Cloud native security with Wazuh and Falco


Cloud native security involves the practices and tools used to protect applications and infrastructures built in cloud-native technologies like microservices, containers, and orchestrators. Continuous monitoring and real-time threat detection are required to identify and mitigate unauthorized activities within cloud-native environments. By observing system behavior at runtime, security tools can detect security violations and respond to potential risks.

Falco is an open source runtime security tool based on eBPF (Extended Berkeley Packet Filter), designed to detect abnormal behaviors in containerized environments. Falco monitors system calls to detect unauthorized access, privilege escalation, and unexpected process executions through a rule-based engine. It generates alerts that can be forwarded for further analysis or automated response.

The Wazuh SIEM and XDR provides a centralized security platform for threat detection, incident response, and compliance monitoring. When integrated with Falco, Wazuh centralizes log analysis and enhances visibility across cloud-native environments.

Infrastructure

To demonstrate cloud native security with Wazuh and Falco, we use the following endpoints and software:

  • A pre-built, ready-to-use Wazuh OVA 4.11.1. Follow this guide to download the virtual machine.
  • An Ubuntu 24.04 endpoint with:
    • The Wazuh agent 4.11.1 installed and enrolled to the Wazuh server.
    • A self-managed Kubernetes cluster K3s.
    • Falco installed with Modern eBPF.

Configuration

This section provides the steps involved in configuring the components of the infrastructure for a seamless integration:

Ubuntu endpoint

Perform the steps below to configure Falco and the Wazuh agent.

1. Create a file named falco_custom.yaml in the /etc/falco/config.d/ directory and insert the following custom configurations. These configurations will override the settings in the default /etc/falco/falco.yaml configuration file:

#Enable logs in json format
json_output: true

#Adds extra information to the logs. This will serve as a base to trigger alerts on Wazuh
append_output:
  - extra_fields:
      - wazuh_integration: "falco"

#Save the logs to /var/log/falco_events.json file
file_output:
  enabled: true
  keep_alive: false
  filename: /var/log/falco_events.json

The parameters used in the configuration file are as follows:

  • json_output: If set to true, this enables JSON format for Falco output.
  • append_output:
    • extra_fields: This option specifies custom fields to include in the alert’s output, without affecting the primary alert message.
  • file_output:
    • enabled: Enables file output for Falco events when set to true.
    • keep_alive: When set to false, Falco reopens the file for each alert. When true, the file stays open, appending alerts continuously.
    • filename: This specifies the file where Falco will write the alerts.

2. Restart the Falco service to apply the configuration changes:

# systemctl restart falco

3. Append the following configuration to the Wazuh agent /var/ossec/etc/ossec.conf file to forward Falco events saved in /var/log/falco_events.json to the Wazuh server:

<ossec_config>
  <localfile>
    <location>/var/log/falco_events.json</location>
    <log_format>json</log_format>
  </localfile>
</ossec_config>

4. Restart the Wazuh agent service to apply the configuration changes:

# systemctl restart wazuh-agent

Wazuh server

Perform these steps on the Wazuh server to configure the alerting rules:

1. Create a file called falco_rules.xml in the /var/ossec/etc/rules/ directory and insert the following custom rules:

<group name="falco,">
  <rule id="100600" level="0">
    <decoded_as>json</decoded_as>
    <field name="output_fields.wazuh_integration">falco</field>
    <description>Falco: run-time security logs.</description>
    <options>no_full_log</options>
  </rule>

  <rule id="100601" level="4">
    <if_sid>100600</if_sid>
    <field name="priority">Info</field>
    <description>"Falco Alert - " $(output)</description>
    <options>no_full_log</options>
  </rule>

  <rule id="100602" level="6">
    <if_sid>100600</if_sid>
    <field name="priority">Notice</field>
    <description>"Falco Alert - " $(output)</description>
    <options>no_full_log</options>
  </rule>

  <rule id="100603" level="8">
    <if_sid>100600</if_sid>
    <field name="priority">Warning</field>
    <description>"Falco Alert - " $(output)</description>
    <options>no_full_log</options>
  </rule>

  <rule id="100604" level="10">
    <if_sid>100600</if_sid>
    <field name="priority">Error</field>
    <description>"Falco Alert - " $(output)</description>
    <options>no_full_log</options>
  </rule>

  <rule id="100605" level="12">
    <if_sid>100600</if_sid>
    <field name="priority">Critical</field>
    <description>"Falco Alert - " $(output)</description>
    <options>no_full_log</options>
  </rule>

  <rule id="100606" level="14">
    <if_sid>100600</if_sid>
    <field name="priority">Alert</field>
    <description>"Falco Alert - " $(output)</description>
    <options>no_full_log</options>
  </rule>

  <rule id="100607" level="16">
    <if_sid>100600</if_sid>
    <field name="priority">Emergency</field>
    <description>"Falco Alert - " $(output)</description>
    <options>no_full_log</options>
  </rule>
</group>

Where:

  • 100600: Serves as the base rule, triggered when an event with the output_fields.wazuh_integration value set to falco is received.
  • 100601: Triggered when a Falco rule with priority Info fires.
  • 100602: Triggered when a Falco rule with priority Notice fires.
  • 100603: Triggered when a Falco rule with priority Warning fires.
  • 100604: Triggered when a Falco rule with priority Error fires.
  • 100605: Triggered when a Falco rule with priority Critical fires.
  • 100606: Triggered when a Falco rule with priority Alert fires.
  • 100607: Triggered when a Falco rule with priority Emergency fires.
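As an added illustration (not part of the original post, nor Wazuh's or Falco's own code), the Python below replays how this ruleset evaluates lines from /var/log/falco_events.json: the base rule gates on output_fields.wazuh_integration, and the Falco priority selects the child rule and its alert level. The sample events are constructed; the Falco rule names and outputs in them are placeholders.

```python
import json

# Falco priority -> (Wazuh rule id, alert level), mirroring the child rules
# 100601-100607 of the falco_rules.xml ruleset shown above.
PRIORITY_RULES = {
    "Info": (100601, 4), "Notice": (100602, 6), "Warning": (100603, 8),
    "Error": (100604, 10), "Critical": (100605, 12), "Alert": (100606, 14),
    "Emergency": (100607, 16),
}
BASE_RULE = (100600, 0)  # parent rule: matches but, at level 0, raises no alert

def match_falco_event(line):
    """Return (rule_id, level, description) for one falco_events.json line,
    or None when the line would not reach the falco rule group at all."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None  # not JSON: Falco was not running with json_output: true
    if not isinstance(event, dict):
        return None
    # Rule 100600 requires the extra field added by append_output/extra_fields.
    if (event.get("output_fields") or {}).get("wazuh_integration") != "falco":
        return None
    rule_id, level = PRIORITY_RULES.get(event.get("priority"), BASE_RULE)
    if rule_id == BASE_RULE[0]:
        # Unknown priority (e.g. Debug): only the silent parent rule matches.
        return rule_id, level, "Falco: run-time security logs."
    # Child rules build their description from "Falco Alert - " $(output).
    return rule_id, level, "Falco Alert - " + event.get("output", "")

def triage(lines):
    """Return only the alerting matches (level > 0) for a batch of log lines."""
    matches = (match_falco_event(line) for line in lines)
    return [m for m in matches if m is not None and m[1] > 0]

# Constructed sample events (not real Falco output), shaped like Falco's
# output with json_output: true and the extra_fields configured above.
SAMPLE_LINES = [
    json.dumps({"priority": "Warning", "rule": "Read sensitive file untrusted",
                "output": "Sensitive file opened for reading (file=/etc/shadow container=busybox)",
                "output_fields": {"wazuh_integration": "falco", "fd.name": "/etc/shadow"}}),
    json.dumps({"priority": "Notice", "output": "A shell was spawned in a container",
                "output_fields": {"wazuh_integration": "falco"}}),
    # Written before falco_custom.yaml was applied: no wazuh_integration field.
    json.dumps({"priority": "Warning", "output": "old event", "output_fields": {}}),
    json.dumps({"priority": "Debug", "output": "noise",
                "output_fields": {"wazuh_integration": "falco"}}),
    "Falco initialized (plain-text line written with json_output: false)",
]
```

Running triage(SAMPLE_LINES) yields only the Warning and Notice events, mapped to rules 100603 and 100602; the event without the extra field, the Debug event and the plain-text line never produce an alert, which is the behaviour to expect when the Falco side is misconfigured.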

2. Restart the Wazuh manager to apply the changes:

# systemctl restart wazuh-manager

Testing

Run the command below to install and run busybox, a sample application that will be monitored for security threats in the Kubernetes cluster:

# kubectl run busybox --image=busybox --restart=Never --command -- sleep infinity

Perform the following suspicious activities on the sample application to trigger Falco rules. Run these commands against your Kubernetes cluster:

1. Access a sensitive file:

# kubectl exec -it busybox -- cat /etc/shadow

2. Create a hardlink on a sensitive file:

# kubectl exec -it busybox -- ln /etc/shadow /tmp/shadow_hardlink

3. Create a symbolic link on a sensitive file:

# kubectl exec -it busybox -- ln -s /etc/shadow /tmp/shadow_simlink

4. Perform directory traversal:

# kubectl exec -it busybox -- cat ../../../../../../etc/passwd

5. Spawn a shell:

# kubectl exec -it busybox -- /bin/sh

6. Execute a binary not part of the base image:

# kubectl exec -it busybox -- sh -c 'wget https://dl.k8s.io/release/v1.32.0/bin/linux/amd64/kubectl -O kubectl && chmod +x kubectl && ./kubectl'

7. Run netcat:

# kubectl exec -it busybox -- timeout 2 nc -l -p 4444 -e /bin/sh

Visualize the alerts on the Wazuh dashboard

The alerts below are generated after running the suspicious commands on the Kubernetes cluster. Perform the following steps to visualize the alerts on the Wazuh dashboard:

1. Navigate to Threat intelligence > Threat Hunting.

2. Click + Add filter. Then filter by rule.groups.

3. In the Operator field, select is.

4. Type falco in the Value field.

5. Click Save to enable the filter.

Figure 1: Alerts generated.

6. Click Inspect document details on an alert to have a detailed view.

Figure 2: Alert detail.

Conclusion

Integrating Falco with Wazuh enables runtime monitoring, centralized log analysis, and incident response, providing detailed visibility into containerized environments. Falco detects kernel-level events, while Wazuh correlates the resulting logs and applies threat intelligence, enabling security event analysis and response.
