Falco, the cloud-native runtime security tool, can be configured to detect violations of CIS (Center for Internet Security) Benchmarks. This means you can use Falco to actively monitor your Kubernetes cluster and other containerized environments for misconfigurations that deviate from security best practices recommended by CIS.
Let’s see this in action. Imagine you have a Kubernetes pod that’s running with elevated privileges, a common CIS benchmark violation. Here’s how you might detect it with Falco:
- rule: Run container as root user
desc: "Ensure that the container is not running as root user. Running as root is a security risk."
condition: container.privileged=true
output: "Container is running as root user (user=%container.user, image=%container.image, name=%container.name)"
priority: HIGH
tags:
- cis
- kubernetes
- privilege
This rule would trigger an alert if any container within your cluster is detected as running with privileged: true. The output would include details like the container user, image, and name, giving you immediate context for the violation.
The fundamental problem CIS Benchmarks aim to solve is the inherent insecurity of default configurations in cloud-native environments. Many systems, out of the box, are not hardened against common attack vectors. CIS Benchmarks provide a standardized, actionable checklist to mitigate these risks. Falco, by translating these benchmarks into runtime rules, allows you to enforce security policies not just at build time or configuration management time, but continuously during runtime.
Internally, Falco works by tapping into kernel system calls (via a kernel module or eBPF) and Kubernetes audit logs. For CIS benchmarks, it primarily leverages the system call data to detect anomalous or insecure behaviors. For example, a CIS benchmark might dictate that certain sensitive files should not be accessible by unprivileged users. Falco can monitor open system calls to these files and alert if a process attempts to access them in a way that violates the policy. The container.privileged=true condition in the example rule directly inspects container metadata exposed by the Kubernetes API, which Falco also ingests.
The levers you control with Falco for CIS compliance are the rules themselves. You can:
- Select specific CIS benchmarks: Focus on benchmarks relevant to your environment (e.g., Kubernetes, Docker, Node.js).
- Translate benchmark requirements into Falco conditions: This is the core of the process. For example, a benchmark stating "Ensure that the /etc/passwd file is not world-writable" can be translated into a Falco rule monitoring
chmodorfchmodatsystem calls on/etc/passwdwith write permissions set for 'other' users. - Adjust rule severity (priority): Prioritize critical violations over less impactful ones.
- Define custom outputs: Tailor alert messages to include specific context needed for your incident response.
- Integrate with alerting systems: Send detected violations to Slack, PagerDuty, or your SIEM for immediate action.
A common misconception is that Falco only uses kernel syscalls. While that’s its primary strength for detecting behavioral anomalies, it also integrates deeply with Kubernetes. It can ingest Kubernetes audit logs and API server events, allowing it to enforce declarative security policies based on the state of Kubernetes objects themselves, which is crucial for many CIS benchmark checks that focus on configuration rather than runtime behavior.
The next step after detecting CIS violations with Falco is to automate remediation.