CNCF announced the graduation of Falco, a runtime security tool for Linux systems and the de facto Kubernetes threat-detection engine. The project met all graduation requirements, including completing the due diligence process, undergoing a third-party security audit, and obtaining software licensing approvals.
Falco, created in 2016 by Sysdig, first entered the Cloud Native Computing Foundation (CNCF) sandbox in 2018 and was accepted as an incubation-level project in 2020. The tool provides real-time threat detection across containers, Kubernetes, hosts, and cloud services, capturing system calls through either a Linux kernel module or an eBPF probe. The open-source project integrates with over 50 third-party systems for alert notifications; alerts are delivered as JSON so they can be stored, analyzed, and used to trigger automated actions.
Falco Architecture (Source: Falco Website)
Falco allows defining rules that use Sysdig's filtering expression syntax to identify potentially suspicious activity. The example rule below detects an attempt to start a Bash shell process inside a container.

  - rule: shell_in_container
    desc: notice shell activity within a container
    condition: container.id != host and proc.name = bash
    output: shell in a container (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
    priority: WARNING
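As an added example (not code from the Falco project), the following consumer reads the newline-delimited JSON alerts Falco emits, tolerates a corrupted line, and keeps only alerts at or above a chosen priority. The two alert lines are constructed to follow the documented JSON output shape (`rule`, `priority`, `output`, `time`, `output_fields`); the function names are assumptions of this example.

```python
import json

# Falco priority levels, most to least severe (as Falco documents them).
PRIORITIES = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR",
              "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"]

# Constructed sample: newline-delimited JSON alerts in the shape Falco emits
# with json_output enabled; the first matches the shell_in_container rule
# above, the middle line is deliberately corrupt, the last is lower priority.
SAMPLE_ALERTS = (
    '{"output":"12:00:00.000000000: Warning shell in a container (user=root '
    'container_id=abc123 container_name=web shell=bash parent=runc cmdline=bash)",'
    '"priority":"Warning","rule":"shell_in_container",'
    '"time":"2024-02-29T12:00:00.000000000Z","output_fields":{"container.id":'
    '"abc123","container.name":"web","proc.name":"bash","user.name":"root"}}\n'
    'this line is not JSON and must be skipped\n'
    '{"output":"12:00:01.000000000: Notice File below /etc opened for writing",'
    '"priority":"Notice","rule":"Write below etc",'
    '"time":"2024-02-29T12:00:01.000000000Z",'
    '"output_fields":{"container.id":"host","proc.name":"apt"}}\n'
)

def priority_rank(name):
    """Lower rank is more severe; unknown names sort after DEBUG."""
    try:
        return PRIORITIES.index(name.upper())
    except ValueError:
        return len(PRIORITIES)

def parse_alerts(text):
    """Parse newline-delimited JSON alerts, skipping blank or malformed lines
    so a partial write in the log never crashes the consumer."""
    alerts = []
    for line in text.splitlines():
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(alert, dict) and "rule" in alert:
            alerts.append(alert)
    return alerts

def select_alerts(alerts, min_priority="WARNING"):
    """Return (rule, container.id, proc.name) for alerts at or above
    min_priority, most severe first, reading fields from output_fields."""
    threshold = priority_rank(min_priority)
    chosen = [a for a in alerts if priority_rank(a.get("priority", "")) <= threshold]
    chosen.sort(key=lambda a: priority_rank(a.get("priority", "")))
    return [(a["rule"], a.get("output_fields", {}).get("container.id", "host"),
             a.get("output_fields", {}).get("proc.name", "?")) for a in chosen]
```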
In 2022, Falco introduced a plugin system for defining additional event sources and event extractors. The plugin system includes SDKs to simplify development. Plugins can be written in nearly any language as long as they export the required functions. However, the preferred language for plugin development is Go, followed by C++, with SDKs released for both languages.
Falco’s Plugin Framework (Source: Falco Blog)
Loris Degioanni, creator of Falco and CTO and founder of Sysdig, commented on Falco's graduation:
The conclusion that led to Falco's development and contribution to CNCF is that runtime security must be widely accessible and seamlessly integrated across cloud-native infrastructure – you need prevention in the cloud, but threat detection is just as important. [...] I am grateful for the incredible Falco community and for surpassing this milestone within CNCF, but the Falco community has never seen graduation as the end goal — rather, just the beginning of expanding Falco use cases through its plugin system.
Chris Aniszczyk, CTO of CNCF, added:
Real-time visibility into the security of cloud-native deployments is invaluable at scale. Falco is helping to push advancements in the open-source cloud native runtime security space with eBPF, and we look forward to seeing progress in this area as the project continues to grow.