While open source solutions have historically provided the core layer of infrastructure, there have been areas in which organizations would need to look at proprietary solutions. The most notable of which is a security that had until recently remained the bastion of commercial vendors.
For container infrastructure there are typically two key security needs:
1. Image Security
Analyzing images to ensure they do not contain vulnerabilities and are in compliance with your organization’s operational and security policies.
2. Runtime Security
Real-time monitoring of containers to ensure report on or block malicious activity at the network, system or storage layers.
We have spoken at length about the first area: image security and covered how the open source Anchore Engine can quickly and easily be integrated into your CI/CD pipeline, container registries and Kubernetes infrastructure to ensure that only images that meet your organization’s policies are deployed. In this blog, we will introduce you to another open source project, Falco, from the team at Sysdig. Like Anchore Engine, Falco is open source, making it easy for organizations to download and run Falco in their environment and like Anchore there is company behind Falco that provides a commercial offering with centralized management, added features and integration.
Over the last decade, it has become clear that open source technologies provide the right foundation for infrastructure and at Anchore we believe that security and analysis tools should be open source so that anyone can inspect the code to validate that the results are fair and accurate. And since security tools typically are granted the highest level of privilege in terms of access and control of resources you need the mantra of “Trust but verify” is especially true.
With Anchore Engine, we ensure that only the right content, from known sources configured in the right way, is promoted from your CI/CD system and deployed in production but once deployed unknown vulnerabilities or misconfigurations can lead to a container being exploited. The traditional approach to security monitoring involved looking for known signatures is network traffic, files, etc. Similar to the approach taken in the early days of antivirus software where security vendors played an endless game of cat and mouse with virus authors, requiring the antivirus software to be continually updated with new signatures and new viruses were detected in the wild. Over time these solutions evolved to use heuristics in addition to signature mapping.
A similar technique is used by the Falco project which takes a more behavioral approach to detection. While there are many different ways that a container could be compromised all of which would need to be explicitly monitored for Falco looks at what is happening once the attacker has compromised the container allowing you to report and then block anomalous behaviors. For example, why would a reverse proxy container need to write a file into the /bin directory, why would a PostgreSQL container make an outbound network connection, why would your Redis server spawn a shell process?
Falco taps into host kernel for syscall monitoring using either a kernel module or a new approach using extended Berkley Packaged Filters (eBPF) which is available in modern kernels (see an excellent introduction to eBFG in LWN). This approach maximizes visibility into the system while minimizing overhead. Rules can be created that can monitor any activity including network access, file I/O and even interprocess communication (IPC). The Falco Wiki contains some great examples that illustrate the power of this level of integration, for example alerting when a process attempts to write into a directory containing system binaries, they even created default runtime security rules for the most popular Docker images.
With the addition of Anchore Engine and Sysdig Falco you can build an open and secure container infrastructure.