- Take me to the Lab
Solutions for Lab - Use Falco to detect threats:
-
Is Falco installed on the
controlplane
node?Inspect the status of the falco service.
Reveal
systemctl status falco
-
How is falco installed in this cluster?
- As package on the node (since we examined it with
systemctl
)
- As package on the node (since we examined it with
-
What is the status of the Falco service running on controlplane?
Refer to the output of Q1, or run the command again
Reveal
- Running
-
How can you check for the events generated by falco in this set up?
- Since falco is running as a service, we can make use of
journalctl -u falco
to inspect the events generated.
- Since falco is running as a service, we can make use of
-
Information - follow the given instructions
-
Which file does falco rely on to function?
You can inspect the beginning of falco's log to find this. In the first terminal run
`journalctl -u falco`
to see the beginning of the log. Hit
q
when done.Reveal
/etc/falco/falco.yaml
-
Information - follow the given instructions
-
Which of the following rule files have
NOT
been declared in thefalco
configuration file?Inspect the included rules files in
/etc/falco/falco.yaml
Reveal
this is the section you need to look at:
rules_file: - /etc/falco/falco_rules.yaml - /etc/falco/falco_rules.local.yaml - /etc/falco/rules.d
Note that
/etc/falco/custom_rules.yaml
is not present -
In which format is an event logged currently?
Inspect
/etc/falco/falco.yaml
againReveal
Find the
json_output
property which is a boolean.true
- JSON,false
- text. XML and YAML are not options. -
If the same rule is configured on all rule files defined in the
rules_file
list, which one will take precedence?Rules are read in the order of files in the list. If the same rule is present in all the files, the one in the last file overrides the others.
Reveal
Thus the answer is
The Rule defined in the file that comes last in the list
-
We just created a few new pods on this Kubernetes cluster. Identify the name of the pod that is running operations that falco considers to be suspicious.
Once identified, save the name of the pod in to the file /root/compromised_pods.txt in the controlplane. The format used should be as follows:
namespace,podname
Note: - It may take a few mins to get reflected on the logs.
Reveal
The log message looks like this:
Nov 29 19:54:01 controlplane falco[25038]: 19:54:01.752959791: Error Package management process launched in container (user=<NA> user_loginuid=-1 command=apt update pid=26294 container_id=b94bf4bfe82c container_name=simple-webapp-1 image=docker.io/library/nginx:latest namespace=critical-apps)
...and from this you can determine both the container and the namepace. Now save to the given file
echo "critical-apps,simple-webapp-1" > /root/compromised_pods.txt
Strictly speaking however, falco gives you the container name and its ID, not the pod name so this could catch you out in the exam if the name of the container in the pod is not the same as the name of the pod!
What you should do is to take the
container_id
from the log and usecrictl
to determine the actual pod name.crictl ps | grep b94bf4bfe82c
and it will tell you the pod name in the output, which in this case is also
simple-webapp-1
-
What was the priority set for the event that was generated for the previous question?
This is also part of the message in the log output.
Reveal
Error
-
What was the command run on the
simple-webapp-1
pod that caused this error?This is also part of the message in the log output.
Reveal
command=apt update
, thereforeapt update
-
What is the name of the rule that triggered this output?
For this question, you will have to inspect the output logged for the event and then check the name of the rule associated with this output in one of the falco rules file under
/etc/falco
Reveal
-
Take the rule description -
Package management process launched in container
-
Search for it in the rules file...
grep -B 15 'Package management process launched in container' /etc/falco/falco_rules.yaml
Use "lines before" (
-B
) to grep to get lines before the matching text - enough lines until you can see- rule:
, and then you can get its nameLaunch Package Management Process in Container
-
-
Which file was this rule configured in?
Now you may be tempted to say
/etc/falco/falco_rules.yaml
, because that's how you answered the previous question, but if you examine theoutput
section of that rule, the fields being printed are not what you are seeing in the log. It doesn't havenamespace
for a start. This means it must be redefined in one of the other files underrules_file:
.Inspect them to find the redefinition.
Reveal
/etc/falco/falco_rules.local.yaml
-
Now, let us update this rule by making minor changes to the way the output is logged.
Change the output so that it now prints the events in the following sample format as shown below:
Error Package Management Tools Executed (user_loginuid=-1 command=apt update container_name=simple-webapp-1)
To update, edit the rule in
/etc/falco/falco_rules.local.yaml
. Then reload the Falco configuration and restart the engine without restarting the service.Finally, try running
kubectl exec simple-webapp-1 -- apt update
on the controlplane node and see if the changed rule is seen in the falco logs.Reveal
-
vi /etc/falco/falco_rules.local.yaml
-
Edit it to be
- rule: Launch Package Management Process in Container desc: Package management process ran inside container condition: > spawned_process and container and user.name != "_apt" and package_mgmt_procs and not package_mgmt_ancestor_procs and not user_known_package_manager_in_container output: > Package Management Tools Executed (user_loginuid=%user.loginuid command=%proc.cmdline container_name=%container.name ) priority: ERROR tags: [process, mitre_persistence]
-
Save and exit
vi
-
Hot-reload falco
kill -i $(pidof falco)
-
Test, then observe falco log
kubectl exec simple-webapp-1 -- apt update
-