION
• SELinux
• AppArmor
AUDITING: behavioral monitoring, intrusion & anomaly detection, forensics
• auditd
• Falco
• ...
• a lot still to be done in this space!
ENFORCEMENT
PREVENTION IS NOT ENOUGH. COMPLEMENTARY, NOT MUTUALLY EXCLUSIVE APPROACHES
and an alarm, but she alerts me when things aren’t going right, when little bro is misbehaving or if there’s someone suspicious outside or nearby. She detects runtime anomalies in my life at home.
Runtime Security
OS / KUBERNETES / APPLICATIONS
When you run a program you are making system calls. System calls are how a program enters the kernel to perform some task.
• processes
• network
• file IO
• much more...
event originated in a container? What’s the container name and ID? What’s the container image?
ORCHESTRATOR
In which cluster is it running? On which node? What’s the container runtime interface in use?
panics, not always suitable
EBPF PROBE
Pros: program the kernel without risking breaking it
Cons: requires newer kernels
PDIG
Pros: (almost) unprivileged
Cons: really hackish, ~20% slower
Other methods? Future inputs/drivers?
How to get syscalls to userspace?
pod with certain built-in volume types (GlusterFS, Quobyte, StorageFS, ScaleIO) or permissions to create a StorageClass can cause kube-controller-manager to make GET or POST requests from the master’s host network.
Affected: kube-controller-manager < 1.15.11 / 1.16.0 - 1.16.8 / 1.17.0 - 1.17.4 / 1.18.0
How to detect? Write two Falco rules using Kubernetes audit logs as input to:
1. detect if a StorageClass object is created with one of the volume types
2. detect if pods are created using one of the volume types
Learn how to detect it step-by-step with Falco.
Kubelet DoS
❏ CVE-2020-8557 (medium, Jul.)
❏ Detect it with Falco, mitigate with AppArmor [link]
Root access from unprivileged local process
Triggering a memory corruption in the packet socket facility in the Linux kernel to hijack data and resources
❏ CVE-2020-14386 (high, Sept.)
❏ Detecting with Falco [link]