Behavioural activity monitoring on CoreOS with Sysdig Falco
1 like•1,046 views
This document contains instructions and configuration details for monitoring Linux systems and containers using Falco. It includes commands to install necessary packages like Falco and its dependencies. It also provides examples of Falco rules to generate alerts for suspicious activities like modifying files in critical directories or accessing devices like cameras without the proper applications. The rules leverage conditions, macros and lists to define what behaviors to flag for further review.
![•
- macro: bin_dir
condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
- list: package_mgmt_binaries
items: [dpkg, dpkg-preconfigu, rpm, rpmkey, yum, frontend]
- rule: write_binary_dir
desc: an attempt to write to any file below a set of binary directories
condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs
output: "File below a known binary directory opened for writing
(user=%user.name command=%proc.cmdline file=%fd.name)"
priority: WARNING](https://image.slidesharecdn.com/behaviouralactivitymonitoringoncoreoswithsysdigfalco-170301073901/85/Behavioural-activity-monitoring-on-CoreOS-with-Sysdig-Falco-24-320.jpg)
Behavioural activity monitoring on CoreOS with Sysdig Falco
- 2. (htop, vmstat, netstat, lsof, tcpdump…)
- 3. • • •
- 6. • •
- 7. RUN apt-get install -y wget build-essential python python-dev python-pip python-virtualenv RUN wget http://nodejs.org/dist/node-latest.tar.gz RUN tar xvzf node-latest.tar.gz RUN cd node-v* && ./configure && CXX="g++ -Wno-unused-local-typedefs" make && CXX="g++ -Wno-unused-local-typedefs" make install • •
- 8. • •
- 9. • • •
- 10. • • •
- 11. • • •
- 12. • • •
- 13. • • • • •
- 14. • • • • • •
- 17. • • • # Alert whenever anyone performs an unlink() for a file below /usr/bin -a always,exit -S unlink -S unlinkat -F dir=/usr/bin -F success=1 # Watch any invocation of /usr/bin/passwd -w /usr/bin/passwd -p x -k passwd_mgmt
- 19. Kernel Docker Container 1 Container 2 Container 3 App App rkt LXC Kernel module Instrumentation
- 21. • • • • • •
- 22. • • • • •
- 23. container.id != host and proc.name = bash fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) and write evt.type = setns and not proc.name in (docker, sysdig) (evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)
- 24. • - macro: bin_dir condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) - list: package_mgmt_binaries items: [dpkg, dpkg-preconfigu, rpm, rpmkey, yum, frontend] - rule: write_binary_dir desc: an attempt to write to any file below a set of binary directories condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)" priority: WARNING
- 25. • • output • • • • • mail -s "Falco Notification" [email protected]) •
- 27. ● ● ○ ○ ● ●