Demonstrating how you can take an action to your intrusions detected by Falco using OpenFaaS functions

OpenFaaS k3s Falco CIVO

Kubernetes Response Engine powered by OpenFaaS

Although Falco can be used to detect any intrusion attempts and sends alerts to channels according to the given rules afterwards, it does not have any remediation system. This is why we need something called Kubernetes Response Engine. It simply aims to catch alerts and take actions on it. These actions can be designed as fine-grained serverless functions.

Think of a scenario you want to take action to your alerts that being notified by Falco, but the important thing that we should notice here is we are going to do different things for the different levels of alerts. For example, we are going to send the notification for notice level alert but for the warning level alert we are going to delete the pod, the overall architecture will be like this:

                +-----------+
                |   Falco   +
                +-----^-----+
                      |
              +-------v-------+
              >   OpenFaaS    +
              +-------v-------+
+-----------+         |          +-----------+
| notify-fn <---------+----------> delete-fn |
+-----v-----+ notice     warning +-----+-----+
      |                                |
      | send alert          delete pod |
      |                                |
+-----v-----+                    +-----v-----+       
|   Slack   |                    | Pwned Pod |
+-----------+                    +-----------+

🎁 Table of Contents

Prerequisites

  • civo cli v0.7.6
  • Helm v3.5.1
  • faas-cli
  • kubectl v1.20.2

We are going to do this demo on macOS Catalina 1.15.7, you can find the prerequisites on brew.

Target Audience

If you want to:

  • Set up a K3S cluster on CIVO
  • Set up the Falco
  • Create custom serverless functions using OpenFaaS
  • Subscribe Falco events from serverless functions

What is ...?

CIVO

Built for speed and simplicity, with K3s under the hood

Join the #Kube100 beta: Apply to join today (Get free credit to test-drive the world’s first K3s-powered, managed Kubernetes service)

  • Simple, fast and powerful

Spin up Kubernetes in under 2 minutes, without the bloat, using the lightweight K3s distribution

  • Management CLI

Manage your clusters with the custom-built CLI and streamline your deployment with simple REST API.

  • Application marketplace

Launch clusters with preinstalled applications, or install on the fly using Civo's Kubernetes marketplace.

  • Bandwidth Pooling

Use all your bandwidth allowance across all your Civo services. Only pay for what you use.

  • Marketplace

Install applications quickly and easily to your clusters during or after set up with Civo marketplace. Also you can contribute an application to marketplace

  • Custom Firewalls

Configure custom firewalls from your Civo dashboard using OpenStack’s security groups.

K3S

The certified Kubernetes distribution built for IoT & Edge computing

  • Perfect for Edge

K3s is a highly available, certified Kubernetes distribution designed for production workloads in unattended, resource-constrained, remote locations or inside IoT appliances. Simplified & Secure

  • Simplified & Secure

K3s is packaged as a single <40MB binary that reduces the dependencies and steps needed to install, run and auto-update a production Kubernetes cluster.

  • Optimized for ARM

Both ARM64 and ARMv7 are supported with binaries and multiarch images available for both. K3s works great from something as small as a Raspberry Pi to an AWS a1.4xlarge 32GiB server.

Falco

Cloud-Native runtime security, de facto Kubernetes threat detection engine

  • Strengthen container security

The flexible rules engine allows you to describe any type of host or container behavior or activity.

  • Reduce risk via immediate alerts

You can immediately respond to policy violation alerts and integrate Falco within your response workflows.

  • Leverage most current detection rules

Falco out-of-the box rules alert on malicious activity and CVE exploits.

OpenFaaS

OpenFaaS® makes it simple to deploy both functions and existing code to Kubernetes

  • Anywhere

Avoid lock-in through the use of Docker. Run on any public or private cloud.

  • Any code

Build both microservices & functions in any language. Legacy code and binaries.

  • Any scale

Auto-scale for demand or to zero when idle.

Hands-on Demonstration

Create CIVO Playground

civo_dashboard_settings

$ civo apikey save my-awesome-key $KEY
Saved the API Key $KEY as my-awesome-key
$ civo apikey list
+----------------+---------+
| Name           | Default |
+----------------+---------+
| my-awesome-key | $KEY    |
+----------------+---------+
$ civo apikey current my-awesome-key
Set the default API Key to be my-awesome-key
  • Create a cluster
$ civo kubernetes create playground --size=g3.k3s.medium --nodes=3 --region NYC1 --wait
Created Kubernetes cluster playground
$ civo kubernetes show playground
          ID : 79435efe-2dac-403d-bfd2-f6644988830a
        Name : playground
       Nodes : 3
        Size : g3.k3s.medium
      Status : ACTIVE
     Version : 1.20.0-k3s2
API Endpoint : https://212.2.243.151:6443
   Master IP : 212.2.243.151
DNS A record : 79435efe-2dac-403d-bfd2-f6644988830a.k8s.civo.com
Nodes:
+-------------+---------------+--------+---------------+-----------+------+----------+
| Name        | IP            | Status | Size          | Cpu Cores | Ram  | SSD disk |
+-------------+---------------+--------+---------------+-----------+------+----------+
| master-7c8a | 212.2.243.151 | ACTIVE | g3.k3s.medium |         2 | 4096 |       25 |
| node-04ed   |               | ACTIVE | g3.k3s.medium |         2 | 4096 |       25 |
| node-5258   |               | ACTIVE | g3.k3s.medium |         2 | 4096 |       25 |
+-------------+---------------+--------+---------------+-----------+------+----------+

