Hari 39: Falco Setup — Runtime Security Monitoring
5 min read

Hari 39: Falco Setup — Runtime Security Monitoring

Install Falco 0.44.1 via Helm dengan modern eBPF driver. 8 pods Running, 25 default rules, alerts firing. Falcosidekick + Web UI untuk alert forwarding. Runtime detection layer.

devsecops
kubernetes
falco
runtime security
ebpf
Share

Day 34 install Gatekeeper (admission control — cek sebelum Pod masuk). Hari ini install Falco (runtime monitoring — cek setelah Pod running). Dua layer yang complementary: Gatekeeper mencegah, Falco mendeteksi.

Kenapa Falco?

Gatekeeper cek di pintu masuk cluster: "Pod tanpa resources = ditolak". Tapi kalau attacker sudah dapat akses ke Pod yang running (misal via RCE), Gatekeeper tidak bisa bantu. Falco "memata-matai" syscall di kernel level — kalau ada yang exec shell di container, baca file sensitif, atau bikin reverse shell, Falco alert langsung.

Driver Selection: Modern eBPF

Falco butuh kernel-level driver untuk capture syscalls. 3 options:

Driver Requirement k3d Status
Kernel module /lib/modules/ + kernel headers ❌ Empty
eBPF (legacy) Kernel ≥ 4.14, bcc ⚠️ Mungkin
Modern eBPF BTF (/sys/kernel/btf/vmlinux) ✅ Available

Pilih modern eBPF — BTF available di kernel 6.6.12-linuxkit. Paling portable untuk containerized environments.

Install via Helm

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

helm install falco falcosecurity/falco \
  --namespace falco \
  --create-namespace \
  --set driver.kind=modern_ebpf \
  --set falcosidekick.enabled=true \
  --set falcosidekick.webui.enabled=true \
  --timeout 10m

Chart 9.1.0, app 0.44.1 (latest). driver.kind=modern_ebpf explicit — default auto mungkin pick kernel module (akan fail di k3d).

Pod Inventory: 8 Pods Running

$ kubectl get pods -n falco
NAME                                      READY   STATUS    RESTARTS   AGE
falco-b9hh7                               2/2     Running   0          11m    # DaemonSet (server)
falco-bqdgl                               2/2     Running   0          11m    # DaemonSet (agent-0)
falco-lqvf5                               2/2     Running   0          11m    # DaemonSet (agent-1)
falco-falcosidekick-856495f798-5k6rw      1/1     Running   0          11m    # Alert forwarder
falco-falcosidekick-856495f798-tcjtd      1/1     Running   0          11m    # Alert forwarder
falco-falcosidekick-ui-84f9fc7d87-6965z   1/1     Running   0          2m9s   # Web UI
falco-falcosidekick-ui-84f9fc7d87-pk8rd   1/1     Running   0          11m    # Web UI
falco-falcosidekick-ui-redis-0            1/1     Running   0          11m    # Redis for UI

3 Falco DaemonSet pods (1 per node = 3 nodes), 2 Falcosidekick, 2 Web UI, 1 Redis.

Modern eBPF Probe: Loaded with Warnings

Opening 'syscall' source with modern BPF probe.
[libs]: libpman: disabled BPF iterators (not running in the root PID namespace)
[libs]: libbpf: failed to determine tracepoint 'syscalls/sys_enter_connect'
[libs]: libbpf: failed to determine tracepoint 'syscalls/sys_enter_open'

Probe loaded successfully — Falco running. Tapi beberapa tracepoint tidak available di k3d (nested virtualization, linuxkit kernel). "Detection will continue to work" per Falco log message. Ini k3d limitation, bukan Falco issue — production dengan real kernel tidak ada problem.

25 Default Rules

- rule: Terminal shell in container
- rule: Read sensitive file untrusted
- rule: Netcat Remote Code Execution in Container
- rule: Clear Log Activities
- rule: Search Private Keys or Passwords
- rule: Contact K8S API Server From Container
- rule: Redirect STDOUT/STDIN to Network Connection in Container
- rule: Linux Kernel Module Injection Detected
- rule: Detect release_agent File Container Escapes
... (25 total)

Rules cover: shell execution, file access, network activity, privilege escalation, container escape attempts. Tags include MITRE ATT&CK TTPs (T1070, dll) dan NIST 800-53 controls.

Alert: Clear Log Activities (Warning)

Falco langsung menghasilkan alert setelah startup:

{
  "priority": "Warning",
  "rule": "Clear Log Activities",
  "output": "Log files were tampered | file=.../var/log/dpkg.log evt_type=openat",
  "tags": ["NIST_800-53_AU-10", "T1070", "mitre_defense_evasion"]
}

Ini false positive (containerd normal activity saat pull image), tapi membuktikan Falco menangkap syscall events di kernel level. Falcosidekick forward ke WebUI: POST OK (200).

Falcosidekick: Alert Forwarding Proxy

[INFO] : Falcosidekick version: 2.32.0
[INFO] : Enabled Outputs: [WebUI]
[INFO] : WebUI - POST OK (200)

Falcosidekick menerima alerts dari Falco dan forward ke multiple outputs. Sekarang hanya WebUI enabled. Day 42 akan enable Webhook output untuk n8n alert pipeline → Slack.

Falco vs Gatekeeper: Before vs After

Aspek Before (Day 38) After (Day 39)
Admission control Gatekeeper (pre-deploy) Gatekeeper (unchanged)
Runtime monitoring ❌ None ✅ Falco (post-deploy)
Detection layer Scanner only (Checkov/Trivy) Scanner + Falco runtime
Alert forwarding ❌ None Falcosidekick → WebUI
Pods 2 (SecureBank) + 2 (Gatekeeper) + 8 (Falco)

Pelajaran Hari Ini

Falco = runtime detection, Gatekeeper = admission prevention. Gatekeeper cek sebelum Pod masuk (admission webhook). Falco monitor setelah Pod running (kernel syscalls). Defense in depth: pakai keduanya.

Modern eBPF = BTF requirement. Paling portable untuk containerized environments. Butuh BTF (/sys/kernel/btf/vmlinux) — available di kernel 5.10+. k3d kernel 6.6.12 punya BTF.

k3d tracepoint limitations. Nested virtualization tidak expose semua tracepoints. Beberapa sys_enter_* missing. Falco tetap running, tapi beberapa detection rules mungkin tidak trigger. Production dengan real kernel = full coverage.

Falcosidekick = alert forwarding proxy. Falco engine → Falcosidekick → multiple outputs (WebUI, Slack, Discord, Webhook). Day 42 akan pakai webhook untuk n8n.

Repo

Semua code dan dokumentasi ada di: https://github.com/stayrelevantid/chalange-devsecops

Kesimpulan

Falco 0.44.1 installed dengan modern eBPF driver. 8 pods Running, 25 default rules, alerts firing ("Clear Log Activities"). Falcosidekick forwarding ke WebUI. k3d tracepoint limitations documented. Besok Day 40 — custom rules: alert khusus untuk SecureBank container (bash/sh execution).

Enjoyed this article? Share it!

Share

Diskusi & Komentar

Artikel Terkait