Introducing Falco
Falco is an open source system from Sysdig that adds anomaly detection functionality for pods in Kubernetes clusters. Out of the box, Falco includes a base set of powerful, community-created rules that can monitor a number of potentially malicious events, including the following:
- When a user attempts to modify a file under
/etc
- When a user spawns a shell on a pod
- When a user stores sensitive information in a secret
- When a pod attempts to make a call to the Kubernetes API server
- Any attempts to modify a system ClusterRole
- Or any other custom rule you create to meet your needs
When Falco is running on a Kubernetes cluster it watches events, and based on a set of rules, it logs events on the Falco pod that can be picked up by a system such as Fluentd, which would then forward the event to an external logging system.
In this chapter, we will explain the configuration of Falco using the technical requirements for our...