Defining custom rules

Falco rules can be extended by adding our own rules. In this recipe, we will deploy a simple application and create a new rule to detect a malicious application accessing our database.

Perform the following steps to create an application and define custom rules for Falco:

  1. Change to the src/chapter9/falco directory, which is where our examples are located:
$ cd src/chapter9/falco
  2. Create a new falcotest namespace:
$ kubectl create ns falcotest
  3. Review the YAML manifests and deploy them using the following commands. These commands will create a MySQL pod, a web application, a client that we will use to ping the application, and their services:
$ kubectl create -f mysql.yaml
$ kubectl create -f ping.yaml
$ kubectl create -f client.yaml
  4. Now, use the client pod with the default credentials of bob/foobar to send a ping to our application. As expected, we will be able to authenticate and complete the task successfully:
$ kubectl exec client -n falcotest -- curl -F "s=OK" -F "user=bob" -F "passwd=foobar" -F "ipaddr=localhost" -X POST http://ping/ping.php
  5. Edit the falco_rules.local.yaml file:
$ vim config/falco_rules.local.yaml
  6. Add the following rule to the end of the file and save it. The condition uses the spawned_process and container macros plus the Kubernetes metadata fields, and only fires for process names outside the allow list:
    - rule: Unauthorized process
      desc: There is a running process not described in the base template
      condition: spawned_process and container and k8s.ns.name=falcotest and k8s.deployment.name=ping and not proc.name in (apache2, sh, ping)
      output: Unauthorized process (%proc.cmdline) running in (%container.id)
      priority: ERROR
      tags: [process]
  7. Update the ConfigMap that's being used by the DaemonSet and recreate the pods so that they pick up the new configuration by running the following commands:
$ kubectl delete -f falco-daemonset-configmap.yaml
$ kubectl create configmap falco-config --from-file=config --dry-run --save-config -o yaml | kubectl apply -f -
$ kubectl apply -f falco-daemonset-configmap.yaml
  8. We will execute an injection attack (a SQL injection in the password field combined with a command injection in the ipaddr field) and read the file where our MySQL credentials are stored. Our new custom rule should be able to detect it:
$ kubectl exec client -n falcotest -- curl -F "s=OK" -F "user=bad" -F "passwd=wrongpasswd' OR 'a'='a" -F "ipaddr=localhost; cat /var/www/html/ping.php" -X POST http://ping/ping.php
  9. The preceding command will return the content of the PHP file. You will be able to find the MySQL credentials there:
3 packets transmitted, 3 received, 0% packet loss, time 2044ms
rtt min/avg/max/mdev = 0.028/0.035/0.045/0.007 ms
<?php
$link = mysqli_connect("mysql", "root", "foobar", "employees");
?>
  10. List the Falco pods:
$ kubectl get pods | grep falco-daemonset
falco-daemonset-5785b 1/1 Running 0 9m52s
falco-daemonset-brjs7 1/1 Running 0 9m52s
falco-daemonset-mqcjq 1/1 Running 0 9m52s
falco-daemonset-pdx45 1/1 Running 0 9m52s
  11. View the logs from one of the Falco pods:
$ kubectl exec -it falco-daemonset-94p8w bash
$ kubectl logs falco-daemonset-94p8w
  12. In the logs, you will see that Falco detected the unauthorized process (cat) that our command spawned inside the ping pod, rendered with the output format we defined:
05:41:59.9275580001: Error Unauthorized process (cat /var/www/html/ping.php) running in (5f1b6d304f99) k8s.ns=falcotest k8s.pod=ping-74dbb488b6-6hwp6 container=5f1b6d304f99

With that, you know how to add custom rules that use Kubernetes metadata such as k8s.ns.name and k8s.deployment.name. You can also use other filters; these are described in more detail in the Supported filters link in the See also section.
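To make the rule's condition logic concrete, the following is an added Python example (not Falco's code and not part of the original recipe): it parses the subset of Falco condition syntax that the rule above uses, evaluates it against a few constructed process events, and renders the %field placeholders of the output line. The spawned_process and container macros are simplified stand-ins for the upstream definitions, and the sample events are constructed to mirror the recipe's alert.

```python
import re
RULE = {  # this recipe's rule, with the same fields as the YAML entry
    "rule": "Unauthorized process",
    "condition": "spawned_process and container and k8s.ns.name=falcotest and "
                 "k8s.deployment.name=ping and not proc.name in (apache2, sh, ping)",
    "output": "Unauthorized process (%proc.cmdline) running in (%container.id)",
    "priority": "ERROR",
}
# Simplified stand-ins for the two upstream Falco macros the condition relies on.
MACROS = {
    "spawned_process": lambda e: e.get("evt.type") == "execve",
    "container": lambda e: e.get("container.id", "host") != "host",
}

def matches(condition, event, macros=MACROS):
    """Evaluate this rule's subset of Falco syntax: macros, =, !=, in (...), not, and."""
    toks = re.findall(r"\(|\)|!=|=|,|[^\s()=!,]+", condition)
    pos, result = 0, True
    while pos < len(toks):
        negate = toks[pos] == "not"
        pos += negate                              # skip the 'not' token if present
        name, pos = toks[pos], pos + 1
        nxt = toks[pos] if pos < len(toks) else None
        if name in macros:                         # macro: delegate to its predicate
            value = macros[name](event)
        elif nxt in ("=", "!="):                   # field comparison
            value = (event.get(name) == toks[pos + 1]) == (nxt == "=")
            pos += 2
        elif nxt == "in":                          # field in (v1, v2, ...)
            close = toks.index(")", pos)
            value = event.get(name) in (set(toks[pos + 2:close]) - {","})
            pos = close + 1
        else:
            raise ValueError(f"unsupported syntax near {name!r}")
        result = result and (value ^ negate)
        if pos < len(toks) and toks[pos] == "and": # 'or' is unsupported and errors out above
            pos += 1
    return result

def evaluate(rule, event):
    """Return the rendered alert line if the event matches the rule, else None."""
    if not matches(rule["condition"], event):
        return None
    text = re.sub(r"%([\w.]+)", lambda m: str(event.get(m.group(1), "<NA>")), rule["output"])
    return f"{rule['priority'].title()} {text}"
# Constructed sample events (Falco field names; values made up to mirror the recipe's alert).
CAT_IN_PING = {"evt.type": "execve", "container.id": "5f1b6d304f99", "k8s.ns.name": "falcotest",
               "k8s.deployment.name": "ping", "proc.name": "cat", "proc.cmdline": "cat /var/www/html/ping.php"}
APACHE_IN_PING = {**CAT_IN_PING, "proc.name": "apache2", "proc.cmdline": "apache2 -DFOREGROUND"}
CAT_ON_HOST = {**CAT_IN_PING, "container.id": "host"}
```

Only the cat event in the ping deployment produces an alert; the allow-listed apache2 process and the same command outside a container are silently ignored, which is the behaviour the recipe's log line shows.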
