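#!/usr/bin/env bash
# Runbook: a container runtime security lab on a local minikube cluster —
# Falco + Falcosidekick + Falcosidekick-ui, then Atomic Red Team tests to
# generate events. Verified manually, step by step, on a fresh Kali Purple VM
# (2 vCPU, 8G+ memory). There could be a CONTAINER RUNTIME SECURITY MODULE -
# for individuals running containers locally on-prem, something like this
# could come preinstalled.
#
# This is NOT a hands-off script: `newgrp`, `kubectl exec` and `pwsh` each
# open an interactive shell, so paste the sections in order by hand.

#1 Kali Purple system update, Docker install
sudo apt update -y && sudo apt upgrade -y
sudo apt install docker.io -y
# Membership of the docker group is effectively root on the host; only grant
# it on a throwaway lab VM. newgrp opens a new shell with the group active —
# continue from inside it.
sudo usermod -aG docker "$USER" && newgrp docker

#2 Install kubectl, minikube
# Both binaries are downloaded over TLS but not checksum-verified here;
# compare against the projects' published checksums before installing.
kubectl_version=$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)
curl -LO "https://storage.googleapis.com/kubernetes-release/release/${kubectl_version}/bin/linux/amd64/kubectl"
chmod +x ./kubectl
sudo mv ./kubectl /usr/local/bin/kubectl
curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64
sudo install minikube-linux-amd64 /usr/local/bin/minikube
minikube start --memory=6G   # [kali purple vm: vcpu 2, memory 8G+]
kubectl get pods -A

#3 Install Helm https://helm.sh/docs/intro/install/#from-script
# The installer is fetched from the main branch and executed as-is; read it
# (or pin a release) before running it.
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

#4 Install Falco, Falcosidekick, Falcosidekick-ui
# https://github.com/falcosecurity/falco/issues/2540#issuecomment-1731863875
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
kubectl create ns falco
helm install falco falcosecurity/falco \
  --namespace falco \
  --set driver.kind=modern-bpf
# pods and a daemonset should be running; watch the 2/2 pods come up with
# `kubectl get pods -n falco -w`, then Ctrl+C
kubectl get all -n falco
helm upgrade falco -n falco --set tty=true falcosecurity/falco \
  --set falcosidekick.enabled=true \
  --set falcosidekick.webui.enabled=true \
  --set driver.kind=modern-bpf
# pods, services, daemonset, deployments, replicasets and a statefulset should
# be running; watch with `kubectl get pods -n falco -w`, then Ctrl+C
kubectl get all -n falco
# port-forward listens on loopback only, so the UI is not reachable from
# outside this VM
kubectl port-forward svc/falco-falcosidekick-ui \
  -n falco 2802:2802 &> /dev/null &
# access Falcosidekick-ui at http://127.0.0.1:2802 ; default creds admin/admin
# — change them before anything other than this throwaway lab uses the UI

######### + Bonus TEST
# To see more events in the Falcosidekick-ui Events tab, test with Atomic Red
# Team tests https://falco.org/blog/falco-atomic-red/
kubectl create ns atomic-red
# privileged: true gives the pod full host capabilities on the minikube node;
# that is what lets the tests run, and also why this must stay inside the
# disposable lab cluster. The image is an unpinned :latest tag pulled
# IfNotPresent, so what actually runs is whatever was last pulled.
kubectl apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: atomicred
  namespace: atomic-red
  labels:
    app: atomicred
spec:
  replicas: 1
  selector:
    matchLabels:
      app: atomicred
  template:
    metadata:
      labels:
        app: atomicred
    spec:
      containers:
      - name: atomicred
        image: issif/atomic-red:latest
        imagePullPolicy: "IfNotPresent"
        command: ["sleep", "3560d"]
        securityContext:
          privileged: true
      nodeSelector:
        kubernetes.io/os: linux
EOF
kubectl get pods -n atomic-red -w   # watch until the pod comes up, then Ctrl+C
# The remaining commands run inside the pod: first the container's bash, then
# PowerShell.
kubectl exec -it -n atomic-red deploy/atomicred -- bash
pwsh
Import-Module "~/AtomicRedTeam/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1" -Force
Invoke-AtomicTest T1070.004 -ShowDetails
Invoke-AtomicTest T1070.004 -GetPreReqs
Invoke-AtomicTest T1070.004
Invoke-AtomicTest T1556.003
Invoke-AtomicTest T1036.005
Invoke-AtomicTest T1070.002
Invoke-AtomicTest T1070.003
Invoke-AtomicTest T1014
# End of TEST, Falcosidekick-ui Events tab now filled.
# Cleanup when done: `kubectl delete ns atomic-red` removes the privileged
# test pod.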