Cloud Native Runtime Security
Leonardo Di Donato 3386671452 build(cmake/modules): cmake module for string-view-lite
The CMake module downloads `string-view-lite` from
https://github.com/martinmoene/string-view-lite

It is a single-file header-only version of C++17-like `string_view` for
C++98, C++03, C++11, and later.

Notice it also provides C++20 extensions like:

- empty()
- starts_with()
- ends_with()
- etc.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-05-21 18:15:46 +02:00
.circleci build: focal builder generic kernel headers 2020-05-19 16:34:58 +02:00
.github update(.github): remove examples and integrations from PR template 2020-05-15 11:27:18 +02:00
audits move audit doc 2019-12-17 09:15:41 +01:00
brand docs: updating branding 2020-03-05 10:58:43 +01:00
cmake build(cmake/modules): cmake module for string-view-lite 2020-05-21 18:15:46 +02:00
docker update(docker/falco-driver-loader): propagate all args 2020-05-18 15:16:59 +02:00
proposals update(proposals/20200506-artifacts-scope-part-2.md): resolution about image naming 2020-05-12 18:53:46 +02:00
rules rule(list allowed_k8s_users): Add vertical pod autoscaler as known k8s users 2020-05-21 10:57:42 +02:00
scripts fix(scripts/falco-driver-loader): exit when bpf download fails 2020-05-18 15:16:59 +02:00
test fix(test): correct kernel module name 2020-05-18 14:08:25 +02:00
tests new(tests/engine): update socket path 2020-05-21 18:15:46 +02:00
userspace update(userspace/falco): wrap gpr logs into falco logs 2020-05-21 18:15:46 +02:00
.clang-format chore: clang format following the current style 2019-07-03 09:07:00 +02:00
.cmake-format new: cmake format colums to 120 2020-01-17 19:09:31 +01:00
.gitignore update(docker/event-generator): remove the event-generator from the Falco repo 2020-04-24 15:40:50 +02:00
.luacheckrc new: luacheck basic config 2019-07-10 18:49:02 +02:00
.yamllint.conf new: YAML lint configuration 2019-07-10 13:00:03 +02:00
ADOPTERS.md Add Coveo to the list of Falco adopters 2020-02-07 11:47:06 +01:00
CHANGELOG.md fix(CHANGELOG.md): correct typo 2020-05-18 16:56:21 +02:00
CMakeLists.txt fix(scripts): falco-driver-loader must infer the OS ID from the host 2020-04-24 11:28:05 +02:00
CODE_OF_CONDUCT.md docs: markdown code of conduct 2019-09-13 12:57:17 +02:00
CONTRIBUTING.md docs(CONTRIBUTING.md): update slack channel URL 2020-05-20 18:07:51 +02:00
COPYING docs: update COPYING 2019-10-08 16:02:26 +02:00
falco.yaml docs: add grpc notice in falco.yaml 2020-05-21 18:15:46 +02:00
GOVERNANCE.md docs: markdown governance 2019-09-13 12:57:17 +02:00
OWNERS new: add @kris-nova to owners 2019-08-13 22:42:43 +02:00
README.md docs: badges links to bintray repos now 2020-04-08 19:11:44 +02:00
RELEASE.md docs(RELEASE.md): correct typo 2020-05-18 11:41:05 +02:00

Cloud Native Runtime Security.


The Falco Project


Latest releases

Read the change log.

Package   development   stable
rpm       rpm-dev       rpm
deb       deb-dev       deb
binary    bin-dev       bin

Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Falco audits a system at the most fundamental level, the kernel. Falco then enriches this data with other input streams such as container runtime metrics and Kubernetes metrics. Falco lets you continuously monitor and detect container, application, host, and network activity—all in one place—from one source of data, with one set of rules.

Falco is hosted by the Cloud Native Computing Foundation (CNCF) as a sandbox-level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details, read the Falco CNCF project proposal.

What kind of behaviors can Falco detect?

Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, Falco can easily detect incidents including but not limited to:

  • A shell is running inside a container.
  • A container is running in privileged mode, or is mounting a sensitive path, such as /proc, from the host.
  • A server process is spawning a child process of an unexpected type.
  • Unexpected read of a sensitive file, such as /etc/shadow.
  • A non-device file is written to /dev.
  • A standard system binary, such as ls, is making an outbound network connection.
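
The first and fourth behaviors in the list above, written as Falco rules. This is an added example, not taken from the rules shipped in the Falco repository; the `example_` list and macro names, the rule names, the priorities and the contents of both lists are assumptions made for illustration.

```yaml
# Constructed lists: adjust both to the environment being monitored.
- list: example_shell_binaries
  items: [bash, sh, zsh, ksh, csh, dash]

- list: example_shadow_readers
  items: [login, sshd, sudo, passwd]

# Exit side of execve: the new program image is in place, so proc.name
# already refers to the spawned program.
- macro: example_spawned_process
  condition: evt.type = execve and evt.dir = <

# Events from the host itself carry the container id "host".
- macro: example_in_container
  condition: container.id != host

# A regular file opened for reading.
- macro: example_open_read
  condition: >
    evt.type in (open, openat) and evt.is_open_read = true
    and fd.typechar = 'f'

# Matches on a system call (execve), on where it happened (a container)
# and on a property of the process (its name).
- rule: Example shell spawned in a container
  desc: A shell process was started inside a container.
  condition: >
    example_spawned_process and example_in_container
    and proc.name in (example_shell_binaries)
  output: >
    Shell spawned in a container (user=%user.name
    container=%container.name shell=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell]

# Matches on a system call argument (the path being opened) and excludes
# programs expected to read the file.
- rule: Example unexpected read of /etc/shadow
  desc: A program outside the allowlist opened /etc/shadow for reading.
  condition: >
    example_open_read and fd.name = /etc/shadow
    and not proc.name in (example_shadow_readers)
  output: >
    /etc/shadow opened for reading (user=%user.name program=%proc.name
    parent=%proc.pname file=%fd.name container=%container.name)
  priority: WARNING
  tags: [filesystem]
```

An allowlist keyed on `proc.name` alone matches any binary carrying that name, so it reduces noise without establishing that the reader is the expected program.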

Installing Falco

You can find the latest release downloads on the official release archive.

Furthermore, the comprehensive installation guide for Falco is available on the documentation website.

How do you compare Falco with other security tools?

One of the questions we often get when we talk about Falco is “How does Falco differ from other Linux security tools such as SELinux, AppArmor, Auditd, etc.?” We wrote a blog post comparing Falco with other tools.

Documentation

See Falco Documentation to quickly get started using Falco.

Join the Community

To get involved with The Falco Project, please visit the community repository to find out more.

License Terms

Falco is licensed to you under the Apache 2.0 open source license.

Contributing

See CONTRIBUTING.md.

Security

Security Audit

A third-party security audit was performed by Cure53; you can see the full report here.

Reporting security vulnerabilities

Please report security vulnerabilities following the community process documented here.