
Hari 39: Falco Setup — Runtime Security Monitoring
Install Falco 0.44.1 via Helm dengan modern eBPF driver. 8 pods Running, 25 default rules, alerts firing. Falcosidekick + Web UI untuk alert forwarding. Runtime detection layer.
Day 34 install Gatekeeper (admission control — cek sebelum Pod masuk). Hari ini install Falco (runtime monitoring — cek setelah Pod running). Dua layer yang complementary: Gatekeeper mencegah, Falco mendeteksi.
Kenapa Falco?
Gatekeeper cek di pintu masuk cluster: "Pod tanpa resources = ditolak". Tapi kalau attacker sudah dapat akses ke Pod yang running (misal via RCE), Gatekeeper tidak bisa bantu. Falco "memata-matai" syscall di kernel level — kalau ada yang exec shell di container, baca file sensitif, atau bikin reverse shell, Falco alert langsung.
Driver Selection: Modern eBPF
Falco butuh kernel-level driver untuk capture syscalls. 3 options:
| Driver | Requirement | k3d Status |
|---|---|---|
| Kernel module | /lib/modules/ + kernel headers |
❌ Empty |
| eBPF (legacy) | Kernel ≥ 4.14, bcc | ⚠️ Mungkin |
| Modern eBPF | BTF (/sys/kernel/btf/vmlinux) |
✅ Available |
Pilih modern eBPF — BTF available di kernel 6.6.12-linuxkit. Paling portable untuk containerized environments.
Install via Helm
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco falcosecurity/falco \
--namespace falco \
--create-namespace \
--set driver.kind=modern_ebpf \
--set falcosidekick.enabled=true \
--set falcosidekick.webui.enabled=true \
--timeout 10m
Chart 9.1.0, app 0.44.1 (latest). driver.kind=modern_ebpf explicit — default auto mungkin pick kernel module (akan fail di k3d).
Pod Inventory: 8 Pods Running
$ kubectl get pods -n falco
NAME READY STATUS RESTARTS AGE
falco-b9hh7 2/2 Running 0 11m # DaemonSet (server)
falco-bqdgl 2/2 Running 0 11m # DaemonSet (agent-0)
falco-lqvf5 2/2 Running 0 11m # DaemonSet (agent-1)
falco-falcosidekick-856495f798-5k6rw 1/1 Running 0 11m # Alert forwarder
falco-falcosidekick-856495f798-tcjtd 1/1 Running 0 11m # Alert forwarder
falco-falcosidekick-ui-84f9fc7d87-6965z 1/1 Running 0 2m9s # Web UI
falco-falcosidekick-ui-84f9fc7d87-pk8rd 1/1 Running 0 11m # Web UI
falco-falcosidekick-ui-redis-0 1/1 Running 0 11m # Redis for UI
3 Falco DaemonSet pods (1 per node = 3 nodes), 2 Falcosidekick, 2 Web UI, 1 Redis.
Modern eBPF Probe: Loaded with Warnings
Opening 'syscall' source with modern BPF probe.
[libs]: libpman: disabled BPF iterators (not running in the root PID namespace)
[libs]: libbpf: failed to determine tracepoint 'syscalls/sys_enter_connect'
[libs]: libbpf: failed to determine tracepoint 'syscalls/sys_enter_open'
Probe loaded successfully — Falco running. Tapi beberapa tracepoint tidak available di k3d (nested virtualization, linuxkit kernel). "Detection will continue to work" per Falco log message. Ini k3d limitation, bukan Falco issue — production dengan real kernel tidak ada problem.
25 Default Rules
- rule: Terminal shell in container
- rule: Read sensitive file untrusted
- rule: Netcat Remote Code Execution in Container
- rule: Clear Log Activities
- rule: Search Private Keys or Passwords
- rule: Contact K8S API Server From Container
- rule: Redirect STDOUT/STDIN to Network Connection in Container
- rule: Linux Kernel Module Injection Detected
- rule: Detect release_agent File Container Escapes
... (25 total)
Rules cover: shell execution, file access, network activity, privilege escalation, container escape attempts. Tags include MITRE ATT&CK TTPs (T1070, dll) dan NIST 800-53 controls.
