输出到统一的告警管理平台进行个性化的攻击数据分析及串联。
Falco 在 0.18.0 版本之后提供 gRPC Server 用于 Client Side 消费 Falco 产生的安全告警,为用户提供了更加灵活的告警处理方式。
Falco gRPC Server 两种运行方式:
这里我选择更加通用的 mTLS 进行配置,需要如下几个步骤:
部分代码如下:
c, err := client.NewForConfig(context.Background(), &client.Config{
Hostname: "falcoXXXXX.YYYYY.com",
Port: 5060,
CertFile: "ClientCerts/client.crt",
KeyFile: "ClientCerts/client.key",
CARootFile: "ClientCerts/ca.crt",
})
{
"time": {
"seconds": 1570094449,
"nanos": 259268899
},
"priority": 3,
"rule": "Modify binary dirs",
"output": "09:20:49.259268899: Error File below known binary directory renamed/removed (user=vagrant command=lua /home/vagrant/.dotfiles/zsh/.config/zsh/plugins/z.lua/z.lua --init zsh once enhanced pcmdline=zsh operation=rena
me file=<NA> res=0 oldpath=/usr/bin/realpath newpath=/usr/bin/realpath container_id=host image=<NA>)",
"output_fields": {
"container.id": "host",
"container.image.repository": "<NA>",
"evt.args": "res=0 oldpath=/usr/bin/realpath newpath=/usr/bin/realpath ",
"evt.time": "09:20:49.259268899",
"evt.type": "rename",
"fd.name": "<NA>",
"proc.cmdline": "lua /home/vagrant/.dotfiles/zsh/.config/zsh/plugins/z.lua/z.lua --init zsh once enhanced",
"proc.pcmdline": "zsh",
"user.name": "vagrant"
}
}
{
"time": {
"seconds": 1570094449,
"nanos": 620298462
},
"priority": 4,
"rule": "Delete or rename shell history",
"output": "09:20:49.620298462: Warning Shell history had been deleted or renamed (user=vagrant type=unlink command=zsh fd.name=<NA> name=<NA> path=/home/vagrant/.zsh_history.LOCK oldpath=<NA> host (id=host))",
"output_fields": {
"container.id": "host",
"container.name": "host",
"evt.arg.name": "<NA>",
"evt.arg.oldpath": "<NA>",
"evt.arg.path": "/home/vagrant/.zsh_history.LOCK",
"evt.time": "09:20:49.620298462",
"evt.type": "unlink",
"fd.name": "<NA>",
"proc.cmdline": "zsh",
"user.name": "vagrant"
}
}
https://github.com/tonghuaroot/FalcoSec