falco: monitor application behaviour

If you remember sysdig, it’s a highly useful utility to trace and profile a Linux system. The sysdig team has introduced a new utility – falco. falco extends sysdig to monitor behavioural activity on Linux and guard against anomalous activity in applications. While falco primarily targets containers, it works directly on a Linux host too.

falco can detect and alert on any behaviour that involves making Linux system calls. Alerts are defined as rules, which can be triggered by the use of specific system calls, by their arguments, and by properties of the calling process. Examples of what falco can detect:

  • A shell is run inside a container
  • A server process spawns a child process of an unexpected type
  • Unexpected read of a sensitive file (like /etc/passwd)
  • A non-device file is written to /dev
  • A standard system binary (like ls) makes an outbound network connection

Installation

To install falco on Ubuntu, run:

$ curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | sudo apt-key add -
$ sudo curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/stable/deb/draios.list
$ sudo apt-get update
$ sudo apt-get -y install linux-headers-$(uname -r)
$ sudo apt-get -y install falco

Usage

The starting point should be the sample configuration file. For first-hand info on conditions, rules and macros, refer to the readme.
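As an added illustration (not a rules file shipped with falco or from the original post), the rules below express two of the detections listed earlier, a shell started in a container and an unexpected read of a sensitive file, in falco's rule/macro/list format. The field names follow falco's sysdig-derived filter syntax; the lists of sensitive files and trusted reader processes are assumptions to adjust for your own hosts.

```yaml
# Added example rules file, not part of the falco project.
# Field names (evt.type, evt.dir, fd.name, proc.name, container.id,
# user.name, proc.cmdline) come from falco's sysdig-style filter syntax.
# The file and process lists below are assumptions; tune them per host.

# Macros are reusable condition fragments.
- macro: open_read
  condition: evt.type in (open, openat) and evt.is_open_read = true and fd.typechar = 'f'

- macro: spawned_process
  condition: evt.type = execve and evt.dir = <

- macro: container
  condition: container.id != host

- macro: shell_procs
  condition: proc.name in (sh, bash, dash, zsh, csh, ksh)

# Lists group values that several rules can reference.
- list: sensitive_files
  items: [/etc/shadow, /etc/sudoers, /etc/passwd]

- list: trusted_file_readers
  items: [sshd, login, su, sudo, passwd]

# Rule 1: a shell started inside a container.
- rule: Shell spawned in container
  desc: A shell process was started inside a container
  condition: spawned_process and container and shell_procs
  output: "Shell spawned in container (user=%user.name container=%container.id shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
  priority: WARNING

# Rule 2: a sensitive file read by a process outside the trusted list.
- rule: Read sensitive file untrusted
  desc: An unexpected process opened a sensitive file for reading
  condition: open_read and fd.name in (sensitive_files) and not proc.name in (trusted_file_readers)
  output: "Sensitive file opened for reading by untrusted process (user=%user.name command=%proc.cmdline file=%fd.name)"
  priority: WARNING
```

Save it as a rules file and point falco at it with the -r option to see matching events reported with the output line of the rule that fired.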

To start falco as a daemon, run:

$ sudo service falco start

On GitHub: falco
