# K8s Threat Detection Engine - Falco

* Falco is an open-source Kubernetes runtime monitoring and threat detection tool hosted by the Cloud Native Computing Foundation (CNCF). It watches containers, Pods, nodes and applications for abnormal behaviour in real time. It works mainly by inspecting system calls (syscalls), so it can detect activity such as unauthorized process execution, file modification and unexpected network access.

## Installation

* Install Falco on sles15-sp5

```
$ rpm --import https://falco.org/repo/falcosecurity-packages.asc
$ curl -s -o /etc/zypp/repos.d/falcosecurity.repo https://falco.org/repo/falcosecurity-rpm.repo
$ zypper -n update
$ zypper in -y falco
```

* Install on Ubuntu (tarball install; the archive contents are copied straight onto `/`)

```
$ version=$(curl -sL https://api.github.com/repos/falcosecurity/falco/releases/latest | jq -r .name)
$ curl -sLO https://download.falco.org/packages/bin/x86_64/falco-"${version}"-x86_64.tar.gz
$ tar -xf falco-"${version}"-x86_64.tar.gz
$ sudo cp -R falco-"${version}"-x86_64/* /
$ rm -r falco-*
```

* Confirm the installation

```
$ falco --version
Mon Mar 31 15:33:01 2025: Falco version: 0.40.0 (x86_64)
Mon Mar 31 15:33:01 2025: Falco initialized with configuration files:
Mon Mar 31 15:33:01 2025:    /etc/falco/falco.yaml | schema validation: ok
Mon Mar 31 15:33:01 2025: System info: Linux version 6.4.0-150600.21-default (geeko@buildhost) (gcc (SUSE Linux) 7.5.0, GNU ld (GNU Binutils; SUSE Linux Enterprise 15) 2.41.0.20230908-150100.7.46) #1 SMP PREEMPT_DYNAMIC Thu May 16 11:09:22 UTC 2024 (36c1e09)
Falco version: 0.40.0
Libs version: 0.20.0
Plugin API: 3.10.0
Engine: 0.46.0
Driver:
  API version: 8.0.0
  Schema version: 3.5.0
  Default driver: 8.0.0+driver
```

## Hands-on

* Create the sample workloads. All three Deployments carry the `app: ollama` label; only `cpu` runs privileged and keeps reading `/dev/mem`, the other two just sleep, so exactly one container should trigger the rule.

```
$ echo 'apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: ollama
  name: cpu
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ollama
  template:
    metadata:
      labels:
        app: ollama
    spec:
      containers:
      - command:
        - sh
        - -c
        - while true; do cat /dev/mem; sleep 5; done
        image: quay.io/flysangel/library/busybox
        name: cpu
        securityContext:
          privileged: true' | kubectl apply -f -

$ echo 'apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: ollama
  name: amd
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ollama
  template:
    metadata:
      labels:
        app: ollama
    spec:
      containers:
      - command:
        - sh
        - -c
        - sleep infinity
        image: quay.io/flysangel/library/busybox
        name: amd' | kubectl apply -f -

$ echo 'apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: ollama
  name: gpu
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ollama
  template:
    metadata:
      labels:
        app: ollama
    spec:
      containers:
      - command:
        - sh
        - -c
        - sleep infinity
        image: quay.io/flysangel/library/busybox
        name: ollama-container' | kubectl apply -f -

$ kubectl get pod
NAME                   READY   STATUS    RESTARTS   AGE
amd-5dbbf895fc-cpdw8   1/1     Running   0          33s
cpu-6f957b9dc5-m7sv7   1/1     Running   0          33s
gpu-d984d7c7-8kd7q     1/1     Running   0          33s
```

* Create the Falco rule. Running `falco` from the command line only inspects the node it runs on; to cover the whole cluster, deploy Falco with its Helm chart so that an instance runs on every node.
* This rule detects any process that tries to read the `/dev/mem` memory device file.
* `open_read and fd.name=/dev/mem` matches a successful read-mode open of that file. `open_read` is a macro from the default `falco_rules.yaml`, which Falco loads before `falco_rules.local.yaml`, so the local file can use it. Because the match is on the open, the rule fires even when the kernel's `CONFIG_STRICT_DEVMEM` later refuses the actual read, but not when the open itself is denied (for example under kernel lockdown).
* The output names the container that did the read via `(container=%container.id)`.

```
$ sudo nano /etc/falco/falco_rules.local.yaml
- rule: cat /dev/mem
  desc: >
    find /dev/mem
  condition: >
    open_read and fd.name=/dev/mem
  output: catch /dev/mem (container=%container.id)
  priority: CRITICAL
```

* Run Falco in the foreground (`-U` turns off output buffering so alerts show up immediately).

```
$ sudo falco -U
…
Mon Mar 31 01:37:29 2025:    /etc/falco/falco_rules.local.yaml | schema validation: ok
Mon Mar 31 01:37:29 2025: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Mon Mar 31 01:37:29 2025: Starting health webserver with threadiness 4, listening on 0.0.0.0:8765
Mon Mar 31 01:37:29 2025: Loaded event sources: syscall
Mon Mar 31 01:37:29 2025: Enabled event sources: syscall
Mon Mar 31 01:37:29 2025: Opening 'syscall' source with modern BPF probe.
Mon Mar 31 01:37:29 2025: One ring buffer every '2' CPUs.
01:37:33.255572541: Critical catch /dev/mem (container=6b2746309d4d)   # this container is reading /dev/mem
```

* Use the container id to find which container is misbehaving. `%container.id` is the short id, so it is a prefix of the id the runtime shows.

```
$ sudo crictl ps -a | grep 6b2746309d4d
6b2746309d4dc   quay.io/flysangel/library/busybox@sha256:ad9fa4d07136a83e69a54ef00102f579d04eba431932de3b0f098cc5d5948f9f   11 minutes ago   Running   cpu   0   df1dc76094ca3   cpu-6f957b9dc5-m7sv7

$ sudo docker ps -a | grep 6b2746309d4d
6b2746309d4d   quay.io/flysangel/library/busybox   "sh -c 'while true; …"   11 minutes ago   Up 11 minutes   k8s_cpu_cpu-6f957b9dc5-m7sv7_default_3a595a5c-ebbf-48bd-a0f0-2b19f2aec16d_0
```

* From either listing, the Pod with the violating behaviour is `cpu-6f957b9dc5-m7sv7`.

```
$ kubectl get pod
NAME                   READY   STATUS    RESTARTS   AGE
amd-5dbbf895fc-cpdw8   1/1     Running   0          12m
cpu-6f957b9dc5-m7sv7   1/1     Running   0          12m
gpu-d984d7c7-8kd7q     1/1     Running   0          12m
```

## References

https://falco.org/docs/setup/packages/#install-with-zypper
https://falco.org/docs/concepts/rules/basic-elements/#conditions
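The rule above only prints `%container.id`, which is why the walkthrough has to go through `crictl ps -a` by hand. The script below is an added example (not part of the original note or of the Falco project) that covers both steps: it writes an enriched variant of the rule whose output already carries the Pod, namespace, image, user and command, and it provides two helpers that automate the manual lookup for alerts from the original rule. Assumptions: the alert text format of the original rule (`... catch /dev/mem (container=<id>)`), the `crictl ps -a` column layout (first column CONTAINER, last column POD), and that Falco's `k8s.*` fields are filled from the container runtime's labels on this node. The sample alert and `crictl` listing are constructed; the second container id in the listing is made up.

```sh
#!/bin/sh
# Added example, not from the original note or the Falco project.
# Helpers for the two manual steps on this page plus an enriched /dev/mem rule.
# Assumptions: alert format of the page's rule ("... (container=<id>)"),
# `crictl ps -a` column layout (CONTAINER first, POD last), and Falco k8s.*
# fields populated from container runtime labels.
set -eu

# Enriched variant of the page's rule: the output names pod, namespace, image,
# user and command, so no crictl lookup is needed afterwards.
# `container.id != host` drops processes that run directly on the node.
write_devmem_rule() {
  cat > "$1" <<'EOF'
- rule: Read /dev/mem from container
  desc: A process inside a container opened /dev/mem for reading
  condition: >
    open_read and fd.name=/dev/mem and container.id != host
  output: >
    Read of /dev/mem from container
    (user=%user.name cmd=%proc.cmdline container=%container.id
    image=%container.image.repository pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: CRITICAL
  tags: [container, memory]
EOF
}

# Pull the container id out of an alert line produced by the page's original rule.
falco_container_id() {
  printf '%s\n' "$1" | sed -n 's/.*(container=\([0-9a-f]*\)).*/\1/p'
}

# Map a (possibly truncated) container id to a pod name. Reads `crictl ps -a`
# output on stdin; uses $1 and $NF because the CREATED column contains spaces.
# Prints nothing when no container matches.
pod_for_container() {
  awk -v id="$1" 'NR > 1 && index($1, id) == 1 { print $NF; exit }'
}

# Constructed sample data (same ids as on the page; the amd row is made up).
SAMPLE_ALERT='01:37:33.255572541: Critical catch /dev/mem (container=6b2746309d4d)'
SAMPLE_CRICTL='CONTAINER IMAGE CREATED STATE NAME ATTEMPT POD ID POD
6b2746309d4dc quay.io/flysangel/library/busybox@sha256:ad9f 11 minutes ago Running cpu 0 df1dc76094ca3 cpu-6f957b9dc5-m7sv7
1c2d3e4f5a6b7 quay.io/flysangel/library/busybox@sha256:ad9f 11 minutes ago Running amd 0 2d3e4f5a6b7c8 amd-5dbbf895fc-cpdw8'

# End to end: alert line and crictl listing in, pod name out (empty if unknown).
triage_alert() {
  id=$(falco_container_id "$1")
  [ -n "$id" ] || return 0
  printf '%s\n' "$2" | pod_for_container "$id"
}

# Stand-alone run against the constructed sample prints cpu-6f957b9dc5-m7sv7.
triage_alert "$SAMPLE_ALERT" "$SAMPLE_CRICTL"
```

On a node set up as in the walkthrough, `write_devmem_rule /etc/falco/rules.d/devmem.yaml` drops the enriched rule into the `rules.d` directory that the default `falco.yaml` already lists after `falco_rules.local.yaml`, so the `open_read` macro is still available to it. For alerts from the original rule, something like `sudo falco -U | while IFS= read -r line; do triage_alert "$line" "$(sudo crictl ps -a)"; done` turns each alert into a Pod name without a manual `grep`.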