Introduction to Falco
Presenter Name: Mohd Shahenvaz Khan
Lack of etiquette and manners is a huge turn off.
KnolX Etiquettes
• Punctuality: Join the session 5 minutes prior to the session start time. We start on time and conclude on time!
• Feedback: Make sure to submit constructive feedback for all sessions, as it is very helpful for the presenter.
• Silent Mode: Keep your mobile devices in silent mode; feel free to move out of the session in case you need to attend an urgent call.
• Avoid Disturbance: Avoid unwanted chit-chat during the session.
1. Introduction
   • What does Falco do?
   • Importance of Falco
   • What does Falco check for?
2. Falco Architecture
3. Falco Components
4. Demo
Introduction to Falco
• Falco is a cloud-native security tool designed for Linux systems.
• It employs custom rules on kernel events, which are enriched with container and Kubernetes metadata, to provide real-time alerts.
• Falco helps you gain visibility into abnormal behavior, potential security threats, and compliance violations, contributing to comprehensive runtime security.
[Diagram: an unauthorized user and an authorized user both access a sensitive file; the Falco engine observes each access and generates an alert.]
What does Falco do?
• Falco uses syscalls to monitor a system's activity, by:
01 Parsing the Linux syscalls from the kernel at runtime
02 Asserting the stream against a powerful rules engine
03 Alerting when a rule is violated
Importance of Falco
• Real-time Threat Detection
• Visibility and Monitoring
• Policy Enforcement
• Compliance Monitoring
• DevSecOps Integration
• Incident Response
What does Falco check for?
• Privilege escalation using privileged containers
• Namespace changes using tools like setns
• Reads/writes to well-known directories such as /etc, /usr/bin, /usr/sbin, etc.
• Creating symlinks
• Ownership and mode changes
• Unexpected network connections
• Executing shell binaries such as sh, bash, csh, zsh, etc.
• Executing SSH binaries such as ssh, scp, sftp, etc.
2. Falco Architecture
• Falco operates in both kernel and user space.
• In kernel space, Linux system calls (syscalls) are collected by a driver, for example the Falco kernel module or the Falco eBPF probe. Next, syscalls are placed in a ring buffer from which they are moved into user space for processing.
• The events are filtered using a rules engine with a Falco rule set. Falco ships with a default set of rules, but operators can modify or turn off those rules and add their own. If Falco detects any suspicious events, those are forwarded to various endpoints.
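The forwarding step above is configured in Falco's main configuration file. The following falco.yaml excerpt is an added example, not a file from the deck; the file path and the HTTP URL are placeholders for a deployment's own values.

```yaml
# Added falco.yaml excerpt showing how alerts reach several endpoints at once.
# Values such as the filename and URL are placeholders, not from the deck.

# Emit one JSON object per alert so log collectors and SIEMs can parse it.
json_output: true

# Minimum priority an alert must have before it is sent to any output.
priority: notice

# Endpoint 1: standard output (collected as container logs on Kubernetes).
stdout_output:
  enabled: true

# Endpoint 2: a local JSON file (placeholder path), reopened on each write.
file_output:
  enabled: true
  keep_alive: false
  filename: /var/log/falco_events.json

# Endpoint 3: an HTTP receiver such as Falcosidekick (placeholder URL),
# which fans alerts out to chat, ticketing or a SIEM.
http_output:
  enabled: true
  url: http://falcosidekick.falco.svc:2801/

# Endpoint 4: the local syslog daemon.
syslog_output:
  enabled: true
```

Each enabled output receives every alert at or above the configured priority, so the same event can be logged locally and forwarded to a central system.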
3. Basic Components of Falco
1) Events: Events are activities that are generated when something changes in the system. For example: modifying a file, running a new process, etc.
2) Rules: Rules are a set of conditions that instruct Falco when to generate alerts. A Falco rule file is a YAML file.
3) Output: The output is the message that Falco sends to an endpoint when a rule matches.
4) Endpoint: The endpoint is the place where Falco sends the alerts.
5) Priority: Every Falco rule has a priority which indicates how serious a violation of the rule is.
   For example:
   • EMERGENCY
   • ALERT, etc.
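The rules file below is an added example written for this deck, not a file shipped with Falco or shown by the presenter. It ties the components just listed (events, rules, output, priority) to two of the checks from the "What does Falco check for?" slide: shell binaries executed in a container, and writes below /etc, /usr/bin and /usr/sbin. All list, macro and rule names are chosen here; the package-manager exclusion is an assumption about what is expected to write there.

```yaml
# Added example rules file (e.g. /etc/falco/rules.d/knolx_demo.yaml).
# Not part of the original deck; names below are chosen for this example.

# A list is a reusable set of values referenced from rule conditions.
- list: shell_binaries
  items: [sh, bash, csh, zsh]

# A macro is a reusable condition fragment.
# evt.dir = < selects the exit side of the syscall, when the exec has succeeded.
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir = <

# container.id is the literal string "host" for processes outside a container.
- macro: in_container
  condition: container.id != host

# A file descriptor opened for writing on a regular file.
- macro: open_write
  condition: evt.type in (open, openat, openat2) and evt.is_open_write = true and fd.typechar = 'f'

- macro: below_sensitive_dir
  condition: (fd.name startswith /etc or fd.name startswith /usr/bin or fd.name startswith /usr/sbin)

# Rule 1: "Executing shell binaries" inside a container.
# condition = the event filter; output = the message sent to endpoints;
# priority = how serious a match is.
- rule: Shell Spawned in Container
  desc: A shell binary was executed inside a container
  condition: spawned_process and in_container and proc.name in (shell_binaries)
  output: >
    Shell spawned in container
    (user=%user.name command=%proc.cmdline container=%container.name
    image=%container.image.repository)
  priority: WARNING
  tags: [container, shell]

# Rule 2: "Reads/writes to well-known directories".
# Package managers (assumed list) are excluded to cut expected noise.
- rule: Write Below Sensitive Directory
  desc: A file below /etc, /usr/bin or /usr/sbin was opened for writing
  condition: open_write and below_sensitive_dir and not proc.name in (dpkg, apt, rpm, yum)
  output: >
    File below sensitive directory opened for writing
    (user=%user.name command=%proc.cmdline file=%fd.name)
  priority: ERROR
  tags: [filesystem]
```

Rules are evaluated against every event the driver delivers, so the exclusion list in the second rule is where most tuning for a given host happens.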
DEMO