Falco, a cloud-native runtime security project, was accepted by the Cloud Native Computing Foundation (CNCF) as an incubation-level hosted project. Falco provides intrusion and abnormality detection for platforms like Kubernetes, Mesosphere, and Cloud Foundry. With the move into the incubation stage, the Falco team has been focusing on making the tool easier to adopt and use.
Falco first entered the CNCF sandbox in 2018 as a project created by Sysdig to better understand container behavior and help protect container platforms from malicious activity. Falco's rules engine can detect abnormal activity in applications, containers, the underlying host, and the container platform. It leverages open source Linux kernel instrumentation to monitor the stream of system calls from the kernel. As it runs in user-space, it is able to augment the kernel data with other input streams such as container runtime metrics and Kubernetes metrics.
Falco can detect and alert on any behaviour that involves Linux system calls. The alerting rules use Sysdig's filtering expressions to identify potentially suspicious activity. Alerts can be triggered by the use of specific system calls, by the arguments to those calls, and by the properties of the calling process. This covers scenarios such as a process starting a shell inside a container, a container running in privileged mode, or an unexpected read of a sensitive file. When a rule fires, Falco can send notifications via Slack, Fluentd, and NATS.
In a Falco rule, the condition field is a filter that is applied to every system call Falco observes. The following rule, for example, watches for attempts to start a shell process inside a container:
```yaml
- rule: shell_in_container
  desc: notice shell activity within a container
  condition: container.id != host and proc.name = bash
  output: "shell in a container (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
  priority: WARNING
```
Falco rules can contain macros, which declare reusable condition snippets that other conditions reference by name. Lists, which name a set of items for use inside a condition, are also supported. For example, the following macro declares a condition that checks whether the directory being accessed (fd.directory) is contained in the specified list:
```yaml
- macro: bin_dir
  condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
```
With Falco 0.4.0, communication with Kubernetes and Mesos servers is possible, allowing policies to be written using the context of those frameworks. Conditions can then refer to properties such as container IDs, image names, Kubernetes namespaces, services and deployments, or Mesos frameworks.
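To show how the pieces described above (rule conditions, macros, lists, and Kubernetes context fields) fit together in one rules file, here is an added example. It is not part of the original article and is not Falco's default ruleset. It uses field names from Falco's supported-fields reference (evt.type, evt.dir, evt.is_open_read, evt.is_open_write, fd.name, fd.directory, container.image.repository, k8s.ns.name, k8s.pod.name) and assumes a Falco build with Kubernetes metadata enabled; the namespace, list contents and image values are constructed placeholders chosen for illustration.

```yaml
# Added example rules file (not Falco's bundled rules). Lists and macros are
# declared first and then referenced by name from the rule conditions.

# Lists: named sets of values usable inside "in (...)" expressions.
- list: shell_binaries
  items: [bash, sh, zsh, dash]

- list: sensitive_files
  items: [/etc/shadow, /etc/sudoers]          # constructed sample list

# Macros: reusable condition fragments.
- macro: spawned_process
  condition: evt.type = execve and evt.dir = <   # exit of execve, i.e. a new process image

- macro: open_read
  condition: evt.type in (open, openat) and evt.is_open_read = true

- macro: open_write
  condition: evt.type in (open, openat) and evt.is_open_write = true

- macro: bin_dir
  condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)

- macro: in_trusted_namespace
  condition: k8s.ns.name = kube-system            # constructed placeholder namespace

# Rule 1: a shell started inside a container, enriched with Kubernetes context.
- rule: Shell spawned in container
  desc: A shell binary was started inside a container (container.id is "host" for host processes)
  condition: spawned_process and container.id != host and proc.name in (shell_binaries)
  output: >
    Shell spawned in container (user=%user.name container=%container.name
    image=%container.image.repository namespace=%k8s.ns.name pod=%k8s.pod.name
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell]

# Rule 2: a write below one of the binary directories, using the bin_dir macro.
- rule: Write below binary dir
  desc: A file under a system binary directory was opened for writing
  condition: open_write and bin_dir
  output: >
    File below a binary directory opened for writing (user=%user.name
    file=%fd.name command=%proc.cmdline container=%container.name)
  priority: ERROR
  tags: [filesystem]

# Rule 3: a sensitive file read from a container outside the trusted namespace.
- rule: Sensitive file read in untrusted namespace
  desc: A file from the sensitive_files list was read by a container outside kube-system
  condition: >
    open_read and fd.name in (sensitive_files)
    and container.id != host and not in_trusted_namespace
  output: >
    Sensitive file read (user=%user.name file=%fd.name namespace=%k8s.ns.name
    pod=%k8s.pod.name image=%container.image.repository command=%proc.cmdline)
  priority: CRITICAL
  tags: [filesystem, kubernetes]
```

The file can be loaded alongside the default rules with Falco's -r option (for example, falco -r example_rules.yaml). Note the macro and list references in the conditions: a list is substituted wherever its name appears inside parentheses, and a macro is substituted wherever its name appears as a term, so the third rule expands to a single filter expression over the event, file descriptor, container and Kubernetes fields.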
While similar to other tools that allow for declaring security policies such as SELinux, AppArmor, or auditd, Falco has some differences. As Mark Stemm, software engineer at Sysdig, notes:
Overall, these products can be grouped into ones focused on enforcement vs auditing. Both groups define a policy that describes the allowed or disallowed behavior for a process, in terms of system calls, their arguments, and host resources accessed.
Tools like seccomp, seccomp-bpf, SELinux, and AppArmor fall into the enforcement category in that they will alter the behaviour of processes if they are found to violate the defined rules. Falco and other tools, such as auditd, fall in the auditing category as they will notify when detecting a violation.
According to Stemm, one difference between Falco and these other tools is that "Falco runs in user space, using a kernel module to obtain system calls, while the other tools perform system call filtering/monitoring at the kernel level." This allows Falco to have more available data to be used within its policies as noted previously.
With the move into the incubator program, the Falco team is looking to migrate the code into an API-first architecture to better enable community support for developing integrations. Falco is open-source and available for download under the Apache 2.0 license. The team has regular office hours to support users.