Skip to content

Latest commit

 

History

History
executable file
·
270 lines (174 loc) · 8.17 KB

File metadata and controls

executable file
·
270 lines (174 loc) · 8.17 KB

Lab - Use Falco to detect threats

  • Take me to the Lab

Solutions for Lab - Use Falco to detect threats:

  1. Is Falco installed on the controlplane node?

    Inspect the status of the falco service.

    Reveal
    systemctl status falco
    
  2. How is falco installed in this cluster?
    • As package on the node (since we examined it with systemctl)
  3. What is the status of the Falco service running on controlplane?

    Refer to the output of Q1, or run the command again

    Reveal
    • Running
  4. How can you check for the events generated by falco in this set up?
    • Since falco is running as a service, we can make use of journalctl -u falco to inspect the events generated.
  5. Information - follow the given instructions

  6. Which file does falco rely on to function?

    You can inspect the beginning of falco's log to find this. In the first terminal run

    `journalctl -u falco`
    

    to see the beginning of the log. Hit q when done.

    Reveal
    • /etc/falco/falco.yaml
  7. Information - follow the given instructions

  8. Which of the following rule files have NOT been declared in the falco configuration file?

    Inspect the included rules files in /etc/falco/falco.yaml

    Reveal

    this is the section you need to look at:

    rules_file:
      - /etc/falco/falco_rules.yaml
      - /etc/falco/falco_rules.local.yaml
      - /etc/falco/rules.d

    Note that /etc/falco/custom_rules.yaml is not present

  9. In which format is an event logged currently?

    Inspect /etc/falco/falco.yaml again

    Reveal

    Find the json_output property which is a boolean. true - JSON, false - text. XML and YAML are not options.

  10. If the same rule is configured on all rule files defined in the rules_file list, which one will take precedence?

    Rules are read in the order of files in the list. If the same rule is present in all the files, the one in the last file overrides the others.

    Reveal

    Thus the answer is The Rule defined in the file that comes last in the list

  11. We just created a few new pods on this Kubernetes cluster. Identify the name of the pod that is running operations that falco considers to be suspicious.

    Once identified, save the name of the pod in to the file /root/compromised_pods.txt in the controlplane. The format used should be as follows:

    namespace,podname

    Note: - It may take a few mins to get reflected on the logs.

    Reveal

    The log message looks like this:

    Nov 29 19:54:01 controlplane falco[25038]: 19:54:01.752959791: Error Package management process launched in container (user=<NA> user_loginuid=-1 command=apt update pid=26294 container_id=b94bf4bfe82c container_name=simple-webapp-1 image=docker.io/library/nginx:latest namespace=critical-apps)
    

    ...and from this you can determine both the container and the namepace. Now save to the given file

    echo "critical-apps,simple-webapp-1" > /root/compromised_pods.txt

    Strictly speaking however, falco gives you the container name and its ID, not the pod name so this could catch you out in the exam if the name of the container in the pod is not the same as the name of the pod!

    What you should do is to take the container_id from the log and use crictl to determine the actual pod name.

    crictl ps | grep b94bf4bfe82c

    and it will tell you the pod name in the output, which in this case is also simple-webapp-1

  12. What was the priority set for the event that was generated for the previous question?

    This is also part of the message in the log output.

    Reveal
    • Error
  13. What was the command run on the simple-webapp-1 pod that caused this error?

    This is also part of the message in the log output.

    Reveal
    • command=apt update, therefore apt update
  14. What is the name of the rule that triggered this output?

    For this question, you will have to inspect the output logged for the event and then check the name of the rule associated with this output in one of the falco rules file under /etc/falco

    Reveal
    1. Take the rule description - Package management process launched in container

    2. Search for it in the rules file...

       grep -B 15 'Package management process launched in container' /etc/falco/falco_rules.yaml
      

      Use "lines before" (-B) to grep to get lines before the matching text - enough lines until you can see - rule:, and then you can get its name

      • Launch Package Management Process in Container
  15. Which file was this rule configured in?

    Now you may be tempted to say /etc/falco/falco_rules.yaml, because that's how you answered the previous question, but if you examine the output section of that rule, the fields being printed are not what you are seeing in the log. It doesn't have namespace for a start. This means it must be redefined in one of the other files under rules_file:.

    Inspect them to find the redefinition.

    Reveal
    • /etc/falco/falco_rules.local.yaml
  16. Now, let us update this rule by making minor changes to the way the output is logged.

    Change the output so that it now prints the events in the following sample format as shown below:

    Error Package Management Tools Executed (user_loginuid=-1 command=apt update container_name=simple-webapp-1)
    

    To update, edit the rule in /etc/falco/falco_rules.local.yaml. Then reload the Falco configuration and restart the engine without restarting the service.

    Finally, try running kubectl exec simple-webapp-1 -- apt update on the controlplane node and see if the changed rule is seen in the falco logs.

    Reveal
    1. vi /etc/falco/falco_rules.local.yaml

    2. Edit it to be

      - rule: Launch Package Management Process in Container
        desc: Package management process ran inside container
        condition: >
          spawned_process
          and container
          and user.name != "_apt"
          and package_mgmt_procs
          and not package_mgmt_ancestor_procs
          and not user_known_package_manager_in_container
        output: >
          Package Management Tools Executed (user_loginuid=%user.loginuid command=%proc.cmdline container_name=%container.name )
        priority: ERROR
        tags: [process, mitre_persistence]
    3. Save and exit vi

    4. Hot-reload falco

      kill -i $(pidof falco)
    5. Test, then observe falco log

      kubectl exec simple-webapp-1 -- apt update