Task weight: 4%

Use context: kubectl config use-context workload-prod

Falco is installed with default configuration on node cluster1-node1 . Connect using ssh cluster1-node1 . Use it to:

  • Find a Pod running image nginx which creates unwanted package management processes inside its container.
  • Find a Pod running image httpd which modifies /etc/passwd .

Save the Falco logs for case 1 under /opt/course/2/falco.log in format: time-with-nanosconds,container-id,container-name,user-name No other information should be in any line. Collect the logs for at least 30 seconds.

Afterwards remove the threads (both 1 and 2) by scaling the replicas of the Deployments that control the offending Pods down to 0.

译文

任务权重:4%。

使用环境: kubectl config use-context workload-prod

Falco已经以默认配置安装在 cluster1-node1 节点上。使用 ssh cluster1-node1 连接到节点

  • 找到一个运行nginx镜像的Pod,它在其容器内创建了不需要的包管理进程。
  • 找到一个运行httpd镜像的Pod,它修改了/etc/passwd

将上面的Falco日志保存在/opt/course/2/falco.log下,格式为。 time-with-nanosconds,container-id,container-name,user-name 任何一行都不应该有其他信息。收集至少30秒的日志。

之后,将违规 Pod 的 Deployments 的副本缩减到 0 ,删除线程(包括1和2)。

参考

http://www.falco.org/

https://github.com/draios/sysdig

https://github.com/aquasecurity/tracee

解答
kubectl config use-context workload-prod
ssh cluster1-node1
ll /etc/falco/

检查 falco配置 syslog输出是否开启

# /etc/falco/falco.yaml
...
# Where security notifications should go.
# Multiple outputs can be enabled.

syslog_output:
  enabled: true
...

查看容器id 并通过id 查看pod信息

grep falco /var/log/syslog | grep nginx | grep process | grep container_id
crictl ps -id 7a5ea6a080d1
crictl pods -id 7a864406b9794

falco-2-0

falco-2-1

第一个pod 在 team-blue

grep falco /var/log/syslog  | grep httpd | grep passwd | grep container_id
crictl ps -id b1339d5cc2de
crictl pods -id 595af943c3245

falco-2-2

第二个pod 在 team-purple

对pod进行缩容到0

k -n team-blue scale deploy webapi --replicas 0
k -n team-purple scale deploy rating-service --replicas 0

查找 /etc/falco目录下 包含相关单词的文件

grep -ir "Package management process launched" /etc/falco/
cp /etc/falco/falco_rules.yaml .
vim /etc/falco/falco_rules.yaml

falco-2-3 

# Container is supposed to be immutable. Package management should be done in building the image.
- rule: Launch Package Management Process in Container
  desc: Package management process ran inside container
  condition: >
    spawned_process
    and container
    and user.name != "_apt"
    and package_mgmt_procs
    and not package_mgmt_ancestor_procs
    and not user_known_package_manager_in_container
  output: >
    #Package management process launched in container (user=%user.name user_loginuid=%user.loginuid
    #command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
    Package management process launched in container %evt.time,%container.id,%container.name,%user.name
    # 删除上面两行,并添加
  priority: ERROR
  tags: [process, mitre_persistence]

格式化输出falco日志, 并把结果复制到文件

systemctl restart falco
grep -i "Package management" /var/log/syslog | awk '{printf $26}' | sed 's/root/root\n/g'

falco-2-4