SlideShare une entreprise Scribd logo

Sysdig Open Source Intro

Michael Ducy
Michael Ducy

An overview of Sysdig's Open Source projects, Sysdig, Sysdig Inspect, and Sysdig Falco.

Technologie
1  sur  35
Télécharger pour lire hors ligne
Michael Ducy - @mfdii Sysdig Open Source Intro
The Container Intelligence Platform.
Loris Degioanni. Co-creator of Wireshark, and former CTO at Riverbed. Open source driven project. Launched in 2013. 1M+ downloads. Hundreds of thousands of users. 300+ +300 Enterprise customers. Ecosystem partners with OpenShift, Docker, Kubernetes, Mesos, and AWS. Open by Design. Built for Modern Infrastructure.
Monitoring & Security Platform for Containers.
Open by Design. Built for Modern Infrastructure. Sysdig: The Container Intelligence Platform Commercial Sysdig Monitor Sysdig Secure Open Source Sysdig Sysdig Inspect Sysdig Falco
@mfdii Sysdig Projects & Products Sysdig Open Source - https://www.sysdig.com/opensource/ - Sysdig - https://github.com/draios/sysdig - sysdig - csysdig - Sysdig Inspect! https://github.com/draios/sysdig-inspect - Falco - https://github.com/draios/falco Sysdig Container Intelligence Platform - https://www.sysdig.com/ - Sysdig Monitor - Sysdig Secure
Sysdig - Troubleshooting and Forensics - Powerful Filter Language ala tcpdump - Real-time troubleshooting - Offline troubleshooting
@mfdii Sysdig Architecture enter/exit glibc probe: syscalls
@mfdii Filtering - the key for using Sysdig: similar to tcpdump - filter events (system calls) - filtering based on field classes - mixed with operators: =, !=, <, <=, >, >=, contains, and, or, not
@mfdii Understanding Sysdig output 1 01:40:19.601363716 1 httpd (7513) > accept 2 01:40:19.601374197 1 httpd (7513) < accept fd=14(<4t>127.0.0.1:39175->127.0.0.1:80) tuple=127.0.0.1:39175->127.0.0.1:80 queuepct=0 3 01:40:19.601506564 1 httpd (7513) > read fd=14(<4t>127.0.0.1:39175->127.0.0.1:80) size=8000 4 01:40:19.601512497 1 httpd (7513) < read res=85 data=GET /textfile.txt HTTP/1.1..User-Agent: curl/7.35.0..Host: 127.0.0.1..Accept: */ 5 01:40:19.601516976 0 httpd (3750) > switch next=0 pgft_maj=0 pgft_min=522 vm_size=350196 vm_rss=9304 vm_swap=0 [...] Driver Events:354756 Driver Drops:0 Elapsed time: 0.194, Captured Events: 27089, 139915.29 eps Incremental event number, Event timestamp, CPU number (ID), Process name, Thread ID (as seen by gettid()), Event direction: > means enter, < means exit, Event type, Event arguments (arguments)
@mfdii $ What can we filter? > syscall(SYSCALLID ID, UINT16 nativeID) < syscall(SYSCALLID ID) > open() < open(FD fd, FSPATH name, FLAGS32 flags, UINT32 mode) > close(FD fd) < close(ERRNO res) > read(FD fd, UINT32 size) < read(ERRNO res, BYTEBUF data) > write(FD fd, UINT32 size) < write(ERRNO res, BYTEBUF data) > socket(FLAGS32 domain, UINT32 type, UINT32 proto) < socket(FD fd) > bind(FD fd) < bind(ERRNO res, SOCKADDR addr) > connect(FD fd) < connect(ERRNO res, SOCKTUPLE tuple) > listen(FD fd, UINT32 backlog) < listen(ERRNO res) sysdig -L
@mfdii $ How can we filter? ---------------------- Field Class: fd fd.num the unique number identifying the file descriptor. fd.type type of FD. Can be 'file', 'directory', 'ipv4', 'ipv6', 'unix', 'pipe', 'event', 'signalfd', 'eventpoll', 'inotify' or 'signal fd'. fd.typechar type of FD as a single character. Can be 'f' for file, 4 for IP v4 socket, 6 for IPv6 socket, 'u' for unix socket, p for pipe, 'e' for eventfd, 's' for signalfd, 'l' for eventpoll, 'i' for i notify, 'o' for unknown. fd.name FD full name. If the fd is a file, this field contains the full path. If the FD is a socket, this field contain the connection tuple. fd.directory If the fd is a file, the directory that contains it. fd.filename If the fd is a file, the filename without the path. fd.ip matches the ip address (client or server) of the fd. sysdig -l
@mfdii Field Classes Based on “Field Classes”. Supported classes include: fd - File Descriptors process - Processes evt - System Events user - Users group - Groups syslog - Syslog messages container - Container info fdlist - FD poll events k8s - Kubernetes events mesos - Mesos events span - Start/Stop markers evtin - Filter based on Spans
@mfdii File descriptors filters - files - network connections (sockets) - standard input, standard output, and standard error - pipes - timers - signals Examples: sysdig fd.type=ipv4 sysdig fd.l4proto=tcp sysdig fd.sip=127.0.0.1 sysdig fd.sport=39157
@mfdii Create Captures/Read Captures Create capture: sudo sysdig -w filename.scap Read from capture: sysdig -r filename.scap - we can filter on capture time too - we can read + filter + write again - capture files contain entire process table but just filtered events: - to remove it use --filter-proclist - “-z” compresses the capture
@mfdii Sysdig Inspect
@mfdii Sysdig Chisels - Scripts written in Lua - Analyze, aggregate and report on sequences of events (in a similar fashion to dtrace)
@mfdii Sysdig Chisels List all available chisels: sysdig -cl Usage information for a given chisel: sysdig -i chisel_name Running a chisel: sysdig -c chisel_name https://github.com/draios/sysdig/wiki/Sysdig-Chisel-API-Reference-Manual
@mfdii $ List available Chisels Category: Application --------------------- httplog HTTP requests log httptop Top HTTP requests memcachelog memcached requests log Category: CPU Usage ------------------- spectrogram Visualize OS latency in real time. subsecoffset Visualize subsecond offset execution time. topcontainers_cpu Top containers by CPU usage topprocs_cpu Top processes by CPU usage sysdig -cl
