Skip to content

VadimZy/falco

 
 

Repository files navigation

Cloud Native Runtime Security.


Build Status CII Best Practices Summary GitHub Latest Architectures

Want to talk? Join us on the #falco channel in the Kubernetes Slack.

Latest releases

Read the change log.

development stable
rpm-x86_64 rpm-dev rpm
deb-x86_64 deb-dev deb
binary-x86_64 bin-dev bin
rpm-aarch64 rpm-dev rpm
deb-aarch64 deb-dev deb
binary-aarch64 bin-dev bin

The Falco Project, originally created by Sysdig, is an incubating CNCF open source cloud native runtime security tool. Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack. Falco can also be extended to other data sources by using plugins. Falco has a rich set of security rules specifically built for Kubernetes, Linux, and cloud-native. If a rule is violated in a system, Falco will send an alert notifying the user of the violation and its severity.

What can Falco detect?

Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, Falco can easily detect incidents including but not limited to:

  • A shell is running inside a container or pod in Kubernetes.
  • A container is running in privileged mode, or is mounting a sensitive path, such as /proc, from the host.
  • A server process is spawning a child process of an unexpected type.
  • Unexpected read of a sensitive file, such as /etc/shadow.
  • A non-device file is written to /dev.
  • A standard system binary, such as ls, is making an outbound network connection.
  • A privileged pod is started in a Kubernetes cluster.

Installing Falco

If you would like to run Falco in production please adhere to the official installation guide.

Kubernetes

Tool Link Note
Helm Chart Repository The Falco community offers regular helm chart releases.
Minikube Tutorial The Falco driver has been baked into minikube for easy deployment.
Kind Tutorial Running Falco with kind requires a driver on the host system.
GKE Tutorial We suggest using the eBPF driver for running Falco on GKE.

Developing

Falco is designed to be extensible such that it can be built into cloud-native applications and infrastructure.

Falco has a gRPC endpoint and an API defined in protobuf. The Falco Project supports various SDKs for this endpoint.

SDKs

Language Repository
Go client-go

Plugins

Falco comes with a plugin framework that extends it to potentially any cloud detection scenario. Plugins are shared libraries that conform to a documented API and allow for:

  • Adding new event sources that can be used in rules;
  • Adding the ability to define new fields and extract information from events.

The Falco Project maintains various plugins and provides SDKs for plugin development.

SDKs

Language Repository
Go falcosecurity/plugin-sdk-go

Documentation

The Official Documentation is the best resource to learn about Falco.

Join the Community

To get involved with The Falco Project please visit the community repository to find more.

How to reach out?

How to contribute

See the contributing guide and the code of conduct.

Security Audit

A third party security audit was performed by Cure53, you can see the full report here.

Reporting security vulnerabilities

Please report security vulnerabilities following the community process documented here.

License

Falco is licensed to you under the Apache 2.0 open source license.

Project Evolution

The falcosecurity/evolution repository is the official space for the community to work together, discuss ideas, and document processes. It is also a place to make decisions. Check it out to find more helpful resources.

Resources

About

Cloud Native Runtime Security

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • C++ 71.6%
  • CMake 10.7%
  • Shell 9.0%
  • Python 4.7%
  • Dockerfile 3.6%
  • C 0.4%