Cloud Native Runtime Security.
# The Falco Project
[](https://circleci.com/gh/falcosecurity/falco) [](https://bestpractices.coreinfrastructure.org/projects/2317) [](COPYING)
### Download
Read the [change log](CHANGELOG.md).
| | development | stable |
|--------|-----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|
| rpm | [][1] | [][2] |
| deb | [][3] | [][4] |
| binary | [][5] | [][6] |
---
The Falco Project supports a cloud-native runtime security tool, as well as ancillary projects and integrations that surround it.
Falco is a daemon that can run either directly on a host, or in a container.
Falco observes system calls at runtime and builds a model of the system in memory.
As events occur the events are parsed through a rules engine.
If a rule is violated, an alert occurs.
Alerts are dynamic and configurable using the Falco SDKs.
Falco ships with a sane set of default rules. These rules look for things like:
- A shell is running inside a container.
- A container is running in privileged mode, or is mounting a sensitive path, such as `/proc`, from the host.
- A server process is spawning a child process of an unexpected type.
- Unexpected read of a sensitive file, such as `/etc/shadow`.
- A non-device file is written to `/dev`.
- A standard system binary, such as `ls`, is making an outbound network connection.
### Installing Falco
You can find the latest release downloads on the official [release archive](https://bintray.com/falcosecurity)
Furthermore the comprehensive [installation guide](https://falco.org/docs/installation/) for Falco is available in the documentation website.
#### How do you compare Falco with other security tools?
One of the questions we often get when we talk about Falco is “How does Falco differ from other Linux security tools such as SELinux, AppArmor, Auditd, etc.?”. We wrote a [blog post](https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/) comparing Falco with other tools.
Documentation
---
See [Falco Documentation](https://falco.org/docs/) to quickly get started using Falco.
Join the Community
---
To get involved with The Falco Project please visit [the community repository](https://github.com/falcosecurity/community) to find more.
License Terms
---
Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
Contributing
---
See the [CONTRIBUTING.md](./CONTRIBUTING.md).
Security
---
### Security Audit
A third party security audit was performed by Cure53, you can see the full report [here](./audits/SECURITY_AUDIT_2019_07.pdf).
### Reporting security vulnerabilities
Please report security vulnerabilities following the community process documented [here](https://github.com/falcosecurity/.github/blob/master/SECURITY.md).
[1]: https://dl.bintray.com/falcosecurity/rpm-dev
[2]: https://dl.bintray.com/falcosecurity/rpm
[3]: https://dl.bintray.com/falcosecurity/deb-dev/stable
[4]: https://dl.bintray.com/falcosecurity/deb/stable
[5]: https://dl.bintray.com/falcosecurity/bin-dev/x86_64
[6]: https://dl.bintray.com/falcosecurity/bin/x86_64