Falco
Definition
Falco is an open-source runtime security tool that detects anomalous activity on Linux hosts and in containerized environments such as Kubernetes clusters. Using a kernel module or eBPF probe it observes system calls as they happen, and through plugins it can also consume other event sources such as Kubernetes audit logs. Every event is evaluated against rules written in YAML, each of which combines a filter condition over event fields (for example evt.type, fd.name, proc.cmdline, container.id) with an output template, a priority and tags, so that suspicious behaviour such as unexpected network connections, writes to sensitive files, a shell spawned inside a container, or privilege escalation produces an alert in near real time on stdout, a file, syslog, gRPC or an HTTP endpoint. Falco detects and alerts; it does not block the call, so the value of a rule depends on how precisely its condition is scoped and on where its alerts are routed.
Secure Settings Example
# A Falco rules file is a top-level YAML list of rule, macro and list objects;
# there is no enclosing "rules:" key.
# open_write mirrors the macro of the same name in Falco's default ruleset
# (falco_rules.yaml) and can be dropped when that file is loaded too. Matching
# on the open-for-write event rather than on every write() syscall keeps the
# rule cheap and makes it fire once per file, which is what the output says.
- macro: open_write
  condition: (evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0)

- rule: Write below etc
  desc: Detect any file below /etc being opened for writing
  condition: open_write and fd.name startswith /etc
  output: "File below /etc directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name container=%container.id)"
  priority: WARNING
  tags: [filesystem, mitre_persistence]
# In production, exclude legitimate writers (package managers, configuration
# management agents) with a "not proc.name in (...)" clause or an exceptions
# block, otherwise routine maintenance drowns the real alerts.
Insecure Settings Example
# Weak rule: no path, process or container scoping, so it matches every
# write() on the host. Falco cannot "allow" anything, so the name grants
# nothing; the harm is the alert flood at INFO priority, which buries the
# scoped WARNING alerts above and costs CPU in Falco and in every output
# it feeds. Note that write is one of the high-volume syscalls Falco ignores
# unless started with -A (all events), so this rule is either silent or
# overwhelming, never useful.
- rule: Allow all writes
  desc: Alert on any file write operation, anywhere on the system
  condition: evt.type = write
  output: "File write operation detected (user=%user.name command=%proc.cmdline file=%fd.name)"
  priority: INFO
  tags: [filesystem]
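To make the difference between the two rule sets concrete on the receiving end, the following added example (my own code, not part of Falco or of this page) triages the JSON alert stream that Falco emits with json_output enabled: it parses one alert per line, drops everything below a chosen priority, and summarises what is left by rule. The alert lines are constructed to look like Falco's JSON output for the two rules above; they were not captured from a real host, and the hostnames, commands and paths in them are invented.

```python
"""Triage Falco JSON alerts: drop low-priority noise, summarise what remains."""
import json
from collections import Counter

# Priority names exactly as Falco writes them in JSON output, most severe first.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]
RANK = {name: i for i, name in enumerate(PRIORITIES)}

# Constructed sample in the shape of Falco's json_output lines (not real captured
# output): three Informational hits from the unscoped "Allow all writes" rule, two
# Warning hits from the scoped "Write below etc" rule, and one truncated line to
# exercise the error path (file outputs get cut mid-line on rotation or crash).
SAMPLE_OUTPUT = """
{"hostname":"node-1","priority":"Informational","rule":"Allow all writes","source":"syscall","tags":["filesystem"],"time":"2024-05-01T10:00:00.000000000Z","output":"File write operation detected (user=app command=java -jar app.jar file=/tmp/app.log)","output_fields":{"fd.name":"/tmp/app.log","proc.cmdline":"java -jar app.jar","user.name":"app"}}
{"hostname":"node-1","priority":"Informational","rule":"Allow all writes","source":"syscall","tags":["filesystem"],"time":"2024-05-01T10:00:00.100000000Z","output":"File write operation detected (user=app command=java -jar app.jar file=/tmp/app.log)","output_fields":{"fd.name":"/tmp/app.log","proc.cmdline":"java -jar app.jar","user.name":"app"}}
{"hostname":"node-1","priority":"Warning","rule":"Write below etc","source":"syscall","tags":["filesystem","mitre_persistence"],"time":"2024-05-01T10:00:01.000000000Z","output":"File below /etc directory opened for writing (user=root command=sh -c echo x >> /etc/ld.so.preload file=/etc/ld.so.preload)","output_fields":{"fd.name":"/etc/ld.so.preload","proc.cmdline":"sh -c echo x >> /etc/ld.so.preload","user.name":"root"}}
{"hostname":"node-1","priority":"Informational","rule":"Allow all writes","source":"syscall","tags":["filesystem"],"time":"2024-05-01T10:00:01.200000000Z","output":"File write operation detected (user=app command=java -jar app.jar file=/tmp/app.log)","output_fields":{"fd.name":"/tmp/app.log","proc.cmdline":"java -jar app.jar","user.name":"app"}}
{"hostname":"node-1","priority":"Warning","rule":"Write below etc","source":"syscall","tags":["filesystem","mitre_persistence"],"time":"2024-05-01T10:00:02.000000000Z","output":"File below /etc directory opened for writing (user=root command=useradd -o -u 0 backdoor file=/etc/passwd)","output_fields":{"fd.name":"/etc/passwd","proc.cmdline":"useradd -o -u 0 backdoor","user.name":"root"}}
{"hostname":"node-1","priority":"Warning","rule":"Write below etc","sou
"""


def parse_alerts(text):
    """Parse one JSON alert per line. Returns (alerts, number_of_malformed_lines).

    Malformed or structurally incomplete lines are counted rather than raised on,
    because a consumer that dies on one bad line is an easy way to blind it.
    """
    alerts, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if (not isinstance(alert, dict) or "rule" not in alert
                or alert.get("priority") not in RANK):
            malformed += 1
            continue
        alerts.append(alert)
    return alerts, malformed


def at_least(alerts, minimum):
    """Keep alerts whose priority is `minimum` or more severe (lower rank index)."""
    cutoff = RANK[minimum]
    return [a for a in alerts if RANK[a["priority"]] <= cutoff]


def count_by_rule(alerts):
    """Number of alerts per rule name; the quickest way to spot a rule that is flooding."""
    return Counter(a["rule"] for a in alerts)


def triage(text, minimum="Warning"):
    """Parse, filter at `minimum` priority and summarise a Falco JSON output stream."""
    alerts, malformed = parse_alerts(text)
    kept = at_least(alerts, minimum)
    # output_fields carries the same values the output template interpolates,
    # but as structured data, so we do not have to regex the rendered string.
    findings = [(a["rule"],
                 a.get("output_fields", {}).get("user.name"),
                 a.get("output_fields", {}).get("fd.name"))
                for a in kept]
    return {
        "total": len(alerts),
        "malformed": malformed,
        "by_rule": dict(count_by_rule(alerts)),
        "kept_by_rule": dict(count_by_rule(kept)),
        "findings": findings,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_OUTPUT, minimum="Warning")
    print("alerts seen per rule:", result["by_rule"])
    print("alerts kept at Warning+:", result["kept_by_rule"])
    for rule, user, path in result["findings"]:
        print(f"  {rule}: user={user} file={path}")
```

Run against a real deployment by piping Falco's JSON output into it (for example the file configured under file_output, or stdout from falco started with -o json_output=true). The by_rule counter is the metric to watch: when one rule accounts for nearly every line, as the unscoped write rule does here, the fix belongs in the rule's condition, not in the consumer's threshold.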