CNCF Adopts Sysdig’s Falco Container Runtime Monitor
Delving into security, the Cloud Native Computing Foundation has accepted Sysdig’s Falco container runtime monitor as an early-stage sandbox project.
CNCF and Sysdig are hoping that this software will spark more conversation about how security should be addressed in the emerging world of cloud native technologies, said Michael Ducy, Sysdig director of community and evangelism.
“People just aren’t being diligent in locking things down,” Ducy said. “There are a lot of exposed Kubernetes dashboards, or exposed Kubelet APIs because people are opening every port to the internet.”
Sysdig built what became Falco in 2013 as the core of its open source behavioral monitoring software and separated it out as a standalone project, “Falco,” in 2016. So far, the software has been deployed by over a million users.
The software is designed to detect anomalous activity in containers by attaching a sensor module to the Linux kernel that captures every system call, its arguments, and properties of the calling process.
Because a container is tightly scoped as to what should run in it, which files it should manipulate and which ports it should bind to, developers can write a set of generic rules that covers large sets of containers, Ducy said.
Using a filtering language and a rules engine, users can create whitelists of accepted behaviors for a container. A particular container running Node.js, for instance, should only open port 80 or port 443, should have only a single process running and should only read and write to a particular directory. Falco can also watch for potentially unusual conditions, such as a shell being run inside a container or a binary making an outbound connection.
The software sends out notices of unusual behavior, which can be captured by a pub/sub messaging system such as CNCF’s NATS or a stream processing engine such as Kafka. Administrators then can subscribe to those messaging queues for the containers under their purview.
There is work underway to extend this monitoring to CNCF’s Kubernetes container orchestration engine. Currently, users can create rules based on Kubernetes metadata, which can be applied against particular namespaces, deployments, or individual pods. With this information in hand, administrators or scripts can kill offending containers or isolate troublesome Kubernetes nodes.
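The Node.js whitelist described above, plus a rule scoped by Kubernetes namespace metadata, written out as a Falco rules file. This is an added example, not code from Sysdig or from the article; the image names, the /app/data path and the payments namespace are constructed, and the lists and macros ending in _example are my own (Falco's default ruleset ships similar ones under other names).

```yaml
# Added example (not Sysdig's or the article's): a minimal Falco rules file for the
# Node.js whitelist described above. Names ending in _example are my own lists/macros;
# the fields used (container.image.repository, proc.name, fd.sport, k8s.ns.name) are Falco's.

- list: node_example_images
  items: [node, myorg/node-api]          # constructed sample image names

- list: shell_example_binaries
  items: [bash, sh, dash, zsh, ash]

- macro: node_example_container
  condition: container.id != host and container.image.repository in (node_example_images)

- macro: spawned_process_example
  condition: evt.type = execve and evt.dir = <

# Whitelist 1: the service may only listen on 80 or 443.
- rule: Node.js container listening on unexpected port
  desc: Whitelisted Node.js container began listening on a port other than 80/443
  condition: evt.type = listen and evt.dir = < and node_example_container and not fd.sport in (80, 443)
  output: Unexpected listen port (port=%fd.sport proc=%proc.name container=%container.name image=%container.image.repository)
  priority: WARNING

# Whitelist 2: only the node binary (and npm as its launcher) may run in the container.
- rule: Unexpected process in Node.js container
  desc: A process other than node/npm was spawned inside a whitelisted Node.js container
  condition: spawned_process_example and node_example_container and not proc.name in (node, npm)
  output: Unexpected process (proc=%proc.name cmdline=%proc.cmdline parent=%proc.pname container=%container.name)
  priority: WARNING

# Whitelist 3: writes may only land under /app/data (constructed path).
- rule: Write outside data directory in Node.js container
  desc: File opened for writing outside /app/data in a whitelisted Node.js container
  condition: >
    evt.type in (open, openat) and evt.dir = < and evt.is_open_write = true
    and node_example_container and not fd.name startswith /app/data
  output: Write outside /app/data (file=%fd.name proc=%proc.name container=%container.name)
  priority: WARNING

# Kubernetes metadata: scope the shell-in-container alert to one namespace.
- rule: Shell spawned in payments namespace
  desc: An interactive shell started in a container of the payments namespace
  condition: >
    spawned_process_example and container.id != host and k8s.ns.name = payments
    and proc.name in (shell_example_binaries) and proc.tty != 0
  output: Shell in payments pod (user=%user.name shell=%proc.name pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: NOTICE
```

Loaded with `falco -r <this file>` alongside the default ruleset, each match is emitted through Falco's outputs, which is where the pub/sub or stream-processing hand-off described below picks it up.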
The project’s leaders also plan to work on Prometheus integration using the OpenMetrics format, two more CNCF technologies.
Falco is not the only open source software providing container runtime monitoring. The U.S. Department of Defense’s SELinux project provides operating system-level oversight, though it can be quite cumbersome to set up. Google’s gVisor provides an additional layer of isolation by separating the Linux kernel from the container, exposing only a subset of Linux system calls.
With the CNCF adoption, Sysdig is moving Falco from a GPLv2 license to an Apache License v2, to make it more open for the cloud native community.
The Cloud Native Computing Foundation is a sponsor of The New Stack.
Feature image via Pixabay.