@mfdii Sysdig Chisels Application httplog - HTTP requests log httptop - Top HTTP requests memcachelog - memcached requests log Errors topcontainers_error - Top containers by number of errors topfiles_errors - Top files by number of errors topprocs_errors - Top processes by number of errors CPU Usage spectrogram - Visualize OS latency in real time. subsecoffset - Visualize subsecond offset execution time. topcontainers_cpu - Top containers by CPU usage topprocs_cpu - Top processes by CPU usage
@mfdii I/O echo_fds - Print the data read and written by processes. fdbytes_by - I/O bytes, aggregated by an arbitrary filter field fdcount_by - FD count, aggregated by an arbitrary filter field fdtime_by - FD time group by Sysdig Chisels I/O iobytes - Sum of I/O bytes on any type of FD iobytes_file - Sum of file I/O bytes spy_file - Echo any read/write made by any process to all files or a specific file passed as an option.
@mfdii I/O stderr - Print stderr of processes stdin - Print stdin of processes stdout - Print stdout of processes Sysdig Chisels I/O topcontainers_file - Top containers by R+W disk bytes topfiles_bytes - Top files by R+W bytes topfiles_time - Top files by time topprocs_file - Top processes by R+W disk bytes
@mfdii Sysdig Chisels Logs spy_logs - Echo any write made by any process to a log file. Optionally, export the events around each log message to file. spy_syslog - Print every message written to syslog. Optionally, export the events around each syslog message to file. Security list_login_shells - List the login shell IDs shellshock_detect - print shellshock attacks spy_users - Display interactive user activity Misc around - Export to file the events around the time range where the given filter matches.
@mfdii Sysdig Chisels Networking iobytes_net - Show total network I/O bytes spy_ip - Show the data exchanged with the given IP address spy_port - Show the data exchanged using the given IP port number topconns - Top network connections by total bytes topcontainers_net - Top containers by network I/O topports_server - Top TCP/UDP server ports by R+W bytes topprocs_net - Top processes by network I/O
@mfdii Sysdig Chisels Performance bottlenecks - Slowest system calls fileslower - Trace slow file I/O netlower - Trace slow network I/0 proc_exec_time - Show process execution time scallslower - Trace slow syscalls topscalls - Top system calls by number of calls topscalls_time - Top system calls by time
@mfdii Sysdig Chisels System State lscontainers - List the running containers lsof - List (and optionally filter) the open file descriptors. netstat - List (and optionally filter) network connections. ps - List (and optionally filter) the machine processes.
@mfdii Other useful Chisels sudo sysdig -pc -c topcontainers_net ● Top containers by network I/O sudo sysdig -pc -c topprocs_net ● Top processes by network I/O sudo sysdig -c topcontainers_file ● Top containers by R+W disk bytes sudo sysdig -pc -c topprocs_file ● Top processes by R+W disk bytes
@mfdii What is Falco? A behavioral activity monitor •Detects suspicious activity defined by a set of rules •Uses Sysdig’s flexible and powerful filtering expressions With full support for containers/orchestration •Utilizes sysdig’s container & orchestrator support And flexible notification methods •Alert to files, standard output, syslog, programs Open Source •Anyone can contribute rules or improvements
@mfdii Quick examples A shell is run in a container container.id != host and proc.name = bash Overwrite system binaries fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) and write Container namespace change evt.type = setns and not proc.name in (docker, sysdig) Non-device files written in /dev (evt.type = create or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null Process tries to access camera evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)
@mfdii Falco architecture falco_probe Kernel Module Kernel User Syscalls Sysdig Libraries ` Events Alerting Falco Rules Suspicious Events File Syslog Stdout Filter Expression Shell
@mfdii Falco Rules 25 common rules available OOTB Focused on common container best practices: ■ Writing files in bin or etc directories ■ Reading sensitive files ■ Binaries being executed other than CMD/ENTRYPOINT
@mfdii Falco rules .yaml file containing Macros, Lists, and Rules - macro: bin_dir condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) - list: shell_binaries items: [bash, csh, ksh, sh, tcsh, zsh, dash] - rule: write_binary_dir desc: an attempt to write to any file below a set of binary directories condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)" priority: WARNING
@mfdii Falco rules Rules • name: used to identify rule • desc: description of rule • condition: filter expression, can contain macro references • output: message to emit when rule triggers, can contain formatted info from event • priority: severity of rule (WARNING, INFO, etc.) Macros • name: text to use in later rules • condition: filter expression snippet Lists • name: text to use later • items: list of items
@mfdii Sysdig Projects & Products Sysdig Open Source - https://www.sysdig.com/opensource/ - Sysdig - https://github.com/draios/sysdig - sysdig - csysdig - Sysdig Inspect! https://github.com/draios/sysdig-inspect - Falco - https://github.com/draios/falco Sysdig Container Intelligence Platform - https://www.sysdig.com/ - Sysdig Monitor - Sysdig Secure
@mfdii Thank You! Michael Ducy - @mfdii

