
Hari 40: Falco Custom Rules — SecureBank Detection
4 custom Falco rules untuk SecureBank: shell detection, sensitive file read, network tool, K8s API access. Helm values.yaml untuk reproducible upgrades. 29 rules total, schema validation OK.
Day 39 install Falco dengan 25 default rules. Default rules generic — berlaku untuk semua container. Hari ini buat 4 custom rules khusus untuk SecureBank: shell detection, sensitive file read, network tool, dan K8s API access.
Kenapa Custom Rules?
Default rules bagus, tapi tidak tahu context app kamu. SecureBank pakai distroless image — tidak punya shell. Kalau shell muncul di SecureBank container, itu sangat suspicious (attacker dapat RCE atau image di-tamper). Default rules akan alert untuk shell di container mana saja — custom rules scope ke container.image.repository contains "securebank" saja.
4 Custom Rules
Rule 1: Shell spawned in SecureBank (WARNING)
- rule: Shell spawned in SecureBank container
desc: Detect shell execution in securebank containers.
Distroless pods have no shell — if shell appears, it's suspicious.
condition: >
spawned_process and
container and
container.image.repository contains "securebank" and
proc.name in (bash, sh, ash, zsh)
priority: WARNING
tags: [securebank, shell, mitre_execution]
Distroless pods tidak punya shell. Kalau bash/sh/ash/zsh muncul = something is very wrong.
Rule 2: Sensitive file read in SecureBank (CRITICAL)
- rule: Sensitive file read in SecureBank
condition: >
open_read and
container and
container.image.repository contains "securebank" and
(fd.name startswith /etc/shadow or
fd.name startswith /etc/passwd or
fd.name startswith /proc/self/environ or
fd.name startswith /root/.ssh or
fd.name startswith /var/run/secrets)
priority: CRITICAL
tags: [securebank, filesystem, mitre_credential_access]
Tutorial cuma cek 3 path. Aku tambah /root/.ssh (SSH keys) dan /var/run/secrets (K8s mounted secrets). /var/run/secrets relevan karena Day 38 set automountServiceAccountToken: false — kalau ada akses ke path ini, attacker mencoba baca K8s secrets.
Rule 3: Network tool in SecureBank (NOTICE)
- rule: Network tool in SecureBank container
condition: >
spawned_process and
container and
container.image.repository contains "securebank" and
proc.name in (nc, ncat, nmap, wget, curl, dig, nslookup, socat)
priority: NOTICE
tags: [securebank, network, mitre_discovery]
Tutorial cek 6 tools. Aku tambah nslookup (DNS recon) dan socat (reverse shell / port forwarding). Network tools di distroless = potential lateral movement atau data exfiltration.
Rule 4: K8s API access from SecureBank (WARNING) — BONUS
- rule: K8s API access from SecureBank
desc: >
Detect contact to K8s API server from securebank containers.
automountServiceAccountToken: false means no token mounted —
any API server contact is suspicious.
condition: >
evt.type=connect and
(fd.typechar=4 or fd.typechar=6) and
container and
container.image.repository contains "securebank" and
k8s_api_server
priority: WARNING
tags: [securebank, k8s, mitre_discovery]
Rule ini tie ke Day 38 RBAC work: automountServiceAccountToken: false = tidak ada token. Kalau Pod contact K8s API server, attacker mungkin telah menemukan credentials secara lain.
Helm Values File: Reproducible Upgrades
Day 39 install pakai 3 --set flags. Kalau upgrade tanpa values.yaml, harus re-type semua. Solution: falco-values.yaml — semua config di satu file, committed ke repo.
# securebank-api/security/falco-values.yaml
driver:
kind: modern_ebpf
falcosidekick:
enabled: true
webui:
enabled: true
customRules:
securebank-rules.yaml: |-
<inline rules content>
helm upgrade falco falcosecurity/falco \
--namespace falco \
--values security/falco-values.yaml
Satu command, reproducible, version-controlled.
Verify: 29 Rules Loaded
=== Schema validation (all 3 pods) ===
falco-dqg5b: /etc/falco/rules.d/securebank-rules.yaml | schema validation: ok
falco-hrtlv: /etc/falco/rules.d/securebank-rules.yaml | schema validation: ok
falco-jnl7w: /etc/falco/rules.d/securebank-rules.yaml | schema validation: ok
=== Rule count ===
Default rules: 25
Custom rules: 4
Total: 29 rules
Custom rules di-mount ke /etc/falco/rules.d/ directory via ConfigMap. Falco config sudah set rules_files untuk include rules.d directory — tidak perlu modify default rules file.
