**Falco** is a cloud-native runtime security tool that observes system calls and [[Kubernetes]] audit events and matches them against rules to detect anomalous, potentially malicious behaviour in containers and VMs. It plays the role of the intrusion detection system for the container runtime layer of the hyperscaler. It detects and alerts; it does not block.
---
### First Principle: Container images can be scanned before deployment. But what happens after deployment — inside a running container — is where attacks actually live.
[[Trivy]] scans images for known CVEs. [[Open Policy Agent (OPA)]] enforces admission policies. But once a container is running, a successful exploit might spawn a shell, read credentials, or exfiltrate data. Falco detects these behaviours in real time by monitoring kernel syscalls.
---
### Key Considerations
- **Syscall Monitoring**: Falco uses a kernel driver (a kernel module or an eBPF probe) to observe every syscall made by every process, on the host and inside every container. Each event is evaluated against a rule set, flagging things like a shell spawning in a container, privilege escalation, or a read of `/etc/shadow`. Because it observes rather than intercepts, a detection fires after the syscall has already happened; any response (killing the pod, isolating the node) has to be driven by whatever consumes the alert.
- **Pre-Built Rules**: Falco ships with a default ruleset covering the most common attack patterns: shell spawned in container, privilege escalation, known crypto-miner process names, unexpected outbound connections. The defaults are written for a generic workload and will be noisy on a real cluster; expect to add `exceptions` for legitimate behaviour before paging anyone on them.
- **[[Kubernetes]] Audit Integration**: Through the k8saudit plugin, Falco consumes the [[Kubernetes]] API server audit log (delivered to it via an audit webhook) and detects suspicious API activity such as `exec` into pods, secret reads, namespace creation, or RBAC changes. This requires an audit policy on the API server that actually records those verbs and resources; Falco can only alert on what the API server logs.
- **Alerting**: Falco writes alerts to stdout, syslog, a file, an HTTP endpoint, or its gRPC API, in plain text or JSON. Falcosidekick fans these out to Slack, PagerDuty, [[Loki]], and many other destinations.
- **Complementary to [[Trivy]]**: Trivy is pre-deployment (known CVEs in the image). Falco is runtime (what the running process is actually doing, including exploitation of bugs no scanner knew about).
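The two detections described above, a syscall rule and a Kubernetes audit rule, expressed in Falco's YAML rule language. This is an added illustration, not a rule from the page or from the Falco project's own `falco_rules.yaml`. The `list`/`macro`/`rule` structure, the `evt.*`, `proc.*`, `container.*`, `ka.*` and `jevt.value[...]` fields, the `exceptions` block and `source: k8s_audit` are real Falco constructs; the rule names, the `db-migrator` image and the `trusted_exec_users` entries are assumptions made up for the example. The second rule only loads when the k8saudit plugin is enabled in `falco.yaml`.

```yaml
# Added example: one custom rule per event source.
# Load with: falco -r custom_rules.yaml
# The k8s_audit rule additionally needs the k8saudit plugin configured.

# ---- Rule 1: syscall source (kernel module / eBPF driver) -------------------
- list: shell_binaries
  items: [bash, sh, zsh, dash, ash]

# Rules are event-driven: the exit side (evt.dir=<) of execve/execveat carries
# the new process' name, parent name and full command line.
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

# Host processes carry container.id = "host"; anything else is a container.
- macro: container
  condition: container.id != host

- rule: Interactive Shell in Container (custom)
  desc: A shell binary was exec'd inside a container
  condition: >
    spawned_process and container
    and proc.name in (shell_binaries)
  # Exceptions are combined with the condition as "and not (...)", so tuning
  # for known-good behaviour does not mean rewriting the condition.
  exceptions:
    - name: known_migration_job   # assumption: an init job whose entrypoint is a shell wrapper
      fields: [container.image.repository, proc.cmdline]
      comps: [=, startswith]
      values:
        - [ghcr.io/example/db-migrator, "sh -c /app/migrate"]
  output: >
    Shell spawned in container
    (user=%user.name container=%container.name image=%container.image.repository
    parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell, mitre_execution]

# ---- Rule 2: Kubernetes audit source (k8saudit plugin) ----------------------
- list: trusted_exec_users          # assumption: break-glass identities allowed to exec
  items: ["system:serviceaccount:ops:breakglass"]

- rule: Pod Exec by Untrusted User (custom)
  desc: kubectl exec/attach into a pod by a user not on the break-glass list
  # exec/attach are long-lived requests; filtering on the ResponseStarted stage
  # yields one alert per session instead of one per audit stage the policy logs.
  condition: >
    jevt.value[/stage]=ResponseStarted
    and ka.verb=create
    and ka.target.resource=pods and ka.target.subresource in (exec, attach)
    and not ka.user.name in (trusted_exec_users)
  output: >
    Exec/attach into pod (user=%ka.user.name pod=%ka.target.name
    ns=%ka.target.namespace action=%ka.target.subresource
    command=%ka.uri.param[command])
  priority: NOTICE
  source: k8s_audit
  tags: [k8s, mitre_execution]
```

Validate the file with `falco -V custom_rules.yaml` before deploying it; a typo in a field name is a load error, not a silent non-match. Exercise the first rule with `kubectl exec -it <pod> -- sh` on a test pod: the syscall rule fires from the exec'd shell, and, if the audit webhook is wired up, the second rule fires from the API server's audit event for the same action.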
---
### How It Fits
```
Running containers / VMs in [[Kubernetes]]
→ Falco (eBPF syscall monitoring, runtime detection)
→ Falcosidekick (alert routing)
→ [[Loki]] (alert logs) + PagerDuty (on-call)
→ [[Trivy]] (complements with pre-deploy image scanning)
```
[[Trivy]] | [[Open Policy Agent (OPA)]] | [[Kubernetes]] | [[Loki]] | [[Open Source Hyperscaler MoC]]