The Falco Project
What is Falco?
Falco is a cloud native security tool that provides runtime security across hosts, containers, Kubernetes, and cloud environments. It is designed to detect and alert on abnormal behavior and potential security threats in real-time.
At its core, Falco is a monitoring and detection agent that observes events (such as Linux kernel events and other data sources through plugins) and delivers real-time alerts based on custom rules. Falco also enhances these events by integrating contextual metadata from container runtimes and Kubernetes. The generated alert events can be forwarded to other components to take action or be analyzed in SIEM or data lake systems for further investigation.
Falco, originally created by Sysdig, is now a graduate Cloud Native Computing Foundation (CNCF) project used in production by various organisations.
What does Falco do?
Falco uses syscalls to monitor a system's activity, by:
- Parsing the Linux syscalls from the kernel at runtime
- Asserting the stream against a powerful rules engine
- Alerting when a rule is violated
For more information, see Falco Rules.
Falco's monitoring capabilities are not limited to syscalls as it can be extended via plugins to ingest data from many more types of sources.
What does Falco check for?
Falco ships with a default set of rules that check the kernel for unusual behavior such as:
- Privilege escalation using privileged containers
- Namespace changes using tools like
setns
- Read/Writes to well-known directories such as
/etc
,/usr/bin
,/usr/sbin
, etc - Creating symlinks
- Ownership and Mode changes
- Unexpected network connections or socket mutations
- Spawned processes using
execve
- Executing shell binaries such as
sh
,bash
,csh
,zsh
, etc - Executing SSH binaries such as
ssh
,scp
,sftp
, etc - Mutating Linux
coreutils
executables - Mutating login binaries
- Mutating
shadowutil
orpasswd
executables such asshadowconfig
,pwck
,chpasswd
,getpasswd
,change
,useradd
,etc
, and others.
What are Falco rules?
Rules are the conditions under which an alert should be generated. A rule is accompanied by a descriptive output string sent with the alert. They are defined using YAML files and loaded by the Falco configuration file. For more information about writing, managing, and deploying rules, see Falco Rules.
What are Falco alerts?
Alerts are configurable downstream actions that can be as simple as logging to stdout
or as complex as delivering a gRPC call to a client. For more information about configuring, understanding, and developing alerts, see Falco Alerts. Falco can send alerts to:
- Standard Output
- A file
- Syslog
- A spawned program
- A HTTP[s] end point
- A client through the gRPC API
What are the Components of Falco?
Falco is composed of several main components:
Userspace program - is the CLI tool
falco
that you can use to interact with Falco. The userspace program handles signals, parses information from a Falco driver, and sends alerts.Configuration - defines how Falco is run, what rules to assert, and how to perform alerts. For more information, see Configuration.
Driver - is a software that adheres to the Falco driver specification and sends a stream of kernel events. Currently, Falco supports the following drivers:
- (Default) Modern eBPF probe (CO-RE paradigm and more)
- Legacy eBPF probe built
- Kernel module
For more information, see Falco Drivers.
Plugins - allow to extend the functionality of Falco by adding new event sources and new fields that can extract information from events. For more information, see Plugins.
Falcoctl - allows to easily install rules and plugins and perform administrative tasks with Falco. It is bundled together with Falco.
What are the ecosystem projects that can interact with Falco?
Apart from the Falco core projects, the Falco organization also maintains and distributes ecosystem projects that help adopters get the most out of Falco. To learn more, visit the Falco Evolution repositories list. For example, the falcosidekick project makes it easier to output Falco events to many applications and channels, falcoctl makes it easier to perform a number of administrative tasks for Falco, including installing and updating rules and plugins, while the falco-exporter tool is used to integrate Falco with Prometheus.
Getting Started
Getting started with Falco
Setup
Learn how to install and configure Falco
Falco Rules
Write and customize Falco Rules to secure your environment
Falco Outputs
Work with Falco Outputs and send Falco Alerts in your desired platform
Metrics
Falco Metrics and Performance
Falco Plugins
Extend Falco functionality using Plugins for Falco libraries/Falco daemon
Event Sources
Leverage multiple Event Sources to increase the power of Falco
Developer Guide
Learn how to develop with Falco
Troubleshooting
Community driven troubleshooting guides
Reference
Quick access to Falco customization options, default rules, supported fields and much more
Contribute
Find out how to contribute to the Falco Project
The Falco Roadmap
The Project direction
Available Documentation Versions
Archived versions of Falco Documentation
Was this page helpful?
Let us know! You feedback will help us to improve the content and to stay in touch with our users.
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.