Falco
Falco is a cloud native runtime security tool for Linux operating systems. It is designed to detect and alert on abnormal behavior and potential security threats in real-time.
At its core, Falco is a kernel event monitoring and detection agent that captures events, such as syscalls, based on custom rules. Falco can enhance these events by integrating metadata from the container runtime and Kubernetes. The collected events can be analyzed off-host in SIEM or data lake systems.
Falco, originally created by Sysdig, is an incubating project under the Cloud Native Computing Foundation (CNCF) used in producation by various organisations.
For detailed technical information and insights into the cyber threats that Falco can detect, visit the official Falco website.
For comprehensive information on the latest updates and changes to the project, please refer to the change log. Additionally, we have documented the release process for delivering new versions of Falco.
Falco Repo: Powering the Core of The Falco Project
This is the main Falco repository which contains the source code for building the Falco binary. By utilizing its libraries and the falco.yaml configuration file, this repository forms the foundation of Falco's functionality. The Falco repository is closely interconnected with the following core repositories:
- falcosecurity/libs: Falco's libraries are key to its fundamental operations, making up the greater portion of the source code of the Falco binary and providing essential features such as kernel drivers.
- falcosecurity/rules: Contains the official ruleset for Falco, providing pre-defined detection rules for various security threats and abnormal behaviors.
- falcosecurity/plugins: Falco plugins facilitate integration with external services, expand Falco's capabilities beyond syscalls and container events, and are designed to evolve with specialized functionality in future releases.
- falcosecurity/falcoctl: Command-line utility for managing and interacting with Falco.
For more information, visit the official hub of The Falco Project: falcosecurity/evolution. It provides valuable insights and information about the project's repositories.
Getting Started with Falco
Carefully review and follow the official guide and documentation.
Considerations and guidance for Falco adopters:
-
Understand dependencies: Assess the environment where you'll run Falco and consider kernel versions and architectures.
-
Define threat detection objectives: Clearly identify the threats you want to detect and evaluate Falco's strengths and limitations.
-
Consider performance and cost: Assess compute performance overhead and align with system administrators or SREs. Budget accordingly.
-
Choose build and customization approach: Decide between the open source Falco build or creating a custom build pipeline. Customize the build and deployment process as necessary, including incorporating unique tests or approaches, to ensure a resilient deployment with fast deployment cycles.
-
Integrate with output destinations: Integrate Falco with SIEM, data lake systems, or other preferred output destinations to establish a robust foundation for comprehensive data analysis and enable effective incident response workflows.
How to Contribute
Please refer to the contributing guide and the code of conduct for more information on how to contribute.
Join the Community
To get involved with the Falco Project please visit the community repository to find more information and ways to get involved.
If you have any questions about Falco or contributing, do not hesitate to file an issue or contact the Falco maintainers and community members for assistance.
How to reach out?
- Join the #falco channel on the Kubernetes Slack.
- Join the Falco mailing list.
- File an issue or make feature requests.
Commitment to Falco's Own Security
Full reports of various security audits can be found here.
In addition, you can refer to the falco security and libs security sections for detailed updates on security advisories and policies.
To report security vulnerabilities, please follow the community process outlined in the documentation found here.
What's next for Falco?
Stay updated with Falco's evolving capabilities by exploring the Falco Roadmap, which provides insights into the features currently under development and planned for future releases.
License
Falco is licensed to you under the Apache 2.0 open source license.