Falco’s ability to track process lineage in containers isn’t about watching processes; it’s about understanding the why behind their creation by analyzing their parent-child relationships, which is crucial for detecting suspicious activity.
Let’s see Falco in action. Imagine a simple web server running in a container. We’ll use kubectl to deploy a basic Nginx pod.
apiVersion: v1
kind: Pod
metadata:
name: nginx-test
spec:
containers:
- name: nginx
image: nginx:latest
ports:
- containerPort: 80
Now, let’s say we want to detect if a process unexpectedly spawns a shell inside this container. Falco, running on the Kubernetes node, can monitor this. We’ll define a rule in Falco’s rules file (falco_rules.yaml):
- rule: Spawn Shell in Container
desc: A shell was spawned from a non-shell parent process within a container.
condition: container and proc.name in (sh, bash, ash, zsh) and proc.parent.name != sh and proc.parent.name != bash and proc.parent.name != ash and proc.parent.name != zsh
output: Shell spawned by unexpected parent (container_id=%container.id, proc_name=%proc.name, proc_ppid=%proc.ppid, proc_parent_name=%proc.parent.name)
priority: WARNING
If, for instance, the Nginx process (which is not a shell) were to somehow execute sh, Falco would trigger this rule. The key here is proc.parent.name != sh (and other shells). Falco captures the system calls related to process creation (fork, execve) and, using its knowledge of the container runtime (like Docker or containerd), can correlate these events with the container context.
When this rule triggers, Falco outputs something like:
10:35:15.123456789: Warning: Shell spawned by unexpected parent (container_id=a1b2c3d4e5f6, proc_name=bash, proc_ppid=123, proc_parent_name=nginx)
This tells us that within container a1b2c3d4e5f6, a process named bash (PID 123’s child) was executed, and its parent was nginx. This is precisely the kind of suspicious behavior we want to flag.
The mental model for tracking process lineage in containers with Falco involves understanding these core components:
- System Call Interception: Falco hooks into the kernel to capture system calls like
fork,clone, andexecve. These are the fundamental building blocks of process creation and execution. - Process Tree Reconstruction: From these system calls, Falco reconstructs the parent-child relationships of processes. It doesn’t just see a process; it sees who started it and who it started.
- Container Context Correlation: Crucially, Falco integrates with the container runtime interface (CRI) or directly with Docker/containerd APIs. This allows it to tag every system call and process event with its associated container ID, name, and other metadata. This is what separates container-aware process monitoring from host-level monitoring.
- Rule Engine and Event Matching: Falco’s rules define patterns of system call activity. For process lineage, these rules often look at
proc.name,proc.ppid(parent process ID),proc.parent.name, and thecontainercontext. When a sequence of events matches a rule’scondition, theoutputis generated.
The proc.parent.name field is a direct reflection of the process that invoked execve on a new executable. Falco resolves this by looking at the PID of the newly executed process and then querying the kernel (or its internal state) for the parent of that PID at the time of execution. When combined with the container field, which is populated by Falco’s container runtime integration, we get granular, container-specific process lineage. This allows us to distinguish between legitimate process chains within a container and those that indicate a potential compromise or misconfiguration.
What most people don’t realize is that Falco doesn’t just passively observe system calls; it actively builds and maintains a snapshot of the process tree within each container it monitors. This internal state allows it to perform complex lineage checks even when a parent process might have exited before the child process is fully analyzed. The proc.parent.name attribute isn’t a one-time lookup but a resolved entity based on the captured fork/execve events and the container context.
The next step is to explore how Falco can detect more complex, multi-step attack chains by correlating multiple process lineage events over time.