Getting Started
Getting started with Falco
The Falco Project
Last modified August 8, 2022
Cloud Native Runtime Security
What is Falco?
The Falco Project is an open source runtime security tool originally built by Sysdig, Inc. Falco was donated to the CNCF and is now a CNCF incubating project.
What does Falco do?
Falco uses system calls to secure and monitor a system, by:
- Parsing the Linux system calls from the kernel at runtime
- Asserting the stream against a powerful rules engine
- Alerting when a rule is violated
For more information, see Falco Rules.
What does Falco check for?
Falco ships with a default set of rules that check the kernel for unusual behavior such as:
- Privilege escalation using privileged containers
- Namespace changes using tools like
setns - Read/Writes to well-known directories such as
/etc,/usr/bin,/usr/sbin, etc - Creating symlinks
- Ownership and Mode changes
- Unexpected network connections or socket mutations
- Spawned processes using
execve - Executing shell binaries such as
sh,bash,csh,zsh, etc - Executing SSH binaries such as
ssh,scp,sftp, etc - Mutating Linux
coreutilsexecutables - Mutating login binaries
- Mutating
shadowutilorpasswdexecutables such asshadowconfig,pwck,chpasswd,getpasswd,change,useradd,etc, and others.
What are Falco rules?
Rules are the items that Falco asserts against. They are defined in the Falco configuration file, and represent the events you can check on the system. For more information about writing, managing, and deploying rules, see Falco Rules.
What are Falco alerts?
Alerts are configurable downstream actions that can be as simple as logging to STDOUT or as complex as delivering a gRPC call to a client. For more information about configuring, understanding, and developing alerts, see Falco Alerts. Falco can send alerts to :
- Standard Output
- A file
- Syslog
- A spawned program
- A HTTP[s] end point
- A client through the gRPC API
What are the Components of Falco?
Falco is composed of three main components:
Userspace program - is the CLI tool
falcothat you can use to interact with Falco. The userspace program handles signals, parses information from a Falco driver, and sends alerts.Configuration - defines how Falco is run, what rules to assert, and how to perform alerts. For more information, see Configuration.
Driver - is a software that adheres to the Falco driver specification and sends a stream of system call information. You cannot run Falco without installing a driver. Currently, Falco supports the following drivers:
- (Default) Kernel module built on
libscapandlibsinspC++ libraries - BPF probe built from the same modules
- Userspace instrumentation
For more information, see Falco Drivers.
- (Default) Kernel module built on
Plugins - allow users to extend the functionality of falco libraries/falco executable by adding new event sources and new fields that can extract information from events. For more information, see Plugins.
Falco Rules
Write and customize Falco Rules to secure your environment
Falco Alerts
Integrate Falco and send Falco Alerts in your desired platform
Falco Plugins
Extend Falco functionality using Plugins for Falco libraries/Falco daemon
Event Sources
Leverage multiple Event Sources to increase the power of Falco
gRPC API
Enable and configure the gRPC capabilities of Falco
Tutorials
Learn Falco with How-To guides and tutorials
Reference
Quick access to Falco customization options, default rules, supported fields and much more
Contribute
Find out how to contribute to the Falco Project
Available Documentation Versions
Archived versions of Falco Documentation
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.
Last modified August 8, 2022: Increase separation between menu elements (e878435)