Security with Falco by Lorenzo David

The talk is presented by Lorenzo David, who works as a Senior Software Engineer at Sysdig in San Francisco, the first startup to provide a unified monitoring and security platform for containerized infrastructure.

Lorenzo’s presentation revolves around Falco, an open source project that started at Sysdig and is now part of the CNCF. Falco is a runtime detection engine that aims to provide visibility into the behavior of containers and applications. In particular, Falco is especially valuable for detecting a class of activities that cannot be clearly categorized as authorized or unauthorized, but that may be suspicious.

Here’s an example of an activity that is worth reporting to the system operator: a spawned shell into a container.

At the top we see a terminal where Falco is running, while at the bottom we see the activity coming from a user working on the same host (either a virtual or a physical machine).

By explaining how Falco is able to detect this infrastructure event, we cover the main design principles of Falco, following the journey of a system call from the moment the user types the command to the Falco alert.

Falco is able to transparently intercept system calls with very small overhead. This instrumentation has traditionally been performed by a Linux kernel module. Recently Sysdig announced the availability of an eBPF solution, relying on the standard just-in-time, in-kernel virtual machine provided by the upstream Linux kernel.

Once a system call is intercepted, its context is immediately copied to the user-space Falco process. Internally, Falco keeps an infrastructure state context that allows it to map, for instance, a given system call to the container it is coming from, together with a set of attributes such as the process and container id.

Given this internal infrastructure state, Falco is able to provide a very powerful rule engine that can match complex events like the one in the example. The matching condition is expressed with a rich rule grammar, relying on the Sysdig filter syntax.

Going beyond system calls, we show the integration between Falco and a container orchestrator like Kubernetes, where we can further enrich Falco’s knowledge of the infrastructure with a rich set of container metadata, as well as with Kubernetes audit events.
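As an added illustration (not code from the talk or from Falco’s own shipped ruleset), here is a self-contained Falco rule file in the syntax described above that detects the interactive-shell-in-container example. The list and macro names follow the structure of Falco’s default rules but are spelled out here so the file stands alone; the Kubernetes fields in the output are only populated when Falco runs with the Kubernetes enrichment enabled.

```yaml
# Constructed example rule file for illustration; not taken from the talk
# or from Falco's default ruleset. Lists and macros are written out in
# full so the file can be loaded on its own with `falco -r <file>`.

# Common interactive shells. Extend as needed for your base images.
- list: shell_binaries
  items: [bash, csh, ksh, sh, tcsh, zsh, dash]

# A process was successfully created: we match the exit side (<) of
# execve, when the new program image is in place and proc.* is populated.
- macro: spawned_process
  condition: evt.type = execve and evt.dir = <

# Falco's infrastructure state tags processes outside any container
# with container.id = "host", so anything else is a container.
- macro: container
  condition: container.id != host

# The executed program is one of the shells listed above.
- macro: shell_procs
  condition: proc.name in (shell_binaries)

# proc.tty != 0 means a controlling terminal is attached, i.e. someone
# is interacting with the shell rather than running a scripted command.
# This fires for both `docker exec -it ...` and a shell used as the
# container entrypoint with a TTY, which matches the talk's demo.
- rule: Terminal shell in container
  desc: >
    A shell was started inside a container with an attached terminal,
    i.e. a user exec'd into the container interactively.
  condition: >
    spawned_process and container and shell_procs and proc.tty != 0
  output: >
    Shell spawned in container with an attached terminal
    (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline
    container_id=%container.id container_name=%container.name
    image=%container.image.repository
    k8s_ns=%k8s.ns.name k8s_pod=%k8s.pod.name)
  priority: NOTICE
  tags: [container, shell]
```

Every `%field` in the output is resolved from the same per-event state the condition was evaluated against, which is how a single alert line can carry process, container and (when available) Kubernetes context together.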

In the final part of the talk, Lorenzo shows how Falco can be used as a building block in conjunction with other open source components like the EFK stack to create dashboards. But clearly it doesn’t stop here: the great power of open source is its ability to allow creativity and to empower new use cases and innovation!

The speaker

Lorenzo David

Senior Software Engineer at Sysdig (at CNCF Italy)