Sysdig

The Behavioral Activity Monitor
With Container Support


Sysdig falco is an open source, behavioral activity monitor designed to detect anomalous activity in your applications. Falco lets you continuously monitor and detect container, application, host, and network activity... all in one place, from one source of data, with one set of customizable rules.

Think of falco as an easy to use combination of snort, ossec and strace.

A little taste of what falco can detect...

  • A shell is run in a container
    container.id != host and proc.name = bash

  • Unexpected outbound Elasticsearch connection
    user.name = elasticsearch and outbound and not fd.sport=9300

  • Write to directory holding system binaries
    fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) and write

  • Non-authorized container namespace change
    syscall.type = setns and not proc.name in (docker, sysdig)

  • Non-device files written in /dev (some rootkits do this)
    (evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null

  • Process other than skype/webex tries to access camera
    evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)
See the entire ruleset

Falco was hatched from an important realization: the rich data within system calls can be used to secure your applications, even inside containers. And, as opposed to other approaches, falco could do it in a simpler, unified way that is accessible to everyone.

See everything

Falco gives you instant access to a treasure trove of data buried within your system, with one instrumentation point. Easily build rules around process spawning, file access, logs, network activity - your entire system - and get informed immediately.

Designed for the rest of us

Too often, security tools and intrusion detection systems are powerful but too complex for everyone to use. Falco is designed to make you productive in minutes.

Adapts to your environment

Augment the base rules to meet your security requirements. Flexible outputs mean you can pipe Falco alerts to a broad collection of other tools and systems.

Container-native

Secure your containers from the outside. Falco’s rules are docker and rkt aware, so you can make container-specific rules.

Back-test rules

Create rules and then test them on historical system capture files. Know exactly what you’re going to get, before you go into production!
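The conditions listed above are only the bodies of Falco rules; the rules file that ties them to an output line and a priority, and the back-testing step from this section, look like the following. This is an added example, not the project's own ruleset: the macro bodies for `container` and `write`, the list name `bin_dirs`, the output format strings and the `falco -r`/`-e` flags are my assumptions about the rule-file syntax, not taken from this page.

```yaml
# Added example: a minimal Falco rules file expressing two of the
# conditions listed on this page. Macro bodies and output fields are
# assumptions about the rule syntax, not copied from the Falco project.

# "container.id != host" is how the page tells a process in a container
# from one on the host; a macro keeps the rules that use it short.
- macro: container
  condition: container.id != host

# The page's "write" shorthand, assumed here as: an open()/openat() that
# returned (evt.dir = <) with a write flag, on a regular file ('f').
- macro: write
  condition: >
    (evt.type = open or evt.type = openat) and evt.dir = <
    and evt.is_open_write = true and fd.typechar = 'f'

# Lists let one set of directories be reused across several rules.
- list: bin_dirs
  items: [/bin, /sbin, /usr/bin, /usr/sbin]

# First condition on the page: "A shell is run in a container".
- rule: Shell run in container
  desc: A bash shell was spawned inside a container
  condition: container and proc.name = bash
  output: >
    Shell in container (user=%user.name container=%container.id
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING

# Third condition on the page: "Write to directory holding system binaries".
- rule: Write to system binary directory
  desc: A file under a directory holding system binaries was opened for writing
  condition: fd.directory in (bin_dirs) and write
  output: >
    File below a system binary dir opened for writing
    (user=%user.name command=%proc.cmdline file=%fd.name)
  priority: ERROR

# Back-testing, as described in "Back-test rules": run the same rules over a
# saved sysdig capture instead of live system calls (flags assumed here):
#   falco -r rules.yaml -e capture.scap
# Once the hits on the capture match expectations, load the same file live:
#   falco -r rules.yaml
```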

Stable core

Falco leverages the sysdig kernel probe, which has been in use for years across hundreds of thousands of hosts.
  • “Whatever problem I have @sysdig always saves my ass. ALWAYS.”

  • “Sysdig is amazing. Detailed, system-wide tracing that’s actually stable, low overhead, and easy to use.”

    Grzegorz Nosek
    Chief Tinkering Officer, MegiTeam

  • “This looks promising and I believe can help more to drive trust than other more brittle security methods used today.”

    @derekcollison

  • “Sysdig is developing into a serious swiss army knife, and you should give it a try.”

    Lukas Pustina
    Performance Engineer, codecentric