81c53a8d29
So I might be wrong here, but I believe this is missing. I tried to build to the `docker/falco/Dockerfile` locally and push to GKE and was running into some errors getting Falco started. I checked both the GKE node, as well as the running pod and I couldn't find the script. So I think we want to include the script directly into the container. Anyway I was able to now use this Dockerfile to run my local version of Falco in GKE and load a BPF probe fine. Other thoughts: Do we want to consider pull the flags from the `falco-driver-loader` script up to the container image as an ENV or something? Other thoughts: It looks like the other container images all are based on this one so this should naturally flow down to the others. If we don't need this feel free to ignore/close. :) Signed-off-by: Kris Nova <kris@nivenly.com>
Cloud Native Runtime Security.
The Falco Project
Latest releases
Read the change log.
| development | stable | |
|---|---|---|
| rpm |  |
 |
| deb |  |
 |
| binary |  |
 |
Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Falco audits a system at the most fundamental level, the kernel. Falco then enriches this data with other input streams such as container runtime metrics, and Kubernetes metrics. Falco lets you continuously monitor and detect container, application, host, and network activity—all in one place—from one source of data, with one set of rules.
Falco is hosted by the Cloud Native Computing Foundation (CNCF) as a sandbox level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details read the Falco CNCF project proposal.
What kind of behaviors can Falco detect?
Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, Falco can easily detect incidents including but not limited to:
- A shell is running inside a container.
- A container is running in privileged mode, or is mounting a sensitive path, such as
/proc, from the host. - A server process is spawning a child process of an unexpected type.
- Unexpected read of a sensitive file, such as
/etc/shadow. - A non-device file is written to
/dev. - A standard system binary, such as
ls, is making an outbound network connection.
Installing Falco
You can find the latest release downloads on the official release archive
Furthermore the comprehensive installation guide for Falco is available in the documentation website.
How do you compare Falco with other security tools?
One of the questions we often get when we talk about Falco is “How does Falco differ from other Linux security tools such as SELinux, AppArmor, Auditd, etc.?”. We wrote a blog post comparing Falco with other tools.
Documentation
See Falco Documentation to quickly get started using Falco.
Join the Community
To get involved with The Falco Project please visit the community repository to find more.
License Terms
Falco is licensed to you under the Apache 2.0 open source license.
Contributing
See the CONTRIBUTING.md.
Security
Security Audit
A third party security audit was performed by Cure53, you can see the full report here.
Reporting security vulnerabilities
Please report security vulnerabilities following the community process documented here.