Falco: A Beginner’s Guide

by | 10.10.2021 | Engineering

The rise of internet applications has gone hand in hand with strong security software, keeping the ongoing fight against spam, attacks and other unscrupulous behaviour effective. Security is an important pillar of modern internet applications and, as users will realize, is treated as a major component on the same level as development and deployment.

One of the best cloud native applications participating in this fight against security threats and attacks is Falco. Created by Sysdig in 2016, it was accepted into the Cloud Native Computing Foundation (CNCF) as the first runtime security project at the incubation level. Falco's primary strength lies in tracking and detecting unexpected behaviour in running applications, alerting users and allowing them to respond with appropriate mitigation measures.

Falco Architecture
Falco and its deployment architecture Source: Sysdig

Falco Facts: Important Details For Beginners

Kubernetes security only grows more complex as Kubernetes is adopted throughout the internet. Security measures for such applications can be grouped into preventive and detective categories. One of the bigger reasons for this complexity is the presence of multiple moving layers in a cloud native stack, which leads operators to neglect security early on during development.

Another reason may be the lack of security by default in some Kubernetes distributions, contrary to what operators assume. Falco shines in resolving these issues by detecting and alerting on behaviour observed through Linux system calls. This alerting is made possible by a set of rules written with Sysdig's filtering expressions to describe potentially suspicious activity. Users can write rules that match specific calls, the arguments of those calls and the properties of the calling process.

This makes it possible to detect events such as a shell being spawned inside a container, a container being run in privileged mode, or a read of sensitive files. Falco can also forward its alerts to channels, platforms and tools such as Slack, Fluentd, and NATS.

Falco also provides intrusion and anomaly detection for platforms and brings modern solutions that bridge the defence gap left in Kubernetes clusters. Some of its larger applications include monitoring events directly in clusters, such as:

  1. Outgoing connections to specific IPs or domains.
  2. Instances or events that use or mutate sensitive files such as /etc/passwd.
  3. Events where system binary files are executed such as su.
  4. Occurrences where file access privileges are escalated or changed to the namespace.
  5. Major modifications in certain folders such as /sbin.

How Falco Does What It Does

Falco uses open source Linux kernel instrumentation to monitor the stream of system calls generated by operations and applications through the kernel. Since Falco itself runs in user space, it can enrich the data it tracks from that stream with other input streams such as container runtime metadata and Kubernetes metadata.

In the following example, we can see how Falco expresses a rule as a filter that is applied to each system call, thus monitoring all matching events that occur in the kernel:

- rule: shell_in_container
  desc: notice shell activity within a container
  condition: container.id != host and proc.name = bash
  output: shell in a container (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING

Falco Defensive System
Structure of defensive systems Source: InfraCloud

Falco also supports macros: reusable condition snippets that are declared once in a rules file and can then be referenced by name within the conditions of multiple rules, or built up from other macros. Lists are another supported syntax type: a named collection of items (file names, process names, addresses) that a condition can match against, which keeps rules for file access and monitoring short and easy to maintain.
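The rules file below is an added example, not part of the original article or of the Falco project's default ruleset. It ties together the two ideas discussed so far: the monitored events listed earlier (mutation of sensitive files such as /etc/passwd, execution of su, modifications under /sbin, outgoing connections to specific IPs) and the list and macro syntax just described. The list, macro and rule names are illustrative, and the IP addresses are constructed sample values; the field names (evt.type, evt.dir, evt.is_open_write, fd.name, fd.directory, fd.sip, proc.name, container.id) are standard Falco filter fields.

```yaml
# Added example rules file. Names of lists, macros and rules are illustrative;
# field names and operators are Falco's own filter syntax.

# Lists: named collections that conditions can match against with "in (...)".
- list: sensitive_files
  items: [/etc/passwd, /etc/shadow, /etc/sudoers]

- list: system_binary_dirs
  items: [/sbin, /usr/sbin]

# Constructed sample addresses (TEST-NET ranges), not real infrastructure.
- list: watched_ips
  items: ["203.0.113.10", "198.51.100.25"]

# Macros: reusable condition fragments referenced by name in rule conditions.
- macro: open_write
  condition: evt.type in (open, openat, openat2) and evt.is_open_write=true and fd.typechar='f'

- macro: in_container
  condition: container.id != host

- macro: outbound_connect
  condition: evt.type = connect and evt.dir = <

# Rule 1: a process opened one of the sensitive files for writing.
- rule: Write to sensitive file
  desc: a process opened a file from the sensitive_files list for writing
  condition: open_write and fd.name in (sensitive_files)
  output: >
    sensitive file opened for writing (user=%user.name file=%fd.name
    proc=%proc.name cmdline=%proc.cmdline container=%container.name)
  priority: WARNING
  tags: [filesystem]

# Rule 2: the su binary was executed inside a container (exit of execve).
- rule: su executed in container
  desc: privilege change via su inside a container
  condition: in_container and evt.type = execve and evt.dir = < and proc.name = su
  output: >
    su run inside container (user=%user.name parent=%proc.pname
    cmdline=%proc.cmdline container_id=%container.id container_name=%container.name)
  priority: NOTICE
  tags: [process]

# Rule 3: a file under a system binary directory was modified.
- rule: Modification under system binary directory
  desc: write to a file in /sbin or /usr/sbin
  condition: open_write and fd.directory in (system_binary_dirs)
  output: >
    system binary directory modified (user=%user.name file=%fd.name
    proc=%proc.name container=%container.name)
  priority: ERROR
  tags: [filesystem]

# Rule 4: an outgoing connection to one of the watched addresses.
- rule: Outbound connection to watched address
  desc: a process connected to an IP listed in watched_ips
  condition: outbound_connect and fd.sip in (watched_ips)
  output: >
    connection to watched address (user=%user.name dest=%fd.sip
    proc=%proc.name cmdline=%proc.cmdline container=%container.name)
  priority: WARNING
  tags: [network]
```

Saved as a separate file, this ruleset can be loaded in addition to the default rules with the -r option of the falco binary. Note how each rule's condition stays a single readable line because the file-open and connection logic lives in macros and the matched values live in lists, so adding another sensitive path or address is a one-item change rather than a rewrite of every rule.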

Hits & Misses: What Falco Gets Right And Wrong

Falco is a mammoth of the industry that has proven its merits in protecting workloads across many sectors. It's no surprise that it's one of the favoured choices for monitoring and defending crypto-applications online along with financial exchange networks and identity logs for user protection. The community has, over time, given the platform an edge by resolving compatibility issues and adding plugins for newer systems. It recently applied changes for gRPC compatibility and even released lightweight versions that can be run on the most complex of systems. This has given Falco an almost 'plug and play' feel, where users simply need to run a few commands to run it on their current kernels and let the system do its work.

Where Falco currently falters is in the same pitfalls that most microservice applications suffer from. For one, plugin support for heavier applications with real-time processing and anomaly detection is still some way off, though one the community keeps working on. Users have also in the past raised concerns about the potential for kernel manipulation and about response times against suspicious behaviour. All this may stick out like a sore thumb, and the open source nature of the project means that getting errors and issues resolved through the community may not be as expedient as with paid applications.

Falco: Important Components To Keep In Mind

Falco runs on Linux and instruments the kernel at its core. It uses its own drivers to capture system calls and the operational changes made by applications. This is done with the purpose of keeping users well informed about any change that generates a system call, so they can respond in time before serious attacks take effect.

Since containers on a host usually share one kernel, it is possible to monitor the system calls of all the containers created on or linked through that host. It is important to remind users that this cannot be fully realized with more isolated container hosts that do not share a kernel or use different runtimes. This brings us to the major components to keep in mind when running Falco for the first time on a typical Kubernetes cluster:

Kernel module (the default)

This is the default driver: a kernel module compiled for the kernel of the host where Falco will run, which captures system calls and hands them to Falco for monitoring.

eBPF probe

A sandboxed program that runs inside the kernel rather than a loadable module, which suits virtual servers and managed nodes where loading kernel modules is restricted. Users do not need to load the main kernel module, but it requires a newer kernel that supports eBPF. It is not supported on several currently managed services.

Userspace instrumentation

An application built directly in user space to process log files, events, metadata and other information gathered from the kernel. This is where users interact with plugins and configure the outputs that receive alerts for suspicious or strange behaviour.

Falco Source
Methods for defensive operations on Falco Source: Sysdig

Final Verdict

A juggernaut of the industry that still has much to learn and apply from the greats, Falco's benefits and accomplishments should not be forgotten, especially within the context of the CNCF. It's a well celebrated defensive platform with a 'Swiss army knife' level of knick-knacks and gadgets for users to protect their applications against spam, malware, hackers and suspicious elements.

Some users may be put off by the sudden jump in the learning curve once they begin to master Falco, but the payoff is worth the struggle. As always, check out the community and look through the documentation to get a clearer understanding of how Falco can help you. Tune in again as we discuss more applications in future editions. Tune into the hands-on labs to play around and learn Falco.

Happy Learning!
