Falco Runtime Security

What is Falco

Falco is a CNCF runtime security tool. It instruments the kernel, through either a kernel module or an eBPF probe, to capture system calls and evaluates each event against a rule set; when a rule's condition matches (a shell spawned inside a container, a sensitive file read by an unexpected process, a privileged container starting) it emits an alert. Falco detects and reports; it does not block, so enforcement has to be done by whatever consumes its alerts.

Installation

bash
# Deploy Falco as a DaemonSet using the eBPF probe (driver.kind also accepts
# kmod and modern_ebpf) and enable the Falcosidekick sidecar for alert
# forwarding. Replace the Slack webhook placeholder with your own URL.
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco falcosecurity/falco \
  --namespace falco \
  --create-namespace \
  --set driver.kind=ebpf \
  --set falcosidekick.enabled=true \
  --set falcosidekick.config.slack.webhookurl=https://hooks.slack.com/xxx

Rule examples

yaml
# /etc/falco/falco_rules.local.yaml
# Keep custom rules out of falco_rules.yaml, which Falco upgrades overwrite.
# The macros used below (spawned_process, container, shell_procs, open_read,
# sensitive_files, container_started, container_entrypoint,
# falco_privileged_containers) are defined in the upstream falco_rules.yaml,
# so this file must be loaded after it. A rule that reuses an upstream rule
# name replaces that upstream rule. Validate with `falco -V <file>` before
# shipping.

# Lists referenced by the rules below that upstream does not define. Without
# them Falco refuses to load the file. Entries are illustrative; tune them to
# the workloads you actually run.
- list: trusted_programs
  items: [sshd, sudo, su, login, passwd]
- list: trusted_images
  items: [docker.io/falcosecurity/falco]
- list: crypto_miners
  items: [xmrig, minerd, cpuminer, ethminer]

# Interactive shell started inside a container. proc.tty != 0 means a TTY
# was allocated (as with kubectl exec -it), so non-interactive shells in
# entrypoints do not fire.
- rule: Terminal shell in container
  desc: An interactive shell was spawned inside a container
  condition: >
    spawned_process and container
    and shell_procs and proc.tty != 0
    and container_entrypoint
  output: >
    Shell spawned in a container (user=%user.name %container.info
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell, mitre_execution]

# Read of a sensitive file (/etc/shadow, sudoers, ...) by a process or image
# not on the trusted lists.
- rule: Read sensitive file untrusted
  desc: A sensitive file was opened for reading by an untrusted program
  condition: >
    open_read and sensitive_files
    and not proc.name in (trusted_programs)
    and not container.image.repository in (trusted_images)
  output: >
    Sensitive file opened for reading (user=%user.name
    command=%proc.cmdline file=%fd.name)
  priority: WARNING

# Privileged container start. falco_privileged_containers excludes the
# system containers upstream already expects to run privileged.
- rule: Launch Privileged Container
  desc: A privileged container was started
  condition: >
    container_started and container
    and container.privileged=true
    and not falco_privileged_containers
  output: >
    Privileged container started (user=%user.name
    image=%container.image.repository:%container.image.tag)
  priority: WARNING

# Crypto mining: known miner binaries by name, plus the Stratum pool URL
# scheme or xmrig anywhere in the command line (catches renamed binaries).
- rule: Detect crypto miners
  desc: A cryptocurrency mining process was started
  condition: >
    spawned_process and
    (proc.name in (crypto_miners) or
     proc.cmdline contains "stratum+tcp" or
     proc.cmdline contains "xmrig")
  output: >
    Crypto miner process detected (user=%user.name
    command=%proc.cmdline container=%container.id)
  priority: CRITICAL

Alert integration

yaml
# Falcosidekick configuration (the chart's falcosidekick.config values).
# Priority order, most to least severe: emergency, alert, critical, error,
# warning, notice, informational, debug. minimumpriority forwards events at
# that level or above; an output without it forwards every alert.
config:
  slack:
    webhookurl: https://hooks.slack.com/xxx
    minimumpriority: warning    # WARNING and above go to chat
  pagerduty:
    routingkey: xxx
    minimumpriority: critical   # only CRITICAL and above page someone
  elasticsearch:
    hostport: http://elasticsearch:9200
    index: falco                # no threshold: everything is indexed for forensics
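The minimumpriority thresholds above decide which sinks each alert reaches, and getting the ordering wrong means either paging on noise or never paging at all. The script below is an added example, not code from Falco or Falcosidekick: it parses Falco's JSON-line output (json_output: true in falco.yaml) as `kubectl logs` shows it, with Falco's own log lines interleaved, and routes each alert using Falco's priority scale and the three thresholds from the config above. The sample log text is constructed (two rule names from this page plus one invented low-severity rule), and the elasticsearch threshold of "debug" is an assumption, since the config sets none for it.

```python
"""Route Falco JSON alerts by priority the way Falcosidekick's
minimumpriority settings do.

Added example for this page; not code from Falco or Falcosidekick.
Input is Falco's JSON-line output as seen via `kubectl logs`, where
Falco's log messages are interleaved with alerts. The sample log text
and the sink thresholds below are constructed for the example.
"""
import json

# Falco's priority scale, most to least severe; Falcosidekick's
# minimumpriority uses the same ordering.
PRIORITIES = ("Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug")
RANK = {p.lower(): i for i, p in enumerate(PRIORITIES)}

# Sink thresholds mirroring the Falcosidekick config on this page. That
# config sets no minimumpriority for elasticsearch; "debug" (forward
# everything) is assumed here.
SINKS = {"slack": "warning", "pagerduty": "critical", "elasticsearch": "debug"}

# Constructed sample of `kubectl logs` output: one Falco log line, three
# alerts (two rule names from this page, one invented low-severity rule)
# and one line truncated by log rotation.
SAMPLE_LOGS = "\n".join([
    "Loading rules from file /etc/falco/falco_rules.yaml",
    '{"hostname":"node-1","output":"10:00:01.000000000: Warning Shell spawned in a container (user=root container_id=abc123 shell=bash parent=runc cmdline=bash)","priority":"Warning","rule":"Terminal shell in container","source":"syscall","tags":["container","shell","mitre_execution"],"time":"2024-05-03T10:00:01.000000000Z","output_fields":{"container.id":"abc123","proc.cmdline":"bash","proc.name":"bash","proc.pname":"runc","user.name":"root"}}',
    '{"hostname":"node-1","output":"10:00:02.000000000: Critical Crypto miner process detected (user=root command=xmrig -o stratum+tcp://pool.example:3333 container=def456)","priority":"Critical","rule":"Detect crypto miners","source":"syscall","tags":[],"time":"2024-05-03T10:00:02.000000000Z","output_fields":{"container.id":"def456","proc.cmdline":"xmrig -o stratum+tcp://pool.example:3333","user.name":"root"}}',
    '{"hostname":"node-1","output":"10:00:03.000000000: Notice Example low-severity event","priority":"Notice","rule":"Example low-severity rule","source":"syscall","tags":[],"time":"2024-05-03T10:00:03.000000000Z","output_fields":{}}',
    '{"hostname":"node-1","output":"10:00:04.0',
])


def at_least(priority, minimum):
    """True if `priority` is at least as severe as `minimum` (case-insensitive).

    An unrecognised alert priority is treated as Emergency so a malformed
    alert is forwarded rather than silently dropped; an unrecognised
    threshold is a misconfiguration and raises KeyError.
    """
    return RANK.get(priority.lower(), 0) <= RANK[minimum.lower()]


def parse_alerts(log_text):
    """Extract Falco alerts from mixed `kubectl logs` text.

    Non-JSON lines (Falco's own log messages) and truncated JSON lines are
    skipped; only objects carrying a rule and a priority count as alerts.
    """
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "rule" in obj and "priority" in obj:
            alerts.append(obj)
    return alerts


def container_of(alert):
    """Container id from output_fields; Falco reports 'host' for host processes."""
    return alert.get("output_fields", {}).get("container.id", "host")


def route(alert, sinks=SINKS):
    """Sorted names of the sinks whose minimumpriority this alert meets."""
    return sorted(name for name, minimum in sinks.items()
                  if at_least(alert["priority"], minimum))


def route_all(log_text, sinks=SINKS):
    """Map each alert's rule name to the sinks it would be forwarded to."""
    return {a["rule"]: route(a, sinks) for a in parse_alerts(log_text)}


if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE_LOGS):
        print(f'{alert["priority"]:<9}{alert["rule"]:<32} '
              f'container={container_of(alert)} -> {", ".join(route(alert))}')
```

Run against real output with `kubectl logs -n falco daemonset/falco -c falco | python3 route.py` after replacing SAMPLE_LOGS with stdin; the WARNING shell alert lands in Slack and Elasticsearch, only the CRITICAL miner alert also pages PagerDuty, and the NOTICE event is indexed but never notifies anyone.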

Common operations

bash
# Tail Falco alerts. The pod also runs falcoctl sidecars, so name the
# container explicitly.
kubectl logs -n falco daemonset/falco -c falco -f

# Trigger a rule: -t allocates a TTY, so proc.tty != 0 and "Terminal shell
# in container" fires. Without -t the same exec stays silent.
kubectl exec -it my-pod -- bash

# Show the name and description of every loaded rule. Note that --list
# lists event fields, not rules.
kubectl exec -n falco falco-xxx -c falco -- falco -L

# Hot-reload rules: Falco watches its rules files (watch_config_files: true)
# and reloads on change. This assumes the Helm release is named falco, so the
# chart-managed ConfigMap is falco-rules; a later helm upgrade will overwrite
# the ConfigMap unless the file is also supplied through the chart's
# customRules value.
kubectl create configmap falco-rules --from-file=custom_rules.yaml -n falco --dry-run=client -o yaml | kubectl apply -f -

The content on this site is compiled and written by 褚成志, for learning and reference only.