civo_dashboard_settings

  • Configure the playground
$ civo kubernetes config playground --save --local-path ./kubeconfig
Access your cluster with:
KUBECONFIG=./kubeconfig kubectl get node
  • Ensure all is OK
$ export KUBECONFIG=./kubeconfig
$ kubectl get node
NAME                                  STATUS   ROLES                  AGE   VERSION
k3s-playground-66b18d51-node-04ed     Ready    <none>                 40h   v1.20.2+k3s1

You can find more details about civo cli here.

  • Set up OpenFaaS

You can install OpenFaaS from Civo marketplace -

or via helm

$ helm repo add openfaas https://openfaas.github.io/faas-netes/
$ kubectl create namespace openfaas-fn
$ helm upgrade openfaas --install openfaas/openfaas \
    --namespace openfaas --create-namespace \
    -f openfaas-override.yaml
Release "openfaas" does not exist. Installing it now.
NAME: openfaas
LAST DEPLOYED: Thu Mar  4 14:28:32 2021
NAMESPACE: openfaas
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
To verify that openfaas has started, run:

  kubectl -n openfaas get deployments -l "release=openfaas, app=openfaas"
  • Set up Falco
$ helm repo add falcosecurity https://falcosecurity.github.io/charts
$ helm upgrade falco --install falcosecurity/falco \
--namespace falco --create-namespace \
-f override.yaml
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: ./kubeconfig
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: ./kubeconfig
Release "falco" does not exist. Installing it now.
NAME: falco
LAST DEPLOYED: Thu Mar  4 14:34:54 2021
NAMESPACE: falco
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Falco agents are spinning up on each node in your cluster. After a few
seconds, they are going to start monitoring your containers looking for
security issues.


No further action should be required.


Tip:
You can easily forward Falco events to Slack, Kafka, AWS Lambda and more with falcosidekick.
Full list of outputs: https://github.com/falcosecurity/charts/falcosidekick.
You can enable its deployment with `--set falcosidekick.enabled=true` or in your values.yaml.
See: https://github.com/falcosecurity/charts/blob/master/falcosidekick/values.yaml for configuration values.

After everyting is ok, configure the faas-cli in order to deploy functions.

export OPENFAAS_URL="http://79435efe-2dac-403d-bfd2-f6644988830a.k8s.civo.com:31112"

Let's see what functions present.

$ faas-cli list
Function                        Invocations     Replicas

You should see nothing.

NOTE: Don't forget to change Docker ID in the function's description files.

Now Deploy the functions.

$ faas-cli up -f dispatch-fn.yml
$ faas-cli up -f notifier-fn.yml
$ faas-cli up -f delete-pod-fn.yml
...

Once it's completed, you should see the pods that's running on openfaas-fn namespace, and you should also see functions by typing faas-cli list command.

$ faas-cli list
Function                        Invocations     Replicas
dispatch-fn                     37              1
notifier-fn                     23              1
delete-pod-fn                   0               1

$ kubectl get pods --namespace=openfaas-fn
Found existing alias for "kubectl get pods". You should use: "kgp"
NAME                             READY   STATUS    RESTARTS   AGE
dispatch-fn-b5b68df77-r7crl      1/1     Running   0          7m23s
notifier-fn-5fd846c887-hgpf4     1/1     Running   0          4m48s
delete-pod-fn-55cc89965c-fs55q   1/1     Running   0          37s

If everything works well, you should see the Slack messages in the #falco-alert channel. Here is the screenshot above that shows this.

Learn more about how you can set up a Slack workspace from this link.

falco_alerts

The next thing that you need to do this, you should create an alert at Warning level, in order to that, you need to create a Pod based on the alpine image, and you should connect to it, and access some important folders like /etc/shadow. Once this is done, you should notice that the Pod gets killed by the delete-pod-fn function.

Let's test it with creating a Pod.

$  kubectl run alpine -n default --image=alpine --restart='Never' -- sh -c "sleep 600"
Found existing alias for "kubectl". You should use: "k"
pod/alpine created

Connect to it.

$ kubectl exec -ti alpine -- sh
Found existing alias for "kubectl exec -ti". You should use: "keti"
/ #

Once you connect it, open a second terminal and watch the state of the Pod.

