Falco on Ubuntu 24.04 LTS

Azure Security

Falco, the CNCF runtime security engine, watching every syscall on the machine and alerting the moment a process behaves the way an intruder would.

Base
Hardened build
minimal ports, security patches applied at build time
Access
Unique credentials
generated on first boot, readable only by root
Verified
Boots working
services pass a health gate before release
Support
24/7, 365 days
by email and live chat, 24 hour response SLA

Overview

Falco is the graduated Cloud Native Computing Foundation project for runtime threat detection. It taps the kernel's syscall stream, enriches each event with process, user and file context, and evaluates the result against a behavioural rule set, so it alerts on what a program actually did rather than on what it is called or what signature it matches. Its bundled rules already cover a large part of the way real intrusions look from the inside: a sensitive credentials file being read by a program that has no business reading it, an interactive shell appearing where none should exist, a kernel module being loaded, a process attaching a debugger to another process, a new binary written and then immediately executed, private keys or cloud credentials being searched for. Because the detections describe behaviour, they keep working against tooling nobody has catalogued yet.

Runtime detection is the layer that answers a question nothing else on the machine can. Vulnerability scanning tells you what could be exploited, and network controls tell you what can reach you, but neither tells you what an intruder is doing right now on a host that is already running. Falco fills that gap, and it is a natural companion to a network intrusion detection sensor rather than a replacement for one: the network sensor watches the packets, Falco watches the behaviour they lead to. Alerts are written as structured JSON, one object per line, which drops straight into a SIEM, a log pipeline or any alerting tool without parsing work.

Why the cloudimg image

cloudimg delivers Falco installed from the project's own signed package archive, with the signing key pinned by fingerprint and the archive wired into unattended upgrades, so the engine keeps receiving security updates rather than being frozen at whatever version happened to be current at build time. The image ships the modern eBPF driver deliberately: it is compiled once and relocated against the running kernel, so it needs no kernel module, no DKMS and no compiler, and it keeps working after your machine installs a new kernel and reboots. The alternative module based driver would quietly stop seeing events the first time that happened. Every cloudimg change lives in a configuration drop in directory so the packaged configuration files stay byte identical and future upgrades never stall on a configuration conflict. There is no login, no web interface and no user database, so no bootstrap credential exists anywhere in the image to leak, and the engine's only HTTP endpoint is bound to the loopback interface so nothing unauthenticated is ever reachable from the network. The only open port is SSH, using the key you supplied. Alerts are proven to actually fire before the image is ever captured, no build time alert data survives into your machine, and rule updates continue to arrive on your own instance. Backed by 24/7 expert support.

Common uses

  • Detect intrusions and privilege abuse on a running host in real time
  • Feed structured runtime security alerts into a SIEM or log pipeline
  • Satisfy a runtime threat detection control for an audit or compliance regime