Serdar Yegulalp
Senior Writer

Open source tool watches Linux systems, containers for suspicious activity

news analysis
May 19, 2016 | 2 mins

New from Sysdig, Falco alerts you to unwanted behaviors, not just in Docker apps, but throughout the system

Sysdig, which makes monitoring solutions for containers, has released an open source project that watches containers — and the rest of a Linux system as well — for unwanted activity.

Sysdig’s Falco project inspects the stream of Linux system calls as they happen and compares each one against a list of rules to determine whether unwanted activity is taking place. If, for instance, a shell is spawned inside a container, and your containers shouldn’t be doing that, you’ll be alerted to it.

Rules for Falco are written in a custom language based on the one Sysdig uses for its filtering engine, and the default rule set covers events container users typically don’t want to see. Aside from shells spawned in containers, other default flagged actions include a process changing its namespace from inside a container.

Most of the included rules, however, don’t mention containers at all; examples are the rules that flag attempts to modify user or password files (with a few common exceptions such as sudo and su). Falco is intended as a general system-protection tool that intercepts the system calls used by container runtimes and conventional applications alike. That also makes Falco container-agnostic, although its default rule set includes rules written specifically for Docker.
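To make the rule format concrete, here is an added example of a small Falco-style rules file covering the three behaviors mentioned above (a shell in a container, a namespace change, and a write to password files). It is illustration written for this page, not Falco’s shipped default rule set. The macro names and the field names (evt.*, proc.*, fd.*, container.*, user.*) are assumptions based on sysdig’s filter syntax, which the Falco rule language builds on; verify them against the Falco and sysdig documentation for the version you run.

```yaml
# Added example of a Falco-style rules file. Not the project's own default
# rules; field and macro names are assumptions drawn from sysdig filter syntax.

# Macros are reusable condition fragments referenced by name in rules.
- macro: container
  condition: container.id != host   # assumption: sysdig reports "host" for non-container processes

- macro: spawned_process
  condition: evt.type = execve and evt.dir = <   # exit side of execve, i.e. the new program is loaded

- macro: open_write
  condition: evt.type = open and evt.is_open_write = true and fd.typechar = 'f'

# Rule 1: a shell started inside a container.
- rule: Shell in container
  desc: Notice shell activity within a container
  condition: spawned_process and container and proc.name in (bash, sh, dash, zsh)
  output: "Shell spawned in a container (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
  priority: WARNING

# Rule 2: a process in a container moving into another namespace via setns,
# which a normal workload has no reason to do.
- rule: Change thread namespace
  desc: An attempt to change a thread's namespace with setns from inside a container
  condition: evt.type = setns and container
  output: "Namespace change (setns) by container process (user=%user.name command=%proc.cmdline container_id=%container.id)"
  priority: WARNING

# Rule 3: a container-agnostic rule, like most of the defaults. Writing to the
# account database is flagged on any host; sudo, su and the usual account
# tools are allowed through.
- rule: Write to password files
  desc: Attempt to modify user or password files
  condition: open_write and fd.name in (/etc/passwd, /etc/shadow) and not proc.name in (sudo, su, passwd, chpasswd, useradd, usermod)
  output: "Password file opened for writing (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id)"
  priority: ERROR
```

Note that the exception list in the third rule is exactly where a practitioner should be careful: any process that can pick one of those names (or exec one of those binaries with a malicious argument) slips past the rule, so treat such allow-lists as noise reduction rather than a security boundary. Based on the original release’s command-line options as I recall them (check `falco --help` for your version), a file like this is loaded with `falco -r rules.yaml`, and, as the article describes, rules can be developed against recorded activity by reading a sysdig capture with `-e capture.scap` instead of live events.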

According to the blog post announcing the project, Sysdig sees Falco as a move away from signature-based monitoring, where each individual kind of attack has to be identified separately, and toward behavioral monitoring, where specific unwanted activities are flagged regardless of which tool produced them. Other features in Falco mirror this thinking. For instance, if you have a Sysdig capture file, you can replay it as an event source, and thus write and test rules against behaviors you’ve recorded previously.

However, Falco doesn’t yet take any action against a problematic application or container. Right now it’s designed specifically as a reporting tool. Also, because it captures system calls through a kernel-level agent, it has to be installed on each individual host where you want monitoring to take place.
