Hari 40: Falco Custom Rules — SecureBank Detection
5 min read

Hari 40: Falco Custom Rules — SecureBank Detection

4 custom Falco rules untuk SecureBank: shell detection, sensitive file read, network tool, K8s API access. Helm values.yaml untuk reproducible upgrades. 29 rules total, schema validation OK.

devsecops
kubernetes
falco
custom rules
runtime security
Share

Day 39 install Falco dengan 25 default rules. Default rules generic — berlaku untuk semua container. Hari ini buat 4 custom rules khusus untuk SecureBank: shell detection, sensitive file read, network tool, dan K8s API access.

Kenapa Custom Rules?

Default rules bagus, tapi tidak tahu context app kamu. SecureBank pakai distroless image — tidak punya shell. Kalau shell muncul di SecureBank container, itu sangat suspicious (attacker dapat RCE atau image di-tamper). Default rules akan alert untuk shell di container mana saja — custom rules scope ke container.image.repository contains "securebank" saja.

4 Custom Rules

Rule 1: Shell spawned in SecureBank (WARNING)

- rule: Shell spawned in SecureBank container
  desc: Detect shell execution in securebank containers.
        Distroless pods have no shell — if shell appears, it's suspicious.
  condition: >
    spawned_process and
    container and
    container.image.repository contains "securebank" and
    proc.name in (bash, sh, ash, zsh)
  priority: WARNING
  tags: [securebank, shell, mitre_execution]

Distroless pods tidak punya shell. Kalau bash/sh/ash/zsh muncul = something is very wrong.

Rule 2: Sensitive file read in SecureBank (CRITICAL)

- rule: Sensitive file read in SecureBank
  condition: >
    open_read and
    container and
    container.image.repository contains "securebank" and
    (fd.name startswith /etc/shadow or
     fd.name startswith /etc/passwd or
     fd.name startswith /proc/self/environ or
     fd.name startswith /root/.ssh or
     fd.name startswith /var/run/secrets)
  priority: CRITICAL
  tags: [securebank, filesystem, mitre_credential_access]

Tutorial cuma cek 3 path. Aku tambah /root/.ssh (SSH keys) dan /var/run/secrets (K8s mounted secrets). /var/run/secrets relevan karena Day 38 set automountServiceAccountToken: false — kalau ada akses ke path ini, attacker mencoba baca K8s secrets.

Rule 3: Network tool in SecureBank (NOTICE)

- rule: Network tool in SecureBank container
  condition: >
    spawned_process and
    container and
    container.image.repository contains "securebank" and
    proc.name in (nc, ncat, nmap, wget, curl, dig, nslookup, socat)
  priority: NOTICE
  tags: [securebank, network, mitre_discovery]

Tutorial cek 6 tools. Aku tambah nslookup (DNS recon) dan socat (reverse shell / port forwarding). Network tools di distroless = potential lateral movement atau data exfiltration.

Rule 4: K8s API access from SecureBank (WARNING) — BONUS

- rule: K8s API access from SecureBank
  desc: >
    Detect contact to K8s API server from securebank containers.
    automountServiceAccountToken: false means no token mounted —
    any API server contact is suspicious.
  condition: >
    evt.type=connect and
    (fd.typechar=4 or fd.typechar=6) and
    container and
    container.image.repository contains "securebank" and
    k8s_api_server
  priority: WARNING
  tags: [securebank, k8s, mitre_discovery]

Rule ini tie ke Day 38 RBAC work: automountServiceAccountToken: false = tidak ada token. Kalau Pod contact K8s API server, attacker mungkin telah menemukan credentials secara lain.

Helm Values File: Reproducible Upgrades

Day 39 install pakai 3 --set flags. Kalau upgrade tanpa values.yaml, harus re-type semua. Solution: falco-values.yaml — semua config di satu file, committed ke repo.

# securebank-api/security/falco-values.yaml
driver:
  kind: modern_ebpf
falcosidekick:
  enabled: true
  webui:
    enabled: true
customRules:
  securebank-rules.yaml: |-
    <inline rules content>
helm upgrade falco falcosecurity/falco \
  --namespace falco \
  --values security/falco-values.yaml

Satu command, reproducible, version-controlled.

