Officially supported Falco artifacts
You can deploy Falco on a local machine, in the cloud, on a managed Kubernetes cluster, or on a Kubernetes cluster such as K3s running on IoT and edge devices.
Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts are triggered based on specific system calls, their arguments, and properties of the calling process. Falco operates in both user space and kernel space. The Falco kernel module interprets the system calls, and libraries in user space then analyze them. The resulting events are filtered by a rules engine, where the Falco rules are configured. Suspicious events are then sent as alerts to the configured outputs, such as Syslog, files, standard output, and others.
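As an illustration of how a rule ties together a system call, its arguments, and properties of the calling process, here is an added example rule file (written for this page, not taken from Falco's shipped ruleset). The macro, list, and rule names are hypothetical, and the list of allowed processes is an assumption to tune per host.

```yaml
# Constructed example rules file; names prefixed with "example_" are hypothetical.

# System call + argument: an open-family syscall that opens a regular
# file with write access.
- macro: example_open_for_write
  condition: >
    evt.type in (open, openat, openat2)
    and evt.is_open_write=true
    and fd.typechar='f'

# Property of the calling process: binaries expected to modify /etc.
# Assumption: adjust this list to the package tooling used on the host.
- list: example_package_managers
  items: [dpkg, apt, apt-get, rpm, yum, dnf]

# The rules engine evaluates the condition against each event and
# formats the output string for whichever outputs are enabled.
- rule: Example write below etc by unexpected process
  desc: >
    A process other than a known package manager opened a file
    below /etc for writing.
  condition: >
    example_open_for_write
    and fd.name startswith /etc/
    and not proc.name in (example_package_managers)
  output: >
    File below /etc opened for writing
    (user=%user.name process=%proc.name cmdline=%proc.cmdline
    file=%fd.name container=%container.id)
  priority: WARNING
  tags: [filesystem, example]
```

The alert text is delivered to every output enabled in the Falco configuration, so the same rule can feed Syslog, a file, and standard output at once.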
Currently, you can deploy Falco by:
- Downloading and running Falco on a Linux host, or running the Falco userspace program in a container with a driver installed on the underlying host.
- Building from source and then running Falco on a Linux host or in a container.
Setting up Falco on a Linux system
Upgrading Falco on a Linux system
Installing Falco on a Cluster
Operating and Managing Falco
Build Falco or its libraries yourself from the source code
Community driven integrations built on the Falco core