Falco Open Source Frequently Asked Questions (FAQs)

Falco is an open source runtime security tool designed for cloud-native environments. Below are answers to some of the most common questions about using and configuring Falco.

‍

1. What is Falco?

Falco is an open source cloud-native runtime security tool originally developed by Sysdig. It monitors system behavior in real time to detect suspicious activity such as:

- Unexpected processes
- File modifications
- Network activity
- Container-level anomalies

‍

2. How does Falco work?

Falco uses a kernel module or an eBPF probe to intercept system calls made by processes on a Linux host. It then applies rules to these events to determine if they represent unexpected or potentially malicious behavior.

‍

3. What are Falco rules?

Falco rules define the behaviors you want to monitor. Each rule includes:

- A condition (e.g., "shell launched inside a container")
- An output message for alerts
- A severity level (e.g., Info, Warning, Error)

You can use built-in rules or create your own in YAML format.

‍

4. What types of events can Falco detect?

Falco can detect many runtime behaviors, including:

- Shells spawned inside containers
- Writes to sensitive files (e.g., /etc/passwd)
- Execution of known network tools (e.g., curl, nc)
- Outbound network connections
- Privilege escalations

‍

5. What is the difference between Falco and Falco Sidekick?

- Falco: A security tool that detects anomalous behavior using kernel-level event inspection.
- Falco Sidekick: A lightweight daemon that listens for Falco alerts and forwards them to other services like Slack, Webhooks, AWS SNS, Discord, and more.

‍

6. Does Falco support Kubernetes?

Yes, Falco natively supports Kubernetes and provides:

- Enrichment with pod metadata (namespace, pod name, container ID)
- Rules specific to Kubernetes events
- Compatibility with Helm charts for deployment

‍

7. What are Falco plugins?

Falco plugins extend the sources from which events can be consumed. Examples include:

- Kubernetes Audit Logs
- AWS CloudTrail logs
- GCP Audit logs
- JSON-formatted log streams

Plugins let you apply Falco rules to more than just system calls.

‍

8. How do I install Falco?

Falco can be installed in multiple ways. The most straightforward way for Kubernetes is by using Helm:

Bash
helm repo add falcosecurity https://falcosecurity.github.io/charts
‍helm install falco falcosecurity/falco

For all other installation methods, please refer to the official documentation at https://falco.org/docs/setup/

9. Can I run Falco in eBPF mode instead of using a kernel module?

Falco uses the eBPF with CO-RE technology by default. There’s no need to configure if you want to use Falco in eBPF mode.

‍

10. Where can I find or contribute custom Falco rules? Is there a community? 

You can find the default ruleset at the https://github.com/falcosecurity/rules GitHub repository. To contribute custom rules, fork the rules repo, add your custom rules, and open a pull request.

Come join the Sysdig Open Source Community @ https://community.sysdig.com
‍It's a place built to empower analysts, engineers, and innovators for the future of security.

‍