Kubernetes Security With Falco
Comprehensive runtime security for your containers with a hands-on demo
Falco is an open source runtime security tool that helps you secure a variety of environments. It was created by Sysdig and has been a CNCF project since 2018. Falco does not read log files; it taps into Linux system calls in real time through a kernel module or an eBPF probe, enriches each event with container and Kubernetes metadata, and evaluates the stream against a rules engine to alert on suspicious behaviour.
It is particularly useful for container security, especially if you run your containers on Kubernetes, where it has become one of the most widely used threat detection engines. Besides system calls, it can ingest Kubernetes API audit logs, which adds a second source for runtime threat detection and for understanding how applications and users behave in the cluster.
Because alerts can be forwarded to an HTTP endpoint (and, through Falcosidekick, to a ticketing system or a collaboration tool such as Slack), Falco also helps teams answer who did what in the cluster.
Falco works with detection rules that describe unexpected behaviour. It ships with a useful default rule set, and you can extend it with custom rules (and exceptions for known-good activity) to tighten detection for your own cluster.
Some of the things Falco can detect out of the box are the following:
- Opening of a shell session from a container
- Host path volume mount
- Reading secret and sensitive files…
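The following rules file is an added example written for this article; it is not code from the original post or from the Falco project. It shows how two of the detections listed above (a shell opened inside a container, and a read of a sensitive file) can be expressed as custom rules. It assumes Falco's default rule set is loaded as well, because it reuses the `spawned_process`, `container` and `open_read` macros that ship in `falco_rules.yaml`; the rule names, the `my_sensitive_files` list and the tags are my own choices.

```yaml
# custom_rules.yaml - added example, not from the original article or the Falco project.
# Assumes the default falco_rules.yaml is also loaded, because the macros
# spawned_process, container and open_read come from there.
# Load it alongside the defaults, e.g. by placing it in /etc/falco/rules.d/.

# A list you control: files whose reads inside a container you want to know about.
- list: my_sensitive_files
  items: [/etc/shadow, /etc/sudoers, /root/.ssh/id_rsa, /root/.ssh/authorized_keys]

# Detection 1: an interactive shell binary executed inside a container.
# spawned_process = successful execve/execveat; container = not the host.
- rule: Custom Shell Spawned in Container
  desc: An interactive shell binary was executed inside a container
  condition: >
    spawned_process and container
    and proc.name in (bash, sh, zsh, dash, ash, ksh)
  output: >
    Shell spawned in container (user=%user.name shell=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline container=%container.name image=%container.image.repository
    ns=%k8s.ns.name pod=%k8s.pod.name)
  priority: WARNING
  tags: [container, shell, custom]

# Detection 2: a process inside a container opened one of the listed files for reading.
# open_read = open/openat/openat2 with a read flag on a regular file.
- rule: Custom Sensitive File Read in Container
  desc: A process inside a container opened one of my_sensitive_files for reading
  condition: >
    open_read and container
    and fd.name in (my_sensitive_files)
    and not proc.name in (sshd, sudo)
  output: >
    Sensitive file read in container (file=%fd.name user=%user.name proc=%proc.name
    cmdline=%proc.cmdline container=%container.name image=%container.image.repository
    ns=%k8s.ns.name pod=%k8s.pod.name)
  priority: ERROR
  tags: [container, filesystem, custom]
```

Before deploying, check the syntax with `falco -V custom_rules.yaml`, which parses the file and exits. Expect the shell rule to fire on legitimate `kubectl exec -- sh` troubleshooting as well; rather than weakening the condition, add an `exceptions` entry for the specific images or namespaces where that is normal, so the rule keeps its meaning everywhere else. The `not proc.name in (sshd, sudo)` clause in the second rule is the same idea applied to the file read: a small, explicit allow-list instead of a broad one.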