falco-security Cloud Native Runtime Security

CloudNativeRuntimeSecurity.

Wanttotalk?Joinusonthe#falcochannelintheKubernetesSlack.

Latestreleases

Readthechangelog.

developmentstablerpmdebbinary

TheFalcoProject,originallycreatedbySysdig,isanincubatingCNCFopensourcecloudnativeruntimesecuritytool.Falcomakesiteasytoconsumekernelevents,andenrichthoseeventswithinformationfromKubernetesandtherestofthecloudnativestack.FalcohasarichsetofsecurityrulesspecificallybuiltforKubernetes,Linux,andcloud-native.Ifaruleisviolatedinasystem,Falcowillsendanalertnotifyingtheuseroftheviolationanditsseverity.

InstallingFalco

IfyouwouldliketorunFalcoinproductionpleaseadheretotheofficialinstallationguide.

Kubernetes

ToolLinkNoteHelmChartRepositoryTheFalcocommunityoffersregularhelmchartreleases.MinikubeTutorialTheFalcodriverhasbeenbakedintominikubeforeasydeployment.KindTutorialRunningFalcowithkindrequiresadriveronthehostsystem.GKETutorialWesuggestusingtheeBPFdriverforrunningFalcoonGKE.Developing

Falcoisdesignedtobeextensiblesuchthatitcanbebuiltintocloud-nativeapplicationsandinfrastructure.

FalcohasagRPCendpointandanAPIdefinedinprotobuf.TheFalcoProjectsupportsvariousSDKsforthisendpoint.

SDKs

LanguageRepositoryGoclient-goRustclient-rsPythonclient-pyWhatcanFalcodetect?

FalcocandetectandalertonanybehaviorthatinvolvesmakingLinuxsystemcalls.Falcoalertscanbetriggeredbytheuseofspecificsystemcalls,theirarguments,andbypropertiesofthecallingprocess.Forexample,Falcocaneasilydetectincidentsincludingbutnotlimitedto:

AshellisrunninginsideacontainerorpodinKubernetes.Acontainerisrunninginprivilegedmode,orismountingasensitivepath,suchas/proc,fromthehost.Aserverprocessisspawningachildprocessofanunexpectedtype.Unexpectedreadofasensitivefile,suchas/etc/shadow.Anon-devicefileiswrittento/dev.Astandardsystembinary,suchasls,ismakinganoutboundnetworkconnection.AprivilegedpodisstartedinaKubernetescluster.Documentation

TheOfficialDocumentationisthebestresourcetolearnaboutFalco.

JointheCommunity

TogetinvolvedwithTheFalcoProjectpleasevisitthecommunityrepositorytofindmore.

Howtoreachout?

Jointhe#falcochannelontheKubernetesSlackJointheFalcomailinglistReadtheFalcodocumentationContributing

SeetheCONTRIBUTING.md.

SecurityAudit

AthirdpartysecurityauditwasperformedbyCure53,youcanseethefullreporthere.

Reportingsecurityvulnerabilities

Pleasereportsecurityvulnerabilitiesfollowingthecommunityprocessdocumentedhere.

LicenseTerms

FalcoislicensedtoyouundertheApache2.0opensourcelicense.