Update README.md

Jorge Salamero Sanz 2018-07-10 18:08:54 +02:00 committed by GitHub
parent 66ba09ea3b
commit 19d251ef4b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -1,27 +1,18 @@
# Kubernetes Response Engine for Sysdig Falco # Kubernetes Response Engine for Sysdig Falco
The goal of this project is to create a response engine for Kubernetes which is A response engine for Falco that allows to process security events executing playbooks to respond to security threats.
able to execute playbooks to different types of security threats in our
cointainer fleet alerted by Falco.
There are several principles which guides our decisions (in no particular order): ## Architecture
* Real time responses to a security threat: We need to react as soon as possible. * *[Falco](https://sysdig.com/opensource/falco/)* monitors containers and processes behavior to alert when something outside our policy takes place.
* Deployment independence: Each playbook is independent of others. * *falco-nats* forwards the alert to a message broker service into a topic compound by `falco.<severity>.<rule_name_slugified>`.
* Open Source Software: We want to use and promote OSS. * *[NATS](https://nats.io/)*, our message broker, delivers the alert to any subscribers to the different topics.
* Write rock solid code: Each playbook is tested. * *[Kubeless](https://kubeless.io/)*, a FaaS framework that runs in Kubernetes, receives the security events and executes the configured playbooks.
## Alert lifecycle outline
An alert travels by our system, these are the typical stages for an alert:
1. *Falco* detects an alert in one container which belongs to our fleet
2. *Falco* sends the alert to *NATS* using a topic compound by "falco.<severity>.<rule_name_slugified>"
3. *NATS* delivers message to its subscribers through *Kubeless* infrastructure
4. *Kubeless* receives the alert and pass it to inner *Playbook*
6. *Playbook* performs its inner action: Stopping the container, Sending an alert to Slack ...
## Glossary ## Glossary
* *Alert*: Falco sends alerts * *Security event*: Alert sent by Falco when a configured rule matches the behaviour on that host.
* *Playbook*: Each piece of Python code which is run when an alert is received * *Playbook*: Each piece code executed when an alert is received to respond to that threat in an automated way, some examples include:
- sending an alert to Slack
- stop the pod killing the container
- taint the specific node where the pod is running
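Review bot: the rewritten intro and glossary lines carry grammar slips that should be fixed before this lands: the new description `A response engine for Falco that allows to process security events executing playbooks to respond to security threats.` would read better as "A response engine for Falco that processes security events by executing playbooks that respond to security threats."; the falco-nats bullet says `into a topic compound by` where "on a topic named" is meant; and the glossary entry `*Playbook*: Each piece code executed` is missing "of". The three example items under *Playbook* also mix verb forms (sending, stop, taint); pick one. Dropping the old "Alert lifecycle outline" is reasonable since the new Architecture bullets cover the same stages (and the old numbering jumped from 4 to 6), but the topic format `falco.<severity>.<rule_name_slugified>` now appears without saying how the slug is derived from the Falco rule name, and playbook subscriptions only fire when that name matches exactly, so a one-line description of the slugification rule belongs next to it.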