Recommandé

Open source security tools for Kubernetes.
Open source security tools for Kubernetes.Open source security tools for Kubernetes.
Open source security tools for Kubernetes.Michael Ducy
 
Securing your Container Environment with Open Source
Securing your Container Environment with Open SourceSecuring your Container Environment with Open Source
Securing your Container Environment with Open SourceMichael Ducy
 
Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27Michael Ducy
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAlex Matrosov
 
Find the Hacker
Find the HackerFind the Hacker
Find the HackerSysdig
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container SecurityJim Barlow
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 

Recommandé

Open source security tools for Kubernetes.
Open source security tools for Kubernetes.Open source security tools for Kubernetes.
Open source security tools for Kubernetes.Michael Ducy
 
Securing your Container Environment with Open Source
Securing your Container Environment with Open SourceSecuring your Container Environment with Open Source
Securing your Container Environment with Open SourceMichael Ducy
 
Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27Michael Ducy
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAlex Matrosov
 
Find the Hacker
Find the HackerFind the Hacker
Find the HackerSysdig
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container SecurityJim Barlow
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxMichael Boelen
 
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...CODE BLUE
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
How to Secure Containers
How to Secure ContainersHow to Secure Containers
How to Secure ContainersSysdig
 
Behavioural activity monitoring on CoreOS with Sysdig Falco
Behavioural activity monitoring on CoreOS with Sysdig FalcoBehavioural activity monitoring on CoreOS with Sysdig Falco
Behavioural activity monitoring on CoreOS with Sysdig FalcoSysdig
 
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru OtsukaTake a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru OtsukaCODE BLUE
 
Security on a Container Platform
Security on a Container PlatformSecurity on a Container Platform
Security on a Container PlatformAll Things Open
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
Docker Runtime Security
Docker Runtime SecurityDocker Runtime Security
Docker Runtime SecuritySysdig
 
Kali tools list with short description
Kali tools list with short descriptionKali tools list with short description
Kali tools list with short descriptionJose Moruno Cadima
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Sysdig
 
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in LinuxSelf Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linuxinaz2
 
Rooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerRooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerPhil Estes
 
Mem forensic
Mem forensicMem forensic
Mem forensicChong-Kuan Chen
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
 
Code Injection in Windows
Code Injection in WindowsCode Injection in Windows
Code Injection in Windowsn|u - The Open Security Community
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!Sysdig
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbain|u - The Open Security Community
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloudDobrica Pavlinušić
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...CODE BLUE
 
Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxPatricia Aas
 
Memory forensics cheat sheet
Memory forensics cheat sheetMemory forensics cheat sheet
Memory forensics cheat sheetMartin Cabrera
 

Contenu connexe

Tendances

Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxMichael Boelen
 
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...CODE BLUE
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
How to Secure Containers
How to Secure ContainersHow to Secure Containers
How to Secure ContainersSysdig
 
