Docker Runtime Security
looking inside your containers
Jorge Salamero - @bencerillo - Sysdig
Docker Meetup London
Docker Meetup CGN
Docker Security
– Security is hard
– containers are an opportunity for better security
– DevSecOps
– You should use this new awesome Cloud Native tool!
https://sysdig.com/blog/7-docker-security-vulnerabilities/
Come on...
Jorge Salamero
Tech Marketing aka container gamer @ Sysdig
github.com/bencer
@bencerillo
OSS fan
Monitoring, security, containers, IoT/home-automation,
motorsport
About me
Docker Security Tools process
– CI/CD pipeline to rebuild your containers
– An image registry
– Static scanning for known vulnerabilities
• CoreOS Red Hat Clair
• Anchore
• Red Hat OpenSCAP
• Vuls.io
• Other commercial vendors
https://sysdig.com/blog/20-docker-security-tools/
No, really, all the new cool stuff
– RBAC
– docker-bench, kube-bench
– Augeas
– Kubernetes ValidatingAdmissionWebhook
– Kubernetes PodSecurity Policy
– Kubernetes Network Policy
https://sysdig.com/blog/kubernetes-security-guide/
Even in Mordor you can find...
– 0-day vulnerabilities
– Wrong configuration
– Weak/leaked credentials
– Internal (malicious) activity
– who knows?
Runtime security
– Network, file system, all the things inspection
– Threat detection
– Privilege escalation
– Post-mortem analysis and forensics
https://sysdig.com/blog/docker-runtime-security/
Docker Runtime tools
– capabilities
– seccomp
– AppArmor / SELinux
– Falco
– Sysdig Inspect
Seccomp
- Application syscall sandboxing
- Create filter (BPF) with allowed syscalls
- Failures -> log / error return / kill
- Docker runs the process under a seccomp profile
- Notable disallowed syscalls
MAC: SELinux / AppArmor
- Kernel-level interception/filtering
- features++ && complexity++
- Higher level:
- Actors (process)
- Actions (read/write on files/sockets)
- Targets (files, IPs, ports)
https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/
Sysdig Falco
A behavioral activity monitor
• Detects suspicious activity defined by a set of rules
• Uses Sysdig’s flexible and powerful filtering expressions
With full support for containers/orchestration
• Utilizes Sysdig’s container & orchestrator support
And flexible notification methods
• Alert to files, standard output, syslog, programs
Open Source
• Anyone can contribute rules or improvements
System call tracing
System calls for observability?
– clone() and execve() give you insight into process creation and command execution.
– open(), close(), and the FD read and write functions offer visibility on disk I/O.
– socket(), connect(), and accept() give insight into network activity.
A shell is run in a container: container.id != host and proc.name = bash
Overwrite system binaries: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) and write
Container namespace change: evt.type = setns and not proc.name in (docker, sysdig)
Non-device files written in /dev: (evt.type = create or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null
Process tries to access camera: evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)
Falco architecture (diagram)
Kernel: syscalls are captured by the falco_probe kernel module (or eBPF magic!) and handed to user space.
User: the Sysdig libraries turn the syscalls into events, the Falco Rules filter expressions pick out suspicious events (e.g. a shell process), and alerting sends them to file, syslog or stdout.
Falco Rules
25 common rules available OOTB
Focused on common container best practices:
■ Writing files in bin or etc directories
■ Reading sensitive files
■ Binaries being executed other than CMD/ENTRYPOINT
Default rules for most popular images (next week!)
Falco rules
.yaml file containing Macros, Lists, and Rules
- macro: bin_dir
  condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
- list: shell_binaries
  items: [bash, csh, ksh, sh, tcsh, zsh, dash]
- rule: write_binary_dir
  desc: an attempt to write to any file below a set of binary directories
  condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs
  output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
  priority: WARNING
Falco rules
Rules
• name: used to identify rule
• desc: description of rule
• condition: filter expression, can contain macro references
• output: message to emit when rule triggers, can contain formatted info from event
• priority: severity of rule (WARNING, INFO, etc.)
Macros
• name: text to use in later rules
• condition: filter expression snippet
Lists
• name: text to use later
• items: list of items
Falco rules
Filtering Expressions
• Use the same format as sysdig
• Full container, Kubernetes, Mesos, Docker Swarm support
Rule Execution Order
• Falco rules are combined into one giant filtering expression, joined by ors
• Each rule must contain at least one evt.type expression
• e.g. evt.type=open and …
• Allows for very fast filtering of events
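As an added worked example (not code from the deck or from the Falco project), the following Python mirrors how the macro, list and rule definitions on the slides above get resolved: lists and macros are inlined into each rule's condition, every rule is checked for the evt.type term the execution-order slide requires, and the accepted rules are joined by or into one filter. The open_write and package_mgmt_procs macros and the package-manager list are assumptions, since the deck references them without defining them.

```python
import re

# Constructed rules file for this example, mirroring the deck's YAML as Python
# structures so it runs without a YAML library. open_write and
# package_mgmt_procs are referenced but not defined in the deck; the
# definitions below are assumptions made for the example.
RULES_FILE = [
    {"macro": "bin_dir",
     "condition": "fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)"},
    {"macro": "open_write",
     "condition": "evt.type in (open, openat) and evt.is_open_write = true"},
    {"macro": "package_mgmt_procs",
     "condition": "proc.name in (package_mgmt_binaries)"},
    {"list": "package_mgmt_binaries",
     "items": ["dpkg", "apt", "apt-get", "yum", "rpm"]},
    {"list": "shell_binaries",
     "items": ["bash", "csh", "ksh", "sh", "tcsh", "zsh", "dash"]},
    {"rule": "write_binary_dir",
     "desc": "an attempt to write to any file below a set of binary directories",
     "condition": "bin_dir and evt.dir = < and open_write and not package_mgmt_procs",
     "output": "File below a known binary directory opened for writing "
               "(user=%user.name command=%proc.cmdline file=%fd.name)",
     "priority": "WARNING"},
    {"rule": "run_shell_in_container",
     "desc": "a shell was spawned inside a container",
     "condition": "evt.type = execve and container.id != host and proc.name in (shell_binaries)",
     "output": "Shell spawned in container (user=%user.name %container.info)",
     "priority": "WARNING"},
    {"rule": "no_evt_type",
     "desc": "deliberately invalid: no evt.type term, so it must be rejected",
     "condition": "container.id != host and proc.name = bash",
     "output": "never loaded",
     "priority": "INFO"},
]


def split_definitions(entries):
    """Separate a loaded rules file into macro, list and rule tables."""
    macros, lists, rules = {}, {}, []
    for entry in entries:
        if "macro" in entry:
            macros[entry["macro"]] = entry["condition"]
        elif "list" in entry:
            lists[entry["list"]] = entry["items"]
        elif "rule" in entry:
            rules.append(entry)
    return macros, lists, rules


def expand_condition(condition, macros, lists, max_passes=10):
    """Inline list items and macro bodies until the expression is stable.

    A macro body is wrapped in parentheses so that 'not package_mgmt_procs'
    keeps its meaning after substitution. Nested references (a macro that
    uses a list) resolve because substitution repeats until nothing changes;
    a self-referencing macro never stabilises and is reported as an error.
    """
    expr = condition
    for _ in range(max_passes):
        before = expr
        for name, items in lists.items():
            joined = ", ".join(items)
            expr = re.sub(rf"\b{re.escape(name)}\b", lambda _m, s=joined: s, expr)
        for name, body in macros.items():
            expr = re.sub(rf"\b{re.escape(name)}\b", lambda _m, b=body: f"({b})", expr)
        if expr == before:
            return expr
    raise ValueError("macro/list expansion did not converge (cyclic reference?)")


def has_evt_type(expanded_condition):
    """Falco needs an evt.type term in every rule to filter events quickly."""
    return re.search(r"\bevt\.type\b", expanded_condition) is not None


def compile_rules(entries):
    """Return (combined_expression, rejected_rule_names).

    Accepted rules are joined with 'or' into one filter, as the deck describes;
    rules whose expanded condition lacks evt.type are reported instead.
    """
    macros, lists, rules = split_definitions(entries)
    accepted, rejected = [], []
    for rule in rules:
        expanded = expand_condition(rule["condition"], macros, lists)
        if has_evt_type(expanded):
            accepted.append(f"({expanded})")
        else:
            rejected.append(rule["rule"])
    return " or ".join(accepted), rejected


if __name__ == "__main__":
    combined, rejected = compile_rules(RULES_FILE)
    print("combined filter:", combined)
    print("rejected (no evt.type):", rejected)
```

Note that write_binary_dir only satisfies the evt.type requirement after the open_write macro is expanded, which is why the check runs on the expanded condition.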
Sysdig Filter Expressions
Based on Field Classes:
fd - File Descriptors
process - Processes
evt - System Events
user - Users
group - Groups
syslog - Syslog messages
container - Container info
fdlist - FD poll events
k8s - Kubernetes events
mesos - Mesos events
span - Start/Stop markers
evtin - Filter based on Spans
Alerts and outputs
Sending Alerts
• Events matching filter expression result in alerts
• Rule’s output field used to format event into alert message
• Falco configuration used to control where alert message is sent
Any combination of:
• Syslog
• File
• Standard Output
• Shell (e.g. mail -s "Falco Notification" someone@example.com)
A Custom Falco Rule
- rule: Node Container Runs Node
  desc: Detect a process that’s not node started in a Node container.
  condition: evt.type = execve and container.image startswith node and proc.name != node
  output: Node container started other process (user=%user.name command=%proc.cmdline %container.info)
  priority: INFO
  tags: [container, apps]
Reading the condition left to right:
– Something is executing a program (evt.type = execve)
– In a container based on the Node image (container.image startswith node)
– And the process name isn’t node (proc.name != node)
- macro: proc_is_new
  condition: proc.duration <= 5000000000
- rule: Read secret file after startup
  desc: >
    an attempt to read any secret file (e.g. files containing user/password/authentication
    information). Processes might read these files at startup, but not afterwards.
  condition: fd.name startswith /etc/secrets and open_read and not proc_is_new
  output: >
    Sensitive file opened for reading after startup (user=%user.name
    command=%proc.cmdline file=%fd.name)
  priority: WARNING
A real-world Falco rule example.
Active Security
Falco, NATS, and kubeless
Falco: detects abnormal event, publishes alert to NATS
NATS: subscribers receive Falco alert through NATS server
kubeless: receives Falco alert, firing a function to delete the offending Kubernetes Pod
Functions for security operations
- Easily write simple functions to react to monitoring events
- Multiple subscribers can take multiple actions
- One function to kill/stop/pause/delete a pod
- One function to setup a Kubernetes network policy
- One function to notify teams
- One function to log events
- One function to trigger a Sysdig capture
- Small, reusable components
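As an added example (not code from the deck, Falco, NATS or kubeless), this Python sketches the last step of the Falco -> NATS -> kubeless flow above: a kubeless-style function that receives a Falco alert as the NATS message body, pulls the pod coordinates out of the alert's Kubernetes metadata, validates them, and builds the in-cluster API call that deletes the offending pod. The alert JSON shape (Falco's json_output format), the auto-delete rule set and the injectable sender are assumptions for the example.

```python
import json
import re
from urllib.parse import quote

# Constructed Falco alert in the JSON shape Falco emits with json_output
# enabled (rule, priority, output, time, output_fields). All values are
# made up for this example.
SAMPLE_ALERT = json.dumps({
    "output": "Shell spawned in container (user=root api-7d9f8c6b5-x2k9q)",
    "priority": "Warning",
    "rule": "Terminal shell in container",
    "time": "2018-05-21T17:22:45.231Z",
    "output_fields": {
        "k8s.ns.name": "payments",
        "k8s.pod.name": "api-7d9f8c6b5-x2k9q",
        "proc.cmdline": "bash",
        "user.name": "root",
    },
})

# Assumed response policy: only these rules are severe enough to delete a pod
# automatically; everything else is logged so a human can look at it first.
DELETE_ON_RULES = {"Terminal shell in container", "Write below binary dir"}
# Kubernetes namespace and pod names are DNS labels; anything else is refused.
K8S_NAME_RE = re.compile(r"^[a-z0-9]([-a-z0-9]{0,251}[a-z0-9])?$")


def parse_alert(raw):
    """Decode one Falco JSON alert and pull out the Kubernetes coordinates."""
    alert = json.loads(raw)
    fields = alert.get("output_fields", {})
    return {
        "rule": alert["rule"],
        "priority": alert["priority"],
        "namespace": fields.get("k8s.ns.name"),
        "pod": fields.get("k8s.pod.name"),
    }


def pod_delete_request(namespace, pod):
    """Build the in-cluster API call that removes the offending pod.

    Names are validated before being placed in the path so that a crafted or
    corrupted alert cannot steer the request at some other resource.
    """
    for value in (namespace, pod):
        if not value or not K8S_NAME_RE.match(value):
            raise ValueError(f"refusing to act on invalid Kubernetes name: {value!r}")
    return {
        "method": "DELETE",
        "url": "https://kubernetes.default.svc/api/v1/namespaces/"
               f"{quote(namespace)}/pods/{quote(pod)}",
    }


def decide(alert, delete_on=DELETE_ON_RULES):
    """Map an alert to an action: ('delete', request) or ('log', reason)."""
    if not alert["pod"] or not alert["namespace"]:
        return ("log", "alert carries no pod metadata, nothing to delete")
    if alert["rule"] in delete_on:
        return ("delete", pod_delete_request(alert["namespace"], alert["pod"]))
    return ("log", f"rule {alert['rule']!r} is not in the auto-delete set")


def handler(event, context, send=None):
    """kubeless-style entry point; event['data'] is the NATS message body.

    `send` performs the HTTP call and is injectable so the function can run
    without a cluster. A real sender would attach the service-account token
    from /var/run/secrets/kubernetes.io/serviceaccount as a bearer token.
    """
    action, detail = decide(parse_alert(event["data"]))
    if action == "delete" and send is not None:
        send(detail)
    return {"action": action, "detail": detail}
```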
Installing Falco
• Debian Package
• apt-get -y install falco
• Redhat Package
• yum -y install falco
• Installation Script
• curl -s https://s3.amazonaws.com/download.draios.com/stable/install-falco | sudo bash
• Docker container
• docker pull sysdig/falco
• Full instructions
• https://github.com/draios/falco/wiki/How-to-Install-Falco-for-Linux
Installing Falco on Kubernetes
• Install Falco as Kubernetes daemonSet
• https://github.com/draios/falco/tree/dev/examples/k8s-using-daemonset
• Configuration stored in Kubernetes ConfigMaps
• Conditions in a Falco rule can leverage Kubernetes metadata to trigger events
• Falco events can include Kubernetes metadata to give notification context:
• name, id, labels for pods, replicationController, replicaSet, deployment, service, and
namespace
• Helm Chart WIP here: https://github.com/nestorsalceda/charts/tree/falco/stable/falco
Running Falco
• As a service
• $ service falco start
• alerts to syslog
• By hand
• $ sudo falco -r <rules file> -c <config file>
• alerts to syslog, stdout
• Using Docker
• docker run -i -t --name falco --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro sysdig/falco
• Full Instructions
• https://github.com/draios/falco/wiki/Running-Falco
Join the community
• Website
• http://www.sysdig.org/falco
• Public Slack
• https://sysdig.slack.com/messages/falco
• Blog
• https://sysdig.com/blog/tag/falco/
• Sysdig Secure
• http://sysdig.com/product/secure
Learn more
Github
• https://github.com/draios/falco
• Pull Requests welcome!
Wiki
• https://github.com/draios/falco/wiki
Docker Hub
• https://hub.docker.com/r/sysdig/falco/
Post-mortem and forensics.
What?
Where?
Who?
Why?
Logs? SSH into prod and start messing around?
How did we do this in the past?
Sysdig Inspect
https://github.com/draios/sysdig-inspect
Thank you!
Jorge Salamero - @bencerillo - Sysdig

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Docker Security Paradigm
Docker Security ParadigmDocker Security Paradigm
Docker Security Paradigm
 
Real World Lessons on the Pain Points of Node.js Applications
Real World Lessons on the Pain Points of Node.js ApplicationsReal World Lessons on the Pain Points of Node.js Applications
Real World Lessons on the Pain Points of Node.js Applications
 
The top 5 Kubernetes metrics to monitor
The top 5 Kubernetes metrics to monitorThe top 5 Kubernetes metrics to monitor
The top 5 Kubernetes metrics to monitor
 
A Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container PlatformsA Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container Platforms
 
Docker 1.11 Presentation
Docker 1.11 PresentationDocker 1.11 Presentation
Docker 1.11 Presentation
 
Under the Hood with Docker Swarm Mode - Drew Erny and Nishant Totla, Docker
Under the Hood with Docker Swarm Mode - Drew Erny and Nishant Totla, DockerUnder the Hood with Docker Swarm Mode - Drew Erny and Nishant Totla, Docker
Under the Hood with Docker Swarm Mode - Drew Erny and Nishant Totla, Docker
 
Running High Performance and Fault Tolerant Elasticsearch Clusters on Docker
Running High Performance and Fault Tolerant Elasticsearch Clusters on DockerRunning High Performance and Fault Tolerant Elasticsearch Clusters on Docker
Running High Performance and Fault Tolerant Elasticsearch Clusters on Docker
 
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
The Golden Ticket: Docker and High Security Microservices by Aaron GrattafioriThe Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
 
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
 
Docker up and running
Docker up and runningDocker up and running
Docker up and running
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container Security
 
IaC and Immutable Infrastructure with Terraform, Сергей Марченко
IaC and Immutable Infrastructure with Terraform, Сергей МарченкоIaC and Immutable Infrastructure with Terraform, Сергей Марченко
IaC and Immutable Infrastructure with Terraform, Сергей Марченко
 
Deploying Windows Containers on Windows Server 2016
Deploying Windows Containers on Windows Server 2016Deploying Windows Containers on Windows Server 2016
Deploying Windows Containers on Windows Server 2016
 
On-Demand Image Resizing from Part of the monolith to Containerized Microserv...
On-Demand Image Resizing from Part of the monolith to Containerized Microserv...On-Demand Image Resizing from Part of the monolith to Containerized Microserv...
On-Demand Image Resizing from Part of the monolith to Containerized Microserv...
 
From Monolith to Docker Distributed Applications
From Monolith to Docker Distributed ApplicationsFrom Monolith to Docker Distributed Applications
From Monolith to Docker Distributed Applications
 
Scaling Next-Generation Internet TV on AWS With Docker, Packer, and Chef
Scaling Next-Generation Internet TV on AWS With Docker, Packer, and ChefScaling Next-Generation Internet TV on AWS With Docker, Packer, and Chef
Scaling Next-Generation Internet TV on AWS With Docker, Packer, and Chef
 
CoreOS Overview and Current Status
CoreOS Overview and Current StatusCoreOS Overview and Current Status
CoreOS Overview and Current Status
 
Kubernetes Boston — Custom High Availability of Kubernetes
Kubernetes Boston — Custom High Availability of KubernetesKubernetes Boston — Custom High Availability of Kubernetes
Kubernetes Boston — Custom High Availability of Kubernetes
 
The How and Why of Windows containers
The How and Why of Windows containersThe How and Why of Windows containers
The How and Why of Windows containers
 
CI and CD at Scale: Scaling Jenkins with Docker and Apache Mesos
CI and CD at Scale: Scaling Jenkins with Docker and Apache MesosCI and CD at Scale: Scaling Jenkins with Docker and Apache Mesos
CI and CD at Scale: Scaling Jenkins with Docker and Apache Mesos
 

Similar a Docker Runtime Security

David container security-with_falco
David container security-with_falcoDavid container security-with_falco
David container security-with_falco
Lorenzo David
 

Similar a Docker Runtime Security (20)

Securing your Kubernetes applications
Securing your Kubernetes applicationsSecuring your Kubernetes applications
Securing your Kubernetes applications
 
Container Runtime Security with Falco, by Néstor Salceda
Container Runtime Security with Falco, by Néstor SalcedaContainer Runtime Security with Falco, by Néstor Salceda
Container Runtime Security with Falco, by Néstor Salceda
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!
 
Automating Security Response with Serverless
Automating Security Response with ServerlessAutomating Security Response with Serverless
Automating Security Response with Serverless
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
David container security-with_falco
David container security-with_falcoDavid container security-with_falco
David container security-with_falco
 
Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production Cloud
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker Security
 
Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Implementing Active Security with Sysdig Falco - Docker Meetup BarcelonaImplementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona
 
Securing your Container Environment with Open Source
Securing your Container Environment with Open SourceSecuring your Container Environment with Open Source
Securing your Container Environment with Open Source
 
How to Secure Containers
How to Secure ContainersHow to Secure Containers
How to Secure Containers
 
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
Implementing Active Security with Sysdig Falco - Barcelona Software CraftersImplementing Active Security with Sysdig Falco - Barcelona Software Crafters
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond
 
Container Monitoring with Sysdig
Container Monitoring with SysdigContainer Monitoring with Sysdig
Container Monitoring with Sysdig
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016
 
Containerization Is More than the New Virtualization
Containerization Is More than the New VirtualizationContainerization Is More than the New Virtualization
Containerization Is More than the New Virtualization
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in Kubernetes
 

Más de Sysdig

Más de Sysdig (15)

What Prometheus means for monitoring vendors
What Prometheus means for monitoring vendorsWhat Prometheus means for monitoring vendors
What Prometheus means for monitoring vendors
 
The top 5 Kubernetes metrics to monitor
The top 5 Kubernetes metrics to monitorThe top 5 Kubernetes metrics to monitor
The top 5 Kubernetes metrics to monitor
 
Behavioural activity monitoring on CoreOS with Sysdig Falco
Behavioural activity monitoring on CoreOS with Sysdig FalcoBehavioural activity monitoring on CoreOS with Sysdig Falco
Behavioural activity monitoring on CoreOS with Sysdig Falco
 
How to Monitor Microservices
How to Monitor MicroservicesHow to Monitor Microservices
How to Monitor Microservices
 
Trace everything, when APM meets SysAdmins
Trace everything, when APM meets SysAdminsTrace everything, when APM meets SysAdmins
Trace everything, when APM meets SysAdmins
 
You're monitoring Kubernetes Wrong
You're monitoring Kubernetes WrongYou're monitoring Kubernetes Wrong
You're monitoring Kubernetes Wrong
 
The Dark Art of Container Monitoring - Spanish
The Dark Art of Container Monitoring - SpanishThe Dark Art of Container Monitoring - Spanish
The Dark Art of Container Monitoring - Spanish
 
Building Trustworthy Containers
Building Trustworthy ContainersBuilding Trustworthy Containers
Building Trustworthy Containers
 
A brief history of system calls
A brief history of system callsA brief history of system calls
A brief history of system calls
 
Designing Tracing Tools
Designing Tracing ToolsDesigning Tracing Tools
Designing Tracing Tools
 
Extending Sysdig with Chisel
Extending Sysdig with ChiselExtending Sysdig with Chisel
Extending Sysdig with Chisel
 
Intro to sysdig in 15 minutes
Intro to sysdig in 15 minutesIntro to sysdig in 15 minutes
Intro to sysdig in 15 minutes
 
Troubleshooting Kubernetes
Troubleshooting KubernetesTroubleshooting Kubernetes
Troubleshooting Kubernetes
 
Find the Hacker
Find the HackerFind the Hacker
Find the Hacker
 
Sysdig Meetup - San Francisco, December 2014
Sysdig Meetup - San Francisco, December 2014Sysdig Meetup - San Francisco, December 2014
Sysdig Meetup - San Francisco, December 2014
 

Último

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ssuser89054b
 
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
dharasingh5698
 
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes ---  Unit 3.pdfAKTU Computer Networks notes ---  Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
ankushspencer015
 

Último (20)

(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
 
chapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineeringchapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineering
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdf
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torque
 
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
 
Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performance
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
 
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering  Unit - I & II . pptThermal Engineering  Unit - I & II . ppt
Thermal Engineering Unit - I & II . ppt
 
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
 
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
Unit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdfUnit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdf
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes ---  Unit 3.pdfAKTU Computer Networks notes ---  Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - V
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 

Docker Runtime Security

  • 1. Docker Runtime Security looking inside your containers Jorge Salamero - @bencerillo - Sysdig Docker Meetup London Docker Meetup CGN
  • 2. Docker Security – Security is hard – containers are an opportunity for better security – DevSecOps – You should use this new awesome Cloud Native tool! https://sysdig.com/blog/7-docker-security-vulnerabilities/
  • 4. Jorge Salamero Tech Marketing aka container gamer @ Sysdig github.com/bencer @bencerillo OSS fan Monitoring, security, containers, IoT/home-automation, motorsport About me
  • 5. Docker Security Tools process – CI/CD pipeline to rebuild your containers – An images registry – Static scanning for known vulnerabilities • CoreOS Red Hat Clair • Anchore • Red Hat OpenScap • Vuls.io • Other commercial vendors https://sysdig.com/blog/20-docker-security-tools/
  • 6. No, really, all the new cool stuff – RBAC – docker-bench, kube-bench – Augeas – Kubernetes ValidatingAdmissionWebhook – Kubernetes PodSecurity Policy – Kubernetes Network Policy https://sysdig.com/blog/kubernetes-security-guide/
  • 7.
  • 8. Even in Mordor you can find... – 0-day vulnerabilities – Wrong configuration – Weak/leaked credentials – Internal (malicious) activity – how knows?
  • 9.
  • 10. Runtime security – Network, file system, all the things inspection – Threat detection – Privilege escalation – Post-mortem analysis and forensics https://sysdig.com/blog/docker-runtime-security/
  • 11. Docker Runtime tools – capabilities – seccomp – AppArmor / SELinux – Falco – Sysdig Inspect
  • 12. Seccomp - Application syscall sandboxing - Create filter (BPF) with allowed syscalls - Failures-> log / error return / kill - Docker runsprocess under a seccomp profile - Notable disallowed syscalls
  • 13. MAC: SELinux / AppArmor - Kernel-level interception/filtering - features++ && complexity++ - Higher level: - Actors (process) - Actions (read/write on files/sockets) - Targets (files, IPs, ports) https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/
  • 14. Sysdig Falco A behavioral activity monitor •Detects suspicious activity defined by a set of rules •Uses Sysdig’s flexible and powerful filtering expressions With full support for containers/orchestration •Utilizes Sysdig’s container & orchestrator support And flexible notification methods •Alert to files, standard output, syslog, programs Open Source •Anyone can contribute rules or improvements
  • 16. System calls for observability? – clone() and execve() give you insight into process creation and command execution. – open(), close(), and the FD read and write functions offer visibility on disk I/O. – socket(), connect(), and accept() give insight into network activity.
  • 17.
  • 18. A shell is run in a container container.id != host and proc.name = bash Overwrite system binaries fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) and write Container namespace change evt.type = setns and not proc.name in (docker, sysdig) Non-device files written in /dev (evt.type = create or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null Process tries to access camera evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)
  • 19. Falco architecture falco_probe kernel module eBPF magic! Kernel User syscalls Sysdig libraries events alerting Falco Rules suspicious events file syslog stdout filter expression shell process
  • 20. Falco Rules 25 common rules available OOTB Focused on common container best practices: ■ Writing files in bin or etc directories ■ Reading sensitive files ■ Binaries being executed other than CMD/ENTRYPOINT Default rules for most popular images (next week!)
  • 21. Falco rules .yaml file containing Macros, Lists, and Rules - macro: bin_dir condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) - list: shell_binaries items: [bash, csh, ksh, sh, tcsh, zsh, dash] - rule: write_binary_dir desc: an attempt to write to any file below a set of binary directories condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)" priority: WARNING
  • 22. Falco rules Rules • name: used to identify rule • desc: description of rule • condition: filter expression, can contain macro references • output: message to emit when rule triggers, can contain formatted info from event • priority: severity of rule (WARNING, INFO, etc.) Macros • name: text to use in later rules • condition: filter expression snippet Lists • name: text to use later • items: list of items
  • 23. Falco rules Filtering Expressions • Use the same format as sysdig • Full container, Kubernetes, Mesos, Docker Swarm support Rule Execution Order • Falco rules are combined into one giant filtering expression, joined by ors • Each rule must contain at least one evt.type expression • i.e. evt.type=open and … • Allows for very fast filtering of events
  • 24. Sysdig Filter Expressions Based on Field Classes: fd - File Descriptors process - Processes evt - System Events user - Users group - Groups syslog - Syslog messages container - Container info fdlist - FD poll events k8s - Kubernetes events mesos - Mesos events span - Start/Stop markers evtin - Filter based on Spans
  • 25. Alerts and outputs Sending Alerts • Events matching filter expression result in alerts • Rule’s output field used to format event into alert message • Falco configuration used to control where alert message is sent Any combination of.. • Syslog • File • Standard Output • Shell (e.g. mail -s "Falco Notification" someone@example.com)
  • 26. A Custom Falco Rule
    - rule: Node Container Runs Node
      desc: Detect a process that's not node started in a Node container.
      condition: evt.type = execve and container.image startswith node and proc.name != node
      output: Node container started other process (user=%user.name command=%proc.cmdline %container.info)
      priority: INFO
      tags: [container, apps]
  • 27. A Custom Falco Rule
    - rule: Node Container Runs Node
      desc: Detect a process that's not node started in a Node container.
      condition: evt.type = execve                    # Something is executing a program
                 and container.image startswith node  # In a container based on the Node image
                 and proc.name != node                # And the process name isn't node
      output: Node container started other process (user=%user.name command=%proc.cmdline %container.info)
      priority: INFO
      tags: [container, apps]
  • 28. Falco real cool rule example
    - macro: proc_is_new
      condition: proc.duration <= 5000000000
    - rule: Read secret file after startup
      desc: >
        an attempt to read any secret file (e.g. files containing user/password/authentication
        information). Processes might read these files at startup, but not afterwards.
      condition: fd.name startswith /etc/secrets and open_read and not proc_is_new
      output: >
        Sensitive file opened for reading after startup (user=%user.name command=%proc.cmdline file=%fd.name)
      priority: WARNING
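To make the rule pieces from slides 21 to 28 concrete, here is an added example (not Falco's code and not from the deck) of a small evaluator that parses lists, macros and rule conditions in the subset of the filter syntax used above (and/not, the comparison operators, in (...), startswith/contains, macro and list references) and expands %field placeholders in the rule output. The open_write and open_read macros are simplified stand-ins for Falco's stock macros, package_mgmt_procs is written through a package_mgmt_binaries list so that list expansion is exercised, and the events are constructed dicts of field values rather than captures. It shows the proc_is_new timing edge case from slide 28: the same read of /etc/secrets triggers the rule 30 s after process start but not 2 s after, and the package manager writing below /usr/bin is excluded by the not package_mgmt_procs clause.

```python
"""Minimal evaluator for Falco-style rules: a constructed example, not Falco's engine.
Subset supported: and/not, = != < <= > >=, in (...), startswith/contains, macro and
list references, and %field substitution in the rule output."""
import re

TOKEN_RE = re.compile(r"\(|\)|,|[^\s(),]+")  # parens and commas are tokens; values are bare words
OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b, "in": lambda a, b: a in b,
       "startswith": lambda a, b: a.startswith(b), "contains": lambda a, b: b in a,
       "<": lambda a, b: int(a) < int(b), "<=": lambda a, b: int(a) <= int(b),
       ">": lambda a, b: int(a) > int(b), ">=": lambda a, b: int(a) >= int(b)}

# Slides 21 and 28 as Python dicts. open_write/open_read are simplified stand-ins for Falco's
# stock macros; package_mgmt_procs goes through a list so that list expansion is exercised.
RULESET = [
    {"list": "package_mgmt_binaries", "items": ["dpkg", "rpm", "yum", "apt", "apt-get"]},
    {"macro": "package_mgmt_procs", "condition": "proc.name in (package_mgmt_binaries)"},
    {"macro": "bin_dir", "condition": "fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)"},
    {"macro": "open_write", "condition": "evt.type in (open, openat) and evt.is_open_write = true"},
    {"macro": "open_read", "condition": "evt.type in (open, openat) and evt.is_open_read = true"},
    {"macro": "proc_is_new", "condition": "proc.duration <= 5000000000"},
    {"rule": "write_binary_dir", "priority": "WARNING",
     "condition": "bin_dir and evt.dir = < and open_write and not package_mgmt_procs",
     "output": "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"},
    {"rule": "Read secret file after startup", "priority": "WARNING",
     "condition": "fd.name startswith /etc/secrets and open_read and not proc_is_new",
     "output": "Sensitive file opened for reading after startup (user=%user.name command=%proc.cmdline file=%fd.name)"},
]

def parse(text, macro_names, lists):
    """Condition string -> tuple AST: an 'and' chain over optionally negated atoms."""
    toks = TOKEN_RE.findall(text)

    def atom():  # not X | field op value | field in (...) | macro name
        tok = toks.pop(0)
        if tok == "not":
            return ("not", atom())
        if not toks or toks[0] not in OPS:  # no operator follows, so this must be a macro
            if tok not in macro_names:
                raise SyntaxError("unknown macro or missing operator: %r" % tok)
            return ("macro", tok)
        op = toks.pop(0)
        if op != "in":
            return (op, tok, toks.pop(0))  # bare value token; it may itself be '<' (evt.dir = <)
        toks.pop(0)  # the opening '(' of the value list
        values = []
        while toks and toks[0] != ")":
            item = toks.pop(0)
            if item != ",":
                values.extend(lists.get(item, [item]))  # a list name expands in place
        toks.pop(0)  # the closing ')'; an IndexError here means an unterminated list
        return ("in", tok, values)

    terms = [atom()]
    while toks and toks[0] == "and":
        toks.pop(0)
        terms.append(atom())
    if toks:
        raise SyntaxError("trailing tokens: " + " ".join(toks))
    return ("and", *terms)

def compile_ruleset(ruleset):
    """Parse every list, macro and rule once; macros are looked up by name when evaluating."""
    lists = {r["list"]: r["items"] for r in ruleset if "list" in r}
    macro_src = {r["macro"]: r["condition"] for r in ruleset if "macro" in r}
    macros = {name: parse(cond, macro_src, lists) for name, cond in macro_src.items()}
    return macros, [(r, parse(r["condition"], macro_src, lists)) for r in ruleset if "rule" in r]

def evaluate(node, event, macros):
    """Evaluate an AST node against one event (dict of sysdig/Falco field name -> value)."""
    kind = node[0]
    if kind in ("and", "not"):  # all() short-circuits like Falco's and; a 'not' node has one child
        results = (evaluate(child, event, macros) for child in node[1:])
        return all(results) if kind == "and" else not next(results)
    if kind == "macro":
        return evaluate(macros[node[1]], event, macros)
    op, field, value = node
    if field not in event:  # field absent on this event type: the comparison cannot match
        return False
    try:
        return OPS[op](str(event[field]), value)
    except ValueError:  # non-numeric operand in a numeric comparison
        return False

def check_event(event, compiled):
    """Return (rule, priority, message) for every rule the event triggers, expanding %fields."""
    macros, rules = compiled
    render = lambda tmpl: re.sub(r"%([a-z0-9_.]+)", lambda m: str(event.get(m.group(1), "<NA>")), tmpl)
    return [(r["rule"], r["priority"], render(r["output"])) for r, ast in rules if evaluate(ast, event, macros)]

# Constructed events (not captured from a real system); proc.duration is in nanoseconds.
WRITE_BIN = {"evt.type": "open", "evt.dir": "<", "evt.is_open_write": "true", "fd.name": "/usr/bin/curl",
             "fd.directory": "/usr/bin", "proc.name": "bash", "proc.cmdline": "bash -c cp /tmp/curl /usr/bin/curl", "user.name": "root"}
READ_SECRET = {"evt.type": "openat", "evt.dir": "<", "evt.is_open_read": "true", "fd.name": "/etc/secrets/db_password",
               "fd.directory": "/etc/secrets", "proc.name": "node", "proc.cmdline": "node server.js", "user.name": "app", "proc.duration": "30000000000"}
EVENTS = {"bash_writes_usr_bin": WRITE_BIN,
          "apt_writes_usr_bin": {**WRITE_BIN, "proc.name": "apt-get", "proc.cmdline": "apt-get upgrade"},
          "secret_read_after_30s": READ_SECRET,
          "secret_read_at_startup": {**READ_SECRET, "proc.duration": "2000000000"}}
```

Calling `check_event(EVENTS["bash_writes_usr_bin"], compile_ruleset(RULESET))` returns the write_binary_dir alert with the rendered message, the apt-get variant returns nothing, and the two /etc/secrets reads differ only in proc.duration, which is exactly what the proc_is_new macro keys on. Compiling once and evaluating many events mirrors the point on slide 23 that rules are parsed into one filter up front.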
  • 29. Active Security: Falco, NATS, and kubeless
    Falco: detects abnormal event, publishes alert to NATS
    NATS: subscribers receive Falco alert through NATS server
    kubeless: receives Falco alert, firing a function to delete the offending Kubernetes Pod
  • 30. Functions for security operations
    - Easily write simple functions to react to monitoring events
    - Multiple subscribers can take multiple actions
    - One function to kill/stop/pause/delete a pod
    - One function to setup a Kubernetes network policy
    - One function to notify teams
    - One function to log events
    - One function to trigger a Sysdig capture
    - Small, reusable components
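As an added example of the subscriber side of the flow on slides 29 and 30 (not Falco's, NATS's or kubeless's own code), the following Python turns one Falco alert in the shape of Falco's JSON output (json_output=true; the top-level keys and the output_fields names k8s.ns.name and k8s.pod.name are assumed here) into a plan: delete the pod, notify, or only log. It handles two cases the slides leave implicit: an alert without Kubernetes metadata (Falco on a plain Docker host) is notified rather than deleted, and repeated alerts for the same pod delete it once. The delete/notify/log actions are injected callables so the same decision logic can sit behind each of the small functions slide 30 lists; the rule names come from the slides and the alert samples are constructed.

```python
"""Subscriber side of the Falco -> NATS -> kubeless flow: a constructed example, not Falco's,
NATS's or kubeless's own code. Parses one alert in the shape of Falco's JSON output
(json_output=true; field names assumed), applies a response policy and dispatches the
chosen action to injected callables, so the same logic can sit behind a kill-pod function,
a notify function or a logging function."""
import json

# Falco priorities from most to least severe, as written in rule 'priority' fields.
PRIORITIES = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"]

# Constructed policy: rules whose firing should remove the pod, and the minimum priority at
# which anything beyond logging happens. Rule names are the ones used on the slides.
DELETE_POD_RULES = {"write_binary_dir", "Read secret file after startup"}
ACTION_THRESHOLD = "WARNING"


def severity(priority):
    """Rank of a Falco priority (0 = most severe); INFO is Falco's short form of INFORMATIONAL."""
    name = priority.upper()
    return PRIORITIES.index("INFORMATIONAL" if name == "INFO" else name)


def plan_response(alert_json):
    """Turn one Falco JSON alert into an action plan: delete_pod, notify or log."""
    alert = json.loads(alert_json)
    fields = alert.get("output_fields", {})
    plan = {"rule": alert["rule"], "priority": alert["priority"].upper(), "message": alert["output"],
            "namespace": fields.get("k8s.ns.name"), "pod": fields.get("k8s.pod.name")}
    if severity(plan["priority"]) > severity(ACTION_THRESHOLD):
        plan["action"] = "log"  # below threshold: record it, take no automated action
    elif plan["pod"] is None or plan["namespace"] is None:
        plan["action"] = "notify"  # no Kubernetes metadata (e.g. plain Docker host): nothing to delete
    elif plan["rule"] in DELETE_POD_RULES:
        plan["action"] = "delete_pod"
    else:
        plan["action"] = "notify"
    return plan


class AlertResponder:
    """Dispatches plans to the injected actions and deletes each pod at most once, since
    several events (and several rules) usually fire for the same compromised pod."""

    def __init__(self, delete_pod, notify, log):
        self.delete_pod, self.notify, self.log = delete_pod, notify, log
        self.deleted = set()

    def handle(self, alert_json):
        plan = plan_response(alert_json)
        target = (plan["namespace"], plan["pod"])
        if plan["action"] == "delete_pod":
            if target in self.deleted:
                plan["action"] = "already_deleted"
            else:
                self.deleted.add(target)
                self.delete_pod(*target)
        if plan["action"] == "notify":
            self.notify(plan)
        self.log(plan)  # every alert is logged whatever else happens
        return plan


# Constructed alerts in the shape of Falco's JSON output (not captured from a real deployment).
ALERT_SECRET = json.dumps({
    "rule": "Read secret file after startup", "priority": "Warning", "time": "2018-01-01T00:00:00Z",
    "output": "Sensitive file opened for reading after startup (user=app command=node server.js file=/etc/secrets/db_password)",
    "output_fields": {"k8s.ns.name": "prod", "k8s.pod.name": "api-5c6d9", "fd.name": "/etc/secrets/db_password"}})
ALERT_INFO = json.dumps({
    "rule": "Node Container Runs Node", "priority": "Info", "time": "2018-01-01T00:00:01Z",
    "output": "Node container started other process (user=root command=npm install)",
    "output_fields": {"k8s.ns.name": "prod", "k8s.pod.name": "api-5c6d9"}})
ALERT_DOCKER_HOST = json.dumps({
    "rule": "write_binary_dir", "priority": "Warning", "time": "2018-01-01T00:00:02Z",
    "output": "File below a known binary directory opened for writing (user=root command=bash file=/usr/bin/curl)",
    "output_fields": {"container.id": "3c5f2a1b9d0e", "fd.name": "/usr/bin/curl"}})

if __name__ == "__main__":
    responder = AlertResponder(delete_pod=lambda ns, pod: print("delete", ns, pod),
                               notify=lambda p: print("notify", p["rule"]),
                               log=lambda p: print("log", p["action"]))
    for alert in (ALERT_SECRET, ALERT_SECRET, ALERT_INFO, ALERT_DOCKER_HOST):
        responder.handle(alert)
```

In a real deployment the delete_pod callable would wrap the Kubernetes API (the kubeless function on slide 29), notify would post to the team channel and log would write to the SIEM; keeping them injectable is what lets one subscriber be tested without a cluster and lets several subscribers share the policy.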
  • 31. Installing Falco
    • Debian Package
      • apt-get -y install falco
    • Redhat Package
      • yum -y install falco
    • Installation Script
      • curl -s https://s3.amazonaws.com/download.draios.com/stable/install-falco | sudo bash
    • Docker container
      • docker pull sysdig/falco
    • Full instructions
      • https://github.com/draios/falco/wiki/How-to-Install-Falco-for-Linux
  • 32. Installing Falco on Kubernetes
    • Install Falco as Kubernetes daemonSet
      • https://github.com/draios/falco/tree/dev/examples/k8s-using-daemonset
    • Configuration stored in Kubernetes ConfigMaps
    • Conditions in a Falco rule can leverage Kubernetes metadata to trigger events
    • Falco events can include Kubernetes metadata to give notification context:
      • name, id, labels for pods, replicationController, replicaSet, deployment, service, and namespace
    • Helm Chart WIP here: https://github.com/nestorsalceda/charts/tree/falco/stable/falco
  • 33. Running Falco
    • As a service
      • $ service falco start
      • alerts to syslog
    • By hand
      • $ sudo falco -r <rules file> -c <config file>
      • alerts to syslog, stdout
    • Using Docker
      • docker run -i -t --name falco --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro sysdig/falco
    • Full Instructions
      • https://github.com/draios/falco/wiki/Running-Falco
  • 34. Join the community
    • Website: http://www.sysdig.org/falco
    • Public Slack: https://sysdig.slack.com/messages/falco
    • Blog: https://sysdig.com/blog/tag/falco/
    • Sysdig Secure: http://sysdig.com/product/secure
  • 35. Learn more
    Github
    • https://github.com/draios/falco
    • Pull Requests welcome!
    Wiki
    • https://github.com/draios/falco/wiki
    Docker Hub
    • https://hub.docker.com/r/sysdig/falco/
  • 36. Post-mortem and forensics
    What? Where? Who? Why?
    logs? SSH into prod? and start messing around?
  • 37. How did we do this in the past?
  • 38.
  • 40. Thank you!
    Jorge Salamero - @bencerillo - Sysdig