Top Related Projects
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
Open Policy Agent (OPA) is an open source, general-purpose policy engine.
eBPF-based Networking, Security, and Observability
Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
Quick Overview
Falco is an open-source cloud-native runtime security tool designed to detect and alert on anomalous behavior in Linux systems, containers, and Kubernetes clusters. It uses system calls to provide detailed behavioral activity monitoring and alerting for applications and containers.
Pros
- Comprehensive security monitoring for cloud-native environments
- Highly customizable rules engine for detecting various security threats
- Integrates well with popular container orchestration platforms like Kubernetes
- Supports multiple output formats for alerts, including Slack, email, and various logging systems
Cons
- Can have a learning curve for creating custom rules
- May introduce some performance overhead, especially with complex rule sets
- Requires careful tuning to reduce false positives in some environments
- Limited support for Windows environments compared to Linux
Getting Started
To get started with Falco:
- Install Falco on your system:
curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add -
echo "deb https://download.falco.org/packages/deb stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list
apt-get update -y
apt-get -y install linux-headers-$(uname -r)
apt-get install -y falco
- Start Falco:
systemctl start falco
- Check Falco's status:
systemctl status falco
- View Falco's logs:
journalctl -fu falco
For more advanced configurations and custom rules, refer to the official Falco documentation.
Competitor Comparisons
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
Pros of Trivy
- Broader scope: Scans containers, filesystems, git repositories, and more
- Faster scanning speed, especially for large images
- More comprehensive vulnerability database, including multiple sources
Cons of Trivy
- Less real-time monitoring capabilities
- Focused primarily on static analysis, lacking runtime security features
- Limited system-wide behavioral analysis compared to Falco
Code Comparison
Trivy command for scanning a container image:
trivy image alpine:3.10
Falco rule for detecting a suspicious file access:
- rule: Suspicious File Access
desc: Detect access to sensitive files
condition: open_read and sensitive_files
output: "Sensitive file opened for reading (user=%user.name file=%fd.name)"
priority: WARNING
Both tools serve different primary purposes: Trivy excels in vulnerability scanning and static analysis, while Falco focuses on runtime security and behavioral monitoring. Trivy is more user-friendly for quick scans, whereas Falco provides deeper insights into system behavior but requires more setup and configuration.
Open Policy Agent (OPA) is an open source, general-purpose policy engine.
Pros of OPA
- More versatile, can be used for various policy enforcement scenarios beyond runtime security
- Easier to integrate into existing systems and workflows
- Supports multiple policy languages (Rego and JSON) for flexibility
Cons of OPA
- Less specialized for runtime security and threat detection
- Requires more setup and configuration for security-specific use cases
- May have a steeper learning curve for security-focused teams
Code Comparison
Falco rule example:
- rule: Detect Suspicious Shell Activity
desc: Detect a shell spawned by a web server
condition: proc.name = httpd and spawned_process.name = bash
output: "Shell spawned by web server (user=%user.name pid=%proc.pid)"
priority: WARNING
OPA policy example:
package webserver
deny[msg] {
input.process.name == "httpd"
input.child_process.name == "bash"
msg := sprintf("Shell spawned by web server (user=%s pid=%d)", [input.user.name, input.process.pid])
}
Both examples aim to detect suspicious shell activity, but OPA's policy is more flexible and can be easily adapted for various use cases beyond runtime security.
eBPF-based Networking, Security, and Observability
Pros of Cilium
- Provides comprehensive network security and observability for cloud-native environments
- Offers eBPF-powered networking, security, and observability capabilities
- Supports multiple container runtimes and orchestrators, including Kubernetes
Cons of Cilium
- Steeper learning curve due to its complex architecture and eBPF integration
- May require more resources to run effectively in large-scale environments
- Configuration can be more challenging compared to simpler security tools
Code Comparison
Cilium (Go):
func (d *Daemon) compileBase() error {
var args []string
prog := d.conf.BpfDir + "/bpf_lxc.c"
args = append(args, []string{"-DSKIP_DEBUG=1", "-DENABLE_IPV4=1"}...)