Behavioural activity monitoring on CoreOS with Sysdig Falco
Behavioural activity monitoring on CoreOS with Sysdig FalcoBehavioural activity monitoring on CoreOS with Sysdig Falco
Behavioural activity monitoring on CoreOS with Sysdig FalcoSysdig
 
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru OtsukaTake a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru OtsukaCODE BLUE
 
Security on a Container Platform
Security on a Container PlatformSecurity on a Container Platform
Security on a Container PlatformAll Things Open
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
Docker Runtime Security
Docker Runtime SecurityDocker Runtime Security
Docker Runtime SecuritySysdig
 
Kali tools list with short description
Kali tools list with short descriptionKali tools list with short description
Kali tools list with short descriptionJose Moruno Cadima
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Sysdig
 
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in LinuxSelf Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linuxinaz2
 
Rooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerRooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerPhil Estes
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!Sysdig
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloudDobrica Pavlinušić
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...CODE BLUE
 

Tendances (20)

Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on Linux
 
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
 
Container security
Container securityContainer security
Container security
 
How to Secure Containers
How to Secure ContainersHow to Secure Containers
How to Secure Containers
 
Behavioural activity monitoring on CoreOS with Sysdig Falco
Behavioural activity monitoring on CoreOS with Sysdig FalcoBehavioural activity monitoring on CoreOS with Sysdig Falco
Behavioural activity monitoring on CoreOS with Sysdig Falco
 
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru OtsukaTake a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
 
Security on a Container Platform
Security on a Container PlatformSecurity on a Container Platform
Security on a Container Platform
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
Docker Runtime Security
Docker Runtime SecurityDocker Runtime Security
Docker Runtime Security
 
Kali tools list with short description
Kali tools list with short descriptionKali tools list with short description
Kali tools list with short description
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in LinuxSelf Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
 
Rooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerRooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in Docker
 
Mem forensic
Mem forensicMem forensic
Mem forensic
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
 
Code Injection in Windows
Code Injection in WindowsCode Injection in Windows
Code Injection in Windows
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloud
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
 

Similaire à Sysdig Open Source Intro

Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxPatricia Aas
 
Memory forensics cheat sheet
Memory forensics cheat sheetMemory forensics cheat sheet
Memory forensics cheat sheetMartin Cabrera
 
Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Patricia Aas
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without AntivirusEnergySec
 
Sysdig
SysdigSysdig
Sysdiggnosek
 
Sysdig - Introducing a new definition of Monitoring
Sysdig - Introducing a new definition of MonitoringSysdig - Introducing a new definition of Monitoring
Sysdig - Introducing a new definition of MonitoringRamit Surana
 
Querying 1.8 billion reddit comments with python
Querying 1.8 billion reddit comments with pythonQuerying 1.8 billion reddit comments with python
Querying 1.8 billion reddit comments with pythonDaniel Rodriguez
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationOlehLevytskyi1
 
Kqueue : Generic Event notification
Kqueue : Generic Event notificationKqueue : Generic Event notification
Kqueue : Generic Event notificationMahendra M
 
Writing Character driver (loadable module) in linux
Writing Character driver (loadable module) in linuxWriting Character driver (loadable module) in linux
Writing Character driver (loadable module) in linuxRajKumar Rampelli
 
Container Monitoring with Sysdig
Container Monitoring with SysdigContainer Monitoring with Sysdig
Container Monitoring with SysdigSreenivas Makam
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...Felipe Prado
 
SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005James Morris
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
 
breed_python_tx_redacted
breed_python_tx_redactedbreed_python_tx_redacted
breed_python_tx_redactedRyan Breed
 
Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Implementing Active Security with Sysdig Falco - Docker Meetup BarcelonaImplementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Implementing Active Security with Sysdig Falco - Docker Meetup BarcelonaNéstor Salceda
 

Similaire à Sysdig Open Source Intro (20)

Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium Sandbox
 
Memory forensics cheat sheet
Memory forensics cheat sheetMemory forensics cheat sheet
Memory forensics cheat sheet
 
Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without Antivirus
 
Sysdig
SysdigSysdig
Sysdig
 
Sysdig - Introducing a new definition of Monitoring
Sysdig - Introducing a new definition of MonitoringSysdig - Introducing a new definition of Monitoring
Sysdig - Introducing a new definition of Monitoring
 
Querying 1.8 billion reddit comments with python
Querying 1.8 billion reddit comments with pythonQuerying 1.8 billion reddit comments with python
Querying 1.8 billion reddit comments with python
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
 
Kqueue : Generic Event notification
Kqueue : Generic Event notificationKqueue : Generic Event notification
Kqueue : Generic Event notification
 
