CKS MockExam-1 Question 6 Enabling Falco Output to a file

Is anybody able to solve Q6 in Mock Exam 1 of CKS? It asks to update a Falco rule, which I am able to do. Writing the alerts to an output file is where I am failing. I followed the solution given by Mock Exam 1 and also the Falco docs on enabling output channels. Can someone please help? Below is the question and the answer given in the KodeKloud Mock Exam 1 answer key. The answer below is not working for me.

There is something suspicious happening with one of the pods running an httpd image in this cluster.
The Falco service shows frequent alerts that start with: File below a known binary directory opened for writing.

Identify the rule causing this alert and update it as per the below requirements:

  1. Output should be displayed as: CRITICAL File below a known binary directory opened for writing (user_id=user_id file_updated=file_name command=command_that_was_run)
  2. Alerts are logged to /opt/security_incidents/alerts.log
Do not update the default rules file directly. Rather, use the falco_rules.local.yaml file to override.

Note: Once the alert has been updated, you may have to wait for up to a minute for the alerts to be written to the new log location.

Enable file_output in /etc/falco/falco.yaml on the controlplane node:

file_output:
  enabled: true
  keep_alive: false
  filename: /opt/security_incidents/alerts.log
Next, add the updated rule under the /etc/falco/falco_rules.local.yaml and hot reload the Falco service:

- rule: Write below binary dir
  desc: an attempt to write to any file below a set of binary directories
  condition: >
    bin_dir and evt.dir = < and open_write
    and not package_mgmt_procs
    and not exe_running_docker_save
    and not python_running_get_pip
    and not python_running_ms_oms
    and not user_known_write_below_binary_dir_activities
  output: >
    File below a known binary directory opened for writing (user_id=%user.uid file_updated=%fd.name command=%proc.cmdline)
  priority: CRITICAL
  tags: [filesystem, mitre_persistence]

To hot-reload Falco, send it SIGHUP with `kill -1 <falco pid>`.

Alternatively, you can also restart the falco service by running:
systemctl restart falco
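The following script is an added example for this thread, not KodeKloud's answer key and not a Falco tool. It applies the two edits from the answer above (the file_output channel in falco.yaml and the rule override in falco_rules.local.yaml) into a Falco config directory, then checks the result before reloading, so file_output landing in a rules file instead of falco.yaml is reported rather than silently ignored. It assumes the directory named by FALCO_DIR holds falco.yaml and falco_rules.local.yaml (/etc/falco on the controlplane node) and that Falco runs as a host service; the ALERT_LOG default is the path from the question. Nothing runs unless FALCO_DIR is set, so the functions can be exercised against a scratch directory first.

```shell
#!/bin/sh
# Added example (not KodeKloud's answer key, not a Falco tool): applies the
# Q6 edits into $FALCO_DIR and verifies them before reloading Falco.
# Assumptions: FALCO_DIR contains falco.yaml and falco_rules.local.yaml
# (/etc/falco on the controlplane); Falco runs as a host service.
ALERT_LOG="${ALERT_LOG:-/opt/security_incidents/alerts.log}"

# Replace (or add) the file_output block in falco.yaml. The stock falco.yaml
# already ships a file_output block with enabled: false, so a plain append
# would leave two copies of the key; drop the old block first with awk.
enable_file_output() {
  cfg="$1/falco.yaml"; log="$2"
  [ -f "$cfg" ] || : > "$cfg"
  awk '/^file_output:/ { skip = 1; next }
       skip && /^[^ \t]/ { skip = 0 }
       !skip { print }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  cat >> "$cfg" <<EOF
file_output:
  enabled: true
  keep_alive: false
  filename: $log
EOF
}

# Override the rule by name in falco_rules.local.yaml. Falco loads this file
# after falco_rules.yaml, so a rule with the same name replaces the default
# one and the default rules file stays untouched, as the question requires.
write_local_rule() {
  cat > "$1/falco_rules.local.yaml" <<'EOF'
- rule: Write below binary dir
  desc: an attempt to write to any file below a set of binary directories
  condition: >
    bin_dir and evt.dir = < and open_write
    and not package_mgmt_procs
    and not exe_running_docker_save
    and not python_running_get_pip
    and not python_running_ms_oms
    and not user_known_write_below_binary_dir_activities
  output: >
    File below a known binary directory opened for writing (user_id=%user.uid file_updated=%fd.name command=%proc.cmdline)
  priority: CRITICAL
  tags: [filesystem, mitre_persistence]
EOF
}

# Verify the edits; prints the first problem found and returns non-zero.
check_config() {
  dir="$1"; log="$2"
  [ -d "$(dirname "$log")" ] \
    || { echo "missing log directory: mkdir -p $(dirname "$log")"; return 1; }
  if grep -q '^file_output:' "$dir/falco_rules.yaml" 2>/dev/null; then
    echo "file_output is in falco_rules.yaml; it belongs in falco.yaml"; return 1
  fi
  block=$(awk '/^file_output:/ { b = 1; next } b && /^[^ \t]/ { b = 0 } b' \
              "$dir/falco.yaml" 2>/dev/null)
  printf '%s\n' "$block" | grep -q '^  enabled: true' \
    || { echo "file_output is not enabled in falco.yaml"; return 1; }
  printf '%s\n' "$block" | grep -qxF "  filename: $log" \
    || { echo "file_output filename is not $log"; return 1; }
  rules="$dir/falco_rules.local.yaml"
  grep -qxF -- '- rule: Write below binary dir' "$rules" 2>/dev/null \
    || { echo "override rule missing from $rules"; return 1; }
  grep -qxF '  priority: CRITICAL' "$rules" \
    || { echo "override priority is not CRITICAL"; return 1; }
  for f in 'user_id=%user.uid' 'file_updated=%fd.name' 'command=%proc.cmdline'; do
    grep -qF "$f" "$rules" || { echo "output line lacks $f"; return 1; }
  done
  return 0
}

# Reload: SIGHUP makes Falco re-read falco.yaml and the rules (the thread's
# kill -1); restarting the systemd unit does the same where Falco is a service.
reload_falco() {
  if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet falco; then
    systemctl restart falco
  else
    pkill -HUP -x falco || echo "falco is not running; start it to load the config"
  fi
}

if [ -n "${FALCO_DIR:-}" ]; then
  mkdir -p "$(dirname "$ALERT_LOG")"
  enable_file_output "$FALCO_DIR" "$ALERT_LOG"
  write_local_rule "$FALCO_DIR"
  check_config "$FALCO_DIR" "$ALERT_LOG" && reload_falco
fi
```

Run it as `FALCO_DIR=/etc/falco sh falco_q6.sh` on the controlplane node; without FALCO_DIR it only defines the functions. The check deliberately looks for `file_output:` in falco_rules.yaml, since that file is where the channel was first added in this thread, and Falco's rules loader does not read daemon settings from a rules file.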

Hi @vinaydeep410

I just verified it, and it works as expected.

Hi Santosh,

Did you follow the answer that was given by KodeKloud? I could get Falco running as expected, but the log file is not getting created. I made the change in falco_rules.yaml to enable the file output, as per Falco. Below are the lines I appended at the beginning.

file_output:
  enabled: true
  keep_alive: false
  filename: /opt/security_incidents/alerts.log

@Santosh_KodeKloud Here are the steps I followed as per the documentation:
Step 1: ran the following command to create the directory as per the question
mkdir -p /opt/security_incidents
Step 2: enabled the file output channel as per Falco at /etc/falco/falco_rules.yaml
Step 3: updated falco_rules.local.yaml
Step 4: when running stat after systemctl restart falco, I am not getting the log file created.

Could you please let me know what I am missing?

@Santosh_KodeKloud you can close the request. I was in the wrong location to enable output channels. This needs to be enabled at /etc/falco/falco.yaml. Appreciate your help.