Writing and Testing Custom Falco Rules

Writing and Testing Custom Falco Rules Overview

Objective: In this lab, you will learn how to write custom Falco rules tailored to your specific security requirements. You will then test these rules by simulating various security incidents within your Kubernetes environment to ensure that Falco triggers the appropriate alerts. This hands-on exercise will help you understand how to extend Falco’s monitoring capabilities to better fit your organization’s security needs.

Prerequisites:

A running Kubernetes cluster with Falco installed (as completed in Lab 5.1).
Basic understanding of Falco rules and how they are structured.
kubectl command-line tool configured to interact with your cluster.

Step 1: Understand the Structure of a Falco Rule

Before writing custom rules, it’s important to understand the basic structure of a Falco rule. A typical Falco rule consists of:

Rule Name: A unique name that identifies the rule.
Description: A brief explanation of what the rule is detecting.
Condition: The criteria that must be met for the rule to trigger.
Output: The alert message generated when the rule is triggered.
Priority: The severity level of the alert (e.g., Warning, Critical).
Tags: Optional labels that help categorize the rule.

Step 2: Write a Custom Falco Rule

Now, you’ll write a custom Falco rule that detects a specific security scenario. In this example, we’ll create a rule that detects any attempts to modify the /etc/passwd file, which could indicate an unauthorized attempt to gain elevated privileges.

Create a new YAML file for your custom rule:
```
touch falco-custom-rules.yaml
```

Open the file in your preferred text editor and add the following rule:

- rule: Unauthorized Access to /etc/passwd
  desc: Detects any attempt to modify the /etc/passwd file, which may indicate a privilege escalation attempt.
  condition: open_write and fd.name = "/etc/passwd"
  output: "Unauthorized access to /etc/passwd detected (user=%user.name command=%proc.cmdline)"
  priority: Critical
  tags: [filesystem, privilege_escalation]

Explanation:

The condition specifies that the rule will trigger if there is an attempt to write (open_write) to the /etc/passwd file.
The output message provides details about the user and command involved in the event.
The priority is set to Critical due to the potential severity of the action.

Step 3: Load the Custom Rule into Falco

To apply your custom rule, you need to load it into Falco. This is typically done by adding the custom rule to Falco’s configuration.

Create a ConfigMap in Kubernetes to hold your custom rules:

kubectl create configmap falco-custom-rules --from-file=falco-custom-rules.yaml -n falco

Edit the Falco DaemonSet to include your custom rules. You’ll need to modify the Falco deployment to mount the ConfigMap containing your custom rules.
- First, open the Falco DaemonSet configuration for editing:
  kubectl edit daemonset falco -n falco
- Add a volume to the DaemonSet that mounts the ConfigMap:
  volumes: - name: falco-custom-rules configMap: name: falco-custom-rules
- Then, mount the volume in the Falco container:
  volumeMounts: - mountPath: /etc/falco/rules.d/falco-custom-rules.yaml name: falco-custom-rules subPath: falco-custom-rules.yaml
Save and exit the editor. Kubernetes will automatically update the Falco pods with the new configuration.

Step 4: Test the Custom Rule

Now that your custom rule is loaded, you can test it by simulating an event that should trigger the rule.

Start a test pod with an interactive shell:

kubectl run -it --rm test-shell --image=busybox -- sh

Inside the shell, try to modify the /etc/passwd file:
```
echo "fakeuser:x:1001:1001::/home/fakeuser:/bin/sh" >> /etc/passwd
```
This command simulates an unauthorized attempt to add a user to the /etc/passwd file.
Exit the shell.

Check the Falco logs to see if the custom rule was triggered:

kubectl logs -n falco -l app=falco

You should see an alert similar to the following:

18:45:23.123456789: Critical Unauthorized access to /etc/passwd detected (user=root command=sh -c echo "fakeuser:x:1001:1001::/home/fakeuser:/bin/sh" >> /etc/passwd)

Step 5: Fine-Tune the Rule (Optional)

Depending on your environment, you may need to fine-tune the rule to reduce false positives or make it more specific.

Refine the Condition:
- You could adjust the condition to only trigger on certain processes or users, making the rule more targeted.
Test Various Scenarios:
- Simulate different scenarios, such as legitimate modifications by system administrators, to ensure that the rule only triggers on truly unauthorized attempts.

Step 6: Clean Up

After completing the lab, clean up the resources you created.

Delete the test pod (if not already removed):
```
kubectl delete pod test-shell
```
Optionally, remove the custom rule:
```
kubectl delete configmap falco-custom-rules -n falco
```
- Edit the Falco DaemonSet to remove the volume mount if you’re not keeping the custom rule:
  kubectl edit daemonset falco -n falco
- Remove the corresponding entries for the falco-custom-rules volume and volume mount.

Conclusion:

In this lab, you successfully wrote and tested a custom Falco rule to detect unauthorized modifications to the /etc/passwd file. This exercise demonstrated how to extend Falco’s monitoring capabilities by creating rules tailored to your specific security needs. You also learned how to load custom rules into Falco and validate their effectiveness through testing. With this knowledge, you can now create and deploy custom rules to enhance the security monitoring of your Kubernetes environment.

PreviousDeploying Falco on a Kubernetes Cluster NextIntegrating Falco with a SIEM System

Last updated 9 months ago

- rule: Unauthorized Access to /etc/passwd desc: Detects any attempt to modify the /etc/passwd file, which may indicate a privilege escalation attempt. condition: open_write and fd.name = "/etc/passwd" output: "Unauthorized access to /etc/passwd detected (user=%user.name command=%proc.cmdline)" priority: Critical tags: [filesystem, privilege_escalation]