通过 Golang gRPC 消费 Falco 告警
2022-4-17 00:4:31 Author: mp.weixin.qq.com(查看原文) 阅读量:0 收藏

输出到统一的告警管理平台进行个性化的攻击数据分析及串联。

0x01 Summary

Falco 在 0.18.0 版本之后提供 gRPC Server 用于 Client Side 消费 Falco 产生的安全告警,为用户提供了更加灵活的告警处理方式。

Falco gRPC Server 两种运行方式:

  1. mTLS
  2. local unix socket

这里我选择更加通用的 mTLS 进行配置,需要如下几个步骤:

  1. 生成用于通信的客户端、服务端证书
  2. 在 Falco 配置文件中指定证书并开启 gRPC Server 及 Outputs
  3. Client Side 指定客户端证书及 gRPC Server 地址

部分代码如下:

 c, err := client.NewForConfig(context.Background(), &client.Config{
  Hostname:   "falcoXXXXX.YYYYY.com",
  Port:       5060,
  CertFile:   "ClientCerts/client.crt",
  KeyFile:    "ClientCerts/client.key",
  CARootFile: "ClientCerts/ca.crt",
 })

0x02 Example Data

{
  "time": {
    "seconds": 1570094449,
    "nanos": 259268899
  },
  "priority": 3,
  "rule""Modify binary dirs",
  "output""09:20:49.259268899: Error File below known binary directory renamed/removed (user=vagrant command=lua /home/vagrant/.dotfiles/zsh/.config/zsh/plugins/z.lua/z.lua --init zsh once enhanced pcmdline=zsh operation=rena
me file=<NA> res=0 oldpath=/usr/bin/realpath newpath=/usr/bin/realpath container_id=host image=<NA>)"
,
  "output_fields": {
    "container.id""host",
    "container.image.repository""<NA>",
    "evt.args""res=0 oldpath=/usr/bin/realpath newpath=/usr/bin/realpath ",
    "evt.time""09:20:49.259268899",
    "evt.type""rename",
    "fd.name""<NA>",
    "proc.cmdline""lua /home/vagrant/.dotfiles/zsh/.config/zsh/plugins/z.lua/z.lua --init zsh once enhanced",
    "proc.pcmdline""zsh",
    "user.name""vagrant"
  }
}
{
  "time": {
    "seconds": 1570094449,
    "nanos": 620298462
  },
  "priority": 4,
  "rule""Delete or rename shell history",
  "output""09:20:49.620298462: Warning Shell history had been deleted or renamed (user=vagrant type=unlink command=zsh fd.name=<NA> name=<NA> path=/home/vagrant/.zsh_history.LOCK oldpath=<NA> host (id=host))",
  "output_fields": {
    "container.id""host",
    "container.name""host",
    "evt.arg.name""<NA>",
    "evt.arg.oldpath""<NA>",
    "evt.arg.path""/home/vagrant/.zsh_history.LOCK",
    "evt.time""09:20:49.620298462",
    "evt.type""unlink",
    "fd.name""<NA>",
    "proc.cmdline""zsh",
    "user.name""vagrant"
  }
}

0x03 Demo

https://github.com/tonghuaroot/FalcoSec

image

0x04 References

  1. Falco Go Client - https://github.com/falcosecurity/client-go
  2. Go Client - https://falco.org/docs/grpc/client-go/
  3. https://falco.org/docs/grpc/
  4. https://falco.org/docs/grpc/outputs/
  5. https://falco.org/docs/grpc/version/
  6. https://pkg.go.dev/github.com/falcosecurity/client-go/pkg/api/outputs

文章来源: https://mp.weixin.qq.com/s?__biz=Mzg5NjAxNjc5OQ==&mid=2247483953&idx=1&sn=a173850cb91f1945d9f94e6db4a89bbb&chksm=c006cac1f77143d735206cbfe1cfc317eede585aa94ea94b36c8d50edfa6385f013681d4f8ab&scene=58&subscene=0#rd
如有侵权请联系:admin#unsafe.sh