Falco Security

Updated December 23, 2022

The Falco Project is intended to secure the operation of Linux-based operating systems.

The Falco application:

  • Parses Linux kernel system calls at runtime.
  • Analyzes signals using a configurable set of rules.
  • Sends an alert if the rules are violated.

To use Falco, install Kyverno & Kyverno Policies or another product that supports writing results to wg-policy-prototypes.

Deployment instructions
  1. To install Falcosidekick and send monitoring events via the Policy Adapter to the data collection module used for Kyverno policy results:

    1. Install kubectl and configure it to work with your cluster.

    2. Create a node group for Falco.

    3. Install Kyverno & Kyverno Policies or the following CRDs:

      kubectl create -f https://github.com/kubernetes-sigs/wg-policy-prototypes/raw/master/policy-report/crd/v1alpha2/wgpolicyk8s.io_clusterpolicyreports.yaml && \
      kubectl create -f https://github.com/kubernetes-sigs/wg-policy-prototypes/raw/master/policy-report/crd/v1alpha2/wgpolicyk8s.io_policyreports.yaml
      
  2. Configure the application:

    • Namespace: Select a namespace or create a new one.
    • Application name: Enter an application name.
  3. Click Install.

  4. Wait for the application status to change to Deployed.

Billing type: Free
Type: Kubernetes® Application
Category: Security
Publisher: Yandex Cloud

Use cases

Tracking potential threats in a Kubernetes cluster:

  • Abusing container privileges and namespaces.
  • Read and write operations in system directories (/etc, /usr/bin, and /usr/sbin).
  • Unforeseen network connections.
  • Running scripts (sh, bash, csh, and zsh) and system utilities (ssh, scp, and sftp).
  • Unforeseen changes to the Linux kernel executable modules.
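
As an illustration of the "configurable set of rules" and of the system-directory use case above, here is a Falco rule written for this page (an added example, not one of the rules shipped with the product). The list, macro, and rule names ending in "example" are hypothetical; the fields and operators are standard Falco rule syntax.

```yaml
# Added example: alert when a process inside a container opens a file for
# writing under /etc, /usr/bin or /usr/sbin.
# All names ending in _example are hypothetical, chosen so they cannot
# collide with macros and lists in Falco's default ruleset.

- list: system_dirs_example
  items: [/etc, /usr/bin, /usr/sbin]

# A successful open()/openat()/openat2() of a regular file with write access.
# fd.num>=0 keeps only calls that returned a valid file descriptor.
- macro: open_write_example
  condition: >
    evt.type in (open, openat, openat2)
    and evt.is_open_write=true
    and fd.typechar='f'
    and fd.num>=0

# Falco reports container.id as "host" for processes outside any container.
- macro: in_container_example
  condition: container.id != host

- rule: Write below system directory in container (example)
  desc: >
    A process inside a container opened a file for writing under /etc,
    /usr/bin or /usr/sbin. Container images are normally immutable at
    runtime, so this is worth reviewing.
  # pmatch is a path-prefix match against every entry in the list.
  condition: >
    open_write_example
    and in_container_example
    and fd.name pmatch (system_dirs_example)
  output: >
    File opened for writing below a system directory
    (file=%fd.name command=%proc.cmdline user=%user.name
    container=%container.name image=%container.image.repository
    ns=%k8s.ns.name pod=%k8s.pod.name)
  priority: WARNING
  tags: [filesystem, container]
```

Expect to add exceptions for workloads that legitimately write to these paths at startup, for example an entrypoint that generates configuration under /etc.
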
Technical support

Yandex Cloud technical support is available 24/7 to respond to requests. The types of requests available and their response time depend on your pricing plan. You can enable paid support in the management console. Learn more about requesting technical support.

Product composition

Helm chart:

  • falco, version 2.2.5

Docker images:

  • falcosecurity/falco-no-driver, version v0.33.1
  • falcosecurity/falco-driver-loader, version v0.33.1
  • falcosecurity/falcosidekick, version v2.26.1

Terms
By using this product you agree to the Yandex Cloud Marketplace Terms of Service