Falco doesn’t just watch your system; it actively interprets system events to understand what’s happening, and that interpretation is driven by its ability to tap directly into the kernel.
Let’s see Falco in action. Imagine you have a simple web server running in a container and you want to detect if anyone tries to access its configuration files in /etc.
First, you’d need Falco running on your host machine, often as a DaemonSet in Kubernetes. It needs to be able to see system calls. Here’s a snippet of a typical Falco configuration file (falco.yaml), showing how it’s set up to read rules and output alerts:
```yaml
# falco.yaml
rules_files:
  - /etc/falco/falco_rules.yaml
  - /etc/falco/k8s_rules.yaml

# Output configuration: one alert per line, appended to a log file.
# Falco fixes the line layout (timestamp, priority, then the rule's output string);
# switch on json_output instead if a SIEM or pipeline will consume the alerts.
time_format_iso_8601: true
file_output:
  enabled: true
  keep_alive: false
  filename: /var/log/falco.log
```
Now, let’s define a rule that flags any process reading files under /etc that is not one of a known, safe set of processes. We’ll put this in a file like /etc/falco/k8s_rules.yaml:
```yaml
# /etc/falco/k8s_rules.yaml
# Daemons that legitimately read /etc on this host. Keep this to services, not general-purpose tools.
- list: etc_reader_allowlist
  items: [systemd, kubelet, containerd, containerd-shim, docker, tailscale, node_exporter, coredns, local-path-provisioner, nginx, certbot]

- rule: Suspicious File Access in /etc
  desc: A suspicious process is accessing files in /etc. This could indicate an attempt to compromise system configuration.
  # Match the exit event (evt.dir = <) so fd.name carries the resolved path of the opened file.
  condition: evt.type in (open, openat, openat2) and evt.dir = < and fd.name startswith "/etc/" and not proc.name in (etc_reader_allowlist)
  output: Suspicious file access detected in /etc (user=%user.name cmdline=%proc.cmdline file=%fd.name container=%container.name)
  priority: WARNING
  tags: [filesystem, mitre_t1552]
```
Notice the allow-list of process names (the proc.name check). This is where you whitelist known-good processes. It’s tedious, but essential for reducing noise. Keep it to the daemons that genuinely need /etc: allow-listing general-purpose tools such as cat, sh or curl would silence exactly the activity the rule exists to catch.
Now, let’s simulate a malicious action. Suppose an attacker gains access to a shell inside your web server container and tries to read /etc/passwd:
```bash
# Inside the web server container
$ cat /etc/passwd
```
Falco, running on the host, sees the openat system call and evaluates the event against the Suspicious File Access in /etc rule. Because the process name (cat) is not in the allow-list, the rule fires, and an alert like this appears in /var/log/falco.log (or wherever you configured output). The leading timestamp is the event time, the priority follows it, and the parenthesised fields are those named in the rule’s output string:
```text
2023-03-15T13:20:00.000000000+0000: Warning Suspicious file access detected in /etc (user=root cmdline=cat /etc/passwd file=/etc/passwd container=my-web-server-container)
```
Falco’s power comes from its eBPF probe (or kernel module, depending on your setup). The probe attaches to the kernel’s system call entry and exit tracepoints, so when a system call occurs (like openat, execve, connect) it is observed on the way in and on the way out, and a structured event is passed to the Falco userspace daemon.
The Falco daemon takes this raw system event and compares it against its loaded rules. Each rule is a declarative statement using Falco’s own domain-specific language (DSL). The DSL allows you to express complex conditions based on various event fields: evt.type, proc.name, proc.cmdline, fd.name, net.protocol, container.id, user.name, and many, many more.
The DSL combines conditions with the logical operators and, or and not, with parentheses for grouping. The condition field in a rule is evaluated for every system event. If the condition evaluates to true, the rule fires, and the specified output is generated. The priority field helps you categorize alerts (e.g., INFO, WARNING, ERROR, CRITICAL).
The tags field is useful for categorizing rules according to frameworks like MITRE ATT&CK. For example, mitre_t1552 maps the rule to ATT&CK technique T1552, Unsecured Credentials, which covers credential material read from files such as /etc/passwd; tagging by technique lets you route or filter alerts consistently across rules.
Falco’s effectiveness hinges on its rule engine. It’s designed to be fast and efficient, processing millions of system calls per second with minimal overhead. This is achieved by compiling the DSL rules into an internal representation that can be efficiently evaluated against the incoming stream of kernel events.
A critical, often overlooked aspect of Falco is rule tuning. The initial set of rules, especially for Kubernetes, can be very noisy. Building a robust detection strategy requires understanding your environment’s normal behavior. This means adding exceptions for legitimate administrative tasks, scheduled jobs, and application-specific activities that might otherwise trigger alerts; the rule format has a dedicated exceptions key (named tuples of fields, comparison operators and values) so these can live beside the rule instead of being folded into an ever-growing condition. The proc.name allow-list in the example is just the tip of the iceberg; you might also need to exclude specific command-line arguments, file paths, or network connections based on context.
The Falco project also provides a rich set of pre-built rules (falco_rules.yaml, k8s_rules.yaml) that cover common threats, from shell spawning in unexpected places to suspicious network connections and file modifications. These serve as an excellent starting point, but they are not a "set it and forget it" solution.
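As an added example (not Falco code and not from the original page), here is a small Python triage script for the tuning loop just described. It reads alerts in the JSON shape Falco emits with json_output enabled, ranks rules by volume, tests candidate exceptions shaped like the entries a Falco rule’s exceptions key accepts, and renders a candidate as the YAML you would paste under that key. The alert lines, host, container and process names, and the exception names are all constructed for this example.

```python
"""Triage Falco JSON alerts against candidate exceptions (added example; not part of Falco)."""
import json
from collections import Counter

# Constructed sample of Falco's JSON output (json_output: true); not captured from a real host.
SAMPLE_ALERTS = r"""
{"time":"2023-03-15T13:20:00.000000000Z","priority":"Warning","rule":"Suspicious File Access in /etc","source":"syscall","hostname":"node-1","tags":["filesystem","mitre_t1552"],"output":"Suspicious file access detected in /etc (user=root cmdline=cat /etc/passwd file=/etc/passwd container=my-web-server-container)","output_fields":{"user.name":"root","proc.name":"cat","proc.cmdline":"cat /etc/passwd","fd.name":"/etc/passwd","container.name":"my-web-server-container"}}
{"time":"2023-03-15T13:20:01.000000000Z","priority":"Warning","rule":"Suspicious File Access in /etc","source":"syscall","hostname":"node-1","tags":["filesystem","mitre_t1552"],"output":"Suspicious file access detected in /etc (user=www-data cmdline=php-fpm: pool www file=/etc/hosts container=my-web-server-container)","output_fields":{"user.name":"www-data","proc.name":"php-fpm","proc.cmdline":"php-fpm: pool www","fd.name":"/etc/hosts","container.name":"my-web-server-container"}}
{"time":"2023-03-15T13:20:02.000000000Z","priority":"Warning","rule":"Suspicious File Access in /etc","source":"syscall","hostname":"node-1","tags":["filesystem","mitre_t1552"],"output":"Suspicious file access detected in /etc (user=www-data cmdline=php-fpm: pool www file=/etc/resolv.conf container=my-web-server-container)","output_fields":{"user.name":"www-data","proc.name":"php-fpm","proc.cmdline":"php-fpm: pool www","fd.name":"/etc/resolv.conf","container.name":"my-web-server-container"}}
{"time":"2023-03-15T13:20:03.000000000Z","priority":"Warning","rule":"Suspicious File Access in /etc","source":"syscall","hostname":"node-1","tags":["filesystem","mitre_t1552"],"output":"Suspicious file access detected in /etc (user=root cmdline=logrotate /etc/logrotate.conf file=/etc/logrotate.conf container=host)","output_fields":{"user.name":"root","proc.name":"logrotate","proc.cmdline":"logrotate /etc/logrotate.conf","fd.name":"/etc/logrotate.conf","container.name":"host"}}
{"time":"2023-03-15T13:20:04.000000000Z","priority":"Critical","rule":"Reverse Shell","source":"syscall","hostname":"node-1","tags":["network","process","mitre_t1059"],"output":"Reverse shell suspected (user=www-data process=sh parent=php-fpm cmdline=sh -i connection=172.17.0.2:51234->203.0.113.10:4444 container=my-web-server-container)","output_fields":{"user.name":"www-data","proc.name":"sh","proc.pname":"php-fpm","proc.cmdline":"sh -i","fd.name":"172.17.0.2:51234->203.0.113.10:4444","container.name":"my-web-server-container"}}
"""

# Candidate exceptions, shaped like the entries under a Falco rule's `exceptions:` key
# (name, fields, comps, values). Constructed for this example.
EXCEPTIONS = [
    {"name": "php_fpm_resolver_files", "fields": ["proc.name", "fd.name"], "comps": ["=", "in"],
     "values": [["php-fpm", ["/etc/hosts", "/etc/resolv.conf"]]]},
    {"name": "host_logrotate", "fields": ["proc.name", "fd.name"], "comps": ["=", "startswith"],
     "values": [["logrotate", "/etc/logrotate"]]},
]

# The comparison operators this triage understands (a subset of what Falco supports).
_COMPS = {
    "=": lambda actual, want: actual == want,
    "startswith": lambda actual, want: str(actual).startswith(want),
    "in": lambda actual, want: actual in want,
}

def parse_alerts(text):
    """One JSON object per line, exactly as Falco writes them with json_output: true."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def matches_exception(alert, exc):
    """An exception applies when every field of one value tuple matches (AND within a tuple, OR across tuples)."""
    fields = alert.get("output_fields", {})
    for value_tuple in exc["values"]:
        if all(f in fields and _COMPS[c](fields[f], v)
               for f, c, v in zip(exc["fields"], exc["comps"], value_tuple)):
            return True
    return False

def triage(alerts, exceptions):
    """Split alerts into those still worth a look and a tally of what each exception would silence."""
    kept, suppressed = [], Counter()
    for alert in alerts:
        hit = next((e["name"] for e in exceptions if matches_exception(alert, e)), None)
        if hit is None:
            kept.append(alert)
        else:
            suppressed[(alert["rule"], hit)] += 1
    return kept, suppressed

def noisiest_rules(alerts):
    """Rank rules by raw alert volume; the top entries are the tuning candidates."""
    return Counter(a["rule"] for a in alerts).most_common()

def exception_yaml(exc):
    """Render a candidate as the YAML fragment to paste under a rule's `exceptions:` key."""
    lines = [f"  - name: {exc['name']}",
             f"    fields: [{', '.join(exc['fields'])}]",
             f"    comps: [{', '.join(exc['comps'])}]",
             "    values:"]
    for tup in exc["values"]:
        lines.append("      - " + json.dumps(tup))
    return "\n".join(lines)

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("volume by rule:", noisiest_rules(alerts))
    kept, suppressed = triage(alerts, EXCEPTIONS)
    print("would suppress:", dict(suppressed))
    for a in kept:
        print("still open:", a["priority"], a["rule"], a["output_fields"]["proc.cmdline"])
    print(exception_yaml(EXCEPTIONS[0]))
```

Run it against a real /var/log/falco.log written with json_output enabled (one object per line) and the suppressed tally tells you, before you touch the rules file, how many alerts each candidate exception removes and whether it would also swallow the one alert you actually care about.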
Beyond simple file access, Falco can detect much more sophisticated threats. A reverse shell, whatever port it uses, has to wire a network socket to a shell’s standard input and output, and on Linux that is done with the dup family of system calls. Watching for a socket being duplicated onto file descriptor 0, 1 or 2 inside a container therefore catches the technique without enumerating ports; the upstream Falco rule "Redirect STDOUT/STDIN to Network Connection in Container" takes this approach. A rule to detect a reverse shell along those lines might look like this:
```yaml
- rule: Reverse Shell
  desc: A process in a container duplicated a network socket onto stdin, stdout or stderr. This is the classic wiring of a reverse shell and often indicates a compromised container.
  # Match the exit event so fd.type and fd.name describe the socket that fd 0/1/2 now points at.
  condition: >
    evt.type in (dup, dup2, dup3) and evt.dir = <
    and container.id != host
    and fd.num in (0, 1, 2)
    and fd.type in (ipv4, ipv6)
  output: Reverse shell suspected (user=%user.name process=%proc.name parent=%proc.pname cmdline=%proc.cmdline connection=%fd.name container=%container.name)
  priority: CRITICAL
  tags: [network, process, mitre_t1059]
```
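To make the evaluation model concrete, here is an added Python example (not Falco’s engine, which is written in C++ and compiles rules into its own filter representation) that parses a Falco-style condition with and, or, not, parentheses, =, !=, contains, startswith and in (...), splices list names in textually the way Falco does, and runs the result against constructed events for both rules on this page: the /etc read rule and the dup-based reverse-shell rule. The shortened allow-list, the event field values and the container id are constructed; treating a comparison on a field the event does not carry as false is this example’s assumption about Falco’s semantics.

```python
"""Mini evaluator for Falco-style rule conditions (added example; not Falco's real engine)."""
import re

# Tokens: quoted strings, parentheses, commas, != and =, and bare words (fields, keywords, values such as openat or <).
_TOKEN = re.compile(r'"[^"]*"|\(|\)|,|!=|=|[^\s(),]+')

def expand_lists(cond, lists):
    """Falco splices `list:` items textually into `in (...)`; do the same before parsing."""
    for name, items in lists.items():
        cond = re.sub(rf"\b{re.escape(name)}\b", lambda _m: ", ".join(items), cond)
    return cond

def _literal(tok):
    """Unquote string literals; bare digits become ints so fd.num in (0, 1, 2) compares numerically."""
    if tok.startswith('"'):
        return tok[1:-1]
    return int(tok) if tok.lstrip("-").isdigit() else tok

class ConditionParser:
    """Recursive descent: expr := term (or term)*; term := factor (and factor)*;
    factor := not factor | ( expr ) | field op value | field in (values). Nodes compile to predicates."""
    def __init__(self, cond):
        self.toks, self.pos = _TOKEN.findall(cond), 0
    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def _take(self):
        if self.pos >= len(self.toks):
            raise SyntaxError("unexpected end of condition")
        self.pos += 1
        return self.toks[self.pos - 1]
    def _expect(self, want):
        if self._take() != want:
            raise SyntaxError(f"expected {want!r} near token {self.pos}")
    def parse(self):
        pred = self._expr()
        if self._peek() is not None:
            raise SyntaxError(f"trailing token {self._peek()!r}")
        return pred
    def _expr(self):
        left = self._term()
        while self._peek() == "or":
            self._take()
            left = (lambda l, r: lambda e: l(e) or r(e))(left, self._term())
        return left
    def _term(self):
        left = self._factor()
        while self._peek() == "and":
            self._take()
            left = (lambda l, r: lambda e: l(e) and r(e))(left, self._factor())
        return left
    def _factor(self):
        tok = self._take()
        if tok == "not":
            inner = self._factor()
            return lambda e: not inner(e)
        if tok == "(":
            inner = self._expr()
            self._expect(")")
            return inner
        return self._comparison(tok)
    def _comparison(self, field):
        op = self._take()
        if op == "in":
            self._expect("(")
            values, sep = set(), ","
            while sep == ",":
                values.add(_literal(self._take()))
                sep = self._take()
            if sep != ")":
                raise SyntaxError("expected ')' to close value list")
            # Assumed Falco semantics: a field the event does not carry never matches.
            return lambda e: field in e and e[field] in values
        ops = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
               "contains": lambda a, b: str(b) in str(a),
               "startswith": lambda a, b: str(a).startswith(str(b))}
        if op not in ops:
            raise SyntaxError(f"unsupported operator {op!r}")
        value, fn = _literal(self._take()), ops[op]
        return lambda e: field in e and fn(e[field], value)

def rule_fires(cond, event, lists=None):
    """Expand lists, compile the condition and evaluate it against one event dict."""
    return ConditionParser(expand_lists(cond, lists or {})).parse()(event)

# Constructed rule material: a shortened allow-list and the two conditions discussed on this page.
LISTS = {"etc_reader_allowlist": ["systemd", "kubelet", "nginx", "certbot"]}
ETC_CONDITION = 'evt.type in (open, openat, openat2) and evt.dir = < and fd.name startswith "/etc/" and not proc.name in (etc_reader_allowlist)'
REVERSE_SHELL_CONDITION = 'evt.type in (dup, dup2, dup3) and evt.dir = < and container.id != host and fd.num in (0, 1, 2) and fd.type in (ipv4, ipv6)'

# Constructed events carrying the fields Falco exposes on the matching exit events (container id is made up).
SHELL_READ = {"evt.type": "openat", "evt.dir": "<", "fd.name": "/etc/passwd", "proc.name": "cat"}
NGINX_READ = {"evt.type": "openat", "evt.dir": "<", "fd.name": "/etc/nginx/nginx.conf", "proc.name": "nginx"}
OPENAT_ENTER = {"evt.type": "openat", "evt.dir": ">", "proc.name": "cat"}  # path not resolved yet
DUP_TO_SOCKET = {"evt.type": "dup2", "evt.dir": "<", "container.id": "3f2a9c1e0b7d", "fd.num": 0, "fd.type": "ipv4"}
DUP_TO_FILE = {"evt.type": "dup2", "evt.dir": "<", "container.id": "3f2a9c1e0b7d", "fd.num": 1, "fd.type": "file"}

if __name__ == "__main__":
    for label, cond, ev in [("cat reads /etc/passwd", ETC_CONDITION, SHELL_READ), ("nginx reads its config", ETC_CONDITION, NGINX_READ), ("dup2 socket onto stdin", REVERSE_SHELL_CONDITION, DUP_TO_SOCKET)]:
        print(f"{label:24s} -> {'FIRES' if rule_fires(cond, ev, LISTS) else 'quiet'}")
```

The enter-direction event is the instructive case: the same openat from cat does not fire on the way in because fd.name is not yet known, which is why the rule pins evt.dir to the exit event rather than letting every syscall be evaluated twice.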