Falco Talon
Falco Talon
is a Response Engine for managing threats in your Kubernetes. It enhances the solutions proposed by Falco community with a no-code dedicated solution. With easy rules, you can react to events
from Falco
in milliseconds.
Architecture
Falco Talon
can receive the events
from Falco
or Falcosidekick
:
┌──────────┐ ┌───────────────┐ ┌─────────────┐
│ Falco ├──────► Falcosidekick ├──────► Falco Talon │
└──────────┘ └───────────────┘ └─────────────┘
or
┌──────────┐ ┌─────────────┐
│ Falco ├──────► Falco Talon │
└──────────┘ └─────────────┘
Glossary
event
: an event detected by Falco
and sent to its outputs
rule
: defines criterias for linking events and actions
actionner
: defines what to do when the event matches the rule
notifier
: defines what outputs to notify with the result of the action
Actionners
Actionners
define actions to apply when an event matches a rule, they are named with pattern category:action
.
category
allows to group actions
and avoid multiple initializations (eg, multi Kubernetes API client, multi AWS clients, ...).
Each actionner
is configured with:
parameters
: key:value map of parameters passed to the action, eg: list of labels
for kubernetes:labelize
. value can be a string, an int or a map.
Several rules can match same event, so several action can be triggered, except for actionners
with Continue: false
.
kubernetes:terminate
- Description: Terminate pod
- Continue:
false
- Before:
false
- Parameters:
gracePeriodSeconds
: The duration in seconds before the pod should be deleted. The value zero indicates delete immediately.
ignoreDaemonsets
: If true, the pods which belong to a Daemonset are not terminated.
ignoreStatefulsets
: If true, the pods which belong to a Statefulset are not terminated.
minHealthyReplicas
: Minimum number of healthy pods to allow the termination, can be an absolute or % value (the value must be a quoted string).
- Required fields:
kubernetes:labelize
- Description: Add, modify or delete labels of pod
- Continue:
true
- Before:
false
- Parameters:
labels
: key:value map of labels to add/modify/delete (empty value means label deletion)
- Required fields:
kubernetes:networkpolicy
- Description: Create, update a network policy to block all egress traffic for pod
- Continue:
true
- Before:
true
- Parameters:
allow
: list of CIDR to allow anyway (eg: private subnets)
- Required fields:
kubernetes:exec
- Description: Exec a command in a pod
- Continue:
true
- Before:
true
- Parameters:
shell
: SHELL used to run the command (default: /bin/sh
)
command
Command to run
- Required fields:
kubernetes:script
- Description: Run a script in a pod
- Continue:
true
- Before:
true
- Parameters:
shell
: SHELL used to run the script (default; /bin/sh
)
script
: Script to run (use |
to use multiline) (can't be used at the same time than file
)
file
: Shell script file (can't be used at the same time than script
)
- Required fields:
Notifiers
Notifiers
define which outputs to notify with result of actions.
K8s Events
This notifiers creates a k8s event in the target resource namespace. No configuration is requested.
Slack
Setting |
Default |
Description |
webhookurl |
n/a |
Webhook URL |
icon |
https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg |
Avatar for messages |
username |
Falco Talon |
Username for messages |
footer |
https://github.com/Issif/falco-talon |
Footer for messages |
format |
long |
Format for messages (`long |
Results:
SMTP
Setting |
Default |
Description |
hostport |
n/a |
Host:Port of SMTP server |
user |
n/a |
User for SMTP |
password |
n/a |
Password for SMTP |
from |
n/a |
From |
to |
n/a |
To (comma separated list of adresses) |
format |
html |
Format of the email (`text |
tls |
false |
Use TLS connection |
Results:
Webhook
Setting |
Default |
Description |
url |
n/a |
URL |
Results:
{"pod":"test","namespace":"default","action":"kubernetes:labelize","status":"success"}
Configuration
The configuration of Falco Talon
is set with a .yaml
file (default: ./config.yaml
) or with environment variables.
