0x00 Scenario
================
输出到统一的告警管理平台进行个性化的攻击数据分析及串联。
Falco 在 0.18.0 版本之后提供 gRPC Server 用于 Client Side 消费 Falco 产生的安全告警,为用户提供了更加灵活的告警处理方式。
Falco gRPC Server 两种运行方式:
mTLS
local unix socket
这里我选择更加通用的 mTLS 进行配置,需要如下几个步骤:
生成用于通信的客户端、服务端证书
在 Falco 配置文件中指定证书并开启 gRPC Server 及 Outputs
Client Side 指定客户端证书及 gRPC Server 地址
部分代码如下:
`c, err := client.NewForConfig(context.Background(), &client.Config{ Hostname: "falcoXXXXX.YYYYY.com", Port: 5060, CertFile: "ClientCerts/client.crt", KeyFile: "ClientCerts/client.key", CARootFile: "ClientCerts/ca.crt", })`
`{ "time": { "seconds": 1570094449, "nanos": 259268899 }, "priority": 3, "rule": "Modify binary dirs", "output": "09:20:49.259268899: Error File below known binary directory renamed/removed (user=vagrant command=lua /home/vagrant/.dotfiles/zsh/.config/zsh/plugins/z.lua/z.lua --init zsh once enhanced pcmdline=zsh operation=rena me file=<NA> res=0 oldpath=/usr/bin/realpath newpath=/usr/bin/realpath container_id=host image=<NA>)", "output_fields": { "container.id": "host", "container.image.repository": "<NA>", "evt.args": "res=0 oldpath=/usr/bin/realpath newpath=/usr/bin/realpath ", "evt.time": "09:20:49.259268899", "evt.type": "rename", "fd.name": "<NA>", "proc.cmdline": "lua /home/vagrant/.dotfiles/zsh/.config/zsh/plugins/z.lua/z.lua --init zsh once enhanced", "proc.pcmdline": "zsh", "user.name": "vagrant" } } { "time": { "seconds": 1570094449, "nanos": 620298462 }, "priority": 4, "rule": "Delete or rename shell history", "output": "09:20:49.620298462: Warning Shell history had been deleted or renamed (user=vagrant type=unlink command=zsh fd.name=<NA> name=<NA> path=/home/vagrant/.zsh_history.LOCK oldpath=<NA> host (id=host))", "output_fields": { "container.id": "host", "container.name": "host", "evt.arg.name": "<NA>", "evt.arg.oldpath": "<NA>", "evt.arg.path": "/home/vagrant/.zsh_history.LOCK", "evt.time": "09:20:49.620298462", "evt.type": "unlink", "fd.name": "<NA>", "proc.cmdline": "zsh", "user.name": "vagrant" } } `
https://github.com/tonghuaroot/FalcoSec
image