• Stars
    star
    6,860
  • Rank 5,736 (Top 0.2 %)
  • Language
    C++
  • License
    Apache License 2.0
  • Created almost 9 years ago
  • Updated 8 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Cloud Native Runtime Security

Falco

Latest release Supported Architectures License Docs

Falco Core Repository Stable OpenSSF Best Practices

Falco

Falco is a cloud native runtime security tool for Linux operating systems. It is designed to detect and alert on abnormal behavior and potential security threats in real-time.

At its core, Falco is a kernel event monitoring and detection agent that captures events, such as syscalls, based on custom rules. Falco can enhance these events by integrating metadata from the container runtime and Kubernetes. The collected events can be analyzed off-host in SIEM or data lake systems.

Falco, originally created by Sysdig, is an incubating project under the Cloud Native Computing Foundation (CNCF) used in producation by various organisations.

For detailed technical information and insights into the cyber threats that Falco can detect, visit the official Falco website.

For comprehensive information on the latest updates and changes to the project, please refer to the change log. Additionally, we have documented the release process for delivering new versions of Falco.

Falco Repo: Powering the Core of The Falco Project

This is the main Falco repository which contains the source code for building the Falco binary. By utilizing its libraries and the falco.yaml configuration file, this repository forms the foundation of Falco's functionality. The Falco repository is closely interconnected with the following core repositories:

  • falcosecurity/libs: Falco's libraries are key to its fundamental operations, making up the greater portion of the source code of the Falco binary and providing essential features such as kernel drivers.
  • falcosecurity/rules: Contains the official ruleset for Falco, providing pre-defined detection rules for various security threats and abnormal behaviors.
  • falcosecurity/plugins: Falco plugins facilitate integration with external services, expand Falco's capabilities beyond syscalls and container events, and are designed to evolve with specialized functionality in future releases.
  • falcosecurity/falcoctl: Command-line utility for managing and interacting with Falco.

For more information, visit the official hub of The Falco Project: falcosecurity/evolution. It provides valuable insights and information about the project's repositories.

Getting Started with Falco

Carefully review and follow the official guide and documentation.

Considerations and guidance for Falco adopters:

  1. Understand dependencies: Assess the environment where you'll run Falco and consider kernel versions and architectures.

  2. Define threat detection objectives: Clearly identify the threats you want to detect and evaluate Falco's strengths and limitations.

  3. Consider performance and cost: Assess compute performance overhead and align with system administrators or SREs. Budget accordingly.

  4. Choose build and customization approach: Decide between the open source Falco build or creating a custom build pipeline. Customize the build and deployment process as necessary, including incorporating unique tests or approaches, to ensure a resilient deployment with fast deployment cycles.

  5. Integrate with output destinations: Integrate Falco with SIEM, data lake systems, or other preferred output destinations to establish a robust foundation for comprehensive data analysis and enable effective incident response workflows.

How to Contribute

Please refer to the contributing guide and the code of conduct for more information on how to contribute.

Join the Community

To get involved with the Falco Project please visit the community repository to find more information and ways to get involved.

If you have any questions about Falco or contributing, do not hesitate to file an issue or contact the Falco maintainers and community members for assistance.

How to reach out?

Commitment to Falco's Own Security

Full reports of various security audits can be found here.

In addition, you can refer to the falco security and libs security sections for detailed updates on security advisories and policies.

To report security vulnerabilities, please follow the community process outlined in the documentation found here.

What's next for Falco?

Stay updated with Falco's evolving capabilities by exploring the Falco Roadmap, which provides insights into the features currently under development and planned for future releases.

License

Falco is licensed to you under the Apache 2.0 open source license.

Resources

More Repositories

1

falcosidekick

Connect Falco to your ecosystem
Go
502
star
2

charts

Community managed Helm charts for running Falco with Kubernetes
Go
220
star
3

libs

libsinsp, libscap, the kernel module driver, and the eBPF driver sources
C
200
star
4

falco-talon

Response Engine for managing threats in your Kubernetes
Go
112
star
5

falco-exporter

Prometheus Metrics Exporter for Falco output events
Go
108
star
6

falcosidekick-ui

A simple WebUI with latest events from Falco
Vue
97
star
7

rules

Falco rule repository
Go
92
star
8

falcoctl

Administrative tooling for Falco
Go
81
star
9

event-generator

Generate a variety of suspect actions that are detected by Falco rulesets
Go
73
star
10

plugins

Falco plugins registry
Go
69
star
11

pdig

ptrace-based event producer for udig
C
65
star
12

driverkit

Kit for building Falco drivers: kernel modules or eBPF probes
Go
61
star
13

client-go

Go client and SDK for Falco
Go
52
star
14

community

The Falco Project Community
50
star
15

evolution

Evolution process of The Falco Project
Go
45
star
16

falco-website

Source code of the official Falco website
HTML
32
star
17

test-infra

Falco workflow & testing infrastructure
Jsonnet
30
star
18

plugin-sdk-go

Falco plugins SDK for Go
Go
23
star
19

client-py

Python client and SDK for Falco
Python
19
star
20

falco-playground

Web-application used to validate Falco rules and test against scap file
TypeScript
19
star
21

kernel-crawler

A tool to crawl Linux kernel versions
Python
17
star
22

k8s-metacollector

Fetches the metadata from kubernetes API server and dispatches them to Falco instances
Go
14
star
23

client-rs

The rust language implementation of the Falco client
Rust
14
star
24

kilt

Kilt is a project that defines how to inject foreign apps into containers
Go
13
star
25

testing

All-purpose test suite for Falco and its ecosystem
Go
11
star
26

kernel-testing

Ansible playbooks to provision firecracker VMs and run Falco kernel tests
Dockerfile
11
star
27

deploy-kubernetes

Kubernetes deployment resources for Falco
10
star
28

libs-sdk-go

Go SDK for Falco libs
Go
5
star
29

syscalls-bumper

A tool to automatically update supported syscalls in libs
Go
5
star
30

falco-aws-terraform

Terraform Module for Falco AWS Resources
HCL
5
star
31

plugin-sdk-rs

Falco plugins SDK for Rust
Rust
5
star
32

.github

Default community health files
4
star
33

pigeon

Secrets and config manager for Falco's infrastructure
Go
3
star
34

ebpf-probe

eBPF probe for syscall events
3
star
35

kernel-module

3
star
36

dbg-go

A go tool to work with falcosecurity drivers build grid
Go
2
star
37

plugin-sdk-cpp

Falco plugins SDK for C++
C++
2
star
38

libsinsp

System inspection library
2
star
39

libscap

2
star
40

cncf-green-review-testing

Falco configurations intended for testing with the CNCF Green Reviews Working Group
2
star
41

template-repository

Acts as a template for new repositories
1
star
42

advocacy

Advocacy machinery
1
star
43

peribolos-syncer

Tool to synchronize Peribolos configuration with GitHub people sources of truth.
Go
1
star
44

contrib

Community sandbox to test-drive ideas/projects/code
Python
1
star
45

flycheck-falco-rules

Falco Rules Syntax Checker for Emacs, Using Flycheck
Emacs Lisp
1
star