Runtime Security
Versiones compatibles: Falco 0.39+, Tetragon 1.2+, Kubernetes 1.31, 1.32, 1.33 Última actualización: February 22, 2026
La seguridad en tiempo de ejecución implica detectar y responder a actividad maliciosa y comportamiento anómalo mientras los contenedores están en ejecución. Este documento cubre estrategias de seguridad en tiempo de ejecución centradas en Falco y Tetragon.
Table of Contents
- Runtime Threat Landscape
- Falco
- Tetragon
- Falco vs Tetragon Comparison
- Kubernetes Audit Logging
- Runtime Threat Detection Patterns
- Incident Response
- SIEM/SOAR Integration
Runtime Threat Landscape
Container Runtime Threats
┌─────────────────────────────────────────────────────────────────────────┐
│ Container Runtime Threat Types │
│ │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ Attack Vectors │ │
│ │ │ │
│ │ ┌───────────┐ ┌───────────┐ ┌───────────┐ ┌───────────┐ │ │
│ │ │Vulnerability│ │ Miscon- │ │ Malicious │ │ Supply │ │ │
│ │ │ Exploit │ │figuration │ │ Image │ │ Chain │ │ │
│ │ └─────┬─────┘ └─────┬─────┘ └─────┬─────┘ └─────┬─────┘ │ │
│ │ │ │ │ │ │ │
│ │ └──────────────┴──────────────┴──────────────┘ │ │
│ │ │ │ │
│ │ ▼ │ │
│ │ ┌─────────────────────────────────────────────────────────┐ │ │
│ │ │ Runtime Threats │ │ │
│ │ │ │ │ │
│ │ │ • Cryptocurrency Mining │ │ │
│ │ │ • Reverse Shell │ │ │
│ │ │ • Privilege Escalation │ │ │
│ │ │ • Container Escape │ │ │
│ │ │ • Data Exfiltration │ │ │
│ │ │ • Lateral Movement │ │ │
│ │ │ • Persistence │ │ │
│ │ └─────────────────────────────────────────────────────────┘ │ │
│ └─────────────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────────┘Detection Technologies
| Technology | Description | Pros | Cons |
|---|---|---|---|
| Syscall Monitoring | Kernel system call tracing | Detailed visibility | Overhead |
| eBPF | Kernel-level programming | High performance, safe | Complex implementation |
| Audit Logs | K8s API call recording | Compliance | Limited runtime visibility |
| Network Monitoring | Traffic pattern analysis | Lateral movement detection | Encrypted traffic |
Falco
Falco Overview
Falco es una herramienta de seguridad en tiempo de ejecución cloud-native que analiza llamadas al sistema para detectar comportamiento anómalo.
┌─────────────────────────────────────────────────────────────────────────┐
│ Falco Architecture │
│ │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ Kubernetes Node │ │
│ │ │ │
│ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ │
│ │ │ Container A │ │ Container B │ │ Container C │ │ │
│ │ └──────┬──────┘ └──────┬──────┘ └──────┬──────┘ │ │
│ │ │ │ │ │ │
│ │ └────────────────┼────────────────┘ │ │
│ │ │ System Calls │ │
│ │ ▼ │ │
│ │ ┌─────────────────────────────────────────────────────────┐ │ │
│ │ │ Linux Kernel │ │ │
│ │ │ ┌─────────────────────────────────────────────────┐ │ │ │
│ │ │ │ Falco eBPF/Kernel Module │ │ │ │
│ │ │ │ (System Call Capture) │ │ │ │
│ │ │ └─────────────────────────────────────────────────┘ │ │ │
│ │ └─────────────────────────────────────────────────────────┘ │ │
│ │ │ │ │
│ │ ▼ │ │
│ │ ┌─────────────────────────────────────────────────────────┐ │ │
│ │ │ Falco Engine │ │ │
│ │ │ ┌───────────┐ ┌───────────┐ ┌───────────────────┐ │ │ │
│ │ │ │ Rules │ │ Filtering │ │ Output Channels │ │ │ │
│ │ │ │ Engine │──▶│ Engine │──▶│ • stdout │ │ │ │
│ │ │ │ │ │ │ │ • file │ │ │ │
│ │ │ │ │ │ │ │ • Slack │ │ │ │
│ │ │ │ │ │ │ │ • PagerDuty │ │ │ │
│ │ │ └───────────┘ └───────────┘ └───────────────────┘ │ │ │
│ │ └─────────────────────────────────────────────────────────┘ │ │
│ └─────────────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────────┘Falco Installation (EKS)
bash
# Install Falco using Helm
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
