Earlier this week the guys over at sysdig announced the availability of Falco, a behavioral security service built on top of their core open source sysdig engine. As is always the case when I try new things, I launched a Digital Ocean Droplet running CentOS 7.2. Once the Droplet was available I ran the command to get the basics configured on it:
Falco by sysdig 1/6
Once the Droplet was configured I installed Falco from the repo provided by sysdig by running the following commands:
Falco by sysdig 2/6
With Falco installed, I started it up with the following command:
Falco by sysdig 3/6
and checked that everything was running as expected:
Falco by sysdig 4/6
As you can see, it was really straightforward to install. Next up I wanted to trigger a rule. Looking through the default ruleset, I noticed the following:
Falco by sysdig 5/6
So I added a user and, as you can see, it triggered the rule:
Falco by sysdig 6/6
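To show what a rule of this kind looks like in Falco's YAML syntax, here is an added example of a custom rule that fires when a user-management binary is executed. It is my own illustration, not the rule from the screenshot above and not part of the sysdig ruleset; the rule name, description and output string are made up, and the `spawned_process` macro is defined inline so the file stands on its own rather than relying on the macro of the same name in the default ruleset.

```yaml
# Example rule file (constructed for illustration, not from the default ruleset).
# Load it alongside the default rules, e.g. with a second -r option to falco.

# Match the completion of an execve, i.e. a new process has just been spawned.
- macro: spawned_process
  condition: evt.type = execve and evt.dir = <

# Fire whenever useradd or adduser is run. On a server where accounts are only
# created through a known provisioning path, any other invocation is worth a look.
- rule: User account management binary spawned
  desc: useradd or adduser was executed; verify the new account was expected
  condition: spawned_process and proc.name in (useradd, adduser)
  output: "User management tool run (user=%user.name command=%proc.cmdline parent=%proc.pname)"
  priority: WARNING
```

Adding a user on the host then produces one line in the Falco output containing the invoking user, the full command line and the parent process, which is the context an analyst needs to decide whether the account creation was legitimate.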
After this really quick installation and five minutes of messing about with the rules I can already think of several use cases for Falco and will be keeping a close eye on it.