falco: monitor application behaviour

If you remember sysdig, it's a highly useful utility for tracing and profiling a Linux system. The sysdig team has introduced a new utility: falco. falco extends sysdig to monitor application behavior on Linux and flag anomalous activity. While falco primarily targets containers, it works directly on Linux too.

falco can detect and alert on any behavior that involves making Linux system calls. Alerts have to be defined, and they can be triggered by the use of specific system calls, by their arguments, and by properties of the calling process. Examples of what falco can detect:

  • A shell is run inside a container
  • A server process spawns a child process of an unexpected type
  • Unexpected read of a sensitive file (like /etc/passwd)
  • A non-device file is written to /dev
  • A standard system binary (like ls) makes an outbound network connection


To install falco on Ubuntu, run:

$ curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | sudo apt-key add -
$ sudo curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/stable/deb/draios.list
$ sudo apt-get update
$ sudo apt-get -y install linux-headers-$(uname -r)
$ sudo apt-get -y install falco


The starting point should be the sample configuration file. For first-hand information on conditions, rules and macros, refer to the readme.
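
As an added illustration (not part of the original post and not falco's shipped rule set), here is how three of the detections listed above could be written as falco rules. The rule, macro and list names and the allowlist contents are assumptions made up for this example.

```yaml
# Added example, not falco's shipped rules. All rule, macro and list names
# and the allowlist contents are constructed for illustration.

- macro: in_container
  condition: container.id != host

- macro: spawned_process
  condition: evt.type = execve and evt.dir = <

- macro: open_read
  condition: >
    evt.type in (open, openat) and evt.is_open_read = true
    and fd.typechar = 'f'

- list: example_shells
  items: [bash, sh, zsh, ksh, dash]

# Assumed allowlist: programs expected to read /etc/passwd on this host.
- list: example_passwd_readers
  items: [sshd, login, su, sudo, cron]

- list: example_coreutils
  items: [ls, cat, cp, mv, rm]

- rule: Example shell in container
  desc: A shell process was started inside a container
  condition: spawned_process and in_container and proc.name in (example_shells)
  output: "Shell in container (user=%user.name container=%container.id cmdline=%proc.cmdline)"
  priority: WARNING

- rule: Example unexpected read of passwd file
  desc: /etc/passwd was opened for reading by a program outside the allowlist
  condition: >
    open_read and fd.name = /etc/passwd
    and not proc.name in (example_passwd_readers)
  output: "Sensitive file read (user=%user.name command=%proc.cmdline file=%fd.name)"
  priority: WARNING

- rule: Example system binary network connection
  desc: A standard system binary made an outbound IPv4 or IPv6 connection
  condition: >
    evt.type = connect and evt.dir = <
    and (fd.typechar = 4 or fd.typechar = 6)
    and proc.name in (example_coreutils)
  output: "Network connection by system binary (command=%proc.cmdline connection=%fd.name)"
  priority: WARNING
```

Many ordinary programs read /etc/passwd to resolve user names, so the allowlist in the second rule has to be tuned per host before the alert is useful.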

To start falco as a daemon, run:

$ sudo service falco start

On GitHub: falco
