Security Monitoring with Sysdig Falco

In May 2016, the developers of Sysdig released Falco, a tool for detecting anomalous system behavior.

Falco consists of two main components: the sysdig_probe kernel module (which Sysdig also runs on) and the daemon for writing the information it collects to the disk.

Falco tracks applications according to user-defined rules, and if any anomalies are detected, it writes the information to a standard output, syslog, or user-defined file. in their blog, the developers jokingly call Falco “…a hybrid of snort, ossec and strace,” and position it as a simple IDS that puts almost no additional load on the system.

Our definition is a bit different. Instead, we would characterize Falco as an extremely capable auditing tool. It can track the same events as the Linux audit subsystem, but that’s not all. Some of the events it can track include:

• command shell launches within containers
• non-device file entries in the /dev catalog (something some rootkits do)
• irregular network connections initiated by applications
• attempts to change files in key directories, like /etc/passwd
• irregular events in independent applications

On its own, Falco doesn’t offer any kind of security, it only gathers information on system events under the given conditions. Certain conclusions can be drawn from this information and if necessary, additional measures can be taken.

Installation

Before installing Falco, we have to add the proper repositories (all command line examples are given for Ubuntu 16.04):

$ curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add -
$ curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/stable/deb/draios.list
$ sudo apt-get update

We also need to install kernel headers:

$ sudo apt-get -y install linux-headers-$(uname -r)

Afterwards, we install Falco and add the sysdig_probe module to the kernel:

$ sudo apt-get -y install falco
$ modprobe sysdig-probe

And our installation is complete. Now we can launch Falco:

$ sudo service falco start

Information about all of the detected system events will be written to syslog. Falco can also be launched in live mode:

$ falco

All information about suspicious activity will be written as a standard output. The default rules and settings are enough to get started.
Rules for every situation fathomable are written to /etc/falco_rules.yaml. There are even pre-written rules for a wide variety of applications and services: MySQL, MongoDB, CouchDB, Fluentd, Elasticsearch, and more.

Existing rules can always be changed and new rules added if need be. Let’s take a look at Falco’s configuration file.

Initial Configuration

Falco’s basic configuration is saved to /etc/falco.yaml. The default settings should look like the following:

# File containing Falco rules, loaded at startup.
rules_file: /etc/falco_rules.yaml
 
# Whether to output events in json or text
json_output: false
 
# Send information logs to stderr and/or syslog Note these are *not* security
# notification logs! These are just Falco lifecycle (and possibly error) logs.
log_stderr: true
log_syslog: true
 
 
# Where security notifications should go.
# Multiple outputs can be enabled.
 
syslog_output:
  enabled: true
 
file_output:
  enabled: false
  filename: ./events.txt
 
stdout_output:
  enabled: true
 
program_output:
  enabled: false
  program: mail -s "Falco Notification" someone@example.com

As we can see, this file shows us what file rules are saved to, the output format (plain text or json), and where information about anomalies should be written. Falco can write messages to a standard output, syslog, or user-defined text file.

Rules and Syntax

The file /etc/falco_rules.yaml contains rules that define what behavior Sysdig Falso should pay special attention to. Below is a fragment from this file:

- rule: write_etc
 desc: an attempt to write to any file below /etc, not in a pipe installer session
 condition: write_etc_common and not proc.sname=fbash
 output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
 priority: WARNING

Everything here is fairly straightforward: this rule states that Flaco should inform us about any attempt to open a file in the /etc directory for writing (except for cases where the file in /etc is created when installing a program).

Each rule contains the following fields:

• desc — an arbitrary description of the rule
• condition — the condition under which a rule is activated (the standard Sysdig syntax is used to write conditions; for more information, see the official documentation or our article)
• output — the output to be displayed when a rule is activated
• priority — priority level (INFO, WARNING, ALERT, DEBUG, CRITICAL)

Let’s see how this rule works. We’ll launch Falco in live mode:

$ falco

In another terminal, we’ll try to open a file from the /etc directory. We’ll see that messages are written in a standard output:

12:43:52.640375428: Warning File below /etc opened for writing (user=useri command=nano /etc/default/grub file=/etc/default/.grub.swp)
12:43:52.640973730: Warning File below /etc opened for writing (user=useri command=nano /etc/default/grub file=/etc/default/grub)

If we stop Falco by pressing Ctrl+C, a short summary will be printed out in the console about the events detected:

Events detected: 2
Rule counts by severity:
   Error: 0
   Warning: 2
   Informational: 0
Triggered rules by rule name:
   write_etc: 2

Let’s look at another example and see how Flaco can be used to audit system events in containers.

Monitoring Containers

Sysdig Falco is good for monitoring what happens inside containers. Let’s look at how this works.

We create a Docker container:

$ docker pull:ubuntu 14.04

Afterwards, we add an additional rule to /etc/falco_rules.yaml (our example comes from here):

- rule: system_binaries_network_activity_container
desc: any network activity performed by system binaries that are not expected to send or receive any network traffic in a container
condition: ((inbound or outbound) and (fd.sockfamily = ip)) and fd.name != '' and container
output: "Suspicious binary sent/received network traffic from container=%container.id (user=%user.name command=%proc.cmdlin
e connection=%fd.name type=%evt.type)"
priority: WARNING

We save these changes and relaunch Falco. Afterwards, we enter the container:

$ docker run --rm -it ubuntu:14.04 /bin/bash

Inside the container we run the command:

$ ping ya.ru

On the main host, the following messages will pop up in the syslog:

16:08:56.944164593: Warning Suspicious binary sent/received network traffic from container=0b86d8efdf0a (user=root command=ping ya.ru connection=172.17.0.2:47776->123.45.67.89:53 type=connect)
16:08:56.945398068: Warning Suspicious binary sent/received network traffic from container=0b86d8efdf0a (user=root command=ping ya.ru connection=172.17.0.2:38643->123.45.67.89:1025 type=connect)

They contain the container id, the user name, and the command that caused the network connection to initiate.

Conclusion

Sysdig Falco is an interesting and perspective tool. It has the same features as Sysdig: flexibility, comfortable rule syntax, and easy-to-read outputs. It can be used for collecting a lot of valuable system information, which we wouldn’t be able to get from other tools.
If you’ve used Falco, please share your experience in the comments below.

For anyone interested in learning more, here are several useful links:

• https://github.com/draios/falco — the official Falco repository on GitHub
• https://github.com/draios/falco/wiki — the official Falco documentation
• https://sysdig.com/blog/tag/falco/ — a series of articles on Falco from the Draios company blog
• https://www.youtube.com/watch?v=flcu2Mz9bpo — a brief lecture on Sysdig Falco