#There could be a CONTAINER RUNTIME SECURITY MODULE - for individuals running containers locally on-prem, something like this could come preinstalled, I currently successfully run manually on fresh Kali Purple:


#1 Kali Purple System Update, Docker Install
sudo apt update -y && sudo apt upgrade -y 

sudo apt install docker.io -y

sudo usermod -aG docker $USER && newgrp docker


#2 Install Kubectl, Minikube
curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl

chmod +x ./kubectl

sudo mv ./kubectl /usr/local/bin/kubectl

curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64

sudo install minikube-linux-amd64 /usr/local/bin/minikube

minikube start --memory=6G      #[kali purple vm: vcpu 2, memory 8G+]

kubectl get pods -A


#3 Install Helm https://helm.sh/docs/intro/install/#from-script
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3

chmod 700 get_helm.sh

./get_helm.sh


#4 Install Falco, Falcosidekick, Falcosidekick-ui https://github.com/falcosecurity/falco/issues/2540#issuecomment-1731863875
helm repo add falcosecurity https://falcosecurity.github.io/charts

helm repo update

kubectl create ns falco

helm install falco falcosecurity/falco \
    --namespace falco \
    --set driver.kind=modern-bpf

kubectl get all -n falco  #pods and a daemonset should be running, watch 2/2 pods come up: kubectl get pods -n falco -w, then Ctrl+C

helm upgrade falco -n falco --set tty=true falcosecurity/falco \
  --set falcosidekick.enabled=true \
  --set falcosidekick.webui.enabled=true \
  --set driver.kind=modern-bpf

kubectl get all -n falco  #pods, services, daemonset, deployments, replicasets, and a statefulset should be running, watch pods come up: kubectl get pods -n falco -w, then Ctrl+C

kubectl port-forward svc/falco-falcosidekick-ui \
  -n falco 2802:2802 &> /dev/null &

http://127.0.0.1:2802 , default creds admin/admin     #access Falcosidekick-ui


######### + Bonus TEST
#To see more events in Falcosidekick-ui Events tab, Test with Atomic Red Team tests https://falco.org/blog/falco-atomic-red/
kubectl create ns atomic-red

kubectl apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: atomicred
  namespace: atomic-red
  labels:
    app: atomicred
spec:
  replicas: 1
  selector:
    matchLabels:
      app: atomicred
  template:
    metadata:
      labels:
        app: atomicred
    spec:
      containers:
      - name: atomicred
        image: issif/atomic-red:latest
        imagePullPolicy: "IfNotPresent"
        command: ["sleep", "3560d"]
        securityContext:
          privileged: true
      nodeSelector:
        kubernetes.io/os: linux
EOF

kubectl get pods -n atomic-red -w  #watch until the pod comes up, then Ctrl+C

kubectl exec -it -n atomic-red deploy/atomicred -- bash

pwsh

Import-Module "~/AtomicRedTeam/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1" -Force

Invoke-AtomicTest T1070.004 -ShowDetails

Invoke-AtomicTest T1070.004 -GetPreReqs

Invoke-AtomicTest T1070.004

Invoke-AtomicTest T1556.003

Invoke-AtomicTest T1036.005

Invoke-AtomicTest T1070.002

Invoke-AtomicTest T1070.003

Invoke-AtomicTest T1014
#End of TEST, Falcosidekick-ui Events tab now filled