Practical Cloud Native Security with Falco: Risk and Threat Detection for Containers, Kubernetes, and Cloud
- Length: 224 pages
- Edition: 1
- Language: English
- Publisher: O'Reilly Media
- Publication Date: 2022-09-20
- ISBN-10: 109811857X
- ISBN-13: 9781098118570
- Sales Rank: #2265629 (See Top 100 Books)
As more and more organizations migrate their applications to the cloud, cloud native computing has become the dominant way to approach software development and execution. Protecting modern, cloud native applications from threats requires the ability to defend them at runtime, when they’re most vulnerable to attacks.
This practical guide introduces you to Falco, the open source standard for continuous risk and threat detection across Kubernetes, containers, and the cloud. Falco creator Loris Degioanni and core maintainer Leonardo Grasso bring you up to speed on threat detection and show you how to get Falco up and running, plus advanced topics such as deploying Falco in production and writing your own security rules.
You’ll learn how to:
- Leverage runtime security in cloud native environments
- Detect configuration changes and unexpected behavior in the cloud
- Protect containers, Kubernetes, and cloud applications using Falco
- Run, deploy, and customize Falco
- Deploy, configure, and maintain Falco in a production environment
- Improve your compliance
Preface Who Is This Book For? Overview Part I: The Basics Part II: The Architecture of Falco Part III: Running Falco in Production Part IV: Extending Falco Conventions Used in This Book Using Code Examples O’Reilly Online Learning How to Contact Us Acknowledgments Leonardo Loris I. The Basics 1. Introducing Falco Falco in a Nutshell Sensors Data Sources Rules Data Enrichment Output Channels Containers and More Falco’s Design Principles Specialized for Runtime Suitable for Production Intent-Free Instrumentation Optimized to Run at the Edge Avoids Moving and Storing a Ton of Data Scalable Truthful Robust Defaults, Richly Extensible Simple What You Can Do with Falco What You Cannot Do with Falco Background and History Network Packets: BPF, libpcap, tcpdump, and Wireshark Snort and Packet-Based Runtime Security The Network Packets Crisis System Calls as a Data Source: sysdig Falco 2. Getting Started with Falco on Your Local Machine Running Falco on Your Local Machine Downloading and Installing the Binary Package Installing the Driver Starting Falco Generating Events Interpreting Falco’s Output Customizing Your Falco Instance Rules Files Output Channels Conclusion II. The Architecture of Falco 3. Understanding Falco’s Architecture Falco and the Falco Libraries: A Data-Flow View Drivers Plugins libscap Managing Data Sources Supporting Trace Files Collecting System State libsinsp State Engine Event Parsing Filtering Output Formatting One More Thing About libsinsp Rule Engine Conclusion 4. Data Sources System Calls Examples Observing System Calls Capturing System Calls Accuracy Performance Scalability So What About Stability and Security? Kernel-Level Instrumentation Approaches The Falco Drivers Which Driver Should You Use? Capturing System Calls Within Containers Running the Falco Drivers Kernel Module eBPF Probe Using Falco in Environments Where Kernel Access Is Not Available: pdig Running Falco with pdig Falco Plugins Plugin Architecture Concepts How Falco Uses Plugins Conclusion 5. Data Enrichment Understanding Data Enrichment for Syscalls Operating System Metadata Container Metadata Kubernetes Metadata Data Enrichment with Plugins Conclusion 6. Fields and Filters What Is a Filter? Filtering Syntax Reference Relational Operators Logical Operators Strings and Quoting Fields Argument Fields Versus Enrichment Fields Mandatory Fields Versus Optional Fields Field Types Using Fields and Filters Fields and Filters in Falco Fields and Filters in sysdig Falco’s Most Useful Fields General Processes File Descriptors Users and Groups Containers Kubernetes CloudTrail Kubernetes Audit Logs Conclusion 7. Falco Rules Introducing Falco Rules Files Anatomy of a Falco Rules File Rules Macros Lists Rule Tagging Declaring the Expected Engine Version Replacing, Appending to, and Disabling Rules Replacing Macros, Lists, and Rules Appending to Macros, Lists, and Rules Disabling Rules Conclusion 8. The Output Framework Falco’s Output Architecture Output Formatting Output Channels Standard Output Syslog Output File Output Program Output HTTP Output gRPC Output Other Logging Options Conclusion III. Running Falco in Production 9. Installing Falco Choosing Your Setup Installing Directly on the Host Using a Package Manager Without Using a Package Manager Managing the Driver Running Falco in a Container Syscall Instrumentation Scenario Plugin Scenario Deploying to a Kubernetes Cluster Using Helm Using Manifests Conclusion 10. Configuring and Running Falco Configuring Falco Differences Among Installation Methods Host Installation Containers Kubernetes Deployments Command-Line Options and Environment Variables Configuration Settings Instrumentation Settings (Syscalls Only) Data Enrichment Settings (Syscalls Only) Ruleset Settings Output Settings Other Settings for Debugging and Troubleshooting Configuration File Ruleset Loading Rules Files Tuning the Ruleset Using Plugins Changing the Configuration Conclusion 11. Using Falco for Cloud Security Why Falco for AWS Security? Falco’s Architecture and AWS Security Detection Examples Configuring and Running Falco for CloudTrail Security Receiving Log Files Through an SQS Queue Reading Events from an S3 Bucket or the Local Filesystem Extending Falco’s AWS Ruleset What About Other Clouds? Conclusion 12. Consuming Falco Events Working with Falco Outputs falco-exporter Falcosidekick Observability and Analysis Getting Notified Responding to Threats Conclusion IV. Extending Falco 13. Writing Falco Rules Customizing the Default Falco Rules Writing New Falco Rules Our Rule Development Method Things to Keep in Mind When Writing Rules Priorities Noise Performance Tagging Conclusion 14. Falco Development Working with the Codebase The falcosecurity/falco Repository The falcosecurity/libs Repository Building Falco from Source Extending Falco Using the gRPC API Extending Falco with Plugins Preparing a Plugin in Go Plugin State and Initialization Adding Event Sourcing Capability Adding Field Extraction Capability Finalizing the Plugin Building a Plugin Written in Go Using Plugins While Developing Conclusion 15. How to Contribute What Does It Mean to Contribute to Falco? Where Should I Start? Contributing to Falcosecurity Projects Issues Pull Requests Conclusion Index About the Authors
Donate to keep this site alive
How to download source code?
1. Go to: https://www.oreilly.com/
2. Search the book title: Practical Cloud Native Security with Falco: Risk and Threat Detection for Containers, Kubernetes, and Cloud
, sometime you may not get the results, please search the main title
3. Click the book title in the search results
3. Publisher resources
section, click Download Example Code
.
1. Disable the AdBlock plugin. Otherwise, you may not get any links.
2. Solve the CAPTCHA.
3. Click download link.
4. Lead to download server to download.