Practical Cloud Native Security with Falco: Risk and Threat Detection for Containers, Kubernetes, and Cloud
- Length: 224 pages
- Edition: 1
- Language: English
- Publisher: O'Reilly Media
- Publication Date: 2022-09-20
- ISBN-10: 109811857X
- ISBN-13: 9781098118570
- Sales Rank: #2265629 (See Top 100 Books)
As more and more organizations migrate their applications to the cloud, cloud native computing has become the dominant way to approach software development and execution. Protecting modern, cloud native applications from threats requires the ability to defend them at runtime, when they’re most vulnerable to attacks.
This practical guide introduces you to Falco, the open source standard for continuous risk and threat detection across Kubernetes, containers, and the cloud. Falco creator Loris Degioanni and core maintainer Leonardo Grasso bring you up to speed on threat detection and show you how to get Falco up and running, plus advanced topics such as deploying Falco in production and writing your own security rules.
You’ll learn how to:
- Leverage runtime security in cloud native environments
- Detect configuration changes and unexpected behavior in the cloud
- Protect containers, Kubernetes, and cloud applications using Falco
- Run, deploy, and customize Falco
- Deploy, configure, and maintain Falco in a production environment
- Improve your compliance
Preface
Who Is This Book For?
Overview
Part I: The Basics
Part II: The Architecture of Falco
Part III: Running Falco in Production
Part IV: Extending Falco
Conventions Used in This Book
Using Code Examples
O’Reilly Online Learning
How to Contact Us
Acknowledgments
Leonardo
Loris
I. The Basics
1. Introducing Falco
Falco in a Nutshell
Sensors
Data Sources
Rules
Data Enrichment
Output Channels
Containers and More
Falco’s Design Principles
Specialized for Runtime
Suitable for Production
Intent-Free Instrumentation
Optimized to Run at the Edge
Avoids Moving and Storing a Ton of Data
Scalable
Truthful
Robust Defaults, Richly Extensible
Simple
What You Can Do with Falco
What You Cannot Do with Falco
Background and History
Network Packets: BPF, libpcap, tcpdump, and Wireshark
Snort and Packet-Based Runtime Security
The Network Packets Crisis
System Calls as a Data Source: sysdig
Falco
2. Getting Started with Falco on Your Local Machine
Running Falco on Your Local Machine
Downloading and Installing the Binary Package
Installing the Driver
Starting Falco
Generating Events
Interpreting Falco’s Output
Customizing Your Falco Instance
Rules Files
Output Channels
Conclusion
II. The Architecture of Falco
3. Understanding Falco’s Architecture
Falco and the Falco Libraries: A Data-Flow View
Drivers
Plugins
libscap
Managing Data Sources
Supporting Trace Files
Collecting System State
libsinsp
State Engine
Event Parsing
Filtering
Output Formatting
One More Thing About libsinsp
Rule Engine
Conclusion
4. Data Sources
System Calls
Examples
Observing System Calls
Capturing System Calls
Accuracy
Performance
Scalability
So What About Stability and Security?
Kernel-Level Instrumentation Approaches
The Falco Drivers
Which Driver Should You Use?
Capturing System Calls Within Containers
Running the Falco Drivers
Kernel Module
eBPF Probe
Using Falco in Environments Where Kernel Access Is Not Available: pdig
Running Falco with pdig
Falco Plugins
Plugin Architecture Concepts
How Falco Uses Plugins
Conclusion
5. Data Enrichment
Understanding Data Enrichment for Syscalls
Operating System Metadata
Container Metadata
Kubernetes Metadata
Data Enrichment with Plugins
Conclusion
6. Fields and Filters
What Is a Filter?
Filtering Syntax Reference
Relational Operators
Logical Operators
Strings and Quoting
Fields
Argument Fields Versus Enrichment Fields
Mandatory Fields Versus Optional Fields
Field Types
Using Fields and Filters
Fields and Filters in Falco
Fields and Filters in sysdig
Falco’s Most Useful Fields
General
Processes
File Descriptors
Users and Groups
Containers
Kubernetes
CloudTrail
Kubernetes Audit Logs
Conclusion
7. Falco Rules
Introducing Falco Rules Files
Anatomy of a Falco Rules File
Rules
Macros
Lists
Rule Tagging
Declaring the Expected Engine Version
Replacing, Appending to, and Disabling Rules
Replacing Macros, Lists, and Rules
Appending to Macros, Lists, and Rules
Disabling Rules
Conclusion
8. The Output Framework
Falco’s Output Architecture
Output Formatting
Output Channels
Standard Output
Syslog Output
File Output
Program Output
HTTP Output
gRPC Output
Other Logging Options
Conclusion
III. Running Falco in Production
9. Installing Falco
Choosing Your Setup
Installing Directly on the Host
Using a Package Manager
Without Using a Package Manager
Managing the Driver
Running Falco in a Container
Syscall Instrumentation Scenario
Plugin Scenario
Deploying to a Kubernetes Cluster
Using Helm
Using Manifests
Conclusion
10. Configuring and Running Falco
Configuring Falco
Differences Among Installation Methods
Host Installation
Containers
Kubernetes Deployments
Command-Line Options and Environment Variables
Configuration Settings
Instrumentation Settings (Syscalls Only)
Data Enrichment Settings (Syscalls Only)
Ruleset Settings
Output Settings
Other Settings for Debugging and Troubleshooting
Configuration File
Ruleset
Loading Rules Files
Tuning the Ruleset
Using Plugins
Changing the Configuration
Conclusion
11. Using Falco for Cloud Security
Why Falco for AWS Security?
Falco’s Architecture and AWS Security
Detection Examples
Configuring and Running Falco for CloudTrail Security
Receiving Log Files Through an SQS Queue
Reading Events from an S3 Bucket or the Local Filesystem
Extending Falco’s AWS Ruleset
What About Other Clouds?
Conclusion
12. Consuming Falco Events
Working with Falco Outputs
falco-exporter
Falcosidekick
Observability and Analysis
Getting Notified
Responding to Threats
Conclusion
IV. Extending Falco
13. Writing Falco Rules
Customizing the Default Falco Rules
Writing New Falco Rules
Our Rule Development Method
Things to Keep in Mind When Writing Rules
Priorities
Noise
Performance
Tagging
Conclusion
14. Falco Development
Working with the Codebase
The falcosecurity/falco Repository
The falcosecurity/libs Repository
Building Falco from Source
Extending Falco Using the gRPC API
Extending Falco with Plugins
Preparing a Plugin in Go
Plugin State and Initialization
Adding Event Sourcing Capability
Adding Field Extraction Capability
Finalizing the Plugin
Building a Plugin Written in Go
Using Plugins While Developing
Conclusion
15. How to Contribute
What Does It Mean to Contribute to Falco?
Where Should I Start?
Contributing to Falcosecurity Projects
Issues
Pull Requests
Conclusion
Index
About the AuthorsDonate to keep this site alive
To access the Link, solve the captcha.
How to download source code?
1. Go to: https://www.oreilly.com/
2. Search the book title: Practical Cloud Native Security with Falco: Risk and Threat Detection for Containers, Kubernetes, and Cloud, sometime you may not get the results, please search the main title
3. Click the book title in the search results
3. Publisher resources section, click Download Example Code.
1. Disable the AdBlock plugin. Otherwise, you may not get any links.
2. Solve the CAPTCHA.
3. Click download link.
4. Lead to download server to download.
