How to install Falco on a Stand-Alone Host

As companies move more of their workloads to the cloud and adopt containerized microservices, security becomes a top priority. With containers and orchestration platforms like Kubernetes, you get portability and scalability, but also new attack vectors to worry about. That’s where Falco comes in.

Falco is an open-source runtime security tool designed specifically for cloud-native environments. It keeps a watchful eye on your applications by monitoring system calls and kernel activity. This deep visibility allows Falco to detect malicious behavior, unauthorized access, and other threats in real time.

One of the coolest things about Falco is its tight integration with Kubernetes. But you don’t have to be running k8s to use it – Falco also works great on plain standalone hosts like Ubuntu servers. Speaking of which, this article will walk through installing and configuring Falco on an Ubuntu machine.

We’ll cover all the prerequisites, the actual installation steps, and how to customize Falco’s detection rules to fit your environment and security policies. By the end, you’ll have a powerful runtime security enforcer safeguarding your Ubuntu systems and workloads.

Falco Installation on Ubuntu:

In this guide, you’ll learn how to install Falco, a powerful cloud-native runtime security tool, on an Ubuntu host. You’ll also trigger a Falco rule by simulating a suspicious event and examine the resulting output. This practical exercise aims to provide you with a real-world understanding of how Falco operates.

Upon completing this guide, you’ll be well-equipped to explore advanced use cases, such as integrating Falco with Kubernetes, or delve deeper into additional resources to further enhance your knowledge.

Prerequisites

This guide focuses on installing Falco using the kernel module approach on Ubuntu. The steps have been tested and verified on Ubuntu Virtual Machines running on VirtualBox and Lima (for MacBooks with Apple Silicon chips).

While the guide may work with Ubuntu instances on cloud providers or other virtualization platforms, it has not been explicitly tested on those environments. Therefore, some minor adjustments might be necessary.

Setting Up the Virtual Environment

To follow along with this guide, you’ll need to set up a virtual Ubuntu environment. Here are the steps for two popular virtualization options:

VirtualBox:

  1. Install Essentials: Make sure you have VirtualBox and Vagrant installed according to their official instructions for your operating system.
  2. Create an Ubuntu VM: Fire up your terminal and run the following commands to create a new Ubuntu 20.04 virtual machine:
vagrant init bento/ubuntu-20.04
vagrant up
  3. Log In: Your virtual machine should be up and running. Use vagrant ssh (default password: vagrant) to log in and proceed to the “Install Falco” section below.

Using Lima (Apple M1/M2):

  1. Install Homebrew: If you haven’t already, follow the official Homebrew installation guide to get it set up on your Mac.
  2. Get Lima: Use Homebrew to install Lima:
brew install lima
  3. Create a VM: Now, create a new Ubuntu 20.04 virtual machine using Lima:
limactl start --name=falco-quickstart template://ubuntu-lts
  4. Access the VM: Shell into your newly created VM using:
limactl shell falco-quickstart

Once you’re logged in (either through VirtualBox or Lima), we can move on to installing Falco.

Installing Falco

Now that your environment is set up, let’s get Falco up and running on your Ubuntu machine. Here’s a breakdown of the steps:

Configure Package Repository

First, we need to add the official Falco repository to your system’s package list. This ensures you get the latest and most secure version of Falco.

Import the Falco repository key:

curl -fsSL https://falco.org/repo/falcosecurity-packages.asc | \
sudo gpg --dearmor -o /usr/share/keyrings/falco-archive-keyring.gpg

Add the Falco repository to your system’s sources list:

sudo bash -c 'cat << EOF > /etc/apt/sources.list.d/falcosecurity.list
deb [signed-by=/usr/share/keyrings/falco-archive-keyring.gpg] https://download.falco.org/packages/deb stable main
EOF'

These commands download the Falco repository key and add the repository information to your system’s sources list.

Update Package Lists:

Next, update your system’s package list to reflect the newly added Falco repository:

sudo apt-get update -y

Install Dependencies:

Falco requires some additional software to function properly. We’ll install the necessary kernel headers, development tools, and the dialog package (used during installation) with the following command:

sudo apt-get install -y dkms make linux-headers-$(uname -r) dialog

Install Falco:

Install the latest stable version of Falco:

sudo apt-get install -y falco

During installation, you’ll be prompted to choose how the kernel driver should be installed. Select the Kmod option, which compiles the Falco kernel module for the kernel version you are running.

You’ll also be asked whether to enable automatic rule updates (answer Yes to enable them). This isn’t required for this exercise, but it’s recommended so that your Falco installation stays current with the latest security rules.

Verify Installation:

Once the installation is complete, Falco should be up and running in the background. You can verify this by checking its service status:

sudo systemctl status falco

You should see output similar to the following when checking the status of the falco-kmod service:

falco-kmod.service - Falco: Container Native Runtime Security

   Loaded: loaded (/lib/systemd/system/falco-kmod.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2023-01-25 10:44:04 UTC; 12s ago
    Docs: https://falco.org/docs/
  Main PID: 26488 (falco)
   Tasks: 9 (limit: 2339)
   Memory: 13.1M
   CGroup: /system.slice/falco-kmod.service
           └─26488 /usr/bin/falco --pidfile=/var/run/falco.pid

Jan 25 10:44:04 ubuntu systemd[1]: Started Falco: Container Native Runtime Security with kmod.
Jan 25 10:44:04 ubuntu falco[26488]: Falco version: 0.34.1 (x86_64)
Jan 25 10:44:04 ubuntu falco[26488]: Falco initialized with configuration file: /etc/falco/falco.yaml
Jan 25 10:44:04 ubuntu falco[26488]: Loading rules from file /etc/falco/falco_rules.yaml
Jan 25 10:44:04 ubuntu falco[26488]: Loading rules from file /etc/falco/falco_rules.local.yaml
Jan 25 10:44:04 ubuntu falco[26488]: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Jan 25 10:44:04 ubuntu falco[26488]: Starting health webserver with threadiness 2, listening on port 8765
Jan 25 10:44:04 ubuntu falco[26488]: Enabled event sources: syscall
Jan 25 10:44:04 ubuntu falco[26488]: Opening capture with Kernel module

Triggering a Falco Rule

Now that Falco is installed and running, let’s see it in action!

Generating a Suspicious Event:

To observe Falco in action, you can intentionally generate a suspicious event that should trigger one of its predefined rules.

Falco has a rule that flags reads of sensitive files by untrusted programs, such as the shadow password file /etc/shadow. To trigger this rule, run the following command (be aware that this might violate your system’s security policies):

sudo cat /etc/shadow > /dev/null

This simply reads the contents of /etc/shadow and discards them.

Examining Falco’s Output:

Falco can send its output to various destinations, including syslog. Here, we’ll explore two methods to examine Falco’s logs:

1. Using journalctl:

This command-line tool allows you to view system logs. Let’s look at Falco’s warnings specifically:

sudo journalctl _COMM=falco -p warning

The output should resemble this:

...
Jan 25 10:52:54 ubuntu falco: 10:52:54.144872253: Warning Sensitive file opened for reading by non-trusted program (user=root user_loginuid=-1 program=cat command=cat /etc/shadow pid=27550 file=/etc/shadow parent=bash gparent=kc-terminal ggparent=bash gggparent=systemd container_id=host image=<NA>)
...

This indicates that Falco detected a program (in this case, cat) trying to read the sensitive /etc/shadow file.

2. Using /var/log/syslog

Syslog is another common location for system logs. You can use grep to filter these logs for Falco messages:

sudo grep Sensitive /var/log/syslog

The output should be similar to what we saw with journalctl:

...
Jan 25 10:52:54 ubuntu falco: 10:52:54.144872253: Warning Sensitive file opened for reading by non-trusted program (user=root user_loginuid=-1 program=cat command=cat /etc/shadow pid=27550 file=/etc/shadow parent=bash gparent=kc-terminal ggparent=bash gggparent=systemd container_id=host image=<NA>)
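The journalctl and syslog lines above share one layout: a syslog prefix, the event timestamp, the priority, the rule’s output text, and then space-separated key=value fields in parentheses. The following is an added example, not code from the original article or from the Falco project, that parses that layout with POSIX sh and sed so alerts can be reduced to the fields a responder triages on (priority, program, file, whether it happened in a container). It assumes the format shown in the output above; the sample line is constructed from that output, and the function names are my own. The parser tolerates both the rsyslog form (falco:) and journalctl’s default form (falco[pid]:).

```shell
#!/bin/sh
# Added example (not from the original article): parse Falco's syslog-style
# alert lines and reduce them to the fields a responder triages on.
# The sample line below is constructed from the article's own output.

SAMPLE_LINE='Jan 25 10:52:54 ubuntu falco: 10:52:54.144872253: Warning Sensitive file opened for reading by non-trusted program (user=root user_loginuid=-1 program=cat command=cat /etc/shadow pid=27550 file=/etc/shadow parent=bash gparent=kc-terminal ggparent=bash gggparent=systemd container_id=host image=<NA>)'

# falco_priority LINE -> the priority word that follows the event timestamp
# (e.g. Warning). "falco[^:]*: " accepts both "falco: " and "falco[26488]: ".
falco_priority() {
    printf '%s\n' "$1" | sed -n 's/^.*falco[^:]*: [0-9:.]*: \([A-Za-z]*\) .*$/\1/p'
}

# falco_rule LINE -> the rule's output text: everything between the priority
# and the opening parenthesis of the key=value fields.
falco_rule() {
    printf '%s\n' "$1" | sed -n 's/^.*falco[^:]*: [0-9:.]*: [A-Za-z]* \(.*\) (.*$/\1/p'
}

# falco_field LINE KEY -> value of a single-token KEY=value field inside the
# parentheses. The key is anchored on the preceding space or "(", so "parent"
# does not match "gparent" and "user" does not match "user_loginuid".
# Multi-word values (command=cat /etc/shadow) are not handled here; they would
# need a parser that knows which keys may contain spaces. Unknown keys yield "".
falco_field() {
    printf '%s\n' "$1" | sed -n "s/^.*[ (]$2=\([^ )]*\).*$/\1/p"
}

# falco_triage: read log lines on stdin and emit one tab-separated row per Falco
# alert: priority, program, file, container_id, rule text. Other lines are skipped.
falco_triage() {
    while IFS= read -r line; do
        case $line in
            *" falco"*) ;;
            *) continue ;;
        esac
        printf '%s\t%s\t%s\t%s\t%s\n' \
            "$(falco_priority "$line")" \
            "$(falco_field "$line" program)" \
            "$(falco_field "$line" file)" \
            "$(falco_field "$line" container_id)" \
            "$(falco_rule "$line")"
    done
}

# Demo on the constructed sample. On a live host you would pipe in the output of
#   sudo journalctl _COMM=falco -p warning --no-pager
# or
#   sudo grep 'falco' /var/log/syslog
printf '%s\n' "$SAMPLE_LINE" | falco_triage
```

The container_id column is what separates a host event (container_id=host, image=<NA>, as in the article’s alert) from the same rule firing inside a container, so it is worth keeping in any summary you forward to a SIEM or ticketing system.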

Cleaning Up:

If you wish to remove the virtual machine used for this exercise, you can run the following commands:

For Lima:

limactl delete falco-quickstart --force

For VirtualBox:

vagrant destroy

Make sure you’re in the same directory as your Vagrantfile before running this command.

That’s it! You’ve successfully installed Falco, triggered a security rule, and examined its output. This is a great first step towards understanding how Falco can help safeguard your system.

Conclusion

This guide equipped you with the knowledge to install and explore Falco on your Ubuntu machine. You witnessed how Falco effectively monitors system activity and flags suspicious events. Falco is a powerful open-source tool, and the journey to mastering its potential has just begun! There’s a wealth of resources available to help you delve deeper.

We encourage you to join our thriving community of security professionals. By contributing to the open-source project, sharing your knowledge, and staying updated on the latest threats, you can become a guardian of your cloud-native infrastructure.

For a comprehensive cloud-native security solution, look no further than CloudDefense.AI. Our holistic approach empowers you to safeguard your environment. Book a free demo today and discover how CloudDefense.AI can elevate your cloud security posture!
