From YouTube: Container Host Security Demo - Falco for GitLab 13.2
Description
This is a demo of the new Container Host Security feature available in GitLab 13.2. The feature embeds Falco to allow security analysts to monitor containers for potentially anomalous behavior and be confident that they were not compromised by a malicious actor.
https://gitlab.com/gitlab-org/gitlab/-/issues/218026
A
Hello, everyone, my name is Allen / chefs came, senior backend engineer from the defense team at GitLab, and today I'd like to show you a small demo of the Container Host Security feature, the integration with Falco. So this is just an MVC, the first step to achieve what we want to achieve for that feature. So, basically, we would like to present you the ability to integrate with Falco easily through GitLab CI/CD apps.
A
What it will give us: it will give us a way to monitor and detect potentially anomalous behavior, so I can make sure that my containers are not compromised by anyone. So in this short time, I would like to present you a few things. So let me start with the demo application that I'll be showing the project on. So the first thing will be the application, so we prepared a small application, Container Host Security demo, that basically is the Go
A
application, a Go web app that has a few things, a few potentially malicious things that you could find in unusual web applications. So someone can execute the code on the container or anything else. So this is what I would like to present you, so this is already deployed. We deployed it and it's real secure, so it looks like I can, for example, ping a device, so I can easily fill in gitlab.com and it will provide me a ping, but I can also do some malicious thing here
A
if I'll just escape the command to ping something and then provide my command that I would like to run. Okay, so let's then go to the second application that I would like to present here, and this is the Container Host Security cluster management project, and here I'm gonna talk shortly about what we need to do here to enable Falco in your cluster. So I already have configured the Kubernetes cluster and it's already enabled, available for the cluster management project. So here I have a print discussed earlier.
A
The most important thing here is that in advanced settings you need to enable the cluster management project and select the project that you'd like to manage your cluster we've worth two CS with the application. So it's already there, so I can use that. Then I can show you in the documentation what you need to do to install Falco.
A
So you need to specify, in the values YAML file, at the config for managed apps, that Falco has to be installed, and here you can also see that there are multiple additional options that you can have. For example, you can enable or disable eBPF support: if your cluster nodes are supporting eBPF, you could use them; if they're not supporting it, there are other ways to achieve what Falco can achieve. And you can specify your own custom rules.
A
You can specify the program output, so whatever is currently possible in the Falco Helm chart, which is here. So, if you'd like to see, you can go to falcosecurity charts and get the information on what you can specify in your Helm charts. You can do the same thing in our integration with Falco in GitLab as well. Alright, so let's go and let's enable everything and let's deploy it now.
A
So I have the Container Host Security cluster management project here, and let's go and edit the .gitlab-ci.yml file and then modify the managed apps files as well. Okay, so I'm going to the Web IDE, and here you see that I already have a template which has, like, managed cluster applications for it map, and since this is included, I need to specify additional information for that template to install the proper applications. So let's go to the config YAML file of this, and you see here that I have Falco and developers installed.
A
I can set this to true and then I can go to the Falco folder, and in the Falco folder I also have a values file that I can use, and here you can specify, for example, custom rules, if you would like to do something more than what's available by default for Falco. So we have a file integrity monitoring file. I can, for example, go to Cloud Native Security Hub and get things that are interesting for me. So, for example, I'm interested in file integrity monitoring using Falco, so I can copy those rules.
A
Well, let's copy this one, for example, and I can go here, I can paste it and I'm good to go. I can commit this one. This will trigger the new pipeline for me, and then we will be able to have file integrity monitoring, but for demo purposes I already did that, so we will not need to wait for it. So I already have the pipeline that was finished. The applications were automatically deployed and Falco was automatically deployed to the cluster.
A
So it's already there. So you can see that in the logs for the pipeline job we already have Falco installed, which is great, so I can now go and start working on the real demo part, right? Ok, so we have that one. Let's go to the console and let's see what it can do. Here, I'll just do kubectl
A
get pods, just to show you that I already have the application deployed for our demo, so Container Host Security demo, and I can also show that Falco is installed here. So that's great. Ok, now I can go and get logs from Falco, so I'm taking those logs by using the selector for an app, Falco. I'd like to get all the logs that I have, and I'm using a JSON query just to be able to output the things that are interesting for us right now. So, okay, all right!
A
So now we can go and do something for this one. Well, let's start with a simple example: let's say someone has access to your Kubernetes cluster and can, for example, start a shell script or run a shell. So I can do kubectl exec -it and the name of my pod that is here, and I can start a bash, right? And as soon as I did that, then in the Falco logs I already received information: oh, someone tried to do something nasty in your cluster.
A
So you see something is happening in the code, like a new file is created. Whenever something is going on within the apt management, that's reflected in Falco as well, so I'll just do apt install and captain, so I'll just install netcat. Here it's also reflected. Okay. We already have netcat here, so I can, for example, to fight. Okay. I would like to start netcat, and this will all be reflected in Falco, that network tool launched in the container.
A
So, let's go to our earlier deployed application that we have here. So, for example, let's do a very simple thing: I will just to test it laughs and I'll just create a new file in the root directory, test.gitlab. Okay, I'll submit this one and, as you can see, this was detected as well by Falco. This is happening because we already have a rule that is detecting that something is happening, and you can see there's the command line that we've used, so the first application that we've written in Go was supposed to do a ping.
A
So, and this was also reflected here, that someone tried to do that. There are plenty more functionalities and more behaviors that Falco can detect, and now we are happy to announce that you are able to install it easily using CI/CD apps in GitLab. So thank you. Thank you for everything. Have a nice day. Bye-bye.