This glossary is intended to be a comprehensive, standardized list of Falco terminology. It includes technical terms that are specific to Falco, as well as more general terms that provide useful context.
The behavior of an application, container, or other component considered to be suspicious.
Downstream actions executed after a rule is triggered. They can be as simple as logging to stdout or as complex as delivering a gRPC call to a client.
Falco supports sending alerts to:
- Standard Output
- A file
- A spawned program
- An HTTP[s] endpoint
- A client through the gRPC API
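The alert channels listed above are selected in Falco's main configuration file. The following falco.yaml fragment is an added example, not taken from the page or from the Falco project's shipped default file; the file path, URL and program command line are constructed placeholders, and each channel is shown with its enable switch so the relationship between the list above and the configuration keys is visible.

```yaml
# Emit alerts as JSON so that file, program and HTTP consumers can parse them.
json_output: true

# Standard Output
stdout_output:
  enabled: true

# A file (path is a constructed placeholder)
file_output:
  enabled: true
  keep_alive: false
  filename: /var/log/falco/events.json

# A spawned program: each alert is written to the program's stdin
# (the command line below is a constructed placeholder)
program_output:
  enabled: false
  keep_alive: false
  program: "jq '{text: .output}' | curl -s -X POST -d @- https://example.invalid/webhook"

# An HTTP[s] endpoint (URL is a constructed placeholder)
http_output:
  enabled: false
  url: https://example.invalid/falco

# A client through the gRPC API: the gRPC server must also be enabled
grpc:
  enabled: true
  bind_address: "unix:///run/falco/falco.sock"
grpc_output:
  enabled: true
```

Several channels can be enabled at once; each alert is delivered to every enabled channel, so the usual defensive pattern is to keep stdout or file output on as a local audit trail even when alerts are also forwarded elsewhere.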
Criteria to trigger an alert.
A key part of a rule is the condition field. A condition is a Boolean predicate expressed using the condition syntax. It is possible to express conditions on all supported events using their respective supported fields.
Through libsinsp, Falco can enrich events with metadata from the container engine and/or the Kubernetes control plane.
Identify a suspicious event or behavior.
The general term for the software that sends events from the kernel.
eBPF is a technology to collect metrics and events from the kernel in a secure way.
eBPF is a technology that can run sandboxed programs in a privileged context, such as the operating system kernel. It is used to extend the kernel's capabilities at runtime without requiring changes to the kernel source code or loading kernel modules. It is considered safer than kernel modules since it cannot crash your system.
Generates a variety of suspicious actions that are detected by Falco rulesets.
Exceptions are cases where the behavior detected by the rule should be allowed.
The name of the project and the main engine on which the rest of the project is built.
Prometheus Metrics Exporter for Falco output events.
The official CLI tool for working with Falco and its ecosystem components.
Connect Falco with third parties.
The fields are used in the condition of a rule and in the output.
In the output, the fields are automatically replaced by their values so that the alert carries its full context.
gRPC is a modern open source, high-performance Remote Procedure Call (RPC) framework that can run in any environment.
It can efficiently connect services in and across data centers with pluggable support for load balancing, tracing, health checking, and authentication. It also applies in the last mile of distributed computing to connect devices, mobile applications, and browsers to backend services.
Unsolicited presence in a system.
The kernel is the operating system's core and generally has complete control over everything in the system.
Used to describe the .ko object that would be loaded into the kernel as a potentially risky kernel module.
This is one option used to pass kernel events up to userspace for Falco to consume. Sometimes this word is incorrectly used to refer to a probe.
The kernel module collects syscall events from the kernel, as the eBPF probe does.
The memory space where the kernel executes and provides its services.
Audit logs from the Kubernetes control plane.
Kubernetes auditing provides a security-relevant, chronological set of records documenting the sequence of actions in a cluster.
libscap, aka library for System CAPture, is the library used by Falco to collect the events from the ring buffer before forwarding them up to libsinsp.
libsinsp, aka library for System INSPection, receives the events from libscap and enriches them with machine state.
Macros are rule condition snippets that can be reused inside rules and even other macros.
Macros provide a way to name common patterns and factor out redundancies in rules.
A more robust eBPF probe, which brings the CO-RE paradigm, better performance, and maintainability.
It will replace the default eBPF probe in the future.
Observing the evolution of a process over time.
Format of the generated alert; the fields used as keys are automatically replaced with their values.
A dynamic shared library (a .so file) that conforms to a documented API and allows extending the possible inputs for Falco.
Every Falco rule has a priority that indicates how serious a violation of the rule is.
This is similar to what we know as the severity of a syslog message. The priority is included in the message/JSON output/etc.
Used to describe the .o object that would be dynamically loaded into the kernel as a secure and stable eBPF probe.
This is one option used to pass kernel events up to userspace for Falco to consume. Sometimes this word is incorrectly used to refer to a module.
Action to remediate an incident.
Action following the detection, for example, deleting a compromised container.
System of reaction to alerts built on dedicated applications, FaaS or Serverless.
The ring buffer is a memory buffer that behaves as if it had a circular shape, used for FIFO (first in, first out) delivery.
It is used to pass the events from the driver (kernel space) to the libscap library (user space).
Rules are conditions under which an alert should be generated.
A rule is accompanied by a descriptive output string that is sent with the alert.
Runtime security is the process of providing protection for your host, containers, and applications while they’re running.
A source plugin provides a new event source.
It has the ability to "open" and "close" a session that provides events. A source plugin can also be an extractor.
Syscalls stands for system calls, a way to request a service from the running kernel.
Labels that can be attached to rules, allowing a subset of rules to be selected for enabling.
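The entries for condition, exception, fields, macro, output, priority, rule and tags all describe parts of one rules file. The rules snippet below is an added example that ties them together; it is not part of the page or of the Falco project's own ruleset, and the rule name, macro names, exception name and the image repository in the exception are constructed for illustration. The field names (evt.type, evt.dir, proc.name, container.id, container.image.repository, user.name, proc.cmdline) and the exceptions layout follow Falco's documented rule syntax.

```yaml
# Macro: a named condition snippet reused by rules and other macros.
# container.id is "host" for processes that are not in a container.
- macro: container
  condition: container.id != host

# Macro: a process exec event, matched on the exit side of the syscall (evt.dir=<).
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

# Rule: condition, output with %field placeholders, priority, tags and an exception.
- rule: Shell Spawned In Container (example)
  desc: A shell binary was started inside a container.
  condition: spawned_process and container and proc.name in (bash, sh, dash, zsh)
  # Exception: cases where the behaviour matched above is allowed.
  # This one whitelists a constructed image repository; each entry in
  # "values" is a list aligned with "fields", and "in" takes a list of values.
  exceptions:
    - name: allowed_debug_images
      fields: [container.image.repository]
      comps: [in]
      values:
        - [[docker.io/example/debug-tools]]
  # Output: fields prefixed with % are replaced by their values in the alert.
  output: >-
    Shell spawned in a container
    (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline
    container_id=%container.id image=%container.image.repository)
  # Priority: syslog-like severity carried in the alert.
  priority: WARNING
  # Tags: labels used to enable or disable subsets of rules.
  tags: [container, shell, example]
```

When loaded, the macro names inside the condition are expanded in place, the exception is turned into an additional negated clause of the condition, and every %field in the output string is resolved from the event and its container metadata at alert time. Tags are what falco's rule-selection options operate on, so grouping rules by tag is the practical way to enable only the subset relevant to a given host.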
Following the path of a request through several components and/or applications.
The memory space where all user actions and applications are executed.