Practical Cloud Native Security with Falco - Helion

ebook

Autor: Loris Degioanni, Leonardo Grasso
ISBN: 9781098118532
stron: 228, Format: ebook
Data wydania: 2022-08-10
Księgarnia: Helion

Cena książki: 211,65 zł (poprzednio: 246,10 zł)
Oszczędzasz: 14% (-34,45 zł)

Osoby, które kupiły tę książkę, wybierały także »

As more and more organizations migrate their applications to the cloud, cloud native computing has become the dominant way to approach software development and execution. Protecting modern, cloud native applications from threats requires the ability to defend them at runtime, when they're most vulnerable to attacks.

This practical guide introduces you to Falco, the open source standard for continuous risk and threat detection across Kubernetes, containers, and the cloud. Falco creator Loris Degioanni and core maintainer Leonardo Grasso bring you up to speed on threat detection and show you how to get Falco up and running, plus advanced topics such as deploying Falco in production and writing your own security rules.

You'll learn how to:

Leverage runtime security in cloud native environments
Detect configuration changes and unexpected behavior in the cloud
Protect containers, Kubernetes, and cloud applications using Falco
Run, deploy, and customize Falco
Deploy, configure, and maintain Falco in a production environment
Improve your compliance

Osoby które kupowały "Practical Cloud Native Security with Falco", wybierały także:

Windows Media Center. Domowe centrum rozrywki 66,67 zł, (8,00 zł -88%)
Ruby on Rails. Ćwiczenia 18,75 zł, (3,00 zł -84%)
DevOps w praktyce. Kurs video. Jenkins, Ansible, Terraform i Docker 190,00 zł, (39,90 zł -79%)
Przywództwo w świecie VUCA. Jak być skutecznym liderem w niepewnym środowisku 58,64 zł, (12,90 zł -78%)
Scrum. O zwinnym zarządzaniu projektami. Wydanie II rozszerzone 58,64 zł, (12,90 zł -78%)

