Difficulty: medium
Estimated Time: 20 minutes

Sysdig Falco is an open source, behavioral monitoring software designed to detect anomalous activity. Sysdig Falco works as an intrusion detection system on any Linux host, although it is particularly useful when using Docker since it supports container-specific context like container.id, container.image or namespaces for its rules.

If you have not done it yet, it's a good idea to complete the Sysdig: container troubleshooting and visibility scenario before this one.

Sysdig Falco is an auditing tool, as opposed to enforcement tools like Seccomp or AppArmor. Falco runs in user space, using a kernel module to intercept system calls, while other similar tools perform system call filtering/monitoring at the kernel level. One of the benefits of a user space implementation is being able to integrate with external systems like Docker orchestration tools. The article "SELinux, Seccomp, Sysdig Falco, and you: A technical discussion" covers the similarities and differences of these related security tools.

In this lab you will learn the basics of Sysdig Falco and how to use it along with Docker to detect anomalous container behavior.

This scenario will cover the following security threats:

  • Container running an interactive shell
  • Unauthorized process
  • Write to non user-data directory
  • Sensitive mount by container

You will play both the attacker and defender (sysadmin) roles, verifying that the intrusion attempt has been detected by Sysdig Falco.

Based on Sysdig Blog articles: https://sysdig.com/blog/.

In this course you experimented with the basics of Sysdig Falco and its operation on Docker-based deployments. Starting off from kernel system calls and events, Linux namespaces and container-specific metadata, you can configure security alerts without ever having to modify or instrument the Docker images.

This time we just used a simple file output in order to focus on the rule syntax, but you can also configure a custom programmatic output to send notifications to event and alerting systems in your organization.
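The plain file output used in this lab can be consumed programmatically too. The following Python script is an added example, not part of the lab or of the Falco project: it parses text lines of the form `<time>: <Priority> <message> (key=value ...)`, which is the shape of Falco's default text output, summarises events per priority and per container, and hands every event at or above a chosen priority to a callable standing in for your alerting system. The log lines embedded in it are constructed samples, not real Falco output.

```python
"""Parse Falco's plain-text file output, summarise it and forward events.

Added example (not Falco's own code). Assumes the default text line format
written by file_output in falco.yaml:
    <HH:MM:SS.nnnnnnnnn>: <Priority> <message> (key=value key=value ...)
"""
import re
from collections import Counter

# Falco priorities, most severe first; the index doubles as a severity rank.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
_RANK = {p: i for i, p in enumerate(PRIORITIES)}

# Constructed sample of what /var/log/falco_events.log could contain.
SAMPLE_LOG = """\
10:02:13.812345678: Notice A shell was spawned in a container with an attached terminal (user=root container_id=3ad7b4b4e5ab shell=bash parent=runc cmdline=bash image=nginx)
10:02:20.123456789: Error File below a known binary directory opened for writing (user=root command=touch /bin/evil file=/bin/evil container_id=3ad7b4b4e5ab image=nginx)
10:03:01.000000000: Warning Sensitive file opened for reading by non-trusted program (user=root command=cat /etc/shadow file=/etc/shadow container_id=9f1e2d3c4b5a image=alpine)
this line is not a falco event and must be skipped
10:03:05.500000000: Debug Falco internal message (container_id=host)
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+): (?P<priority>[A-Za-z]+) (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict for one Falco text line, or None if it is not an event."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("priority") not in _RANK:
        return None
    msg = m.group("msg")
    # The rule output ends with parenthesised key=value fields; pull them out.
    fields = {}
    if msg.endswith(")") and "(" in msg:
        body = msg[msg.rfind("(") + 1:-1]
        fields = dict(KV_RE.findall(body))
    return {"time": m.group("time"), "priority": m.group("priority"),
            "message": msg, "fields": fields}


def parse_log(text):
    """Parse a whole log text, silently dropping non-event lines."""
    events = (parse_line(line) for line in text.splitlines())
    return [e for e in events if e is not None]


def at_least(events, priority):
    """Events whose priority is as severe as `priority` or worse."""
    limit = _RANK[priority]
    return [e for e in events if _RANK[e["priority"]] <= limit]


def summarise(events):
    """Count events per priority and per container id."""
    by_priority = Counter(e["priority"] for e in events)
    by_container = Counter(e["fields"].get("container_id", "unknown")
                           for e in events)
    return by_priority, by_container


def forward(events, min_priority, send):
    """Pass each event at/above min_priority to `send`, a stand-in for the
    notification hook a programmatic output would call. Returns the count."""
    selected = at_least(events, min_priority)
    for e in selected:
        send(e)
    return len(selected)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    prio, cont = summarise(evs)
    print("by priority:", dict(prio))
    print("by container:", dict(cont))
    n = forward(evs, "Warning",
                lambda e: print("ALERT", e["priority"],
                                e["fields"].get("container_id"),
                                e["message"][:60]))
    print(n, "event(s) forwarded")
```

To use it on a live host, read `/var/log/falco_events.log` instead of `SAMPLE_LOG` and replace the `print` lambda with a call into your ticketing or chat system; filtering on `container_id` makes it easy to route alerts per workload.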

Eager to learn more? These are some recommended further steps:

Docker runtime security with Falco

Step 1 of 6

Sysdig Falco installation

First, we will copy the working configuration files built for this course to /etc/falco:

sudo -s
mkdir /etc/falco
cp falco.yaml falco_rules.yaml /etc/falco
touch /var/log/falco_events.log

As you can guess:

  • falco.yaml configures the Falco service
  • falco_rules.yaml contains the threat detection patterns
  • falco_events.log will be used as the events log file.

Then, we can pull and launch the Sysdig Falco container, mounting the configuration files we defined previously:

docker pull sysdig/falco
docker run -d --name falco --privileged \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /dev:/host/dev \
  -v /proc:/host/proc:ro \
  -v /boot:/host/boot:ro \
  -v /lib/modules:/host/lib/modules:ro \
  -v /usr:/host/usr:ro \
  -v /etc/falco/falco.yaml:/etc/falco/falco.yaml \
  -v /etc/falco/falco_rules.yaml:/etc/falco/falco_rules.yaml \
  -v /var/log/falco_events.log:/var/log/falco_events.log \
  sysdig/falco

Note: if you accidentally terminate the container or want to reload the configuration files, you can always run docker restart falco from the host.