How do I install Falco — Cloud Native Runtime Security & Threat Detection?

Visit the asset page on TokRepo and click "Copy for agent" to get the installation instructions. Most assets can be installed with a single command.

Falco — Cloud Native Runtime Security & Threat Detection

What Falco Does

Syscall Monitoring: Observe all system calls on hosts and containers
Rule-Based Detection: Pre-built rules for common threats + custom rules
Real-Time Alerts: Detect and alert within milliseconds of suspicious activity
Kubernetes Integration: Enrich alerts with Kubernetes metadata (pod, namespace, labels)
Multiple Drivers: Modern eBPF (recommended), legacy eBPF, or kernel module
Container Awareness: Understand container context and isolation
Output Channels: Syslog, files, HTTPS, gRPC, Slack, PagerDuty
Falcosidekick: Forward alerts to 50+ destinations
Compliance: Pre-built rulesets for PCI, HIPAA, NIST 800-53
Incident Response: Trigger automated response actions

Architecture

┌────────────────────────────────────┐
│       Node / Host                   │
│  ┌──────────────────────────────┐   │
│  │     Linux Kernel             │   │
│  │  ┌──────────────────────┐    │   │
│  │  │  eBPF Probes         │    │   │
│  │  │  - Syscalls          │    │   │
│  │  │  - Network Events    │    │   │
│  │  │  - Process Events    │    │   │
│  │  └──────────┬───────────┘    │   │
│  └─────────────┼────────────────┘   │
│                │                     │
│       ┌────────▼─────────┐           │
│       │  Falco Engine    │           │
│       │  - Rule Matching │           │
│       │  - K8s Enrichment│           │
│       └────────┬─────────┘           │
└────────────────┼────────────────────┘
                 │
        ┌────────▼──────────┐
        │  Falcosidekick    │
        │  (Alert Router)    │
        └────────┬──────────┘
                 │
   ┌─────────────┼─────────────┐
   │             │             │
┌──┴──┐   ┌─────┴────┐   ┌────┴───┐
│Slack│   │PagerDuty │   │  SIEM  │
└─────┘   └──────────┘   └────────┘

Installation

Kubernetes via Helm (Recommended)

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

helm install falco falcosecurity/falco 
  --namespace falco --create-namespace 
  --set driver.kind=modern_ebpf 
  --set tty=true 
  --set falcosidekick.enabled=true 
  --set falcosidekick.webui.enabled=true

Linux Host

# Debian/Ubuntu
curl -fsSL https://falco.org/repo/falcosecurity-packages.asc | 
  sudo gpg --dearmor -o /usr/share/keyrings/falco-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/falco-archive-keyring.gpg] https://download.falco.org/packages/deb stable main" | 
  sudo tee /etc/apt/sources.list.d/falcosecurity.list

sudo apt update
sudo apt install -y falco

# Start service
sudo systemctl start falco
sudo journalctl -u falco -f

Falco Rules

Default Rules (Examples)

# Detect shell spawned in container
- rule: Terminal shell in container
  desc: A shell was used as the entrypoint/exec point into a container
  condition: >
    spawned_process and container
    and shell_procs and proc.tty != 0
    and container_entrypoint
  output: >
    A shell was spawned in a container (user=%user.name container=%container.info shell=%proc.name)
  priority: NOTICE
  tags: [container, shell, mitre_execution]

# Detect write to sensitive directory
- rule: Write below etc
  desc: An attempt to write to /etc
  condition: >
    write_etc_common and not proc.name in (allowed_etc_writers)
  output: >
    File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)
  priority: ERROR
  tags: [filesystem, mitre_persistence]

# Detect crypto mining
- rule: Detect crypto miners using the Stratum protocol
  desc: Miners typically use the Stratum protocol to communicate
  condition: >
    spawned_process and proc.cmdline contains "stratum+tcp"
  output: >
    Possible crypto mining (command=%proc.cmdline)
  priority: CRITICAL
  tags: [process, mitre_impact]

