# Falco — Cloud Native Runtime Security & Threat Detection > Falco is an open-source runtime security tool that detects abnormal activity in containers and hosts using eBPF and syscalls. Real-time threat detection for Kubernetes. ## Install Save the content below to `.claude/skills/` or append to your `CLAUDE.md`: ## Quick Use ```bash # Install via Helm helm repo add falcosecurity https://falcosecurity.github.io/charts helm install falco falcosecurity/falco --namespace falco --create-namespace --set driver.kind=modern_ebpf ``` ## Intro **Falco** is a cloud-native runtime security tool that detects and alerts on abnormal application behavior. Originally created by Sysdig and now a CNCF graduated project, Falco uses eBPF (or kernel modules) to monitor system calls and generate alerts when configured rules are matched — detecting threats like privilege escalation, filesystem tampering, crypto mining, and data exfiltration in real-time. With 8.8K+ GitHub stars and Apache-2.0 license, Falco is the de facto standard for runtime security in Kubernetes environments, used by thousands of organizations to meet compliance requirements (PCI DSS, SOC 2) and detect active attacks. ## What Falco Does - **Syscall Monitoring**: Observe all system calls on hosts and containers - **Rule-Based Detection**: Pre-built rules for common threats + custom rules - **Real-Time Alerts**: Detect and alert within milliseconds of suspicious activity - **Kubernetes Integration**: Enrich alerts with Kubernetes metadata (pod, namespace, labels) - **Multiple Drivers**: Modern eBPF (recommended), legacy eBPF, or kernel module - **Container Awareness**: Understand container context and isolation - **Output Channels**: Syslog, files, HTTPS, gRPC, Slack, PagerDuty - **Falcosidekick**: Forward alerts to 50+ destinations - **Compliance**: Pre-built rulesets for PCI, HIPAA, NIST 800-53 - **Incident Response**: Trigger automated response actions ## Architecture ``` ┌────────────────────────────────────┐ │ Node / Host │ │ ┌──────────────────────────────┐ │ │ │ Linux Kernel │ │ │ │ ┌──────────────────────┐ │ │ │ │ │ eBPF Probes │ │ │ │ │ │ - Syscalls │ │ │ │ │ │ - Network Events │ │ │ │ │ │ - Process Events │ │ │ │ │ └──────────┬───────────┘ │ │ │ └─────────────┼────────────────┘ │ │ │ │ │ ┌────────▼─────────┐ │ │ │ Falco Engine │ │ │ │ - Rule Matching │ │ │ │ - K8s Enrichment│ │ │ └────────┬─────────┘ │ └────────────────┼────────────────────┘ │ ┌────────▼──────────┐ │ Falcosidekick │ │ (Alert Router) │ └────────┬──────────┘ │ ┌─────────────┼─────────────┐ │ │ │ ┌──┴──┐ ┌─────┴────┐ ┌────┴───┐ │Slack│ │PagerDuty │ │ SIEM │ └─────┘ └──────────┘ └────────┘ ``` ## Installation ### Kubernetes via Helm (Recommended) ```bash helm repo add falcosecurity https://falcosecurity.github.io/charts helm repo update helm install falco falcosecurity/falco --namespace falco --create-namespace --set driver.kind=modern_ebpf --set tty=true --set falcosidekick.enabled=true --set falcosidekick.webui.enabled=true ``` ### Linux Host ```bash # Debian/Ubuntu curl -fsSL https://falco.org/repo/falcosecurity-packages.asc | sudo gpg --dearmor -o /usr/share/keyrings/falco-archive-keyring.gpg echo "deb [signed-by=/usr/share/keyrings/falco-archive-keyring.gpg] https://download.falco.org/packages/deb stable main" | sudo tee /etc/apt/sources.list.d/falcosecurity.list sudo apt update sudo apt install -y falco # Start service sudo systemctl start falco sudo journalctl -u falco -f ``` ## Falco Rules ### Default Rules (Examples) ```yaml # Detect shell spawned in container - rule: Terminal shell in container desc: A shell was used as the entrypoint/exec point into a container condition: > spawned_process and container and shell_procs and proc.tty != 0 and container_entrypoint output: > A shell was spawned in a container (user=%user.name container=%container.info shell=%proc.name) priority: NOTICE tags: [container, shell, mitre_execution] ``` ```yaml # Detect write to sensitive directory - rule: Write below etc desc: An attempt to write to /etc condition: > write_etc_common and not proc.name in (allowed_etc_writers) output: > File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name) priority: