Open source tool watches Linux systems, containers for suspicious activity


20 May 2016

Sysdig, which makes monitoring solutions for containers, has released an open source project that watches containers — and the rest of a Linux system as well — for unwanted activity.

Sysdig’s Falco project scans Linux system calls and compares them against a list of rules to determine if unwanted activity is taking place. If, for instance, a shell is spawned inside a container, but your containers shouldn’t be doing that, you’ll be alerted to it.

Rules for Falco are written in a custom language based on the one Sysdig uses for its filtering engine, and the default rule set includes common events container users don’t want happening. Aside from spawning shells in containers, other default flagged actions include unauthorised changes to a container’s namespace.

Most of the included rules, however, do not mention containers at all: rules covering attempts to change usernames or passwords, for example (apart from a few common exceptions like sudo/su). Instead, Falco is intended to be a general system-protection tool that intercepts system calls used by container systems and conventional apps alike. This also makes Falco container-agnostic, although its default rule set includes rules specifically for Docker.
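What one of these rules looks like, as an added illustration rather than a rule copied from the project's default set: the field names are Sysdig filter fields, the layout follows Falco's YAML rules file, and the list of shell names and the output text are assumptions.

```yaml
# Added example of a Falco-style rule; not taken from Falco's own rules file.
# Field names (evt.type, evt.dir, container.id, proc.name, proc.pname,
# user.name, container.image) are Sysdig filter fields. The shell list and
# the output string are assumptions for illustration.

# Macro: a process has just been started successfully (exit side of execve).
- macro: spawned_process
  condition: evt.type = execve and evt.dir = <

# Macro: the event originated inside a container rather than on the host.
- macro: in_container
  condition: container.id != host

# Rule: report an interactive shell started inside any container.
- rule: shell_in_container
  desc: A shell was spawned inside a container; containers in this environment are not expected to run interactive shells.
  condition: spawned_process and in_container and proc.name in (bash, sh, zsh, dash)
  output: "Shell spawned in container (user=%user.name shell=%proc.name parent=%proc.pname container=%container.id image=%container.image)"
  priority: WARNING
```

Because the rule only reports, tuning it means adding exceptions for the parent processes that legitimately launch shells in your images rather than expecting Falco to block anything.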

According to the blog post announcing the project, Sysdig sees Falco as a move away from signature-based monitoring, where each individual kind of attack has to be identified separately, and toward behavioral monitoring, where specific activities are flagged. Other features in Falco mirror this thinking. For instance, if you have a Sysdig capture file, you can use that as an event source, and thus build rules to counter behaviors you’ve observed previously.

However, Falco does not yet take specific action against any problematic application or container. Right now it is designed specifically as a reporting tool. Also, because it is a kernel-level agent, it has to be installed on each individual host where you want monitoring to take place.


IDG News Service
