Sysdig Falco: The Open Source Behavioral Activity Monitor!

Since my last posts (Anchore & Docker Scan) were about Docker security, I thought I should continue the trend and blog about Sysdig Falco, the open source behavioral activity monitor with container support.

What is Sysdig Falco?

Sysdig Falco lets you continuously monitor and detect container, application, host, and network activity, much as you would with a combination of Snort, OSSEC, tcpdump, htop, iftop, lsof and strace. Its system call capture infrastructure lets you do all of that centrally, from a single source of data, with policies that are easy to configure and manage. Sysdig Falco’s policies are a collection of rules that act directly on the stream of system calls coming from the kernel; when a rule matches, an alert is logged to files, syslog, JSON output and/or handed to a program. Rules can also reference container and orchestration metadata such as container ids, image names, Kubernetes namespaces, services and deployments, or Mesos frameworks.
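The alert destinations mentioned above (files, syslog, JSON, programs) correspond to the output sections of Falco's main configuration file, falco.yaml. The fragment below is an added example written for this post, not the post's own configuration and not Falco's shipped default file; the log file path under file_output and the command under program_output are placeholders, and the rules file path assumes the default package layout.

```yaml
# Added example falco.yaml fragment (not the project's default file).
# Path assumes the default package layout; adjust for your install.
rules_file: /etc/falco/falco_rules.yaml

# Emit each alert as a single JSON object instead of a plain text line,
# which makes the alerts easy to ship into a SIEM or parse with jq.
json_output: true

# Falco's own diagnostics (not alerts) go to stderr and syslog.
log_stderr: true
log_syslog: true
log_level: info

# Alert destinations: any combination may be enabled at the same time.
syslog_output:
  enabled: true

file_output:
  enabled: true
  filename: /var/log/falco_events.json   # placeholder path

stdout_output:
  enabled: true

# Pipe every alert into a program of your choice (a placeholder command
# here); this is how alerts reach chat, ticketing or alerting systems.
program_output:
  enabled: false
  program: "tee -a /var/log/falco_forwarded.log"
```

Because the process reads the alert on stdin, anything that accepts piped input works as a program_output target; keep json_output enabled so the receiving side gets structured fields rather than free text.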

Behaviors that Sysdig Falco can detect:

  • A shell is run inside a container
  • A server process spawns a child process of an unexpected type
  • Unexpected read of a sensitive file (like /etc/shadow)
  • A non-device file is written to /dev (possible rootkit activity)
  • A standard system binary (like ls) makes an outbound network connection
  • Unexpected outbound ElasticSearch connection
  • Non-authorized container namespace change
  • Process other than Skype/Webex tries to access camera
  • Unexpected network inbound traffic to Cassandra

… and many more!
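Three of the behaviors in the list above (a shell run inside a container, a read of /etc/shadow, and a non-device file written under /dev) expressed as Falco rules. This is an added example written for this post, not rules taken from the post or from Falco's bundled falco_rules.yaml; the macro, list and rule names are my own, and the process allow-lists are illustrative assumptions you would tune to your environment.

```yaml
# Added example rules (not Falco's bundled falco_rules.yaml).
# Macro, list and rule names below are this example's own.

# execve seen on its return ('<' direction): a new process image is running.
- macro: spawned_process
  condition: evt.type = execve and evt.dir = <

# Any event whose container id is not the special value "host".
- macro: in_container
  condition: container.id != host

# A regular file (fd.typechar 'f') opened for reading / writing.
- macro: open_read
  condition: evt.type = open and evt.is_open_read = true and fd.typechar = 'f'
- macro: open_write
  condition: evt.type = open and evt.is_open_write = true and fd.typechar = 'f'

# Interactive shells we care about (assumed list, extend as needed).
- list: shell_binaries
  items: [sh, bash, dash, zsh, ksh, csh, tcsh, ash]

# Programs expected to read the shadow file (assumed allow-list).
- list: shadow_readers
  items: [sshd, login, su, sudo, passwd, chpasswd, unix_chkpwd]

- rule: Shell spawned in container
  desc: An interactive shell was started inside a container
  condition: spawned_process and in_container and proc.name in (shell_binaries)
  output: "Shell spawned in container (user=%user.name container=%container.name image=%container.image shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
  priority: WARNING

- rule: Read of sensitive file
  desc: A process outside the expected auth tooling read /etc/shadow
  condition: open_read and fd.name = /etc/shadow and not proc.name in (shadow_readers)
  output: "Sensitive file read (user=%user.name command=%proc.cmdline file=%fd.name container=%container.name)"
  priority: WARNING

# Device nodes are created with mknod, so a *regular* file being written
# under /dev is out of place. /dev/shm and /dev/mqueue legitimately hold
# regular files (POSIX shared memory and message queues), so exclude them
# or the rule will be noisy.
- rule: Non-device file written below dev
  desc: A regular (non-device) file under /dev was opened for writing
  condition: >
    open_write and fd.name startswith /dev/
    and not fd.name startswith /dev/shm/
    and not fd.name startswith /dev/mqueue/
  output: "Regular file written below /dev (user=%user.name command=%proc.cmdline file=%fd.name container=%container.name)"
  priority: ERROR
```

The fd.typechar = 'f' test is what separates a regular file from a device node, pipe or socket, so the /dev rule fires on a file hidden in /dev without matching ordinary writes to /dev/null or a tty. Macros keep the individual conditions short and let every rule share one definition of "inside a container"; a container's id is reported as the literal string host when the event did not originate in one.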

Sysdig Falco runs as a userspace process on normal RHEL- and Debian-based systems, on CoreOS, or inside a container. If you kill or suspend its process, you disable its operation. It looks like a robust tool with a gentle learning curve, and its base rules are good enough to start with. You can easily add rules for malicious process spawning, incorrect file access, logs and network activity, and get immediate alerts. In my short usage it was like a Swiss Army knife: detailed and stable system-wide while keeping overhead low.

Download Sysdig Falco:

Sysdig Falco v0.5.0 can be downloaded here.