The Falco project, originally created by Sysdig, is an incubating CNCF open source cloud native runtime security tool. Falco makes consuming kernel events easier and uses information from Kubernetes and other cloud native stacks to enrich those events.
Falco can also be extended to other data sources through plug-ins. Falco ships with a rich set of security rules built specifically for Kubernetes, Linux and cloud native environments. When a rule is violated on the system, Falco sends an alert notifying the user of the violation and its severity.
Falco can detect and warn about any behaviour that involves making Linux system calls. Falco alerts can be triggered by specific system calls, their parameters, and the properties of the calling process. For example, Falco can easily detect events including, but not limited to:
- A shell running inside a Kubernetes container or pod.
- A container running in privileged mode, or mounting a sensitive path from the host, such as `/proc`.
- A server process spawning a child process of an unexpected type.
- Unexpected reads of sensitive files, such as `/etc/shadow`.
- A non-device file being written under `/dev`.
- A standard system binary (e.g. `ls`) establishing an outbound network connection.
- A privileged pod being started in the Kubernetes cluster.
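To make the detection model concrete, here is a small rules file in Falco's rule syntax covering two of the cases listed above: a shell spawned inside a container, and a read of a sensitive file. This is an added example written for this page, not code from the page or from the Falco project's default ruleset. The `list`/`macro`/`rule` structure, the priority levels and the event fields used (`evt.type`, `evt.dir`, `evt.is_open_read`, `container.id`, `proc.name`, `proc.pname`, `proc.cmdline`, `fd.name`, `user.name`, `k8s.pod.name`, `k8s.ns.name`) are standard Falco syntax; the rule and macro names, the set of shells, the set of sensitive files and the allow-listed credential consumers are my own choices for the example and should be tuned to the environment.

```yaml
# Added example Falco rules (not from the page or Falco's own ruleset).
# Names prefixed "example_" are assumptions made for this illustration.

- list: example_shell_binaries
  items: [bash, sh, zsh, dash, ksh]

- list: example_sensitive_files
  items: [/etc/shadow, /etc/sudoers, /etc/pam.conf]

# A process counts as spawned on the return side (evt.dir = <) of an
# execve-family syscall, i.e. once the new program image is in place.
- macro: example_spawned_process
  condition: evt.type in (execve, execveat) and evt.dir = <

# container.id is the literal string "host" for processes that run
# outside any container, so this macro selects containerised processes.
- macro: example_in_container
  condition: container.id != host

- rule: Example Shell Spawned in Container
  desc: >
    A shell binary was executed inside a container. This usually indicates
    interactive access (kubectl exec) or a dropped payload and is worth
    reviewing in production namespaces.
  condition: >
    example_spawned_process and example_in_container
    and proc.name in (example_shell_binaries)
  output: >
    Shell spawned in container
    (user=%user.name shell=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline container=%container.name
    pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: NOTICE
  tags: [example, container, shell]

- rule: Example Sensitive File Opened for Reading
  desc: >
    A credential or privilege configuration file was opened for reading by a
    process that is not one of the expected consumers of that file.
  condition: >
    evt.type in (open, openat, openat2) and evt.dir = <
    and evt.is_open_read = true
    and fd.name in (example_sensitive_files)
    and not proc.name in (sshd, sudo, su, login, passwd)
  output: >
    Sensitive file read
    (file=%fd.name user=%user.name proc=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline container=%container.name)
  priority: WARNING
  tags: [example, filesystem, credentials]
```

Loaded with `falco -r example_rules.yaml`, the first rule fires as NOTICE whenever one of the listed shells is exec'd in a container, and the second fires as WARNING on a successful read-open of any listed file by a process outside the allow list. The allow list is the tuning point: every legitimate reader of `/etc/shadow` in a given environment (PAM helpers, backup agents) should be added there rather than lowering the rule's priority, so that the alert stays meaningful.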