Behind The Scenes at OpenShift Commons
hosted by Michael Hausenblas
Falco Interview with Michael Ducy (Sysdig)
B
Sure, so I was going to show off a project called Falco. Falco is one of the newest projects in the CNCF sandbox, and what Falco focuses on is detecting abnormal behavior in container environments. So, if all of a sudden a database container starts making outbound connections to the Internet, or somebody's spawned an interactive shell inside of the container, how can you detect those things? So we kind of think of ourselves...
B
As you know, you have image scanning at the beginning to make sure that you're not getting vulnerabilities into the environment, and then we think of ourselves more at the runtime environment, where we can actually actively, at least, notify you about things. The interesting thing about Falco, and why we kind of wanted to join the CNCF, is there's two areas that we want to try and improve, and working with the community, or the broader community, would be important to do that. So the first one is, right.
B
Now, Falco only looks at system calls, so it has a kernel module that can take these system calls and turn them into an event stream. We want to have more event streams to where you can begin to apply the rules, for instance Kubernetes audit events, so you would have, you point your Kubernetes cluster to send audit events as a webhook over to Falco, and then you can write rules around that too.
B
So what we'll do in this demo is we're gonna detect an abnormal event; that event's going to get pushed off into NATS, and then we have subscribers in NATS which can do a variety of different things. So in this environment, what we're going to do is we're going to actually delete the pod where we saw the offending action take place. We have a number of these playbooks that we cover, that we published on the falcosecurity/falco GitHub repository, and you can have a function fire to do things like taint...
B
A
B
A
...messaging server, so it allows us to just kind of fire and forget the message over into the messaging server, and then you can have subscribers subscribe to that message, or that topic, as that's called, and then the nice thing is you can subscribe to different priorities of alerts. So you could subscribe to all alerts or you could just subscribe to specific alerts, and then that way what will happen is the subscribers to the topic will get that message off the NATS server and then they can take action on it.
B
So Kubeless basically allows us to take action. So let me actually show you the function that will fire. So it just allows us to load up a very, very small function to take action, and so you can see here, what we have is this function right here is the one that will fire. It's delete pod, so we get the event in off of NATS.
B
Exactly, okay, and just to give you, I'll just show you some of the rules that we're gonna trigger in this environment, and kind of give you an overview of how rules work. So, make this a bit larger. So we have some custom rules that we created. The first thing that we created is what's called a macro, so this is what the rules' conditions look like, and what we were doing here is creating a macro.
B
This allows us to use this macro over and over in other locations, and this filtering expression will be substituted and replaced inside of the engine. So if I needed to, maybe we're having more than one label on our pods, or maybe there's additional criteria that I want to add in here, I can change the macro and I don't have to go and change all the rules.
B
So you can see here that we're identifying what a node front-end server looks like off of some Kubernetes information, and then we have a rule here that says, if any of the node app front-end servers spawn a process, and it's running inside of a container, so container ID does not equal host, and the proc command line contains the string stratum TCP, then we want to throw a critical alert. So what will happen is this output will get put in the alert.
B
They're internal to Falco. They leverage Falco's sister open source project, Sysdig's, filtering language, and Falco also borrows the kernel module from that project as well to instrument the kernel to get to information as well. So, if you're already familiar with Sysdig, then the rules will actually look pretty familiar.
B
Or that's something that actually, the scenes, you have talked, brought up to us as a possible point of integration to fit better into the cloud native community, yeah. So we haven't started investigating that just yet, but that's definitely something that we want to talk more with the OPA team about.
B
So just one other element I'll show you about rules real quick. You can also create lists, and they're essentially like a variable or an array that you can use. I mean, you can see that where you define the list there, and then we're going to use that list and say: if anybody makes a connection to one of these ports, then we'll match the condition. All right, so let's jump into the demonstration, so, and...
A
B
That, here, real quick, okay, we have a config map. So if I do a kubectl get configmaps, you can see we've had that Falco config config map, and that actually consists of everything that's in this Falco config directory, and so we just drop our falco.yaml, which is the configuration file, and then the rules files. Now, this rules file: these are rules that we actually ship out of the box.
C
B
There's about 30 rules that we ship out of the box that are kind of around common container best practices. There's also lots of macros that we define as well, so that you don't have to worry about how to define that somebody's opened something for writing. You just need to use our macro, and we maintain that for you, and in the local rules you'll be able to use any of the macros that we define as well, so I could have specified some of those rules.
B
Actually, I did specify some of those rules. Right here, this spawn process is actually something that's come from the other file, the one that we ship. All right, so I've already created the config map, as you can see. So the next thing I just need to do is do the kubectl create on the daemon set.
B
We also ship this as a Helm chart as well, so, something that you're using, the chart that we provide, and if I just do a kubectl get pods, we can see that the pods are up and running. When it's completed, it shouldn't be in that state. There we go, it's stabilized now, and then I'm going to go and...
