What Falco Does
- Syscall Monitoring: Observe all system calls on hosts and containers
- Rule-Based Detection: Pre-built rules for common threats + custom rules
- Real-Time Alerts: Detect and alert within milliseconds of suspicious activity
- Kubernetes Integration: Enrich alerts with Kubernetes metadata (pod, namespace, labels)
- Multiple Drivers: Modern eBPF (recommended), legacy eBPF, or kernel module
- Container Awareness: Understand container context and isolation
- Output Channels: Syslog, files, HTTPS, gRPC, Slack, PagerDuty
- Falcosidekick: Forward alerts to 50+ destinations
- Compliance: Pre-built rulesets for PCI, HIPAA, NIST 800-53
- Incident Response: Trigger automated response actions
Architecture
```
┌────────────────────────────────────┐
│            Node / Host             │
│ ┌──────────────────────────────┐   │
│ │         Linux Kernel         │   │
│ │ ┌──────────────────────┐     │   │
│ │ │     eBPF Probes      │     │   │
│ │ │ - Syscalls           │     │   │
│ │ │ - Network Events     │     │   │
│ │ │ - Process Events     │     │   │
│ │ └──────────┬───────────┘     │   │
│ └────────────┼─────────────────┘   │
│              │                     │
│     ┌────────▼─────────┐           │
│     │   Falco Engine   │           │
│     │ - Rule Matching  │           │
│     │ - K8s Enrichment │           │
│     └────────┬─────────┘           │
└──────────────┼─────────────────────┘
               │
      ┌────────▼──────────┐
      │   Falcosidekick   │
      │  (Alert Router)   │
      └────────┬──────────┘
               │
    ┌──────────┼────────────┐
    │          │            │
 ┌──┴──┐ ┌─────┴────┐  ┌────┴───┐
 │Slack│ │PagerDuty │  │  SIEM  │
 └─────┘ └──────────┘  └────────┘
```
Installation
Kubernetes via Helm (Recommended)
```shell
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco falcosecurity/falco \
  --namespace falco --create-namespace \
  --set driver.kind=modern_ebpf \
  --set tty=true \
  --set falcosidekick.enabled=true \
  --set falcosidekick.webui.enabled=true
```
Linux Host
```shell
# Debian/Ubuntu
curl -fsSL https://falco.org/repo/falcosecurity-packages.asc | \
  sudo gpg --dearmor -o /usr/share/keyrings/falco-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/falco-archive-keyring.gpg] https://download.falco.org/packages/deb stable main" | \
  sudo tee /etc/apt/sources.list.d/falcosecurity.list
sudo apt update
sudo apt install -y falco

# Start the service and follow its log
sudo systemctl start falco
sudo journalctl -u falco -f
```
Falco Rules
Default Rules (Examples)
```yaml
# Detect shell spawned in container
- rule: Terminal shell in container
  desc: A shell was used as the entrypoint/exec point into a container
  condition: >
    spawned_process and container
    and shell_procs and proc.tty != 0
    and container_entrypoint
  output: >
    A shell was spawned in a container (user=%user.name container=%container.info shell=%proc.name)
  priority: NOTICE
  tags: [container, shell, mitre_execution]

# Detect write to sensitive directory
- rule: Write below etc
  desc: An attempt to write to /etc
  condition: >
    write_etc_common and not proc.name in (allowed_etc_writers)
  output: >
    File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)
  priority: ERROR
  tags: [filesystem, mitre_persistence]

# Detect crypto mining
- rule: Detect crypto miners using the Stratum protocol
  desc: Miners typically use the Stratum protocol to communicate
  condition: >
    spawned_process and proc.cmdline contains "stratum+tcp"
  output: >
    Possible crypto mining (command=%proc.cmdline)
  priority: CRITICAL
  tags: [process, mitre_impact]
```
Custom Rules
Create custom-rules.yaml:
```yaml
# trusted_processes is referenced below but not defined in this file or in the
# default ruleset; define it as a "- list: trusted_processes" entry (here or in
# another loaded rules file) so the allowlist actually matches something.
- rule: Unauthorized Access to Secrets
  desc: Detect read access to Kubernetes secrets
  condition: >
    open_read and container
    and fd.name contains "/var/run/secrets/kubernetes.io/serviceaccount"
    and not proc.name in (trusted_processes)
  output: >
    Unauthorized access to secrets (user=%user.name pod=%k8s.pod.name command=%proc.cmdline)
  priority: WARNING

- rule: Reverse Shell Detected
  desc: Detect reverse shell execution
  condition: >
    spawned_process and container
    and (proc.name in (shell_binaries) and proc.cmdline contains "-i" and proc.pcmdline contains "/bin/")
  output: >
    Reverse shell detected (user=%user.name container=%container.info command=%proc.cmdline)
  priority: CRITICAL
```
Apply via ConfigMap:
```shell
kubectl create configmap custom-rules \
  --from-file=custom-rules.yaml \
  --namespace falco

# Update Helm values to include custom rules. --set-file reads the file
# verbatim (plain --set would split the YAML on commas); the dot in the
# key name must be escaped, and --reuse-values keeps the install-time settings.
helm upgrade falco falcosecurity/falco \
  --namespace falco \
  --reuse-values \
  --set-file 'customRules.custom-rules\.yaml=custom-rules.yaml'
```
Alert Output
Example Alert
```json
{
  "output": "A shell was spawned in a container (user=root container=app-xyz123 shell=bash)",
  "priority": "Notice",
  "rule": "Terminal shell in container",
  "time": "2024-04-10T12:34:56Z",
  "output_fields": {
    "container.id": "xyz123abc",
    "container.name": "app",
    "k8s.pod.name": "app-deployment-xyz123",
    "k8s.ns.name": "production",
    "proc.cmdline": "bash -i",
    "user.name": "root"
  }
}
```
Falcosidekick Integration
Falcosidekick forwards Falco alerts to 50+ destinations:
```yaml
# Configure outputs (Helm values for the falco chart)
falcosidekick:
  config:
    slack:
      webhookurl: https://hooks.slack.com/services/xxx/yyy/zzz
      minimumpriority: warning
      channel: "#security-alerts"
    pagerduty:
      routingkey: YOUR_PD_KEY
      minimumpriority: critical
    elasticsearch:
      hostport: http://elastic:9200
      index: falco
    opsgenie:
      apikey: YOUR_OPSGENIE_KEY
```
Supported destinations:
- Chat: Slack, Discord, Teams, Mattermost, Rocket.Chat
- Incidents: PagerDuty, OpsGenie, VictorOps
- SIEM: Splunk, Elasticsearch, Loki, Datadog
- Cloud: AWS SNS/SQS/Lambda, GCP Pub/Sub, Azure Event Hub
- Messaging: Kafka, NATS, RabbitMQ
- Notification: Email, SMS, Webhook
Falco vs Alternatives
| Feature | Falco | Tetragon | Aqua Runtime | Tracee |
|---|---|---|---|---|
| Open Source | Yes (Apache-2.0) | Yes (Apache-2.0) | No (paid) | Yes |
| Technology | eBPF + syscalls | eBPF | eBPF | eBPF |
| Rule language | YAML + CEL | TracingPolicy | Proprietary | Rego |
| Kubernetes | Native | Native | Native | Native |
| CNCF status | Graduated | Incubating | N/A | N/A |
| Performance | Good | Excellent | Good | Good |
| Maturity | Very mature | Newer | Mature | Newer |
FAQ
Q: Does Falco affect performance?
A: Very little. The eBPF driver's overhead is typically <1% CPU; the legacy kernel-module driver may be slightly higher. Falco is designed to be almost imperceptible in production.
Q: Are the default rules enough?
A: The default rules cover common threats (shell execution, privilege escalation, crypto mining, etc.) and are suitable for getting started quickly. For production, customize the rules to your application's characteristics to reduce false positives.
Q: How do I handle false positives?
A: Use macros to define allowlisted processes/containers/paths; for example, certain legitimate administrative operations should not trigger alerts. Falco supports flexible exception rules.
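The custom "Unauthorized Access to Secrets" rule above references a trusted_processes list it never defines, and the answer above says to tune with macros and exceptions. The following rules file is an added example written for this page (it is not Falco's own ruleset or the page's original rule) that does both: a list and a macro carry the allowlist, and an exceptions block carves out a narrow, structured carve-out instead of widening the condition. The process names, the image repositories and the backup namespace/job are assumed values for illustration; the field names (fd.name, proc.name, container.image.repository, k8s.ns.name) and the open_read macro are real Falco fields and default-ruleset macros.

```yaml
# Added example: tuned variant of the service-account-token rule from this page.
# Process names, images and the backup namespace below are assumed values;
# replace them with what is legitimate in your cluster.

# Processes allowed to read the token (assumed list; this is the list the
# page's original rule referenced without defining)
- list: trusted_processes
  items: [kubelet, vault-agent, secrets-store-csi]

# Images whose startup code legitimately reads the token (assumed list)
- list: sa_token_reader_images
  items: [docker.io/library/vault, registry.example.com/app/sidecar]

# Reusable macro for the detection itself
- macro: k8s_sa_token_read
  condition: >
    open_read and container
    and fd.name startswith /var/run/secrets/kubernetes.io/serviceaccount

# Reusable macro for the allowlist, so other rules can share it
- macro: trusted_sa_token_reader
  condition: >
    proc.name in (trusted_processes)
    or container.image.repository in (sa_token_reader_images)

- rule: Untrusted read of service account token
  desc: An untrusted process read the Kubernetes service-account token inside a container
  condition: k8s_sa_token_read and not trusted_sa_token_reader
  # Exceptions pair fields with comparison operators and value tuples; this one
  # silences a single assumed backup job in an assumed "backup" namespace
  # without touching the allowlist for the rest of the cluster.
  exceptions:
    - name: backup_job
      fields: [k8s.ns.name, proc.name]
      comps: [=, =]
      values:
        - [backup, restic]
  output: >
    Untrusted read of service account token (user=%user.name ns=%k8s.ns.name pod=%k8s.pod.name
    image=%container.image.repository command=%proc.cmdline file=%fd.name)
  priority: WARNING
  tags: [k8s, secrets, mitre_credential_access]
```

Load the file alongside the default ruleset (or through the chart's customRules value) and validate it before rolling it out with `falco -V custom-rules.yaml`. Keeping the allowlist in lists and macros means a reviewer sees every trusted name in one place, and the exceptions block records why a given noisy source was silenced rather than burying it in a growing `and not` chain.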
Sources and Acknowledgements
- GitHub: falcosecurity/falco — 8.8K+ ⭐ | Apache-2.0
- Website: falco.org