Performing Cloud Native Forensics with Falco
When to Use
- When conducting security assessments that involve performing cloud native forensics with falco
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
Prerequisites
- Familiarity with cloud security concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
Instructions
Deploy and manage Falco rules for runtime security detection in containerized environments. Parse Falco alerts for incident response.
# Custom Falco rule for detecting shell in container
- rule: Shell Spawned in Container
desc: Detect shell process started in a container
condition: >
spawned_process and container
and proc.name in (bash, sh, zsh, dash, csh)
and not proc.pname in (docker-entrypo, supervisord)
output: >
Shell spawned in container
(user=%user.name command=%proc.cmdline container=%container.name
image=%container.image.repository)
priority: WARNING
tags: [container, shell, mitre_execution]
Key detection rules:
- Shell spawn in non-interactive containers
- Sensitive file access (/etc/shadow, /etc/passwd)
- Outbound connections from unexpected containers
- Privilege escalation via setuid/setgid
- Container escape via mount or ptrace
Examples
# Run Falco with custom rules
falco -r /etc/falco/custom_rules.yaml -o json_output=true
# Parse JSON alerts
cat /var/log/falco/alerts.json | python3 -c "import json,sys; [print(json.loads(l)['output']) for l in sys.stdin]"