Linux
LinuxLinux
Linux
 
Writing Character driver (loadable module) in linux
Writing Character driver (loadable module) in linuxWriting Character driver (loadable module) in linux
Writing Character driver (loadable module) in linux
 
Container Monitoring with Sysdig
Container Monitoring with SysdigContainer Monitoring with Sysdig
Container Monitoring with Sysdig
 
File management
File managementFile management
File management
 
UNIX Basics and Cluster Computing
UNIX Basics and Cluster ComputingUNIX Basics and Cluster Computing
UNIX Basics and Cluster Computing
 
A22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle HaileyA22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle Hailey
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
 
SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)
 
breed_python_tx_redacted
breed_python_tx_redactedbreed_python_tx_redacted
breed_python_tx_redacted
 
Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Implementing Active Security with Sysdig Falco - Docker Meetup BarcelonaImplementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona
 

Plus de Michael Ducy

Automating Security Response with Serverless
Automating Security Response with ServerlessAutomating Security Response with Serverless
Automating Security Response with ServerlessMichael Ducy
 
Rethinking Open Source in the Age of Cloud
Rethinking Open Source in the Age of CloudRethinking Open Source in the Age of Cloud
Rethinking Open Source in the Age of CloudMichael Ducy
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with FalcoMichael Ducy
 
DevOps in a Cloud Native World
DevOps in a Cloud Native WorldDevOps in a Cloud Native World
DevOps in a Cloud Native WorldMichael Ducy
 
Monitoring & Securing Microservices in Kubernetes
Monitoring & Securing Microservices in KubernetesMonitoring & Securing Microservices in Kubernetes
Monitoring & Securing Microservices in KubernetesMichael Ducy
 
Principles of Monitoring Microservices
Principles of Monitoring MicroservicesPrinciples of Monitoring Microservices
Principles of Monitoring MicroservicesMichael Ducy
 
Survey of Container Build Tools
Survey of Container Build ToolsSurvey of Container Build Tools
Survey of Container Build ToolsMichael Ducy
 
Monoliths, Myths, and Microservices - CfgMgmtCamp
Monoliths, Myths, and Microservices - CfgMgmtCampMonoliths, Myths, and Microservices - CfgMgmtCamp
Monoliths, Myths, and Microservices - CfgMgmtCampMichael Ducy
 
Monoliths, Myths, and Microservices
Monoliths, Myths, and MicroservicesMonoliths, Myths, and Microservices
Monoliths, Myths, and MicroservicesMichael Ducy
 
Why Pipelines Matter
Why Pipelines MatterWhy Pipelines Matter
Why Pipelines MatterMichael Ducy
 
The Future of Everything
The Future of EverythingThe Future of Everything
The Future of EverythingMichael Ducy
 
Improving Goat Production
Improving Goat ProductionImproving Goat Production
Improving Goat ProductionMichael Ducy
 
Changing the Way Development and Operations Works
Changing the Way Development and Operations WorksChanging the Way Development and Operations Works
Changing the Way Development and Operations WorksMichael Ducy
 
CloudStack Day 14 - Automation: The Key to Hybrid Cloud
CloudStack Day 14 - Automation: The Key to Hybrid CloudCloudStack Day 14 - Automation: The Key to Hybrid Cloud
CloudStack Day 14 - Automation: The Key to Hybrid CloudMichael Ducy
 
The Road to Hybrid Cloud is Paved with Automation
The Road to Hybrid Cloud is Paved with AutomationThe Road to Hybrid Cloud is Paved with Automation
The Road to Hybrid Cloud is Paved with AutomationMichael Ducy
 
The Velocity of Bureaucracy
The Velocity of BureaucracyThe Velocity of Bureaucracy
The Velocity of BureaucracyMichael Ducy
 
The Goat and the Silo
The Goat and the SiloThe Goat and the Silo
The Goat and the SiloMichael Ducy
 
Little Tech, Big Impact - Monktoberfest 2013
Little Tech, Big Impact - Monktoberfest 2013Little Tech, Big Impact - Monktoberfest 2013
Little Tech, Big Impact - Monktoberfest 2013Michael Ducy
 
Object, measure thyself
Object, measure thyselfObject, measure thyself
Object, measure thyselfMichael Ducy
 
DevOps Columbus Meetup Kickoff - Infrastructure as Code
DevOps Columbus Meetup Kickoff - Infrastructure as CodeDevOps Columbus Meetup Kickoff - Infrastructure as Code
DevOps Columbus Meetup Kickoff - Infrastructure as CodeMichael Ducy
 

Plus de Michael Ducy (20)

Automating Security Response with Serverless
Automating Security Response with ServerlessAutomating Security Response with Serverless
Automating Security Response with Serverless
 
