Falco v0.15.0: Behavioral Activity Monitoring With Container Support

Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Powered by sysdig’s system call capture infrastructure, Falco lets you continuously monitor and detect container, application, host, and network activity… all in one place, from one source of data, with one set of rules.

Falco is hosted by the Cloud Native Computing Foundation (CNCF) as a sandbox level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details read the Falco CNCF project proposal.

What kind of behaviors can Falco detect?

Falco can detect and alert on any behavior that involves making Linux system calls. Thanks to Sysdig’s core decoding and state tracking functionality, Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, you can easily detect things like:

  • A shell is run inside a container
  • A container is running in privileged mode or is mounting a sensitive path like /proc from the host
  • A server process spawns a child process of an unexpected type
  • Unexpected read of a sensitive file (like /etc/shadow)
  • A non-device file is written to /dev
  • A standard system binary (ls) makes an outbound network connection

How you use it

Falco is deployed as a long-running daemon. You can install it as a Debian/rpm package on a regular host or container host, or you can deploy it as a container.

Falco is configured via a rules file defining the behaviors and events to watch for, and a general configuration file. Rules are expressed in a high-level, human-readable language. We’ve provided a sample rule file ./rules/falco_rules.yaml as a starting point – you can (and will likely want to!) adapt it to your environment.

When developing rules, one helpful feature is Falco’s ability to read trace files saved by sysdig. This allows you to “record” the offending behavior once, and replay it with Falco as many times as needed while tweaking your rules.

Once deployed, Falco uses the Sysdig kernel module and userspace libraries to watch for any events matching one of the conditions defined in the rule file. If a matching event occurs, a notification is written to the configured output(s).
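As an added illustration (not part of the shipped falco_rules.yaml), the rules file below covers the "shell is run inside a container" case from the list above. Every name prefixed example_ and the image name are hypothetical.

```yaml
# Constructed example rules file; every name prefixed "example_" is hypothetical.
# Load it with:   falco -r example_rules.yaml
# Replay a saved sysdig capture while tuning the rule:
#                 falco -r example_rules.yaml -e capture.scap

# Shells to watch for (ash is the Alpine Linux shell).
- list: example_shell_binaries
  items: [bash, sh, zsh, ksh, csh, ash]

# Images where an interactive shell is expected (placeholder name).
- list: example_debug_images
  items: [registry.example.internal/debug-tools]

# True for events that originate inside any container.
- macro: example_in_container
  condition: container.id != host

# True when an execve call has returned, i.e. a new program has started.
- macro: example_spawned_process
  condition: evt.type = execve and evt.dir = <

- rule: Example shell spawned in container
  desc: A shell was started in a container whose image is not on the debug list
  condition: >
    example_spawned_process and example_in_container
    and proc.name in (example_shell_binaries)
    and not container.image.repository in (example_debug_images)
  output: >
    Shell spawned in container (user=%user.name container=%container.name
    image=%container.image.repository:%container.image.tag
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell, mitre_execution]
```

The output line carries the parent process and full command line so that an analyst can triage the alert without going back to the host.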

Falco Alerts

When Falco detects suspicious behavior, it sends alerts via one or more of the following channels:

  • Writing to standard error
  • Writing to a file
  • Writing to syslog
  • Piping to a spawned program. A common use of this output type would be to send an email for every Falco notification.

More details on these alerts are described in the Falco Alerts documentation.

Changelog v0.15.0

Major Changes

  • Actions and alerts for dropped events: Falco can now take actions, including sending alerts/logging messages, and/or even exiting Falco, when it detects dropped system call events. [#561] [#571]
  • Support for Containerd/CRI-O: Falco now supports containerd/cri-o containers. [#585] [#591] [#599] [#sysdig/1376] [#sysdig/1310]
  • Perform docker metadata fetches asynchronously: When new containers are discovered, fetch metadata about the container asynchronously, which should significantly reduce the likelihood of dropped system call events. [#sysdig/1326] [#550] [#570]
  • Better syscall event performance: improve algorithm for reading system call events from kernel module to handle busy event streams [#sysdig/1372]
  • HTTP Output: Falco can now send alerts to http endpoints directly without having to use curl. [#523]
  • Move Kubernetes Response Engine to own repo: The Kubernetes Response Engine is now in its own github repository. [#539]
  • Updated Puppet Module: An all-new puppet module compatible with puppet 4 with a smoother installation process and updated package links. [#537] [#543] [#546]
  • RHEL-based falco image: Provide dockerfiles that use RHEL 7 as the base image instead of debian:unstable. [#544]

Minor Changes

  • ISO-8601 Timestamps: Add the ability to write timestamps in ISO-8601 w/ UTC, and use this format by default when running falco in a container [#518]
  • Docker-based builder/tester: You can now build Falco using the falco-builder docker image, and run regression tests using the falco-tester docker image. [#522] [#584]
  • Several small docs changes to improve clarity and readability [#524] [#540] [#541] [#542]
  • Add instructions on how to enable K8s Audit Logging for kops [#535]
  • Add a “stale issue” bot that marks and eventually closes old issues with no activity [#548]
  • Improvements to sample K8s daemonset/service/etc files [#562]
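The dropped-event actions, HTTP output and ISO-8601 timestamps listed above are all switched on in falco.yaml. The fragment below is an added example, not the project's shipped configuration; the endpoint URL is a placeholder.

```yaml
# falco.yaml fragment (constructed example; the URL is a placeholder).

# Emit alerts as JSON so the receiving endpoint can parse them.
json_output: true

# Write timestamps in ISO-8601 with UTC.
time_format_iso_8601: true

# Dropped system call events are a visibility gap: log and alert on them.
# Other accepted actions are "ignore" and "exit".
syscall_event_drops:
  actions:
    - log
    - alert
  # Token bucket that throttles the actions above:
  # steady state of about one action every 30 seconds, after a burst of 10.
  rate: .03333
  max_burst: 10

# New in this release: POST each alert directly to an HTTP endpoint.
http_output:
  enabled: true
  url: http://alerts.example.internal:8080/falco

# Earlier approach, left disabled: pipe each alert to a spawned curl process.
program_output:
  enabled: false
  keep_alive: false
  program: "curl -d @- -X POST http://alerts.example.internal:8080/falco"
```

Choosing "alert" for drops sends the drop notice through the same outputs as rule alerts, so a monitoring gap shows up where detections are already being watched.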

Bug Fixes

  • Fix regression that broke json output [#581]
  • Fix errors when building via docker from MacOS [#582]

Rule Changes

  • Tag rules using Mitre Attack Framework: Add tags for all relevant rules linking them to the MITRE Attack Framework. We have an associated blog post. [#575] [#578]
  • New rules for additional use cases: New rules Schedule Cron Jobs, Update Package Repository, Remove Bulk Data from Disk, Set Setuid or Setgid bit, Detect bash history deletion, and Create Hidden Files or Directories look for additional common follow-on activity you might see from an attacker. [#578] [#580]
  • Allow docker’s “exe” (usually part of docker save/load) to write to many filesystem locations [#552]
  • Let puppet write below /etc [#563]
  • Add new user_known_write_root_conditions, user_known_non_sudo_setuid_conditions, and user_known_write_monitored_dir_conditions macros to allow those rules to be easily customized in user rules files [#563] [#566]
  • Better coverage and exceptions for rancher [#559]
  • Allow prometheus to write to its conf directory under etc [#564]
  • Better coverage and exceptions for openshift/related tools [#567] [#573]
  • Better coverage for cassandra/kubelet/kops to reduce FPs [#551]
  • Better coverage for docker, openscap to reduce FPs [#573]
  • Better coverage for fluentd/jboss to reduce FPs [#590]
  • Add ash (Alpine Linux-related shell) as a shell binary [#597]
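The user_known_* macros named above are meant to be redefined in a user rules file. The sketch below is an added example with hypothetical process names and paths; a macro defined again in a later rules file replaces the earlier definition, so carry over any shipped condition you still rely on.

```yaml
# falco_rules.local.yaml (constructed example; process names and paths are
# hypothetical). Load it after the shipped rules so these definitions win:
#   falco -r falco_rules.yaml -r falco_rules.local.yaml

# Known-good writes below the root directories: pin both the writing
# process and the path prefix, so that no other process writing there
# and no other path written by this process is exempted.
- macro: user_known_write_root_conditions
  condition: (proc.name = example-backup and fd.name startswith /root/.example-backup/)

# Known-good setuid calls made without sudo: limit the exemption to one
# named program running as root.
- macro: user_known_non_sudo_setuid_conditions
  condition: (user.name = root and proc.name = example-init)

# Known-good writes to a monitored directory: one installer, one directory.
- macro: user_known_write_monitored_dir_conditions
  condition: (proc.name = example-installer and fd.directory = /usr/local/bin)
```

Each exemption matches on process and path together; an exemption keyed on only one of the two silences the rule for far more activity than intended.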

Bug Fixes

  • Fix formatting of nodejs examples README [#502]

Rule Changes

  • Remove FPs for Launch Sensitive Mount Container rule [#509]
  • Update Container rules/macros to use the more reliable container.image.{repository,tag} fields, which always return the repository/tag of an image, instead of container.image, which may not do so for some docker daemon versions. [#513]


Copyright (C) mstemm
