Cloud Native Security Hub
Falco rules management
The Falco community is excited to announce that we will be optimizing how we manage and install security rules for the Falco engine to assert.
We have published an open source repository of common security rules that can be used with Falco. You can check out the rules dynamically rendered on securityhub.dev.
Installing a rule
In this quick example we will be adding runtime detection for
Notice how the meta information found in the repository matches up with the data rendered on the security hub page for CVE-2019-11246
Currently we support
helm upgrade as well as raw YAML for rules.
Installing with Helm
If you are using
helm to install and manage Falco you can mutate the configuration using friendly
helm commands. In this example we use
-f to append our
falco installment with a rule from the repository.
helm upgrade falco -f https://api.securityhub.dev/resources/cve-2019-11246/custom-rules.yaml stable/falco
Installing with raw YAML
You can click the
yaml button in the repository website to view the raw YAML for the rule:
- macro: safe_kubectl_version condition: (jevt.value[/userAgent] startswith "kubectl/v1.19" or jevt.value[/userAgent] startswith "kubectl/v1.18" or jevt.value[/userAgent] startswith "kubectl/v1.17" or jevt.value[/userAgent] startswith "kubectl/v1.16" or jevt.value[/userAgent] startswith "kubectl/v1.15" or jevt.value[/userAgent] startswith "kubectl/v1.14.3" or jevt.value[/userAgent] startswith "kubectl/v1.14.2" or jevt.value[/userAgent] startswith "kubectl/v1.13.7" or jevt.value[/userAgent] startswith "kubectl/v1.13.6" or jevt.value[/userAgent] startswith "kubectl/v1.12.9") # CVE-2019-11246 # Run kubectl version --client and if it does not say client version 1.12.9, 1.13.6, or 1.14.2 or newer, you are running a vulnerable version. - rule: K8s Vulnerable Kubectl Copy desc: Detect any attempt vulnerable kubectl copy in pod condition: kevt_started and pod_subresource and kcreate and ka.target.subresource = "exec" and ka.uri.param[command] = "tar" and not safe_kubectl_version output: Vulnerable kubectl copy detected (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace action=%ka.target.subresource command=%ka.uri.param[command] userAgent=%jevt.value[/userAgent]) priority: WARNING source: k8s_audit tags: [k8s]
You can then install using the supported Falco parlance defined in the official documentation.
We have plans to take it a step further with our new CLI tool
falcoctl that is currently in an alpha state. Some basic features we are looking to build
- CLI style interface for managing
falcorules (install, get, update, remove)
- Authentication of rules using hashing and well-known keys in a repository
- Documentation on how to build your own repository
- Gitops style workflow
Keep reading to find out more on how to get involved and contribute, especially if you have ideas. We would love to hear them.
The project was originally started by Sysdig, but maintaining the repositories, and building out rules will now be governed by the CNCF and the Falco community.
If you are interested in getting involved with writing rules, or building out tooling around the new hub please reach out to The official CNCF Falco Mailing List or join the Falco slack channel.
Integrating with Falcoctl
We are currently in the process of building out command line tooling for managing security hub rules with falcoctl.
If you write Go, and are interested in joining in the effort of building out a management experience for users, we would love to collaborate with you! Please reach out using the links above and we can get started.
We have proposed some changes to the
falcoctl code base to begin work on using
falcoctl to manage rules.
If reading about this gets you excited, and you would be interested in collaborating we would love to talk more.
Call for maintainers
Furthermore if you are interested in getting directly involved with CNCF open source, and would like a shot at becoming a maintainer please reach out using the links above. You will have a chance to work directly with the Falco team, and the Falco community. As well as have ownership over a cutting edge security tool.
The anatomy of a Falco rule for the security hub is as follows:
apiVersion: v1 kind: FalcoRules name: CVE-2020-12345 shortDescription: What does this rule do? Why is it useful? version: 1.0.0 description: | # Here is valid markdown Add *anything* you want and it will be rendered on the security hub! keywords: - falco, rule, awesome icon: https://cve.mitre.org/images/cvebanner.png maintainers: - name: Kris Nova link: https://github.com/kris-nova rules: - raw: | # Here is a valid Lua rule for Falco
Please open up a PR to the security hub repository with a new rule matching the syntax defined above.