Rethinking Open Source in the Age of Cloud
Rethinking Open Source in the Age of CloudRethinking Open Source in the Age of Cloud
Rethinking Open Source in the Age of Cloud
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with Falco
 
DevOps in a Cloud Native World
DevOps in a Cloud Native WorldDevOps in a Cloud Native World
DevOps in a Cloud Native World
 
Monitoring & Securing Microservices in Kubernetes
Monitoring & Securing Microservices in KubernetesMonitoring & Securing Microservices in Kubernetes
Monitoring & Securing Microservices in Kubernetes
 
Principles of Monitoring Microservices
Principles of Monitoring MicroservicesPrinciples of Monitoring Microservices
Principles of Monitoring Microservices
 
Survey of Container Build Tools
Survey of Container Build ToolsSurvey of Container Build Tools
Survey of Container Build Tools
 
Monoliths, Myths, and Microservices - CfgMgmtCamp
Monoliths, Myths, and Microservices - CfgMgmtCampMonoliths, Myths, and Microservices - CfgMgmtCamp
Monoliths, Myths, and Microservices - CfgMgmtCamp
 
Monoliths, Myths, and Microservices
Monoliths, Myths, and MicroservicesMonoliths, Myths, and Microservices
Monoliths, Myths, and Microservices
 
Why Pipelines Matter
Why Pipelines MatterWhy Pipelines Matter
Why Pipelines Matter
 
The Future of Everything
The Future of EverythingThe Future of Everything
The Future of Everything
 
Improving Goat Production
Improving Goat ProductionImproving Goat Production
Improving Goat Production
 
Changing the Way Development and Operations Works
Changing the Way Development and Operations WorksChanging the Way Development and Operations Works
Changing the Way Development and Operations Works
 
CloudStack Day 14 - Automation: The Key to Hybrid Cloud
CloudStack Day 14 - Automation: The Key to Hybrid CloudCloudStack Day 14 - Automation: The Key to Hybrid Cloud
CloudStack Day 14 - Automation: The Key to Hybrid Cloud
 
The Road to Hybrid Cloud is Paved with Automation
The Road to Hybrid Cloud is Paved with AutomationThe Road to Hybrid Cloud is Paved with Automation
The Road to Hybrid Cloud is Paved with Automation
 
The Velocity of Bureaucracy
The Velocity of BureaucracyThe Velocity of Bureaucracy
The Velocity of Bureaucracy
 
The Goat and the Silo
The Goat and the SiloThe Goat and the Silo
The Goat and the Silo
 
Little Tech, Big Impact - Monktoberfest 2013
Little Tech, Big Impact - Monktoberfest 2013Little Tech, Big Impact - Monktoberfest 2013
Little Tech, Big Impact - Monktoberfest 2013
 
Object, measure thyself
Object, measure thyselfObject, measure thyself
Object, measure thyself
 
DevOps Columbus Meetup Kickoff - Infrastructure as Code
DevOps Columbus Meetup Kickoff - Infrastructure as CodeDevOps Columbus Meetup Kickoff - Infrastructure as Code
DevOps Columbus Meetup Kickoff - Infrastructure as Code
 

Dernier

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 

Dernier (20)

