Convert Figma logo to code with AI

falcosecurity logofalco

Cloud Native Runtime Security

7,328
899
7,328
88

Top Related Projects

22,801

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

9,617

Open Policy Agent (OPA) is an open source, general-purpose policy engine.

20,022

eBPF-based Networking, Security, and Observability

10,656

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

Quick Overview

Falco is an open-source cloud-native runtime security tool designed to detect and alert on anomalous behavior in Linux systems, containers, and Kubernetes clusters. It uses system calls to provide detailed behavioral activity monitoring and alerting for applications and containers.

Pros

  • Comprehensive security monitoring for cloud-native environments
  • Highly customizable rules engine for detecting various security threats
  • Integrates well with popular container orchestration platforms like Kubernetes
  • Supports multiple output formats for alerts, including Slack, email, and various logging systems

Cons

  • Can have a learning curve for creating custom rules
  • May introduce some performance overhead, especially with complex rule sets
  • Requires careful tuning to reduce false positives in some environments
  • Limited support for Windows environments compared to Linux

Getting Started

To get started with Falco:

  1. Install Falco on your system:
curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add -
echo "deb https://download.falco.org/packages/deb stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list
apt-get update -y
apt-get -y install linux-headers-$(uname -r)
apt-get install -y falco
  1. Start Falco:
systemctl start falco
  1. Check Falco's status:
systemctl status falco
  1. View Falco's logs:
journalctl -fu falco

For more advanced configurations and custom rules, refer to the official Falco documentation.

Competitor Comparisons

22,801

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

Pros of Trivy

  • Broader scope: Scans containers, filesystems, git repositories, and more
  • Faster scanning speed, especially for large images
  • More comprehensive vulnerability database, including multiple sources

Cons of Trivy

  • Less real-time monitoring capabilities
  • Focused primarily on static analysis, lacking runtime security features
  • Limited system-wide behavioral analysis compared to Falco

Code Comparison

Trivy command for scanning a container image:

trivy image alpine:3.10

Falco rule for detecting a suspicious file access:

- rule: Suspicious File Access
  desc: Detect access to sensitive files
  condition: open_read and sensitive_files
  output: "Sensitive file opened for reading (user=%user.name file=%fd.name)"
  priority: WARNING

Both tools serve different primary purposes: Trivy excels in vulnerability scanning and static analysis, while Falco focuses on runtime security and behavioral monitoring. Trivy is more user-friendly for quick scans, whereas Falco provides deeper insights into system behavior but requires more setup and configuration.

9,617

Open Policy Agent (OPA) is an open source, general-purpose policy engine.

Pros of OPA

  • More versatile, can be used for various policy enforcement scenarios beyond runtime security
  • Easier to integrate into existing systems and workflows
  • Supports multiple policy languages (Rego and JSON) for flexibility

Cons of OPA

  • Less specialized for runtime security and threat detection
  • Requires more setup and configuration for security-specific use cases
  • May have a steeper learning curve for security-focused teams

Code Comparison

Falco rule example:

- rule: Detect Suspicious Shell Activity
  desc: Detect a shell spawned by a web server
  condition: proc.name = httpd and spawned_process.name = bash
  output: "Shell spawned by web server (user=%user.name pid=%proc.pid)"
  priority: WARNING

OPA policy example:

package webserver

deny[msg] {
  input.process.name == "httpd"
  input.child_process.name == "bash"
  msg := sprintf("Shell spawned by web server (user=%s pid=%d)", [input.user.name, input.process.pid])
}

Both examples aim to detect suspicious shell activity, but OPA's policy is more flexible and can be easily adapted for various use cases beyond runtime security.