# Use eBPF driver (recommended)
helm install falco falcosecurity/falco \
--namespace falco \
--create-namespace \
--set driver.kind=ebpf \
--set falcosidekick.enabled=true \
--set falcosidekick.webui.enabled=trueyaml
# values.yaml (detailed configuration)
driver:
kind: ebpf
falco:
jsonOutput: true
jsonIncludeOutputProperty: true
httpOutput:
enabled: true
url: http://falcosidekick:2801
customRules:
custom-rules.yaml: |-
# Add custom rules here
falcosidekick:
enabled: true
config:
slack:
webhookurl: "https://hooks.slack.com/services/xxx"
outputformat: "all"
minimumpriority: "warning"
pagerduty:
apikey: "xxx"
minimumpriority: "critical"
webui:
enabled: true
service:
type: ClusterIPFalco Rule Structure
yaml
# Rule structure
- rule: <rule name>
desc: <description>
condition: <condition expression>
output: <output message>
priority: <severity: EMERGENCY|ALERT|CRITICAL|ERROR|WARNING|NOTICE|INFO|DEBUG>
tags: [<tag list>]
enabled: true|falseDefault Rule Examples
yaml
# /etc/falco/falco_rules.yaml
# Detect shell execution in container
- rule: Terminal shell in container
desc: A shell was spawned in a container
condition: >
spawned_process and
container and
shell_procs and
proc.tty != 0
output: >
Shell spawned in a container
(user=%user.name user_loginuid=%user.loginuid container=%container.name
shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline
terminal=%proc.tty exe_flags=%evt.arg.flags)
priority: WARNING
tags: [shell, container, mitre_execution]
# Detect sensitive file reads
- rule: Read sensitive file untrusted
desc: An untrusted program read a sensitive file
condition: >
sensitive_files and
open_read and
proc_name_exists and
not user_trusted_containers
output: >
Sensitive file read by untrusted program
(user=%user.name name=%proc.name command=%proc.cmdline
file=%fd.name parent=%proc.pname gparent=%proc.aname[2]
container=%container.name image=%container.image.repository)
priority: WARNING
tags: [filesystem, mitre_credential_access]
# Detect privilege escalation
- rule: Detect su or sudo
desc: Detect su or sudo execution
condition: >
spawned_process and
(proc.name in (su, sudo))
output: >
Privilege escalation via su/sudo
(user=%user.name command=%proc.cmdline container=%container.name)
priority: WARNING
tags: [privilege_escalation]Writing Custom Rules
yaml
# Cryptocurrency mining detection
- rule: Detect Cryptocurrency Mining
desc: Detect cryptocurrency mining processes
condition: >
spawned_process and
container and
(
proc.name in (xmrig, minerd, cgminer, cpuminer, bfgminer) or
proc.cmdline contains "stratum+tcp://" or
proc.cmdline contains "pool.minexmr.com" or
proc.cmdline contains "cryptonight"
)
output: >
Cryptocurrency mining detected
(user=%user.name command=%proc.cmdline container=%container.name
image=%container.image.repository)
priority: CRITICAL
tags: [cryptomining, mitre_resource_hijacking]
# Reverse shell detection
- rule: Reverse Shell Detection
desc: Detect reverse shell connections
condition: >
spawned_process and
container and
(
(proc.name = bash and proc.cmdline contains "/dev/tcp/") or
(proc.name = nc and proc.args contains "-e") or
(proc.name = python and proc.cmdline contains "socket" and
proc.cmdline contains "subprocess") or
(proc.name = perl and proc.cmdline contains "socket") or
(proc.name = ruby and proc.cmdline contains "TCPSocket")
)
output: >
Reverse shell detected
(user=%user.name command=%proc.cmdline container=%container.name
image=%container.image.repository connection=%fd.name)
priority: CRITICAL
tags: [reverse_shell, mitre_execution]
# Kubernetes Secret access detection
- rule: Unauthorized K8s Secret Access
desc: Detect unauthorized access to mounted Kubernetes secrets
condition: >
open_read and
container and
fd.name startswith "/var/run/secrets/kubernetes.io" and
