Falco

License: Apache 2.0

Falco is an open-source cloud-native runtime security tool for Kubernetes. We use Falco to monitor and secure our Kubernetes environments, leveraging its ability to inspect system calls made by the containers and pods in our clusters. Based on a set of rules that we define, Falco will alert on any malicious or unexpected behavior.

Additionally, we use Falco Sidekick and Falco Sidekick-UI to forward events to other tools in our ecosystem, and present a web interface to quickly view the latest Falco events.

Links

• Code

  • https://github.com/falcosecurity/falco
  • https://github.com/falcosecurity/falcosidekick
  • https://github.com/falcosecurity/falcosidekick-ui

• Releases: https://github.com/falcosecurity/falco/releases

• Helm: https://github.com/falcosecurity/charts

• Documentation

  • Getting Started: https://falco.org/docs/getting-started
  • Deployment Guides: https://falco.org/docs/deployment
  • Configuration: https://falco.org/docs/configuration
  • Rules: https://falco.org/docs/rules

• Implementation

  • Config
    https://code.vt.edu/it-common-platform/infrastructure/eks-cluster/-/blob/main/cluster-bootstrap/falco.tf

  • Testing
    https://code.vt.edu/it-common-platform/testing/-/tree/main/infrastructure/eks-cluster/falco

Dashboards

aws-dvlp	falco.dvlp.aws.itcp.cloud.vt.edu	op-dvlp	falco.dvlp.op.itcp.cloud.vt.edu
aws-pprd	falco.pprd.aws.itcp.cloud.vt.edu	op-pprd	falco.pprd.op.itcp.cloud.vt.edu
aws-prod	falco.prod.aws.itcp.cloud.vt.edu	op-prod	falco.prod.op.itcp.cloud.vt.edu

Update Concerns

Falco is still in beta. Before upgrading to v1, make sure to check the online documentation for an upgrade guide.