Falco is a cloud-native security tool that leverages custom rules to produce real-time alerting. Falco is designed for Linux systems and utilizes kernel events along with metadata from Kubernetes and containers to improve overall visibility.
This lab focuses on Falco rules. Falco is highlighted as a reference tool in the Certified Kubernetes Security Specialist (CKS) exam. In this lab, you will learn how to configure a custom rule and how its alerts are output.
Learning objectives
Upon completion of this lab, you will be able to:
- Activate the Falco service
- Customize the alerting output of a rule
- Execute commands to verify the rule is working correctly
Intended audience
- Candidates for the Certified Kubernetes Security Specialist (CKS) exam
- DevOps Engineers
- Security Practitioners
Prerequisites
Familiarity with the following will be beneficial but is not required:
- Kubernetes Pods
- kubectl
- output formatting
Daniel is a Cloud Engineer with experience as an AWS Engineer and Operations Specialist. He holds the AWS DevOps Engineer Professional, AWS Developer Associate, AWS SysOps Administrator Associate, Certified Kubernetes Administrator, Microsoft Certified: Azure Administrator Associate, and HashiCorp Certified: Terraform Associate certifications. Daniel is focused on lab operations and enjoys continuously building his knowledge.