falcosecurity/falcoPublic

NotificationsYou must be signed in to change notification settings
Fork922
Star7.7k

Cloud Native Runtime Security

License

Apache-2.0, Apache-2.0 licenses found

Licenses found

7.7k stars 922 forks Branches Tags Activity

Star

Notifications

You must be signed in to change notification settings

Branches Tags

Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 4,831 Commits
.circleci		.circleci
.github		.github
audits		audits
brand		brand
cmake		cmake
config		config
docker		docker
proposals		proposals
scripts		scripts
semgrep		semgrep
submodules		submodules
tools/local_hooks		tools/local_hooks
unit_tests		unit_tests
userspace		userspace
.clang-format		.clang-format
.clang-format-ignore		.clang-format-ignore
.cmake-format.json		.cmake-format.json
.codespellignore		.codespellignore
.dockerignore		.dockerignore
.git-blame-ignore-revs		.git-blame-ignore-revs
.gitignore		.gitignore
.gitmodules		.gitmodules
.pre-commit-config.yaml		.pre-commit-config.yaml
.yamllint.conf		.yamllint.conf
ADOPTERS.md		ADOPTERS.md
CHANGELOG.md		CHANGELOG.md
CMakeLists.txt		CMakeLists.txt
COPYING		COPYING
Contributing.md		Contributing.md
LICENSE		LICENSE
Makefile		Makefile
OWNERS		OWNERS
README.md		README.md
RELEASE.md		RELEASE.md
falco.yaml		falco.yaml
rules		rules

Repository files navigation

Falco

Falco is a cloud native runtime security tool for Linux operating systems. It is designed to detect and alert on abnormal behavior and potential security threats in real-time.

At its core, Falco is a kernel monitoring and detection agent that observes events, such as syscalls, based on custom rules. Falco can enhance these events by integrating metadata from the container runtime and Kubernetes. The collected events can be analyzed off-host in SIEM or data lake systems.

Falco, originally created bySysdig, is agraduated project under theCloud Native Computing Foundation (CNCF) used in production by variousorganisations.

For detailed technical information and insights into the cyber threats that Falco can detect, visit the officialFalco website.

For comprehensive information on the latest updates and changes to the project, please refer to theChange Log.

The Falco Project

The Falco Project codebase is maintained under thefalcosecurity GitHub organization. The primary repository,falcosecurity/falco, holds the source code for the Falco binary, while other sub-projects are hosted in dedicated repositories. This approach of isolating components into specialized repositories enhances modularity and focused development. Notablecore repositories include:

falcosecurity/libs: This repository hosts Falco's core libraries, which constitute the majority of the binary’s source code and provide essential features, such as kernel drivers.
falcosecurity/rules: It contains the official ruleset for Falco, offering pre-defined detection rules for various security threats and abnormal behaviors.
falcosecurity/plugins: This repository supports integration with external services through plugins that extend Falco's capabilities beyond syscalls and container events, with plans for evolving specialized functionalities in future releases.
falcosecurity/falcoctl: A command-line utility designed for managing and interacting with Falco.
falcosecurity/charts: This repository provides Helm charts for deploying Falco and its ecosystem, simplifying the installation and management process.

For further insights into our repositories and additional details about our governance model, please visit the official hub of The Falco Project:falcosecurity/evolution.

Getting Started with Falco

If you're new to Falco, begin your journey with ourGetting Started guide. For production deployments, please refer to our comprehensiveSetup documentation.

As final recommendations before deploying Falco, verify environment compatibility, define your detection goals, optimize performance, choose the appropriate build, and plan for SIEM or data lake integration to ensure effective incident response.

Demo Environment

A demo environment is provided via a docker-compose file that can be started on a docker host which includes falco, falcosidekick, falcosidekick-ui and its required redis database. For more information see thedocker-compose section

Join the Community

To get involved with the Falco Project please visit theCommunity repository to find more information and ways to get involved.

If you have any questions about Falco or contributing, do not hesitate to file an issue or contact the Falco maintainers and community members for assistance.

How to reach out?

Join the#falco channel on theKubernetes Slack.
Join theFalco mailing list.
File anissue or make feature requests.

Commitment to Falco's Own Security

Full reports of various security audits can be foundhere.