not proc.name in (kubelet, kube-proxy)
output: >
Kubernetes secret accessed
(user=%user.name command=%proc.cmdline file=%fd.name
container=%container.name image=%container.image.repository)
priority: WARNING
tags: [k8s, secrets, mitre_credential_access]
# Container escape attempt detection
- rule: Container Escape Attempt
desc: Detect potential container escape attempts
condition: >
spawned_process and
container and
(
proc.cmdline contains "nsenter" or
proc.cmdline contains "/proc/1/root" or
proc.cmdline contains "/.dockerenv" or
(proc.name = mount and proc.args contains "cgroup")
)
output: >
Container escape attempt detected
(user=%user.name command=%proc.cmdline container=%container.name
image=%container.image.repository)
priority: CRITICAL
tags: [container_escape, mitre_privilege_escalation]Falco Alert Configuration
yaml
# Falcosidekick configuration for various alert channels
falcosidekick:
config:
# Slack
slack:
webhookurl: "https://hooks.slack.com/services/xxx/yyy/zzz"
channel: "#security-alerts"
username: "Falco"
outputformat: "all"
minimumpriority: "warning"
# PagerDuty
pagerduty:
routingkey: "xxx"
minimumpriority: "critical"
# AWS CloudWatch
cloudwatchlogs:
region: "us-east-1"
loggroup: "/falco/alerts"
logstream: "eks-cluster"
# AWS Security Hub
securityhub:
region: "us-east-1"
minimumpriority: "high"
# Prometheus
prometheus:
extralabels: "cluster:production"
# Elasticsearch
elasticsearch:
hostport: "https://elasticsearch:9200"
index: "falco"
type: "_doc"Tetragon
Tetragon Overview
Tetragon es una herramienta de observabilidad de seguridad y aplicación de controles en tiempo de ejecución basada en eBPF, del proyecto Cilium.
┌─────────────────────────────────────────────────────────────────────────┐
│ Tetragon Architecture │
│ │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ Kubernetes Cluster │ │
│ │ │ │
│ │ ┌───────────────────────────────────────────────────────────┐ │ │
│ │ │ Tetragon DaemonSet │ │ │
│ │ │ │ │ │
│ │ │ ┌─────────────────────────────────────────────────────┐ │ │ │
│ │ │ │ eBPF Programs │ │ │ │
│ │ │ │ │ │ │ │
│ │ │ │ • Process Execution • File Access │ │ │ │
│ │ │ │ • Network Activity • Capability Usage │ │ │ │
│ │ │ │ • Namespace Changes • Syscall Tracing │ │ │ │
│ │ │ └─────────────────────────────────────────────────────┘ │ │ │
│ │ │ │ │ │ │
│ │ │ ▼ │ │ │
│ │ │ ┌─────────────────────────────────────────────────────┐ │ │ │
│ │ │ │ TracingPolicy CRD │ │ │ │
│ │ │ │ │ │ │ │
│ │ │ │ • kprobes • tracepoints • uprobes │ │ │ │
│ │ │ │ • Selectors • Actions • Filters │ │ │ │
│ │ │ └─────────────────────────────────────────────────────┘ │ │ │
│ │ │ │ │ │ │
│ │ │ ▼ │ │ │
│ │ │ ┌─────────────────────────────────────────────────────┐ │ │ │
│ │ │ │ Outputs │ │ │ │
│ │ │ │ │ │ │ │
│ │ │ │ • JSON Events • gRPC API • Prometheus Metrics │ │ │ │
│ │ │ └─────────────────────────────────────────────────────┘ │ │ │
│ │ └────────────────────────────────────────────────────────────┘ │ │
│ └─────────────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────────┘Tetragon Installation
bash
# Install Tetragon using Helm
helm repo add cilium https://helm.cilium.io
helm repo update
helm install tetragon cilium/tetragon \
-n kube-system \
--set tetragon.enableProcessCred=true \
--set tetragon.enableProcessNs=trueTracingPolicy Basic Structure
yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: example-policy
spec:
# kprobes: kernel function tracing
kprobes:
- call: "security_file_open"
syscall: false
args:
- index: 0
type: "file"
selectors:
- matchArgs:
- index: 0
operator: "Prefix"
values:
- "/etc/shadow"
matchActions:
- action: Sigkill # Kill processProcess Monitoring
yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: process-monitoring
spec:
kprobes:
# Monitor execve system call
- call: "sys_execve"
