Falco Security

The Falco Project is intended to secure the operation of Linux-based operating systems.

The Falco application:

• Parses Linux kernel system calls at runtime.
• Analyzes signals using a configurable set of rules.
• Sends an alert if the rules are violated.

To use Falco, install Kyverno & Kyverno Policies or another product that supports writing results to wg-policy-prototypes.

1. To install Falcosidekick and send monitoring events via the Policy Adapter to the data collection module used for Kyverno policy results:

   1. Install kubectl and configure it to work with your cluster.

   2. Create a node group for Falco.

   3. Install Kyverno & Kyverno Policies or the following CRDs:

      kubectl create -f https://github.com/kubernetes-sigs/wg-policy-prototypes/raw/master/policy-report/crd/v1alpha2/wgpolicyk8s.io_clusterpolicyreports.yaml && \
      kubectl create -f https://github.com/kubernetes-sigs/wg-policy-prototypes/raw/master/policy-report/crd/v1alpha2/wgpolicyk8s.io_policyreports.yaml
      

2. Configure the application:

   • Namespace: Select a namespace or create a new one.
   • Application name: Enter a name for the application.

3. Click Install.

4. Wait for the application to change its status to Deployed.

Tracking potential threats in a Kubernetes cluster:

• Abusing container privileges and namespaces.
• Read and write operations of system directories (/etc, /usr/bin, and /usr/sbin).
• Unforeseen network connections.
• Running scripts (sh, bash, csh, and zsh) and system utilities (ssh, scp, and sftp).
• Unforeseen changes to the Linux kernel executable modules.

Yandex Cloud technical support is available 24/7. The types of requests you can submit and the appropriate response time depend on your pricing plan. You can switch to the paid support plan in the management console. You can learn more about the technical support terms here.