Day 3- Introduction to Falco


In the simplest definition, Falco is a tool that detects suspicious events in your environment.

The more complete definition is that Falco is a behavioral activity monitor that detects suspicious activity defined by a set of rules, using Sysdig's powerful and flexible filtering expressions. It supports containers and orchestrators and offers flexible notification methods using standard output, Syslog, and programs like Slack. On top of that, it's open-source, so anyone can contribute.

How Falco works

Once installed, it taps into the stream of system call events. To decide which events count as anomalies, Falco uses rules. Falco ships with several rules by default, defined in the file /etc/falco/falco_rules.yaml. Once it detects a matching event, it sends out the appropriate message.

Falco Ruleset

Falco provides a powerful ruleset that triggers alerts when a certain condition is met. Some of the examples are:

  • Someone trying to get a shell inside a container (as shown in the example below)
  • Someone trying to open a sensitive file like /etc/shadow

Falco already provides this powerful ruleset, but new rules and macros are also easy to create.

Installing Falco in Ubuntu

  • Configure the repository and update the packages
  • Install the kernel headers package
  • Install Falco
  • Start the Falco service and enable it on boot
  • Verify on which node the pod is running
  • Log in to that node and run the command. This will allow us to inspect the events generated by the Falco service (make sure Falco is installed on all worker nodes by following the method above).
  • Now try to log in to the pod you have created
  • In the journalctl output, you will immediately see the alert that a shell was spawned inside the container.
  • As per the above output, Falco knows that someone has spawned a shell inside the container. Now the question is, how does Falco know about it? Through the rules file discussed above (How Falco works). The rule for "A shell spawned inside the container" looks like below.
  • As you can see, the entire file is divided into 5 main sections

Opening Sensitive Files

  • Let's look at some more use cases of Falco by performing a few more activities inside the Nginx pod. Let's open the /etc/shadow file
  • Verify the Falco logs. As you can see, Falco saw this as suspicious activity and immediately notified us.

Updating Packages

  • Let's explore one more use case. As this is a Debian-based host, let's upgrade the package using the command below.
  • Verify the logs to see that, again, Falco treats this as suspicious activity.
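As an added example, not taken from the post or from Falco's shipped falco_rules.yaml, here is a small self-contained rules file covering the three activities walked through above (a shell spawned in a container, /etc/shadow opened, a package manager run) and written with the five sections the post names: rule, desc, condition, output, priority. The list and macro names ending in _ex are this example's own; the field names (evt.type, proc.name, fd.name, container.id and so on) are Falco's standard ones.

```yaml
# Added example: a self-contained Falco rules file. The *_ex list and
# macro names are this example's own; the field names are Falco's.
- list: shell_binaries_ex
  items: [bash, sh, zsh, dash, ash]

- list: package_mgmt_binaries_ex
  items: [apt, apt-get, dpkg, yum, dnf, rpm, apk]

# Process creation: an execve/execveat syscall has returned.
- macro: spawned_process_ex
  condition: evt.type in (execve, execveat) and evt.dir = <

# The event came from inside a container, not from the host itself.
- macro: in_container_ex
  condition: container.id != host

- rule: Terminal shell in container (example)
  desc: A shell with an attached terminal was spawned inside a container.
  condition: >
    spawned_process_ex and in_container_ex
    and proc.name in (shell_binaries_ex) and proc.tty != 0
  output: >
    Shell spawned in a container (user=%user.name container=%container.name
    image=%container.image.repository shell=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline)
  priority: NOTICE

- rule: Sensitive file opened for reading (example)
  desc: A process opened /etc/shadow or a similar credential file for reading.
  condition: >
    evt.type in (open, openat, openat2) and evt.dir = <
    and evt.is_open_read = true
    and fd.name in (/etc/shadow, /etc/sudoers, /etc/pam.conf)
  output: >
    Sensitive file opened (user=%user.name file=%fd.name
    command=%proc.cmdline container=%container.name)
  priority: WARNING

- rule: Package management process in container (example)
  desc: A package manager was launched inside a running container.
  condition: >
    spawned_process_ex and in_container_ex
    and proc.name in (package_mgmt_binaries_ex)
  output: >
    Package manager run in a container (user=%user.name command=%proc.cmdline
    container=%container.name image=%container.image.repository)
  priority: ERROR
```

Check the file with falco -V <file> before loading it, then add its path under rules_file in /etc/falco/falco.yaml so it is read alongside the default rules.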


As you can see, using Falco you can gain complete visibility into your container and application behavior. It's easy to install and open-source.

AWS Community Builder, Ex-Redhat, Author, Blogger, YouTuber, RHCA, RHCDS, RHCE, Docker Certified, 4XAWS, CCNA, MCP, Certified Jenkins, Terraform Certified, 1XGCP