1. What is Falco?

Falco is a cloud-native runtime security project that Sysdig contributed to the CNCF. It implements an extensible event rule-filtering engine: it collects events, matches them against security rules and emits alert notifications, and in this way surfaces security problems on the system. The events come from system calls, and eBPF probes are also supported. The rules are open source [1], and you can define your own extensions [2]. Its architecture is shown in the figure below:

(architecture diagram omitted)

Typical events Falco can detect include:
- a container running a shell with privileges
- reads of sensitive data, for example /etc/shadow
- a container mounting sensitive host paths
- outbound network connections

2. Generating certificates

Falco's gRPC API requires mutual TLS authentication [3]. falco-exporter consumes events over this gRPC API, and an in-house system can integrate with Falco over gRPC in the same way. The steps below generate the certificates needed for that exchange. Falco's official documentation is somewhat out of date here, and some of its commands fail.

Create the certificate directory

mkdir /root/falco
cd /root/falco

Create the CA certificate

openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=北京/O=example/OU=Personal/CN=dev.chenshaowen.com" \
  -key ca.key \
  -out ca.crt

Create the server certificate

openssl genrsa -out server.key 4096
openssl req -sha512 -new \
  -key server.key \
  -out server.csr \
  -subj "/C=SP/ST=Italy/L=Ornavasso/O=Test/OU=Server/CN=localhost"
openssl x509 -req -sha512 \
  -days 3650 \
  -CA ca.crt \
  -CAkey ca.key \
  -in server.csr \
  -out server.crt \
  -set_serial 01

Create the client certificate

openssl genrsa -out client.key 4096
openssl req -sha512 -new \
  -key client.key \
  -out client.csr \
  -subj "/C=SP/ST=Italy/L=Ornavasso/O=Test/OU=client/CN=localhost"
openssl x509 -req -sha512 \
  -days 3650 \
  -CA ca.crt \
  -CAkey ca.key \
  -in client.csr \
  -out client.crt \
  -set_serial 01

Two caveats about the certificates as issued above. First, they carry only a CN and no subjectAltName; Go TLS clients (falco-exporter is written in Go) have ignored the CN for hostname verification since Go 1.15, so if the exporter reports a certificate verification error, reissue the server certificate with a subjectAltName that matches the address the exporter dials (an -extfile containing subjectAltName=DNS:localhost, for this setup). Second, both leaf certificates are issued by the same CA with serial 01; some TLS stacks reject two certificates from one issuer that share a serial number, so it is safer to give them distinct serials.

List all generated certificates

ls /root/falco
ca.crt  ca.key  client.crt  client.csr  client.key  server.crt  server.csr  server.key

3. Installing Falco on Kubernetes

Add the Helm repository

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

Install falco [4]

helm install falco falcosecurity/falco \
  --namespace falco --create-namespace \
  --version 3.0.0 \
  --set-file certs.ca.crt=/root/falco/ca.crt,certs.server.key=/root/falco/server.key,certs.server.crt=/root/falco/server.crt \
  --set ebpf.enabled=true \
  --set falco.grpc.enabled=true \
  --set falco.grpc_output.enabled=true \
  --set falcosidekick.enabled=true \
  --set falcosidekick.webui.enabled=true \
  --set falcosidekick.webui.user="admin:admin" \
  --set falco.grpc.unixSocketPath=""

Setting falco.grpc.unixSocketPath to an empty string makes Falco serve gRPC on its TCP bind address instead of the local Unix socket, which is the listener the server certificate protects. falcosidekick.webui.user sets the Web UI login; admin:admin is fine for a lab but should be changed anywhere else.

Install falco-exporter

helm install falco-exporter falcosecurity/falco-exporter \
  --namespace falco --create-namespace \
  --version 0.9.1 \
  --set falco.grpcTimeout=3m \
  --set-file certs.ca.crt=/root/falco/ca.crt,certs.client.key=/root/falco/client.key,certs.client.crt=/root/falco/client.crt

Check the services

On startup Falco pulls the default rules falco_rules.yaml.tar.gz from ghcr.io; in a restricted network environment this download may fail.

kubectl -n falco get pod -w
NAME                                     READY   STATUS    RESTARTS   AGE
falco-5bbl6                              2/2     Running   0          152s
falco-exporter-26gfz                     1/1     Running   0          124s
falco-falcosidekick-5c8bf5d7fb-kx778     1/1     Running   0          111s
falco-falcosidekick-ui-5b56bbwd7wlcb-5   1/1     Running   3          111s
...

[Optional] Uninstall Falco

helm uninstall falco --namespace falco
helm uninstall falco-exporter --namespace falco

4. Viewing Falco event data in a Grafana dashboard

Looking at the falco-exporter Service shows that it already carries the annotations that expose its metrics to Prometheus.

kubectl -n falco get svc falco-exporter -o yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    prometheus.io/port: "9376"
    prometheus.io/scrape: "true"
  name: falco-exporter
  namespace: falco
spec:
  ports:
  - name: metrics
    port: 9376
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/instance: falco-exporter
    app.kubernetes.io/name: falco-exporter

Next, add the Grafana dashboard: import 11914, i.e. https://grafana.com/grafana/dashboards/11914-falco-dashboard/. The data looks like the figure below:

(dashboard screenshot omitted)

The information exposed through metrics is rather limited, however. Querying falco_events{rule="Read sensitive file untrusted"} in Prometheus returns:

falco_events{app_kubernetes_io_instance="falco-exporter",app_kubernetes_io_managed_by="Helm",app_kubernetes_io_name="falco-exporter",app_kubernetes_io_version="0.8.0",helm_sh_chart="falco-exporter-0.9.1",hostname="falco-h57xg",instance="1.1.1.1:9376",job="kubernetes-service-endpoints",k8s_ns_name="
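The certificate steps from section 2, redone as one script with the checks worth running before handing the files to Helm. This is an added example, not the post's own commands and not anything from the Falco project. It assumes the exporter dials the Falco gRPC server as localhost (second argument overrides that), uses subject names of my own choosing, and uses 2048-bit keys only so that it runs quickly where the post uses 4096. It deliberately differs from the commands above in three places: the server certificate gets a subjectAltName, each leaf gets an extendedKeyUsage that pins it to its role, and no two certificates share a serial number.

```shell
#!/bin/sh
# Added example, not the original post's commands and not from the Falco project.
# Generates a CA, a server certificate for Falco's gRPC listener and a client certificate for
# falco-exporter (or any in-house gRPC consumer), then checks them the way the TLS peers will.
# Assumptions: the exporter dials the server as "localhost" (override with the 2nd argument);
# subject names are arbitrary; 2048-bit keys only to keep the run short (the post uses 4096).
set -eu

gen_mtls_certs() {
    dir=$1
    server_name=${2:-localhost}
    mkdir -p "$dir"

    # CA: self-signed via a CSR so the CA extensions are explicit, independent of openssl.cnf.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -sha512 -key "$dir/ca.key" -out "$dir/ca.csr" -subj "/O=example/OU=Falco/CN=falco-ca"
    openssl x509 -req -sha512 -days 3650 -set_serial 01 -signkey "$dir/ca.key" \
        -in "$dir/ca.csr" -out "$dir/ca.crt" -extfile "$dir/ca.ext" 2>/dev/null

    # Server leaf: CN plus a subjectAltName, because Go clients ignore the CN for hostname checks;
    # extendedKeyUsage=serverAuth means this certificate cannot be presented as a client.
    printf 'subjectAltName=DNS:%s,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' "$server_name" > "$dir/server.ext"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -sha512 -key "$dir/server.key" -out "$dir/server.csr" -subj "/O=example/OU=Server/CN=$server_name"
    openssl x509 -req -sha512 -days 3650 -set_serial 02 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -in "$dir/server.csr" -out "$dir/server.crt" -extfile "$dir/server.ext" 2>/dev/null

    # Client leaf: clientAuth only, and its own serial so no two certificates from this CA share one.
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -sha512 -key "$dir/client.key" -out "$dir/client.csr" -subj "/O=example/OU=Client/CN=falco-exporter"
    openssl x509 -req -sha512 -days 3650 -set_serial 03 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -in "$dir/client.csr" -out "$dir/client.crt" -extfile "$dir/client.ext" 2>/dev/null
}

# Checks mirroring what the peers do: chain and purpose for each leaf, SAN on the server
# certificate, and no duplicate serial between the leaves. Each check fails the function
# explicitly so it also behaves when called from an if/&& context where set -e is suspended.
verify_mtls_certs() {
    dir=$1
    server_name=${2:-localhost}
    openssl verify -CAfile "$dir/ca.crt" -purpose sslserver "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$dir/ca.crt" -purpose sslclient "$dir/client.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$server_name" || return 1
    [ "$(openssl x509 -in "$dir/server.crt" -noout -serial)" != \
      "$(openssl x509 -in "$dir/client.crt" -noout -serial)" ] || return 1
}

# Usage: sh falco-certs.sh /root/falco [server-name]; then pass the files to Helm with --set-file as above.
if [ "${1:-}" ]; then
    gen_mtls_certs "$1" "${2:-localhost}"
    verify_mtls_certs "$1" "${2:-localhost}"
    echo "certificates in $1 verified"
fi
```

Running it with an output directory generates and verifies the set in one go. The verification deliberately fails when the client leaf is offered for the server role or when the server name does not appear in the SAN, which are exactly the two mistakes that otherwise show up only as a handshake error in the exporter's logs.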
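To make concrete how little falco_events carries beyond a counter per label set, here is an added example (not from the post and not from the falco-exporter project) that parses exporter output in the Prometheus text exposition format and sums events per priority and rule, the same figure the imported dashboard shows per rule. The metrics text is constructed for this example: the label names mirror those visible in the truncated Prometheus result above, the values are invented, and the parser assumes label values contain no commas. Anything that is not a label (which file was read, by which process, as which user) is not in the metric at all; for that you need the falcosidekick outputs or the gRPC stream.

```shell
#!/bin/sh
# Added example, not from the original post or the falco-exporter project.
# Summarises falco_events counters from the exporter's /metrics output by priority and rule.
set -eu

# Constructed sample of what falco-exporter serves on :9376/metrics. Label names follow the
# truncated query result on the page; hostnames, pods and counts are invented.
SAMPLE_METRICS='# HELP falco_events Falco events
# TYPE falco_events counter
falco_events{hostname="falco-h57xg",k8s_ns_name="default",k8s_pod_name="shell-test",priority="Warning",rule="Read sensitive file untrusted"} 3
falco_events{hostname="falco-h57xg",k8s_ns_name="default",k8s_pod_name="shell-test",priority="Notice",rule="Terminal shell in container"} 1
falco_events{hostname="falco-abc12",k8s_ns_name="kube-system",k8s_pod_name="kube-proxy-x1",priority="Warning",rule="Read sensitive file untrusted"} 2
falco_events{hostname="falco-abc12",k8s_ns_name="default",k8s_pod_name="shell-test",priority="Critical",rule="Launch Privileged Container"} 1'

# Reads exposition text on stdin and prints "<priority><TAB><rule><TAB><total>" per rule,
# summed over hosts and pods, highest total first. Assumes label values contain no commas.
# In a cluster: curl -s http://falco-exporter.falco:9376/metrics | summarize_falco_events
summarize_falco_events() {
    awk '
        /^falco_events\{/ {
            split($0, parts, "[}] ")                     # parts[1] = labels, parts[2] = value
            n = split(substr(parts[1], 14), kv, ",")     # drop the leading "falco_events{"
            rule = ""; prio = ""
            for (i = 1; i <= n; i++) {
                if (kv[i] ~ /^rule="/)     { rule = kv[i]; sub(/^rule="/, "", rule); sub(/"$/, "", rule) }
                if (kv[i] ~ /^priority="/) { prio = kv[i]; sub(/^priority="/, "", prio); sub(/"$/, "", prio) }
            }
            count[prio "\t" rule] += parts[2]
        }
        END { for (k in count) printf "%s\t%d\n", k, count[k] }
    ' | sort -t "$(printf '\t')" -k3,3nr -k1,1
}

# Total for one rule across all priorities in the sample, the number a per-rule Grafana panel shows.
# Prints 0 for a rule that never fired.
falco_rule_total() {
    rule=$1
    printf '%s\n' "$SAMPLE_METRICS" | summarize_falco_events \
        | awk -F '\t' -v r="$rule" '$2 == r { s += $3 } END { print s + 0 }'
}

# Usage: sh falco-metrics.sh   (prints the summary table for the constructed sample)
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_METRICS" | summarize_falco_events
fi
```

Pointing the same pipeline at the real Service (the annotations above say port 9376) gives the per-rule totals without Grafana; every dimension you can pivot on is already visible in the label set of the query result above, and nothing finer is available from this path.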
