Practical Cloud Native Security with Falco: Risk and Threat Detection for Containers, Kubernetes, and Cloud
By Loris Degioanni, Leonardo Grasso
- Publisher: O'Reilly Media
- Year: 2022
- Language: English
- Pages: 227
- Edition: 1
- Category: Library
Synopsis
As more and more organizations migrate their applications to the cloud, cloud native computing has become the dominant way to approach software development and execution. Protecting modern, cloud native applications from threats requires the ability to defend them at runtime, when they're most vulnerable to attacks.
This practical guide introduces you to Falco, the open source standard for continuous risk and threat detection across Kubernetes, containers, and the cloud. Falco creator Loris Degioanni and core maintainer Leonardo Grasso bring you up to speed on threat detection and show you how to get Falco up and running, plus advanced topics such as deploying Falco in production and writing your own security rules.
You'll learn how to:
- Leverage runtime security in cloud native environments
- Detect configuration changes and unexpected behavior in the cloud
- Protect containers, Kubernetes, and cloud applications using Falco
- Run, deploy, and customize Falco
- Deploy, configure, and maintain Falco in a production environment
- Improve your compliance
Table of Contents
Cover
Copyright
Table of Contents
Preface
Who Is This Book For?
Overview
Part I: The Basics
Part II: The Architecture of Falco
Part III: Running Falco in Production
Part IV: Extending Falco
Conventions Used in This Book
Using Code Examples
O'Reilly Online Learning
How to Contact Us
Acknowledgments
Leonardo
Loris
Part I. The Basics
Chapter 1. Introducing Falco
Falco in a Nutshell
Sensors
Data Sources
Rules
Data Enrichment
Output Channels
Containers and More
Falco's Design Principles
Specialized for Runtime
Suitable for Production
Intent-Free Instrumentation
Optimized to Run at the Edge
Avoids Moving and Storing a Ton of Data
Scalable
Truthful
Robust Defaults, Richly Extensible
Simple
What You Can Do with Falco
What You Cannot Do with Falco
Background and History
Network Packets: BPF, libpcap, tcpdump, and Wireshark
Snort and Packet-Based Runtime Security
The Network Packets Crisis
System Calls as a Data Source: sysdig
Falco
Chapter 2. Getting Started with Falco on Your Local Machine
Running Falco on Your Local Machine
Downloading and Installing the Binary Package
Installing the Driver
Starting Falco
Generating Events
Interpreting Falco's Output
Customizing Your Falco Instance
Rules Files
Output Channels
Conclusion
Part II. The Architecture of Falco
Chapter 3. Understanding Falco's Architecture
Falco and the Falco Libraries: A Data-Flow View
Drivers
Plugins
libscap
Managing Data Sources
Supporting Trace Files
Collecting System State
libsinsp
State Engine
Event Parsing
Filtering
Output Formatting
One More Thing About libsinsp
Rule Engine
Conclusion
Chapter 4. Data Sources
System Calls
Examples
Observing System Calls
Capturing System Calls
Accuracy
Performance
Scalability
So What About Stability and Security?
Kernel-Level Instrumentation Approaches
The Falco Drivers
Which Driver Should You Use?
Capturing System Calls Within Containers
Running the Falco Drivers
Kernel Module
eBPF Probe
Using Falco in Environments Where Kernel Access Is Not Available: pdig
Running Falco with pdig
Falco Plugins
Plugin Architecture Concepts
How Falco Uses Plugins
Conclusion
Chapter 5. Data Enrichment
Understanding Data Enrichment for Syscalls
Operating System Metadata
Container Metadata
Kubernetes Metadata
Data Enrichment with Plugins
Conclusion
Chapter 6. Fields and Filters
What Is a Filter?
Filtering Syntax Reference
Relational Operators
Logical Operators
Strings and Quoting
Fields
Argument Fields Versus Enrichment Fields
Mandatory Fields Versus Optional Fields
Field Types
Using Fields and Filters
Fields and Filters in Falco
Fields and Filters in sysdig
Falco's Most Useful Fields
General
Processes
File Descriptors
Users and Groups
Containers
Kubernetes
CloudTrail
Kubernetes Audit Logs
Conclusion
Chapter 7. Falco Rules
Introducing Falco Rules Files
Anatomy of a Falco Rules File
Rules
Macros
Lists
Rule Tagging
Declaring the Expected Engine Version
Replacing, Appending to, and Disabling Rules
Replacing Macros, Lists, and Rules
Appending to Macros, Lists, and Rules
Disabling Rules
Conclusion
Chapter 8. The Output Framework
Falco's Output Architecture
Output Formatting
Output Channels
Standard Output
Syslog Output
File Output
Program Output
HTTP Output
gRPC Output
Other Logging Options
Conclusion
Part III. Running Falco in Production
Chapter 9. Installing Falco
Choosing Your Setup
Installing Directly on the Host
Using a Package Manager
Without Using a Package Manager
Managing the Driver
Running Falco in a Container
Syscall Instrumentation Scenario
Plugin Scenario
Deploying to a Kubernetes Cluster
Using Helm
Using Manifests
Conclusion
Chapter 10. Configuring and Running Falco
Configuring Falco
Differences Among Installation Methods
Host Installation
Containers
Kubernetes Deployments
Command-Line Options and Environment Variables
Configuration Settings
Instrumentation Settings (Syscalls Only)
Data Enrichment Settings (Syscalls Only)
Ruleset Settings
Output Settings
Other Settings for Debugging and Troubleshooting
Configuration File
Ruleset
Loading Rules Files
Tuning the Ruleset
Using Plugins
Changing the Configuration
Conclusion
Chapter 11. Using Falco for Cloud Security
Why Falco for AWS Security?
Falco's Architecture and AWS Security
Detection Examples
Configuring and Running Falco for CloudTrail Security
Receiving Log Files Through an SQS Queue
Reading Events from an S3 Bucket or the Local Filesystem
Extending Falco's AWS Ruleset
What About Other Clouds?
Conclusion
Chapter 12. Consuming Falco Events
Working with Falco Outputs
falco-exporter
Falcosidekick
Observability and Analysis
Getting Notified
Responding to Threats
Conclusion
Part IV. Extending Falco
Chapter 13. Writing Falco Rules
Customizing the Default Falco Rules
Writing New Falco Rules
Our Rule Development Method
Things to Keep in Mind When Writing Rules
Priorities
Noise
Performance
Tagging
Conclusion
Chapter 14. Falco Development
Working with the Codebase
The falcosecurity/falco Repository
The falcosecurity/libs Repository
Building Falco from Source
Extending Falco Using the gRPC API
Extending Falco with Plugins
Preparing a Plugin in Go
Plugin State and Initialization
Adding Event Sourcing Capability
Adding Field Extraction Capability
Finalizing the Plugin
Building a Plugin Written in Go
Using Plugins While Developing
Conclusion
Chapter 15. How to Contribute
What Does It Mean to Contribute to Falco?
Where Should I Start?
Contributing to Falcosecurity Projects
Issues
Pull Requests
Conclusion
Index
About the Authors
Colophon
Subjects
Amazon Web Services; Cloud Computing; Security; Network Security; Kubernetes; Falco; Data Enrichment