syscall: true
args:
- index: 0
type: "string" # Executable path
selectors:
- matchBinaries:
- operator: "In"
values:
- "/bin/bash"
- "/bin/sh"
- "/usr/bin/python"
matchNamespaces:
- namespace: Pid
operator: NotIn
values:
- "host_ns" # Exclude host namespaceFile Access Monitoring
yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: sensitive-file-access
spec:
kprobes:
- call: "security_file_open"
syscall: false
args:
- index: 0
type: "file"
selectors:
# Monitor sensitive file access
- matchArgs:
- index: 0
operator: "Prefix"
values:
- "/etc/shadow"
- "/etc/passwd"
- "/etc/sudoers"
- "/root/.ssh"
- "/var/run/secrets/kubernetes.io"
matchActions:
- action: Post # Log event
---
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: block-sensitive-file-write
spec:
kprobes:
- call: "security_file_open"
syscall: false
args:
- index: 0
type: "file"
- index: 1
type: "int" # flags
selectors:
# Block write access to sensitive files
- matchArgs:
- index: 0
operator: "Prefix"
values:
- "/etc/passwd"
- "/etc/shadow"
- index: 1
operator: "Mask"
values:
- "2" # O_WRONLY or O_RDWR
matchActions:
- action: Sigkill # Kill processNetwork Monitoring
yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: network-monitoring
spec:
kprobes:
# Monitor outbound connections
- call: "tcp_connect"
syscall: false
args:
- index: 0
type: "sock"
selectors:
- matchArgs:
- index: 0
operator: "DPort"
values:
- "22" # SSH
- "4444" # Common reverse shell port
- "5555" # Common reverse shell port
matchActions:
- action: Post
# Monitor DNS queries
- call: "udp_sendmsg"
syscall: false
args:
- index: 0
type: "sock"
selectors:
- matchArgs:
- index: 0
operator: "DPort"
values:
- "53"
matchActions:
- action: PostRuntime Enforcement
yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: block-crypto-miners
spec:
kprobes:
- call: "sys_execve"
syscall: true
args:
- index: 0
type: "string"
selectors:
# Block cryptocurrency mining processes
- matchArgs:
- index: 0
operator: "Postfix"
values:
- "xmrig"
- "minerd"
- "cgminer"
matchActions:
- action: Sigkill
---
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: block-reverse-shells
spec:
kprobes:
- call: "sys_execve"
syscall: true
args:
- index: 0
type: "string"
- index: 1
type: "string" # argv
selectors:
# Block reverse shell patterns
- matchArgs:
- index: 1
operator: "Contains"
values:
- "/dev/tcp/"
- "bash -i"
- "nc -e"
matchActions:
- action: SigkillTetragon CLI Usage
bash
# View event stream
kubectl exec -n kube-system ds/tetragon -c tetragon -- tetra getevents
# Filter process events
kubectl exec -n kube-system ds/tetragon -c tetragon -- \
tetra getevents -o compact --process curl
# JSON format output
kubectl exec -n kube-system ds/tetragon -c tetragon -- \
tetra getevents -o json
# Filter by namespace
kubectl exec -n kube-system ds/tetragon -c tetragon -- \
tetra getevents --namespace productionFalco vs Tetragon Comparison
Feature Comparison Table
| Feature | Falco | Tetragon |
|---|---|---|
| Technology Base | Kernel module/eBPF | eBPF only |
| Performance | Good | Excellent |
| Rule Language | YAML + conditions | CRD (TracingPolicy) |
| Runtime Enforcement | Limited | Native support |
| Kubernetes Integration | Good | Excellent (Cilium) |
| Process Tracing | ✓ | ✓ |
| File Monitoring | ✓ | ✓ |
| Network Monitoring | Limited | ✓ (Cilium integration) |
| Community | Large and mature | Growing |
| Learning Curve | Medium | High |
| Alert Integration | Falcosidekick | Prometheus, gRPC |
Use Case Recommendations
┌─────────────────────────────────────────────────────────────────────────┐
│ Recommended Tools by Use Case │
├─────────────────────────────────────────────────────────────────────────┤
│ │
│ Detection-focused Monitoring │
│ └─▶ Falco (mature ruleset, diverse alert integration) │
│ │
