Setting up Falco + Falcosidekick + UI in a Kubernetes cluster
Cloud-native security matters more and more today. Falco is Sysdig's open source cloud-native runtime security tool.
It can be installed on a standalone host or in a Kubernetes cluster. Please refer to the previous post on Falco basics and installation:
Give every standalone machine a meaningful hostname, so the events it emits are easy to attribute
```bash
hostnamectl set-hostname qa-performance-testing
```
Change the macro so Falco ignores its own writes
- Edit
/etc/falco/falco_rules.yaml
to exclude the event raised when the Falco upgrade checks whether /etc/falco is writable (it touches /etc/falco/._check_writable, which otherwise trips the "Write below etc" rule). Only the changed line of the macro is shown:
```yaml
# add /etc/falco/._check_writable to the "not fd.name in" exclusion list
- macro: write_etc_common
  condition: >
    and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc, /etc/falco/._check_writable)
```
- Restart the Falco service (the unit name depends on the driver in use; here the eBPF probe):
```bash
systemctl restart falco-bpf
```
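Editing the shipped falco_rules.yaml has a catch: the next package upgrade replaces the file and the exclusion is lost. The same effect can be achieved from /etc/falco/falco_rules.local.yaml, which the default falco.yaml loads after falco_rules.yaml and which upgrades leave alone. The following is an added example, not from the original post or the Falco project; it assumes a Falco release that honours `append: true` on a macro (the syntax in use before the `override:` form), so the text is appended to the shipped condition rather than replacing it:

```yaml
# /etc/falco/falco_rules.local.yaml (added example, not part of the original post)
# Append to the shipped write_etc_common macro instead of editing falco_rules.yaml,
# so a package upgrade does not undo the change.
# Assumes a Falco version that accepts `append: true` on macros.
- macro: write_etc_common
  append: true
  condition: and not fd.name = /etc/falco/._check_writable
```

Validate the file with `falco -V /etc/falco/falco_rules.local.yaml` before restarting the service; a typo in the appended condition would otherwise stop Falco from loading its rules at all.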
Custom compile the kernel driver
- Reference: the GitHub repo with the pipeline used to compile the drivers
- driverkit, the tool that compiles the kernel module and eBPF probe
- Or search online for a prebuilt driver (Falco driver search)
- The driver-loader script
- The Amazon Linux kernel-devel RPM package mirror
- The commands used to compile the driver:
```bash
#!/usr/bin/env bash

# compile the eBPF probe and kernel module for a specific Amazon Linux 2 kernel release
docker run -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/output:/falco/output -ti falcosecurity/driverkit:latest driverkit docker --kernelrelease 5.4.238-148.346.amzn2.x86_64 --target amazonlinux2 --output-module /falco/output/5.4.238-148.346.ko --output-probe /falco/output/5.4.238-148.346.o --kernelurls "http://52.45.193.166/mirrors/http/amazonlinux.us-east-1.amazonaws.com/amazon_linux_2/kernel-devel-5.4.238-148.346.amzn2.x86_64.rpm" --driverversion 4.0.0+driver
```
- The Ubuntu AWS kernel headers .deb package mirror: ubuntu aws linux kernel
```bash
# other versions can be found by browsing the download pages
docker run -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/:/tmp -ti --rm falcosecurity/driverkit:latest driverkit docker --kernelrelease 5.13.0-1022-aws --target ubuntu-aws --output-module /tmp/falco_ubuntu-aws_5.13.0-1022-aws_24.ko --output-probe /tmp/falco_ubuntu-aws_5.13.0-1022-aws_24.o --kernelurls "http://security.ubuntu.com/ubuntu/pool/main/l/linux-aws-5.13/linux-aws-5.13-headers-5.13.0-1022_5.13.0-1022.24~20.04.1_all.deb,http://security.ubuntu.com/ubuntu/pool/main/l/linux-aws-5.13/linux-headers-5.13.0-1022-aws_5.13.0-1022.24~20.04.1_amd64.deb" --driverversion 4.0.0+driver
```
- --driverversion must reference a driver version of the falcosecurity/libs repository; a branch, tag or commit id can be used to compile the probe
- If Docker is installed as a snap, the output may land in a differently named temp folder on the host (the snap's private /tmp); locate it with tree:
```
├── snap-private-tmp
│   └── snap.docker
│       └── tmp
│           └── output
│               └── output
│                   ├── 5.4.238-148.346.ko
│                   ├── 5.4.238-148.346.o
```
- Use a custom URL to load the driver
```bash
# point the loader at your own driver repository
export DRIVERS_REPO=http://localhost:8080
# the HTTP server must serve the static files with this layout:
# {WEB_ROOT}/4.0.0+driver/x86_64/*.o
# the loader will then request, with the '+' URL-encoded:
# http://localhost:8080/4.0.0%2Bdriver/x86_64/falco_ubuntu-aws_5.13.0-1022-aws_24.o
# load the driver
falco-driver-loader bpf
```
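The two steps above (compiling with driverkit, then serving the result under DRIVERS_REPO) fail silently if the file name or the directory layout does not match what the loader asks for. The script below is an added example, not from the original post or the Falco project: it derives the file name and URL the loader will request, stages a driverkit output file into that layout, and checks that the server answers. The function names and the local web root are this example's own choices; the `uname -v` string used in the demo is a constructed sample matching the Ubuntu 5.13.0-1022-aws kernel built above.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed layout, matching the
# loader's naming convention:
#   ${DRIVERS_REPO}/${DRIVER_VERSION}/${ARCH}/falco_${TARGET}_${KERNEL_RELEASE}_${KERNEL_VERSION}.(o|ko)
# Function names below are this example's own.

# File name of a driver: kind is "bpf" (-> .o probe) or "module" (-> .ko module).
falco_driver_name() {
  target="$1"; krelease="$2"; kversion="$3"; kind="$4"
  if [ "$kind" = "module" ]; then ext="ko"; else ext="o"; fi
  printf 'falco_%s_%s_%s.%s\n' "$target" "$krelease" "$kversion" "$ext"
}

# Kernel version number as the loader derives it from `uname -v`:
# "#24~20.04.1-Ubuntu SMP ..." -> 24, "#1 SMP ..." -> 1
falco_kernel_version() {
  v="${1#\#}"            # drop the leading '#'
  v="${v%%[!0-9]*}"      # keep only the leading run of digits
  printf '%s\n' "$v"
}

# Full URL the loader will fetch; the '+' in the driver version is percent-encoded.
falco_driver_url() {
  repo="$1"; driverversion="$2"; arch="$3"; fname="$4"
  enc="$(printf '%s' "$driverversion" | sed 's/+/%2B/g')"
  printf '%s/%s/%s/%s\n' "$repo" "$enc" "$arch" "$fname"
}

# Copy a driverkit output file into the on-disk layout under the web root.
# The directory keeps the literal '+'; the HTTP server decodes %2B back to '+'.
falco_driver_stage() {
  webroot="$1"; driverversion="$2"; arch="$3"; src="$4"; fname="$5"
  mkdir -p "$webroot/$driverversion/$arch"
  cp "$src" "$webroot/$driverversion/$arch/$fname"
  printf '%s\n' "$webroot/$driverversion/$arch/$fname"
}

# HEAD request against the URL; prints the HTTP status (200 means the loader will find it).
falco_driver_check() {
  curl -sS -o /dev/null -w '%{http_code}' -I "$1"
}

# Demo for the Ubuntu AWS kernel compiled above (constructed uname -v sample).
kv="$(falco_kernel_version '#24~20.04.1-Ubuntu SMP Thu Apr 7 22:10:02 UTC 2022')"
fname="$(falco_driver_name ubuntu-aws 5.13.0-1022-aws "$kv" bpf)"
echo "$fname"   # falco_ubuntu-aws_5.13.0-1022-aws_24.o
falco_driver_url http://localhost:8080 4.0.0+driver x86_64 "$fname"
# http://localhost:8080/4.0.0%2Bdriver/x86_64/falco_ubuntu-aws_5.13.0-1022-aws_24.o
```

On the target host use `falco_kernel_version "$(uname -v)"` and `uname -r` for the real values, stage the .o (and .ko) with `falco_driver_stage /srv/falco-drivers 4.0.0+driver x86_64 /tmp/output/<file> "$fname"`, serve the web root with a static server that decodes percent-encoding (for example `python3 -m http.server 8080` run inside /srv/falco-drivers), and confirm `falco_driver_check` prints 200 before running `falco-driver-loader bpf`.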
Get the Falco helm chart package
Install falcosidekick independently
It is the component that receives events from the other Falco agents.
```bash
# add the helm repository
helm repo add falcosecurity https://falcosecurity.github.io/charts
# pull the falcosidekick chart
helm pull falcosecurity/falcosidekick
#
```