Setting |
Env var |
Default |
Description |
listenAddress |
LISTENADDRESS |
0.0.0.0 |
Listten Address |
listenPort |
LISTENPORT |
2803 |
Listten Port |
rulesFile |
RULESFILE |
n/a |
File with rules |
watchRules |
WATCHRULES |
true |
Reload rules if they change |
printAllEvents |
PRINTALLEVENTS |
true |
Print in logs all received events, not only those which match |
kubeConfig |
KUBECONFIG |
n/a |
Kube config file, only if Falco Talon runs outside Kubernetes |
logFormat |
LOGFORMAT |
color |
Log Format: text, color, json |
defaultNotifiers |
DEFAULTNOTIFIERS |
n/a |
List of notifiers which are enabled for all rules |
notifiers.x |
NOTIFIERS_X |
n/a |
List of notifiers with their settings |
Example:
listenAddress: "0.0.0.0"
listenPort: "2803"
rulesFile: "./rules.yaml"
kubeConfig: "./kubeconfig.yaml"
defaultNotifiers:
- slack
notifiers:
slack:
webhookurl: "https://hooks.slack.com/services/XXXX"
username: "Falco Talon"
footer: ""
Rules
Actions to trigger for events are set with rules with this syntax:
- name: <string>
match:
rules:
- <string>
- <string>
priority: <string>
tags:
- <string>, <string>, <string>
- <string>, <string>
output_fields:
- <key|string>=<value|string>, <key|string>=<value|string>
- <key|string>!=<value|string>, <key|string>=<value|string>
action:
name: <string>
parameters:
<string>: <value>
<string>:
<string>: <string>
<string>: <string>
continue: <bool>
before: <bool>
dry_run: <bool>
notifiers:
- <string>
- <string>
With:
name
: (mandatory) Name of your rule
match
:
rules
: (list) (OR
logic) Falco rules to match. If empty, all rules match.
priority
: Priority to match. If empty, all priorities match. Syntax is like: >=Critical
, <Warning
, Debug
.
tags
: (list) (OR
logic) Comma separated lists of Tags to match (AND
logic). If empty, all tags match.
output_fields
: (list) (OR
logic) Comma separated lists of key:comparison:value for Output fields to match (AND
logic). If emtpy, all output fields match.
action
:
name
: name of action to trigger
parameters
: key:value map of parameters for the action. value can be a string, an int or a map.
continue
: if true
, no more action are applied after the rule has been triggerd (default is true
).
before
: if true
, no more action are applied after the rule has been triggerd (default is true
).
dry_run
: if true
; the action is not applied (default: false
).
notifiers
: list of notifiers to enabled for the action, in addition with the defaults.
Examples:
- name: Rule 0
match:
rules:
- Terminal shell in container
- Contact K8S API Server From Container
action:
name: kubernetes:terminate
parameters:
gracePeriodSeconds: 3
- name: Rule 1
match:
priority: "<Critical"
action:
name: kubernetes:labelize
parameters:
labels:
suspicious: "true"
continue: false
Usage
$ falco-talon --help
Falco Talon is a Response Engine for managing threats in Kubernetes
It enhances the solutions proposed by Falco community with a dedicated,
no-code solution. With easy rules, you can perform actions over compromised pods
Usage:
falco-talon [command]
Available Commands:
check Check Falco Talon Rules file
completion Generate the autocompletion script for the specified shell
help Help about any command
server Start Falco Talon
version Print version of Falco Talon.
Flags:
-c, --config string Falco Talon Config File (default "/etc/falco-talon/config.yaml")
-h, --help help for falco-talon
-r, --rules string Falco Talon Rules File (default "/etc/falco-talon/rules.yaml")
Use "falco-talon [command] --help" for more information about a command.
$ falco-talon server --help
Start Falco Talon
Usage:
falco-talon server [flags]
Flags:
-h, --help help for server
Global Flags:
-c, --config string Falco Talon Config File (default "/etc/falco-talon/config.yaml")
-r, --rules string Falco Talon Rules File (default "/etc/falco-talon/rules.yaml")
Images
The images for falco-talon
are built using ko
To generate the images to test locally you can run mage buildImagesLocal
Deployment
Helm
values.yaml
allows you to configure Falcon Talon Notifiers
and the deployment.
rules.yaml
is the list of rules.
cd deployment/helm/
helm install falco-talon . -n falco --create-namespace
Once you have installed Falco Talon
with Helm, you need to connect Falcosidekick
by adding the flag --set falcosidekick.config.webhook.address=http://falco-talon:2803
helm install falco falcosecurity/falco --namespace falco \
--create-namespace \
--set tty=true \
--set falcosidekick.enabled=true \
--set falcosidekick.config.webhook.address=http://falco-talon:2803
License
MIT
Author
Thomas Labarussias (https://github.com/Issif)