│ Runtime Enforcement Needed │
│ └─▶ Tetragon (process termination, network blocking) │
│ │
│ Cilium CNI Environment │
│ └─▶ Tetragon (native integration) │
│ │
│ Compliance/Auditing │
│ └─▶ Falco + Tetragon (complementary) │
│ │
│ Minimal Overhead Required │
│ └─▶ Tetragon (pure eBPF) │
│ │
└─────────────────────────────────────────────────────────────────────────┘Kubernetes Audit Logging
Audit Policy Configuration
yaml
# audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
# Log authentication failures
- level: Metadata
users: ["system:anonymous"]
verbs: ["*"]
# Detailed Secret access logging
- level: RequestResponse
resources:
- group: ""
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# Pod exec/attach logging
- level: RequestResponse
resources:
- group: ""
resources: ["pods/exec", "pods/attach", "pods/portforward"]
verbs: ["create"]
# RBAC change logging
- level: RequestResponse
resources:
- group: "rbac.authorization.k8s.io"
resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
verbs: ["create", "update", "patch", "delete"]
# Minimal logging for read operations
- level: Metadata
verbs: ["get", "list", "watch"]
# All other requests
- level: Request
verbs: ["*"]EKS Audit Log Analysis
bash
# CloudWatch Logs Insights queries
# Secret access events
fields @timestamp, user.username, verb, objectRef.resource, objectRef.name
| filter objectRef.resource = "secrets"
| sort @timestamp desc
| limit 100
# Permission denied events
fields @timestamp, user.username, verb, objectRef.resource, responseStatus.code
| filter responseStatus.code = 403
| sort @timestamp desc
# exec/attach events
fields @timestamp, user.username, objectRef.name, requestURI
| filter objectRef.subresource in ["exec", "attach"]
| sort @timestamp descRuntime Threat Detection Patterns
Cryptocurrency Mining Detection
yaml
# Falco rule
- rule: Cryptocurrency Mining Activity
desc: Detect processes commonly used for cryptocurrency mining
condition: >
spawned_process and container and
(
proc.name in (xmrig, minerd, cpuminer, cgminer) or
proc.cmdline contains "stratum+tcp" or
proc.cmdline contains "pool." and proc.cmdline contains ":" or
proc.cmdline contains "--algo=cryptonight"
)
output: >
Cryptocurrency mining activity detected
(user=%user.name command=%proc.cmdline container=%container.name
image=%container.image.repository pod=%k8s.pod.name)
priority: CRITICAL
tags: [cryptomining, mitre_resource_hijacking]Reverse Shell Detection
yaml
- rule: Reverse Shell Activity
desc: Detect outbound network connections that may be reverse shells
condition: >
spawned_process and container and
(
(proc.name = bash and proc.cmdline contains "/dev/tcp/") or
(proc.name = nc and (proc.args contains "-e" or proc.args contains "-c")) or
(proc.name = ncat and proc.args contains "--sh-exec") or
(proc.name = python and proc.cmdline contains "socket" and
proc.cmdline contains "subprocess") or
(proc.name = perl and proc.cmdline contains "socket" and
proc.cmdline contains "exec") or
(proc.name = php and proc.cmdline contains "fsockopen")
)
output: >
Reverse shell detected
(user=%user.name command=%proc.cmdline container=%container.name
image=%container.image.repository pod=%k8s.pod.name)
priority: CRITICAL
tags: [reverse_shell, mitre_command_and_control]Privilege Escalation Detection
yaml
- rule: Privilege Escalation via SUID
desc: Detect execution of SUID binaries
condition: >
spawned_process and container and
proc.is_exe_upper_layer=false and
user.uid != 0 and
proc.suid != 0 and
proc.suid != proc.uid
output: >
SUID binary executed
(user=%user.name uid=%user.uid suid=%proc.suid command=%proc.cmdline
container=%container.name)
priority: WARNING
tags: [privilege_escalation, mitre_privilege_escalation]
- rule: Setuid/Setgid Binary Created
desc: Detect creation of setuid/setgid binaries
