# Falco — Cloud Native Runtime Security & Threat Detection

> Falco is an open-source runtime security tool that detects abnormal activity in containers and hosts by inspecting system calls through eBPF. Real-time threat detection for Kubernetes.

## Quick Use

```bash
# Install via Helm with the modern eBPF driver (no kernel headers needed)
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco --namespace falco --create-namespace --set driver.kind=modern_ebpf
```

## Intro

**Falco** is a cloud-native runtime security tool that detects and alerts on abnormal application behavior. Originally created by Sysdig and now a CNCF graduated project, Falco uses eBPF (or a kernel module) to observe system calls and generates an alert whenever an event matches a configured rule. This is how it detects privilege escalation, filesystem tampering, crypto mining and data exfiltration in real time. With 8.8K+ GitHub stars and an Apache-2.0 license, Falco is the de facto standard for runtime security in Kubernetes environments, used by thousands of organizations to meet compliance requirements (PCI DSS, SOC 2) and to detect active attacks.
## What Falco Does

- **Syscall Monitoring**: Observe system calls on hosts and in containers
- **Rule-Based Detection**: Pre-built rules for common threats, plus your own custom rules
- **Real-Time Alerts**: Detect and alert within milliseconds of the suspicious syscall
- **Kubernetes Integration**: Enrich alerts with Kubernetes metadata (pod, namespace, labels)
- **Multiple Drivers**: Modern eBPF (recommended), legacy eBPF probe, or kernel module
- **Container Awareness**: Resolve the container and image behind every event
- **Output Channels**: stdout, file, syslog, a program (pipe), HTTP(S) and gRPC are built in; chat and paging tools are reached through Falcosidekick
- **Falcosidekick**: Forward alerts to 50+ destinations (Slack, PagerDuty, SIEMs, queues)
- **Compliance**: Rule tags and community rulesets mapped to PCI DSS, HIPAA, NIST 800-53 and MITRE ATT&CK
- **Incident Response**: Trigger automated response actions from alerts

## Architecture

```
┌────────────────────────────────────┐
│ Node / Host                        │
│ ┌──────────────────────────────┐   │
│ │ Linux Kernel                 │   │
│ │ ┌──────────────────────┐     │   │
│ │ │ eBPF Probes          │     │   │
│ │ │ - Syscalls           │     │   │
│ │ │ - Network Events     │     │   │
│ │ │ - Process Events     │     │   │
│ │ └──────────┬───────────┘     │   │
│ └────────────┼─────────────────┘   │
│              │                     │
│     ┌────────▼─────────┐           │
│     │ Falco Engine     │           │
│     │ - Rule Matching  │           │
│     │ - K8s Enrichment │           │
│     └────────┬─────────┘           │
└──────────────┼─────────────────────┘
               │
      ┌────────▼──────────┐
      │ Falcosidekick     │
      │ (Alert Router)    │
      └────────┬──────────┘
               │
   ┌───────────┼───────────┐
   │           │           │
┌──┴──┐  ┌─────┴────┐  ┌───┴────┐
│Slack│  │PagerDuty │  │  SIEM  │
└─────┘  └──────────┘  └────────┘
```

## Installation

### Kubernetes via Helm (Recommended)

```bash
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco falcosecurity/falco \
  --namespace falco --create-namespace \
  --set driver.kind=modern_ebpf \
  --set tty=true \
  --set falcosidekick.enabled=true \
  --set falcosidekick.webui.enabled=true
```

### Linux Host

```bash
# Debian/Ubuntu: add the signed Falco apt repository
curl -fsSL https://falco.org/repo/falcosecurity-packages.asc | \
  sudo gpg --dearmor -o /usr/share/keyrings/falco-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/falco-archive-keyring.gpg] https://download.falco.org/packages/deb stable main" | \
  sudo tee /etc/apt/sources.list.d/falcosecurity.list
sudo apt update
sudo apt install -y falco

# Start the service and follow its log
sudo systemctl start falco
sudo journalctl -u falco -f
```

The package installer asks which driver to use; depending on that choice the unit may be named `falco-modern-bpf`, `falco-bpf` or `falco-kmod`, so check with `systemctl list-units 'falco*'` if `falco` does not start.

## Falco Rules

### Default Rules (Examples)

These are simplified from `falco_rules.yaml`; the shipped versions carry additional exclusions.

```yaml
# Detect a shell spawned in a container
- rule: Terminal shell in container
  desc: A shell was used as the entrypoint/exec point into a container
  condition: >
    spawned_process and container
    and shell_procs and proc.tty != 0
    and container_entrypoint
  output: >
    A shell was spawned in a container
    (user=%user.name container=%container.info shell=%proc.name)
  priority: NOTICE
  tags: [container, shell, mitre_execution]
```

```yaml
# Detect a write below a sensitive directory
- rule: Write below etc
  desc: An attempt to write to /etc
  condition: >
    write_etc_common
    and not proc.name in (allowed_etc_writers)
  output: >
    File below /etc opened for writing
    (user=%user.name command=%proc.cmdline file=%fd.name)
  priority: ERROR
  tags: [filesystem, mitre_persistence]
```

```yaml
# Detect crypto mining by its pool protocol
- rule: Detect crypto miners using the Stratum protocol
  desc: Miners typically use the Stratum protocol to communicate
  condition: >
    spawned_process and proc.cmdline contains "stratum+tcp"
  output: >
    Possible crypto mining (command=%proc.cmdline)
  priority: CRITICAL
  tags: [process, mitre_impact]
```

### Custom Rules

Create `custom-rules.yaml`. Every list or macro a condition references must be defined somewhere in the loaded rule files, otherwise Falco refuses to load the file, so the list used below is declared first:

```yaml
# Processes allowed to read the service-account token (site-specific; adjust)
- list: trusted_processes
  items: [kubelet, kubectl]

- rule: Unauthorized Access to Secrets
  desc: Detect read access to the mounted Kubernetes service-account token
  condition: >
    open_read and container
    and fd.name startswith "/var/run/secrets/kubernetes.io/serviceaccount"
    and not proc.name in (trusted_processes)
  output: >
    Unauthorized access to secrets
    (user=%user.name ns=%k8s.ns.name pod=%k8s.pod.name command=%proc.cmdline file=%fd.name)
  priority: WARNING
  tags: [secrets, mitre_credential_access]

# Heuristic: an interactive shell started by another process. shell_binaries is
# defined in the default falco_rules.yaml, so load this file alongside it.
# The stock rule set also detects the stronger signal of stdin/stdout being
# redirected onto a network socket; prefer that over this string match alone.
- rule: Reverse Shell Detected
  desc: Detect interactive shell execution typical of reverse shells
  condition: >
    spawned_process and container
    and proc.name in (shell_binaries)
    and proc.cmdline contains "-i"
    and proc.pcmdline contains "/bin/"
  output: >
    Reverse shell detected
    (user=%user.name container=%container.info command=%proc.cmdline parent=%proc.pcmdline)
  priority: CRITICAL
  tags: [container, shell, mitre_execution]
```

Validate the file together with the default rules so that macros such as `open_read` resolve, then load it through the chart's `customRules` value. The chart mounts each entry under `/etc/falco/rules.d`, so no hand-made ConfigMap is needed:

```bash
# Syntax and reference check before anything reaches the cluster
falco -V /etc/falco/falco_rules.yaml -V custom-rules.yaml

# Embed the file under customRules (the dot in the key must be escaped for Helm)
helm upgrade --install falco falcosecurity/falco --namespace falco \
  --reuse-values \
  --set-file 'customRules.custom-rules\.yaml=custom-rules.yaml'
```

## Alert Output

### Example Alert

With `json_output: true` each alert is one JSON object per line:

```json
{
  "output": "A shell was spawned in a container (user=root container=app-xyz123 shell=bash)",
  "priority": "Notice",
  "rule": "Terminal shell in container",
  "time": "2024-04-10T12:34:56Z",
  "output_fields": {
    "container.id": "xyz123abc",
    "container.name": "app",
    "k8s.pod.name": "app-deployment-xyz123",
    "k8s.ns.name": "production",
    "proc.cmdline": "bash -i",
    "user.name": "root"
  }
}
```

## Falcosidekick Integration

Falcosidekick forwards Falco alerts to 50+ destinations. Each output has its own `minimumpriority`, so noisy low-priority rules can go to the SIEM only while pages are reserved for critical hits:

```yaml
# Helm values: configure Falcosidekick outputs
falcosidekick:
  config:
    slack:
      webhookurl: https://hooks.slack.com/services/xxx/yyy/zzz
      minimumpriority: warning
      channel: "#security-alerts"
    pagerduty:
      routingkey: YOUR_PD_KEY
      minimumpriority: critical
    elasticsearch:
      hostport: http://elastic:9200
      index: falco
    opsgenie:
      apikey: YOUR_OPSGENIE_KEY
```

Webhook URLs and API keys are credentials: keep them in a Kubernetes Secret referenced via `falcosidekick.config.existingSecret` rather than committing them in a values file.

Supported destinations:

- **Chat**: Slack, Discord, Teams, Mattermost, Rocket.Chat
- **Incidents**: PagerDuty, OpsGenie, VictorOps
- **SIEM**: Splunk, Elasticsearch, Loki, Datadog
- **Cloud**: AWS SNS/SQS/Lambda, GCP Pub/Sub, Azure Event Hub
- **Messaging**: Kafka, NATS, RabbitMQ
- **Notification**: Email, SMS, Webhook

## Falco vs Alternatives

| Feature | Falco | Tetragon | Aqua Runtime | Tracee |
|---------|-------|----------|--------------|--------|
| Open Source | Yes (Apache-2.0) | Yes (Apache-2.0) | No (paid) | Yes (Apache-2.0) |
| Technology | eBPF + syscalls | eBPF | eBPF | eBPF |
| Rule language | YAML with Falco's own condition syntax | TracingPolicy CRDs | Proprietary | Go or Rego signatures |
| Kubernetes | Native | Native | Native | Native |
| CNCF status | Graduated | Cilium sub-project (Cilium is graduated) | N/A | N/A |
| Performance | Good | Excellent | Good | Good |
| Maturity | Very mature | Newer | Mature | Newer |

## FAQ

**Q: Does Falco affect performance?**

A: Usually only a little. Overhead scales with the syscall rate of the workload; the eBPF driver typically costs under 1% CPU on ordinary nodes, but measure it on yours. The kernel module and the modern eBPF driver perform similarly; modern eBPF is recommended because it needs no kernel headers and a faulty probe cannot crash the kernel. Also watch Falco's `syscall_event_drops` log lines: when the engine falls behind it drops events rather than stalling the kernel, and dropped events are missed detections.

**Q: Are the default rules enough?**

A: The default rules cover common threats (shell execution, privilege escalation, crypto mining and so on) and are a good starting point. For production, tune them to your own applications and add custom rules, otherwise false positives will drown the real alerts.

**Q: How do I handle false positives?**

A: Use `lists` and `macros` to allowlist known-good processes, containers and paths, and add an `exceptions` block to a rule to exclude specific field combinations (for example a given image running a given binary) without rewriting its condition. Legitimate administrative actions that keep firing should be excluded this way rather than by disabling the rule.

## Sources and Acknowledgements

- GitHub: [falcosecurity/falco](https://github.com/falcosecurity/falco) — 8.8K+ ⭐ | Apache-2.0
- Website: [falco.org](https://falco.org)

---
Source: https://tokrepo.com/en/workflows/e6d09344-3558-11f1-9bc6-00163e2b0d79
Author: Script Depot
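The Alert Output and Falcosidekick sections above describe JSON alerts that are routed by priority. The following is an added example written for this page; it is not Falco or Falcosidekick code. It parses Falco's newline-delimited JSON output, applies a per-destination minimum priority the way Falcosidekick's `minimumpriority` does, and folds repeats of the same rule on the same pod within a time window so a looping shell does not page on-call sixty times. The destination table, the 60-second window and the sample alerts are constructed for the example.

```python
"""Route Falco JSON alerts by priority with repeat suppression (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Falco priority names, most severe first (Emergency = 0 ... Debug = 7).
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
RANK = {name.lower(): i for i, name in enumerate(PRIORITIES)}

# Hypothetical destination table: destination -> minimum priority.
# An empty string means "deliver everything", like Falcosidekick's default.
DESTINATIONS = {"slack": "warning", "pagerduty": "critical", "siem": ""}


def _alert(rule, priority, time, ns, pod, cmdline):
    """Build one Falco-shaped alert record (constructed sample data)."""
    return {"output": f"{rule} (pod={pod} command={cmdline})",
            "priority": priority, "rule": rule, "time": time, "source": "syscall",
            "output_fields": {"k8s.ns.name": ns, "k8s.pod.name": pod,
                              "proc.cmdline": cmdline, "user.name": "root"}}


# Constructed Falco stdout: one non-JSON startup line followed by five alerts.
SAMPLE_OUTPUT = "\n".join(
    ["Falco initialized with configuration file: /etc/falco/falco.yaml"]
    + [json.dumps(a) for a in [
        _alert("Terminal shell in container", "Notice",
               "2024-04-10T12:34:56.123456789Z", "production", "app-xyz123", "bash -i"),
        _alert("Terminal shell in container", "Notice",
               "2024-04-10T12:35:10.000000000Z", "production", "app-xyz123", "bash -i"),
        _alert("Write below etc", "Error",
               "2024-04-10T12:35:20.000000000Z", "production", "app-xyz123", "vi /etc/passwd"),
        _alert("Terminal shell in container", "Notice",
               "2024-04-10T12:35:40.000000000Z", "production", "app-xyz123", "sh -i"),
        _alert("Detect crypto miners using the Stratum protocol", "Critical",
               "2024-04-10T12:36:00.000000000Z", "default", "miner-1",
               "xmrig -o stratum+tcp://pool:3333"),
    ]])


def priority_rank(name):
    """0 (Emergency) .. 7 (Debug). Unknown or empty names rank as Debug, so a
    malformed alert can never escalate and an empty threshold admits everything."""
    return RANK.get(str(name).lower(), RANK["debug"])


def parse_time(value):
    """Falco emits RFC 3339 UTC with nanoseconds; Python parses microseconds,
    so trim the fraction to six digits. Returns epoch seconds (0.0 if absent)."""
    if not value:
        return 0.0
    head, _, frac = value.rstrip("Z").partition(".")
    frac = (frac + "000000")[:6]
    dt = datetime.strptime(f"{head}.{frac}", "%Y-%m-%dT%H:%M:%S.%f")
    return dt.replace(tzinfo=timezone.utc).timestamp()


def parse_alerts(text):
    """Parse newline-delimited JSON, skipping non-JSON lines and records that
    lack the rule/priority fields every Falco alert carries."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "rule" in record and "priority" in record:
            alerts.append(record)
    return alerts


def dedup_key(alert):
    """Repeats are the same rule on the same workload."""
    fields = alert.get("output_fields", {})
    return (alert["rule"], fields.get("k8s.ns.name"), fields.get("k8s.pod.name"))


def route(alerts, destinations, window=60):
    """Return ({destination: [alerts delivered]}, {destination: suppressed count}).

    An alert goes to a destination only if its priority is at least the
    destination's minimum. A repeat of the same dedup key within `window`
    seconds of the last delivery to that destination is counted, not sent.
    """
    thresholds = {d: priority_rank(p) for d, p in destinations.items()}
    last_sent = defaultdict(dict)   # dest -> key -> epoch of last delivery
    delivered = defaultdict(list)
    suppressed = defaultdict(int)
    for alert in sorted(alerts, key=lambda a: parse_time(a.get("time"))):
        rank, key, ts = priority_rank(alert["priority"]), dedup_key(alert), parse_time(alert.get("time"))
        for dest, minimum in thresholds.items():
            if rank > minimum:          # less severe than the destination wants
                continue
            prev = last_sent[dest].get(key)
            if prev is not None and ts - prev < window:
                suppressed[dest] += 1
                continue
            last_sent[dest][key] = ts
            delivered[dest].append(alert)
    return dict(delivered), dict(suppressed)


if __name__ == "__main__":
    sent, dropped = route(parse_alerts(SAMPLE_OUTPUT), DESTINATIONS)
    for dest, items in sent.items():
        print(f"{dest}: {len(items)} delivered, {dropped.get(dest, 0)} suppressed")
        for a in items:
            print(f"  [{a['priority']}] {a['output']}")
```

Run as a script it shows Slack receiving the Error and Critical alerts, PagerDuty only the Critical one, and the SIEM everything with the two repeated shell alerts folded. The suppression is keyed on the last delivery, not the last occurrence, so a workload that keeps tripping a rule still re-alerts once per window instead of going silent for as long as the activity continues.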