@vfarcic
Created October 12, 2023 12:47
# Source: https://gist.github.com/vfarcic/c5428e3d774ec4741dd6b133cbebe6db
##################################################################
# Unseen Dangers Unveiled: Detecting Security Threats with Falco #
##################################################################
# Additional Info:
# - Falco: https://falco.org
#########
# Setup #
#########
# Create a Kubernetes cluster
# The demo was tested on GKE but it should work on any Kubernetes
# cluster, except those running inside containers like KinD or
# Civo.
git clone https://github.com/vfarcic/falco-demo
cd falco-demo
helm upgrade --install falco falco \
    --repo https://falcosecurity.github.io/charts \
    --values values.yaml --namespace falco --create-namespace \
    --wait
kubectl create namespace demo
kubectl --namespace demo run demo --image alpine \
    -- sh -c "sleep infinity"
# Install `jq` by following the instructions at
# https://jqlang.github.io/jq/download
####################################
# Falco Threat-Detection in Action #
####################################
kubectl --namespace demo exec --stdin --tty demo \
    -- sh -c "ls /"
kubectl --namespace falco logs \
    --selector app.kubernetes.io/name=falco --container falco \
    | grep Notice | jq .
kubectl --namespace falco get pods
# Replace `[...]` with the name of one of the `falco-*` pods
export POD=[...]
kubectl --namespace falco exec -it $POD \
    -- sh -c "cat /etc/falco/falco_rules.yaml"
cat rule-example.yaml
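# The demo reads Falco's alerts with `grep Notice | jq .`. As an added
# example (not part of this gist or of Falco), the Python script below
# parses the same JSON alert lines, filters by Falco's priority order
# instead of a literal word match (so a Warning is not dropped), and
# counts alerts per rule, namespace and pod. The log lines, pod names
# and timestamps in SAMPLE_LOG are constructed, not captured output.

```python
import json
from collections import Counter

# Falco's priorities, most to least severe (the order Falco itself uses).
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# Constructed sample of what `kubectl logs` returns from a Falco pod with
# json_output enabled: JSON alerts interleaved with plain startup messages.
SAMPLE_LOG = """\
Thu Oct 12 12:49:58 2023: Falco initialized with configuration file /etc/falco/falco.yaml
{"priority":"Notice","rule":"Terminal shell in container","time":"2023-10-12T12:50:01.1Z","output":"12:50:01.1: Notice A shell was spawned in a container with an attached terminal","output_fields":{"k8s.ns.name":"demo","k8s.pod.name":"demo","proc.cmdline":"sh -c ls /","user.name":"root"}}
{"priority":"Warning","rule":"Read sensitive file untrusted","time":"2023-10-12T12:50:02.0Z","output":"12:50:02.0: Warning Sensitive file opened for reading by non-trusted program","output_fields":{"k8s.ns.name":"demo","k8s.pod.name":"demo","proc.cmdline":"cat /etc/shadow","user.name":"root"}}
{"priority":"Informational","rule":"Container drift detected","time":"2023-10-12T12:50:03.0Z","output":"12:50:03.0: Informational New executable created in a container","output_fields":{"k8s.ns.name":"kube-system","k8s.pod.name":"kube-dns-abc"}}
"""

def parse_falco_log(text):
    """Return the JSON alerts in a Falco log, skipping non-JSON lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # startup banner, rule-loading messages, etc.
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # truncated or interleaved line
    return events

def at_least(events, minimum):
    """Keep alerts at priority `minimum` or more severe. Unlike
    `grep Notice`, this also keeps the Warning alert in the sample."""
    cutoff = PRIORITIES.index(minimum)
    return [e for e in events
            if e.get("priority") in PRIORITIES
            and PRIORITIES.index(e["priority"]) <= cutoff]

def summarize(events):
    """Count alerts per (rule, namespace, pod) to spot noisy workloads."""
    return Counter(
        (e["rule"],
         e.get("output_fields", {}).get("k8s.ns.name", "?"),
         e.get("output_fields", {}).get("k8s.pod.name", "?"))
        for e in events)

if __name__ == "__main__":
    alerts = at_least(parse_falco_log(SAMPLE_LOG), "Notice")
    for (rule, ns, pod), n in summarize(alerts).items():
        print(f"{n:3d}  {rule}  ns={ns} pod={pod}")
```

# Pipe the real `kubectl --namespace falco logs ...` output into the script
# (read `sys.stdin.read()` instead of SAMPLE_LOG) to get the same summary
# from a live cluster.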
###########
# Destroy #
###########
# Destroy or reset the cluster