
Technology · Ebook

Falco: Runtime Security for Cloud-Native Systems

by Shriira Press

4.8 (700 ratings) · 170 pages · Published 2026

Falco is the leading open-source runtime security tool for cloud-native systems: it watches what your containers, hosts, and Kubernetes actually do and alerts the instant behavior looks dangerous. This free book teaches it from the ground up: runtime-security fundamentals and where Falco fits, how it taps the kernel via eBPF to see syscalls, its event-pipeline architecture, the rules language (conditions, fields, macros, lists, outputs), the default ruleset and writing custom rules, Kubernetes integration and audit-log monitoring, responding to alerts with Falcosidekick and automated response, tuning to defeat alert fatigue, and securing and operating Falco in production. Ten focused chapters with real rules and clear diagrams that show how to detect threats in running systems and act on them.

Contents

  1. Preface
  2. Chapter 1 — What Falco Is
  3. Chapter 2 — Runtime Security Fundamentals
  4. Chapter 3 — How Falco Sees: Syscalls and Drivers
  5. Chapter 4 — Architecture
  6. Chapter 5 — The Rules Language
  7. Chapter 6 — Default Rules and Custom Rules
  8. Chapter 7 — Kubernetes Integration
  9. Chapter 8 — Responding to Alerts
  10. Chapter 9 — Tuning and Reducing Noise
  11. Chapter 10 — Operating Falco and Putting It Together