$ watch kubectl get pods
Every 2.0s: kubectl get pods
NAME     READY   STATUS    RESTARTS   AGE
alpine   1/1     Running   0          106s

Then, in the first terminal, run the cat /etc/shadow, then look at the second terminal, you should notice that Pod's status changed from Running to Terminating, and your connection to the Pod is lost. pod_delete

Owner
Batuhan Apaydın
👨🏻‍💻 researcher, enthusiastic, technologist and life-long learner software engineer❗️⭐️
Batuhan Apaydın
Similar Resources

There is a certain amount of work to be done before you can implement the features of your Go powered CLI app

go-project-template-cli There is a certain amount of work to be done before you can implement the features of your Go powered CLI app. A few of those

Jan 23, 2022

lls is lightweight ls. Using lls, you can get a list of files in a directory that contains a large number of files.

lls lls is lightweight ls. Using lls, you can get a list of files in a directory that contains a large number of files. How? You allocate a buffer for

Dec 29, 2022

A CLI to replace your git commit command, so your git message can partially follow the Conventional Changelog ecosystem

A CLI to replace your git commit command, so your git message can partially follow the Conventional Changelog ecosystem

COMMIT CLI A CLI to replace your git commit command, so your git message can partially follow the Conventional Changelog ecosystem. And yes, it is bui

Feb 9, 2022

Allows you to use the magic remote on your webOS LG TV as a keyboard/mouse for your Linux machine

magic4linux Allows you to use the magic remote on your webOS LG TV as a keyboard/mouse for your PC Linux machine. This is a Linux implementation of th

Nov 25, 2022

A very simple note-taking CLI you can use from the terminal that uses a SQLite DB to persist, and query, notes.

Note Logger Summary A very simple note-taking CLI you can use from the terminal that uses a SQLite DB to persist, and query, notes. Building/Installin

Apr 14, 2022

The Discord terminal client you never knew you wanted.

The Discord terminal client you never knew you wanted.

I AM CLOSING DOWN THE CORDLESS PROJECT Hey, so I know this is somewhat of a bummer, but I got banned because of ToS violation today. This seemed to be

Jan 7, 2023

Golisp-wtf - A lisp interpreter (still just a parser) implementation in golang. You may yell "What the fuck!?.." when you see the shitty code.

R6RS Scheme Lisp dialect interpreter This is an implementation of a subset of R6RS Scheme Lisp dialect in golang. The work is still in progress. At th

Jan 7, 2022

Display a message in morse code on your capslock LED, keyboard backlight or using your screen brightness!

Display a message in morse code on your capslock LED, keyboard backlight or using your screen brightness!

halp halp is a command line utility that lets you display messages in morse code on your capslock LED, keyboard backlight (if you have it) or using yo

Jan 26, 2022

Watch your favourite anime using the video player of your choice directly from the command line

anime-cli Watch your favourite anime using the video player of your choice direc

Feb 10, 2022
A command line tool that builds and (re)starts your web application everytime you save a Go or template fileA command line tool that builds and (re)starts your web application everytime you save a Go or template file

# Fresh Fresh is a command line tool that builds and (re)starts your web application everytime you save a Go or template file. If the web framework yo

Nov 22, 2021
yq lets you read YAML files easily on the terminal. You can find key/values easily
yq lets you read YAML files easily on the terminal. You can find key/values easily

yq yq lets you read YAML files easily on the terminal. You can find key/values easily. Motivation Reading yaml configurations for k8s file becomes ard

Nov 2, 2021
A simple CLI app to take notes daily on markdown file
A simple CLI app to take notes daily on markdown file

A simple CLI app to take notes daily on markdown file

Jul 29, 2022
📝 Take notes quickly and expeditiously from terminal
📝 Take notes quickly and expeditiously from terminal

Installation See the last release, where you can find binary files for your ecosystem Curl: curl -sfL https://raw.githubusercontent.com/anonistas/noty

Dec 29, 2022
Are you programming and suddenly your stomach is rumbling? No problem, order your Ifood without leaving your favorite text editor ❤️

vim-ifood Você ta programando e de repente bateu aquela fome? Sem problemas, peça seu Ifood sem sair do seu editor de texto favorito ❤️ Are you progra

Jun 2, 2022
A CLI tool that you can use create regular backups of your Notion.so Pages.

notion-offliner A CLI tool that you can use create regular backups of your Notion.so Pages. Perfect for disaster scenarios and offline usage. MacOS an

Jan 3, 2023
A password manager as a CLI, where you can use a master password to retrieve a specified password and store it in your clipboard
A password manager as a CLI, where you can use a master password to retrieve a specified password and store it in your clipboard

Password manager Description CLI to store and retrieve passwords. The retrieved password will be stored on your clipboard! Usage 1.Start with Go go ru

Dec 16, 2021
Todo-cmd: an app you can add your tasks , edit or delete them

TODO CMD APP! ??‍♂️ Table of contents General info Update Requirements set-up usage General info todo-cmd is an app you can add your tasks , edit or d

Dec 13, 2021
A simple tool which you can use to move through your directories from the command line

Fe What is Fe ? Fe is a simple tool which you can use to move through your direc

Jan 1, 2022
You can write slowly your words.
You can write slowly your words.

You can write slowly your words. Type Writer function with golang Usage 1 Daktilo(text(string), milliseconds(int)) Usage 2 Daktilo(text(string)) go ru

Jan 18, 2022