Falco Open Source Frequently Asked Questions (FAQs)
Falco is an open source runtime security tool designed for cloud-native environments. Below are answers to some of the most common questions about using and configuring Falco.
1. What is Falco?
Falco is an open source cloud-native runtime security tool originally developed by Sysdig and now a CNCF graduated project. It monitors system behavior in real time and alerts on suspicious activity such as:
- Unexpected processes
- File modifications
- Network activity
- Container-level anomalies
2. How does Falco work?
Falco uses a driver, either an eBPF probe or a kernel module, to capture system calls made by processes on a Linux host, and enriches each event with process, user and container context. It then evaluates its rules against every event and emits an alert whenever a rule's condition matches, so detection happens at the moment the behavior occurs rather than after the fact.
3. What are Falco rules?
Falco rules define the behaviors you want to alert on. A rule is a YAML entry with:
- A condition: a filter expression over event fields (e.g., "a shell was launched inside a container")
- An output message for alerts, which can interpolate event fields such as %proc.cmdline or %container.name
- A priority (severity) level, one of Emergency, Alert, Critical, Error, Warning, Notice, Informational or Debug
Rules files can also define macros (named condition fragments) and lists (named sets of values) that rules reuse. You can use the built-in ruleset or write your own rules in YAML.
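As an added example (not taken from the page or from the Falco project's default ruleset), the following rules file implements the "shell launched inside a container" condition with a list and two macros that the rule reuses. The field names (evt.type, evt.dir, container.id, proc.name, proc.tty, user.name, container.name, container.image.repository, proc.cmdline, proc.pname) are Falco's own syscall-source fields; the list, macro and rule names are my own.

```yaml
# Added example: a minimal Falco rules file (not the project's shipped ruleset).

# A list is a named set of values that a condition can test against.
- list: shell_binaries
  items: [bash, sh, zsh, dash, ash]

# A macro is a named condition fragment. container.id is "host" for processes
# running outside any container, so this matches only container workloads.
- macro: in_container
  condition: container.id != host

# Match the exit side (evt.dir=<) of execve/execveat, i.e. a process was just spawned.
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

- rule: Interactive shell spawned in container
  desc: A shell with an attached TTY was started by a process inside a container
  condition: >
    spawned_process and in_container
    and proc.name in (shell_binaries)
    and proc.tty != 0
  output: >
    Shell spawned in container (user=%user.name container=%container.name
    image=%container.image.repository cmd=%proc.cmdline parent=%proc.pname)
  priority: WARNING
  tags: [container, shell]
```

The proc.tty != 0 clause keeps the rule quiet for non-interactive shells such as the ones a container entrypoint or a health check spawns; drop it if you also want those. Check the file without starting the engine with `falco -V shell_rules.yaml`, and load it alongside the defaults with `falco -r /etc/falco/falco_rules.yaml -r shell_rules.yaml`; a rule of the same name in a later file overrides the earlier definition.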
4. What types of events can Falco detect?
Falco can detect many runtime behaviors, including:
- Shells spawned inside containers
- Writes to sensitive files (e.g., /etc/passwd)
- Execution of known network tools (e.g., curl, nc)
- Outbound network connections
- Privilege escalations
5. What is the difference between Falco and Falcosidekick?
- Falco: the detection engine. It inspects kernel-level events (and plugin events), evaluates rules against them, and writes alerts to outputs such as stdout, a file, syslog, a program, gRPC or an HTTP endpoint.
- Falcosidekick: a lightweight companion daemon that receives Falco alerts (typically through Falco's HTTP output) and forwards them to other services like Slack, webhooks, AWS SNS, Discord, and many more. Falco itself does not need it to run; it only adds fan-out to external systems.
6. Does Falco support Kubernetes?
Yes, Falco natively supports Kubernetes and provides:
- Enrichment of syscall alerts with container and pod metadata (namespace, pod name, container ID and image)
- Rules for Kubernetes audit events (API server requests), consumed through the k8saudit plugin
- An official Helm chart that deploys Falco as a DaemonSet so every node is covered
7. What are Falco plugins?
Falco plugins extend the sources from which events can be consumed and the fields that can be extracted from them. Examples include:
- Kubernetes audit logs (k8saudit)
- AWS CloudTrail logs (cloudtrail)
- GCP audit logs (gcpaudit)
- JSON-formatted payloads, via the json extractor plugin that exposes arbitrary JSON fields to conditions
Plugins let you apply Falco rules to more than just system calls; rules for a plugin source set the source field (for example source: k8s_audit) so the engine knows which event stream they apply to.
8. How do I install Falco?
Falco can be installed in multiple ways. The most straightforward way for Kubernetes is by using Helm:
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco falcosecurity/falco --namespace falco --create-namespace
For all other installation methods, please refer to the official documentation at https://falco.org/docs/setup/
9. Can I run Falco in eBPF mode instead of using a kernel module?
Yes. Recent Falco releases (0.38 and later) use the modern eBPF probe, built with CO-RE, as the default driver, so no extra configuration is needed to run in eBPF mode. The driver is chosen by the engine.kind setting in falco.yaml: modern_ebpf, ebpf (the legacy probe, which needs a probe built for the running kernel) or kmod (the kernel module); the Helm chart exposes the same choice as driver.kind. The modern probe requires a kernel with BTF support (5.8 or newer), so on older kernels fall back to the legacy probe or the kernel module, which falcoctl can download or build for you.
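An added example (not from the page or from the Falco project's shipped configuration) tying together the plugin answer in question 7 and the driver answer in question 9: the first document is an excerpt of falco.yaml that selects the driver and enables the k8saudit and json plugins, and the second document (after the `---` separator, loaded as a separate rules file) is a rule written against the k8s_audit source. The library paths are the defaults of a package install; the webhook listener address, the rule and its name are my own choices, assumed for illustration.

```yaml
# Added example: excerpt of /etc/falco/falco.yaml (not the project's shipped file).

# Driver selection. modern_ebpf is the default in recent releases;
# "ebpf" selects the legacy probe and "kmod" the kernel module.
engine:
  kind: modern_ebpf

# Plugins add event sources beyond system calls.
plugins:
  - name: k8saudit
    library_path: libk8saudit.so
    init_config: ""
    # Assumed listener: the API server's audit webhook sink is pointed at this URL.
    open_params: "http://:9765/k8s-audit"
  - name: json
    library_path: libjson.so
    init_config: ""

# Only the plugins named here are actually loaded.
load_plugins: [k8saudit, json]

---
# Added example: k8s_audit_rules.yaml, loaded with "falco -r k8s_audit_rules.yaml".
# The source field tells the engine these conditions apply to k8saudit events,
# not to system calls.
- rule: Privileged pod created
  desc: A pod requesting a privileged container was admitted by the API server
  condition: >
    ka.verb=create and ka.target.resource=pods
    and ka.req.pod.containers.privileged intersects (true)
  output: >
    Privileged pod created (user=%ka.user.name pod=%ka.target.name
    ns=%ka.target.namespace images=%ka.req.pod.containers.image)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
```

The `intersects (true)` test is needed because ka.req.pod.containers.privileged is a list with one entry per container in the pod; a plain equality would only match single-container pods. Events from the syscall driver and from plugins are evaluated by the same engine, so both rule kinds can run in one Falco instance, and a rules file that sets source: k8s_audit is simply skipped when the plugin is not loaded.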
10. Where can I find or contribute custom Falco rules? Is there a community?
The default ruleset lives in the https://github.com/falcosecurity/rules GitHub repository. Rules specific to your own environment can be loaded alongside it (through the rules_files list in falco.yaml or the -r command-line flag) without touching the repository. To propose a rule for the shared ruleset, fork the rules repo, add the rule with a description, priority and tags, and open a pull request.
Come join the Sysdig Open Source Community at https://community.sysdig.com
It's a place built to empower analysts, engineers, and innovators for the future of security.