Verify: 29 Rules Loaded

=== Schema validation (all 3 pods) ===
falco-dqg5b:  /etc/falco/rules.d/securebank-rules.yaml | schema validation: ok
falco-hrtlv:  /etc/falco/rules.d/securebank-rules.yaml | schema validation: ok
falco-jnl7w:  /etc/falco/rules.d/securebank-rules.yaml | schema validation: ok

=== Rule count ===
Default rules: 25
Custom rules:  4
Total:         29 rules

Custom rules di-mount ke /etc/falco/rules.d/ directory via ConfigMap. Falco config sudah set rules_files untuk include rules.d directory — tidak perlu modify default rules file.

Test Trigger: Simulated Attacker

# Tag busybox as securebank image (has shell, matches rule condition)
docker tag busybox:latest securebank:test
k3d image import securebank:test -c securebank

# Create Gatekeeper-compliant test pod
# command: sh -c "cat /etc/passwd && sleep 30"
# Should trigger: Rule 1 (shell) + Rule 2 (sensitive file /etc/passwd)
kubectl apply -f test-attacker-pod.yaml

Test pod Running di k3d-securebank-server-0. Falco pod di node yang sama: falco-jnl7w.

Test Result: k3d Tracepoint Limitation

Rules did NOT trigger. Root cause:

$ docker exec k3d-securebank-server-0 ls /sys/kernel/tracing/events/syscalls/
No such file or directory

k3d nodes (Docker containers dengan linuxkit kernel) tidak expose /sys/kernel/tracing/events/syscalls/ — tracepoint filesystem tidak mounted. Modern eBPF probe loaded, tapi tidak bisa attach ke syscall tracepoints. spawned_process butuh execve tracepoint, open_read butuh openat — keduanya unavailable.

Ini k3d limitation, bukan Falco atau rules issue:

  • Rules schema validation: OK (3/3 pods)
  • Rule conditions syntactically correct
  • Production dengan real kernel: rules akan trigger

Before vs After

Aspek Before (Day 39) After (Day 40)
Rules 25 default only 29 (25 + 4 custom)
Helm config --set flags falco-values.yaml (committed)
App-specific ❌ Generic ✅ SecureBank-targeted
MITRE tags Default + execution, credential_access, discovery

Falco Priority Levels

Priority Custom Rule
CRITICAL Sensitive file read
WARNING Shell spawned, K8s API access
NOTICE Network tool

Priority menentukan alert routing — Day 42 akan route CRITICAL → Slack #security-alerts.

Pelajaran Hari Ini

Custom rules = app-specific detection. Default rules generic. Custom rules scope ke app tertentu dengan container.image.repository contains "securebank". Distroless pods tidak punya shell — kalau "Shell spawned" trigger, something is very wrong.

rules.d/ directory untuk custom rules. Falco load dari multiple files: falco_rules.yaml (default) + rules.d/ (custom). Helm customRules ConfigMap di-mount ke rules.d/. Tidak perlu modify default rules.

values.yaml > --set flags. Reproducible, version-controlled, self-documenting. helm upgrade --values falco-values.yaml = satu command.

Rule ties ke RBAC work. Rule 4 (K8s API access) relevan karena Day 38 set automountServiceAccountToken: false. Custom rules bisa tie ke security decisions dari hari-hari sebelumnya.

Repo

Semua code dan dokumentasi ada di: https://github.com/stayrelevantid/chalange-devsecops

Kesimpulan

4 custom Falco rules untuk SecureBank: shell (WARNING), sensitive file (CRITICAL), network tool (NOTICE), K8s API access (WARNING). Helm values.yaml untuk reproducible upgrades. 29 total rules, schema validation OK. k3d tracepoint limitation block test trigger — rules valid, production dengan real kernel akan work. Besok Day 41 — Falco attack simulation.

Enjoyed this article? Share it!

Share

Diskusi & Komentar

Artikel Terkait