Container Runtime Security: Threat Detection with Falco
Image scanning is not enough. What happens at runtime? A shell spawned inside a container, crypto mining, data exfiltration: detect these in real time.
Why Runtime Security?
Image scanning only catches known vulnerabilities. Runtime threats include:
- Zero-day exploits
- Malicious insider
- Compromised credentials
- Supply chain attacks
- Misconfigurations
What Is Falco?
A CNCF project. Kernel-level system call monitoring, behaviour analysis and anomaly detection.
Installation (Kubernetes)
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco \
--namespace falco \
--create-namespace \
--set falcosidekick.enabled=true
Default Rules
Falco ships with 100+ built-in rules, for example:
- Shell in Container: Unexpected shell spawn
- Write below /etc: System file modification
- Read sensitive files: /etc/shadow access
- Outbound connection: Unexpected network
- Privilege escalation: sudo, setuid calls
- Crypto mining: Known miner processes
Custom Rules
# /etc/falco/falco_rules.local.yaml
- rule: Unauthorized Process in Container
  desc: Detect unexpected process execution
  condition: >
    spawned_process and
    container and
    container.image contains "nginx" and
    not proc.name in (nginx, sh, bash)
  output: >
    Unexpected process in nginx container
    (user=%user.name process=%proc.name container=%container.name)
  priority: WARNING
  tags: [container, process]

- rule: Database Access from Web Container
  desc: Web container should not access database directly
  condition: >
    outbound and
    container.image contains "frontend" and
    fd.sip = "10.0.1.5" and
    fd.sport = 5432
  output: >
    Frontend container accessing database directly
    (container=%container.name dest=%fd.sip:%fd.sport)
  priority: CRITICAL
Integration: Falcosidekick
To forward alerts:
# values.yaml
falcosidekick:
  enabled: true
  config:
    slack:
      webhookurl: "https://hooks.slack.com/services/XXX"
      minimumpriority: "warning"
    elasticsearch:
      hostport: "http://elasticsearch:9200"
      index: "falco"
    prometheus:
      extralabels: "cluster:production"
Slack notifications + Elasticsearch logging + Prometheus metrics.
Response Automation
Falco → Falcosidekick → Kubeless function:
# Auto-kill suspicious pod
# Kubeless handler signature is (event, context); Falcosidekick's Kubeless output
# delivers the Falco JSON alert as the request body, which Kubeless exposes as event['data'].
from kubernetes import client, config

def kill_pod(event, context):
    alert = event['data']
    fields = alert['output_fields']
    pod_name = fields['k8s.pod.name']   # the pod object to delete; container.name is not the pod name
    namespace = fields['k8s.ns.name']
    if alert['priority'] == 'Critical':
        config.load_incluster_config()  # use the function pod's service account
        client.CoreV1Api().delete_namespaced_pod(pod_name, namespace)
        print(f"Killed suspicious pod: {pod_name}")  # Slack delivery is already handled by Falcosidekick
    return {'status': 'ok'}
Monitoring & Tuning
Reducing False Positives:
- Learn the baseline behaviour (1-2 weeks)
- Disable or tune noisy rules
- Whitelist legitimate processes
- Adjust priority levels
Performance Impact:
- CPU overhead: 2-5%
- Memory: 100-200MB per node
- Negligible; production safe
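As an added example (not code from this post or from the Falco project), a small Python processor for Falco JSON events that applies a tuning allowlist before the automated response step and only chooses pod deletion for events at or above a priority threshold that actually carry Kubernetes pod fields; the allowlist entries, pod names and sample events are constructed.

```python
import json

# Falco priority names, most severe first (as Falco writes them in JSON output)
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]

# Tuning allowlist (hypothetical entries): (rule name, proc.name) pairs that are
# legitimate in this cluster and must never trigger an automated response.
ALLOWLIST = {("Unauthorized Process in Container", "nginx-debug")}


def at_least(priority, threshold):
    """True if `priority` is as severe as `threshold` or more severe."""
    return PRIORITIES.index(priority) <= PRIORITIES.index(threshold)


def decide(event_json, kill_threshold="Critical"):
    """Map one Falco JSON event to a response decision."""
    ev = json.loads(event_json)
    fields = ev.get("output_fields", {})
    if (ev["rule"], fields.get("proc.name")) in ALLOWLIST:
        return {"action": "ignore", "rule": ev["rule"], "reason": "allowlisted"}
    pod, ns = fields.get("k8s.pod.name"), fields.get("k8s.ns.name")
    if pod and ns and at_least(ev["priority"], kill_threshold):
        # k8s.pod.name is the object to delete; container.name is only the runtime name
        return {"action": "delete_pod", "rule": ev["rule"], "pod": pod, "namespace": ns}
    # Host-level events (no pod fields) and lower priorities are only alerted on
    return {"action": "alert", "rule": ev["rule"], "priority": ev["priority"]}


# Constructed sample events in the shape Falco emits with json_output enabled
SAMPLE_EVENTS = [
    json.dumps({"rule": "Unauthorized Process in Container", "priority": "Warning",
                "output_fields": {"proc.name": "curl", "k8s.ns.name": "web",
                                  "k8s.pod.name": "nginx-7d9f-abc12"}}),
    json.dumps({"rule": "Unauthorized Process in Container", "priority": "Warning",
                "output_fields": {"proc.name": "nginx-debug", "k8s.ns.name": "web",
                                  "k8s.pod.name": "nginx-7d9f-abc12"}}),
    json.dumps({"rule": "Database Access from Web Container", "priority": "Critical",
                "output_fields": {"proc.name": "python3", "k8s.ns.name": "web",
                                  "k8s.pod.name": "frontend-5c8b-xyz98",
                                  "fd.sip": "10.0.1.5", "fd.sport": 5432}}),
    json.dumps({"rule": "Write below etc", "priority": "Critical",
                "output_fields": {"proc.name": "vi", "fd.name": "/etc/hosts"}}),
]


def process(lines):
    """Run every event through decide(); returns one decision per input line."""
    return [decide(line) for line in lines]
```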
Best Practices
- Defense in Depth: image scanning + runtime security + network policies
- Least Privilege: non-root containers, read-only filesystem
- Audit Logging: Falco events → SIEM (Splunk, Elastic)
- Incident Response: a runbook for every alert
- Regular Updates: keep Falco rules up to date
Alternative Tools
- Sysdig Secure: Commercial, Falco-based
- Aqua Security: Full platform
- Prisma Cloud: Palo Alto Networks
- StackRox (Red Hat): K8s-native
Conclusion
Runtime security means proactive threat detection and a defence against zero-days. Devups: container security audit.