Cloud Native Runtime Security
Mark Stemm 07abb89f36 Pass back warnings when loading rules
Add the notion of warnings when loading rules, which are printed if
verbose is true:

 - load_rules now returns a tuple (success, required engine version,
   error array, warnings array) instead of (true, required engine
   version) or (false, error string)
 - build_error/build_error_with_context now return an array instead of a
   string value.
 - warnings are combined across calls to load_rules_doc
 - Current warnings include:
   - a rule that contains an unknown filter
   - a macro not referred to by any rule
   - a list not referred to by any rule/macro/list

Any errors/warnings are concatenated into the exception if success was
false. Any errors/warnings will be printed if verbose is true.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2021-01-19 10:37:55 +01:00
.circleci update(.circleci): fix tag definition for ECR image push on releases 2021-01-18 15:45:52 +01:00
.github update(.github): remove stale bot in favor of lifecycle bot (prowjobs) 2020-11-23 11:24:12 -05:00
audits move audit doc 2019-12-17 09:15:41 +01:00
brand docs(brand): documenting Falco color scheme 2020-09-28 15:15:36 +02:00
cmake chore(cmake): remove unnecessary whitespace patch 2021-01-15 14:22:14 +01:00
docker update(docker): correct container labels 2020-11-23 11:26:08 -05:00
proposals docs(proposals/20200828-structured-exception-handling): indentation 2021-01-08 17:53:08 +01:00
rules rule(Create Hidden Files or Directories): Exclude exe_running_docker_save 2021-01-08 19:21:42 +01:00
scripts fix(scripts/falco-driver-loader): lsmod usage 2020-11-10 04:11:07 -05:00
test build: fix build directory for xunit tests 2020-11-05 11:49:40 -05:00
tests build: remove civetweb when minimal build 2020-09-10 15:01:07 +02:00
userspace Pass back warnings when loading rules 2021-01-19 10:37:55 +01:00
.clang-format chore: clang format following the current style 2019-07-03 09:07:00 +02:00
.cmake-format new: cmake format columns to 120 2020-01-17 19:09:31 +01:00
.gitignore chore: clean up lua from dot files 2020-10-13 05:12:00 -04:00
.luacheckrc chore: clean up lua from dot files 2020-10-13 05:12:00 -04:00
.yamllint.conf new: YAML lint configuration 2019-07-10 13:00:03 +02:00
ADOPTERS.md Add GitLab to ADOPTERS.md 2020-06-30 11:45:58 +02:00
CHANGELOG.md docs(CHANGELOG.md): release notes for 0.27.0 2021-01-18 13:15:25 +01:00
CMakeLists.txt chore(cmake/modules): avoid useless rebuild 2020-12-10 13:28:01 -05:00
COPYING docs: update COPYING 2019-10-08 16:02:26 +02:00
falco.yaml docs(falco.yaml): better explanation on "output_timeout" 2020-12-01 04:18:04 -05:00
GOVERNANCE.md docs: markdown governance 2019-09-13 12:57:17 +02:00
OWNERS docs: add myself to owners 2020-07-03 16:37:17 +02:00
README.md docs: fix a broken link of README 2021-01-07 14:58:14 +01:00
RELEASE.md docs(RELEASE.md): link the ecr images in releases 2021-01-18 16:52:02 +01:00


Want to talk? Join us on the #falco channel in the Kubernetes Slack.

Latest releases

Read the change log.

|        | development | stable |
|--------|-------------|--------|
| rpm    | rpm-dev     | rpm    |
| deb    | deb-dev     | deb    |
| binary | bin-dev     | bin    |

The Falco Project, originally created by Sysdig, is an incubating CNCF open source cloud native runtime security tool. Falco makes it easy to consume kernel events and to enrich them with information from Kubernetes and the rest of the cloud native stack. Falco ships with a rich set of security rules built specifically for Kubernetes, Linux, and cloud-native workloads. If a rule is violated on a system, Falco sends an alert notifying the user of the violation and its severity.

Installing Falco

If you would like to run Falco in production please adhere to the official installation guide.

Kubernetes

| Tool     | Link             | Note                                                               |
|----------|------------------|--------------------------------------------------------------------|
| Helm     | Chart Repository | The Falco community offers regular helm chart releases.            |
| Minikube | Tutorial         | The Falco driver has been baked into minikube for easy deployment. |
| Kind     | Tutorial         | Running Falco with kind requires a driver on the host system.      |
| GKE      | Tutorial         | We suggest using the eBPF driver for running Falco on GKE.         |

Developing

Falco is designed to be extensible such that it can be built into cloud-native applications and infrastructure.

Falco has a gRPC endpoint and an API defined in protobuf. The Falco Project supports various SDKs for this endpoint.

SDKs

| Language | Repository |
|----------|------------|
| Go       | client-go  |
| Rust     | client-rs  |
| Python   | client-py  |

What can Falco detect?

Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, Falco can easily detect incidents including but not limited to:

  • A shell is running inside a container or pod in Kubernetes.
  • A container is running in privileged mode, or is mounting a sensitive path, such as /proc, from the host.
  • A server process is spawning a child process of an unexpected type.
  • Unexpected read of a sensitive file, such as /etc/shadow.
  • A non-device file is written to /dev.
  • A standard system binary, such as ls, is making an outbound network connection.
  • A privileged pod is started in a Kubernetes cluster.
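The detections listed above are expressed as Falco rules, and the commit message at the top of this page describes how the rule loader now reports problems with such rules: load_rules returns a (success, required engine version, error array, warnings array) tuple, and warns about a rule that uses an unknown filter, a macro no rule refers to, and a list nothing refers to. The following is an added Python example, not Falco's own loader (which is written in Lua under userspace/), that implements that contract over a constructed rules document containing a "shell in container" rule. The sample rule, macro and list names, the set of known field prefixes, and the simplified tokenizer are assumptions for the illustration.

```python
import re

# Constructed sample in the shape of a Falco rules file after YAML parsing
# (a list of top-level objects). Names and conditions are assumptions for
# this illustration, not Falco's shipped rule set.
SAMPLE_RULES = [
    {"required_engine_version": 8},
    {"list": "shell_binaries", "items": ["bash", "sh", "zsh"]},
    {"list": "stale_list", "items": ["nothing_uses_me"]},
    {"macro": "container", "condition": "container.id != host"},
    {"macro": "spawned_process", "condition": "evt.type = execve and evt.dir = <"},
    {"macro": "unused_macro", "condition": "proc.name = cron"},
    {
        "rule": "Shell in container",
        "desc": "A shell was spawned inside a container",
        "condition": "spawned_process and container and proc.name in (shell_binaries)",
        "output": "Shell in container (user=%user.name container=%container.id)",
        "priority": "WARNING",
    },
    {
        "rule": "Typo in field name",
        "desc": "Condition references a field that does not exist",
        "condition": "evt.type = open and prc.nmae = passwd",
        "output": "Never fires",
        "priority": "INFO",
    },
]

# Field prefixes this toy loader accepts as known filters (assumption; the
# real loader validates fields against the engine's filter checks).
KNOWN_FIELD_PREFIXES = ("evt.", "proc.", "fd.", "container.", "k8s.", "user.")

_TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")


def _tokens(condition):
    """Split a condition into bare identifiers: fields, macro/list names, values."""
    return _TOKEN.findall(condition)


def load_rules(doc, known_field_prefixes=KNOWN_FIELD_PREFIXES):
    """Return (success, required_engine_version, errors, warnings)."""
    errors, warnings = [], []
    required_engine_version = 0
    lists, macros, rules = {}, {}, {}

    for item in doc:
        if "required_engine_version" in item:
            required_engine_version = int(item["required_engine_version"])
        elif "list" in item:
            lists[item["list"]] = [str(x) for x in item.get("items", [])]
        elif "macro" in item:
            macros[item["macro"]] = item.get("condition", "")
        elif "rule" in item:
            missing = [k for k in ("desc", "condition", "output", "priority") if k not in item]
            if missing:
                errors.append(f"Rule {item['rule']!r}: missing keys {missing}")
                continue
            rules[item["rule"]] = item["condition"]
        else:
            errors.append(f"Unknown top-level object with keys {sorted(item)}")

    # Scan rule conditions: collect macro/list references, flag unknown filters.
    pending = []
    for name, condition in rules.items():
        for tok in _tokens(condition):
            if tok in macros or tok in lists:
                pending.append(tok)
            elif "." in tok and not tok.startswith(known_field_prefixes):
                warnings.append(f"Rule {name!r}: unknown filter {tok!r}")

    # Follow references transitively (macro -> macro/list, list -> list) so
    # only objects reachable from some rule count as used.
    referenced = set()
    while pending:
        tok = pending.pop()
        if tok in referenced:
            continue
        referenced.add(tok)
        body = _tokens(macros[tok]) if tok in macros else lists[tok]
        pending.extend(t for t in body if t in macros or t in lists)

    for name in macros:
        if name not in referenced:
            warnings.append(f"Macro {name!r} is not referred to by any rule")
    for name in lists:
        if name not in referenced:
            warnings.append(f"List {name!r} is not referred to by any rule/macro/list")

    return (not errors, required_engine_version, errors, warnings)


def load_or_raise(doc, verbose=False):
    """Caller-side contract from the commit message: on failure raise with
    errors and warnings concatenated; on success print warnings if verbose."""
    success, version, errors, warnings = load_rules(doc)
    if not success:
        raise ValueError("\n".join(errors + warnings))
    if verbose:
        for w in warnings:
            print("warning:", w)
    return version
```

Running load_rules(SAMPLE_RULES) succeeds with engine version 8 and three warnings: the misspelled field in the second rule, the macro unused_macro, and the list stale_list. The first rule's macros and list are reachable from a rule and so raise no warning; a rule missing required keys turns success to False and lands in the error array rather than the warnings.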

Documentation

The Official Documentation is the best resource to learn about Falco.

Join the Community

To get involved with The Falco Project please visit the community repository to find more.

How to reach out?

Contributing

See the CONTRIBUTING.md.

Security Audit

A third-party security audit was performed by Cure53; you can see the full report here.

Reporting security vulnerabilities

Please report security vulnerabilities following the community process documented here.

License Terms

Falco is licensed to you under the Apache 2.0 open source license.