Falco

Sysdig Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Powered by sysdig’s system call capture infrastructure, falco lets you continuously monitor and detect container, application, host, and network activity… all in one place, from one source of data, with one set of rules.

Also provides a Deployment for generating Falco alerts. This is useful for testing purposes. Define what activity is considered normal for your containerized applications & be notified when an application deviates.

Key Features:

Kubernetes Aware: Build rules specific to your Kubernetes clusters to enforce policy across all your containers & microservices.

Container-native: Runtime Security built for containers. Built from the ground up to natively support container runtimes.

See Everything: Complete container visibility through a single daemon. Easily build rules and get informed immediately.

Designed For Us: Designed with an easy to learn rule set, Sysdig Falco makes your entire team productive in minutes.

Adaptive: Custom rules to allow you to adapt Sysdig Falco to enforce your organization’s container security policy.

What kind of behaviors can Falco detect?

Falco can detect and alert on any behavior that involves making Linux system calls. Thanks to Sysdig’s core decoding and state tracking functionality, Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, you can easily detect things like:

A shell is run inside a container

A server process spawns a child process of an unexpected type

Unexpected read of a sensitive file (like /etc/shadow)

A non-device file is written to /dev

A standard system binary (like ls) makes an outbound network connection

How Falco Compares to Other Security Tools like SELinux, Auditd, etc.

One of the questions we often get when we talk about Sysdig Falco is “How does it compare to other tools like SELinux, AppArmor, Auditd, etc. that also have security policies?”. We wrote a blog post comparing Falco to other tools.

How you use it

Falco is deployed as a long-running daemon. You can install it as a debian/rpm package on a regular host or container host, or you can deploy it as a container.

Falco is configured via a rules file defining the behaviors and events to watch for, and a general configuration file. Rules are expressed in a high-level, human-readable language. We’ve provided a sample rule file ./rules/falco_rules.yaml as a starting point – you can (and will likely want!) to adapt it to your environment.

When developing rules, one helpful feature is Falco’s ability to read trace files saved by sysdig. This allows you to “record” the offending behavior once, and replay it with Falco as many times as needed while tweaking your rules.

Once deployed, Falco uses the Sysdig kernel module and userspace libraries to watch for any events matching one of the conditions defined in the rule file. If a matching event occurs, a notification is written to the configured output(s).

Falco Alerts

When Falco detects suspicious behavior, it sends alerts via one or more of the following channels:

• Writing to standard error
• Writing to a file
• Writing to syslog

Pipe to a spawned program. A common use of this output type would be to send an email for every Falco notification.