In addition, you can refer to thefalco andlibs security sections for detailed updates on security advisories and policies.

To report security vulnerabilities, please follow the community process outlined in the documentation foundhere.

Building

For comprehensive, step-by-step instructions on building Falco from source, please refer to theofficial documentation.

Testing

Expand Testing Instructions

Falco'sBuild Falco from source is the go-to resource to understand how to build Falco from source. In addition, thefalcosecurity/libs repository offers additional valuable information about tests and debugging of Falco's underlying libraries and kernel drivers.

Here's an example of acmake command that will enable everything you need for all unit tests of this repository:

cmake \-DUSE_BUNDLED_DEPS=ON \-DBUILD_LIBSCAP_GVISOR=ON \-DBUILD_BPF=ON \-DBUILD_DRIVER=ON \-DBUILD_FALCO_MODERN_BPF=ON \-DCREATE_TEST_TARGETS=ON \-DBUILD_FALCO_UNIT_TESTS=ON ..;

Build and run the unit test suite:

nproc=$(grep processor /proc/cpuinfo| tail -n 1| awk'{print $3}');make -j$(($nproc-1)) falco_unit_tests;# Run the testssudo ./unit_tests/falco_unit_tests;

Optionally, build the driver of your choice and test run the Falco binary to perform manual tests.

Lastly, The Falco Project has moved its Falco regression tests tofalcosecurity/testing.

How to Contribute

Please refer to theContributing guide and theCode of Conduct for more information on how to contribute.

FAQs

Why is Falco in C++ rather than Go or {language}?

Expand Information

The first lines of code at the base of Falco were written some time ago, where Go didn't yet have the same level of maturity and adoption as today.
The Falco execution model is sequential and mono-thread due to the statefulness requirements of the tool, and so most of the concurrency-related selling points of the Go runtime would not be leveraged at all.
The Falco code deals with very low-level programming in many places (e.g. some headers are shared with the eBPF probe and the Kernel module), and we all know that interfacing Go with C is possible but brings tons of complexity and tradeoffs to the table.
As a security tool meant to consume a crazy high throughput of events per second, Falco needs to squeeze performance in all hot paths at runtime and requires deep control on memory allocation, which the Go runtime can't provide (there's also garbage collection involved).
Although Go didn't suit the engineering requirements of the core of Falco, we still thought that it could be a good candidate for writing Falco extensions through the plugin system. This is the main reason we gave special attention and high priority to the development of the plugin-sdk-go.
Go is not a requirement for having statically-linked binaries. In fact, we provide fully-static Falco builds since few years. The only issue with those is that the plugin system can't be supported with the current dynamic library model we currently have.
The plugin system has been envisioned to support multiple languages, so on our end maintaining a C-compatible codebase is the best strategy to ensure maximum cross-language compatibility.
In general, plugins have GLIBC requirements/dependencies because they have low-level C bindings required for dynamic loading. A potential solution for the future could be to also support plugin to be statically-linked at compilation time and so released as bundled in the Falco binary. Although no work started yet in this direction, this would solve most issues you reported and would provide a totally-static binary too. Of course, this would not be compatible with dynamic loading anymore, but it may be a viable solution for our static-build flavor of Falco.
Memory safety is definitely a concern and we try our best to keep an high level of quality even though C++ is quite error prone. For instance, we try to use smart pointers whenever possible, we build the libraries with an address sanitizer in our CI, we run Falco through Valgrind before each release, and have ways to stress-test it to detect performance regressions or weird memory usage (e.g.https://github.com/falcosecurity/event-generator). On top of that, we also have third parties auditing the codebase by time to time. None of this make a perfect safety standpoint of course, but we try to maximize our odds. Go would definitely make our life easier from this perspective, however the tradeoffs never made it worth it so far due to the points above.
The C++ codebase of falcosecurity/libs, which is at the core of Falco, is quite large and complex. Porting all that code to another language would be a major effort requiring lots of development resource and with an high chance of failure and regression. As such, our approach so far has been to choose refactors and code polishing instead, up until we'll reach an optimal level of stability, quality, and modularity, on that portion of code. This would allow further developments to be smoother and more feasibile in the future.

What's next for Falco?

Stay updated with Falco's evolving capabilities by exploring theFalco Roadmap, which provides insights into the features currently under development and planned for future releases.