Sysdig Secure uses Falco under the hood to deliver Runtime Security for Linux, containers and Kubernetes.
Hence, all the benefits of the Open Source Ecosystem are available when protecting workloads in runtime.
In this module you will learn how to trigger, detect and investigate a runtime security incident. You will also learn how to prevent issues like this one by responding to them as soon as they are detected.
Visit your Sysdig Secure account and check that all the Kubernetes Audit and Runtime (Workload) policies are enabled. If not, enable them in the Secure > Runtime Policies dashboard.
Open the policy with the edit button and enable Actions > Captures. The capture will be used for forensics later in this module.
Go back to your terminal and execute the following command:
kubectl exec -it -n sysdig-agent -- touch /bin/bash
From inside the pod, create a new binary by downloading busybox into /bin:
curl -s https://busybox.net/downloads/binaries/1.21.1/busybox-i686 -o /bin/inject
Go to the Events section and observe the security event. With Sysdig Secure you can detect security incidents like this privilege escalation attempt (writing into a system binary directory).
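Both commands above (touching /bin/bash and downloading busybox to /bin/inject) open a file for writing below a binary directory, which is what the Falco engine underneath Sysdig Secure detects. The rule below is an added illustration modelled on the shape of Falco's stock "Write below binary dir" rule; it is not taken from this page or from the Sysdig policy itself, and the macro names, directory list and output string are assumptions chosen for readability.

```yaml
# Added example: a Falco rule that fires on the activity this lab triggers.
# Names of macros and the directory list are illustrative, not Sysdig's own.

- macro: bin_dir
  # Directories that should only change during package management
  condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)

- macro: open_write
  # An open/openat/openat2 that requests write access to a regular file
  condition: >
    evt.type in (open, openat, openat2)
    and evt.is_open_write=true
    and fd.typechar='f'
    and fd.num>=0

- rule: Write below binary dir (lab example)
  desc: A process opened a file for writing under a system binary directory
  condition: >
    evt.dir = <
    and open_write
    and bin_dir
  output: >
    File below a known binary directory opened for writing
    (user=%user.name command=%proc.cmdline file=%fd.name
    container_id=%container.id image=%container.image.repository
    k8s_pod=%k8s.pod.name k8s_ns=%k8s.ns.name)
  priority: ERROR
  tags: [filesystem, persistence]
```

The condition is evaluated on the exit side of the syscall (evt.dir = <) so the file descriptor fields are populated; touch and curl -o both take this path, which is why a single rule covers both steps of the lab. A production rule would add exclusions for package managers and known build tooling, otherwise routine image builds would generate noise.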
The Activity Audit menu allows you to apply further forensics to understand an incident.
Click on the previously detected event and go to its details, then click View Activity Audit. You will find a time-based event feed with all the activity related to the security event, including the associated Kubernetes activity.
Go back to the event and open its details. From the details, click Respond, then View Capture with Inspect.
Here you can filter and dig deeper to observe all the syscall activity of the security incident.