20,022

eBPF-based Networking, Security, and Observability

Pros of Cilium

  • Provides comprehensive network security and observability for cloud-native environments
  • Offers eBPF-powered networking, security, and observability capabilities
  • Supports multiple container runtimes and orchestrators, including Kubernetes

Cons of Cilium

  • Steeper learning curve due to its complex architecture and eBPF integration
  • May require more resources to run effectively in large-scale environments
  • Configuration can be more challenging compared to simpler security tools

Code Comparison

Cilium (Go):

func (d *Daemon) compileBase() error {
    var args []string
    prog := d.conf.BpfDir + "/bpf_lxc.c"
    args = append(args, []string{"-DSKIP_DEBUG=1", "-DENABLE_IPV4=1"}...)
    args = append(args, bpf.GetCompilerFlags()...)
    args = append(args, []string{"-c", prog, "-o", prog + ".o"}...)
    out, err := exec.Command("clang", args...).CombinedOutput()
    if err != nil {
        return fmt.Errorf("failed to compile %s: %s", prog, err)
    }
    return nil
}

Falco (C++):

int falco_engine::load_rules(const string &rules_content, bool verbose, string &err)
{
    scap_open_args oargs = {};

    if(m_syscall_source)
    {
        m_syscall_source->get_scap_open_args(&oargs);
    }

    return m_rules->load_rules(rules_content, verbose, err, &oargs);
}
10,656

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.

Pros of Wazuh

  • More comprehensive security solution, including SIEM, XDR, and compliance capabilities
  • Offers a user-friendly web interface for easier management and visualization
  • Provides built-in integration with various third-party tools and services

Cons of Wazuh

  • Higher resource consumption due to its broader feature set
  • Steeper learning curve for configuration and customization
  • May be overkill for organizations primarily focused on runtime security

Code Comparison

Falco rule example:

- rule: Detect Unauthorized Process
  desc: Detect when an unauthorized process is run
  condition: spawned_process and not proc.name in (authorized_processes)
  output: "Unauthorized process detected (user=%user.name command=%proc.cmdline)"
  priority: WARNING

Wazuh rule example:

<rule id="100001" level="7">
  <if_sid>530</if_sid>
  <match>^New process detected: </match>
  <description>Unauthorized process detected</description>
</rule>

Both projects use rule-based detection, but Falco focuses on runtime security with a more concise YAML syntax, while Wazuh uses XML for broader security event management.

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

Pros of OSSEC-HIDS

  • More comprehensive security features, including file integrity monitoring and rootkit detection
  • Longer history and wider adoption in enterprise environments
  • Supports a broader range of operating systems, including legacy systems

Cons of OSSEC-HIDS

  • Less focus on container and cloud-native environments
  • Configuration and setup can be more complex
  • Updates and releases are less frequent compared to Falco

Code Comparison

OSSEC-HIDS (rules example):

<rule id="100001" level="5">
  <if_sid>530</if_sid>
  <match>^user: root</match>
  <description>Root user logged in.</description>
</rule>

Falco (rules example):

- rule: Root user login
  desc: Detect root user login
  condition: user.name = "root" and evt.type = login
  output: "Root user login detected (user=%user.name)"
  priority: WARNING

Both projects use rule-based systems for threat detection, but Falco's syntax is more concise and uses YAML format, while OSSEC-HIDS uses XML. Falco's rules are more focused on runtime behavior and system calls, while OSSEC-HIDS covers a broader range of security aspects, including file integrity and log analysis.

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

Pros of Terrascan

  • Focuses on Infrastructure as Code (IaC) security scanning, covering multiple IaC tools like Terraform, Kubernetes, and Helm
  • Provides a wider range of cloud security checks across various providers (AWS, Azure, GCP)
  • Offers integration with CI/CD pipelines and supports multiple output formats

Cons of Terrascan

  • Limited to static analysis of IaC files, lacking runtime security monitoring capabilities
  • May require more manual configuration and policy customization compared to Falco's out-of-the-box rules
  • Less extensive community-driven rule development and contributions

Code Comparison

Terrascan (policy definition):

resource:
  - aws_s3_bucket
attribute:
  - acl
operator: eq
value: private

Falco (rule definition):

