While testing, I found a case when creating a pod where:

1) the first container had no securityContext value
2) the second container had a security context with privileged=true

and this did not match the default rule Create Privileged Pod, when it should match.

The rule Create Privileged Pod uses the field ka.req.pod.containers.privileged, which in turn uses json_event_filter_check::def_extract(). def_extract() iterates over a set of json_pointers, potentially expanding arrays as they are returned. Many k8s audit fields use this extract function. For ka.req.pod.containers.privileged, the first json_pointer is /requestObject/spec/containers to find the list of containers, and the second is /securityContext/privileged to extract the privileged property out of the securityContext object. What's returned is an array of true/false noting if each container is privileged.

The problem is that def_extract() aborts when iterating over arrays if extracting a pointer from an array can't be done. In this case, the first pointer extracts the array of containers, and then when iterating over the array of containers, the security context pointer doesn't extract, causing the whole filter field to abort and return ::no_value.

The fix is to not abort when iterating over arrays, but use ::no_value for that array item's value instead. This allows def_extract() to extract the privileged value out of the second container.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
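The following is an added, simplified model of the two-stage json_pointer extraction the commit message describes; it is not Falco's code. It assumes a constructed pod admission event in which the first container has no securityContext and the second is privileged, and compares the pre-fix behaviour (abort the whole field) with the fixed behaviour (per-item no_value).

```python
import json
from typing import Any, List

# Stands in for Falco's ::no_value (assumption made for this illustration).
NO_VALUE = None

# Constructed k8s audit event: first container lacks securityContext,
# second container is privileged. This is the case the commit describes.
AUDIT_EVENT = json.loads("""
{"requestObject": {"spec": {"containers": [
  {"name": "app", "image": "example/app"},
  {"name": "sidecar", "image": "example/sidecar",
   "securityContext": {"privileged": true}}]}}}
""")

# Pointers used by ka.req.pod.containers.privileged, per the commit message.
PRIVILEGED_POINTERS = ["/requestObject/spec/containers", "/securityContext/privileged"]


def resolve_pointer(doc: Any, pointer: str) -> Any:
    """Minimal RFC 6901 JSON pointer lookup; NO_VALUE if any step is missing."""
    cur = doc
    for token in pointer.strip("/").split("/"):
        token = token.replace("~1", "/").replace("~0", "~")
        if isinstance(cur, dict) and token in cur:
            cur = cur[token]
        elif isinstance(cur, list) and token.isdigit() and int(token) < len(cur):
            cur = cur[int(token)]
        else:
            return NO_VALUE
    return cur


def extract(doc: Any, pointers: List[str], abort_on_missing: bool) -> Any:
    """Apply pointers in sequence, fanning out over arrays like def_extract().

    abort_on_missing=True models the pre-fix behaviour: one array item without
    the pointer turns the whole field into NO_VALUE. False models the fix: only
    that item becomes NO_VALUE and the remaining items are still extracted."""
    value = doc
    for ptr in pointers:
        if isinstance(value, list):
            out = []
            for item in value:
                r = resolve_pointer(item, ptr)
                if r is NO_VALUE and abort_on_missing:
                    return NO_VALUE  # pre-fix: the whole field is lost
                out.append(r)        # fixed: NO_VALUE for this item only
            value = out
        else:
            value = resolve_pointer(value, ptr)
            if value is NO_VALUE:
                return NO_VALUE
    return value


def create_privileged_pod_matches(doc: Any, abort_on_missing: bool) -> bool:
    """Model of the rule condition: alert if any container is privileged."""
    vals = extract(doc, PRIVILEGED_POINTERS, abort_on_missing)
    return vals is not NO_VALUE and any(v is True for v in vals)
```

With the pre-fix behaviour the field is NO_VALUE and the rule misses the privileged sidecar; with the fix the field is [NO_VALUE, True] and the rule fires.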
Cloud Native Runtime Security.
Want to talk? Join us on the #falco channel in the Kubernetes Slack.
Latest releases
Read the change log.
Packages (development and stable channels): rpm, deb, binary.
The Falco Project, originally created by Sysdig, is an incubating CNCF open source cloud native runtime security tool. Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack. Falco has a rich set of security rules specifically built for Kubernetes, Linux, and cloud-native. If a rule is violated in a system, Falco will send an alert notifying the user of the violation and its severity.
Installing Falco
If you would like to run Falco in production please adhere to the official installation guide.
Kubernetes
Tool | Link | Note |
---|---|---|
Helm | Chart Repository | The Falco community offers regular helm chart releases. |
Minikube | Tutorial | The Falco driver has been baked into minikube for easy deployment. |
Kind | Tutorial | Running Falco with kind requires a driver on the host system. |
GKE | Tutorial | We suggest using the eBPF driver for running Falco on GKE. |
Developing
Falco is designed to be extensible such that it can be built into cloud-native applications and infrastructure.
Falco has a gRPC endpoint and an API defined in protobuf. The Falco Project supports various SDKs for this endpoint.
SDKs
Language | Repository |
---|---|
Go | client-go |
Rust | client-rs |
Python | client-py |
What can Falco detect?
Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, Falco can easily detect incidents including but not limited to:
- A shell is running inside a container or pod in Kubernetes.
- A container is running in privileged mode, or is mounting a sensitive path, such as /proc, from the host.
- A server process is spawning a child process of an unexpected type.
- Unexpected read of a sensitive file, such as /etc/shadow.
- A non-device file is written to /dev.
- A standard system binary, such as ls, is making an outbound network connection.
- A privileged pod is started in a Kubernetes cluster.
Documentation
The Official Documentation is the best resource to learn about Falco.
Join the Community
To get involved with The Falco Project, please visit the community repository to find out more.
How to reach out?
- Join the #falco channel on the Kubernetes Slack
- Join the Falco mailing list
- Read the Falco documentation
Contributing
See the CONTRIBUTING.md.
Security Audit
A third-party security audit was performed by Cure53; you can see the full report here.
Reporting security vulnerabilities
Please report security vulnerabilities following the community process documented here.
License Terms
Falco is licensed to you under the Apache 2.0 open source license.