What is Falco?

Onur Yaşar
Published in adessoTurkey
3 min read · Dec 31, 2021

Attacks on Linux systems are reported almost every day: intruders who want to profit from compromising a system, and others who simply want to do damage. To detect this kind of activity and protect our systems, we need security tooling such as Falco.

Falco is also a genus name in biological taxonomy. It is Late Latin for a falcon, from falx, falcis, meaning "a sickle", referring to the shape of the bird's claws. Falco's logo is, obviously, a falcon :)

Falco is a cloud-native runtime security project originally built by Sysdig, Inc. It is mainly a Kubernetes threat detection engine: it watches what processes actually do at runtime and flags behaviour that should not happen.

For example, spawning a shell in a container is most likely not required in production and could be a sign of an attack.

Falco is the first runtime security project to join the CNCF (Cloud Native Computing Foundation) as an incubation-level project. Falco acts like a security camera, continuously detecting unexpected behaviour, configuration changes, intrusions, and data theft in real time.

What does Falco do?
Falco uses system calls to secure and monitor a system, by:

  • Parsing Linux system calls from the kernel at runtime
  • Evaluating the resulting event stream against a powerful rule engine
  • Alerting when an event matches a rule

Why do we need Falco?
A standard Kubernetes cluster does not provide any mechanism for monitoring system-call-level events such as a shell being spawned in a container; a tool like Falco is therefore required.

Falco makes it possible to monitor such events directly inside the cluster. The events may include:

  • Outgoing connections to specific IPs or domains
  • Use or mutation of sensitive files such as /etc/passwd
  • Execution of system binaries such as su
  • Privilege escalation or changes to the namespace
  • Modifications in certain folders such as /sbin

Falco Architecture

How to Install Falco

Debian/Ubuntu
Install as a Package
# run as root (or prefix each command with sudo)
curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add -
echo "deb https://download.falco.org/packages/deb stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list
apt-get update -y
# kernel headers are needed to build the Falco kernel module for the running kernel
apt-get -y install linux-headers-$(uname -r)
apt-get install -y falco

Install as a DaemonSet
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco falcosecurity/falco

Run Falco as a Service
If you installed Falco from the DEB or RPM package, you can enable and start the service by running:
systemctl enable falco
systemctl start falco

You can view the logs using journalctl. This command shows the alerts that Falco generates: the -u flag selects the falco unit, and the -f flag follows the journal so new alerts are printed continuously as they arrive.
journalctl -fu falco

Falco Rules Examples
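The shell script below is an added example, not code from the original post or from the Falco project. It ties together the rule engine described under "What does Falco do?", the event list under "Why do we need Falco?", and the service steps above: it writes a minimal custom rule for the "shell spawned in a container" case, runs a syntax sanity check that needs no Falco installation, and then shows the commands to validate the rule with Falco, trigger it, and read the alert from the journal. The rule name, the file path under /etc/falco/rules.d, the check_rule_file helper, the container name "victim", and the nginx:alpine image are assumptions for illustration; the filter fields (evt.type, evt.dir, container.id, proc.name, the %... output fields) are standard Falco fields.

```shell
#!/bin/sh
# Added example, not from the original post or the Falco project.
# Assumed: rule name, file path below, container name "victim", image nginx:alpine.

RULE_FILE="${RULE_FILE:-/etc/falco/rules.d/shell_in_container.yaml}"

# Write the rule. Only built-in Falco filter fields are used (no macros from
# falco_rules.yaml), so the file can be validated and loaded on its own.
write_shell_rule() {
  out="$1"
  mkdir -p "$(dirname "$out")"
  cat > "$out" <<'EOF'
- rule: Shell spawned in container (custom)
  desc: >
    A shell binary was executed inside a container. Production containers
    rarely need an interactive shell, so this usually means a kubectl/docker
    exec or a reverse shell. Assumed custom rule for illustration.
  condition: >
    evt.type = execve and evt.dir = <
    and container.id != host
    and proc.name in (sh, bash, dash, zsh, ash)
  output: >
    Shell spawned in container
    (user=%user.name container=%container.name image=%container.image.repository
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell, custom]
EOF
  echo "$out"
}

# Hypothetical sanity check that needs no Falco: each mandatory key of a rule
# (rule, desc, condition, output, priority) must appear exactly once.
check_rule_file() {
  f="$1"
  for key in rule desc condition output priority; do
    n=$(grep -c "^[- ] *${key}:" "$f")
    [ "$n" -eq 1 ] || return 1
  done
  return 0
}

# On a host with Falco installed from the package (run as root): validate the
# rule with Falco itself, load it, trigger it, and read the alert.
demo_on_host() {
  falco -V "$RULE_FILE"                      # Falco parses and validates the rules file
  systemctl restart falco                    # pick up the new file from /etc/falco/rules.d
  docker run -d --name victim nginx:alpine   # assumed container
  docker exec victim /bin/sh -c 'id'         # execve of sh inside a container trips the rule
  journalctl -u falco --since "1 min ago" | grep "Shell spawned in container"
}

# Usage: sh shell_rule.sh --apply   (writes the rule and runs the demo on this host)
if [ "${1:-}" = "--apply" ]; then
  write_shell_rule "$RULE_FILE" >/dev/null && check_rule_file "$RULE_FILE" && demo_on_host
fi
```

The condition deliberately uses evt.dir = < (the exit of execve, once the new process image is in place) and container.id != host so that shells on the node itself are not reported; the alert is also written to the journal because the packaged service logs to stdout and syslog.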

Example Usage

Reference Links
https://blog.ti8m.com/Falco.html
https://falco.org/docs/getting-started/
https://www.cncf.io/online-programs/getting-started-with-container-runtime-security-using-falco/
https://github.com/falcosecurity/charts/tree/master/falco