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

Sysdig Open Source Intro

  • 1. Michael Ducy - @mfdii Sysdig Open Source Intro
  • 3. Loris Degioanni. Co-creator of Wireshark, and former CTO at Riverbed. Open source driven project. Launched in 2013. 1M+ downloads. Hundreds of thousands of users. 300+ +300 Enterprise customers. Ecosystem partners with OpenShift, Docker, Kubernetes, Mesos, and AWS. Open by Design. Built for Modern Infrastructure.
  • 4. Monitoring & Security Platform for Containers.
  • 5. Open by Design. Built for Modern Infrastructure. Sysdig: The Container Intelligence Platform Commercial Sysdig Monitor Sysdig Secure Open Source Sysdig Sysdig Inspect Sysdig Falco
  • 6. @mfdii Sysdig Projects & Products Sysdig Open Source - https://www.sysdig.com/opensource/ - Sysdig - https://github.com/draios/sysdig - sysdig - csysdig - Sysdig Inspect! https://github.com/draios/sysdig-inspect - Falco - https://github.com/draios/falco Sysdig Container Intelligence Platform - https://www.sysdig.com/ - Sysdig Monitor - Sysdig Secure
  • 7. Sysdig - Troubleshooting and Forensics - Powerful Filter Language ala tcpdump - Real-time troubleshooting - Offline troubleshooting
  • 9. @mfdii Filtering - the key for using Sysdig: similar to tcpdump - filter events (system calls) - filtering based on field classes - mixed with operators: =, !=, <, <=, >, >=, contains, and, or, not
  • 10. @mfdii Understanding Sysdig output 1 01:40:19.601363716 1 httpd (7513) > accept 2 01:40:19.601374197 1 httpd (7513) < accept fd=14(<4t>127.0.0.1:39175->127.0.0.1:80) tuple=127.0.0.1:39175->127.0.0.1:80 queuepct=0 3 01:40:19.601506564 1 httpd (7513) > read fd=14(<4t>127.0.0.1:39175->127.0.0.1:80) size=8000 4 01:40:19.601512497 1 httpd (7513) < read res=85 data=GET /textfile.txt HTTP/1.1..User-Agent: curl/7.35.0..Host: 127.0.0.1..Accept: */ 5 01:40:19.601516976 0 httpd (3750) > switch next=0 pgft_maj=0 pgft_min=522 vm_size=350196 vm_rss=9304 vm_swap=0 [...] Driver Events:354756 Driver Drops:0 Elapsed time: 0.194, Captured Events: 27089, 139915.29 eps Incremental event number, Event timestamp, CPU number (ID), Process name, Thread ID (as seen by gettid()), Event direction: > means enter, < means exit, Event type, Event arguments (arguments)
  • 11. @mfdii $ What can we filter? > syscall(SYSCALLID ID, UINT16 nativeID) < syscall(SYSCALLID ID) > open() < open(FD fd, FSPATH name, FLAGS32 flags, UINT32 mode) > close(FD fd) < close(ERRNO res) > read(FD fd, UINT32 size) < read(ERRNO res, BYTEBUF data) > write(FD fd, UINT32 size) < write(ERRNO res, BYTEBUF data) > socket(FLAGS32 domain, UINT32 type, UINT32 proto) < socket(FD fd) > bind(FD fd) < bind(ERRNO res, SOCKADDR addr) > connect(FD fd) < connect(ERRNO res, SOCKTUPLE tuple) > listen(FD fd, UINT32 backlog) < listen(ERRNO res) sysdig -L
  • 12. @mfdii $ How can we filter? ---------------------- Field Class: fd fd.num the unique number identifying the file descriptor. fd.type type of FD. Can be 'file', 'directory', 'ipv4', 'ipv6', 'unix', 'pipe', 'event', 'signalfd', 'eventpoll', 'inotify' or 'signal fd'. fd.typechar type of FD as a single character. Can be 'f' for file, 4 for IP v4 socket, 6 for IPv6 socket, 'u' for unix socket, p for pipe, 'e' for eventfd, 's' for signalfd, 'l' for eventpoll, 'i' for i notify, 'o' for unknown. fd.name FD full name. If the fd is a file, this field contains the full path. If the FD is a socket, this field contain the connection tuple. fd.directory If the fd is a file, the directory that contains it. fd.filename If the fd is a file, the filename without the path. fd.ip matches the ip address (client or server) of the fd. sysdig -l
  • 13. @mfdii Field Classes Based on “Field Classes”. Supported classes include: fd - File Descriptors process - Processes evt - System Events user - Users group - Groups syslog - Syslog messages container - Container info fdlist - FD poll events k8s - Kubernetes events mesos - Mesos events span - Start/Stop markers evtin - Filter based on Spans
  • 14. @mfdii File descriptors filters - files - network connections (sockets) - standard input, standard output, and standard error - pipes - timers - signals Examples: sysdig fd.type=ipv4 sysdig fd.l4proto=tcp sysdig fd.sip=127.0.0.1 sysdig fd.sport=39157
  • 15. @mfdii Create Captures/Read Captures Create capture: sudo sysdig -w filename.scap Read from capture: sysdig -r filename.scap - we can filter on capture time too - we can read + filter + write again - capture files contain entire process table but just filtered events: - to remove it use --filter-proclist - “-z” compresses the capture
  • 17. @mfdii Sysdig Chisels - Scripts written in Lua - Analyze, aggregate and report on sequences of events (in a similar fashion to dtrace)
  • 18. @mfdii Sysdig Chisels List all available chisels: sysdig -cl Usage information for a given chisel: sysdig -i chisel_name Running a chisel: sysdig -c chisel_name https://github.com/draios/sysdig/wiki/Sysdig-Chisel-API-Reference-Manual
  • 19. @mfdii $ List available Chisels Category: Application --------------------- httplog HTTP requests log httptop Top HTTP requests memcachelog memcached requests log Category: CPU Usage ------------------- spectrogram Visualize OS latency in real time. subsecoffset Visualize subsecond offset execution time. topcontainers_cpu Top containers by CPU usage topprocs_cpu Top processes by CPU usage sysdig -cl
