Earlier this week the guys over at sysdig announced the availability of Falco, a behavioral security service built on top of their core open source sysdig engine. As is always the case when I try new things, I launched a Digital Ocean Droplet running CentOS 7.2. Once the Droplet was available I ran the command that gets the basics configured on the Droplet:

curl -fsS https://raw.githubusercontent.com/russmckendrick/DOBootstrap/master/do-bootstrap.sh | bash

Once the Droplet was configured I installed Falco from the yum repo provided by sysdig by running the following commands:

rpm --import https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public
curl -s -o /etc/yum.repos.d/draios.repo http://download.draios.com/stable/rpm/draios.repo
yum -y install kernel-devel-$(uname -r)
yum -y install falco

With Falco installed, I started it up with the following command:

service falco start

and checked that everything was running as expected:

(Screenshot of the output of "service falco status": the falco.service unit, described as "LSB: Falco syscall activity monitoring agent", is loaded and active, and the journal entries end with "Falco initialized with configuration file /etc/falco.yaml" and "Parsed rules from file /etc/falco_rules.yaml".)

As you can see, it was really straightforward to install. Next up I wanted to trigger a rule; looking through the default ruleset I noticed the following:

(the condition line of the rule is not legible in the screenshot)
- condition: ...
  desc: activity by any programs that can manage users, passwords, or permissions. Activity in containers is also excluded--some containers create custom users on top of a base linux distribution at startup.
  output: "User management binary command run by non-sudo user (user=%user.name command=%proc.cmdline)"
  priority: WARNING

So I added a user and, as you can see, it triggered the rule (adduser also tripped a second rule, since it reads /etc/shadow):

[root@server ~]# adduser wibble
May 22 08:06:58 digitalocean falco: User management binary command run by non-sudo user (user=root command=adduser wibble)
May 22 08:06:58 digitalocean falco: Sensitive file opened for reading by non-trusted program (user=root command=adduser wibble file=/etc/shadow)
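As an added example (not from the original post or from the Falco project), here is a small parser for the syslog alert lines shown above, so the "(user=... command=...)" fields can be picked apart and grouped per triggering command. The sample lines are constructed here to mirror the two alerts; the one thing worth noticing is that a field value such as command=adduser wibble contains a space, so a naive split on whitespace would mangle it.

```python
import re

# Constructed sample syslog lines modelled on the two Falco alerts shown above,
# plus one unrelated line; these are not captured from a real host.
SAMPLE_LOG = """\
May 22 08:06:58 digitalocean falco: User management binary command run by non-sudo user (user=root command=adduser wibble)
May 22 08:06:58 digitalocean falco: Sensitive file opened for reading by non-trusted program (user=root command=adduser wibble file=/etc/shadow)
May 22 08:07:01 digitalocean sshd[1234]: Accepted publickey for root from 203.0.113.5 port 52011 ssh2
"""

# "<timestamp> <host> falco: <rule output> (<key=value fields>)"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) falco: "
    r"(?P<message>.*?) \((?P<fields>.*)\)$"
)
# A value runs up to the next " key=" token or the end of the field list, so a
# command line containing spaces ("adduser wibble") is kept intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_alert(line):
    """Return a dict for one Falco syslog alert, or None for any other line."""
    match = SYSLOG_RE.match(line.rstrip("\n"))
    if not match:
        return None
    return {
        "timestamp": match.group("ts"),
        "host": match.group("host"),
        "message": match.group("message"),
        "fields": dict(FIELD_RE.findall(match.group("fields"))),
    }


def parse_log(text):
    """Parse every line of a syslog excerpt, dropping non-Falco lines."""
    alerts = (parse_alert(line) for line in text.splitlines())
    return [alert for alert in alerts if alert is not None]


def alerts_by_command(alerts):
    """Group rule outputs by the command that caused them, so one adduser run
    that tripped two rules is reported as one event with two findings."""
    grouped = {}
    for alert in alerts:
        grouped.setdefault(alert["fields"].get("command"), []).append(alert["message"])
    return grouped


if __name__ == "__main__":
    for command, findings in alerts_by_command(parse_log(SAMPLE_LOG)).items():
        print(command, "->", "; ".join(findings))
```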

After this really quick installation and five minutes of messing about with the rules, I can already think of several use cases for Falco and will be keeping a close eye on it.

You can find the GitHub repo for Falco at https://github.com/draios/falco and also the announcement post here.