Falco


OS: macOS / Windows / Linux
Size: 59 MB
Version: 2.1.0
Downloads: 13,061

Falco: Watching the Kernel So You Don’t Have To

There are logs, there are metrics — and then there’s what the kernel actually sees. Falco doesn’t work like traditional monitoring tools. It dives into syscalls, watching containers, processes, and file access in real time. Not by polling. Not by scraping. By sitting right at the system’s throat and quietly taking notes.

Originally developed by Sysdig, Falco is now a CNCF project. And it’s become the de facto standard when it comes to runtime security on Linux — especially inside Kubernetes clusters where things move fast and visibility tends to fall apart.

What Makes It Different

It doesn’t care if your app is written in Go, Python, or shell scripts from 2006. Falco looks at behavior — not code.

– Process spawns, unexpected or in the wrong container? Alert.
– File writes to sensitive directories? Alert.
– Shell opened in a container that shouldn’t have one? Yep, alert again.
– All of this without modifying the kernel or using agents per container.

It’s not some SIEM rule engine bolted onto logs. It’s watching the raw system calls, often before other tools even see something’s gone wrong.

What It Does Well (That Others Don’t)

Behavior | Falco Reaction
---|---
`bash` spawned in `nginx` | Suspicious container shell alert
Binary written to `/usr` | Unexpected system change — flagged immediately
Port scan from pod | Triggered on excessive socket connections
New module loaded | Kernel-level tampering warning
`chmod 777` on secrets | Yep, it notices — and it’s mad

You define what “bad” looks like. Falco has sane defaults, but rules are open and YAML-based. Tweak as needed.
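As an added illustration of what such a rule file looks like (written for this page, not taken from the Falco project's default ruleset), here are rules for two rows of the table above: a shell spawned inside an nginx container, and a file written under `/usr` from inside a container. The list and macro names are this example's own; the field names (`proc.name`, `container.image.repository`, `fd.name`, `evt.is_open_write`) are standard Falco syscall fields, and the package-manager exclusion is an assumed noise filter for image builds.

```yaml
# Constructed example rules file, loaded with e.g.: falco -r /etc/falco/custom_rules.yaml
# List and macro names are this example's own; fields are standard Falco fields.

- list: shell_binaries
  items: [bash, sh, dash, zsh, ash]

- macro: process_exec
  condition: evt.type = execve and evt.dir = <

- macro: in_container
  condition: container.id != host

- rule: Shell Spawned In Nginx Container
  desc: >
    A shell was started inside a container running an nginx image. Nginx has
    no business launching a shell; this usually means someone exec'd into the
    pod or the web process was made to execute a command.
  condition: >
    process_exec and in_container
    and container.image.repository endswith nginx
    and proc.name in (shell_binaries)
  output: >
    Shell in nginx container (user=%user.name shell=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [container, shell, mitre_execution]

- rule: Write Below Usr From Container
  desc: A process inside a container opened a file under /usr for writing.
  condition: >
    in_container
    and evt.type in (open, openat) and evt.dir = <
    and evt.is_open_write = true
    and fd.name startswith /usr
    and not proc.name in (apt, apt-get, dpkg, rpm, yum, dnf)
  output: >
    File written under /usr in a container (file=%fd.name proc=%proc.name
    cmdline=%proc.cmdline container=%container.name image=%container.image.repository)
  priority: ERROR
  tags: [container, filesystem, mitre_persistence]
```

Rules without `append: true` replace any earlier rule or macro of the same name, which is why the macros above use names that do not collide with the defaults.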

How It Fits with the Rest

Falco isn’t Prometheus. It’s not osquery. And it sure isn’t ClamAV. But it plugs into the bigger picture — especially if you already have:

Tool | Role | What Falco Adds
---|---|---
Prometheus | Metrics collection | Falco brings behavioral detection
OpenSnitch | Outbound traffic control | Falco watches system behavior itself
YARA | Static analysis | Falco sees runtime anomalies
Auditd | Raw syscall logs | Falco gives real-time, structured alerts
CrowdSec | Shared IP reputation | Falco catches internal oddities

Installing Falco

Falco supports multiple deployment models, but it shines inside containers. On a regular host:

Install via package (Debian/Ubuntu):
```
curl -s https://s3.amazonaws.com/download.draios.com/stable/install-falco | sudo bash
```

Or use Docker:
```
docker run -i -t --name falco --privileged \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /dev:/host/dev \
  -v /proc:/host/proc:ro \
  -v /boot:/host/boot:ro \
  -v /lib/modules:/host/lib/modules:ro \
  falcosecurity/falco
```

Falco needs access to the host kernel — so in Kubernetes, it’s typically run as a privileged DaemonSet.

Use Cases That Actually Happen

– Detecting containers going rogue after a supply-chain compromise
– Flagging internal port scans that never hit the firewall
– Watching for curl/wget/ftp from “clean” base images
– Noticing when devs mount the Docker socket (again)
– Alerting on shell access to pods during production hours

Why It Matters

Logs can be edited. Metrics can be delayed. But syscalls? They’re hard to fake. Falco gives teams a window into what’s actually happening *right now*, deep in the system’s guts.

And that kind of insight — fast, raw, reliable — is exactly what modern infrastructure needs. Especially when the threat isn’t coming from outside anymore, but from inside the cluster.
