The Cloud Native Computing Foundation (CNCF) has embraced Falco, an open source container security runtime developed by Sysdig, as a Cloud Native Sandbox project.
Falco taps into the Linux kernel and creates a stream of system call events that Falco compares against a set of rules that, if violated, will result in an action being taken to reduce the possibility of a security breach. Falco can kill containers that violate policies, notify teams of violations and actions and isolate Kubernetes nodes. Falco also captures metadata from sources such as the Kubernetes API server to enhance the data provided by the Linux kernel. That metadata can be employed to create rules based on Kubernetes metadata that can be applied to specific Kubernetes namespaces, deployments or individual pods in near real time.
The overarching goal of the Falco project is to reduce security incident detection and response time cycles by providing a runtime to detect abnormal behavior at the application, file, system and network levels.
Michael Ducy, director of community and evangelism, says being accepted as a sandbox project will make it easier for Sysdig to collaborate with the rest of the open source container community that revolves around the CNCF. The development road map for Falco already includes expanded Kubernetes integrations, including the addition of Kubernetes audit events as a Falco event source and Kubernetes network policy support. Integration with Prometheus container monitoring software, a top-level CNCF project, which will result in detailed security metrics delivered in an OpenMetrics format, is also planned. Sysdig earlier this month also connected support for Prometheus as a complementary back-end source of data for surfacing metrics.
Ducy notes the Falco project also now will benefit from the guidance and governance processes that the CNCF puts in place around all its projects, says Ducy. To become a member of the CNCF, however, Sysdig has been required to change the open source licenses under which the technologies it develops has been made available to the open source community. Both Falco and sysdig, the container monitoring software on which Sysdig primarily relies on, is moving from a GPLv2 license to an Apache License v2.
Falco still has a way to go before it might become a major CNCF project. There may come a day when Falco will function as a generic sensor for containers. But by accepting Falco as a Cloud Native Sandbox project, the CNCF is signaling that the community is starting to focus more on container security issues. But it’s not like Falco hasn’t stood the test of time: Falco, which has been downloaded over 1.5 million times, has been around as an open source project since 2013. Sysdig makes use of Falco within a suite of container management applications that are delivered as a service.
It may take a while for the CNCF community to build some consensus around container security runtimes. But it’s clear that as containers continue to find their way into production environments, more than a few cybersecurity professionals are starting to ask questions about how containers and microservices are secured. As projects such as Falco continue to evolve, there may even come a day when developers will be able to answer those questions in the exact same way.