Express Guide Sysdig Falco — install and config

Ivan Piskunov
6 min read · Jul 25, 2022

Sysdig Falco is a runtime security tool that detects anomalous activity by watching system calls. It works both on the host and inside containers.

Falco consists of two parts: the falco_probe kernel module, which captures system calls, and the falco daemon, which evaluates the captured events against rules and emits notifications. Both the daemon configuration and the rules are YAML files under /etc/falco. This note looks at Falco on CentOS 7.

Installation and basic configuration.

Installation is a single command. The script installs the kernel headers needed to build the module, builds the falco_probe kernel module, and loads it. Note that this pipes a script fetched from the vendor straight into a root shell; if that is a concern in your environment, download it first and read it before running it:

# curl -s https://s3.amazonaws.com/download.draios.com/stable/install-falco | sudo bash

Once it finishes, confirm that the kernel module is loaded:

# lsmod | grep falco
falco_probe 614337 0

Next, look at the main configuration file, /etc/falco/falco.yaml. Here you specify which rules files to load, the output format for notifications, where to send them, and the minimum priority to report. By default notifications go to stderr/stdout and to syslog. To additionally write notifications to a separate log file, look at this section:

file_output:
  enabled: false
  keep_alive: false
  filename: ./events.txt

Email notifications go through program_output, near the bottom of the config, which pipes each notification to the stdin of the given program:

program_output:
  enabled: false
  keep_alive: false
  program: mail -s "Falco Notification" someone1@myexample.com

Make any changes you need and save the file. For this note I did not change anything and kept the defaults.

Sysdig Falco rules.

Let's start with a simple example, a rule that alerts on network activity by system binaries. Note that the condition as written does not actually restrict which binaries match: any process that opens an IP socket will trigger it, which is why the ping test below is so noisy.

- rule: system_binaries_network_activity
  desc: network activity by system binaries that are not expected to generate any network traffic
  condition: ((inbound or outbound) and (fd.sockfamily = ip)) and (fd.name != '')
  output: "Binary generate network traffic by (user=%user.name command=%proc.cmdline connection=%fd.name type=%evt.type)"
  priority: WARNING
  tags: [filesystem, network]
  • rule — the name of the rule; Falco uses it to identify the rule in its output and logs.
  • desc — a free-form description of the rule.
  • condition — the filter expression that triggers the rule, written in Sysdig filter syntax. The rule fires for every event that matches it. inbound, outbound, and container are macros defined in the default rule set.
  • output — the message written for each matching event; %field placeholders such as %user.name and %fd.name are filled in from the event.
  • priority — the severity of the rule: one of EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFORMATIONAL, DEBUG.
  • tags — free-form tags that let you enable or disable groups of rules from the command line.

Monitoring network activity.

After installation, /etc/falco/falco_rules.yaml already contains a sizeable set of rules, so look through it before writing your own. That file is replaced on package upgrades; custom rules go in /etc/falco/falco_rules.local.yaml, which is loaded after it and is meant for local additions and overrides.

Save the rule above there and restart the service:

# systemctl restart falco

Now ping any domain and then check /var/log/messages. Since the rule fires on every matching syscall, a single ping -c1 already produces several warnings for the DNS lookup alone:

Oct 11 12:59:50 centos-2gb-hel1-1 falco: 12:59:50.343148030: Warning Binary generate network traffic by (user=root command=ping -c1 ya.ru connection=95.216.162.218:32820->213.133.98.98:53 type=connect)
Oct 11 12:59:50 centos-2gb-hel1-1 falco: 12:59:50.343197498: Warning Binary generate network traffic by (user=root command=ping -c1 ya.ru connection=95.216.162.218:32820->213.133.98.98:53 type=sendto)
Oct 11 12:59:50 centos-2gb-hel1-1 falco: 12:59:50.345198065: Warning Binary generate network traffic by (user=root command=ping -c1 ya.ru connection=95.216.162.218:32820->213.133.98.98:53 type=ioctl)
Oct 11 12:59:50 centos-2gb-hel1-1 falco: 12:59:50.345205363: Warning Binary generate network traffic by (user=root command=ping -c1 ya.ru connection=95.216.162.218:32820->213.133.98.98:53 type=recvfrom)

File system monitoring.

The standard rule set includes a rule for writes below /etc (write_etc_common is a macro defined in falco_rules.yaml):

- rule: Write below etc
  desc: an attempt to write to any file below /etc
  condition: write_etc_common
  output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])"
  priority: ERROR
  tags: [filesystem]

To check that it works, edit /etc/resolv.conf, for example, and look in /var/log/messages, where an entry like this appears:

Oct 11 13:16:46 centos-2gb-hel1-1 falco: 13:16:46.994403084: Error File below /etc opened for writing (user=root command=nano -w /etc/resolv.conf parent=bash pcmdline=bash file=/etc/resolv.conf program=nano gparent=sshd ggparent=sshd gggparent=systemd)
Oct 11 13:16:48 centos-2gb-hel1-1 falco: 13:16:48.967124902: Error File below /etc opened for writing (user=root command=nano -w /etc/resolv.conf parent=bash pcmdline=bash file=/etc/resolv.conf program=nano gparent=sshd ggparent=sshd gggparent=systemd)

Monitoring activity in a container.

For this note I am working on a test server, so install Docker and pull a plain CentOS image:

# yum install docker
# systemctl restart docker
# docker pull centos

Take the rule above and modify it slightly so that it only matches network activity inside containers (container is a macro from the default rules that is true when the event did not originate on the host):

- rule: system_binaries_network_activity_docker
  desc: network activity by system binaries that are not expected to generate any network traffic in a container
  condition: ((inbound or outbound) and (fd.sockfamily = ip)) and fd.name != '' and container
  output: "Binary generate network traffic from container %container.id by (user=%user.name command=%proc.cmdline connection=%fd.name type=%evt.type)"
  priority: WARNING
  tags: [container, network]

Add the rule to /etc/falco/falco_rules.local.yaml, save, and restart the service:

# systemctl restart falco

Now start the container, ping ya.ru from inside it, and exit back to the host OS:

# docker run --rm -it centos /bin/bash
[root@0a6ed013ee29 /]# ping -c1 ya.ru
...
[root@0a6ed013ee29 /]# exit
exit
#

Check /var/log/messages once more; this time the warnings carry the container id, as our rule specified:

Oct 11 13:43:58 centos-2gb-hel1-1 falco: 13:43:58.887939368: Warning Binary generate network traffic from container 0a6ed013ee29 by (user=root command=ping -c1 ya.ru connection=172.17.0.2:49217->213.133.98.98:53 type=sendto)
Oct 11 13:43:58 centos-2gb-hel1-1 falco: 13:43:58.888361623: Warning Binary generate network traffic from container 0a6ed013ee29 by (user=root command=ping -c1 ya.ru connection=172.17.0.2:49217->213.133.98.98:53 type=ioctl)
Oct 11 13:43:58 centos-2gb-hel1-1 falco: 13:43:58.888382571: Warning Binary generate network traffic from container 0a6ed013ee29 by (user=root command=ping -c1 ya.ru connection=172.17.0.2:49217->213.133.98.98:53 type=recvfrom)
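The alerts shown on this page, for the host ping, the /etc write and the container ping, arrive in /var/log/messages as one line per matching syscall, so a single ping produces three or four warnings. The following Python script is an added example, not part of the original article or of Falco itself: it parses those text lines into structured records and collapses each burst into one record per (container, user, command, target), which is the shape you would want before forwarding alerts to a SIEM. The sample lines are the ones shown above; the regular expressions assume rsyslog's default line format on CentOS 7 and the output strings of the rules used on this page. In production you would rather set json_output: true in falco.yaml and consume JSON, which avoids the ambiguity of parsing a free-text command line.

```python
import re
from collections import OrderedDict

# Falco text alerts as rsyslog writes them to /var/log/messages on CentOS 7.
# These sample lines are the alerts shown earlier on this page.
SAMPLE_LINES = [
    "Oct 11 12:59:50 centos-2gb-hel1-1 falco: 12:59:50.343148030: Warning Binary generate network traffic by (user=root command=ping -c1 ya.ru connection=95.216.162.218:32820->213.133.98.98:53 type=connect)",
    "Oct 11 12:59:50 centos-2gb-hel1-1 falco: 12:59:50.343197498: Warning Binary generate network traffic by (user=root command=ping -c1 ya.ru connection=95.216.162.218:32820->213.133.98.98:53 type=sendto)",
    "Oct 11 12:59:50 centos-2gb-hel1-1 falco: 12:59:50.345198065: Warning Binary generate network traffic by (user=root command=ping -c1 ya.ru connection=95.216.162.218:32820->213.133.98.98:53 type=ioctl)",
    "Oct 11 12:59:50 centos-2gb-hel1-1 falco: 12:59:50.345205363: Warning Binary generate network traffic by (user=root command=ping -c1 ya.ru connection=95.216.162.218:32820->213.133.98.98:53 type=recvfrom)",
    "Oct 11 13:16:46 centos-2gb-hel1-1 falco: 13:16:46.994403084: Error File below /etc opened for writing (user=root command=nano -w /etc/resolv.conf parent=bash pcmdline=bash file=/etc/resolv.conf program=nano gparent=sshd ggparent=sshd gggparent=systemd)",
    "Oct 11 13:16:48 centos-2gb-hel1-1 falco: 13:16:48.967124902: Error File below /etc opened for writing (user=root command=nano -w /etc/resolv.conf parent=bash pcmdline=bash file=/etc/resolv.conf program=nano gparent=sshd ggparent=sshd gggparent=systemd)",
    "Oct 11 13:43:58 centos-2gb-hel1-1 falco: 13:43:58.887939368: Warning Binary generate network traffic from container 0a6ed013ee29 by (user=root command=ping -c1 ya.ru connection=172.17.0.2:49217->213.133.98.98:53 type=sendto)",
    "Oct 11 13:43:58 centos-2gb-hel1-1 falco: 13:43:58.888361623: Warning Binary generate network traffic from container 0a6ed013ee29 by (user=root command=ping -c1 ya.ru connection=172.17.0.2:49217->213.133.98.98:53 type=ioctl)",
    "Oct 11 13:43:58 centos-2gb-hel1-1 falco: 13:43:58.888382571: Warning Binary generate network traffic from container 0a6ed013ee29 by (user=root command=ping -c1 ya.ru connection=172.17.0.2:49217->213.133.98.98:53 type=recvfrom)",
]

# rsyslog prefix, then Falco's own "HH:MM:SS.nnnnnnnnn: Priority <rule output>".
SYSLOG_RE = re.compile(
    r"^(?P<logged_at>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) falco: "
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d+): "
    r"(?P<priority>Emergency|Alert|Critical|Error|Warning|Notice|Informational|Debug) "
    r"(?P<message>.+)$"
)

# Container id as emitted by this page's custom rule ("from container <id>").
CONTAINER_RE = re.compile(r"from container (?P<id>[0-9a-f]{12}) ")

# key=value pairs inside the trailing parentheses. A value runs until the next
# " key=" token, so a command line that itself contains "x=y" would be split
# wrongly. That is an inherent limitation of parsing text output.
FIELD_RE = re.compile(r"(?P<key>[a-z_]+)=(?P<value>.*?)(?= [a-z_]+=|$)")


def parse_fields(text):
    """'user=root command=ping -c1 ya.ru type=connect' -> dict of fields."""
    return {m.group("key"): m.group("value") for m in FIELD_RE.finditer(text)}


def parse_alert(line):
    """Parse one syslog line carrying a Falco alert; return None for any other line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    message = m.group("message")
    paren = message.find("(")
    rule_text = message[:paren].strip() if paren != -1 else message
    fields = parse_fields(message[paren + 1:].rstrip(")")) if paren != -1 else {}
    c = CONTAINER_RE.search(message)
    return {
        "logged_at": m.group("logged_at"),
        "host": m.group("host"),
        "ts": m.group("ts"),
        "priority": m.group("priority").upper(),
        "rule_text": rule_text,
        "container": c.group("id") if c else None,
        "fields": fields,
    }


def summarize(lines):
    """Collapse the per-syscall burst into one record per
    (container-or-host, user, command, target), in first-seen order."""
    groups = OrderedDict()
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        f = alert["fields"]
        target = f.get("connection") or f.get("file") or ""
        key = (alert["container"] or "host", f.get("user", ""), f.get("command", ""), target)
        rec = groups.get(key)
        if rec is None:
            rec = groups[key] = {
                "where": key[0], "user": key[1], "command": key[2], "target": target,
                "priority": alert["priority"], "first": alert["ts"], "last": alert["ts"],
                "count": 0, "syscalls": [],
            }
        rec["count"] += 1
        rec["last"] = alert["ts"]
        syscall = f.get("type")  # network rules carry type=<syscall>; the /etc rule does not
        if syscall and syscall not in rec["syscalls"]:
            rec["syscalls"].append(syscall)
    return list(groups.values())


if __name__ == "__main__":
    for rec in summarize(SAMPLE_LINES):
        print(f'{rec["priority"]:<8} {rec["where"]:<13} {rec["user"]} {rec["command"]!r} '
              f'-> {rec["target"]} x{rec["count"]} syscalls={",".join(rec["syscalls"]) or "-"}')
```

Run against the nine sample lines it yields three records instead of nine alerts: the host ping (four syscalls against the resolver), the two nano opens of /etc/resolv.conf, and the container ping. The grouping key deliberately includes the container id, so the same command on the host and in a container is never merged.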

In this way we can, quite simply, monitor almost any action on the system, both on the host and in containers, bearing in mind that a broad condition like the one above alerts on every matching syscall and needs narrowing before it is useful in production.

Ivan Piskunov

DevSecOps expert, Security Evangelist, Researcher, Speaker, Book’s author