The Latest

Falco – Open Source Cloud Runtime Security Suite

byPriyanshu Sahay
February 2, 2021
3 minute read
Falco Cloud Security
Falco Cloud Security
Total
0
Shares
0
0
0
0
0
Falco is an Open Source Cloud-native Runtime Security Suite.

The Falco Cloud Security Project, originally created by Sysdig, is an incubating CNCF open source cloud native runtime security tool. Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack. Falco can also be extended to other data sources by using plugins. Falco has a rich set of security rules specifically built for Kubernetes, Linux, and cloud-native. If a rule is violated in a system, Falco will send an alert notifying the user of the violation and its severity.

What can Falco detect?

Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, Falco can easily detect incidents including but not limited to:

  • A shell is running inside a container or pod in Kubernetes.
  • A container is running in privileged mode, or is mounting a sensitive path, such as /proc, from the host.
  • A server process is spawning a child process of an unexpected type.
  • Unexpected read of a sensitive file, such as /etc/shadow.
  • A non-device file is written to /dev.
  • A standard system binary, such as ls, is making an outbound network connection.
  • A privileged pod is started in a Kubernetes cluster.

Installing Falco

If you would like to run Falco in production please adhere to the official installation guide.
Kubernetes
          Tool                       Link                                         Note
  • Helm          Chart Repository      The Falco community offers regular helm chart releases.
  • Minikube          Tutorial               The Falco driver has been baked into minikube for easy deployment.
  • Kind                   Tutorial              Running Falco with kind requires a driver on the host system.
  • GKE                   Tutorial              We suggest using the eBPF driver for running Falco on GKE.

Developing

Falco is designed to be extensible such that it can be built into cloud-native applications and infrastructure.
Falco has a gRPC endpoint and an API defined in protobuf. The Falco Project supports various SDKs for this endpoint.

SDKs

Language    Repository
   Go                  client-go
  Rust               client-rs
  Python          client-py

What can Falco detect?

Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process.
For example, Falco can easily detect incidents including but not limited to:
  • A shell is running inside a container or pod in Kubernetes.
  • A container is running in privileged mode, or is mounting a sensitive path, such as /proc, from the host.
  • A server process is spawning a child process of an unexpected type.
  • Unexpected read of a sensitive file, such as /etc/shadow.
  • A non-device file is written to /dev.
  • A standard system binary, such as ls, is making an outbound network connection.
  • A privileged pod is started in a Kubernetes cluster.

Join Our Club

Enter your Email address to receive notifications | Join over Million Followers

Previous Article

SSRF King- Burp Suit Plugin To Automates SSRF Detection

byPriyanshu Sahay
February 2, 2021
2 minute read
Next Article
Chrome Update

Google Fixes Zero-Day For Chrome Browser

byPriyanshu Sahay
February 5, 2021
2 minute read
Related Posts
Total
0
Share
0
0
0
0
0
0