args = append(args, bpf.GetCompilerFlags()...)
args = append(args, []string{"-c", prog, "-o", prog + ".o"}...)
out, err := exec.Command("clang", args...).CombinedOutput()
if err != nil {
return fmt.Errorf("failed to compile %s: %s", prog, err)
}
return nil
}
Falco (C++):
int falco_engine::load_rules(const string &rules_content, bool verbose, string &err)
{
scap_open_args oargs = {};
if(m_syscall_source)
{
m_syscall_source->get_scap_open_args(&oargs);
}
return m_rules->load_rules(rules_content, verbose, err, &oargs);
}
Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
Pros of Wazuh
- More comprehensive security solution, including SIEM, XDR, and compliance capabilities
- Offers a user-friendly web interface for easier management and visualization
- Provides built-in integration with various third-party tools and services
Cons of Wazuh
- Higher resource consumption due to its broader feature set
- Steeper learning curve for configuration and customization
- May be overkill for organizations primarily focused on runtime security
Code Comparison
Falco rule example:
- rule: Detect Unauthorized Process
desc: Detect when an unauthorized process is run
condition: spawned_process and not proc.name in (authorized_processes)
output: "Unauthorized process detected (user=%user.name command=%proc.cmdline)"
priority: WARNING
Wazuh rule example:
<rule id="100001" level="7">
<if_sid>530</if_sid>
<match>^New process detected: </match>
<description>Unauthorized process detected</description>
</rule>
Both projects use rule-based detection, but Falco focuses on runtime security with a more concise YAML syntax, while Wazuh uses XML for broader security event management.
OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
Pros of OSSEC-HIDS
- More comprehensive security features, including file integrity monitoring and rootkit detection
- Longer history and wider adoption in enterprise environments
- Supports a broader range of operating systems, including legacy systems
Cons of OSSEC-HIDS
- Less focus on container and cloud-native environments
- Configuration and setup can be more complex
- Updates and releases are less frequent compared to Falco
Code Comparison
OSSEC-HIDS (rules example):
<rule id="100001" level="5">
<if_sid>530</if_sid>
<match>^user: root</match>
<description>Root user logged in.</description>
</rule>
Falco (rules example):
- rule: Root user login
desc: Detect root user login
condition: user.name = "root" and evt.type = login
output: "Root user login detected (user=%user.name)"
priority: WARNING
Both projects use rule-based systems for threat detection, but Falco's syntax is more concise and uses YAML format, while OSSEC-HIDS uses XML. Falco's rules are more focused on runtime behavior and system calls, while OSSEC-HIDS covers a broader range of security aspects, including file integrity and log analysis.
Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
Pros of Terrascan
- Focuses on Infrastructure as Code (IaC) security scanning, covering multiple IaC tools like Terraform, Kubernetes, and Helm
- Provides a wider range of cloud security checks across various providers (AWS, Azure, GCP)
- Offers integration with CI/CD pipelines and supports multiple output formats
Cons of Terrascan
- Limited to static analysis of IaC files, lacking runtime security monitoring capabilities
- May require more manual configuration and policy customization compared to Falco's out-of-the-box rules
- Less extensive community-driven rule development and contributions
Code Comparison
Terrascan (policy definition):
resource:
- aws_s3_bucket
attribute:
- acl
operator: eq
value: private
Falco (rule definition):
- rule: Detect S3 Bucket Public Access
desc: Detect when an S3 bucket is made publicly accessible
condition: evt.type = s3 and evt.action = PutBucketAcl and evt.result = success and s3.bucket.acl = "public-read"
output: "S3 bucket made public (bucket=%s.bucket.name)"
priority: WARNING
Both projects aim to enhance cloud security, but Terrascan focuses on IaC static analysis, while Falco provides runtime monitoring and broader system-level security checks. Terrascan may be more suitable for early-stage security in the development lifecycle, whereas Falco excels in real-time threat detection during runtime.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
Falco
Falco is a cloud native runtime security tool for Linux operating systems. It is designed to detect and alert on abnormal behavior and potential security threats in real-time.