- rule: Detect S3 Bucket Public Access
  desc: Detect when an S3 bucket is made publicly accessible
  condition: evt.type = s3 and evt.action = PutBucketAcl and evt.result = success and s3.bucket.acl = "public-read"
  output: "S3 bucket made public (bucket=%s.bucket.name)"
  priority: WARNING

Both projects aim to enhance cloud security, but Terrascan focuses on IaC static analysis, while Falco provides runtime monitoring and broader system-level security checks. Terrascan may be more suitable for early-stage security in the development lifecycle, whereas Falco excels in real-time threat detection during runtime.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Falco

Latest release Supported Architectures License Docs

Falco Core Repository Stable OpenSSF Scorecard OpenSSF Best Practices Arm CI sponsored by Actuated

Falco

Falco is a cloud native runtime security tool for Linux operating systems. It is designed to detect and alert on abnormal behavior and potential security threats in real-time.

At its core, Falco is a kernel monitoring and detection agent that observes events, such as syscalls, based on custom rules. Falco can enhance these events by integrating metadata from the container runtime and Kubernetes. The collected events can be analyzed off-host in SIEM or data lake systems.

Falco, originally created by Sysdig, is a graduated project under the Cloud Native Computing Foundation (CNCF) used in production by various organisations.

For detailed technical information and insights into the cyber threats that Falco can detect, visit the official Falco website.

For comprehensive information on the latest updates and changes to the project, please refer to the Change Log. Additionally, we have documented the Release Process for delivering new versions of Falco.

Falco Repo: Powering the Core of The Falco Project

This is the main Falco repository which contains the source code for building the Falco binary. By utilizing its libs and the falco.yaml configuration file, this repository forms the foundation of Falco's functionality. The Falco repository is closely interconnected with the following core repositories:

  • falcosecurity/libs: Falco's libraries are key to its fundamental operations, making up the greater portion of the source code of the Falco binary and providing essential features such as kernel drivers.
  • falcosecurity/rules: Contains the official ruleset for Falco, providing pre-defined detection rules for various security threats and abnormal behaviors.
  • falcosecurity/plugins: Falco plugins facilitate integration with external services, expand Falco's capabilities beyond syscalls and container events, and are designed to evolve with specialized functionality in future releases.
  • falcosecurity/falcoctl: Command-line utility for managing and interacting with Falco.

For more information, visit the official hub of The Falco Project: falcosecurity/evolution. It provides valuable insights and information about the project's repositories.

Getting Started with Falco

Carefully review and follow the Official Documentation.

Considerations and guidance for Falco adopters:

  1. Understand dependencies: Assess the environment where you'll run Falco and consider kernel versions and architectures.

  2. Define threat detection objectives: Clearly identify the threats you want to detect and evaluate Falco's strengths and limitations.

  3. Consider performance and cost: Assess compute performance overhead and align with system administrators or SREs. Budget accordingly.

  4. Choose build and customization approach: Decide between the open source Falco build or creating a custom build pipeline. Customize the build and deployment process as necessary, including incorporating unique tests or approaches, to ensure a resilient deployment with fast deployment cycles.

  5. Integrate with output destinations: Integrate Falco with SIEM, data lake systems, or other preferred output destinations to establish a robust foundation for comprehensive data analysis and enable effective incident response workflows.

Demo Environment

A demo environment is provided via a docker-compose file that can be started on a docker host which includes falco, falcosidekick, falcosidekick-ui and its required redis database. For more information see the docker-compose section

How to Contribute

Please refer to the Contributing guide and the Code of Conduct for more information on how to contribute.

Join the Community

To get involved with the Falco Project please visit the Community repository to find more information and ways to get involved.

If you have any questions about Falco or contributing, do not hesitate to file an issue or contact the Falco maintainers and community members for assistance.

How to reach out?

Commitment to Falco's Own Security

Full reports of various security audits can be found here.

In addition, you can refer to the falco and libs security sections for detailed updates on security advisories and policies.

To report security vulnerabilities, please follow the community process outlined in the documentation found here.

What's next for Falco?

Stay updated with Falco's evolving capabilities by exploring the Falco Roadmap, which provides insights into the features currently under development and planned for future releases.

