Introduction to Falco: A Guide to Runtime Security
Learn how to use Falco for real-time threat detection in Kubernetes and cloud environments. This guide covers installation, rule writing, and alert management.
What is Falco? The Runtime Security Engine
While tools like OPA Gatekeeper and Kyverno secure your cluster *before* workloads are created (admission control), **Falco** protects them while they are *running*. Falco is the de facto open source tool for cloud-native runtime security. It taps into kernel system calls to detect and alert on anomalous or malicious behavior inside your containers and nodes in real-time.
🎯 Core Concept
Think of Falco as a security camera with an intelligent alarm system for your running applications. It watches everything happening at the lowest level and alerts you instantly if it sees something that violates your security rules.
The Architecture of Falco
Falco's architecture is a streamlined pipeline for processing system events and generating security alerts.
Data Source: Kernel Events
Falco uses a driver, typically a kernel module or an eBPF probe, to capture a stream of system call data from the Linux kernel. This is the raw feed of every action happening on the system.
The Falco Engine
A user-space daemon processes the high-volume stream of kernel events, enriching them with metadata from Kubernetes and the container runtime (e.g., pod name, namespace, image).
Rule Processing
The enriched events are filtered through a set of rules written in a simple YAML-based syntax. If an event matches a rule's condition, Falco flags it as a security event.
Alerting
When a rule is triggered, Falco generates an alert. These alerts can be sent to multiple outputs, such as standard output, syslog, or a webhook for integration with tools like Slack or a SIEM.
Installation on Kubernetes
The official Helm chart is the easiest way to deploy Falco to a Kubernetes cluster. It automatically configures Falco to run as a DaemonSet, ensuring it protects every node.
# 1. Add the Falco Helm repository
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
# 2. Install Falco
helm install falco falcosecurity/falco \
--namespace falco \
--create-namespace
# 3. Check the logs of a Falco pod to see events
kubectl logs -n falco -l app.kubernetes.io/name=falco -fAnatomy of a Falco Rule
Falco's power comes from its flexible rule language. Understanding the structure of a rule is key to customizing Falco for your environment. Let's break down a default rule.
- rule: Write below binary dir
desc: an attempt to write to any file below a set of binary directories
condition: >
(open_write) and
(fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)) and
(not proc.name in (user_known_write_below_binary_dir_procs))
output: >
File created below binary directory by process (proc.name=%proc.name parent=%proc.pname cmdline=%proc.cmdline file=%fd.name)
priority: ERROR
tags: [filesystem, mitre_persistence]rule
A unique, descriptive name for the rule.
desc
A human-readable description of what the rule detects.
condition
The core logic. This expression is evaluated against incoming events. If it returns true, the rule triggers.
output
The format of the alert message. You can use fields like %proc.name to include details from the event.
priority
The severity level of the alert (e.g., `CRITICAL`, `ERROR`, `WARNING`).
tags
Keywords that help categorize the rule, often used for filtering or mapping to compliance frameworks.
Writing Your First Custom Rules
You can add your own rules by creating a `custom-rules.yaml` file and loading it via Helm values. Here are some practical examples.
1. Detect a Shell in a Container
This is one of the most important rules. A shell running in a container is often a sign of an interactive debugging session or an attacker who has gained access.
- rule: Shell in a container
desc: A shell was spawned in a container with an attached terminal.
condition: container.id != host and proc.name in (bash, sh, zsh) and spawned_process and tty != 0
output: "Shell spawned in a container (user=%user.name container_id=%container.id container_name=%container.name proc_name=%proc.name cmdline=%proc.cmdline)"
priority: WARNING
tags: [shell, container]2. Detect Writes to `/etc`
Changes to files in `/etc` can indicate an attempt to modify system configuration, add users, or alter SSH settings.
- rule: Write below /etc
desc: An attempt to write to a file below /etc
condition: open_write and fd.directory = /etc and not proc.name in (user_known_write_etc_procs)
output: "File created or modified in /etc by process (proc.name=%proc.name parent=%proc.pname cmdline=%proc.cmdline file=%fd.name)"
priority: ERROR
tags: [filesystem, mitre_persistence]3. Detect Unexpected Outbound Network Connections
This rule can help detect data exfiltration attempts. It triggers if a process that isn't `curl` or `wget` makes an outbound connection on a common web port.
- rule: Unexpected outbound web connection
desc: A non-HTTP client process makes an outbound HTTP/HTTPS connection.
condition: >
outbound and
(fd.port in (80, 443)) and
(container.id != host) and
(not proc.name in (curl, wget))
output: >
Unexpected outbound connection (proc.name=%proc.name container=%container.name cmdline=%proc.cmdline connection=%fd.name)
priority: NOTICE
tags: [network]Configuring and Managing Alerts
By default, Falco logs alerts to standard output. For production use, you'll want to send these alerts to a centralized location. You can configure this in your Helm chart's `values.yaml` or directly in `falco.yaml`.
# Example falco.yaml configuration for outputs
json_output: true
json_include_output_property: true
syslog_output:
enabled: true
http_output:
enabled: true
url: "https://my-webhook-endpoint.com/falco-alerts"
# You can also configure Falcosidekick for easy integration
# with Slack, Fluentd, AWS Lambda, and more.🎉 Congratulations!
You now understand the fundamentals of cloud-native runtime security with Falco. You've learned:
- ✅ How Falco uses kernel events to detect real-time threats.
- ✅ How to install Falco on a Kubernetes cluster.
- ✅ The structure of a Falco rule, including conditions and outputs.
- ✅ How to write custom rules to detect specific malicious behaviors.