github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-08 12:19:09 +00:00
Code Issues Projects Releases Wiki Activity

docs(README.md): moving section on top

Browse Source 
I am co-authoring original authors to keep their credits.

Co-Authored-by: Kris Nova <kris@nivenly.com>
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Co-Authored-By: Massimiliano Giovagnoli <massimiliano.giovagnoli.1992@gmail.com>
Co-Authored-By: Jonah Jones <jonahjones094@gmail.com>
Co-Authored-By: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
This commit is contained in:
Leonardo Grasso 2022-03-15 10:20:32 +01:00 committed by poiana
parent 36acd6dfbf
commit 5ff9101b95
1 changed files with 14 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
README.md
View File

@ -62,6 +62,20 @@ Falco makes it easy to consume kernel events, and enrich those events with infor
Falco has a rich set of security rules specifically built for Kubernetes, Linux, and cloud-native. Falco has a rich set of security rules specifically built for Kubernetes, Linux, and cloud-native.
If a rule is violated in a system, Falco will send an alert notifying the user of the violation and its severity. If a rule is violated in a system, Falco will send an alert notifying the user of the violation and its severity.
### What can Falco detect?
Falco can detect and alert on any behavior that involves making Linux system calls.
Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process.
For example, Falco can easily detect incidents including but not limited to:
- A shell is running inside a container or pod in Kubernetes.
- A container is running in privileged mode, or is mounting a sensitive path, such as `/proc`, from the host.
- A server process is spawning a child process of an unexpected type.
- Unexpected read of a sensitive file, such as `/etc/shadow`.
- A non-device file is written to `/dev`.
- A standard system binary, such as `ls`, is making an outbound network connection.
- A privileged pod is started in a Kubernetes cluster.
### Installing Falco ### Installing Falco
If you would like to run Falco in **production** please adhere to the [official installation guide](https://falco.org/docs/getting-started/installation/). If you would like to run Falco in **production** please adhere to the [official installation guide](https://falco.org/docs/getting-started/installation/).
@ -90,21 +104,6 @@ The Falco Project supports various SDKs for this endpoint.
| Rust | [client-rs](https://github.com/falcosecurity/client-rs) | | Rust | [client-rs](https://github.com/falcosecurity/client-rs) |
| Python | [client-py](https://github.com/falcosecurity/client-py) | | Python | [client-py](https://github.com/falcosecurity/client-py) |
### What can Falco detect?
Falco can detect and alert on any behavior that involves making Linux system calls.
Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process.
For example, Falco can easily detect incidents including but not limited to:
- A shell is running inside a container or pod in Kubernetes.
- A container is running in privileged mode, or is mounting a sensitive path, such as `/proc`, from the host.
- A server process is spawning a child process of an unexpected type.
- Unexpected read of a sensitive file, such as `/etc/shadow`.
- A non-device file is written to `/dev`.
- A standard system binary, such as `ls`, is making an outbound network connection.
- A privileged pod is started in a Kubernetes cluster.
### Documentation ### Documentation
The [Official Documentation](https://falco.org/docs/) is the best resource to learn about Falco. The [Official Documentation](https://falco.org/docs/) is the best resource to learn about Falco.