Falco On Track To Version 1.0.0
Written by Nikos Vaggalis   
Tuesday, 02 April 2024

Falco is a cloud native runtime security tool for the Linux operating system, designed to detect abnormal behavior and warn of potential security threats in real-time. Now it's about to release its first stable version.

Falco was originated by SysDig in 2016. It was donated to the Cloud Native Computing Foundation (CNCF) in 2018 as an incubator project and has now attained graduation status. This means that the project has matured enough to be used in production.

As a complete cloud native surveillance system, Falco enables teams to detect and respond to threats, find and prioritize software vulnerabilities, detect and fix misconfigurations, and maximize performance and availability. It does that by employing custom rules on kernel events to provide real-time alerts and help users gain visibility into abnormal behavior, hence contributing to comprehensive runtime security.

The key here is runtime security. Falco monitors the Kernel by enabling an agent that observes syscalls and events based on custom rules. Falco doesn't stop there tough; it can enhance these events by integrating metadata from the container runtime and Kubernetes. These alerts can easily be forwarded to more than 50+ third parties using the JSON format which allows for storing, analysis, or triggering reactions easily. The collected data can be analyzed off-host in SIEM or data lake systems.

Before adopting it for your own needs, first you have to take care of some considerations:

  • Understand dependencies: Assess the environment where you'll run Falco and consider kernel versions and architectures.

  • Define threat detection objectives: Clearly identify the threats you want to detect and evaluate Falco's strengths and limitations.

  • Consider performance and cost: Assess compute performance overhead and align with system administrators or SREs. Budget accordingly.

  • Choose build and customization approach: Decide between the open source Falco build or creating a custom build pipeline. Customize the build and deployment process as necessary, including incorporating unique tests or approaches, to ensure a resilient deployment with fast deployment cycles.

  • Integrate with output destinations: Integrate Falco with SIEM, data lake systems, or other preferred output destinations to establish a robust foundation for comprehensive data analysis and enable effective incident response workflows.

After getting the stamp of approval from CFNF, Falco is on track to release its 1.0.0 version and is the following objectives:

  • Standardizing on feature adoption and deprecation in the Falco engine

  • Building more robust key features and updating the Yaml structure

  • Adding new constructs to address the most commonly requested features from users

  • Making the modern eBPF probe the default driver

  • Package consolidation, following Linux distribution best practices

  • Complete supply chain security best practice efforts

For the full details check the project's roadmap.


More Information


Related Articles

Sysdig Exposes The Risk and Cost Of Cloud Usage

Happy Birthday To Wolfi Linux Undistro  


To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.


BusyBeaver(5) Is 47,176,870

The thing about the BusyBeaver function is that it is very easy to understand, but very difficult to compute. We now know its value up to 5, which isn't much progress for more than 50 years work.

Learn Cryptography Without The Math

Are you sick of the math associated with cryptography?
You don't have to be any more. Applied Cryptography from the University of Tartu shows cryptography without the math! At last, a hands-o [ ... ]

More News

kotlin book



or email your comment to: comments@i-programmer.info