Interactive Lab · CKS Topic · Advanced

FALCO RUNTIME SECURITY

$ cat /var/log/falco/events.log | grep CRITICAL
🔒 CKS Exam Topic
🦅 What is Falco?
  • Falco is a runtime security tool for Kubernetes. It watches system calls at the kernel level and generates alerts when suspicious behavior is detected.
  • Unlike static policies (like PodSecurityAdmission), Falco detects threats while they are happening, not just at admission time. It can catch shell executions inside containers, file writes in sensitive paths, and network connections to unexpected destinations.
  • Falco uses rules written in YAML to define what counts as suspicious. Each rule has a condition (what to detect), an output (what to log), and a priority (how severe it is).
  • On the CKS exam you need to: understand Falco alert output, identify which rule triggered an alert, and modify or write simple rules.
🦅 Falco is installed on the node as a systemd service or DaemonSet. Rules are stored in /etc/falco/falco_rules.yaml (built-in) and /etc/falco/falco_rules.local.yaml (custom). Always put your custom rules in the local file.
Common Falco Rule Structure
# A basic Falco rule
- rule: Terminal shell in container
  desc: Alert when a shell is opened inside a container
  condition: container and shell_procs and proc.tty != 0
  output: Shell opened in container (user=%user.name container=%container.name)
  priority: WARNING
  tags: [container, shell]
📋 Step 2 Read and Understand Falco Alerts
  • Falco alerts are written to /var/log/falco/events.log or to syslog. Each line contains the time, severity, rule name, and the details of what triggered it.
  • On the CKS exam, you may be asked to find which pod triggered a specific Falco alert, or which rule file to look in. Parse the output fields carefully.
  • Click each alert below to understand what triggered it and which real attack it represents.
โœ๏ธ Step 3 Write a Falco Rule
  • 1Write a Falco rule that detects when a process writes to /etc/passwd inside a container. This is a common container escape indicator.
  • 2The condition should check: container (running in a container), open_write (file write syscall), and fd.name (the file path).
  • 3Set the priority to CRITICAL writing to /etc/passwd is a serious security event.
🚨 Step 4 Identify Threats from Alerts
  • Below are 4 real Falco alert snippets. For each one, identify the attack type and what the attacker was attempting.
  • This is exactly the type of analysis the CKS exam tests. Reading Falco output and understanding what it means is a core skill.
  • Click each alert to reveal the analysis.
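To practise the parsing that Step 2 and Step 4 ask for, here is an added example (not part of the lab or of Falco itself): a small Python parser for Falco's plain-text log lines that extracts the time, priority, message and the key=value fields, filters by minimum severity using the priority order from the rule-field table, and counts alerts per pod. It assumes the default line shape "<time>: <Priority> <rule output>", and the sample log lines are constructed, not captured from a real cluster.

```python
import re
from collections import Counter

# Falco priority levels, most to least severe (same order as the rule-field table).
PRIORITIES = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING",
              "NOTICE", "INFORMATIONAL", "DEBUG"]
RANK = {p: i for i, p in enumerate(PRIORITIES)}

# Assumed text-output shape: "<time>: <Priority> <message with k=v fields>".
LINE_RE = re.compile(r"^(?P<time>\S+): (?P<priority>[A-Za-z]+) (?P<message>.*)$")
# key=value pairs such as user=root, fd.name=/etc/passwd, pod=web-7d9f (stop at ')').
FIELD_RE = re.compile(r"(\w+(?:\.\w+)*)=([^\s)]+)")

# Constructed sample alerts for demonstration (not real cluster output).
SAMPLE_LOG = """\
2024-05-01T10:00:01.000000000+0000: Warning Shell opened in container (user=root container=web pod=web-7d9f)
2024-05-01T10:00:05.000000000+0000: Critical File /etc/passwd opened for writing (user=root fd.name=/etc/passwd container=web pod=web-7d9f)
2024-05-01T10:00:09.000000000+0000: Notice Unexpected outbound connection (user=app container=api pod=api-1a2b)
this line is not a Falco alert
"""

def parse_alert(line):
    """Return a dict with time, priority, message and fields, or None for non-alert lines."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("priority").upper() not in RANK:
        return None
    rec = m.groupdict()
    rec["priority"] = rec["priority"].upper()          # normalise "Critical" -> "CRITICAL"
    rec["fields"] = dict(FIELD_RE.findall(rec["message"]))
    return rec

def parse_log(text):
    """Parse every line of a log, silently skipping lines that are not Falco alerts."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]

def at_least(alerts, min_priority):
    """Keep alerts at least as severe as min_priority (lower rank = more severe)."""
    return [a for a in alerts if RANK[a["priority"]] <= RANK[min_priority]]

def alerts_per_pod(alerts):
    """Count alerts by the pod field, which is what the exam usually asks you to find."""
    return Counter(a["fields"].get("pod", "<none>") for a in alerts)

if __name__ == "__main__":
    for a in at_least(parse_log(SAMPLE_LOG), "WARNING"):
        print(a["priority"], a["fields"].get("pod"), a["message"])
```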
Rule Fields
  rule - Name of the rule. Must be unique.
  desc - Human-readable description of what the rule detects.
  condition - Falco filter expression. Defines what triggers the alert.
  output - Log message format. Can include field variables.
  priority - EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFORMATIONAL, DEBUG
  tags - Optional labels for categorizing rules.
Common Condition Fields
  container - True if the event happened inside a container.
  proc.name - Name of the process (e.g. "bash", "python").
  fd.name - File descriptor path. Use for detecting file access.
  user.name - Username of the process owner.
  container.name - Name of the container where the event occurred.
  k8s.pod.name - Name of the Kubernetes pod.
  open_write - Matches file open for writing syscalls.
  spawned_process - Matches new process creation events.
Falco Commands
  systemctl status falco - Check if Falco is running.
  cat /var/log/falco/events.log - Read Falco alerts from the log file.
  journalctl -u falco - Read Falco alerts from the systemd journal.
  falco -r /etc/falco/falco_rules.local.yaml - Test a rules file for syntax errors.
  systemctl restart falco - Restart Falco to load new rules.
  /etc/falco/falco_rules.local.yaml - Where to put your custom rules.