Falco



This content originally appeared on DEV Community and was authored by Omar Ahmed

Falco Basics

Falco is an open-source, cloud-native runtime security project designed to detect unexpected application behavior and alert on threats in real time.
By default, Falco has 5 outputs for its events: stdout, file, gRPC, shell and http.
These events can be forwarded to other components through falcosidekick, a companion daemon that receives Falco's events and fans them out to a much larger set of possible outputs (chat, SIEM, webhooks, a web UI, and so on).
Key Points about Falco:

  • Runtime Security: It continuously monitors your applications, containers, and hosts at runtime to detect abnormal activities.
  • Container Visibility: It provides complete visibility into containerized environments using a single lightweight sensor.
  • Rules-Based Detection: Falco uses a rich set of rules to define what is considered abnormal. When these rules are violated, alerts are triggered.

Examples of what Falco can detect by default:

  • A shell being run inside a container (which could indicate a breach).
  • A server process spawning an unexpected type of child process.
  • An attempt to read sensitive files, like /etc/shadow.

Falco Installation

# 1. Create the namespace Falco will run in
kubectl create namespace falco

# 2. Add the official Falco Helm repository and refresh the chart index
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

# 3. Install Falco together with falcosidekick and its web UI
helm install falco falcosecurity/falco \
--set falcosidekick.enabled=true \
--set falcosidekick.webui.enabled=true \
-n falco
# To forward events to Slack as well, add this flag to the install command:
# --set falcosidekick.config.slack.webhookurl="https://hooks.slack.com/services/XXXX"

# falco → release name
# falcosecurity/falco → chart
# -n falco → installs Falco into the falco namespace created in step 1
#   (alternatively pass --create-namespace to helm install and skip step 1)

# 4. Check that the Falco pods are running:
kubectl get pods -n falco
# Falco pod(s) might need a few seconds to start. Wait until they are ready:
kubectl wait pods --for=condition=Ready --all -n falco
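As an added example (not code from the original post or the Falco project), the script below checks a fresh install end to end: it triggers two of the default rules listed earlier (a shell in a container, a read of /etc/shadow) from a throwaway pod, then reads the resulting alerts back from Falco's stdout output, which is the same event stream the other outputs and falcosidekick are fed from. The namespace, the pod label selector and the falcosidekick deployment name are assumptions about the chart's defaults; the sample log lines embedded for the offline filter functions are constructed, shaped like Falco's default text output.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post. Verifies a Helm install of Falco
# by triggering two default rules from a throwaway pod and reading the alerts back
# from Falco's stdout output. Values marked ASSUMPTION are what the
# falcosecurity/falco chart uses by default at the time of writing.
set -e

NS="${FALCO_NS:-falco}"                          # ASSUMPTION: namespace from the post
FALCO_SELECTOR="app.kubernetes.io/name=falco"    # ASSUMPTION: label on the Falco DaemonSet pods
SIDEKICK_DEPLOY="deploy/falco-falcosidekick"     # ASSUMPTION: <release>-falcosidekick

# Constructed sample of Falco's default text output ("<time>: <Priority> <message>"),
# shaped like the alerts the two default rules below produce.
SAMPLE_LOG='2024-01-01T10:00:00.000000000+0000: Notice A shell was spawned in a container with an attached terminal (user=root container_id=abc123 container_name=falco-test image=alpine shell=sh)
2024-01-01T10:00:01.000000000+0000: Warning Sensitive file opened for reading by non-trusted program (user=root file=/etc/shadow container_id=abc123 container_name=falco-test)
2024-01-01T10:00:02.000000000+0000: Debug constructed low-priority line for filter testing'

# count_alerts PATTERN  (Falco log on stdin): number of alert lines matching PATTERN.
count_alerts() {
    grep -c -- "$1" || true      # grep exits 1 on zero matches; we still want the printed 0
}

# alerts_min_priority PRIORITY  (Falco log on stdin): keep lines whose priority is
# at least PRIORITY. Falco's priorities, most to least severe:
# Emergency Alert Critical Error Warning Notice Informational Debug.
alerts_min_priority() {
    awk -v min="$1" '
        BEGIN {
            n = split("Emergency Alert Critical Error Warning Notice Informational Debug", p, " ")
            for (i = 1; i <= n; i++) rank[p[i]] = i
            if (!(min in rank)) { print "unknown priority: " min > "/dev/stderr"; exit 2 }
        }
        # field 2 of a default text-output line is the priority word
        ($2 in rank) && rank[$2] <= rank[min] { print }'
}

# Triggers "Terminal shell in container" (needs a TTY, hence -t: run this from an
# interactive terminal) and "Read sensitive file untrusted" inside a throwaway pod.
trigger_default_rules() {
    kubectl run falco-test --image=alpine:3.19 --restart=Never -n "$NS" -- sleep 300
    kubectl wait pod/falco-test --for=condition=Ready -n "$NS" --timeout=90s
    kubectl exec -it -n "$NS" falco-test -- sh -c 'cat /etc/shadow > /dev/null'
    kubectl delete pod falco-test -n "$NS" --wait=false
}

# Prints Falco alerts of at least the given priority from the DaemonSet pod logs,
# i.e. the "stdout" output the post lists.
recent_alerts() {
    kubectl logs -n "$NS" -l "$FALCO_SELECTOR" -c falco --tail=500 \
        | alerts_min_priority "${1:-Notice}"
}

# The same events as received by falcosidekick, which feeds the web UI and any
# configured outputs such as the Slack webhook.
sidekick_log() {
    kubectl logs -n "$NS" "$SIDEKICK_DEPLOY" --tail=50
}

case "${1:-}" in
    trigger)  trigger_default_rules ;;
    alerts)   recent_alerts "${2:-Notice}" ;;
    sidekick) sidekick_log ;;
    "")       echo "usage: $0 trigger | alerts [PRIORITY] | sidekick" ;;
esac
```

Run `./check-falco.sh trigger` from a terminal, then `./check-falco.sh alerts Warning` to see only the /etc/shadow read, or `./check-falco.sh alerts Notice` to also see the shell alert; `sidekick` shows the same events arriving at falcosidekick. The filter functions work on any saved Falco log, so they can also be used against the `file` output without a cluster.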

