Falco is an open-source runtime security tool that detects unexpected application behavior and alerts on threats in real time. It uses eBPF to monitor system calls at the kernel level without modifying your applications.
What Is Falco?
Falco is a CNCF graduated project created by Sysdig. It monitors Linux system calls and alerts when suspicious activity occurs — like a container spawning a shell, reading sensitive files, or making unexpected network connections.
Key Features:
- eBPF-based kernel monitoring
- 100+ built-in security rules
- Custom rule engine (YAML)
- Kubernetes audit log support
- Multiple output channels (Slack, webhook, syslog)
- Falcosidekick for alert routing
- gRPC and REST API
- Plugin system
Installation
# Kubernetes via Helm
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco -n falco --create-namespace \
  --set driver.kind=ebpf \
  --set falcosidekick.enabled=true

# Or Docker (minimal form; the Falco docs also mount further host paths such as /dev and /etc)
docker run -d --name falco --privileged \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /proc:/host/proc:ro \
  falcosecurity/falco:latest
Falco Rules
# Custom rules (the spawned_process, container, open_read and outbound macros
# come from Falco's default rule set, so load this file alongside it)
- rule: Shell Spawned in Container
  desc: Detect shell spawned in a container
  condition: >
    spawned_process and container and
    proc.name in (bash, sh, zsh, dash) and
    not proc.pname in (sshd, docker, containerd)
  output: >
    Shell spawned in container
    (user=%user.name container=%container.name
    image=%container.image.repository
    shell=%proc.name parent=%proc.pname)
  priority: WARNING
  tags: [container, shell]

- rule: Sensitive File Read
  desc: Detect reading of sensitive files
  condition: >
    open_read and container and
    fd.name in (/etc/shadow, /etc/passwd, /etc/sudoers)
  output: >
    Sensitive file read (user=%user.name file=%fd.name
    container=%container.name image=%container.image.repository)
  priority: CRITICAL
  tags: [filesystem, sensitive]

- rule: Outbound Connection to Unusual Port
  desc: Detect connections to non-standard ports
  # For an outbound connection the interesting port is the destination (fd.dport);
  # fd.sport would be the client's ephemeral port and the rule would fire on nearly everything.
  condition: >
    outbound and container and
    not fd.dport in (80, 443, 53, 8080, 8443, 5432, 3306, 6379)
  output: >
    Unusual outbound connection
    (container=%container.name image=%container.image.repository
    connection=%fd.name port=%fd.dport)
  priority: NOTICE
  tags: [network]
Falco API: Event Streaming
import requests
from flask import Flask, request

# Falco's embedded web server listens on port 8765 by default. Inside Kubernetes,
# port-forward the falco pod first. The endpoint is /versions (plural) and the
# JSON it returns carries "falco_version", not "version".
FALCO = "http://localhost:8765"

# Get Falco version and info
info = requests.get(f"{FALCO}/versions", timeout=5).json()
print(f"Falco v{info['falco_version']}, libs {info.get('libs_version', 'N/A')}")

# Stream events via Falcosidekick webhook
# Falcosidekick forwards each Falco alert to your endpoint as a JSON document
app = Flask(__name__)

@app.route('/webhook', methods=['POST'])
def handle_alert():
    event = request.get_json(force=True)
    print(f"[{event['priority']}] {event['rule']}: {event['output']}")
    return '', 200

if __name__ == '__main__':
    # Point falcosidekick's webhook.address at http://<host>:8080/webhook
    app.run(host='0.0.0.0', port=8080)
Falcosidekick: Alert Routing
# falcosidekick config
slack:
  webhookurl: https://hooks.slack.com/services/XXX
  channel: "#security-alerts"
  minimumpriority: warning
webhook:
  address: http://security-api:8080/alerts
prometheus:
  extralabels: "env:production"
elasticsearch:
  hostport: http://elasticsearch:9200
  index: falco-alerts
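The event streaming and alert routing sections above describe what a receiver on the other end of Falcosidekick's webhook has to do: accept the forwarded Falco alert, check it, and decide where it goes. The following is an added example, not code from Falco or Falcosidekick, written with only the Python standard library. It assumes the payload has the shape of a Falco JSON alert (fields such as priority, rule, output, output_fields and tags), uses constructed sample alerts, and uses placeholder target names (elasticsearch, slack, pager) and a placeholder port 8080 in place of real integrations.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Falco's priorities, least to most severe; the index serves as a numeric level.
PRIORITIES = ["debug", "informational", "notice", "warning",
              "error", "critical", "alert", "emergency"]


def priority_level(name):
    """Map a Falco priority name (any case) to an integer; unknown names give -1."""
    name = name.lower()
    return PRIORITIES.index(name) if name in PRIORITIES else -1


def parse_event(raw):
    """Validate a Falcosidekick webhook body and return a normalized event.

    Raises ValueError for malformed JSON or missing required fields, so a bad
    payload is rejected before it can reach any routing target."""
    event = json.loads(raw)  # JSONDecodeError is a ValueError subclass
    for key in ("priority", "rule", "output"):
        if key not in event:
            raise ValueError(f"missing field: {key}")
    fields = event.get("output_fields") or {}
    return {
        "rule": event["rule"],
        "priority": event["priority"].lower(),
        "level": priority_level(event["priority"]),
        "output": event["output"],
        "tags": set(event.get("tags") or []),
        "container": fields.get("container.name", "host"),
        "image": fields.get("container.image.repository", ""),
        "time": event.get("time", ""),
    }


def route(event, minimum="warning"):
    """Pick routing targets (placeholder names) for a normalized event.

    Everything is archived; alerts at or above `minimum` go to chat, mirroring
    falcosidekick's minimumpriority; critical alerts and anything tagged
    'sensitive' also page the on-call engineer."""
    targets = ["elasticsearch"]
    if event["level"] >= priority_level(minimum):
        targets.append("slack")
    if event["level"] >= priority_level("critical") or "sensitive" in event["tags"]:
        targets.append("pager")
    return targets


class AlertHandler(BaseHTTPRequestHandler):
    """HTTP endpoint that falcosidekick's webhook.address can point at."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        try:
            event = parse_event(self.rfile.read(length))
        except ValueError as exc:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(str(exc).encode())
            return
        print(f"[{event['priority']}] {event['rule']} -> {route(event)}")
        self.send_response(200)
        self.end_headers()


# Constructed sample payloads in the shape Falcosidekick forwards (not real alerts).
SAMPLE_SHELL = json.dumps({
    "hostname": "node-1",
    "priority": "Warning",
    "rule": "Shell Spawned in Container",
    "output": "Shell spawned in container (user=root container=web-1 ...)",
    "output_fields": {"container.name": "web-1",
                      "container.image.repository": "nginx",
                      "proc.name": "bash"},
    "tags": ["container", "shell"],
    "time": "2024-01-01T00:00:00.000000000Z",
})
SAMPLE_SENSITIVE = json.dumps({
    "priority": "Critical",
    "rule": "Sensitive File Read",
    "output": "Sensitive file read (user=app file=/etc/shadow container=web-1 ...)",
    "output_fields": {"container.name": "web-1", "fd.name": "/etc/shadow"},
    "tags": ["filesystem", "sensitive"],
})
SAMPLE_NETWORK = json.dumps({
    "priority": "Notice",
    "rule": "Outbound Connection to Unusual Port",
    "output": "Unusual outbound connection (container=web-1 ...)",
    "output_fields": {"container.name": "web-1", "fd.dport": 9999},
    "tags": ["network"],
})

if __name__ == "__main__":
    for sample in (SAMPLE_SHELL, SAMPLE_SENSITIVE, SAMPLE_NETWORK):
        ev = parse_event(sample)
        print(f"[{ev['priority']}] {ev['rule']} -> {route(ev)}")
    # Then listen for real webhooks (placeholder port 8080; the path is not checked).
    HTTPServer(("0.0.0.0", 8080), AlertHandler).serve_forever()
```

Rejecting a payload that lacks the required fields with a 400 matters more than it looks: a receiver that routes on `event.get("priority")` silently drops malformed or truncated alerts into the lowest bucket, which is exactly where a missed detection hides.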
Kubernetes Audit Logs
# Monitor K8s API audit events (requires the k8saudit plugin; the kevt, kcreate
# and configmap macros come from its bundled k8s_audit_rules.yaml)
- rule: K8s ConfigMap with Sensitive Data
  desc: Detect creating configmaps that may contain secrets
  # source must be set, otherwise Falco tries to evaluate the ka.* fields against syscalls.
  source: k8s_audit
  # ka.req.configmap.obj is the ConfigMap content as a JSON string; a plain
  # substring match catches keys and values alike, so expect some noise.
  condition: >
    kevt and kcreate and configmap and
    ka.req.configmap.obj contains "password"
  output: >
    ConfigMap with sensitive data created
    (user=%ka.user.name configmap=%ka.target.name
    namespace=%ka.target.namespace)
  priority: WARNING
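The audit rule above is a substring match over the whole ConfigMap object, so it fires whenever the word "password" appears anywhere in it. To make the trade-off concrete, here is an added example (not part of the original post and not Falco's code) that applies the same idea to raw Kubernetes audit events in Python: it keeps only ConfigMap writes at the ResponseComplete stage, and matches a list of markers against the data keys rather than the values. The audit log lines, the marker list and the user names are constructed for this example; it assumes the audit policy records requests at the Request or RequestResponse level, since requestObject is absent otherwise.

```python
import json

# Substrings that suggest a ConfigMap key carries a credential.
# Constructed list for this example; tune it for your environment.
SENSITIVE_MARKERS = ("password", "passwd", "secret", "token", "api_key", "apikey")

# Verbs covered by Falco's kcreate / kmodify macros.
WRITE_VERBS = {"create", "update", "patch"}


def configmap_findings(audit_event):
    """Inspect one audit.k8s.io/v1 event. Returns None when the event is not a
    completed ConfigMap write, otherwise a summary of keys that look like secrets.

    Only the ResponseComplete stage is considered so each request counts once, and
    only keys (not values) are matched, which avoids flagging a benign value that
    merely mentions the word 'password'."""
    if audit_event.get("stage") != "ResponseComplete":
        return None
    ref = audit_event.get("objectRef") or {}
    if ref.get("resource") != "configmaps" or audit_event.get("verb") not in WRITE_VERBS:
        return None
    data = (audit_event.get("requestObject") or {}).get("data") or {}
    hits = sorted(k for k in data if any(m in k.lower() for m in SENSITIVE_MARKERS))
    return {
        "verb": audit_event["verb"],
        "user": (audit_event.get("user") or {}).get("username", "unknown"),
        "namespace": ref.get("namespace", ""),
        "name": ref.get("name", ""),
        "suspicious_keys": hits,
    }


def scan_audit_log(lines):
    """Run configmap_findings over newline-delimited audit JSON and return only
    the events with at least one suspicious key (the ones worth alerting on)."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        result = configmap_findings(json.loads(line))
        if result and result["suspicious_keys"]:
            findings.append(result)
    return findings


# Constructed audit log lines (not from a real cluster).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "create", "user": {"username": "alice"},
     "objectRef": {"resource": "configmaps", "namespace": "prod", "name": "app-config"},
     "requestObject": {"kind": "ConfigMap",
                       "data": {"DB_PASSWORD": "example", "LOG_LEVEL": "info"}}},
    # Same request at an earlier stage: must not be counted twice.
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "RequestReceived",
     "verb": "create", "user": {"username": "alice"},
     "objectRef": {"resource": "configmaps", "namespace": "prod", "name": "app-config"},
     "requestObject": {"kind": "ConfigMap", "data": {"DB_PASSWORD": "example"}}},
    # Benign: a value mentions 'password' but no key does.
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "update", "user": {"username": "bob"},
     "objectRef": {"resource": "configmaps", "namespace": "prod", "name": "ui-text"},
     "requestObject": {"kind": "ConfigMap",
                       "data": {"LOGIN_HINT": "Enter your password above"}}},
    # Not a ConfigMap at all.
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "get", "user": {"username": "bob"},
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-1"}},
])

if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_LOG.splitlines()):
        print(f"ConfigMap {f['namespace']}/{f['name']} {f['verb']}d by {f['user']}: "
              f"suspicious keys {f['suspicious_keys']}")
```

The key-only match is a deliberate narrowing of the rule's behaviour: it trades the ability to catch a secret stored under an innocuous key for far fewer false positives. If that trade is wrong for your cluster, the Falco rule as written (matching the whole object) is the broader net, and the ConfigMap name and namespace in the alert are what lets a responder triage it quickly.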
Resources
- Falco Docs
- Falco GitHub — 7.5K+ stars
- Rule Reference
Need to scrape web data for your security workflows? Check out my web scraping tools on Apify — production-ready actors for Reddit, Google Maps, and more. Questions? Email me at spinov001@gmail.com