Building a Personal Network and Host Defense System Part 5: Host Monitoring With Falco
With the borders of our castle monitored and protected, we will deploy guards to observe the activities within the castle so we are able to apprehend spies and enemies who managed to sneak into the castle. For this we will install Falco on our machine to observe and inform us on anomalous activities.
Again head to the NHIDPS repository, clone it and change into the directory. You may skip the succeeding commands for building the golden image if you have already built one from previous walkthrough, otherwise run the commands below to build the golden image.
1
2
3
4
5
6
7
8
# hash the passwords and insert in the preseed fileROOT_PASSWORD="INSERT_ROOT_PASSWORD_HERE";USER_PASSWORD="INSERT_USER_PASSWORD_HERE"echo$ROOT_PASSWORD| mkpasswd -s -m sha-512 # replace passwd/root-password-crypted valueecho$USER_PASSWORD| mkpasswd -s -m sha-512 # replace passwd/user-password-crypted value# building the system with packer json definitionpacker plugins install github.com/hashicorp/virtualbox
ISO_URL="INSERT_ISO_FILEPATH"TMPDIR=./ PACKER_LOG_PATH=packer.log PACKER_LOG=2 packer build -var-file template-vars.json -force template.json
With existing golden image and earlier generated key pair - you may run the first command if you do not have the key pair generated yet - run the command below to configure the machine for host monitoring.
1
2
ssh-keygen -t ed25519 -b 4096 -f nhidps -C "nhidps keypair" -N ""# create an ssh keyvagrant up --provision-with ansible # start and configure the vm
Log into the machine with your specified credentials and run the following commands to observe process calls.
1
2
3
4
5
6
7
8
# check the status of falccosudo systemctl status falco-modern-bpf
# search for private keysfind /root/.ssh -type f \( -name "id_rsa" -o -name "*.pem" -o -name "*key"\)# observe host process callstail -f /var/log/falco.json | jq -rc .