At its core, Falco is a kernel monitoring and detection agent that observes events, such as syscalls, based on custom rules. Falco can enhance these events by integrating metadata from the container runtime and Kubernetes. The collected events can be analyzed off-host in SIEM or data lake systems.
Falco, originally created by Sysdig, is a graduated project under the Cloud Native Computing Foundation (CNCF) used in production by various organisations.
For detailed technical information and insights into the cyber threats that Falco can detect, visit the official Falco website.
For comprehensive information on the latest updates and changes to the project, please refer to the Change Log. Additionally, we have documented the Release Process for delivering new versions of Falco.
Falco Repo: Powering the Core of The Falco Project
This is the main Falco repository which contains the source code for building the Falco binary. By utilizing its libs and the falco.yaml configuration file, this repository forms the foundation of Falco's functionality. The Falco repository is closely interconnected with the following core repositories:
- falcosecurity/libs: Falco's libraries are key to its fundamental operations, making up the greater portion of the source code of the Falco binary and providing essential features such as kernel drivers.
- falcosecurity/rules: Contains the official ruleset for Falco, providing pre-defined detection rules for various security threats and abnormal behaviors.
- falcosecurity/plugins: Falco plugins facilitate integration with external services, expand Falco's capabilities beyond syscalls and container events, and are designed to evolve with specialized functionality in future releases.
- falcosecurity/falcoctl: Command-line utility for managing and interacting with Falco.
For more information, visit the official hub of The Falco Project: falcosecurity/evolution. It provides valuable insights and information about the project's repositories.
Getting Started with Falco
Carefully review and follow the Official Documentation.
Considerations and guidance for Falco adopters:
-
Understand dependencies: Assess the environment where you'll run Falco and consider kernel versions and architectures.
-
Define threat detection objectives: Clearly identify the threats you want to detect and evaluate Falco's strengths and limitations.
-
Consider performance and cost: Assess compute performance overhead and align with system administrators or SREs. Budget accordingly.
-
Choose build and customization approach: Decide between the open source Falco build or creating a custom build pipeline. Customize the build and deployment process as necessary, including incorporating unique tests or approaches, to ensure a resilient deployment with fast deployment cycles.
-
Integrate with output destinations: Integrate Falco with SIEM, data lake systems, or other preferred output destinations to establish a robust foundation for comprehensive data analysis and enable effective incident response workflows.
Demo Environment
A demo environment is provided via a docker-compose file that can be started on a docker host which includes falco, falcosidekick, falcosidekick-ui and its required redis database. For more information see the docker-compose section
How to Contribute
Please refer to the Contributing guide and the Code of Conduct for more information on how to contribute.
Join the Community
To get involved with the Falco Project please visit the Community repository to find more information and ways to get involved.
If you have any questions about Falco or contributing, do not hesitate to file an issue or contact the Falco maintainers and community members for assistance.
How to reach out?
- Join the #falco channel on the Kubernetes Slack.
- Join the Falco mailing list.
- File an issue or make feature requests.
Commitment to Falco's Own Security
Full reports of various security audits can be found here.
In addition, you can refer to the falco and libs security sections for detailed updates on security advisories and policies.
To report security vulnerabilities, please follow the community process outlined in the documentation found here.
What's next for Falco?
Stay updated with Falco's evolving capabilities by exploring the Falco Roadmap, which provides insights into the features currently under development and planned for future releases.
License
Falco is licensed to you under the Apache 2.0 open source license.
