Sysdig Falco Mark Stemm, Falco Engineer

How to Secure Containers

Apr 16, 2017

Page 1: How to Secure Containers


Page 2: How to Secure Containers

Information presented is confidential

Home Security Analogy

• Home Security Prevents Intrusion
  • Door locks
  • Window sensors
  • Bars on ground floor windows
  • Exterior cameras

• …And Detects Intrusion
  • Motion sensors

Page 3: How to Secure Containers


Computer System Security

• Prevents Intrusion
  • Passwords
  • Two-factor authentication
  • Fixing software vulnerabilities
  • Firewalls

• Detects Intrusion
  • Sysdig Falco!

• Both methods essential for full protection

Page 4: How to Secure Containers


What is Sysdig Falco

• A behavioral activity monitor
  • Detects suspicious activity defined by a set of rules
  • Uses sysdig’s flexible and powerful filtering expressions

• With full support for containers
  • Utilizes sysdig’s container support

• And flexible notification methods
  • Alert to files, standard output, syslog, programs

• Open Source
  • Anyone can contribute rules or improvements

Page 5: How to Secure Containers


Quick Examples

A shell is run in a container
    container.id != host and proc.name = bash

Overwrite system binaries
    fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) and write

Container namespace change
    evt.type = setns and not proc.name in (docker, sysdig)

Non-device files written in /dev
    (evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null

Process tries to access camera
    evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)

Page 6: How to Secure Containers


Falco Architecture

(Architecture diagram; its labels, in flow order:)

Kernel: Syscalls are captured by the sysdig_probe Kernel Module.
User: the Sysdig Libraries turn them into Events; the Falco Rules are compiled into a Filter Expression that selects Suspicious Events.
Alerting: suspicious events are sent to a File, Syslog, Stdout or a Shell command.

Page 7: How to Secure Containers


Falco Rules

• .yaml file containing Macros, Lists, and Rules
• Example:

    - macro: bin_dir
      condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)

    - list: shell_binaries
      items: [bash, csh, ksh, sh, tcsh, zsh, dash]

    - rule: write_binary_dir
      desc: an attempt to write to any file below a set of binary directories
      condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs
      output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
      priority: WARNING

Page 8: How to Secure Containers


Falco Rules

• Macros
  • name: text to use in later rules
  • condition: filter expression snippet

• List
  • name: text to use later
  • items: list of items

• Rules
  • name: used to identify rule
  • desc: description of rule
  • condition: filter expression, can contain macro references
  • output: message to emit when rule triggers, can contain formatted info from event
  • priority: severity of rule (WARNING, INFO, etc.)

Page 9: How to Secure Containers


Falco Rules

• Filtering Expressions
  • Use the same format as sysdig
  • Full container/k8s/mesos/etc support

• Falco rules are combined into one giant filtering expression, joined by ORs

• Each rule must contain at least one evt.type expression
  • e.g. evt.type=open and …
  • Allows for very fast filtering of events.
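To make the macro and list expansion from the previous slides and the evt.type requirement concrete, here is an added Python model of what a rules loader does (example code written for this transcript, not Falco's own loader or syntax checker). The macro, list and rule are the ones on the slides; open_write and package_mgmt_procs are assumed definitions because the slides reference them without defining them, and the rule names other than write_binary_dir are constructed for the example. It also feeds in the "shell in a container" quick example from the earlier slide exactly as written, which has no evt.type test and so is rejected, beside a version anchored on evt.type = execve.

```python
import re

# Macro, list and rule from the slides; open_write and package_mgmt_procs are
# ASSUMED definitions (the slides reference them without defining them).
MACROS = {
    "bin_dir": "fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)",
    "open_write": "evt.type = open and evt.is_open_write = true",
    "package_mgmt_procs": "proc.name in (apt, apt-get, dpkg, yum, rpm)",
}
LISTS = {"shell_binaries": ["bash", "csh", "ksh", "sh", "tcsh", "zsh", "dash"]}
RULES = [
    {"rule": "write_binary_dir",
     "condition": "bin_dir and evt.dir = < and open_write and not package_mgmt_procs"},
    # Quick example from the slides, verbatim: no evt.type test, so it is rejected.
    {"rule": "shell_in_container_as_written",
     "condition": "container.id != host and proc.name = bash"},
    # Same detection anchored on an event type (constructed for this example).
    {"rule": "shell_in_container",
     "condition": "evt.type = execve and container.id != host and proc.name in (shell_binaries)"},
]

def expand(cond, macros=MACROS, lists=LISTS, max_passes=10):
    """Replace list names with their items and macro names with their
    parenthesised bodies, repeating until the text stops changing."""
    for _ in range(max_passes):
        before = cond
        for name, items in lists.items():
            cond = re.sub(r"\b%s\b" % re.escape(name), lambda m, r=", ".join(items): r, cond)
        for name, body in macros.items():
            cond = re.sub(r"\b%s\b" % re.escape(name), lambda m, b=body: "(" + b + ")", cond)
        if cond == before:
            return cond
    # A macro that mentions itself (directly or via another macro) never settles.
    raise ValueError("macro expansion did not terminate: self-referencing macro?")

def compile_rules(rules, macros=MACROS, lists=LISTS):
    """Expand each rule, drop those without an evt.type test (mandatory per the
    slides, since it is what keeps matching fast), and OR the rest together."""
    accepted, rejected = [], []
    for r in rules:
        cond = expand(r["condition"], macros, lists)
        if re.search(r"\bevt\.type\b", cond):
            accepted.append(cond)
        else:
            rejected.append(r["rule"])
    return " or ".join("(" + c + ")" for c in accepted), rejected

if __name__ == "__main__":
    combined, rejected = compile_rules(RULES)
    print("rejected (no evt.type):", rejected)
    print("combined filter:", combined)
```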

Page 10: How to Secure Containers


Alerts And Outputs

• Events that match filter expression result in alerts

• Rule’s output field used to format event into alert message

• Falco configuration used to control where alert message is sent.

• Any combination of
  • Syslog
  • File
  • Standard Output
  • Shell (e.g. mail -s "Falco Notification" [email protected])

Page 11: How to Secure Containers


Installing Falco

• Debian Package
  • apt-get -y install falco

• Redhat Package
  • yum -y install falco

• Installation Script
  • curl -s https://s3.amazonaws.com/download.draios.com/stable/install-falco | sudo bash
  • More on making this safe in the demo!

• Docker container
  • docker pull sysdig/falco

• Full instructions: https://github.com/draios/falco/wiki/How-to-Install-Falco-for-Linux

Page 12: How to Secure Containers


Running Falco

• As a service
  • $ service falco start
  • alerts to syslog

• By hand
  • $ sudo falco -r <rules file> -c <config file>
  • alerts to syslog, stdout

• Using docker
  • docker run -i -t --name falco --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro sysdig/falco

• Full Instructions: https://github.com/draios/falco/wiki/Running-Falco

Page 13: How to Secure Containers

Demo

Page 14: How to Secure Containers


What we’re going to show you

• Falco installation using docker
• Overview of rules file
• Walkthrough of simple attacks
  • Writing to files below /bin
  • Running bash inside container
  • Synthetic event generator
• Exploiting a bad REST API
• Misbehaving Containers
• Receiving Falco Events in Sysdig Cloud!

Page 15: How to Secure Containers


Join The Community

• Website
  • http://www.sysdig.org/falco/

• Mailing List
  • https://groups.google.com/forum/#!forum/falco

• Public Slack
  • https://sysdig.slack.com/messages/falco/

• Blog
  • https://sysdig.com/blog/tag/falco/

Page 16: How to Secure Containers


Learn More

• Github
  • https://github.com/draios/falco
  • Pull Requests welcome!

• Wiki
  • https://github.com/draios/falco/wiki

• Docker Hub
  • https://hub.docker.com/r/sysdig/falco/

Page 17: How to Secure Containers

Thank You!