Falco v0.16.0: Behavioral Activity Monitoring With Container Support
Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Powered by sysdig’s system call capture infrastructure, Falco lets you continuously monitor and detect container, application, host, and network activity… all in one place, from one source of data, with one set of rules.
Falco is hosted by the Cloud Native Computing Foundation (CNCF) as a sandbox level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details read the Falco CNCF project proposal.
What kind of behaviors can Falco detect?
Falco can detect and alert on any behavior that involves making Linux system calls. Thanks to Sysdig’s core decoding and state tracking functionality, Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, you can easily detect things like:
- A shell is run inside a container
- A container is running in privileged mode or is mounting a sensitive path like /proc from the host.
- A server process spawns a child process of an unexpected type
- Unexpected read of a sensitive file (like /etc/shadow)
- A non-device file is written to /dev
- A standard system binary (ls) makes an outbound network connection
How you use it
Falco is deployed as a long-running daemon. You can install it as a Debian/rpm package on a regular host or container host, or you can deploy it as a container.
Falco is configured via a rules file defining the behaviors and events to watch for, and a general configuration file. Rules are expressed in a high-level, human-readable language. We’ve provided a sample rule file ./rules/falco_rules.yaml as a starting point – you can (and will likely want!) to adapt it to your environment.
When developing rules, one helpful feature is Falco’s ability to read trace files saved by sysdig. This allows you to “record” the offending behavior once, and replay it with Falco as many times as needed while tweaking your rules.
Once deployed, Falco uses the Sysdig kernel module and userspace libraries to watch for any events matching one of the conditions defined in the rule file. If a matching event occurs, a notification is written to the configured output(s).
Falco Alerts
When Falco detects suspicious behavior, it sends alerts via one or more of the following channels:
- Writing to standard error
- Writing to a file
- Writing to syslog
- Pipe to a spawned program. A common use of this output type would be to send an email for every Falco notification.
More details on these alerts are described [here](Falco Alerts).
Changelog v0.16
Major Changes
- Clean up error reporting to provide more meaningful error messages along with context when loading rules files. When run with -V, the results of the validation (“OK” or error message) are sent to standard output. [#708]
- Improve rule loading performance by optimizing lua parsing paths to avoid expensive pattern matches. [#694]
- Bump falco engine version to 4 to reflect new fields
ka.useragent, others. [#710] [#681] - Add Catch2 as a unit testing framework. This will add additional coverage on top of the regression tests using Avocado. [#687]
Minor Changes
- Add SYSDIG_DIR Cmake option to specify location for sysdig source code when building falco. [#677] [#679] [#702]
- New field
ka.useragentreports the useragent from k8s audit events. [#709] - Add clang formatter for C++ syntax formatting. [#701] [#689]
- Partial changes towards lua syntax formatting. No particular formatting enforced yet, though. [#718]
- Partial changes towards yaml syntax formatting. No particular formatting enforced yet, though. [#714]
- Add cmake syntax formatting. [#703]
- Token bucket unit tests and redesign. [#692]
- Update github PR template. [#699]
- Fix PR template for kind/rule-*. [#697]
Bug Fixes
- Remove an unused cmake file. [#700]
- Misc Cmake cleanups. [#673]
- Misc k8s install docs improvements. [#671]
Rule Changes
- Allow k8s.gcr.io/kube-proxy image to run privileged. [#717]
- Add runc to the list of possible container entrypoint parents. [#712]
- Skip Source RFC 1918 addresses when considering outbound connections. [#685]
- Add additional
user_XXXplaceholder macros to allow for easy customization of rule exceptions. [#685] - Let weaveworks programs change namespaces. [#685]
- Add additional openshift images. [#685]
- Add openshift as a k8s binary. [#678]
- Add dzdo as a binary that can change users. [#678]
- Allow azure/calico binaries to change namespaces. [#678]
- Add back trusted_containers list for backport compatibility [#675]
- Add mkdirat as a syscall for mkdir operations. [#667]
- Add container id/repository to rules that can work with containers. [#667]
Copyright (C) mstemm