Alert: Clear Log Activities (Warning)
Falco langsung menghasilkan alert setelah startup:
{
"priority": "Warning",
"rule": "Clear Log Activities",
"output": "Log files were tampered | file=.../var/log/dpkg.log evt_type=openat",
"tags": ["NIST_800-53_AU-10", "T1070", "mitre_defense_evasion"]
}
Ini false positive (containerd normal activity saat pull image), tapi membuktikan Falco menangkap syscall events di kernel level. Falcosidekick forward ke WebUI: POST OK (200).
Falcosidekick: Alert Forwarding Proxy
[INFO] : Falcosidekick version: 2.32.0
[INFO] : Enabled Outputs: [WebUI]
[INFO] : WebUI - POST OK (200)
Falcosidekick menerima alerts dari Falco dan forward ke multiple outputs. Sekarang hanya WebUI enabled. Day 42 akan enable Webhook output untuk n8n alert pipeline → Slack.
Falco vs Gatekeeper: Before vs After
| Aspek | Before (Day 38) | After (Day 39) |
|---|---|---|
| Admission control | Gatekeeper (pre-deploy) | Gatekeeper (unchanged) |
| Runtime monitoring | ❌ None | ✅ Falco (post-deploy) |
| Detection layer | Scanner only (Checkov/Trivy) | Scanner + Falco runtime |
| Alert forwarding | ❌ None | Falcosidekick → WebUI |
| Pods | 2 (SecureBank) + 2 (Gatekeeper) | + 8 (Falco) |
Pelajaran Hari Ini
Falco = runtime detection, Gatekeeper = admission prevention. Gatekeeper cek sebelum Pod masuk (admission webhook). Falco monitor setelah Pod running (kernel syscalls). Defense in depth: pakai keduanya.
Modern eBPF = BTF requirement. Paling portable untuk containerized environments. Butuh BTF (/sys/kernel/btf/vmlinux) — available di kernel 5.10+. k3d kernel 6.6.12 punya BTF.
k3d tracepoint limitations. Nested virtualization tidak expose semua tracepoints. Beberapa sys_enter_* missing. Falco tetap running, tapi beberapa detection rules mungkin tidak trigger. Production dengan real kernel = full coverage.
Falcosidekick = alert forwarding proxy. Falco engine → Falcosidekick → multiple outputs (WebUI, Slack, Discord, Webhook). Day 42 akan pakai webhook untuk n8n.
Repo
Semua code dan dokumentasi ada di: https://github.com/stayrelevantid/chalange-devsecops
Kesimpulan
Falco 0.44.1 installed dengan modern eBPF driver. 8 pods Running, 25 default rules, alerts firing ("Clear Log Activities"). Falcosidekick forwarding ke WebUI. k3d tracepoint limitations documented. Besok Day 40 — custom rules: alert khusus untuk SecureBank container (bash/sh execution).
Diskusi & Komentar
Artikel Terkait
Hari 20: Terraform + Checkov, 15 Celah IaC Ketahuan
Bikin infrastructure as code pakai Terraform, lalu scan dengan Checkov. Hasilnya 15 celah keamanan ketahuan — S3 tanpa enkripsi, security group terbuka ke dunia.
Hari 22: Pipeline IaC, Dua Scanner Barengan Gagal
Bikin workflow GitHub Actions khusus infrastructure security. Checkov dan Trivy IaC scan Terraform barengan. Hasilnya pipeline MERAH — security gate bekerja!
Hari 22 Bonus: Perbaikan Pipeline Gitleaks yang Merah Diam-diam
Pipeline Gitleaks merah sejak Day 14 karena flag --no-gitignore tidak pernah ada. Gitleaks detect scan git history, bukan working directory. Fix: hapus flag.