
Security Monitoring with Sysdig Falco

Sysdig falco

We wrote about Sysdig, a kernel tracing tool, two years ago. More recently, in May of this year, the Sysdig developers presented another interesting product: the Falco anomaly detection system.

Falco consists of two main components: the sysdig-probe kernel module (the same module Sysdig itself is built on), which captures system calls, and a userspace daemon that matches the captured events against rules and writes out the resulting notifications.

Based on user-defined rules, Falco monitors the behavior of applications and, when an anomaly is detected, writes a notification to standard output, to syslog, or to a user-specified file. In their blog the developers jokingly call Falco "a hybrid of snort, ossec and strace" and position it as a simple IDS that puts almost no load on the system.
We would describe Sysdig Falco a little differently: it is an advanced auditing tool. It can track the same events as the Linux audit subsystem, and more. This is not a complete list:


Falco by itself does not provide any protection; it only collects information about system events that meet the specified conditions. From that information you can draw conclusions and, if necessary, take further measures.

Installation


Before installing Falco, add the corresponding repository (all command examples below are for Ubuntu 16.04; commands that modify the system are run via sudo):

$ curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | sudo apt-key add -
$ sudo curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/stable/deb/draios.list
$ sudo apt-get update

We also need to install the kernel headers:

 $ sudo apt-get -y install linux-headers-$(uname -r) 

After that, install Falco and add the sysdig_probe module to the kernel:

$ sudo apt-get -y install falco
$ sudo modprobe sysdig-probe

This completes the installation. After that, Falco can be run:

 $ sudo service falco start 

Information about all detected events is then written to syslog. You can also run Falco in the foreground (as root, since it needs to read events from the sysdig-probe module):

$ sudo falco

All notifications about suspicious events then go straight to standard output.
The default settings and rules are more than enough to get started.
The file /etc/falco_rules.yaml already contains rules for all sorts of situations. There are even ready-made rules for a variety of applications and services: MySQL, MongoDB, CouchDB, Fluentd, Elasticsearch and others.

If necessary, you can always change existing rules and even add new ones. Consider the structure of the Falco configuration files in more detail.

Basic settings


Falco's basic settings are stored in the /etc/falco.yaml file. By default, it looks like this:

# File containing Falco rules, loaded at startup.
rules_file: /etc/falco_rules.yaml

# Whether to output events in json or text
json_output: false

# Send information logs to stderr and/or syslog Note these are *not* security
# notification logs! These are just Falco lifecycle (and possibly error) logs.
log_stderr: true
log_syslog: true

# Where security notifications should go.
# Multiple outputs can be enabled.

syslog_output:
  enabled: true

file_output:
  enabled: false
  filename: ./events.txt

stdout_output:
  enabled: true

program_output:
  enabled: false
  program: mail -s "Falco Notification" someone@example.com

As you can see, the file specifies where the rules are stored, in which format notifications are emitted (plain text or JSON) and where notifications about detected anomalies go. Falco can write them to standard output, to syslog, to a user-specified text file, or pipe them to an external program (the commented-out example sends them by mail). Note that log_stderr and log_syslog control only Falco's own lifecycle and error logs, not the security notifications.

Rules and their syntax


The /etc/falco_rules.yaml file contains the rules that tell Falco which patterns of system behavior deserve attention. Here is a fragment of this file:

- rule: write_etc
  desc: an attempt to write to any file below /etc, not in a pipe installer session
  condition: write_etc_common and not proc.sname=fbash
  output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
  priority: WARNING

Everything here is simple and clear: the rule tells Falco to report any attempt to open a file below /etc for writing, except when the write happens in a "pipe installer" session, that is, when the session leader process is fbash (the shell used by curl-piped installers). write_etc_common is not a field but a macro defined elsewhere in the same file; the condition combines it with an extra filter.

Each rule consists of the following fields:

- rule: the name of the rule (this is what the summary of triggered rules counts by);
- desc: a human-readable description of what the rule detects;
- condition: a filter expression in Sysdig's filter syntax that an event must match; it may reference macros such as write_etc_common defined in the same file;
- output: the template of the notification message, in which %field placeholders (for example %user.name or %fd.name) are replaced with values from the event;
- priority: the severity of the event (WARNING in the rule above), which the summary also counts by.

Let's see how this rule works. Launch Falco in live monitoring mode:

$ sudo falco

In another terminal, open a file under /etc for writing with an editor (here, nano /etc/default/grub). Messages like the following immediately appear on standard output:

12:43:52.640375428: Warning File below /etc opened for writing (user=useri command=nano /etc/default/grub file=/etc/default/.grub.swp)
12:43:52.640973730: Warning File below /etc opened for writing (user=useri command=nano /etc/default/grub file=/etc/default/grub)

If we stop Falco by pressing Ctrl + C, a brief summary of all detected events will be displayed on the console:

Events detected: 2
Rule counts by severity:
   Error: 0
   Warning: 2
   Informational: 0
Triggered rules by rule name:
   write_etc: 2
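The write_etc rule just demonstrated fires on every write below /etc, which on a host managed by a configuration-management agent means an alert at every agent run. Rules are composed from macros (write_etc_common above is itself a macro from the stock /etc/falco_rules.yaml), and a macro is the natural place to carve out such an exception. The following is an example added here, not a rule from the article or from Falco's stock rules file; the process names in the macro are assumptions and should be whatever is actually expected to edit /etc on your hosts:

```yaml
# Added example, not part of the stock /etc/falco_rules.yaml.
# Process names are assumptions: list whatever is allowed to edit /etc here.
- macro: config_mgmt_tools
  condition: proc.name in (puppet, chef-client)

# Same trigger as write_etc, but with the config-management agent excluded
# and the parent process added to the output so the alert can be triaged.
- rule: write_etc_unexpected
  desc: write below /etc by something other than the pipe installer or config management
  condition: write_etc_common and not proc.sname=fbash and not config_mgmt_tools
  output: "Unexpected write below /etc (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name)"
  priority: ERROR
```

Loaded next to the stock write_etc, both rules would fire on the same write; in practice you would change the condition of write_etc in place, or remove it, and keep only one. The ERROR priority makes these events show up under Error: in the summary, and %proc.pname (the parent process name) tells you at a glance whether the editor was started from an interactive shell or from a service.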

Let's look at another example, which shows how Falco can audit system events inside containers.

Watching the container


Sysdig Falco is well suited for monitoring what happens inside containers. Let's see how it works.

Pull the image for the container:

$ docker pull ubuntu:14.04

After that, add an extra rule to /etc/falco_rules.yaml (the example is taken from here):

- rule: system_binaries_network_activity_container
  desc: any network activity performed by system binaries that are not expected to send or receive any network traffic in a container
  condition: ((inbound or outbound) and (fd.sockfamily = ip)) and fd.name != '' and container
  output: "Suspicious binary sent/received network traffic from container=%container.id (user=%user.name command=%proc.cmdline connection=%fd.name type=%evt.type)"
  priority: WARNING

Save the changes and restart Falco. Then start a container and open a shell in it:

 $ docker run --rm -it ubuntu:14.04 /bin/bash 

We will execute the following command in the container:

 $ ping ya.ru 

The following messages appear in syslog on the host:

16:08:56.944164593: Warning Suspicious binary sent/received network traffic from container=0b86d8efdf0a (user=root command=ping ya.ru connection=172.17.0.2:47776->123.45.67.89:53 type=connect)
16:08:56.945398068: Warning Suspicious binary sent/received network traffic from container=0b86d8efdf0a (user=root command=ping ya.ru connection=172.17.0.2:38643->123.45.67.89:1025 type=connect)

Each message carries the container ID, the user name, the command that opened the connection and the connection endpoints (the first line is the name lookup for ya.ru, a connect to port 53). Note that despite its name, the rule's condition does not restrict the process at all: it reports every IP connection made from any container. That is useful for a first look at what a container talks to, but noisy in production, where you would add a macro excluding the binaries expected to use the network.
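Both runs above produce the same kind of line: a timestamp, a priority and the rule's output text with key=value fields, while the rule name appears only in the Ctrl+C summary. The following script is an example added here, not code from the article or from the Falco project: it parses such lines, recovers the rule name from the static prefix of each rule's output template, rebuilds the summary and extracts the destination of every container connection, so the events can be fed to further tooling. The sample lines are the ones shown in this article plus one constructed line from a rule not in the table; the time format, the key=value layout and the assumption that each output template starts with literal text are taken from the output shown above.

```python
import re
from collections import Counter

# Constructed sample input: the Falco stdout/syslog lines shown earlier in this
# article (two write_etc hits and one container network hit) plus one line from
# a rule that is not in our table, to show how unmatched events are reported.
SAMPLE_EVENTS = """\
12:43:52.640375428: Warning File below /etc opened for writing (user=useri command=nano /etc/default/grub file=/etc/default/.grub.swp)
12:43:52.640973730: Warning File below /etc opened for writing (user=useri command=nano /etc/default/grub file=/etc/default/grub)
16:08:56.944164593: Warning Suspicious binary sent/received network traffic from container=0b86d8efdf0a (user=root command=ping ya.ru connection=172.17.0.2:47776->123.45.67.89:53 type=connect)
16:09:01.000000000: Error Shell spawned in a container (user=root container=0b86d8efdf0a shell=bash)
"""

# Output templates of the two rules used in this article. Falco's text output
# carries no rule name, so we recover it from the static prefix of each template
# (everything before the first % placeholder).
RULE_OUTPUTS = {
    "write_etc":
        "File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)",
    "system_binaries_network_activity_container":
        "Suspicious binary sent/received network traffic from container=%container.id "
        "(user=%user.name command=%proc.cmdline connection=%fd.name type=%evt.type)",
}

# "HH:MM:SS.nanoseconds: Priority message"
LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+): (?P<priority>\w+) (?P<msg>.*)$")
# key=value pairs inside the message. A value runs until the next " key="
# (optionally preceded by "(") or the closing parenthesis, so values with spaces,
# such as command=nano /etc/default/grub, stay whole. A value containing "=" would split.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\(?\w+=|\)$|$)")
# "src:port->dst:port", the way %fd.name is rendered for an IPv4 socket above
CONN_RE = re.compile(r"^(?P<src>.+):(?P<sport>\d+)->(?P<dst>.+):(?P<dport>\d+)$")


def static_prefix(template):
    """Literal text before the first placeholder of a rule's output template."""
    return template.split("%", 1)[0]


def parse_event(line):
    """Parse one line of Falco text output; None for lines that are not notifications."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # lifecycle/error log lines look different and are skipped
    msg = m.group("msg")
    rule = next((name for name, tpl in RULE_OUTPUTS.items()
                 if msg.startswith(static_prefix(tpl))), "(unknown rule)")
    return {
        "time": m.group("time"),
        "priority": m.group("priority"),
        "rule": rule,
        "message": msg,
        "fields": dict(KV_RE.findall(msg)),
    }


def parse_events(text):
    return [ev for ev in map(parse_event, text.splitlines()) if ev is not None]


def summarize(events):
    """Counts in the same shape as the summary Falco prints on Ctrl+C."""
    return {
        "events": len(events),
        "by_priority": dict(Counter(ev["priority"] for ev in events)),
        "by_rule": dict(Counter(ev["rule"] for ev in events)),
    }


def format_summary(summary):
    lines = [f"Events detected: {summary['events']}", "Rule counts by severity:"]
    for prio in ("Error", "Warning", "Informational"):
        lines.append(f"   {prio}: {summary['by_priority'].get(prio, 0)}")
    lines.append("Triggered rules by rule name:")
    for rule, count in sorted(summary["by_rule"].items()):
        lines.append(f"   {rule}: {count}")
    return "\n".join(lines)


def destinations(events):
    """(dst_host, dst_port) for every event that carries a connection= field."""
    out = []
    for ev in events:
        m = CONN_RE.match(ev["fields"].get("connection", ""))
        if m:
            out.append((m.group("dst"), int(m.group("dport"))))
    return out


EVENTS = parse_events(SAMPLE_EVENTS)

if __name__ == "__main__":
    print(format_summary(summarize(EVENTS)))
    print("container destinations:", destinations(EVENTS))
```

Matching on the static prefix is only as good as the output templates you keep in the table, which is one reason to prefer json_output: true in falco.yaml for anything beyond a terminal session; the prefix trick is for the text format that syslog receives by default.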

Conclusion


Sysdig Falco is an interesting and promising tool. It has the same advantages as Sysdig: flexibility, a convenient rule syntax and readable output. With it you can get a lot of valuable information about what the system is doing, much of which is hard to obtain with other tools.
If you already use Falco in practice, we invite you to share your experience in the comments.

To wrap up, here is a selection of useful links for those who want to learn more:


If for some reason you cannot leave comments here, you are welcome to our corporate blog.

Source: https://habr.com/ru/post/309188/

