Trying Falco on GKE
Introduction to Falco
Falco is an open-source security tool originally developed at Sysdig.
It has been donated to the CNCF, where it is an incubating project.
Roughly speaking, it does runtime intrusion detection for containers: you define in advance which behaviour is not allowed, and Falco reports when something unexpected happens. If a container is exploited and compromised, the trail of what was executed inside it is also very useful for forensics.
Mechanically, Falco captures Linux system calls as they arrive from the kernel and checks them against a rules engine driven by predefined rules.

※ Quoted from https://falco.org/ja/docs/getting-started/
As the linked docs also say, the default rules are as follows.
By default, Falco ships with a mature set of rules covering:
Privilege escalation using privileged containers.
Namespace changes using tools like setns.
Reads/writes to well-known directories such as /etc, /usr/bin and /usr/sbin.
Creating symlinks.
Ownership and mode changes.
Unexpected network connections or socket mutations.
Spawned processes using execve.
Executing shell binaries such as sh, bash, csh, zsh, etc.
Executing SSH binaries such as ssh, scp, sftp, etc.
Mutating Linux coreutils executables.
Mutating login binaries.
Mutating shadowutil or passwd executables, for example shadowconfig, pwck, chpasswd, getpasswd, change, useradd, etc.
If there is too much noise, or something you need to detect is missing, you change the rules by editing the rules YAML.
The default rule set is large (over 3000 lines), so start with the defaults as they are and tune gradually. Put that tuning in a separate file that Falco loads after the defaults (falco_rules.local.yaml, or the Helm chart's customRules value) rather than editing falco_rules.yaml itself, so that an upgrade of the default rule set does not overwrite your changes.
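The following is an added example of that tuning workflow; it is not code from the original post or from the Falco project. It generates a Helm values override whose customRules entry is mounted as an extra rules file and loaded after the default falco_rules.yaml, then (optionally) rolls it out with the same release name and eBPF flag used in this post. The namespace "ci-tools", the internal registry prefix, the /etc/nginx exception and the file names are assumptions chosen for illustration; the two macros being overridden are the hooks the default "Terminal shell in container" and "Launch Package Management Process in Container" rules already reference.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): keep the ~3000-line default
# falco_rules.yaml untouched and ship tuning as a separate rules file that the
# Helm chart mounts under /etc/falco/rules.d and Falco loads after the defaults.
# The namespace, registry prefix and path below are assumptions for illustration.
set -eu

# Write a Helm values override carrying the custom rules file as the chart's
# `customRules` map (key = file name, value = file contents).
write_custom_rules() {
  cat > "$1" <<'EOF'
customRules:
  tuning.yaml: |-
    # Exempt interactive shells in the "ci-tools" namespace (assumed) by
    # overriding the hook macro that the default rule already references.
    - macro: user_expected_terminal_shell_in_container_conditions
      condition: (k8s.ns.name = "ci-tools")

    # Allow package managers only in images from an internal registry (assumed).
    - macro: user_known_package_manager_in_container
      condition: (container.image.repository startswith "registry.example.internal/")

    # Narrow "Write below etc" without copying the whole rule: `append: true`
    # concatenates this fragment onto the default condition (write_etc_common).
    - rule: Write below etc
      condition: and not fd.name startswith "/etc/nginx/"
      append: true
EOF
}

# Roll the override out. `helm upgrade` without --reuse-values replaces the
# previously supplied values, so the eBPF flag from the install is passed again
# (add your falcosidekick flags here too if you have enabled it).
apply_custom_rules() {
  helm upgrade falco falcosecurity/falco \
    --set ebpf.enabled=true \
    -f "$1"
  # Falco reads rules at startup; wait for the DaemonSet to finish restarting.
  kubectl rollout status daemonset/falco
}

VALUES_FILE="${VALUES_FILE:-falco-custom-values.yaml}"
write_custom_rules "$VALUES_FILE"
echo "wrote $VALUES_FILE"
# Run with APPLY=1 to push the override to the cluster as well.
if [ "${APPLY:-0}" = 1 ]; then
  apply_custom_rules "$VALUES_FILE"
fi
```

Macro overrides are the cleanest way to whitelist because the default rules were written with those user_* hooks for exactly that purpose; `append: true` on a rule is the fallback when no hook exists. After the rollout, re-run the shell and touch tests from this post in a non-exempt namespace to confirm the rules still fire.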
Setting up the environment
Create a GKE cluster
The GKE version used this time is 1.20.12-gke.1500.
Dataplane v2 is also enabled.
Install Falco with Helm
Installing Falco directly on the host (the GKE node) is considered the safest way to run it, because Falco is then isolated from Kubernetes itself.
On GKE, however, nodes normally run COS (Container-Optimized OS), and we would rather not build a custom node image.
COS is hardened and does not allow the kernel module that Falco normally uses to capture system calls to be inserted.
COS does support eBPF, though, and Falco can use an eBPF probe instead of the kernel module to obtain the syscall stream, so running Falco as a DaemonSet with the eBPF driver works.
Add the Falco Helm repository:
~ helm repo add falcosecurity https://falcosecurity.github.io/charts
~ helm repo update
~ helm repo list | grep falco
falcosecurity https://falcosecurity.github.io/charts
Install Falco with the eBPF driver enabled. The ebpf.enabled value belongs to the chart version used here; in current versions of the falco chart the same setting is --set driver.kind=ebpf.
~ helm install falco falcosecurity/falco --set ebpf.enabled=true
NAME: falco
LAST DEPLOYED: Fri Dec 17 11:19:02 2021
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Falco agents are spinning up on each node in your cluster. After a few
seconds, they are going to start monitoring your containers looking for
security issues.
No further action should be required.
Tip:
You can easily forward Falco events to Slack, Kafka, AWS Lambda and more with falcosidekick.
Full list of outputs: https://github.com/falcosecurity/charts/falcosidekick.
You can enable its deployment with `--set falcosidekick.enabled=true` or in your values.yaml.
See: https://github.com/falcosecurity/charts/blob/master/falcosidekick/values.yaml for configuration values.
The pods are up.
~ kubectl get pod
NAME READY STATUS RESTARTS AGE
falco-cpmbq 1/1 Running 0 11m
falco-j6nmt 1/1 Running 0 11m
~ kubectl get configmap
NAME DATA AGE
falco 5 29m
Let's see what kind of logs get printed
Start a pod
Start Nginx and run the tests inside it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.21.4
        ports:
        - containerPort: 80
~ kubectl apply -f deploy_nginx.yml
deployment.apps/nginx-deployment created
Falco writes its events to standard output, so we can follow them across all nodes with stern (kubectl logs -f daemonset/falco also works, but follows only one pod).
stern falco
Opening a shell in the container
Open an interactive shell in the nginx container with kubectl exec (this is not SSH: nothing listens on port 22 in the container, and the exec goes through the container runtime, which is why the parent process in the event below is runc).
~ kubectl exec -it nginx-deployment-6b689c98c5-nbz7r -- sh
This triggers the following rule.
- rule: Terminal shell in container
  desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
  condition: >
    spawned_process and container
    and shell_procs and proc.tty != 0
    and container_entrypoint
    and not user_expected_terminal_shell_in_container_conditions
  output: >
    A shell was spawned in a container with an attached terminal (user=%user.name user_loginuid=%user.loginuid %container.info
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [container, shell, mitre_execution]
Falco logged the following.
falco-cpmbq falco 09:25:27.022956239: Notice A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1 k8s.ns=default k8s.pod=nginx-deployment-6b689c98c5-2vmhk container=d003af23ea19 shell=sh parent=runc cmdline=sh terminal=34816 container_id=d003af23ea19 image=docker.io/library/nginx) k8s.ns=default k8s.pod=nginx-deployment-6b689c98c5-2vmhk container=d003af23ea19
Adding a file
Try creating a file inside the nginx container.
touch /etc/sakon.conf
This triggers the following rule.
- rule: Write below etc
  desc: an attempt to write to any file below /etc
  condition: write_etc_common
  output: "File below /etc opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)"
  priority: ERROR
  tags: [filesystem, mitre_persistence]
Falco logged the following.
falco-cpmbq falco 09:30:22.522301023: Error File below /etc opened for writing (user=root user_loginuid=-1 command=touch /etc/sakon.conf parent=sh pcmdline=sh file=/etc/sakon.conf program=touch gparent=<NA> ggparent=<NA> gggparent=<NA> container_id=d003af23ea19 image=docker.io/library/nginx) k8s.ns=default k8s.pod=nginx-deployment-6b689c98c5-2vmhk container=d003af23ea19 k8s.ns=default k8s.pod=nginx-deployment-6b689c98c5-2vmhk container=d003af23ea19
Installing packages
# apt update
Get:1 http://security.debian.org/debian-security bullseye-security InRelease [44.1 kB]
Get:2 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [39.4 kB]
Get:4 http://security.debian.org/debian-security bullseye-security/main amd64 Packages [99.5 kB]
Get:5 http://deb.debian.org/debian bullseye/main amd64 Packages [8180 kB]
Get:6 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [2592 B]
Fetched 8481 kB in 2s (4443 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
Falco logged the following.
falco-cpmbq falco 04:21:47.738779670: Error Package management process launched in container (user=root user_loginuid=-1 command=apt update container_id=a041c1608bbd container_name=nginx image=docker.io/library/nginx:1.21.4) k8s.ns=default k8s.pod=nginx-deployment-6b689c98c5-nbz7r container=a041c1608bbd k8s.ns=default k8s.pod=nginx-deployment-6b689c98c5-nbz7r container=a041c1608bbd
Installing Vim
# apt install vim
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
libgpm2 vim-common vim-runtime xxd
Suggested packages:
gpm ctags vim-doc vim-scripts
The following NEW packages will be installed:
libgpm2 vim vim-common vim-runtime xxd
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 8173 kB of archives.
After this operation, 36.9 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Falco logged the following.
falco-cpmbq falco 04:22:54.512922215: Error Package management process launched in container (user=root user_loginuid=-1 command=apt install vim container_id=a041c1608bbd container_name=nginx image=docker.io/library/nginx:1.21.4) k8s.ns=default k8s.pod=nginx-deployment-6b689c98c5-nbz7r container=a041c1608bbd k8s.ns=default k8s.pod=nginx-deployment-6b689c98c5-nbz7r container=a041c1608bbd
Both commands triggered the following rule.
- rule: Launch Package Management Process in Container
  desc: Package management process ran inside container
  condition: >
    spawned_process
    and container
    and user.name != "_apt"
    and package_mgmt_procs
    and not package_mgmt_ancestor_procs
    and not user_known_package_manager_in_container
  output: >
    Package management process launched in container (user=%user.name user_loginuid=%user.loginuid
    command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  priority: ERROR
  tags: [process, mitre_persistence]
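Once events like the ones above are flowing, the first practical question is which of them matter and which workloads produce them. The following is an added example, not part of the original post or of Falco, that triages Falco's plain-text stdout events with awk: it filters by minimum priority and counts events per pod. It works on both `stern falco` output (pod and container name prefixed, as shown in this post) and raw `kubectl logs` output, because it locates the timestamp field and reads the priority from the word after it. The sample input is a set of shortened copies of the three events shown earlier in this post.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): triage Falco's default text
# output with awk. Priority ordering follows Falco's rule priorities
# (Emergency > Alert > Critical > Error > Warning > Notice > Informational > Debug).
set -eu

# Print only events at or above the given priority (e.g. Error), reading stdin.
# The timestamp field ("HH:MM:SS.nnnnnnnnn:") is found by pattern so the stern
# prefix (pod and container name) is irrelevant.
falco_events_at_least() {
  awk -v min="$1" '
    BEGIN {
      split("Emergency Alert Critical Error Warning Notice Informational Debug", p, " ")
      for (i = 1; i <= 8; i++) rank[p[i]] = i
      if (!(min in rank)) { print "unknown priority: " min > "/dev/stderr"; exit 2 }
    }
    {
      pri = ""
      for (i = 1; i < NF; i++)
        if ($i ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+:$/) { pri = $(i + 1); break }
      if (pri in rank && rank[pri] <= rank[min]) print
    }'
}

# Count events per (k8s.pod, priority): a quick view of which workload is noisy.
# Falco prints the k8s.pod= field both inside %container.info and in the
# trailer, with the same value, so the last occurrence is used.
falco_pod_summary() {
  awk '
    {
      pri = ""; pod = "-"
      for (i = 1; i <= NF; i++) {
        if (pri == "" && $i ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+:$/) pri = $(i + 1)
        if (index($i, "k8s.pod=") == 1) pod = substr($i, 9)
      }
      if (pri != "") count[pod " " pri]++
    }
    END { for (k in count) print count[k], k }' | sort
}

# Constructed sample input: shortened copies of the three events shown in this post.
SAMPLE_EVENTS='falco-cpmbq falco 09:25:27.022956239: Notice A shell was spawned in a container with an attached terminal (user=root shell=sh parent=runc) k8s.ns=default k8s.pod=nginx-deployment-6b689c98c5-2vmhk container=d003af23ea19
falco-cpmbq falco 09:30:22.522301023: Error File below /etc opened for writing (user=root command=touch /etc/sakon.conf file=/etc/sakon.conf) k8s.ns=default k8s.pod=nginx-deployment-6b689c98c5-2vmhk container=d003af23ea19
falco-cpmbq falco 04:21:47.738779670: Error Package management process launched in container (user=root command=apt update) k8s.ns=default k8s.pod=nginx-deployment-6b689c98c5-nbz7r container=a041c1608bbd'

# Number of sample events at or above a priority (used for the offline check).
sample_count_at_least() {
  printf '%s\n' "$SAMPLE_EVENTS" | falco_events_at_least "$1" | awk 'END { print NR }'
}

# Offline demo. On a live cluster: stern falco | falco_events_at_least Error
printf '%s\n' "$SAMPLE_EVENTS" | falco_events_at_least Error
printf '%s\n' "$SAMPLE_EVENTS" | falco_pod_summary
```

Filtering on the text output is enough for a first look; for anything beyond that, turn on the chart's JSON output and hand the events to falcosidekick, as the next section does, rather than growing the awk.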
Trying falcosidekick
falcosidekick is a companion daemon that connects Falco to a range of outputs.
It can feed a web UI, send notifications to Slack, Teams, Google Chat and others, and ship metrics to Datadog or Prometheus.
It can also stream events to Kafka, GCP Pub/Sub, AWS SQS, SNS and similar services.

Quoted from https://falco.org/blog/extend-falco-outputs-with-falcosidekick/
Enable falcosidekick
helm upgrade falco falcosecurity/falco \
--set falcosidekick.enabled=true \
--set falcosidekick.webui.enabled=true \
--set falcosidekick.config.slack.webhookurl="https://hooks.slack.com/services/XXXXXXXX" \
--set ebpf.enabled=true
New pods and Services have appeared.
~ kubectl get pod
NAME READY STATUS RESTARTS AGE
falco-2dn9w 1/1 Running 0 7m3s
falco-falcosidekick-c6fcc8d5c-24hc9 1/1 Running 0 9m47s
falco-falcosidekick-c6fcc8d5c-q9wds 1/1 Running 0 9m47s
falco-falcosidekick-ui-7cb9856769-z4qxp 1/1 Running 0 9m47s
falco-k7dfq 1/1 Running 0 7m41s
nginx-deployment-6b689c98c5-2vmhk 1/1 Running 1 19h
nginx-deployment-6b689c98c5-62gdl 1/1 Running 0 19h
~ kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
falco-falcosidekick ClusterIP 10.108.6.189 <none> 2801/TCP 10m
falco-falcosidekick-ui ClusterIP 10.108.12.65 <none> 2802/TCP 10m
kubernetes ClusterIP 10.108.0.1 <none> 443/TCP 2d4h
Checking the Slack notification
Create a file with touch, as before.
touch /etc/sakon2.conf
The notification arrives as shown below.

Connecting to the UI
The UI is served by the falco-falcosidekick-ui Service on port 2802 (port 2801 on falco-falcosidekick is the webhook endpoint that Falco posts events to), so forward that Service:
kubectl port-forward svc/falco-falcosidekick-ui 2802
Then open http://localhost:2802/ui/#/ in a browser.

