Falco - Snort, OSSEC and strace in one
While I can’t shake off associating the word Falco with the Austrian singer from the 80s, this spin-off from the main sysdig project is worth investigating (and probably worth a column of its own). It’s a behavioural activity monitor designed to “detect anomalous activity in your applications”, according to the website.
Running as a daemon, Falco uses sysdig’s system call capture to watch a host for behaviour matching a set of predefined (open source) rules. This makes it similar to Snort, the popular network intrusion detection system, albeit at the system call level rather than on the network. Note that, like Snort in detection mode, Falco only alerts on a match; it does not block the offending call.
As with the rest of the project, much emphasis is placed on the ability to use it with containers (which is fair enough, given the marketplace at the moment). It can be run inside a container itself, of course. Examples of the types of things it can detect are listed on the project wiki. These include an unexpected shell being started inside a container, reads of sensitive files, and outbound network connections from binaries like ls (a sign that the binary may have been replaced by a trojan). Falco can also read recorded trace files from sysdig, which helps with rule development: being able to replay the same captured activity as many times as needed while tweaking a new rule is very handy.

Falco is also very easy to configure when it comes to handling generated alerts. They can be pushed to syslog, to a file, to stdout or to an external program, which makes it a good citizen in terms of fitting in with whatever enterprise monitoring system you already have.
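To make the three detections above concrete, here is an added example of a small Falco rules file covering them, followed by the output section of falco.yaml that fans the resulting alerts out to syslog, a file, stdout and an external program. It is my own illustration, not a copy of the project’s default ruleset, and it uses Falco’s documented rule format (macros, lists and rules built on sysdig filter fields). The lists of shell binaries, sensitive files and “should never talk to the network” binaries, and the forwarder path under program_output, are assumptions to tune for your own hosts. The two files are shown in one block separated by a YAML document marker; save them separately.

```yaml
# --- container_rules.yaml (load with: falco -r container_rules.yaml) -------
# Constructed example rules; not the Falco project's shipped rules.

- macro: in_container
  condition: container.id != host

- macro: spawned_process
  # execve return event, i.e. the new program has actually started
  condition: evt.type = execve and evt.dir = <

- macro: outbound
  # A completed connect() on an IPv4/IPv6 socket to a non-loopback address
  condition: >
    evt.type = connect and evt.dir = <
    and (fd.typechar = 4 or fd.typechar = 6)
    and fd.net != "127.0.0.0/8"

- list: shell_binaries
  items: [bash, sh, dash, zsh, ksh]          # assumption: adjust per image

- list: sensitive_files
  items: [/etc/shadow, /etc/sudoers, /etc/gshadow]   # assumption: adjust per host

- list: no_network_binaries
  items: [ls, cat, grep, id, uname]          # assumption: these never need the network

- rule: Shell spawned in container
  desc: A shell started inside a container (interactive use or a dropped web shell)
  condition: spawned_process and in_container and proc.name in (shell_binaries)
  output: >
    Shell spawned in container (user=%user.name container=%container.name
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING

- rule: Sensitive file read
  desc: A process opened a sensitive file for reading
  condition: >
    evt.type in (open, openat) and evt.dir = < and evt.is_open_read = true
    and fd.name in (sensitive_files)
    and not proc.name in (sshd, login, su, sudo)   # expected readers; assumption
  output: >
    Sensitive file read (user=%user.name file=%fd.name proc=%proc.name
    parent=%proc.pname container=%container.name)
  priority: WARNING

- rule: Outbound connection from system binary
  desc: A binary that should never talk to the network made a connection (possible trojaned binary)
  condition: outbound and proc.name in (no_network_binaries)
  output: >
    System binary made outbound connection (proc=%proc.name exe=%proc.exepath
    connection=%fd.name user=%user.name container=%container.name)
  priority: CRITICAL

---
# --- falco.yaml (output section only) --------------------------------------
syslog_output:
  enabled: true              # picked up by rsyslog/journald like any other daemon

file_output:
  enabled: true
  filename: /var/log/falco_events.log

stdout_output:
  enabled: true              # handy when Falco itself runs in a container

program_output:
  enabled: true
  # Hypothetical forwarder; Falco writes each alert to the program's stdin.
  program: "/usr/local/bin/forward-to-siem"
```

For rule development, record a session with `sysdig -w trace.scap` while you deliberately trigger the behaviour (for example by starting a shell in a running container), then replay it against the rules as often as you like with `falco -r container_rules.yaml -e trace.scap`, adjusting the conditions until only the intended events fire. Keep the exclusion lists tight: every name added to the `not proc.name in (...)` clause is a process an attacker can impersonate simply by choosing its executable name.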