Test Trigger: Simulated Attacker
# Tag busybox as securebank image (has shell, matches rule condition)
docker tag busybox:latest securebank:test
k3d image import securebank:test -c securebank
# Create Gatekeeper-compliant test pod
# command: sh -c "cat /etc/passwd && sleep 30"
# Should trigger: Rule 1 (shell) + Rule 2 (sensitive file /etc/passwd)
kubectl apply -f test-attacker-pod.yaml
Test pod Running di k3d-securebank-server-0. Falco pod di node yang sama: falco-jnl7w.
Test Result: k3d Tracepoint Limitation
Rules did NOT trigger. Root cause:
$ docker exec k3d-securebank-server-0 ls /sys/kernel/tracing/events/syscalls/
No such file or directory
k3d nodes (Docker containers dengan linuxkit kernel) tidak expose /sys/kernel/tracing/events/syscalls/ — tracepoint filesystem tidak mounted. Modern eBPF probe loaded, tapi tidak bisa attach ke syscall tracepoints. spawned_process butuh execve tracepoint, open_read butuh openat — keduanya unavailable.
Ini k3d limitation, bukan Falco atau rules issue:
- Rules schema validation: OK (3/3 pods)
- Rule conditions syntactically correct
- Production dengan real kernel: rules akan trigger
Before vs After
| Aspek | Before (Day 39) | After (Day 40) |
|---|---|---|
| Rules | 25 default only | 29 (25 + 4 custom) |
| Helm config | --set flags |
falco-values.yaml (committed) |
| App-specific | ❌ Generic | ✅ SecureBank-targeted |
| MITRE tags | Default | + execution, credential_access, discovery |
Falco Priority Levels
| Priority | Custom Rule |
|---|---|
| CRITICAL | Sensitive file read |
| WARNING | Shell spawned, K8s API access |
| NOTICE | Network tool |
Priority menentukan alert routing — Day 42 akan route CRITICAL → Slack #security-alerts.
Pelajaran Hari Ini
Custom rules = app-specific detection. Default rules generic. Custom rules scope ke app tertentu dengan container.image.repository contains "securebank". Distroless pods tidak punya shell — kalau "Shell spawned" trigger, something is very wrong.
rules.d/ directory untuk custom rules. Falco load dari multiple files: falco_rules.yaml (default) + rules.d/ (custom). Helm customRules ConfigMap di-mount ke rules.d/. Tidak perlu modify default rules.
values.yaml > --set flags. Reproducible, version-controlled, self-documenting. helm upgrade --values falco-values.yaml = satu command.
Rule ties ke RBAC work. Rule 4 (K8s API access) relevan karena Day 38 set automountServiceAccountToken: false. Custom rules bisa tie ke security decisions dari hari-hari sebelumnya.
Repo
Semua code dan dokumentasi ada di: https://github.com/stayrelevantid/chalange-devsecops
Kesimpulan
4 custom Falco rules untuk SecureBank: shell (WARNING), sensitive file (CRITICAL), network tool (NOTICE), K8s API access (WARNING). Helm values.yaml untuk reproducible upgrades. 29 total rules, schema validation OK. k3d tracepoint limitation block test trigger — rules valid, production dengan real kernel akan work. Besok Day 41 — Falco attack simulation.
Diskusi & Komentar
Hari 39: Falco Setup — Runtime Security Monitoring
Next ArticleHari 41: Falco Attack Sim — 6 Alerts, Defense in Depth
Artikel Terkait
Hari 20: Terraform + Checkov, 15 Celah IaC Ketahuan
Bikin infrastructure as code pakai Terraform, lalu scan dengan Checkov. Hasilnya 15 celah keamanan ketahuan — S3 tanpa enkripsi, security group terbuka ke dunia.
Hari 22: Pipeline IaC, Dua Scanner Barengan Gagal
Bikin workflow GitHub Actions khusus infrastructure security. Checkov dan Trivy IaC scan Terraform barengan. Hasilnya pipeline MERAH — security gate bekerja!
Hari 22 Bonus: Perbaikan Pipeline Gitleaks yang Merah Diam-diam
Pipeline Gitleaks merah sejak Day 14 karena flag --no-gitignore tidak pernah ada. Gitleaks detect scan git history, bukan working directory. Fix: hapus flag.