Authors: Stefano Chierici, Lorenzo Susini
2022-10-25

tldr - powered by Generative AI

The presentation discusses how Falco, an open-source project for runtime security, can be extended to monitor capabilities and detect potential malicious behavior in Kubernetes clusters.
  • Falco is an open-source project for runtime security that has become the de facto standard for Kubernetes security.
  • Capabilities in Kubernetes can create a gray area in security monitoring, and Falco can be extended to monitor capabilities and detect potential malicious behavior.
  • The presenters created two rules using Falco to detect excessive capabilities in new containers and modifications to the release agent file.
  • Falco only monitors runtime security and does not consider configuration changes in the YAML files.
  • Falco can be deployed on Kubernetes using official charts and packages.
Conference:  ContainerCon 2022
Authors: Aviv Sasson
2022-06-22

Containers are glorified by the fact that no one can escape them, and frankly - escaping containers is a tricky and complex task that is impossible in most scenarios. Many security layers restrict the container in order to prevent an escape. But what are those layers? How do they work? What are their defaults? Can we modify them? Should we? This session will present the Linux kernel features and mechanisms that make up those layers, including Capabilities, Seccomp, SELinux, and AppArmor. It will discuss how container runtimes implement them to create a security stack that keeps the container tamed and whether it is possible to modify them for specific use cases, while explaining the security risks of such actions.