ERROR tags: [filesystem, mitre_persistence] ``` ```yaml # Detect crypto mining - rule: Detect crypto miners using the Stratum protocol desc: Miners typically use the Stratum protocol to communicate condition: > spawned_process and proc.cmdline contains "stratum+tcp" output: > Possible crypto mining (command=%proc.cmdline) priority: CRITICAL tags: [process, mitre_impact] ``` ### Custom Rules Create `custom-rules.yaml`: ```yaml - rule: Unauthorized Access to Secrets desc: Detect read access to Kubernetes secrets condition: > open_read and container and fd.name contains "/var/run/secrets/kubernetes.io/serviceaccount" and not proc.name in (trusted_processes) output: > Unauthorized access to secrets (user=%user.name pod=%k8s.pod.name command=%proc.cmdline) priority: WARNING - rule: Reverse Shell Detected desc: Detect reverse shell execution condition: > spawned_process and container and (proc.name in (shell_binaries) and proc.cmdline contains "-i" and proc.pcmdline contains "/bin/") output: > Reverse shell detected (user=%user.name container=%container.info command=%proc.cmdline) priority: CRITICAL ``` Apply via ConfigMap: ```bash kubectl create configmap custom-rules --from-file=custom-rules.yaml --namespace falco # Update Helm values to include custom rules helm upgrade falco falcosecurity/falco --namespace falco --set customRules."custom-rules.yaml"="$(cat custom-rules.yaml)" ``` ## Alert Output ### Example Alert ```json { "output": "A shell was spawned in a container (user=root container=app-xyz123 shell=bash)", "priority": "Notice", "rule": "Terminal shell in container", "time": "2024-04-10T12:34:56Z", "output_fields": { "container.id": "xyz123abc", "container.name": "app", "k8s.pod.name": "app-deployment-xyz123", "k8s.ns.name": "production", "proc.cmdline": "bash -i", "user.name": "root" } } ``` ## Falcosidekick Integration Falcosidekick forwards Falco alerts to 50+ destinations: ```yaml # Configure outputs falcosidekick: config: slack: webhookurl: https://hooks.slack.com/services/xxx/yyy/zzz minimumpriority: warning channel: "#security-alerts" pagerduty: routingkey: YOUR_PD_KEY minimumpriority: critical elasticsearch: hostport: http://elastic:9200 index: falco opsgenie: apikey: YOUR_OPSGENIE_KEY ``` Supported destinations: - **Chat**: Slack, Discord, Teams, Mattermost, Rocket.Chat - **Incidents**: PagerDuty, OpsGenie, VictorOps - **SIEM**: Splunk, Elasticsearch, Loki, Datadog - **Cloud**: AWS SNS/SQS/Lambda, GCP Pub/Sub, Azure Event Hub - **Messaging**: Kafka, NATS, RabbitMQ - **Notification**: Email, SMS, Webhook ## Falco vs Alternatives | Feature | Falco | Tetragon | Aqua Runtime | Tracee | |---------|-------|----------|--------------|--------| | Open Source | Yes (Apache-2.0) | Yes (Apache-2.0) | No (paid) | Yes | | Technology | eBPF + syscalls | eBPF | eBPF | eBPF | | Rule language | YAML + CEL | TracingPolicy | Proprietary | Rego | | Kubernetes | Native | Native | Native | Native | | CNCF status | Graduated | Incubating | N/A | N/A | | Performance | Good | Excellent | Good | Good | | Maturity | Very mature | Newer | Mature | Newer | ## FAQ **Q: Does Falco impact performance?** A: Very little. The eBPF driver typically has <1% CPU overhead. The legacy kernel module driver may be slightly higher. Falco is designed to be nearly imperceptible in production. **Q: Are the default rules enough?** A: The default rules cover common threats (shell execution, privilege escalation, crypto mining, etc.) and are great for getting started quickly. For production, we recommend customizing rules to fit your application to reduce false positives. **Q: How do I handle false positives?** A: Use `macros` to define whitelisted processes/containers/paths. For example, certain legitimate admin operations shouldn't trigger alerts. Falco supports flexible exception rule authoring. ## Sources & Credits - GitHub: [falcosecurity/falco](https://github.com/falcosecurity/falco) — 8.8K+ ⭐ | Apache-2.0 - Official site: [falco.org](https://falco.org) --- Source: https://tokrepo.com/en/workflows/falco-cloud-native-runtime-security-threat-detection-e6d09344 Author: Script Depot