Falco by sysdig

Earlier this week the guys over at sysdig↗ announced the availability of Falco, a behavioral security service which is built on top of their core Open Source sysdig engine. As is always the case when I try new things, I launched a Digital Ocean↗ Droplet running CentOS 7.2. Once the Droplet was available I ran the command to get the basics configured on the droplet; Falco by sysdig 1/6 c u r l - f s S h t t p s : / / r a w . g i t h u b u s e r c o n t e n t . c o m / r u s s m c k e n d r i c k / D O B o o t s t r a p / m a s t e r / d o - b o o t s t r a p . s h | b a s h Once the Droplet was configured I installed Falco using the repo provided by sysdig by running the following commands; Falco by sysdig 2/6 r c y y p u u u m r m m l — - - - y y i s m i i p n n o s s r t t t / a a e l l h t l l t c t / k f p y e a s u r l : m n c / . e o r l s e - 3 p d . o e a s v m . e a d l z - d $ n r ( a a u w i n s o a . s m c . e o r m e - / p r d o ) o w h n t l t o p a : d . / d d r o a w i n o l s o . a c d o . m d / r D a R i A o I s O . S c - o G m P / G s - t K a E b Y l . e p / u r b p l m i / c d r a i o s . r e p o With Falco installed, I started it up with the following command; Falco by sysdig 3/6 s e r v i c e f a l c o s t a r t and checked that everything was running as expected; Falco by sysdig 4/6 [ f L A D P C └ M M M M M M M M [ r a o c o r G ─ a a a a a a a a r o l a t c o r 2 y y y y y y y y o o c d i s c o 2 o t o e v : e u 0 2 2 2 2 2 2 2 2 t @ . d e s p 2 2 2 2 2 2 2 2 2 @ s s : : m s : 4 s e e a : 1 1 1 1 1 1 1 1 e r r l a n / / 2 2 2 2 2 2 2 2 r v v o c : 2 s u : : : : : : : : v e i a t s 2 y s 2 2 2 2 2 2 2 2 e r c d i y 0 s r 7 7 7 7 7 7 7 7 r e e v s 1 t / : : : : : : : : ~ d e t 9 e b 2 2 2 2 2 2 2 4 ~ ] — e m i 8 9 9 9 9 9 9 8 ] # ( m E . n # L / r d x s / s s s s s s s s s S e u - e l f e e e e e e e e e B t n s c i a r r r r r r r r r : c n y S c l v v v v v v v v v / i s t e c e e e e e e e e i F r n v a / o r r r r r r r r c a c g - r f . . . . . . . . e l . ) g t a — m m m m m m m m c d e = l c c c c c c c c f o / s n / c d k k k k k k k k a i i e e o a e e e e e e e e l s n n r t . e n n n n n n n n c y i c a c s m d d d d d d d d o s t e t e o r r r r r r r r c . r r n i i i i i i i i s a d S r c v c c c c c c c c t l / u ( . i — k k k k k k k k a l f n 8 d c . . . . . . . . t a ) / e p i i i i i i i i u m l 2 i i o o o o o o o o s o c 0 n d n o 1 i f s f f f f f s s i ) 6 t i y a a a a a y y t – . l s l l l l l s s o 0 d e t c c c c c t t r 5 / = e o o o o o e e i – f / m [ [ [ [ [ m m n 2 a v d 2 2 2 2 2 d d g 2 l a [ 2 2 2 2 2 [ [ c r 1 0 0 0 0 0 1 1 a 1 o / ] 2 1 2 1 1 ] ] g 2 r : 1 9 1 9 9 : : e : s u ] ] ] ] ] n 2 t n S : : : : : S S t 7 a / t t t : r f a F S P S [ a a 2 t a r a t a u r r 9 l t l a r n O t t ( c i c r s K e e B c o n o t e M d d S o . g i d a ] T d p i n y L L ; e i L n g r S S = d S i u 2 B B 2 e B t f l 2 : : 2 x : i a e s i a l s 1 F F t F l c 2 a a a e a i o f : l l g d l z : r 2 c c o , c e o 7 o o o d S m : s u 2 s s t s w n f 9 y y a y i i s s t s t M l 2 c c u c h a e 0 a a s a y 1 l l = l c / 6 l l 0 l o 2 e : / n 2 t m m S m f c P o o U o i 1 / a n n C n g 2 f r i i C i u : a s t t E t r 2 l e o o S o a 7 c d r r S r t : o i i ) i i 2 _ r n n n o 9 r u g g g n u l 2 l e a a a f 0 e s g g g i 1 s e e e l 6 . f n n n e : y r t t t a o . . … / F m m e a l t l f c c i / o l f e a i l n / c i e o t t . i c y a / a l f m i a l z l e c d o _ w r i u t l h e s c . o y n a f m i l g u r a t i o n f i l e / e t c / f a l c o . y a m l As you can, it was really straight forward to install. Next up I wanted to trigger a rule, looking through the default ruleset↗ I noticed the following; Falco by sysdig 5/6 - c - d c o p o e o u r m n r s n t i a d u c d p o c i l : i u r r t e t t i o i : a i : t : o c o y n u t n “ : a : s i : U d e v s W d p r i s e A u r _ t p r R s o m y a N e c g w m I r . m b n a N _ n t y _ n G b a _ p a i m b a r g n e i n o e a n y c m r i a e e i n r p s n e i r s t s ( e o a s g a b d r n i d a d n u m a s s n r e o y r t t , h c a p o d t r m e o m l c c a u a . n s n n d e a r m m r , a e u n n a a i d g n o d e u g ( t r u s s o s u i u e , d p r e , s s , u o d d f e p o l a ) c g s o r s a n o w n t u o d a p r i ) d n n s o e , t r o c ( r o u n s p t e e a r r i = m n % i e u s r s s e i a r o n . n d n s a . ( m a e s d u d c d u o o s m e m a r a n _ n d b d i = s n % u a p r r a i o r e c e s . c e o m x r d c l l l i u o n d g e e i ) d n ” . _ b A i c n t a i r v i i e t s y o i r n p c a o s n s t w a d i _ n b e i r n s a r i i s e s a l o s r o s e h x a c d l o u w d u e t d i l — s _ s b o i m n e a r c i o e n s t ) a i n e r s c r e a t e c u s t o m u s e r s o n t o p o f a b a s e l i n u x d i s t r i b u t i o n a t s t a r t u p . So I added a user, as you can see it triggered the rule; Falco by sysdig 6/6 [ [ M M r r a a o o y y o o t t 2 2 @ @ 2 2 s s e e 0 0 r r 8 8 v v : : e e 0 0 r r 6 6 : : ~ ~ 5 5 ] ] 8 8 # # d d a t i i d a g g d i i i u l t t s a a e - l l r 2 o o c c w m e e i e a a b s n n b s l a f f e g a a e l l s c c o o : : U S s e e n r s i m t a i n v a e g e f m i e l n e t o b p i e n n a e r d y f c o o r m m r a e n a d d i r n u g n b o y u t n s o i n d - e t r o u f s t c e o d n t p a r i o n g e r r a m ( u ( s u e s r e = r r = o r o o t o t c o c m o m m a m n a d n = d a = d a d d u d s u e s r e r w i w b i b b l b e l ) e f i l e = / e t c / s h a d o w ) After this really quick installation and five minutes of messing about with the rules I can already think of several use cases for Falco and will be keeping a close eye on it. You can find the GitHub repo for Falco at https://github.com/draios/falco↗ and also the announcement post here↗ .