CKS Exam Notes

1. Falco

Analysing the syscalls of hundreds, thousands or tens of thousands of pods as a whole is pointless; what matters is filtering out the suspicious events. For example, someone using bash inside a container to reach /etc/shadow can be treated as abnormal activity.

A concrete example

  • Attackers sometimes try to delete part of the logs, because the logs can reveal how they first broke into the system. So logs being deleted can be treated as abnormal activity.

2. Falco Overview and Installation

Fa


3.

systemctl status falco

kubectl run nginx --image=nginx
kubectl exec -it nginx -- bash
cat /etc/shadow

journalctl -fu falco # inspect the events generated by the Falco service

4. Falco Rules

Rules, lists, macros

4.1 Rules

Example)

- rule: <Name of the Rule>
  desc: <Detailed Description of the Rule>
  condition: <When to filter events matching the rule>
  output: <Output to be generated for the Event>
  priority: <Severity of the event>

- rule: Detect Shell inside a container
  desc: Alert if a shell such as bash is open inside the container
  condition: container.id != host and proc.name = bash
  output: Bash Opened (user=%user.name container=%container.id)
  priority: WARNING

Event filter fields that can be used in conditions and outputs: container.id, proc.name, fd.name, evt.type, user.name, container.image.repository

4.2 List

- rule: Detect Shell inside a container
  desc: Alert if a shell such as bash is open inside the container
  condition: container.id != host and proc.name in (linux_shells)
  output: Bash Opened (user=%user.name container=%container.id)
  priority: WARNING
- list: linux_shells
  items: [bash, zsh, ksh, sh, csh]

4.3 Macro

- rule: Detect Shell inside a container
  desc: Alert if a shell such as bash is open inside the container
  condition: container and proc.name in (linux_shells)
  output: Bash Opened (user=%user.name container=%container.id)
  priority: WARNING
- list: linux_shells
  items: [bash, zsh, ksh, sh, csh]

- macro: container
  condition: container.id != host

Falco Configuration Files

/etc/falco/falco.yaml

#
# Copyright (C) 2021 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#

rules_file:
- /etc/falco/falco_rules.yaml
- /etc/falco/falco_rules.local.yaml
- /etc/falco/k8s_audit_rules.yaml
- /etc/falco/rules.d

json_output: false
log_stderr: true
log_syslog: true
log_level: info
priority: debug

stdout_output:
  enabled: true

file_output:
  enabled: true
  filename: /opt/falco/events.txt

program_output:
  enabled: true
  program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"

http_output:
  enabled: true
  url: http://some.url/some/path/
/etc/falco/falco_rules.yaml

- rule: Terminal shell in container
  desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
  condition: >
    spawned_process and container
    and shell_procs and proc.tty != 0
    and container_entrypoint
    and not user_expected_terminal_shell_in_container_conditions
  output: >
    A shell was spawned in a container with an attached terminal (user=%user.name user_loginuid=%user.loginuid %container.info
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)
  priority: NOTICE

- rule: Anomalous read in kodekloud/webapp pod
  desc: Detect Suspicious reads in custom webapp container
  condition: >
    open_read and container
    and container.image.repository="kodekloud/simple-webapp"
    and fd.directory != "/opt/app"
  output: >
    A file was opened and read outside the /opt/app directory (user=%user.name user_loginuid=%user.loginuid
    container_id=%container.id image=%container.image.repository)
  priority: CRITICAL

How to Hot Reload

How to restart the Falco engine without restarting the Falco service (the configuration is reloaded, so new rules take effect). First find Falco's process id:

cat /var/run/falco.pid
# 7183

Then send that process SIGHUP (signal 1), which makes Falco reload its rules and configuration:

kill -1 $(cat /var/run/falco.pid)

CKS

Use context: kubectl config use-context workload-prod
Falco is installed with default configuration on node cluster1-node1. Connect using ssh cluster1-node1. Use it to:
1. Find a Pod running image nginx which creates unwanted package management processes inside its container.
2. Find a Pod running image httpd which modifies /etc/passwd.
Save the Falco logs for case 1 under /opt/course/2/falco.log in format:
time-with-nanoseconds,container-id,container-name,user-name
No other information should be in any line. Collect the logs for at least 30 seconds.
Afterwards remove the threats (both 1 and 2) by scaling the replicas of the Deployments that control the offending Pods down to 0.
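The log-collection step of the task above, as an added example that is not part of the original notes: a POSIX shell function that reshapes Falco's default text alerts, as seen in journalctl -fu falco or in the file_output file, into the requested time,container-id,container-name,user-name lines. The sample alert lines are constructed, and the function assumes the default rules' output strings carry container_id=, container_name= and user= fields.

```shell
#!/bin/sh
# Added example, not from the original notes. Reshape Falco's default text alerts
# into the "time-with-nanoseconds,container-id,container-name,user-name" lines the
# CKS task asks for. Input is Falco output as printed by `journalctl -fu falco`
# (syslog prefix, then the alert) or as written by file_output (no prefix). The
# field names container_id=, container_name= and user= are the ones the default
# rules put in their output strings (%container.id, %container.name, %user.name).
# Optional $1: an awk regex the alert must match, e.g. "Package management".

falco_to_csv() {
    awk -v want="${1:-}" '
    {
        # An alert starts with its HH:MM:SS.nnnnnnnnn: timestamp; anything before
        # it (journalctl date, host, "falco[pid]:") is dropped. Lines without such
        # a timestamp (service start-up messages) are not alerts and are skipped.
        if (!match($0, /[0-9][0-9]:[0-9][0-9]:[0-9][0-9][.][0-9]+:/)) next
        line = substr($0, RSTART)
        ts = substr(line, 1, RLENGTH - 1)
        if (want != "" && line !~ want) next
        cid = cname = user = ""
        if (match(line, /container_id=[^ )]+/)) cid = substr(line, RSTART + 13, RLENGTH - 13)
        if (match(line, /container_name=[^ )]+/)) cname = substr(line, RSTART + 15, RLENGTH - 15)
        # "(user=" or " user=", so that user_loginuid= is not mistaken for user=.
        if (match(line, /[( ]user=[^ )]+/)) user = substr(line, RSTART + 6, RLENGTH - 6)
        # The task allows nothing else on a line, so alerts missing a field are dropped.
        if (cid == "" || cname == "" || user == "") next
        printf "%s,%s,%s,%s\n", ts, cid, cname, user
    }'
}

# Constructed sample input (not real captures): a start-up message, two package
# management alerts (one with the journalctl prefix), and one terminal-shell alert.
sample_alerts() {
    cat <<'EOF'
Jun 10 13:13:20 cluster1-node1 falco[7183]: Falco initialized with configuration file /etc/falco/falco.yaml
Jun 10 13:13:26 cluster1-node1 falco[7183]: 13:13:26.577210863: Error Package management process launched in container (user=root user_loginuid=-1 command=apt-get update container_id=3c7f4e8d2a10 container_name=nginx image=nginx:latest)
13:13:27.001234567: Error Package management process launched in container (user=root user_loginuid=-1 command=apk add curl container_id=3c7f4e8d2a10 container_name=nginx image=nginx:latest)
13:13:28.123456789: Notice A shell was spawned in a container with an attached terminal (user=root user_loginuid=0 shell=bash parent=runc cmdline=bash terminal=34816 container_id=9ab12cd34ef5 container_name=httpd image=httpd)
EOF
}

# Demo: only the case-1 alerts, in the requested format.
sample_alerts | falco_to_csv "Package management"
```

On the node, something like `timeout 40 journalctl -fu falco | falco_to_csv "Package management" > /opt/course/2/falco.log` collects the case-1 lines for the required 30 seconds and nothing else.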
This article is licensed under the author's CC BY 4.0 license.