Spis treści

Practical Cloud Native Security with Falco eBook -- spis treści

Preface
- Who Is This Book For?
- Overview
  - Part I: The Basics
  - Part II: The Architecture of Falco
  - Part III: Running Falco in Production
  - Part IV: Extending Falco
- Conventions Used in This Book
- Using Code Examples
- OReilly Online Learning
- How to Contact Us
- Acknowledgments
  - Leonardo
  - Loris
I. The Basics
1. Introducing Falco
- Falco in a Nutshell
  - Sensors
  - Data Sources
  - Rules
  - Data Enrichment
  - Output Channels
  - Containers and More
- Falcos Design Principles
  - Specialized for Runtime
  - Suitable for Production
  - Intent-Free Instrumentation
  - Optimized to Run at the Edge
  - Avoids Moving and Storing a Ton of Data
  - Scalable
  - Truthful
  - Robust Defaults, Richly Extensible
  - Simple
- What You Can Do with Falco
- What You Cannot Do with Falco
- Background and History
  - Network Packets: BPF, libpcap, tcpdump, and Wireshark
  - Snort and Packet-Based Runtime Security
  - The Network Packets Crisis
  - System Calls as a Data Source: sysdig
  - Falco
    - Expanding into Kubernetes
    - Joining the Cloud Native Computing Foundation
    - Plugins and the cloud
    - A long journey
2. Getting Started with Falco on Your Local Machine
- Running Falco on Your Local Machine
  - Downloading and Installing the Binary Package
  - Installing the Driver
  - Starting Falco
- Generating Events
- Interpreting Falcos Output
- Customizing Your Falco Instance
  - Rules Files
  - Output Channels
- Conclusion
II. The Architecture of Falco
3. Understanding Falcos Architecture
- Falco and the Falco Libraries: A Data-Flow View
- Drivers
- Plugins
- libscap
  - Managing Data Sources
  - Supporting Trace Files
    - Step 1: Create the trace file
    - Step 2: Process the trace file with Falco
  - Collecting System State
- libsinsp
  - State Engine
  - Event Parsing
  - Filtering
  - Output Formatting
  - One More Thing About libsinsp
- Rule Engine
- Conclusion
4. Data Sources
- System Calls
  - Examples
  - Observing System Calls
    - strace
    - sysdig
    - Trace files
- Capturing System Calls
  - Accuracy
  - Performance
  - Scalability
  - So What About Stability and Security?
  - Kernel-Level Instrumentation Approaches
    - Kernel modules
    - eBPF
- The Falco Drivers
  - Which Driver Should You Use?
  - Capturing System Calls Within Containers
- Running the Falco Drivers
  - Kernel Module
  - eBPF Probe
  - Using Falco in Environments Where Kernel Access Is Not Available: pdig
  - Running Falco with pdig
- Falco Plugins
  - Plugin Architecture Concepts
  - How Falco Uses Plugins
- Conclusion
5. Data Enrichment
- Understanding Data Enrichment for Syscalls
  - Operating System Metadata
  - Container Metadata
  - Kubernetes Metadata
- Data Enrichment with Plugins
- Conclusion
6. Fields and Filters
- What Is a Filter?
- Filtering Syntax Reference
  - Relational Operators
  - Logical Operators
  - Strings and Quoting
- Fields
  - Argument Fields Versus Enrichment Fields
  - Mandatory Fields Versus Optional Fields
  - Field Types
- Using Fields and Filters
  - Fields and Filters in Falco
  - Fields and Filters in sysdig
- Falcos Most Useful Fields
  - General
  - Processes
  - File Descriptors
  - Users and Groups
  - Containers
  - Kubernetes
  - CloudTrail
  - Kubernetes Audit Logs
- Conclusion
7. Falco Rules
- Introducing Falco Rules Files
- Anatomy of a Falco Rules File
  - Rules
  - Macros
  - Lists
  - Rule Tagging
  - Declaring the Expected Engine Version
- Replacing, Appending to, and Disabling Rules
  - Replacing Macros, Lists, and Rules
  - Appending to Macros, Lists, and Rules
  - Disabling Rules
    - Disabling rules from the command line
    - Disabling rules by overriding the enabled flag
- Conclusion
8. The Output Framework
- Falcos Output Architecture
- Output Formatting
- Output Channels
  - Standard Output
  - Syslog Output
  - File Output
  - Program Output
  - HTTP Output
  - gRPC Output
  - Other Logging Options
- Conclusion
III. Running Falco in Production
9. Installing Falco
- Choosing Your Setup
- Installing Directly on the Host
  - Using a Package Manager
    - Using apt (.deb package)
    - Using yum (.rpm package)
    - Completing the installation
    - Switching to the eBPF probe
    - Using a plugin
  - Without Using a Package Manager
  - Managing the Driver
- Running Falco in a Container
  - Syscall Instrumentation Scenario
    - Fully privileged mode
    - Least privileged mode
  - Plugin Scenario
- Deploying to a Kubernetes Cluster
  - Using Helm
  - Using Manifests
- Conclusion
10. Configuring and Running Falco
- Configuring Falco
- Differences Among Installation Methods
  - Host Installation
  - Containers
  - Kubernetes Deployments
- Command-Line Options and Environment Variables
  - Configuration Settings
  - Instrumentation Settings (Syscalls Only)
  - Data Enrichment Settings (Syscalls Only)
  - Ruleset Settings
  - Output Settings
  - Other Settings for Debugging and Troubleshooting
- Configuration File
- Ruleset
  - Loading Rules Files
  - Tuning the Ruleset
- Using Plugins
- Changing the Configuration
- Conclusion
11. Using Falco for Cloud Security
- Why Falco for AWS Security?
- Falcos Architecture and AWS Security
  - Detection Examples
- Configuring and Running Falco for CloudTrail Security
  - Receiving Log Files Through an SQS Queue
    - Terraform-based deployment
    - Manual deployment
  - Reading Events from an S3 Bucket or the Local Filesystem
    - S3 bucket
    - Local filesystem path
- Extending Falcos AWS Ruleset
- What About Other Clouds?
- Conclusion
12. Consuming Falco Events
- Working with Falco Outputs
  - falco-exporter
    - Host installation
    - Running in a container
    - Deploying to Kubernetes
  - Falcosidekick
    - Host installation
    - Running in a container
    - Deploying to Kubernetes
- Observability and Analysis
- Getting Notified
- Responding to Threats
- Conclusion
IV. Extending Falco
13. Writing Falco Rules
- Customizing the Default Falco Rules
- Writing New Falco Rules
  - Our Rule Development Method
    - 1. Replicate the events you want to detect
    - 2. Capture the events and save them in a trace file
    - 3. Craft and test the condition filter with the aid of sysdig
    - 4. Craft and test the output with the aid of sysdig
    - 5. Convert the sysdig command line into a rule
    - 6. Validate the rule in Falco
    - 7. Modularize and optimize the rule
    - 8. Create a regression
    - 9. Share the rule with the community
- Things to Keep in Mind When Writing Rules
  - Priorities
  - Noise
  - Performance
  - Tagging
- Conclusion
14. Falco Development
- Working with the Codebase
  - The falcosecurity/falco Repository
  - The falcosecurity/libs Repository
  - Building Falco from Source
- Extending Falco Using the gRPC API
- Extending Falco with Plugins
  - Preparing a Plugin in Go
  - Plugin State and Initialization
  - Adding Event Sourcing Capability
  - Adding Field Extraction Capability
  - Finalizing the Plugin
  - Building a Plugin Written in Go
  - Using Plugins While Developing
- Conclusion
15. How to Contribute
- What Does It Mean to Contribute to Falco?
- Where Should I Start?
- Contributing to Falcosecurity Projects
  - Issues
  - Pull Requests
    - Git conflict resolution and linear history
    - The Developer Certificate of Origin
- Conclusion
Index