What is Falco?
The Falco Project is an open source runtime security tool originally built by Sysdig, Inc. Falco was donated to the CNCF and is now a CNCF incubating project.
What does Falco do?
Falco consumes the stream of Linux system calls from the kernel at runtime and evaluates every event against its rules engine. When an event matches a rule, a Falco alert is triggered. Read more about Falco rules.
What does Falco look for?
By default Falco ships with a mature set of rules that inspect the kernel's system call stream for unusual behavior such as
- Privilege escalation using privileged containers
- Namespace changes using tools like
- Read/Writes to well-known directories such as
- Creating symlinks
- Ownership and Mode changes
- Unexpected network connections or socket mutations
- Spawned processes using
- Executing shell binaries such as
- Executing SSH binaries such as
- Mutating Linux
- Mutating login binaries
…and many more.
What are Falco rules?
These are the conditions that Falco evaluates every event against. They are defined in rules files referenced from the Falco configuration, and describe the behavior you want to be alerted on in your system.
See the section on rules for more information on writing, managing, and deploying Falco rules.
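A concrete rule makes the rule structure above, and one of the behaviors listed under "What does Falco look for?" (a shell spawned inside a container), tangible. The file below is an added example written for this page, not a rule taken from the Falco project's default rule set; the rule name, the contents of the `shell_binaries` list, the file path, and the image and parent process named in the exception are illustrative choices.

```yaml
# Added example rules file (not from the upstream Falco rules); every name below
# is illustrative. Save as e.g. /etc/falco/rules.d/shell_in_container.yaml.

# Lists are reusable sets of values that can be referenced inside conditions.
- list: shell_binaries
  items: [sh, bash, csh, zsh, dash]

# Macros are reusable condition fragments.
# container.id is "host" for processes that are not running in a container.
- macro: container
  condition: container.id != host

# Match the exit (evt.dir = <) of execve/execveat, i.e. a successful exec;
# at that point the proc.* fields describe the newly exec'd process.
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir = <

# The rule itself: condition is the filter, output is the alert template,
# priority feeds the minimum-priority filter in falco.yaml.
- rule: Shell Spawned In Container
  desc: >
    A shell binary was exec'd inside a container. Interactive shells are rare
    in production workloads and are a common first step after a compromise.
  condition: spawned_process and container and proc.name in (shell_binaries)
  output: >
    Shell spawned in container (user=%user.name container_id=%container.id
    container_name=%container.name image=%container.image.repository
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell]
  # Tune out a known-good case instead of disabling the rule: the exception
  # suppresses the alert when every listed field equals the value in one row.
  exceptions:
    - name: known_entrypoint_shell
      fields: [container.image.repository, proc.pname]
      comps: [=, =]
      values:
        - [docker.io/library/busybox, entrypoint.sh]   # assumed image and parent
```

Validate the file with `falco -V <file>` before deploying it, and load it next to the defaults with `-r <file>`; because `output` is a template, every `%field` in it is resolved from the matching event, so a rule fires with the context an analyst needs rather than a bare "shell seen" message.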
What are Falco alerts?
These are configurable downstream actions that can be as simple as logging to STDOUT or as complex as delivering a gRPC call to a client.
See the section on alerts for more information on configuring, understanding, and developing Falco alerts.
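The output channels are selected in falco.yaml, and several can be enabled at once. The fragment below is an added example for this page, not the configuration file shipped by the project; the log file path and the `http_output` URL (pointing at a hypothetical Falcosidekick instance) are assumptions.

```yaml
# Added example falco.yaml fragment (not the project's shipped file); paths and
# URLs are assumptions. Each *_output block is an independent alert channel.

# Emit one JSON object per alert instead of a single text line; structured
# output is what downstream collectors and SIEMs expect.
json_output: true
json_include_output_property: true

# Drop alerts below this priority before they reach any channel.
priority: warning

# Simplest channel: the STDOUT stream mentioned above.
stdout_output:
  enabled: true

# Append to a local file; keep_alive: false reopens the file for every alert,
# so log rotation keeps working.
file_output:
  enabled: true
  keep_alive: false
  filename: /var/log/falco/events.json   # assumed path

# POST each alert to an HTTP endpoint, here an assumed Falcosidekick address.
http_output:
  enabled: true
  url: http://falcosidekick:2801/

# Expose alerts over gRPC on a Unix socket so a client can subscribe to the
# output stream.
grpc:
  enabled: true
  bind_address: "unix:///run/falco/falco.sock"
grpc_output:
  enabled: true

# Flush every alert immediately instead of buffering: lower throughput, but no
# delay between the event and the responder seeing it.
buffered_outputs: false
```

Any of these keys can be overridden for a single run without editing the file, for example `falco -o json_output=true -o priority=notice`, which is convenient when comparing a rule's noise level at different priorities.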
Falco is composed of 3 main components
- Userspace program
- Falco driver
- Falco configuration
Falco userspace program
This is the CLI tool falco. This is the program a user interacts with. The userspace program is responsible for handling signals, parsing information from a Falco driver, and alerting.
Falco driver
This is a piece of software that adheres to the Falco driver spec and can send a stream of system call information from the kernel. Falco cannot run without a driver installed.
Currently the Falco project has support for the following drivers
- (Default) A kernel module built on
- A BPF probe built from the same modules
- A new BPF probe being built out by the Falco community
Falco configuration
This defines how Falco is run, what rules to assert, and how to perform alerts. See the section on configuration for more information on how to configure Falco.