condition: >
evt.type = chmod and container and
(evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID")
output: >
Setuid/setgid binary created
(user=%user.name file=%fd.name mode=%evt.arg.mode container=%container.name)
priority: CRITICAL
tags: [privilege_escalation, persistence]Incident Response
Pod Isolation Procedure
bash
#!/bin/bash
# incident-response.sh
POD_NAME=$1
NAMESPACE=$2
# 1. Apply isolation network policy
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: isolate-${POD_NAME}
namespace: ${NAMESPACE}
spec:
podSelector:
matchLabels:
app: $(kubectl get pod ${POD_NAME} -n ${NAMESPACE} -o jsonpath='{.metadata.labels.app}')
policyTypes:
- Ingress
- Egress
# Block all traffic
EOF
# 2. Collect pod information
echo "=== Collecting Pod Information ==="
kubectl get pod ${POD_NAME} -n ${NAMESPACE} -o yaml > pod-${POD_NAME}-spec.yaml
kubectl describe pod ${POD_NAME} -n ${NAMESPACE} > pod-${POD_NAME}-describe.txt
kubectl logs ${POD_NAME} -n ${NAMESPACE} --all-containers > pod-${POD_NAME}-logs.txt
# 3. Collect process list (if possible)
kubectl exec ${POD_NAME} -n ${NAMESPACE} -- ps aux > pod-${POD_NAME}-processes.txt 2>/dev/null
# 4. Collect network connections
kubectl exec ${POD_NAME} -n ${NAMESPACE} -- netstat -an > pod-${POD_NAME}-network.txt 2>/dev/null
# 5. Filesystem snapshot (if needed)
# kubectl debug ${POD_NAME} -n ${NAMESPACE} --image=busybox -- tar -cvf /tmp/fs.tar /
echo "=== Evidence Collection Complete ==="
echo "Collected files: pod-${POD_NAME}-*.txt"Forensics Container
yaml
# Debug container for forensics
apiVersion: v1
kind: Pod
metadata:
name: forensics-pod
namespace: security
spec:
containers:
- name: forensics
image: nicolaka/netshoot:latest
command: ["sleep", "3600"]
securityContext:
capabilities:
add:
- SYS_PTRACE
- NET_ADMIN
volumeMounts:
- name: host-proc
mountPath: /host/proc
readOnly: true
- name: evidence
mountPath: /evidence
volumes:
- name: host-proc
hostPath:
path: /proc
- name: evidence
emptyDir: {}SIEM/SOAR Integration
Falco to Elasticsearch
yaml
# Falcosidekick Elasticsearch configuration
falcosidekick:
config:
elasticsearch:
hostport: "https://elasticsearch.logging:9200"
index: "falco"
type: "_doc"
minimumpriority: "warning"
mutualtls: false
checkcert: true
username: "elastic"
password: "${ELASTIC_PASSWORD}"Prometheus + Grafana Dashboard
yaml
# ServiceMonitor for Falco metrics
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: falco
namespace: monitoring
spec:
selector:
matchLabels:
app: falco
endpoints:
- port: metrics
interval: 30syaml
# Grafana dashboard ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
name: falco-dashboard
namespace: monitoring
labels:
grafana_dashboard: "1"
data:
falco-dashboard.json: |
{
"title": "Falco Security Alerts",
"panels": [
{
"title": "Alerts by Priority",
"type": "piechart",
"targets": [
{
"expr": "sum by (priority) (falco_events_total)"
}
]
},
{
"title": "Alerts Over Time",
"type": "timeseries",
"targets": [
{
"expr": "rate(falco_events_total[5m])"
}
]
}
]
}Summary
Aspectos clave de la seguridad en tiempo de ejecución:
- Falco: Conjunto de reglas maduro, integración diversa de alertas, enfocado en la detección
- Tetragon: Alto rendimiento basado en eBPF, soporte para aplicación de controles en tiempo de ejecución
- Audit Logging: Seguimiento de la actividad de la API de Kubernetes, cumplimiento
- Threat Detection: Minería de criptomonedas, reverse shells, escalamiento de privilegios
- Incident Response: Aislamiento, recopilación de evidencia, análisis forense
Recommendations
- Usar la combinación de Falco + Tetragon para detección y aplicación de controles
- Escribir reglas personalizadas para sistemas críticos
- Integrar con SIEM para monitoreo centralizado
- Preparar playbooks de respuesta a incidentes