Kali Purple Falcosidekick-ui 1

Mar 14th, 2024
# There could be a container runtime security module: for people running containers locally / on-prem, something like this could come preinstalled on Kali Purple. I currently run it by hand on a fresh Kali Purple install, with the steps below:
  2.  
  3.  
  4. #1 Kali Purple System Update, Docker Install
  5. sudo apt update -y && sudo apt upgrade -y
  6.  
  7. sudo apt install docker.io -y
  8.  
  9. sudo usermod -aG docker $USER && newgrp docker
  10.  
  11.  
  12. #2 Install Kubectl, Minikube
  13. curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl
  14.  
  15. chmod +x ./kubectl
  16.  
  17. sudo mv ./kubectl /usr/local/bin/kubectl
  18.  
  19. curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64
  20.  
  21. sudo install minikube-linux-amd64 /usr/local/bin/minikube
  22.  
  23. minikube start --memory=6G #[kali purple vm: vcpu 2, memory 8G+]
  24.  
  25. kubectl get pods -A
  26.  
  27.  
  28. #3 Install Helm https://helm.sh/docs/intro/install/#from-script
  29. curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
  30.  
  31. chmod 700 get_helm.sh
  32.  
  33. ./get_helm.sh
  34.  
  35.  
  36. #4 Install Falco, Falcosidekick, Falcosidekick-ui https://github.com/falcosecurity/falco/issues/2540#issuecomment-1731863875
  37. helm repo add falcosecurity https://falcosecurity.github.io/charts
  38.  
  39. helm repo update
  40.  
  41. kubectl create ns falco
  42.  
  43. helm install falco falcosecurity/falco \
  44. --namespace falco \
  45. --set driver.kind=modern-bpf
  46.  
  47. kubectl get all -n falco #pods and a daemonset should be running, watch 2/2 pods come up: kubectl get pods -n falco -w, then Ctrl+C
  48.  
  49. helm upgrade falco -n falco --set tty=true falcosecurity/falco \
  50. --set falcosidekick.enabled=true \
  51. --set falcosidekick.webui.enabled=true \
  52. --set driver.kind=modern-bpf
  53.  
  54. kubectl get all -n falco #pods, services, daemonset, deployments, replicasets, and a statefulset should be running, watch pods come up: kubectl get pods -n falco -w, then Ctrl+C
  55.  
  56. kubectl port-forward svc/falco-falcosidekick-ui \
  57. -n falco 2802:2802 &> /dev/null &
  58.  
  59. http://127.0.0.1:2802 , default creds admin/admin #access Falcosidekick-ui
  60.  
  61.  
  62. ######### + Bonus TEST
  63. #To see more events in Falcosidekick-ui Events tab, Test with Atomic Red Team tests https://falco.org/blog/falco-atomic-red/
  64. kubectl create ns atomic-red
  65.  
  66. kubectl apply -f - <<EOF
  67. apiVersion: apps/v1
  68. kind: Deployment
  69. metadata:
  70. name: atomicred
  71. namespace: atomic-red
  72. labels:
  73. app: atomicred
  74. spec:
  75. replicas: 1
  76. selector:
  77. matchLabels:
  78. app: atomicred
  79. template:
  80. metadata:
  81. labels:
  82. app: atomicred
  83. spec:
  84. containers:
  85. - name: atomicred
  86. image: issif/atomic-red:latest
  87. imagePullPolicy: "IfNotPresent"
  88. command: ["sleep", "3560d"]
  89. securityContext:
  90. privileged: true
  91. nodeSelector:
  92. kubernetes.io/os: linux
  93. EOF
  94.  
  95. kubectl get pods -n atomic-red -w #watch until the pod comes up, then Ctrl+C
  96.  
  97. kubectl exec -it -n atomic-red deploy/atomicred -- bash
  98.  
  99. pwsh
  100.  
  101. Import-Module "~/AtomicRedTeam/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1" -Force
  102.  
  103. Invoke-AtomicTest T1070.004 -ShowDetails
  104.  
  105. Invoke-AtomicTest T1070.004 -GetPreReqs
  106.  
  107. Invoke-AtomicTest T1070.004
  108.  
  109. Invoke-AtomicTest T1556.003
  110.  
  111. Invoke-AtomicTest T1036.005
  112.  
  113. Invoke-AtomicTest T1070.002
  114.  
  115. Invoke-AtomicTest T1070.003
  116.  
  117. Invoke-AtomicTest T1014
  118. #End of TEST, Falcosidekick-ui Events tab now filled
  119.  