License

Falco is licensed to you under the Apache 2.0 open source license.

Testing

Expand Testing Instructions

Falco's Build Falco from source is the go-to resource to understand how to build Falco from source. In addition, the falcosecurity/libs repository offers additional valuable information about tests and debugging of Falco's underlying libraries and kernel drivers.

Here's an example of a cmake command that will enable everything you need for all unit tests of this repository:

cmake \
-DUSE_BUNDLED_DEPS=ON \
-DBUILD_LIBSCAP_GVISOR=ON \
-DBUILD_BPF=ON \
-DBUILD_DRIVER=ON \
-DBUILD_FALCO_MODERN_BPF=ON \
-DCREATE_TEST_TARGETS=ON \
-DBUILD_FALCO_UNIT_TESTS=ON ..;

Build and run the unit test suite:

nproc=$(grep processor /proc/cpuinfo | tail -n 1 | awk '{print $3}');
make -j$(($nproc-1)) falco_unit_tests;
# Run the tests
sudo ./unit_tests/falco_unit_tests;

Optionally, build the driver of your choice and test run the Falco binary to perform manual tests.

Lastly, The Falco Project has moved its Falco regression tests to falcosecurity/testing.


Why is Falco in C++ rather than Go or {language}?

Expand Information
  1. The first lines of code at the base of Falco were written some time ago, where Go didn't yet have the same level of maturity and adoption as today.
  2. The Falco execution model is sequential and mono-thread due to the statefulness requirements of the tool, and so most of the concurrency-related selling points of the Go runtime would not be leveraged at all.
  3. The Falco code deals with very low-level programming in many places (e.g. some headers are shared with the eBPF probe and the Kernel module), and we all know that interfacing Go with C is possible but brings tons of complexity and tradeoffs to the table.
  4. As a security tool meant to consume a crazy high throughput of events per second, Falco needs to squeeze performance in all hot paths at runtime and requires deep control on memory allocation, which the Go runtime can't provide (there's also garbage collection involved).
  5. Although Go didn't suit the engineering requirements of the core of Falco, we still thought that it could be a good candidate for writing Falco extensions through the plugin system. This is the main reason we gave special attention and high priority to the development of the plugin-sdk-go.
  6. Go is not a requirement for having statically-linked binaries. In fact, we provide fully-static Falco builds since few years. The only issue with those is that the plugin system can't be supported with the current dynamic library model we currently have.
  7. The plugin system has been envisioned to support multiple languages, so on our end maintaining a C-compatible codebase is the best strategy to ensure maximum cross-language compatibility.
  8. In general, plugins have GLIBC requirements/dependencies because they have low-level C bindings required for dynamic loading. A potential solution for the future could be to also support plugin to be statically-linked at compilation time and so released as bundled in the Falco binary. Although no work started yet in this direction, this would solve most issues you reported and would provide a totally-static binary too. Of course, this would not be compatible with dynamic loading anymore, but it may be a viable solution for our static-build flavor of Falco.
  9. Memory safety is definitely a concern and we try our best to keep an high level of quality even though C++ is quite error prone. For instance, we try to use smart pointers whenever possible, we build the libraries with an address sanitizer in our CI, we run Falco through Valgrind before each release, and have ways to stress-test it to detect performance regressions or weird memory usage (e.g. https://github.com/falcosecurity/event-generator). On top of that, we also have third parties auditing the codebase by time to time. None of this make a perfect safety standpoint of course, but we try to maximize our odds. Go would definitely make our life easier from this perspective, however the tradeoffs never made it worth it so far due to the points above.
  10. The C++ codebase of falcosecurity/libs, which is at the core of Falco, is quite large and complex. Porting all that code to another language would be a major effort requiring lots of development resource and with an high chance of failure and regression. As such, our approach so far has been to choose refactors and code polishing instead, up until we'll reach an optimal level of stability, quality, and modularity, on that portion of code. This would allow further developments to be smoother and more feasibile in the future.

Resources