Container threat detection using Falco now enabled
The Cloud.gov team is excited to announce the integration of Falco security monitoring into the platform, which will allow customers to monitor security events and anomalous behavior in their running containers through Cloud.gov Logs.
What is Falco?
Falco is an open-source, cloud-native security tool that detects anomalous behavior in running containers in real time. Falco identifies potential security threats and abnormal activities. At its core, Falco is a monitoring and detection agent that observes events (such as Linux kernel events) and delivers real-time alerts based on custom rules. These custom rules are inherited from the Falco upstream and maintained by the Cloud.gov Platform team. Falco helps Cloud.gov proactively defend systems, maintain compliance, and strengthen overall security posture. More details are available here: https://falco.org/.
Falco Integration in Cloud.gov
Falco is installed on all host VMs running your applications. It monitors and evaluates kernel events against an established rule set. Findings based on these rules are displayed in OpenSearch.
Because Falco is integrated at the platform level, you do not need to take any action or change your applications to enable Falco.
What Types of Events Does Falco Monitor?
Falco contains an extensive default rule set that looks for events including but not limited to:
- Privilege escalation using privileged containers
- Namespace changes using tools like setns
- Reads/writes to well-known directories such as /etc, /usr/bin, /usr/sbin, etc.
For more details, see the Falco docs: https://falco.org/docs/#what-does-falco-check-for.
Using the Falco Dashboard
A quick way to view Falco security events is to:
- Log in to Cloud.gov Logs
- Click on "Dashboards" in the left sidebar menu
- Enter "Services" in the search bar
- Follow the link for "Falco Overview"
How to Search Falco Logs in Cloud.gov Logs
Falco logs are ingested into the logging system with the value @type: falco, which provides an easy way to filter them.
To find your Falco security events in the logging system:
- Log in to Cloud.gov Logs
- Click on "Discover" in the left sidebar menu
- Add a filter for @type: falco to your log search
- Apply additional filters on the Falco event fields as desired. For example, to filter for specific rule types, add a filter of falco_rule: [rule_name]
Falco Log Fields
The fields available on Falco security event records are:
- falco_priority - Classification system showing the priority level of the detected event (0 is Emergency, 7 is Debug)
- @message - Contains the details of the Falco finding
- falco_rule - Name of the Falco rule that generated the event (include this when contacting Cloud.gov Support)
The complete list of Falco fields is available here: https://falco.org/docs/reference/rules/supported-fields/.
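To show how these fields are used in practice, here is an added Python example (not Cloud.gov platform code) that applies the @type: falco and falco_rule: [rule_name] filters described above over a few constructed records and summarizes them by rule and worst priority. The record shape, the sample rule names and the messages are assumptions for the example.

```python
# Triage helpers for Falco events as ingested into Cloud.gov Logs, keyed on the
# fields this page documents: @type, falco_priority, falco_rule and @message.
from collections import defaultdict

# Falco priority names, indexed by the numeric falco_priority (0 most severe, 7 least).
PRIORITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]

# Constructed sample records (not real platform output); the record shape is assumed.
SAMPLE_RECORDS = [
    {"@type": "falco", "falco_priority": 3, "falco_rule": "Write below etc",
     "@message": "File below /etc opened for writing (user=root file=/etc/hosts)"},
    {"@type": "app", "@message": "GET /health 200"},  # non-Falco line, must be dropped
    {"@type": "falco", "falco_priority": 5, "falco_rule": "Read sensitive file untrusted",
     "@message": "Sensitive file opened for reading (user=vcap file=/etc/shadow)"},
    {"@type": "falco", "falco_priority": 3, "falco_rule": "Write below etc",
     "@message": "File below /etc opened for writing (user=root file=/etc/passwd)"},
]

def falco_events(records, rule=None):
    """Apply the Discover filters: @type: falco, and optionally falco_rule: [rule_name]."""
    return [rec for rec in records
            if rec.get("@type") == "falco"
            and (rule is None or rec.get("falco_rule") == rule)]

def priority_name(level):
    """Translate a numeric falco_priority (0-7) to its Falco level name."""
    if not 0 <= level <= 7:
        raise ValueError(f"falco_priority out of range: {level}")
    return PRIORITY_NAMES[level]

def summarize(records, max_priority=4):
    """Count Falco events per rule at or above the max_priority threshold (default 4, Warning).

    Returns {falco_rule: {"count": n, "worst": level_name}}; grouping by rule name
    matches what Cloud.gov Support asks for when you report a finding.
    """
    summary = defaultdict(lambda: {"count": 0, "worst": 7})
    for rec in falco_events(records):
        level = int(rec["falco_priority"])
        if level > max_priority:          # less severe than the threshold, skip
            continue
        entry = summary[rec["falco_rule"]]
        entry["count"] += 1
        entry["worst"] = min(entry["worst"], level)   # lower number = more severe
    return {rule: {"count": e["count"], "worst": priority_name(e["worst"])}
            for rule, e in summary.items()}
```

Raising max_priority to 7 includes Notice and Informational events, which is useful when checking whether a rule is noisy before tuning a dashboard filter.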
Retention
Falco events are retained in the logging system for 1 year and in offline storage for 30 months.