Type Name Latest commit message Commit time
.circleci chore: use latest falco-tester again Jan 23, 2020
.github update(.github): remove unused kind/* label from PR template Dec 13, 2019
audits move audit doc Dec 17, 2019
brand Adding Glossary Jan 28, 2020
cmake build: fix dep version Jan 23, 2020
docker fix(docker/minimal): libyaml Jan 24, 2020
examples chore: improving naming Nov 14, 2019
integrations update(integrations): switch to 0.19.0 Jan 23, 2020
proposals Update ToC for proposals/20191217-rules-naming-convention.md Jan 7, 2020
rules Let puma reactor spawn shells Feb 3, 2020
scripts fix(scripts/rpm): substitute underscores with dashes for RPM version Jan 21, 2020
test fix(docker/tester): share rules and trace files with docker test runners Jan 23, 2020
tests Add explicit catch2 dependency for tests Oct 8, 2019
userspace fix(userspace/engine): formatting and auto declarations Feb 6, 2020
.clang-format chore: clang format following the current style Jul 3, 2019
.cmake-format new: cmake format colums to 120 Jan 17, 2020
.gitignore Removing Sysdig inc Nov 5, 2019
.luacheckrc new: luacheck basic config Jul 10, 2019
.yamllint.conf new: YAML lint configuration Jul 10, 2019
ADOPTERS.md Add Skyscanner to adopters Jan 14, 2020
CHANGELOG.md docs: update CHANGELOG with last major change for 0.19.0 Jan 23, 2020
CMakeLists.txt build: openssl cmake module (and inclusion) Jan 21, 2020
CODE_OF_CONDUCT.md docs: markdown code of conduct Sep 13, 2019
CONTRIBUTING.md docs(CONTRIBUTING): rule type subsection title Dec 4, 2019
COPYING docs: update COPYING Oct 8, 2019
GOVERNANCE.md docs: markdown governance Sep 13, 2019
OWNERS new: add @kris-nova to owners Aug 13, 2019
README.md docs: update references to branches into README Feb 3, 2020
falco.yaml docs: webserver is now enabled by default Jan 17, 2020

README.md

Cloud Native Runtime Security.


The Falco Project

Latest release

v0.19.0 Read the change log



Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Falco audits a system at the most fundamental level, the kernel. Falco then enriches this data with other input streams such as container runtime metrics and Kubernetes metrics. Falco lets you continuously monitor and detect container, application, host, and network activity, all in one place, from one source of data, with one set of rules.

Falco is hosted by the Cloud Native Computing Foundation (CNCF) as a sandbox-level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details, read the Falco CNCF project proposal.

What kind of behaviors can Falco detect?

Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, Falco can easily detect incidents including but not limited to:

  • A shell is running inside a container.
  • A container is running in privileged mode, or is mounting a sensitive path, such as /proc, from the host.
  • A server process is spawning a child process of an unexpected type.
  • Unexpected read of a sensitive file, such as /etc/shadow.
  • A non-device file is written to /dev.
  • A standard system binary, such as ls, is making an outbound network connection.
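
The three ingredients named above (the system call, its arguments, and properties of the calling process) map directly onto a Falco rule condition. The rules file below is an added example, not taken from this README or from the project's shipped rule set; it covers the first and last bullets, and every list, macro and rule name prefixed with example_ or Example is an assumption of this example.

```yaml
# Added example: a local Falco rules file (load it with `falco -r <file>`).
# All list, macro and rule names are this example's own.

# Process names treated as shells and as "standard system binaries".
- list: example_shell_binaries
  items: [bash, sh, zsh, ksh, csh, dash]

- list: example_system_binaries
  items: [ls, cat, cp, mv, rm, mkdir]

# System call selection: a completed execve (exit direction).
- macro: example_spawned_process
  condition: evt.type = execve and evt.dir=<

# Property of the calling process: it runs inside a container.
- macro: example_in_container
  condition: container.id != host

# System call plus argument: a completed connect on an IPv4 or IPv6 socket.
- macro: example_outbound
  condition: evt.type = connect and evt.dir=< and (fd.typechar = 4 or fd.typechar = 6)

- rule: Example shell in container
  desc: A shell was started inside a container
  condition: >
    example_spawned_process and example_in_container
    and proc.name in (example_shell_binaries)
  output: "Shell in container (user=%user.name container=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
  priority: WARNING
  tags: [example, container, shell]

- rule: Example system binary network connection
  desc: A standard system binary made an outbound network connection
  condition: example_outbound and proc.name in (example_system_binaries)
  output: "System binary opened a connection (user=%user.name command=%proc.cmdline connection=%fd.name)"
  priority: WARNING
  tags: [example, network]
```

Both rules alert only on the short process-name lists defined at the top, so a deployment would extend those lists and add exceptions for workloads that legitimately spawn shells.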

Installing Falco

A comprehensive installation guide for Falco is available on the documentation website.

How do you compare Falco with other security tools?

One of the questions we often get when we talk about Falco is “How does Falco differ from other Linux security tools such as SELinux, AppArmor, Auditd, etc.?” We wrote a blog post comparing Falco with other tools.

Documentation

See Falco Documentation to quickly get started using Falco.

Join the Community

To get involved with The Falco Project, please visit the community repository to find out more.

License Terms

Falco is licensed to you under the Apache 2.0 open source license.

Contributing

See CONTRIBUTING.md.

Security

Security Audit

A third-party security audit was performed by Cure53; you can see the full report here.

Reporting security vulnerabilities

Please report security vulnerabilities following the community process documented here.
