gitmyhub

falco

C++ ★ 9.1k updated 3d ago

Cloud Native Runtime Security

A runtime security tool for Linux and Kubernetes that monitors system calls and raises alerts when suspicious behavior is detected, like a shell spawning inside a container.

C++ · Linux · Kubernetes · eBPF · Helm · setup: hard · complexity 4/5

Falco is a security monitoring tool for Linux that watches what is happening inside a running system and raises alerts when something looks suspicious or unexpected. It focuses on runtime security, meaning it catches problems while software is actually running, rather than scanning code ahead of time. It was originally created by Sysdig and is now a graduated project under the Cloud Native Computing Foundation, which is the same organization that oversees Kubernetes and many other tools used in modern cloud infrastructure.

At its core, Falco monitors Linux system calls, which are the requests that every program makes to the operating system when it wants to read a file, open a network connection, spawn a new process, or do almost anything that requires the kernel. Falco compares those calls against a set of user-defined rules, and when a call matches a suspicious pattern, it generates an alert. Rules can be written to catch things like a shell being spawned inside a container, a process writing to a sensitive file, or unusual network activity.

Falco is designed for environments that run containers and Kubernetes. It can attach metadata from the container runtime and from the Kubernetes API to each event, so alerts include context like which pod, namespace, or container was involved. Collected events can be forwarded to security information and event management systems or data warehouses for longer-term analysis.
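The two patterns mentioned above (a shell spawned inside a container, a process writing to a sensitive file) expressed in Falco's YAML rule format. This is an added example written for this page, not a rule from the project's official rules repository; the macro, list and rule names are chosen here, and the `%k8s.*` output fields assume Kubernetes metadata enrichment is enabled.

```yaml
# Added example: custom Falco rules (not the project's official rules).
# Macros and lists are given page-specific names so they do not collide
# with macros of the same purpose in the default rules file.
- macro: ex_spawned_process
  condition: evt.type in (execve, execveat) and evt.dir = <

- macro: ex_in_container
  condition: container.id != host

- macro: ex_open_write
  condition: evt.type in (open, openat, openat2) and evt.is_open_write = true

- list: ex_shell_binaries
  items: [bash, sh, zsh, dash, ash]

- list: ex_sensitive_files
  items: [/etc/shadow, /etc/passwd, /etc/sudoers, /etc/pam.conf]

- rule: Example Shell Spawned in Container
  desc: >
    A shell process started inside a container. Interactive shells are
    rarely part of a containerised workload and usually mean an operator
    bypassed change control or an attacker obtained execution.
  condition: >
    ex_spawned_process and ex_in_container
    and proc.name in (ex_shell_binaries)
    and not proc.pname in (ex_shell_binaries)
  output: >
    Shell spawned in container (user=%user.name shell=%proc.name
    parent=%proc.pname cmdline=%proc.cmdline container_id=%container.id
    container_name=%container.name pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [container, shell, mitre_execution]

- rule: Example Sensitive File Written in Container
  desc: >
    A process inside a container opened a credential or privilege file for
    writing. Legitimate workloads almost never modify these at runtime.
  condition: >
    ex_open_write and ex_in_container
    and fd.name in (ex_sensitive_files)
  output: >
    Sensitive file opened for writing (file=%fd.name user=%user.name
    proc=%proc.name cmdline=%proc.cmdline container_id=%container.id
    pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: ERROR
  tags: [container, filesystem, mitre_persistence]
```

The `not proc.pname in (ex_shell_binaries)` clause suppresses the alert for shells launched by another shell (sub-shells in entrypoint scripts), which is the most common source of noise for this rule.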

The project is organized across several GitHub repositories. The main Falco binary lives here, but the core libraries, official rules, plugin integrations, and Helm charts for Kubernetes deployment are maintained in separate companion repositories. A command-line management tool called falcoctl handles tasks like installing and updating rules. The project includes audit reports and a documented vulnerability disclosure process.

Where it fits