Custom Rules

Create custom-rules.yaml:

- rule: Unauthorized Access to Secrets
  desc: Detect read access to Kubernetes secrets
  condition: >
    open_read and container
    and fd.name contains "/var/run/secrets/kubernetes.io/serviceaccount"
    and not proc.name in (trusted_processes)
  output: >
    Unauthorized access to secrets (user=%user.name pod=%k8s.pod.name command=%proc.cmdline)
  priority: WARNING

- rule: Reverse Shell Detected
  desc: Detect reverse shell execution
  condition: >
    spawned_process and container
    and (proc.name in (shell_binaries) and proc.cmdline contains "-i" and proc.pcmdline contains "/bin/")
  output: >
    Reverse shell detected (user=%user.name container=%container.info command=%proc.cmdline)
  priority: CRITICAL

Apply via ConfigMap:

kubectl create configmap custom-rules 
  --from-file=custom-rules.yaml 
  --namespace falco

# Update Helm values to include custom rules
helm upgrade falco falcosecurity/falco 
  --namespace falco 
  --set customRules."custom-rules.yaml"="$(cat custom-rules.yaml)"

Alert Output

Example Alert

{
  "output": "A shell was spawned in a container (user=root container=app-xyz123 shell=bash)",
  "priority": "Notice",
  "rule": "Terminal shell in container",
  "time": "2024-04-10T12:34:56Z",
  "output_fields": {
    "container.id": "xyz123abc",
    "container.name": "app",
    "k8s.pod.name": "app-deployment-xyz123",
    "k8s.ns.name": "production",
    "proc.cmdline": "bash -i",
    "user.name": "root"
  }
}

Falcosidekick Integration

Falcosidekick forwards Falco alerts to 50+ destinations:

# Configure outputs
falcosidekick:
  config:
    slack:
      webhookurl: https://hooks.slack.com/services/xxx/yyy/zzz
      minimumpriority: warning
      channel: "#security-alerts"

    pagerduty:
      routingkey: YOUR_PD_KEY
      minimumpriority: critical

    elasticsearch:
      hostport: http://elastic:9200
      index: falco

    opsgenie:
      apikey: YOUR_OPSGENIE_KEY

Supported destinations:

Chat: Slack, Discord, Teams, Mattermost, Rocket.Chat
Incidents: PagerDuty, OpsGenie, VictorOps
SIEM: Splunk, Elasticsearch, Loki, Datadog
Cloud: AWS SNS/SQS/Lambda, GCP Pub/Sub, Azure Event Hub
Messaging: Kafka, NATS, RabbitMQ
Notification: Email, SMS, Webhook

Falco vs Alternatives

Feature	Falco	Tetragon	Aqua Runtime	Tracee
Open Source	Yes (Apache-2.0)	Yes (Apache-2.0)	No (paid)	Yes
Technology	eBPF + syscalls	eBPF	eBPF	eBPF
Rule language	YAML + CEL	TracingPolicy	Proprietary	Rego
Kubernetes	Native	Native	Native	Native
CNCF status	Graduated	Incubating	N/A	N/A
Performance	Good	Excellent	Good	Good
Maturity	Very mature	Newer	Mature	Newer

FAQ

Q: Does Falco impact performance? A: Very little. The eBPF driver typically has <1% CPU overhead. The legacy kernel module driver may be slightly higher. Falco is designed to be nearly imperceptible in production.

Q: Are the default rules enough? A: The default rules cover common threats (shell execution, privilege escalation, crypto mining, etc.) and are great for getting started quickly. For production, we recommend customizing rules to fit your application to reduce false positives.

Q: How do I handle false positives? A: Use macros to define whitelisted processes/containers/paths. For example, certain legitimate admin operations shouldn't trigger alerts. Falco supports flexible exception rule authoring.

Sources & Credits

GitHub: falcosecurity/falco — 8.8K+ ⭐ | Apache-2.0
Official site: falco.org