Getting started with Falco
The Falco Project is an open source runtime security tool originally built by Sysdig, Inc. Falco was donated to the CNCF and is now a CNCF incubating project.
Falco uses system calls to secure and monitor a system, by:
- Parsing the Linux system calls from the kernel at runtime
- Asserting the stream of events against a rules engine
- Alerting when a rule is violated
For more information, see Falco Rules.
Falco ships with a default set of rules that check the kernel for unusual behavior such as:
- Namespace changes using tools like setns
- Reads and writes to well-known directories such as /etc, /usr/bin, /usr/sbin, etc.
- Spawned processes using execve
- Executing shell binaries such as sh, bash, csh, zsh, etc.
- Executing SSH binaries such as ssh, scp, sftp, etc.
- Mutating Linux coreutils executables
- Mutating shadowutil or passwd executables such as shadowconfig, pwck, chpasswd, getpasswd, change, useradd, etc., and others
Rules are the items that Falco asserts against. They are defined in the Falco rules files referenced from the Falco configuration file, and represent the events you can check on the system. For more information about writing, managing, and deploying rules, see Falco Rules.
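As an added example that is not part of the Falco documentation or its default ruleset, here is a small rules file in the format described above, covering two of the behaviours listed (writes below /etc, /usr/bin and /usr/sbin, and shell binaries executed inside a container); the list, macro and rule names are chosen for this illustration, and the package-manager exclusion is an assumption you would tune for your own hosts.

```yaml
# Added example rules file (not Falco's default rules). Names of lists,
# macros and rules are illustrative; the excluded package managers are an assumption.

# A list can be referenced inside "in (...)" in any condition.
- list: shell_binaries
  items: [sh, bash, csh, zsh]

# An open()/openat()/openat2() call that requests write access to a regular file.
- macro: open_write
  condition: >
    evt.type in (open, openat, openat2) and evt.is_open_write=true
    and fd.typechar='f' and fd.num>=0

# Process start: the exit side (evt.dir=<) of execve carries the new image's name.
- macro: spawned_process
  condition: evt.type=execve and evt.dir=<

# container.id is the literal string "host" for processes outside any container.
- macro: in_container
  condition: container.id != host

- rule: Write below sensitive directory
  desc: A file under /etc, /usr/bin or /usr/sbin was opened for writing.
  condition: >
    open_write
    and (fd.name startswith /etc/ or fd.name startswith /usr/bin/ or fd.name startswith /usr/sbin/)
    and not proc.name in (dpkg, rpm, apt, yum)
  output: >
    File below sensitive dir opened for writing
    (user=%user.name command=%proc.cmdline file=%fd.name
    container_id=%container.id image=%container.image.repository)
  priority: ERROR
  tags: [filesystem]

- rule: Shell spawned in container
  desc: A shell binary from the shell_binaries list was executed inside a container.
  condition: spawned_process and in_container and proc.name in (shell_binaries)
  output: >
    Shell started in container
    (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline
    container_id=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [container, shell]
```

Point Falco at the file with `falco -r <file>` (or add it to `rules_file` in falco.yaml); the `%field` placeholders in `output` are expanded with values from the matching event.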
Alerts are configurable downstream actions that can be as simple as logging to STDOUT or as complex as delivering a gRPC call to a client. For more information about configuring, understanding, and developing alerts, see Falco Alerts. Falco can send alerts to:
- Standard output
- A file
- Syslog
- A spawned program
- An HTTP(S) endpoint
- A client via the gRPC API
Falco is composed of three main components:
- Userspace program - the CLI tool falco that you use to interact with Falco. The userspace program handles signals, parses information from a Falco driver, and sends alerts.
- Configuration - defines how Falco is run, what rules to assert, and how to perform alerts. For more information, see Configuration.
- Driver - software that adheres to the Falco driver specification and sends a stream of system call information. You cannot run Falco without installing a driver. Currently, Falco supports the following drivers:
  - Kernel module built on the libscap and libsinsp C++ libraries (default)
  - eBPF probe built from the same libraries
  - Userspace instrumentation
For more information, see Falco Drivers.