B
Okay, so we can see that it's loaded, it's come up. It found the kernel as well, and it's also loaded the appropriate kernel module for the platform. What it will do is that it will attempt to build a kernel module if it can't find a pre-compiled one that we provided. You can also specify a URL where maybe you've built your own kernel module.
B
Yeah, so this is a Node.js container and it's just running a basic application, and we're just going to get into it, and, well, you know, in theory what would actually happen is you would have somebody come in to the Node.js app and exploit it and then start to run things, and the challenge is you may not necessarily know that container ever got exploited, because the container goes and dies and gets rescheduled by Kubernetes, and so you need to be able to have something that's going to...
B
Right, so somebody spawned a shell on the container, and you can see right away that we got an alert on that shell, and this is just a notice, but these notice alerts can actually be pretty useful. What we see a lot of end users of Falco doing is they'll log all of these notice events, and they're logging a lot of information, but they push it back to something like Elasticsearch, and then they can use that to later go and do auditing to actually figure out what's going on in the Brett, because...
A
B
It's actually a default rule that basically, spawning an interactive shell inside of the container fires a notice alert, which is kind of something that you kind of want, right. You know, you do need to somehow get into a pod to do troubleshooting and debugging, but at least you now know that somebody went and did that, right.
B
C
B
That you would do if somebody's installing software after the container launches and the container no longer, because, and then also, you know, if the machine, or if the container, was exploited and somebody's trying to install a rootkit and replace your binaries and other things like that as well, right. All right, so let's see if we can get this rule to trigger. I've had...
B
Stratum, it doesn't matter that curl doesn't know about this protocol. Remember that rule that we were looking at: anytime that we see the proc command line containing stratum TCP, we want to fire our critical alert. This is really something that's specific to cryptocurrency miners. It's very rare that someone would have that string in their command line. So if I just did it, then, at this point, you can see, sure, well done.
C
B
A
B
And then you can see a few other alerts that we got as well, and these are just kind of notice events around Kubernetes spinning up a new pod, so we get a lot of information, but then you can see right here that a possible miner was run inside of a container and our rule fired, as we expected it to, and...
B
If this was the scenario where you did a kubectl exec, you would actually be able to see who did that kubectl exec by getting that audit event, and so you would have one alert that is the kubectl exec, and then all the commands that I..., and then you would get this notice that a shell was spawned after that as well, and then the nice thing there is you can go back and kind of say, okay.
B
So you can find us at falco.org, which is the project's website. As I said earlier, falcosecurity/falco is our GitHub repository, and in the integrations directory we have this, the Kubernetes using a daemon set, so how to deploy Falco on Kubernetes using a daemon set. As I said, there is a Helm chart as well, and then there's this Kubernetes response engine, and this Kubernetes response engine basically allows you to set up what I just did. Oh, and we have some playbooks, and these playbooks allow you to do a little bit more.
B
So we have playbooks around deleting the pod. There are playbooks around isolating the pod with network policy as well, and then we also have some other ones: Slack, where you can send a message to Slack, or you can taint the Kubernetes node so it's not scheduled anymore, but if you fear that somebody has broken container isolation, you might want to keep that Kubernetes node around so you can go and do forensics on it later.
B
A
Awesome. Like, from a community perspective, one, like, you know, people watching that and going like, awesome, I want to try it out, I wanna, you know, benefit from it, but in the other direction: what can people do, where and how? Like, have you got, like, you know, two based virtual meetings or a telco con, or like, where do people go if they... yeah.
B
That's a good question. I probably shouldn't have turned off my screen sharing. There are loads here, again, another thing, so we have a Slack channel: you go to sysdig.com, you can enter your email address and join, and then there's a Falco channel inside of that. We haven't started doing community meetings just yet; I think maybe within the next three months or so, towards the beginning of the year.
B
It's something that we'll start looking at doing more of, and then, as I said, you know, GitHub issues is a good place to communicate with the development team as well, and if people are wanting to get involved in the project, I think the way that most people could contribute a lot of value is adding in rules and helping us with the rules. We do have some rules around, and we haven't moved this repo yet, but we have...
B
...around kind of common applications, and these rules allow you to basically say, okay, this is what we expect from Apache when a container spins up, so we expect it to listen on these ports, we expect it to be running these processes, we expect it to be using these directories, and if it's using anything beyond that, that's kind of a non-standard Apache deployment. So helping us create a library of rules like that would actually be a great way for people to get started with the project. It is written in C++ and Lua as well.
A
B
I don't know, not really. You know, I think one other thing that we're starting to look at on the open source side: I mentioned the sister project, Sysdig. The new thing that's coming in Kubernetes 1.13 is ephemeral containers, and ephemeral containers are basically a container that you can bring up inside of a pod to do debugging, and we think Sysdig is actually something that could fit in pretty well there, so kind of continuing the charge towards working more with the cloud native community and the Kubernetes community.