JosephYostos/Vulnerability-Management-remediation-with-Talon-
Vulnerability-Management-remediation-with-Talon-

Create EKS Cluster with Cilium CNI

Access the Falcosidekick UI

Option 1: port-forwarding

kubectl port-forward svc/falco-falcosidekick-ui -n falco 2802 --insecure-skip-tls-verify

Option 2: creating a NodePort service

apiVersion: v1
kind: Service
metadata:
  name: falco-falcosidekick-ui-nodeport
  namespace: falco
spec:
  type: NodePort
  selector:
    app.kubernetes.io/component: ui
    app.kubernetes.io/instance: falco
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: falcosidekick
    app.kubernetes.io/part-of: falcosidekick
    app.kubernetes.io/version: 2.28.0
    helm.sh/chart: falcosidekick-0.7.11
  ports:
    - protocol: TCP
      port: 2802
      targetPort: 2802
      nodePort: 31000

Then access the Falcosidekick UI via 'http://nodeip:2802/ui' (username/password: admin/admin).

Scan the Jenkins image using the Sysdig CLI scanner

docker image pull jenkins/jenkins:2.401.2
export SECURE_API_TOKEN="Enter_Your_Sysdig_Token"
sudo -E ./sysdig-cli-scanner --apiurl eu1.app.sysdig.com jenkins/jenkins:2.401.2

The scan results will show the curl vulnerability CVE-2023-38545.

Vulnerability details:

CVE-2023-38545 / Exploited / Critical / CVSS 9.8

Package: curl - 7.74.0-1.3+deb11u7 / OS

Description: cURL and libcURL contain an overflow condition in the do_SOCKS5() function in lib/socks.c that is triggered when handling an overly large hostname during a slow SOCKS5 proxy handshake. With a specially crafted web server, a context-dependent attacker can cause a heap-based buffer overflow, potentially allowing the execution of arbitrary code.

POC: https://github.com/d0rb/CVE-2023-38545

Is curl actually used in this image or not? Let's check.

Falco rule to monitor opened files inside each container

- rule: Monitor Opened Files in Containers
  desc: Detect when files are opened inside containers
  condition: evt.type in (open, openat, openat2) and container and container.image != "host" and k8s.ns.name = "default"
  output: >
    Opened file: %fd.name
    Process: %proc.name
    Process ID: %proc.pid
    Container ID: %container.id
    Container Name: %container.name
  priority: NOTICE
  tags:
    - file_open

Falco rule to detect libcurl

- rule: Monitor libcurl
  desc: Detect when files with 'libcurl' in their name are opened inside containers
  condition: evt.type in (open, openat, openat2) and container and container.image != "host" and k8s.ns.name = "default" and fd.name contains "libcurl"
  output: >
    Opened file: %fd.name
    Process: %proc.name
    Process ID: %proc.pid
    Container ID: %container.id
    Container Name: %container.name
  priority: NOTICE
  tags:
    - file_open
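To answer the "is curl used?" question from the alerts the libcurl rule above produces, here is an added example (not code from this repository) that groups Falco's JSON output (falco -o json_output=true) by container and lists which processes opened a libcurl file. The event lines are constructed samples with made-up container IDs and PIDs.

```python
import json
from collections import defaultdict

# Constructed sample of Falco JSON output as the two rules above would emit it;
# the container IDs, PIDs and names are invented for the example.
SAMPLE_EVENTS = """\
{"rule":"Monitor libcurl","priority":"Notice","output_fields":{"fd.name":"/usr/lib/x86_64-linux-gnu/libcurl.so.4","proc.name":"curl","proc.pid":4321,"container.id":"8a1f3c2d9e7b","container.name":"jenkins","k8s.ns.name":"default"}}
{"rule":"Monitor Opened Files in Containers","priority":"Notice","output_fields":{"fd.name":"/etc/passwd","proc.name":"java","proc.pid":1,"container.id":"8a1f3c2d9e7b","container.name":"jenkins","k8s.ns.name":"default"}}
{"rule":"Monitor libcurl","priority":"Notice","output_fields":{"fd.name":"/usr/lib/x86_64-linux-gnu/libcurl.so.4","proc.name":"git","proc.pid":4400,"container.id":"8a1f3c2d9e7b","container.name":"jenkins","k8s.ns.name":"default"}}
{"rule":"Monitor libcurl","priority":"Notice","output_fields":{"fd.name":"/usr/lib/x86_64-linux-gnu/libcurl.so.4","proc.name":"curl","proc.pid":77,"container.id":"c0ffee123456","container.name":"sidecar","k8s.ns.name":"default"}}
"""


def libcurl_usage(raw_lines: str, rule_name: str = "Monitor libcurl") -> dict:
    """Group alerts from the libcurl rule by container and return, per
    container, the sorted set of process names that opened a libcurl file.
    Blank, malformed or unrelated lines are skipped."""
    usage = defaultdict(set)
    for line in raw_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("rule") != rule_name:
            continue
        fields = event.get("output_fields", {})
        # The rule only guarantees "libcurl" appears in the path; re-check it
        # here so a renamed rule cannot smuggle unrelated opens into the report.
        if "libcurl" not in fields.get("fd.name", ""):
            continue
        usage[fields.get("container.name", "?")].add(fields.get("proc.name", "?"))
    return {container: sorted(procs) for container, procs in usage.items()}


def is_curl_used(raw_lines: str, container: str) -> bool:
    """Answer the question for one container: did any process open libcurl?"""
    return container in libcurl_usage(raw_lines)


if __name__ == "__main__":
    for container, procs in libcurl_usage(SAMPLE_EVENTS).items():
        print(f"{container}: libcurl opened by {', '.join(procs)}")
```

Note that a library being opened by a process other than curl (git in the sample) still means the vulnerable code is loaded, so the report lists every process, not only ones named curl.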

Update Falco with the new rules

helm upgrade falco falcosecurity/falco --namespace falco \
  --create-namespace \
  --set tty=true \
  --set falcosidekick.enabled=true \
  --set falcosidekick.webui.enabled=true \
  --set falcosidekick.webui.redis.storageEnabled=false \
  --set falcosidekick.config.webhook.address=http://falco-talon:2803 \
  --set "falcoctl.config.artifact.install.refs={falco-rules:2,falco-incubating-rules:2,falco-sandbox-rules:2}" \
  --set "falcoctl.config.artifact.follow.refs={falco-rules:2,falco-incubating-rules:2,falco-sandbox-rules:2}" \
  --set "falco.rules_file={/etc/falco/falco_rules.yaml,/etc/falco/falco-incubating_rules.yaml,/etc/falco/falco-sandbox_rules.yaml,/etc/falco/rules.d}" \
  -f custom-rules.yaml

Preventing curl from running using Talon

- action: Exec a command in a pod
  actionner: kubernetes:exec
  parameters:
    shell: /bin/sh

- action: Run a script in a pod
  actionner: kubernetes:script

- rule: kill curl
  match:
    rules:
      # Must match the Falco rule name exactly (the rule above is "Monitor libcurl")
      - Monitor libcurl
  actions:
    - action: Exec a command in a pod
      parameters:
        # pkill -x matches the process name exactly; -f would also match the
        # shell running this command line, because it contains "curl".
        command: 'process_name="curl"; pkill -x "$process_name"; if [ $? -eq 0 ]; then echo "Successfully terminated all $process_name processes."; else echo "No $process_name processes found."; fi'
