Falco, a runtime security tool, can be configured to enforce Payment Card Industry Data Security Standard (PCI-DSS) compliance within containerized environments by detecting and alerting on suspicious activities that violate specific compliance controls.
Let’s see this in action. Imagine a containerized application that handles credit card data. A critical PCI-DSS requirement is to prevent unauthorized access to sensitive data. A common violation would be a shell process spawning within the container, potentially indicating an attacker trying to explore the filesystem or exfiltrate data.
Here’s a Falco rule designed to catch this:
- rule: PCI-DSS 2.4 - Prevent Shell Spawning in Production Containers
desc: "Detects if a shell process (bash, sh, zsh, etc.) is spawned inside a container, which is a violation of PCI-DSS requirement 2.4 (protecting cardholder data from unauthorized access)."
condition: container and proc.name in (bash, sh, zsh, ksh, tcsh, csh) and not proc.name = "docker-init" and not proc.name = "containerd-shim"
output: "Shell process '%(proc.name)s' spawned in container '%(container.name)' (ID: %(container.id)) on host '%(ாளர்.name)'. User: %(user.name) (UID: %(user.uid))."
priority: critical
tags:
- pci_dss
- compliance
- container
- execution
When this rule triggers, it means a shell process has started within a container. The condition checks for processes named bash, sh, zsh, etc., specifically within a containerized context (container). We exclude common container runtime processes like docker-init and containerd-shim to avoid false positives. The output provides crucial context: the shell name, the container name and ID, the host it’s running on, and the user who initiated the process.
Now, let’s consider another PCI-DSS requirement: isolating systems and protecting cardholder data. A violation could be a container trying to access sensitive files outside its intended scope, or even attempting to mount host directories.
Here’s a Falco rule for that:
- rule: PCI-DSS 2.2 - Prevent Unauthorized Host File Access via Mounts
desc: "Detects if a container attempts to mount sensitive host directories, violating PCI-DSS requirement 2.2 (protecting system configurations and cardholder data from unauthorized access)."
condition: container and syscall.type = "mount" and evt.arg.targetpath in ("/etc", "/var/log", "/home", "/root", "/opt") and evt.arg.sourcepath startswith "/"
output: "Container '%(container.name)' (ID: %(container.id)) attempted to mount host path '%(evt.arg.sourcepath)' to '%(evt.arg.targetpath)'. User: %(user.name) (UID: %(user.uid))."
priority: critical
tags:
- pci_dss
- compliance
- container
- access
- security
This rule monitors the mount syscall. If a container attempts to mount a directory like /etc, /var/log, or /home from the host into its own filesystem, this rule fires. The evt.arg.targetpath lists the common sensitive host directories we want to protect, and evt.arg.sourcepath startswith "/" ensures we’re looking at host-based mounts.
Beyond just preventing direct access, PCI-DSS also mandates logging and monitoring of all access to cardholder data. Falco can help by logging file access events within containers for critical directories.
Consider this rule:
- rule: PCI-DSS 10.2.1 - Log All Access to Sensitive Data Directories
desc: "Logs all file access within sensitive data directories inside containers, fulfilling PCI-DSS requirement 10.2.1 (logging all access to all files)."
condition: container and evt.type = "open" and (evt.arg.pathname contains "/data/cards" or evt.arg.pathname contains "/app/secrets")
output: "File '%(evt.arg.pathname)' accessed in container '%(container.name)' (ID: %(container.id)) by process '%(proc.name)' (PID: %(proc.pid)). User: %(user.name) (UID: %(user.uid))."
priority: informational
tags:
- pci_dss
- compliance
- logging
- audit
- file_access
This rule uses the open syscall to log any attempt to read or write files within directories like /data/cards or /app/secrets. While this rule is informational in priority, the logs it generates are crucial for auditing and incident response, satisfying the PCI-DSS logging requirement. The key here is that Falco captures these events at the syscall level, giving you visibility even if the application itself doesn’t log granular file access.
A common blind spot for container security, and a PCI-DSS concern, is the potential for containers to communicate with unauthorized external networks. This can be a vector for data exfiltration or command-and-control.
Here’s a rule for that:
- rule: PCI-DSS 1.2 - Prevent Outbound Network Connections to Unauthorized IPs
desc: "Detects outbound network connections from containers to IP addresses not on an approved allowlist, aligning with PCI-DSS requirement 1.2 (protecting cardholder data from unauthorized access)."
condition: container and evt.type = "connect" and fd.sport > 1023 and fd.sport < 65535 and fd.ip != "192.168.1.0/24" and fd.ip != "10.0.0.0/8" and fd.ip != "172.16.0.0/12" and fd.ip !~ "^10\." and fd.ip !~ "^192\.168\." and fd.ip !~ "^172\.(1[6-9]|2\d|3[0-1])\."
output: "Outbound connection attempt from container '%(container.name)' (ID: %(container.id)) to IP '%(fd.ip):%(fd.sport)'. Process: '%(proc.name)' (PID: %(proc.pid))."
priority: warning
tags:
- pci_dss
- compliance
- network
- egress
This rule monitors the connect syscall for outbound connections. It attempts to filter out common private IP ranges (though a robust solution would involve a dynamic allowlist). The core idea is to flag any connection to an IP address outside of your known, trusted network segments. The fd.sport > 1023 and fd.sport < 65535 helps focus on application-level connections rather than system-level ones, and the IP address checks are designed to catch connections to public IPs or potentially malicious internal IPs.
Finally, PCI-DSS requirement 6.4.3 emphasizes keeping systems patched and secure. In a containerized world, this translates to ensuring images are free of known vulnerabilities. While Falco isn’t a vulnerability scanner, it can detect the runtime manifestation of a vulnerability being exploited. For example, if a vulnerability allows arbitrary command execution, you might see unexpected processes or network activity.
Consider a rule that flags any unexpected network listener:
- rule: PCI-DSS 6.4.3 - Detect Unexpected Network Listeners
desc: "Detects unexpected network listeners being opened by processes within containers, potentially indicating exploitation of vulnerabilities (PCI-DSS 6.4.3)."
condition: container and evt.type = "bind" and fd.sport > 1023 and fd.sport < 65535 and proc.name != "nginx" and proc.name != "apache2" and proc.name != "node"
output: "Unexpected network listener on port %(fd.sport) by process '%(proc.name)' (PID: %(proc.pid)) in container '%(container.name)' (ID: %(container.id))."
priority: warning
tags:
- pci_dss
- compliance
- vulnerability
- network
- exploit
This rule monitors the bind syscall, looking for processes opening network ports. We exclude common web server processes (nginx, apache2, node) that are expected to listen on ports. If a process that shouldn’t be opening a port suddenly does, it’s a strong indicator of a potential compromise or vulnerability exploitation. This gives you a runtime signal that your images might not be as secure as you thought.
The next challenge you’ll face is integrating these Falco alerts into your existing security incident response (SIR) workflow, ensuring timely investigation and remediation.