  • 20. @mfdii Sysdig Chisels Application httplog - HTTP requests log httptop - Top HTTP requests memcachelog - memcached requests log Errors topcontainers_error - Top containers by number of errors topfiles_errors - Top files by number of errors topprocs_errors - Top processes by number of errors CPU Usage spectrogram - Visualize OS latency in real time. subsecoffset - Visualize subsecond offset execution time. topcontainers_cpu - Top containers by CPU usage topprocs_cpu - Top processes by CPU usage
  • 21. @mfdii I/O echo_fds - Print the data read and written by processes. fdbytes_by - I/O bytes, aggregated by an arbitrary filter field fdcount_by - FD count, aggregated by an arbitrary filter field fdtime_by - FD time group by Sysdig Chisels I/O iobytes - Sum of I/O bytes on any type of FD iobytes_file - Sum of file I/O bytes spy_file - Echo any read/write made by any process to all files or a specific file passed as an option.
  • 22. @mfdii I/O stderr - Print stderr of processes stdin - Print stdin of processes stdout - Print stdout of processes Sysdig Chisels I/O topcontainers_file - Top containers by R+W disk bytes topfiles_bytes - Top files by R+W bytes topfiles_time - Top files by time topprocs_file - Top processes by R+W disk bytes
  • 23. @mfdii Sysdig Chisels Logs spy_logs - Echo any write made by any process to a log file. Optionally, export the events around each log message to file. spy_syslog - Print every message written to syslog. Optionally, export the events around each syslog message to file. Security list_login_shells - List the login shell IDs shellshock_detect - print shellshock attacks spy_users - Display interactive user activity Misc around - Export to file the events around the time range where the given filter matches.
  • 24. @mfdii Sysdig Chisels Networking iobytes_net - Show total network I/O bytes spy_ip - Show the data exchanged with the given IP address spy_port - Show the data exchanged using the given IP port number topconns - Top network connections by total bytes topcontainers_net - Top containers by network I/O topports_server - Top TCP/UDP server ports by R+W bytes topprocs_net - Top processes by network I/O
  • 25. @mfdii Sysdig Chisels Performance bottlenecks - Slowest system calls fileslower - Trace slow file I/O netlower - Trace slow network I/0 proc_exec_time - Show process execution time scallslower - Trace slow syscalls topscalls - Top system calls by number of calls topscalls_time - Top system calls by time
  • 26. @mfdii Sysdig Chisels System State lscontainers - List the running containers lsof - List (and optionally filter) the open file descriptors. netstat - List (and optionally filter) network connections. ps - List (and optionally filter) the machine processes.
  • 27. @mfdii Other useful Chisels sudo sysdig -pc -c topcontainers_net ● Top containers by network I/O sudo sysdig -pc -c topprocs_net ● Top processes by network I/O sudo sysdig -c topcontainers_file ● Top containers by R+W disk bytes sudo sysdig -pc -c topprocs_file ● Top processes by R+W disk bytes
  • 28. @mfdii What is Falco? A behavioral activity monitor •Detects suspicious activity defined by a set of rules •Uses Sysdig’s flexible and powerful filtering expressions With full support for containers/orchestration •Utilizes sysdig’s container & orchestrator support And flexible notification methods •Alert to files, standard output, syslog, programs Open Source •Anyone can contribute rules or improvements
  • 29. @mfdii Quick examples A shell is run in a container container.id != host and proc.name = bash Overwrite system binaries fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) and write Container namespace change evt.type = setns and not proc.name in (docker, sysdig) Non-device files written in /dev (evt.type = create or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null Process tries to access camera evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)
  • 31. @mfdii Falco Rules 25 common rules available OOTB Focused on common container best practices: ■ Writing files in bin or etc directories ■ Reading sensitive files ■ Binaries being executed other than CMD/ENTRYPOINT
  • 32. @mfdii Falco rules .yaml file containing Macros, Lists, and Rules - macro: bin_dir condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) - list: shell_binaries items: [bash, csh, ksh, sh, tcsh, zsh, dash] - rule: write_binary_dir desc: an attempt to write to any file below a set of binary directories condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)" priority: WARNING
  • 33. @mfdii Falco rules Rules • name: used to identify rule • desc: description of rule • condition: filter expression, can contain macro references • output: message to emit when rule triggers, can contain formatted info from event • priority: severity of rule (WARNING, INFO, etc.) Macros • name: text to use in later rules • condition: filter expression snippet Lists • name: text to use later • items: list of items
  • 34. @mfdii Sysdig Projects & Products Sysdig Open Source - https://www.sysdig.com/opensource/ - Sysdig - https://github.com/draios/sysdig - sysdig - csysdig - Sysdig Inspect! https://github.com/draios/sysdig-inspect - Falco - https://github.com/draios/falco Sysdig Container Intelligence Platform - https://www.sysdig.com/ - Sysdig Monitor - Sysdig Secure