What is Falco?


Falco is an open-source runtime security platform that allows you to detect and respond to suspicious behavior within Linux containers and applications.

The Falco cloud-native project, which is currently under the CNCF, was originally designed by Sysdig to work with Kubernetes, but it is not limited to Kubernetes. Falco can also provide runtime security monitoring for other container orchestration platforms and standalone container deployments.

The purpose of Falco is to detect and alert on suspicious activity by monitoring the behavior of the Linux kernel and container runtime. It monitors Linux kernel system calls and flags any unusual activity based on user-defined rules. It can also detect anomalous processes within running containers as well as attempts to exploit container escape vulnerabilities or gain access to sensitive data.

Finally, Falco’s service context feature allows it to track deployments and changes in the environment.

Benefits of Runtime Security

Due to the dynamic and transient nature of some workloads in a Kubernetes environment, static scanning and other traditional security measures are impractical.

Furthermore, because Kubernetes is a complex, dynamic system, it is challenging to stay on top of potential security risks. Runtime security, or the ability to monitor behavior in real-time, is thus required to quickly identify and address security issues.

Runtime security is critical for a number of reasons:

  • For starters, it aids in the prevention of malicious activities such as container breakouts, privilege escalation, and network attacks.
  • Second, it aids in the enforcement of regulations such as HIPAA and PCI DSS.
  • Finally, runtime security adds an extra layer of defense against vulnerabilities and exploits that static analysis or vulnerability scanners may miss.

Runtime security is a significant step for modern organizations because it can protect applications and workloads from unauthorized access, malicious or unintentional changes, and suspicious behavior that could indicate an attack. As a result, Falco adds an extra layer of security to your applications and Kubernetes clusters.

Falco also makes use of plugins to expand its capabilities, providing visibility into key components such as Docker containers and kube-proxy logs.

Finally, with the addition of Falcosidekick – a user interface for displaying all Falco-monitored events – you can gain even more insight into your environment’s activities and feel more confident in its security.

What does Falco do?

With Falco, you will have greater visibility into suspicious activities occurring in your environment and be better able to protect against malicious actors and other threats. Not only does it detect malicious behavior, but it can also help you find performance issues or misconfigurations.

Falco monitors system calls (the low-level interface between the kernel, user applications, and the hardware) and checks them against a set of rules to determine if any activity should be flagged as suspicious.

The system rules tell Falco how to interpret the data that it collects from the syscalls so that it triggers an alert when there is something unusual happening on your system (i.e., when it finds an activity that violates the rules).

Falco works with various elements (such as rules, alerts, and plugins) as well as external components like Falcosidekick. Falco’s rules are open-source and highly extensible, so you can customize them as you wish to meet your specific needs. Additionally, Falco works with plugins to extend its capabilities even further by adding additional data sources for alerts or providing support for more specific types of alerts.

Finally, Falcosidekick is a visualization tool that helps you better understand what’s happening in your environment by visualizing events triggered by Falco alerts in real-time. With this tool, you can quickly identify loud events or detect outliers or trends in alerts over time that could indicate malicious activity or performance issues within your system.

Falco Rules and Alerts explained

When you think of security, you often think of firewalls, antiviruses, and encryption standards. But what about at the application runtime? That’s where Falco comes in! Falco works by monitoring syscalls (system calls) and checking them against its rules.

If something doesn’t match up with Falco’s expected behavior, it triggers an alert so that you can take appropriate action. Falco rules and alerts are the key components of Falco’s runtime security architecture. Rules define the conditions under which an alert will be generated, while alerts are the output generated when a rule violation is detected.

Let’s break this down a bit further:

What are Falco Rules?

Falco rules provide a set of expected behaviors that should be followed. They are written in YAML and define which events should be monitored as well as which actions should be taken when an alert is triggered. Events can range from programs accessing certain files to users executing commands with elevated privileges.

For example, a rule might be triggered if a container attempts to access a file outside of its authorized path, and the action might be to generate an alert and terminate the container.

What are Falco Alerts?

If a monitored event does not match up with what is expected from the defined rules, then an alert is triggered. Alerts can be sent via email or Slack notifications, or they can be sent to another third-party service (such as PagerDuty or Datadog) for further analysis or investigation.

Falco’s alerting mechanism is highly flexible and can be customized to meet specific requirements. For example, alerts can be customized to include additional context such as the name of the Kubernetes namespace or the specific rule that was triggered. Additionally, administrators can configure alerts to be sent to specific channels based on the severity of the rule violation.

By using customizable rules and alerts, Kubernetes administrators can monitor their clusters in real-time, detect potential security threats, and respond quickly to incidents. With these powerful tools at your disposal, you’ll be able to quickly respond to any potential threats and keep your applications secure!

What are the components of Falco?

Falco is built on a modular architecture with various components – the userspace program, configuration, and Falco driver – that work together to provide a comprehensive runtime security solution for Kubernetes and other containerized systems. Here are the key components of Falco:

  1. Userspace program – This is the Falco CLI tool, which allows you to interact with Falco. The userspace program handles signals, parses data from a Falco driver, and sends notifications.
  2. Configuration – The configuration defines how Falco is run, what rules to assert, and how alerts are handled. This includes specifying which rules should be used to monitor system calls and defining how alerts should be sent.
  3. Falco driver – The Falco driver is a kernel module that monitors system calls and sends events to the userspace program. The driver intercepts system calls and forwards them to the userspace program, which then compares them to predefined rules.

