
The Eye of Falco: You Can Escape but Not Hide

2022-10-25

Authors: Stefano Chierici, Lorenzo Susini


Summary

The presentation discusses how Falco, an open-source project for runtime security, can be extended to monitor capabilities and detect potential malicious behavior in Kubernetes clusters.
  • Falco is an open-source project for runtime security that has become the de facto standard for Kubernetes security.
  • Capabilities in Kubernetes can create a gray area in security monitoring, and Falco can be extended to monitor capabilities and detect potential malicious behavior.
  • The presenters created two rules using Falco to detect excessive capabilities in new containers and modifications to the release agent file.
  • Falco only monitors runtime security and does not consider configuration changes in the YAML files.
  • Falco can be deployed on Kubernetes using official charts and packages.
The presenters explained how attackers can modify the cgroup release agent file from inside a container in a Kubernetes cluster to inject malicious code. They created a Falco rule to detect modifications to the release agent file: it raises a security alert when the file is opened for writing from a container that holds the CAP_SYS_ADMIN capability and the writing user is root.
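The two detections described above, written as Falco rules. This is an added example, not the presenters' rules and not the rules shipped with Falco: it assumes the `open_write`, `container` and `container_started` macros from the upstream default rule set are loaded, that the `thread.cap_effective` / `thread.cap_permitted` fields are available (Falco 0.32 or later), and the `allowed_capable_images` list holds a constructed placeholder image name.

```yaml
# Added example rules (not from the talk). Assumes the default falco_rules.yaml
# macros open_write, container and container_started are loaded, and that the
# thread.cap_* fields are supported by the running Falco version.

# Workloads that legitimately need strong capabilities; placeholder entry,
# replace with the images used in your cluster.
- list: allowed_capable_images
  items: [docker.io/example/cni-agent]

# Rule 1: the release_agent file is written from inside a container.
# Matches the conditions in the summary: open for write, CAP_SYS_ADMIN
# in the effective set, and uid 0. The kernel runs release_agent on the
# host, so a write from a container is treated as an escape attempt.
- rule: Release agent file modified in container
  desc: >
    A process in a container opened a cgroup release_agent file for
    writing while running as root with CAP_SYS_ADMIN in its effective
    capability set.
  condition: >
    open_write and container
    and fd.name endswith release_agent
    and user.uid = 0
    and thread.cap_effective contains CAP_SYS_ADMIN
  output: >
    release_agent file modified in container (user=%user.name user_uid=%user.uid
    command=%proc.cmdline file=%fd.name cap_effective=%thread.cap_effective
    container_id=%container.id image=%container.image.repository)
  priority: CRITICAL
  tags: [container, privilege_escalation]

# Rule 2: a new container starts with capabilities that are rarely needed
# and that make escapes easier. The capability list is an assumption;
# tune it to the workloads you actually run.
- rule: Container started with excessive capabilities
  desc: >
    The first process of a new container holds CAP_SYS_ADMIN, CAP_SYS_MODULE
    or CAP_SYS_PTRACE in its permitted set and the image is not on the
    allow list.
  condition: >
    container_started and container
    and (thread.cap_permitted contains CAP_SYS_ADMIN
         or thread.cap_permitted contains CAP_SYS_MODULE
         or thread.cap_permitted contains CAP_SYS_PTRACE)
    and not container.image.repository in (allowed_capable_images)
  output: >
    Container started with excessive capabilities (cap_permitted=%thread.cap_permitted
    container_id=%container.id image=%container.image.repository command=%proc.cmdline)
  priority: WARNING
  tags: [container, privilege_escalation]
```

Load the file with `falco -r /path/to/these_rules.yaml` alongside the default rules so the referenced macros resolve. The second rule fires on container start, before any escape is attempted, which matches the talk's point that Falco sees only runtime events: a pod spec that grants CAP_SYS_ADMIN is caught when its container actually launches, not when the YAML is applied.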

Abstract

Container technologies rely on features like namespaces, cgroups, seccomp filters, and capabilities to isolate different services running on the same host. However, SPOILER ALERT: container isolation isn’t bulletproof. As in other security environments, isolation is followed by red-teamer questions such as, “How can I de-isolate from this?” Designed with the principle of least privilege in mind, capabilities provide a way to isolate containers by splitting the power of the root user into multiple units. However, having lots of capabilities introduces complexity and a consequent increase in excessively misconfigured permissions and container escape exploits, as we have seen in recently discovered CVEs. Fortunately, using Falco, a CNCF container runtime security tool, it’s possible to monitor Linux capabilities, detect misconfigured containers, and proactively respond to secure environments. In this talk, we explain how you can use Falco to detect and monitor container escape techniques based on capabilities. We walk through real-world scenarios based on recent CVEs to show where Falco can help detect and automatically respond to those behaviors.

Materials: