Hey, my name is Fernando and I'm a technical marketing manager here at GitLab, and today I'm going to go over container host security with Falco.

GitLab container host security monitoring uses Falco as a runtime security tool that listens to the Linux kernel using eBPF. Falco parses system calls and asserts the stream against a configurable rules engine in real time. This is useful because it allows you to detect and alert on security threats as soon as they happen, allowing you to respond accordingly.

In order to install Falco, there are a few prerequisites. First of all, we must have a Kubernetes cluster installed on our project. This cluster must be a GitLab managed cluster. It must also have the project selected as their cluster management project. A cluster management project can be used to run deployment jobs with Kubernetes cluster admin privileges. This is needed in order to install Falco.

Now, let's take a look at the CI file. In GitLab CI we need the managed cluster applications template, which calls the apply job. We also need a directory called .gitlab/managed-apps and add a file called config.yaml. This will tell us to install Falco. This is what the pipeline will look like. You can see the apply job here along with the rest of the pipeline.

Now let's go ahead and add a custom rule. We can do this by adding a new directory in the managed apps directory called falco. Within that directory we'll add a values.yaml file. Here we can specify the custom rules key and go ahead and add a custom rule. I'm going to add one that detects a directory being created. Now once I merge this it'll apply the rule to Falco. You can add nested rules here as well.

Now let's explore what that looks like in our cluster. After the apply job has completed we can see if the Falco pods are up and running. Now I'm going to create a simple pod which creates the file a in the /dev directory. This is something that Falco searches for. Now let's go ahead and apply the pod. Now let's exec into the pod, and here we can add a.txt in the /dev directory. We can also just create another directory in /dev, which is the custom rule I just added. Now we can take a look at the logs. It would be helpful to actually pipe this to a file so we can search on it. The logs are outputted in JSON. I'm going to go ahead and show the rules that we just caught. These are what the alerts look like. On the left we can see an error caused by a directory being created, which is the custom rule we added. On the right we can see that a file was created in the /dev directory. This is a default rule from Falco.

With Falco, you can create an alert each time an error is found. There are many different ways of alerting. You can write to standard out, to a file, or even send alerts to an application or endpoint. This can be done by simply adding to the YAML file located in .gitlab/managed-apps/falco/values.yaml. For more information on alerting, see the links in the description.

Now I'm going to pass it over to product manager Sam White to talk a little bit about Falco's roadmap.

At GitLab we have several plans to improve our integration with Falco. The first of these is through an integration with our policy management user interface, to allow users to easily configure Falco rules in GitLab through a simple rules editor or through YAML. The second is an integration with our newly released security alert dashboard, to allow select events to show up on that alert dashboard to be triaged by end users. The third is better statistics and performance monitoring, which involves the ability to view summary statistics for those events that have been triggered by Falco rules. And lastly, we want to provide support for the GitLab Kubernetes agent so that users can deploy Falco into their cluster through GitLab without requiring GitLab to have cluster admin rights. These items are subject to change and we welcome your feedback.

Thanks for watching. For more information on container host security with Falco, see the links in the description, and be sure to subscribe.
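The three files the demo walks through, written out as an added example rather than the files shown in the video: the template name, the `customRules` chart key and the Falco condition/output fields are standard GitLab and Falco names, while the rule name, tag, rules file name and the alert endpoint URL are placeholders I chose.

```yaml
# .gitlab-ci.yml (example, not from the video)
# Includes the template whose apply job installs whatever config.yaml lists.
include:
  - template: Managed-Cluster-Applications.gitlab-ci.yml

---
# .gitlab/managed-apps/config.yaml
# Tells the apply job to install Falco into the GitLab managed cluster.
falco:
  installed: true

---
# .gitlab/managed-apps/falco/values.yaml
# Helm values for the Falco chart. jsonOutput gives the JSON alert lines
# seen in the demo; httpOutput forwards every alert to an endpoint
# (placeholder URL, assumed to be an internal alert receiver).
falco:
  jsonOutput: true
  httpOutput:
    enabled: true
    url: http://alert-receiver.example.internal/falco   # placeholder

# customRules maps a rules file name (my choice) to ordinary Falco rule YAML.
customRules:
  dev-dir-mkdir.yaml: |-
    # Custom rule: alert when a directory is created under /dev, the
    # behaviour the demo triggers with mkdir inside the test pod.
    # mkdir/mkdirat carry the new path in evt.arg.path on the exit event (evt.dir = <).
    - rule: Directory created under /dev
      desc: A process created a directory below /dev, which is not a normal location for new directories
      condition: >
        evt.type in (mkdir, mkdirat) and evt.dir = <
        and evt.arg.path startswith /dev/
      output: >
        Directory created under /dev (user=%user.name command=%proc.cmdline
        path=%evt.arg.path container=%container.id image=%container.image.repository)
      priority: ERROR
      tags: [filesystem, custom]
```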