{"id":3949,"date":"2021-05-18T00:59:33","date_gmt":"2021-05-17T15:59:33","guid":{"rendered":"https:\/\/tech.akat.info\/?p=3949"},"modified":"2021-05-18T00:59:33","modified_gmt":"2021-05-17T15:59:33","slug":"falco%e3%81%ab%e3%81%a6%e3%82%b3%e3%83%b3%e3%83%86%e3%83%8a%e6%93%8d%e4%bd%9c%e6%99%82%e3%81%ae%e3%83%ad%e3%82%b0%e3%82%92%e7%a2%ba%e8%aa%8d%e3%81%97%e3%81%a6%e3%81%bf%e3%81%9f","status":"publish","type":"post","link":"https:\/\/tech.akat.info\/?p=3949","title":{"rendered":"Falco\u306b\u3066\u30b3\u30f3\u30c6\u30ca\u64cd\u4f5c\u6642\u306e\u30ed\u30b0\u3092\u78ba\u8a8d\u3057\u3066\u307f\u305f"},"content":{"rendered":"

Falco\u3068\u306f<\/h2>\n

\u30ab\u30fc\u30cd\u30eb\u304b\u3089\u306eLinux\u30b7\u30b9\u30c6\u30e0\u30b3\u30fc\u30eb\u3092\u89e3\u6790\u3057\u3066\u30eb\u30fc\u30eb\u306b\u5fdc\u3058\u3066\u5bfe\u51e6\u3059\u308b\u30aa\u30fc\u30d7\u30f3\u30bd\u30fc\u30b9\u30e9\u30f3\u30bf\u30a4\u30e0\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u3002<\/p>\n

Ubuntu\u3078\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/h2>\n

\u516c\u5f0f\u30b5\u30a4\u30c8\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u65b9\u6cd5<\/a>\u3092\u53c2\u8003\u306b\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u305f\u3002<\/p>\n

\r\n# cat \/etc\/lsb-release\r\nDISTRIB_ID=Ubuntu\r\nDISTRIB_RELEASE=18.04\r\nDISTRIB_CODENAME=bionic\r\nDISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS"\r\n\r\n# curl -s https:\/\/falco.org\/repo\/falcosecurity-3672BA8F.asc | apt-key add -\r\n# echo "deb https:\/\/download.falco.org\/packages\/deb stable main" | tee -a \/etc\/apt\/sources.list.d\/falcosecurity.list\r\n# apt update\r\n# apt install linux-headers-$(uname -r)\r\n# apt install falco\r\n<\/pre>\n
Falco\u306e\u30ed\u30b0\u3092\u78ba\u8a8d\u3057\u3066\u307f\u305f<\/h2>\n
\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30c4\u30fc\u30eb\u3092\u5229\u7528\u3057\u305f\u5834\u5408<\/h3>\n
\r\n# docker run -it alpine\r\n\/ # apk add tcpdump\r\n\/ # tcpdump host localhost\r\n<\/pre>\n
Falco\u306e\u30ed\u30b0\u306b\u306f\u30b3\u30f3\u30c6\u30ca\u306e\u30bf\u30fc\u30df\u30ca\u30eb\u306b\u63a5\u7d9a\u3057\u305f\u3053\u3068\u3001tcpdump\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u3001\u5b9f\u884c\u3057\u305f\u3053\u3068\u304c\u8a18\u9332\u3055\u308c\u305f\u3002<\/p>\n
\r\n# falco start\r\n...\r\n00:07:48.911449265: Notice A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1 beautiful_panini (id=a13774ad0cbb) shell=sh parent=<NA> cmdline=sh terminal=34816 container_id=a13774ad0cbb image=alpine)\r\n00:08:01.054658576: Error Package management process launched in container (user=root user_loginuid=-1 command=apk add tcpdump container_id=a13774ad0cbb container_name=beautiful_panini image=alpine:latest)\r\n00:08:09.145225056: Notice Network tool launched in container (user=root user_loginuid=-1 command=tcpdump localhost parent_process=sh container_id=a13774ad0cbb container_name=beautiful_panini image=alpine:latest)\r\n00:08:09.147323169: Notice Packet socket was created in a container (user=root user_loginuid=-1 command=tcpdump localhost socket_info=domain=17(AF_PACKET) type=3 proto=0  container_id=a13774ad0cbb container_name=beautiful_panini image=alpine:latest)\r\n<\/pre>\n
\u7279\u6a29\u30b3\u30f3\u30c6\u30ca\u3092\u8d77\u52d5\u3057\u305f\u5834\u5408<\/h3>\n
\r\n# docker run -it --privileged alpine\r\n<\/pre>\n
Falco\u306e\u30ed\u30b0\u306b\u306f\u7279\u6a29\u30b3\u30f3\u30c6\u30ca\u304c\u8d77\u52d5\u3057\u305f\u3053\u3068\u304c\u8a18\u9332\u3055\u308c\u305f\u3002<\/p>\n
\r\n# falco start\r\n...\r\n00:30:08.197789568: Notice Privileged container started (user=root user_loginuid=0 command=container:1e5428f57d5f quirky_hopper (id=1e5428f57d5f) image=alpine:latest)\r\n<\/pre>\n
\u88dc\u8db3<\/h2>\n
\u30eb\u30fc\u30eb(\/etc\/falco\u914d\u4e0b)\u3092\u5909\u66f4\u3059\u308b\u3053\u3068\u3067\u3001\u6539\u3056\u3093\u691c\u77e5\u306a\u3069\u306b\u3082\u5229\u7528\u3067\u304d\u308b\u3002
\n\u307e\u305fDocker\u3067\u306e\u5b9f\u884c<\/a>\u3082\u53ef\u80fd\u3068\u306a\u3063\u3066\u3044\u308b\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
Falco\u3068\u306f \u30ab\u30fc\u30cd\u30eb\u304b\u3089\u306eLinux\u30b7\u30b9\u30c6\u30e0\u30b3\u30fc\u30eb\u3092\u89e3\u6790\u3057\u3066\u30eb\u30fc\u30eb\u306b\u5fdc\u3058\u3066\u5bfe\u51e6\u3059\u308b\u30aa\u30fc\u30d7\u30f3\u30bd\u30fc\u30b9\u30e9\u30f3\u30bf\u30a4\u30e0\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u3002 Ubuntu\u3078\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb \u516c\u5f0f\u30b5\u30a4\u30c8\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u65b9\u6cd5\u3092\u53c2\u8003\u306b\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u305f […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[72],"tags":[],"_links":{"self":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3949"}],"collection":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3949"}],"version-history":[{"count":1,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3949\/revisions"}],"predecessor-version":[{"id":3950,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3949\/revisions\/3950"}],"wp:attachment":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3949"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3949"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3949"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}