Falco Workshop 9-12-19

Sign up for Falco updates

• Kris Nova (Sysdig) nova@sysdig.com

Sign up for an EC2 instanse

• Fun
• Kenneth
• NoFun
• Oleg
• Paul
• JD
• Olga
• Britney
• Akshay Mittal
• David
• john
• Scott
• Sean
• preachermanx
• steinmasterflex
• tempestfarer
• chris coovrey
• Grace
• Mat

Kris Nova i-001ea717e8ee4318c: ec2-34-212-41-49.us-west-2.compute.amazonaws.com
NoFun i-01b09ffebb6d204ed: ec2-54-69-103-27.us-west-2.compute.amazonaws.com

Akshay : i-01c2b9afa72b80317: ec2-54-202-101-168.us-west-2.compute.amazonaws.com

tempestfarer - i-02bc88892be623774: ec2-18-237-39-241.us-west-2.compute.amazonaws.com
CrAsH N bUrN (david) - i-043d891836ff2d7e6: ec2-54-214-228-227.us-west-2.compute.amazonaws.com
mountains
MrPool: i-05a69d972591eb249: ec2-54-149-92-108.us-west-2.compute.amazonaws.com
Kenneth i-07b2549d1ceca02eb: ec2-35-160-152-48.us-west-2.compute.amazonaws.com
spacepants - i-088573ebd15f5fe94: ec2-34-219-97-46.us-west-2.compute.amazonaws.com
dunedain289: i-08b3703a86a4d6210: ec2-34-221-116-111.us-west-2.compute.amazonaws.com
Olga: i-08cde5f96837a0c33: ec2-52-42-201-57.us-west-2.compute.amazonaws.com
Grace: i-090beaa973aa09ef7: ec2-34-217-127-43.us-west-2.compute.amazonaws.com
Preetha Appan - i-094021aaf83cf9184: ec2-54-184-166-220.us-west-2.compute.amazonaws.com
chris coovrey - i-096728844ef12b552: ec2-54-190-125-188.us-west-2.compute.amazonaws.com

• uuei: i-0a57b817995d96f43: ec2-52-43-170-40.us-west-2.compute.amazonaws.com
  JD: i-0ab056df8914d66ad: ec2-52-26-90-1.us-west-2.compute.amazonaws.com
  Sean: i-0adcd0e94217ef14a: ec2-18-237-52-168.us-west-2.compute.amazonaws.com
  preachermanx: i-0b2953c448a7c5300: ec2-18-237-194-126.us-west-2.compute.amazonaws.com
  7 Oleg: i-0d3c2ad96bf1f3773: ec2-54-185-118-169.us-west-2.compute.amazonaws.com
  Britney: i-0ec12c58071cd0e95: ec2-18-236-230-233.us-west-2.compute.amazonaws.com
  steinmasterflex

john: i-009d3b468f5e2cb1a: ec2-52-53-204-28.us-west-1.compute.amazonaws.com
i-05dc8358a6dbcbe37: ec2-18-144-5-200.us-west-1.compute.amazonaws.com
i-06e138ceeabd84e5d: ec2-54-193-103-162.us-west-1.compute.amazonaws.com
i-0714fcfbd8e328144: ec2-54-153-64-232.us-west-1.compute.amazonaws.com

Akki: i-07189fa186217de9b: ec2-54-183-137-241.us-west-1.compute.amazonaws.com
i-07cfb4604893a052f: ec2-52-53-212-156.us-west-1.compute.amazonaws.com
i-07e33161756f54d53: ec2-18-144-29-237.us-west-1.compute.amazonaws.com
i-082d0fa606184143f: ec2-13-52-180-103.us-west-1.compute.amazonaws.com
i-08647c6ad5b51fd69: ec2-18-144-26-71.us-west-1.compute.amazonaws.com
i-093300db14c176261: ec2-18-144-1-110.us-west-1.compute.amazonaws.com
i-09384fa8f48c74496: ec2-54-219-167-167.us-west-1.compute.amazonaws.com
i-09a6e3cd1ef098040: ec2-13-57-221-236.us-west-1.compute.amazonaws.com
i-0d1a5aa0532bbf8d4: ec2-52-53-244-134.us-west-1.compute.amazonaws.com
i-0d26e3740bc7722ee: ec2-18-144-66-59.us-west-1.compute.amazonaws.com
i-0dd455f0e497552aa: ec2-54-153-88-41.us-west-1.compute.amazonaws.com
i-0f737b3b3a312ce82: ec2-54-183-151-229.us-west-1.compute.amazonaws.com
Peter i-0ff21918846d21670: ec2-13-57-252-107.us-west-1.compute.amazonaws.com
zazz: i-0ff90ce5eaf47834d: ec2-13-57-184-10.us-west-1.compute.amazonaws.com
Mat: i-0ffd6ba714e1082e5: ec2-54-183-231-204.us-west-1.compute.amazonaws.com

Get your instance started up

./.bak/workshop/start.sh
cd falco-kubernetes-workshop && git pull

Notes

ssh falco@
pwd: mountains
networkpassword: ilovefalco

This error is ok:

error: the path "k8s-using-daemonset/k8s-with-rbac/falco-service.yaml" does not exist
./.bak/workshop/start.sh: line 21: cd: k8s_audit_config: No such file or directory
./.bak/workshop/start.sh: line 22: webhook-config.yaml.in: No such file or directory
cp: cannot stat 'audit-policy.yaml': No such file or directory
cp: cannot stat 'webhook-config.yaml': No such file or directory
cp: cannot stat 'apiserver-config.patch.sh': No such file or directory
./.bak/workshop/start.sh: line 27: cd: OLDPWD not set

Make sure you can connect to k8s:

k get po

Should output something like this:

NAME                    READY   STATUS    RESTARTS   AGE
falco-daemonset-2xg29   1/1     Running   4          29h
scary                   1/1     Running   1          26h

./.bak/workshop/start.sh
cd falco-kubernetes-workshop && git pull

ssh falco@

Exercise 1
gcc container.c -o container
sudo ./container

k get po

BPF History https://www.freebsd.org/cgi/man.cgi?query=bpf # So sadly not 1979 Like I thought :(

​​​​ The Enet packet filter was	created	in 1980	by Mike	Accetta	and Rick
​​​​ Rashid at Carnegie-Mellon University.  Jeffrey Mogul, at Stanford,	ported
​​​​ the code to BSD and continued its development from	1983 on.  Since	then,
​​​​ it	has evolved into the Ultrix Packet Filter at DEC, a STREAMS NIT	module
​​​​ under SunOS 4.1, and BPF.