
Falco joins CNCF Sandbox.

Security is a key consideration for any organization seeking to standardize and scale their cloud-native platforms. Falco, the behavioral activity monitoring tool from Sysdig, is becoming a popular option for open source container runtime security on cloud-native platforms built using Kubernetes, Cloud Foundry, and OpenShift.

The Falco project has grown massively in the last year, and at Sysdig we’ve been seeking new ways to scale, increase contributions, improve project governance, and enhance the end-user experience. Given that the Cloud Native Computing Foundation (CNCF) is the widely-recognized home for projects seeking to scale their usefulness to the community, we’re excited that moving forward Falco will be hosted by the CNCF as part of their cloud-native Sandbox.

Falco’s approach to cloud-native security.

Falco was born from Sysdig, an open source project originally created by Loris Degioanni.

Sysdig takes a revolutionary approach to troubleshooting and performance analysis by combining concepts from tools like strace, DTrace, tcpdump, and Wireshark. Sysdig’s ability to tap into the Linux kernel via tracepoints allows it to treat Linux system calls as an event stream. This event stream is then analyzed in real-time or offline via capture files, much like tcpdump and Wireshark. It also provides a rich filtering language to query event streams for virtually any type of event, file, network connection, container, process, and more.

Sysdig also incorporates the ability to pull metadata from various sources, such as the container runtime engine and Kubernetes. This enriches events with information such as the container name and Kubernetes resource information including the pod, deployment, services, namespaces, and more.

Falco expands on the concept of a host-level event stream by layering a rules engine on top of the event stream. This engine allows end users to use the Sysdig filter language to write rules that detect abnormal behaviors.

When an abnormal event occurs, Falco can send a security alert to a variety of different destinations, including third-party systems. Rules can incorporate the metadata pulled from the container runtime and orchestration platform, which allows Falco users to write rules for particular container images, Kubernetes namespaces, Kubernetes deployments, and more.

In this example, a Falco rule raises a security alert when it detects a process reading a secret file more than five seconds after the process started (the proc_is_new macro excludes reads that happen during the first five seconds):

- macro: proc_is_new
  condition: proc.duration <= 5000000000

- rule: Read secret file after startup
  desc: >
    an attempt to read any secret file (e.g. files containing user/password/authentication
    information). Processes might read these files at startup, but not afterwards.
  condition: fd.name startswith /etc/secrets and open_read and not proc_is_new
  output: >
    Sensitive file opened for reading after startup (user=%user.name
    command=%proc.cmdline file=%fd.name)
  priority: WARNING
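The rule above keys only on the file path. As an added example (not a rule set from the original post or from the Falco project), the file below shows how the container and Kubernetes metadata described earlier scopes a rule to a namespace and an image. The proc.*, fd.*, container.* and k8s.* fields are standard Falco filter fields; the two helper macros are simplified restatements of the ones shipped in Falco's default rules, and the image name and namespaces are constructed placeholders.

```yaml
# Added example, not from the original post. Helper macros are written out
# here (simplified from Falco's default rules) so the file stands alone.
- macro: open_read
  condition: (evt.type in (open, openat) and evt.is_open_read=true and fd.typechar='f')

- macro: spawned_process
  condition: evt.type = execve and evt.dir=<

- list: shell_binaries
  items: [bash, sh, zsh, dash]

# Constructed placeholder image; a workload that should never need a shell.
- list: payment_images
  items: ["example.com/payments/api"]

- rule: Shell spawned in payment container
  desc: >
    A shell was executed inside a container built from the payment API image
    in the production namespace. Those workloads are expected to run only the
    service binary, so any interactive shell is treated as abnormal.
  condition: >
    spawned_process and container.id != host
    and k8s.ns.name = "production"
    and container.image.repository in (payment_images)
    and proc.name in (shell_binaries)
  output: >
    Shell spawned in payment container (user=%user.name shell=%proc.name
    parent=%proc.pname cmdline=%proc.cmdline container=%container.name
    image=%container.image.repository pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [container, shell, k8s]

- rule: Secret read outside kube-system
  desc: >
    Same sensitive-file idea as above, but scoped by namespace: reads under
    /etc/secrets are only expected from system components in kube-system.
  condition: >
    open_read and fd.name startswith /etc/secrets
    and container.id != host and not k8s.ns.name = "kube-system"
  output: >
    Secret file read outside kube-system (user=%user.name file=%fd.name
    command=%proc.cmdline pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [container, filesystem, k8s]
```

The k8s.* fields are only populated when Falco is run with Kubernetes metadata enabled; without it the namespace and pod conditions simply never match.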

In cloud-native environments where application workloads tend to be highly dynamic and ephemeral, Falco is able to quickly detect new application containers and hosts, apply the appropriate rules, and create a security alert based on abnormal behavior. As container instances are destroyed, Falco can provide teams with an audit trail of any abnormal events that might have occurred during the lifespan of that container. Coupled with other cloud-native projects like Fluentd, NATS, Kubeless, and more, Falco can provide a complete security solution for the runtime environment.

To see a real-world example of Falco in action, read what the Cloud.gov team has done to incorporate Falco into their Cloud Foundry-based PaaS offering—or watch innovation specialist Bret Mogilefsky talk about it here.

What this means for the future of Falco.

The CNCF has four goals for its cloud-native Sandbox projects:

  • Encourage public visibility of projects that can add value to the CNCF mission
  • Facilitate alignment with existing CNCF projects
  • Nurture projects
  • Remove possible legal and governance obstacles to adoption and contribution

For Falco, this hopefully means a more vibrant contributor and end-user community.

Additionally, we hope to bring to the forefront the security challenges of running a cloud-native platform while continuing to provide education on overcoming these challenges. The Falco team has already embarked upon this mission with their work on defining a cloud-native security landscape.

Becoming a member of the CNCF Sandbox project has also inspired us to create some new features to help Falco better integrate into the cloud-native ecosystem. For instance, Kubernetes audit events already provide a rich source of events on activities taking place inside a Kubernetes cluster. That’s why we’ll be adding support for Kubernetes audit events to allow Falco to detect abnormal activity from kubectl and the Kubernetes API server. This will also allow us to expose a metrics endpoint so Prometheus can pull data on Falco alerts. With this update, users will be able to see how many Falco alerts fired, how many alerts fired per rule, and much more useful data.

Falco moves to an Apache license.

As part of entering the CNCF as a Sandbox project, we have moved Falco to Apache License, Version 2.0.

We feel this change is positive for the broader cloud-native community as it allows Falco to be incorporated into more platforms with fewer of the challenges associated with disparate licenses. We’ll also be relicensing Falco’s sister project, Sysdig, to an Apache License.

A new home for Falco.

We’re excited to move Falco’s code and website to a new vendor-neutral home! The Falco code base can now be found in the falcosecurity GitHub organization and the redesigned website can be accessed at falco.org. We plan to add a blog and other useful resources to the new-and-improved Falco website in the coming weeks. Eventually, we’ll even move Falco’s Slack channel to a vendor-neutral home, so stay tuned for that.

We at Sysdig are very excited to continue and expand our involvement with broader open source communities. Since the early days of tools like Wireshark, WinPcap, and Sysdig our team has passionately supported the open source philosophy. We hope that Falco becoming part of the CNCF Sandbox will expand its potential use cases, expand our contributor base, strengthen our end-user community, and ultimately contribute to making cloud-native applications more secure.

Check out the Sysdig blog to learn more about Falco or watch our webinar to learn how to use Falco to secure Kubernetes with Google Kubernetes Engine (GKE).
