Introduction To Sysdig Falco

About Me

  • Red Hat Architect
  • Utah Cyber Protection Team
  • 10+ years Linux administration

Overview

  • Introduction
  • Falco Rules
  • Demo

Introduction

What is Sysdig?

“Sysdig is open source, system-level exploration: capture system state and activity from a running Linux instance, then save, filter and analyze.”

strace + tcpdump + htop + iftop + lsof +
transaction tracing + awesome sauce.

What is Sysdig Falco?

  • A behavioral activity monitor designed to detect anomalous activity in your applications.
  • Powered by sysdig’s system call capture infrastructure.
  • Continuously monitors container, application, host, and network activity and flags what its rules consider anomalous.

Falco Rules

Rules


- rule: run_shell_in_container
  desc: a shell was spawned in a container.
  condition: container.id != host and proc.name = bash
  output: "Shell spawned in a container"
  priority: WARNING
  tags: [container]

Macros


- macro: in_container
  condition: container.id != host

Lists


- list: shell_binaries
  items: [bash, csh, ksh, sh, tcsh, zsh, dash]

- list: userexec_binaries
  items: [sudo, su]

- list: known_binaries
  items: [shell_binaries, userexec_binaries]

- macro: safe_procs
  condition: proc.name in (known_binaries)

Combined Example


- macro: in_container
  condition: container.id != host

- list: shell_binaries
  items: [bash, csh, ksh, sh, tcsh, zsh, dash]

- rule: run_shell_in_container
  desc: a shell was spawned in a container.
  condition: in_container and proc.name in (shell_binaries)
  output: "Shell spawned in a container"
  priority: WARNING
  tags: [container]
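The rule, macro and list definitions above compose by textual expansion: a list name inside an "in (...)" clause is replaced by its items (a list that names other lists, like known_binaries, flattens recursively), and a macro name is replaced by its condition wrapped in parentheses. The evaluator below is an added example, not Falco's own code and not part of the talk; it mirrors that expansion on the slides' definitions and evaluates the resolved condition against constructed events (the container id and the event values are made up, and the event fields are plain dict keys named after the sysdig filter fields on the slides). Real Falco reads its events from the sysdig kernel module; only the rule-composition logic is reproduced here.

```python
"""Added example, not Falco's own code: a toy evaluator for the rule, macro and list
syntax on the slides, expanding lists and macros and then evaluating conditions."""
import re

# The slides' definitions as Python data, so no YAML parser is needed.
RULESET = [
    {"macro": "in_container", "condition": "container.id != host"},
    {"list": "shell_binaries", "items": ["bash", "csh", "ksh", "sh", "tcsh", "zsh", "dash"]},
    {"list": "userexec_binaries", "items": ["sudo", "su"]},
    {"list": "known_binaries", "items": ["shell_binaries", "userexec_binaries"]},
    {"macro": "safe_procs", "condition": "proc.name in (known_binaries)"},
    {"rule": "run_shell_in_container", "desc": "a shell was spawned in a container.",
     "condition": "in_container and proc.name in (shell_binaries)",
     "output": "Shell spawned in a container", "priority": "WARNING", "tags": ["container"]},
]
NAME = re.compile(r"(?<![\w.])[A-Za-z_]\w*(?![\w.])")  # bare word, not a piece of proc.name
TOKEN = re.compile(r"\(|\)|,|!=|=|[A-Za-z_][\w.]*")
PREC = {"or": 0, "and": 1}  # 'and' binds tighter than 'or'


def resolve_condition(ruleset, condition, _seen=()):
    """Flatten list names inside 'in (...)' and splice macros in as parenthesised sub-conditions."""
    lists = {d["list"]: d["items"] for d in ruleset if "list" in d}
    macros = {d["macro"]: d["condition"] for d in ruleset if "macro" in d}

    def flatten(name, seen=()):
        if name in seen:
            raise ValueError(f"circular list reference: {name}")
        out = []
        for item in lists[name]:  # an item naming another list contributes that list's items
            out.extend(flatten(item, seen + (name,)) if item in lists else [item])
        return out

    def sub_list(m):
        names = [x.strip() for x in m.group(1).split(",")]
        items = [i for n in names for i in (flatten(n) if n in lists else [n])]
        return "in (" + ", ".join(items) + ")"

    def sub_macro(m):
        name = m.group(0)
        if name not in macros:
            return name
        if name in _seen:
            raise ValueError(f"circular macro reference: {name}")
        return "(" + resolve_condition(ruleset, macros[name], _seen + (name,)) + ")"

    return NAME.sub(sub_macro, re.sub(r"in\s*\(([^()]*)\)", sub_list, condition))


def evaluate(condition, event):
    """Evaluate a resolved condition (=, !=, in, and, or, not, parentheses) against one event dict."""
    toks = TOKEN.findall(condition)
    if "".join(toks) != re.sub(r"\s+", "", condition):
        raise ValueError(f"unrecognised characters in {condition!r}")
    toks.append(None)  # end sentinel, so peeking past the last token is safe
    pos = [0]

    def take(expected=None):
        tok = toks[pos[0]]
        if tok is None or (expected and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        pos[0] += 1
        return tok

    def term():  # not TERM | ( EXPR ) | field = value | field != value | field in (v, ...)
        if toks[pos[0]] == "not":
            take()
            return not term()
        if toks[pos[0]] == "(":
            take()
            value = expr()
            take(")")
            return value
        actual, op = event.get(take()), take()  # fields absent from the event read as None
        if op == "in":
            take("(")
            return actual in [tok for tok in iter(take, ")") if tok != ","]
        if op in ("=", "!="):
            return (actual == take()) == (op == "=")
        raise ValueError(f"unknown operator {op!r}")

    def expr(min_prec=0):  # precedence climbing over 'or' and 'and'
        value = term()
        while toks[pos[0]] in PREC and PREC[toks[pos[0]]] >= min_prec:
            op = take()
            right = expr(PREC[op] + 1)  # always parsed, so no short-circuit skips tokens
            value = (value and right) if op == "and" else (value or right)
        return value

    result = expr()
    if toks[pos[0]] is not None:
        raise ValueError(f"trailing tokens: {toks[pos[0]:-1]}")
    return result


def match_events(ruleset, events):
    """Resolve every rule once, then return (rule, priority, output) per matching event."""
    rules = [(r, resolve_condition(ruleset, r["condition"])) for r in ruleset if "rule" in r]
    return [(r["rule"], r["priority"], r["output"])
            for event in events for r, cond in rules if evaluate(cond, event)]


# Constructed events using the sysdig fields from the slides; the container id is made up.
SAMPLE_EVENTS = [
    {"container.id": "3f9a1c2b7d4e", "proc.name": "zsh"},    # shell inside a container
    {"container.id": "host", "proc.name": "bash"},           # shell on the host, not a container
    {"container.id": "3f9a1c2b7d4e", "proc.name": "nginx"},  # ordinary container workload
]
```

Calling match_events(RULESET, SAMPLE_EVENTS) returns one alert, for the zsh-in-container event; the host-side bash and the nginx process match nothing. The same first event evaluated against the single-binary condition from the first rule slide, container.id != host and proc.name = bash, is a miss, which is the practical reason for keeping the shell list rather than naming one binary. resolve_condition(RULESET, "safe_procs") shows the nested list fully flattened into nine items.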

Demo

Resources

@GarrettHyde

https://sysdig.com/opensource/falco/

https://github.com/draios/falco