What are Falco plugins?

Falco plugins are optional extensions that can be used to extend the Falco runtime security system’s functionality. Plugins are modular and user-friendly, and they can be used to add new rules, outputs, or APIs to the system.

These plugins can be used to send notifications and store alerts by integrating with third-party applications and services such as Slack, PagerDuty, or MySQL. Furthermore, Falco plugins enable enhanced monitoring capabilities such as HTTP traffic analysis or Kubernetes log output to connect the full context of an alert.

When administrators use these plugins in conjunction with Falco, they can monitor system-level behavior in any application. By leveraging the extensibility provided by Falco plugins, they can gain greater visibility into system activities – whether they are working with a third-party application or internally developed microservices.

Administrators can also customize Falco using plugins to meet their specific security needs, making it a versatile and powerful tool for securing Kubernetes environments. Some of the most popular options for integrating Falco with external systems include:

  • Slack: Use this plugin to send notifications via Slack when an alert is triggered.
  • PagerDuty: Integrate PagerDuty with Falco using this plugin to access additional features such as scheduling and escalations.
  • MySQL: Load data into a MySQL database using this plugin to continuously store your alert information.
  • HTTP Traffic Analysis: Track HTTP requests with this plugin to analyze requests across different applications.

What is Falcosidekick?

Falcosidekick is a component that works in tandem with Falco to add functionality for processing and handling alerts, making it simpler to configure and operate. Falcosidekick carries out two primary tasks: it converts rules into the proper format and then executes the rules as necessary.

It handles the communication between Falco and the server and offers a safe channel for alert message transmission. You can use Falcosidekick to send alerts to a variety of output channels, like email, Slack, or webhooks. Additionally, it can be used to give context to warnings, like metadata from the Kubernetes API.

In essence, Falcosidekick guarantees that rules are designed properly and that alerts are received promptly, making it a crucial part of running Falco in production. Without it, you wouldn’t be able to fully take advantage of the features that make Falco so powerful, such as monitoring system calls and verifying against rules to uncover malicious activity.

How to install Falco and Falcosidekick in a Kubernetes cluster using Helm

To install Falco and Falcosidekick in a Kubernetes cluster using Helm, you can follow these steps:

1. Add the Helm chart repository for Falco and Falcosidekick:

helm repo add falcosecurity https://falcosecurity.github.io/charts

2. Update your local Helm chart repository cache:

helm repo update

3. Create a values.yaml file that defines the configuration values for your Falco and Falcosidekick installation. For example:

    repository: falcosecurity/falco
    tag: 0.31.0
  jsonOutput: true
    enabled: true
    enabled: true
    enabled: true
    url: http://falcosidekick:2801/

    repository: falcosecurity/falcosidekick
    tag: 1.4.4
      - type: alertmanager
          url: http://alertmanager:9093Code language: JavaScript (javascript)

This values.yaml file configures Falco to use version 0.31.0, enables JSON output, rules, and the security module, and sends alerts to a webhook URL that points to Falcosidekick. It also configures Falcosidekick to use version 1.4.4 and sends alerts to an alertmanager instance running in the cluster.

4. Install Falco and Falcosidekick using Helm:

helm install falco falcosecurity/falco -f values.yaml

This will create a new Kubernetes namespace called falco and deploy Falco and Falcosidekick in it.

5. Verify that Falco and Falcosidekick are running:

kubectl get pods -n falco

After this, you should see two pods, one for Falco and one for Falcosidekick.

6. Configure your Kubernetes cluster to use Falco by creating a new DaemonSet:

 apiVersion: apps/v1
kind: DaemonSet
  name: falco
  namespace: falco
      app: falco
        app: falco
      - name: falco
        image: falcosecurity/falco:0.31.0
        imagePullPolicy: IfNotPresent
          privileged: true
            - AUDIT_CONTROL
            - AUDIT_READ
        - name: FALCO_JSON_OUTPUT
          value: "true"
        - name: FALCO_LOG_LEVEL
          value: "info"
        - name: host-filesystem
          mountPath: /host
        - name: var-run
          mountPath: /var/run
        - name: var-lib
          mountPath: /var/lib/falco
      - name: host-filesystem
          path: /
      - name: var-run
          path: /var/run
      - name: var-lib
          path: /var/lib/falco

This DaemonSet will run a new instance of Falco on each node in your Kubernetes cluster and configure it to send alerts to Falcosidekick.

With these steps, you should have Falco and Falcosidekick installed in your Kubernetes cluster and also be able to receive alerts.


In conclusion, Falco is an invaluable tool for ensuring runtime security in Kubernetes clusters. It monitors system calls, checks against rules, and sends alerts when it detects suspicious or malicious activities.

Falco rules provide a way for users to define what constitutes suspicious activity, and Falco plugins allow for the customization of alerts.

Falcosidekick offers an easy way to install and manage Falco in a Kubernetes cluster. By following the steps laid out in this article, you can quickly and easily get Falco up and running. Then, you can begin reaping the benefits of improved runtime security.