Testing
Expand Testing Instructions
Falco's Build Falco from source is the go-to resource to understand how to build Falco from source. In addition, the falcosecurity/libs repository offers additional valuable information about tests and debugging of Falco's underlying libraries and kernel drivers.
Here's an example of a cmake
command that will enable everything you need for all unit tests of this repository:
cmake \
-DUSE_BUNDLED_DEPS=ON \
-DBUILD_LIBSCAP_GVISOR=ON \
-DBUILD_BPF=ON \
-DBUILD_DRIVER=ON \
-DBUILD_FALCO_MODERN_BPF=ON \
-DCREATE_TEST_TARGETS=ON \
-DBUILD_FALCO_UNIT_TESTS=ON ..;
Build and run the unit test suite:
nproc=$(grep processor /proc/cpuinfo | tail -n 1 | awk '{print $3}');
make -j$(($nproc-1)) falco_unit_tests;
# Run the tests
sudo ./unit_tests/falco_unit_tests;
Optionally, build the driver of your choice and test run the Falco binary to perform manual tests.
Lastly, The Falco Project has moved its Falco regression tests to falcosecurity/testing.
Why is Falco in C++ rather than Go or {language}?
Expand Information
- The first lines of code at the base of Falco were written some time ago, where Go didn't yet have the same level of maturity and adoption as today.
- The Falco execution model is sequential and mono-thread due to the statefulness requirements of the tool, and so most of the concurrency-related selling points of the Go runtime would not be leveraged at all.
- The Falco code deals with very low-level programming in many places (e.g. some headers are shared with the eBPF probe and the Kernel module), and we all know that interfacing Go with C is possible but brings tons of complexity and tradeoffs to the table.
- As a security tool meant to consume a crazy high throughput of events per second, Falco needs to squeeze performance in all hot paths at runtime and requires deep control on memory allocation, which the Go runtime can't provide (there's also garbage collection involved).
- Although Go didn't suit the engineering requirements of the core of Falco, we still thought that it could be a good candidate for writing Falco extensions through the plugin system. This is the main reason we gave special attention and high priority to the development of the plugin-sdk-go.
- Go is not a requirement for having statically-linked binaries. In fact, we provide fully-static Falco builds since few years. The only issue with those is that the plugin system can't be supported with the current dynamic library model we currently have.
- The plugin system has been envisioned to support multiple languages, so on our end maintaining a C-compatible codebase is the best strategy to ensure maximum cross-language compatibility.
- In general, plugins have GLIBC requirements/dependencies because they have low-level C bindings required for dynamic loading. A potential solution for the future could be to also support plugin to be statically-linked at compilation time and so released as bundled in the Falco binary. Although no work started yet in this direction, this would solve most issues you reported and would provide a totally-static binary too. Of course, this would not be compatible with dynamic loading anymore, but it may be a viable solution for our static-build flavor of Falco.
- Memory safety is definitely a concern and we try our best to keep an high level of quality even though C++ is quite error prone. For instance, we try to use smart pointers whenever possible, we build the libraries with an address sanitizer in our CI, we run Falco through Valgrind before each release, and have ways to stress-test it to detect performance regressions or weird memory usage (e.g. https://github.com/falcosecurity/event-generator). On top of that, we also have third parties auditing the codebase by time to time. None of this make a perfect safety standpoint of course, but we try to maximize our odds. Go would definitely make our life easier from this perspective, however the tradeoffs never made it worth it so far due to the points above.
- The C++ codebase of falcosecurity/libs, which is at the core of Falco, is quite large and complex. Porting all that code to another language would be a major effort requiring lots of development resource and with an high chance of failure and regression. As such, our approach so far has been to choose refactors and code polishing instead, up until we'll reach an optimal level of stability, quality, and modularity, on that portion of code. This would allow further developments to be smoother and more feasibile in the future.
Resources
Top Related Projects
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
Open Policy Agent (OPA) is an open source, general-purpose policy engine.
eBPF-based Networking, Security, and Observability
Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot