Falco Workshop virtual machines

Introduction

Falco is a runtime security tool that monitors kernel system calls and Kubernetes audit log events to detect risky and malicious behaviour. It comes with a large set of detection rules created and curated by the Falco developers that cover many cases and help you strengthen your infrastructure security posture.

It requires a kernel driver or eBPF module, which in turn needs the Linux kernel headers and some build tools in specific directories before it can start working. The Falco team works hard to make sure it works well on any cloud provider's default VM and Kubernetes node, but it doesn't play well on local development machines.

If you use macOS or Windows, Docker and Kubernetes / Minikube run inside a VM that may not have a standard kernel for which headers are easy to find, and it may even lack a package manager to install them. Using a very recent version of Linux can also be problematic (my problem with Debian 11 at the time of writing this).

This repository contains Vagrant boxes (virtual machines) for learning and testing the Falco installation locally, whatever the operating system of your desktop or laptop, as well as boxes with Falco preinstalled to help with writing new rules. The idea is to use them in a workshop, so that students who miss a step can jump into the box for the topic being explained.

Additional information

This repository only tries to provide the virtual machines, not information about how to use Falco. To learn more about that, check these references:

Software you need

Using Vagrant boxes

Falco runs only on a Linux kernel, so we will all use a Vagrant virtual machine as a standard way for everyone to follow the workshop with the same set of instructions.

To use one of the boxes (virtual machines), use:

# go to the folder of the box
cd box1
# start virtual machine
vagrant up
# log into virtual machine
vagrant ssh

If you need to execute commands as root, use:

# To run a command with sudo, the password for the user 'vagrant' is 'vagrant'

# To use 'su', set a password for root (not set by default)
sudo passwd root

# or use it with sudo
sudo su

Exit, halt and destroy the Vagrant box with:

# exit Vagrant box
exit

# Halt Vagrant box
vagrant halt

# Completely destroy Vagrant box content
vagrant destroy -f

Shared directories in the Vagrant boxes

Once started, every Vagrant box has a /vagrant folder containing a read-only copy of all the content of the directory from which you started it. To get a folder that is synced back to the host, read further at the end of this document.

Connect Visual Studio Code to the Vagrant box

If you want to connect your Visual Studio Code to the Vagrant box, follow these instructions: https://medium.com/@lopezgand/connect-visual-studio-code-with-vagrant-in-your-local-machine-24903fb4a9de

Boxes

box1

Use this box to familiarize yourself with Vagrant and to practice installing Falco.

box2

Use this box to practice triggering single rules and modifying Falco rules.

box3

Use this box to practice installing Falco using Docker and using the Falco event generator to trigger many Falco rules.

box4

Use this box to practice using Minikube and Kubernetes in general.

To use kubectl from the host without having to SSH into the VM, execute this on the host after starting it:

# Execute this on the host
./cp_kubeconfig.sh
# export it so that kubectl (a child process) actually picks it up
export KUBECONFIG=$(pwd)/kubeconfig
kubectl get nodes

This box is similar to the next one but without the Falco content, for those who only want to use Minikube in Vagrant.

box5

This box is similar to the previous one; it also has cp_kubeconfig.sh for using kubectl from the host, as described for box4.

Using Falco

Here are brief instructions on how to install and test Falco at host level. See the documentation referred to in the introduction for more information.

Install Falco at host level

sudo apt-get update
sudo apt-get -y install gpg curl
curl -o install-falco.sh -s \
  https://s3.amazonaws.com/download.draios.com/stable/install-falco

sudo bash install-falco.sh

Test Falco is working

Edit falco.yaml configuration file:

sudo nano /etc/falco/falco.yaml

Change:

file_output:
  enabled: false
  keep_alive: false
  filename: ./events.txt

To:

file_output:
  enabled: true
  keep_alive: false
  filename: /var/log/falco.log

Restart Falco to load the new configuration:

sudo /etc/init.d/falco restart

Write a test file to the /etc folder so that it triggers a security event:

sudo touch /etc/test

Read Falco logs to see all security events:

cat /var/log/falco.log
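The two manual steps above (editing file_output in falco.yaml, then reading /var/log/falco.log) can also be scripted. The following shell helpers are an added example and are not part of this repository: falco_enable_file_output rewrites only the file_output block of a falco.yaml, and falco_count_priority / falco_etc_writes summarise Falco's text output. The falco.yaml excerpt and the log lines are constructed samples; the log lines follow the layout of Falco's text output ("<time>: <Priority> <rule output>"), with the "File below /etc opened for writing" message of the default Write below etc rule, but the timestamps and process details are made up.

```sh
#!/bin/sh
# Added example, not part of the workshop repository.
# Helpers for the manual steps above: rewrite the file_output block of
# falco.yaml non-interactively, then summarise the events Falco writes.

FALCO_LOG_PATH=/var/log/falco.log

# Rewrite only the file_output: block of a falco.yaml (stdin or file args):
# set enabled: true and point filename at FALCO_LOG_PATH. Other output
# blocks (syslog_output, stdout_output) also carry an "enabled:" key and
# are left untouched, which a plain global sed would not guarantee.
falco_enable_file_output() {
  awk -v path="$FALCO_LOG_PATH" '
    /^file_output:/         { inblk = 1; print; next }
    inblk && /^[^ #]/       { inblk = 0 }          # next top-level key ends the block
    inblk && /^ +enabled:/  { sub(/enabled:.*/, "enabled: true") }
    inblk && /^ +filename:/ { sub(/filename:.*/, "filename: " path) }
    { print }
  ' "$@"
}

# Count events of one priority (Error, Warning, Notice, ...) in Falco text
# output, whose lines look like "<time>: <Priority> <rule output (...)>".
# Usage: falco_count_priority Error [logfile]   (reads stdin without a file)
falco_count_priority() {
  _prio="$1"; shift
  awk -v p="$_prio" '$2 == p { n++ } END { print n + 0 }' "$@"
}

# Print the paths reported by the "Write below etc" rule, so the
# `sudo touch /etc/test` step above can be checked for its hit.
falco_etc_writes() {
  sed -n 's/.*File below \/etc opened for writing.*[ (]file=\([^ )]*\).*/\1/p' "$@"
}

# Constructed excerpt of /etc/falco/falco.yaml, in the shape shown above.
falco_sample_yaml() {
  cat <<'EOF'
json_output: false

syslog_output:
  enabled: true

file_output:
  enabled: false
  keep_alive: false
  filename: ./events.txt

stdout_output:
  enabled: true
EOF
}

# Constructed sample of Falco text output (timestamps and process details
# are made up; the layout is Falco's "<time>: <Priority> <output>").
falco_sample_log() {
  cat <<'EOF'
10:15:01.123456789: Error File below /etc opened for writing (user=root user_loginuid=1000 command=touch /etc/test parent=sudo pcmdline=sudo touch /etc/test file=/etc/test program=touch gparent=bash ggparent=sshd gggparent=sshd container_id=host image=<NA>)
10:15:02.555555555: Warning Sensitive file opened for reading by non-trusted program (user=vagrant user_loginuid=1000 program=cat command=cat /etc/shadow file=/etc/shadow parent=bash gparent=sshd ggparent=sshd gggparent=sshd container_id=host image=<NA>)
10:15:03.987654321: Error File below /etc opened for writing (user=root user_loginuid=1000 command=tee /etc/hosts parent=sudo pcmdline=sudo tee /etc/hosts file=/etc/hosts program=tee gparent=bash ggparent=sshd gggparent=sshd container_id=host image=<NA>)
EOF
}

# Example run against the constructed samples. On a box, use the real files:
#   falco_enable_file_output /etc/falco/falco.yaml | sudo tee /etc/falco/falco.yaml.new >/dev/null
#   falco_count_priority Error /var/log/falco.log
falco_sample_yaml | falco_enable_file_output
falco_sample_log  | falco_count_priority Error
falco_sample_log  | falco_etc_writes
```

Against the samples, the yaml rewrite flips only the file_output block (the other two enabled: true lines are untouched), the Error count is 2, and the /etc writes listed are /etc/test and /etc/hosts. Review the rewritten falco.yaml.new before moving it into place; the helpers never modify files themselves.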

Possible modifications to Vagrantfile

There are several useful ways to modify the Vagrantfile provided:

Enable folder synchronization

This option was enabled by default before but proved problematic in some Windows environments.

To enable this, uncomment:

config.vm.network "private_network", ip: "192.168.33.99"
config.vm.synced_folder "../", "/workshop", nfs: true

When you run vagrant up, you may need to enter administrative credentials for the NFS driver to be loaded. After VM creation, its /workshop folder is two-way synced with the local folder of this repository on the host machine (the /vagrant folder continues to hold a read-only copy of the content as of VM creation).

Modify the memory allocation for the VM

Depending on your situation, you may want to give the VM less memory (if your host machine is limited) or more (if you want to run more demanding workloads on it).

To do so, uncomment and modify these lines:

config.vm.provider "virtualbox" do |vb|
   vb.memory = "8192"
end

Forward ports to localhost on host machine

If you want to redirect ports to localhost on the host machine (for example to use kubectl proxy), add a line like this to the Vagrantfile:

config.vm.network "forwarded_port", guest: 8080, host: 8080, auto_correct: true

The 'auto_correct: true' parameter ensures that if the host port is already in use, a different one is assigned automatically (look at the output when the VM is started).

Solve problems with Windows and WSL2

You can use Vagrant on Windows natively. You can also use it from within a WSL2 Linux distribution running on Windows, but it's... complicated.

After doing all that, if this repository's files live in the WSL2 filesystem rather than in a native Windows folder, you may need to disable folder synchronization because of an incompatibility:

config.vm.synced_folder '.', '/vagrant', disabled: true

Use with Sysdig Agent

Sysdig is the enterprise monitoring and security platform whose company originally created Falco. The Sysdig agent has an installation similar to Falco's, and one of its capabilities is providing runtime security with Falco rules.

But to install the Sysdig agent on any of these boxes, you have to perform the additional steps described here.

History of usage at events

Please, if you use this repo in training or an event, send a PR updating this list!