云原生时代Kubernetes技术解决了基础架构平台Day 1 Operation问题,而Day 2 Operation包含了monitor,maintain,和 troubleshoot等一系列运行时工作,其中「云原生安全问题」已经引起越来越多的注意,今天的主角「Falco」就是保障云原生运行时安全。

Falco,云原生时代的安全保镖

Falco,开源的云原生运行时安全项目,目前是威胁Kubernetes平台监测引擎的事实标准,还可以监测意外的应用行为和运行时发出的威胁警告。Falco也是第一个加入云原生计算基金会CNCF并处于孵化阶段的运行时安全项目,可谓是前途无量的正规军。

cloud-native-security-falco

安装Falco

在Kubernetes平台部署Falco非常简单,helm一键安装或者使用原生的DaemonSet yaml部署都可以。由于Falco支持内核级别的系统调用监测,安装部署前需要确认你的集群节点的内核模块是否满足条件,详细可以看官方中文文档

通过minikube 1.8尝试Falco

最近官方博客提到了最新的minikube 1.8版本内置了Falco所需的内核模块,这样一来,安装Falco就只需一条helm install命令。

由于众所周知的原因,原生minikube start下载物料不快。给大家准备好了下载好的物料作为cache,大家放置到适合的文件位置,就可以加速minikube start启动速度(下文基于MacOS系统的hyperkit虚拟化技术)。

  • minikube-v1.8.0.iso, 放置在目录/Users/david/.minikube/cache/iso
  • preloaded-images-k8s-v1-v1.17.3-docker-overlay2.tar.lz4,放置在目录/Users/david/.minikube/cache/preloaded-tarball

以上两个文件可以到这里下载:

链接: https://pan.baidu.com/s/1Orr6pMri2E6L9mrTTpqe-Q 提取码: 1cj4

然后就可以用以下命令启动,为了防止下载好的物料不生效,已经配置了国内下载绿色通道:

minikube start --v=7 \
  --image-mirror-country='cn' \
  --registry-mirror=http://f1361db2.m.daocloud.io \ # maybe not working, need to manually config
  --image-repository=registry.cn-hangzhou.aliyuncs.com/google_containers 

安装Falco

一条命令搞定:

# 如果你还没有添加helm官方stable仓库,那你就还需要一条命令:
# helm repo add stable https://kubernetes-charts.storage.googleapis.com/
helm install falco stable/falco

如果你想看下Falco的helm chart具体是什么样子的,可以用 helm install falco stable/falco --dry-run > falco-helm-chart.yaml导出到文件,一睹其真容。

等部署完成后,观察Falco pod的运行日志,如果看到以下信息,就是成功启动了:

> kubectl logs -l app=falco

* Unloading falco-probe, if present
* Running dkms install for falco
Error! echo
Your kernel headers for kernel 4.19.94 cannot be found at
/lib/modules/4.19.94/build or /lib/modules/4.19.94/source.
* Running dkms build failed, couldn't find /var/lib/dkms/falco/0.20.0+d77080a/build/make.log
* Trying to load a system falco-probe, if present
falco-probe found and loaded with modprobe
Thu Mar 12 12:07:19 2020: Falco initialized with configuration file /etc/falco/falco.yaml
Thu Mar 12 12:07:19 2020: Loading rules from file /etc/falco/falco_rules.yaml:
Thu Mar 12 12:07:20 2020: Loading rules from file /etc/falco/falco_rules.local.yaml:
Thu Mar 12 12:07:21 2020: Starting internal webserver, listening on port 8765

使用Falco默认规则,监控容器运行时行为

官方Falco已自带了很多默认监控规则,具体可以查看Falco pod中的/etc/falco/falco_rules.yaml文件。下面给大家运行几个样例:

  1. 如果使用 kubectl exec 进入一个pod/container,就会触发下面的规则:
- rule: Terminal shell in container
  desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
  condition: >
    spawned_process and container
    and shell_procs and proc.tty != 0
    and container_entrypoint
  output: >
    A shell was spawned in a container with an attached terminal (user=%user.name %container.info
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [container, shell, mitre_execution]

监控输出:

 Notice A shell was spawned in a container with an attached terminal (user=root k8s.ns=default k8s.pod=falco-rw8wg container=b915a438710d shell=sh parent=runc cmdline=sh terminal=34816 container_id=b915a438710d image=<NA>) k8s.ns=default k8s.pod=falco-rw8wg container=b915a438710d
  1. 如果在Pod/Container内运行 wget sth,就会触发:
- rule: Write below root
  desc: an attempt to write to any file directly below / or /root
  condition: >
    root_dir and evt.dir = < and open_write
    and not fd.name in (known_root_files)
    and not fd.directory in (known_root_directories)
    and not exe_running_docker_save
    and not gugent_writing_guestagent_log
    and not dse_writing_tmp
    and not zap_writing_state
    and not airflow_writing_state
    and not rpm_writing_root_rpmdb
    and not maven_writing_groovy
    and not chef_writing_conf
    and not kubectl_writing_state
    and not cassandra_writing_state
    and not galley_writing_state
    and not calico_writing_state
    and not rancher_writing_root
    and not runc_writing_exec_fifo
    and not known_root_conditions
    and not user_known_write_root_conditions
    and not user_known_write_below_root_activities
  output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name container_id=%container.id image=%container.image.repository)"
  priority: ERROR
  tags: [filesystem, mitre_persistence]

监控输出:

Error File below / or /root opened for writing (user=root command=wget http://www.baidu.com parent=sh file=/index.html program=wget container_id=ffbf070885d5 image=<NA>) k8s.ns=default k8s.pod=testbox container=ffbf070885d5 k8s.ns=default k8s.pod=testbox container=ffbf070885d5 
  1. 如果在Pod/Container中执行如apt get等包安装行为,就会触发:
# Container is supposed to be immutable. Package management should be done in building the image.
- rule: Launch Package Management Process in Container
  desc: Package management process ran inside container
  condition: >
    spawned_process
    and container
    and user.name != "_apt"
    and package_mgmt_procs
    and not package_mgmt_ancestor_procs
    and not user_known_package_manager_in_container
  output: >
    Package management process launched in container (user=%user.name
    command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  priority: ERROR
  tags: [process, mitre_persistence]

监控输出:

Error Package management process launched in container (user=root command=apk add --no-cache mysql-client container_id=cc1cdcea736c container_name=<NA> image=<NA>:<NA>) k8s.ns=default k8s.pod=testbox container=cc1cdcea736c k8s.ns=default k8s.pod=testbox container=cc1cdcea736c

是不是非常Cool!快来动手体验下云原生安全保镖的威力吧!

推荐Falco学习视频

下面是最近两年CNCF云原生大会上Falco的精彩talk,都是来自sysdig的大神,介绍了Falco的运作原理和使用场景,是了解掌握Falco非常好的材料,大家不要错过。

CNCF 2018:

CNCF 2019:

特别介绍下面这个视频,名字为Cloud Native Runtime Security with Falco – Kris Nova, Sysdig & Abhinav Srivastava, Frame.io,其中Kris是个非常cool的技术女神,她的PPT也非常有个性,是基于命令行的。

下次我们讲讲如何将这些监控消息发送出去,形成实时告警机制,尽情期待。

1 对 “云原生运行时安全Falco入门”的想法;

发表评论

电子邮件地址不会被公开。 必填项已用*标注