Skip to content

Commit

Permalink
wip: new(docs): update getting started pages
Browse files Browse the repository at this point in the history 
Signed-off-by: Luca Guerra <[email protected]>
  • Loading branch information
@LucaGuerra
LucaGuerra committed Jun 24, 2024
1 parent bf26592 commit a5d0600
Show file tree
Hide file tree
Showing 5 changed files with 154 additions and 243 deletions.
15 changes: 3 additions & 12 deletions content/en/docs/getting-started/_index.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,17 +4,8 @@ description: Getting started with Falco
weight: 10
---

Falco is a cloud-native security tool. It provides near real-time threat detection for cloud, container, and Kubernetes workloads by leveraging runtime insights. Falco can monitor events from various sources, including the Linux kernel, and enrich them with metadata from the Kubernetes API server, container runtime, and more.
Falco is a cloud-native security tool. It provides near real-time threat detection for cloud, container, and Kubernetes workloads by leveraging runtime insights. Falco can monitor events defined via customizable {{< glossary_tooltip text="rules" term_id="rules" >}} from various sources, including the Linux kernel, and enrich them with metadata from the Kubernetes API server, container runtime, and more. Falco supports a wide range of kernel versions, x86_64 and ARM64 architectures, and many different {{< glossary_tooltip text="output" term_id="outputs" >}} channels.

Once Falco has received these events, it compares them to a set of {{< glossary_tooltip text="rules" term_id="rules" >}} to determine if the actions being performed need further investigation. If they do, Falco can forward the {{< glossary_tooltip text="output" term_id="outputs" >}} to multiple different endpoints either natively (syslog, stdout, HTTPS, and gRPC endpoints) or with the help of [Falcosidekick](https://github.com/falcosecurity/falcosidekick), a companion tool that offers integrations to several different applications and services.

## Falco Architecture

Falco operates in both kernel and user space. In kernel space, Linux system calls ({{< glossary_tooltip text="syscalls" term_id="syscalls" >}}) are collected by a {{< glossary_tooltip text="driver" term_id="drivers" >}}, for example, the Falco kernel module or Falco eBPF probe. Next, syscalls are placed in a {{< glossary_tooltip text="ring buffer" term_id="ring-buffer" >}} from which they are moved into user space for processing. The events are filtered using a rules engine with a Falco rule set. Falco ships with a default set of rules, but operators can modify or turn off those rules and add their own. If Falco detects any suspicious events those are forwarded to various endpoints.

![Falco Architecture](images/falco-architecture-v2.png)

## Next Steps

A great next step would be to try Falco yourself. The quickstart below walks through how to get Falco running on a Linux host, create a suspicious event, and then check the Falco output.
## Try it now

Get started on your Linux host or Kubernetes cluster.
2 changes: 1 addition & 1 deletion content/en/docs/getting-started/additional-resources.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ description: Learn More About Falco
slug: falco-additional
aliases:
- ../../falco-additional
weight: 30
weight: 40
---

## Learn more about Falco
Expand Down
76 changes: 76 additions & 0 deletions content/en/docs/getting-started/docker-quickstart.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
---
title: Try Falco with Docker
description: Try Falco locally using Docker
slug: falco-docker-quickstart
aliases:
- ../../try-falco-with-docker
weight: 10
---

## Install Falco

First, make sure you have a Linux machine with a recent version of Docker installed. Note that the following won't work on Windows or MacOS running Docker Desktop.

Run the following command:

```sh
sudo docker run --rm -i -t --name falco --privileged \
-v /var/run/docker.sock:/host/var/run/docker.sock \
-v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro \
-v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro \
falcosecurity/falco:{{< latest >}}
```

Falco is now enabled and is monitoring your system for events. Falco comes with a [pre-installed set of rules](https://github.com/falcosecurity/rules/blob/main/rules/falco_rules.yaml) that alert you upon suspicious behavior.

## Trigger a rule

Open another terminal on the same machine and run:

```sh
sudo cat /etc/shadow
```

Now go back to Falco and you'll see a message:

```
2024-06-21T08:54:23.812791015+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=sudo ggparent=bash gggparent=tmux: evt_type=openat user=root user_uid=0 user_loginuid=1000 process=cat proc_exepath=/usr/bin/cat parent=sudo command=cat /etc/shadow terminal=34826 container_id=host container_name=host)
```

This is your first Falco event 🦅! If you are curious, [this](https://github.com/falcosecurity/rules/blob/c0a9bf17d5451340ab8a497efae1b8a8bd95adcb/rules/falco_rules.yaml#L398) is the rule that describes it.

## Create a custom rule

Now it's time to create our own rule and load it into Falco. We can be pretty creative with them, but let's stick with something simple. This time, we want to be alerted when any file is opened for writing in the `/etc` directory, either on the host or inside containers.

Stop the Falco container with `Ctrl-C`, copy the following text in a file and call it `falco_custom_rules.yaml`:

```yaml
- rule: Write below etc
desc: An attempt to write to /etc directory
condition: >
(evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0)
and fd.name startswith /etc
output: "File below /etc opened for writing (file=%fd.name pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)"
priority: WARNING
tags: [filesystem, mitre_persistence]
```
Now start Falco again, this time mounting the new rule file:
```sh
sudo docker run --name falco --rm -i -t --privileged \
-v $(pwd)/falco_custom_rules.yaml:/etc/falco/falco_rules.local.yaml \
-v /var/run/docker.sock:/host/var/run/docker.sock \
-v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro \
-v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro \
falcosecurity/falco:{{< latest >}}
```

Now open another terminal and let's write a file in `/etc`:

```sh
sudo touch /etc/test_file_falco_rule
```

You should see an alert in the Falco terminal, just as before. As you can see, a lot of contextual information is displayed, as it was specified in the `output` field of the rule. There are many such fields that you can use both in the condition and the output to build your rule.
Loading

0 comments on commit a5d0600

Please sign in to comment.