Detecting Container Threats with Sysdig Falco: A Hands‑On Guide

This guide explains how to deploy Sysdig Falco on Docker, configure its rules, and demonstrate detection of four common container security threats—including interactive shells, unauthorized processes, writes to non‑user directories, and sensitive mounts—using real‑world examples and log analysis.

dbaplus Community

Overview

Sysdig Falco is an open‑source runtime security tool that runs in user space, intercepting system calls via a kernel module. It provides container‑aware detection using fields such as container.id, container.image, and namespace metadata.

1. Deploying Falco

Place the configuration files under /etc/falco:

falco.yaml – service settings
falco_rules.yaml – detection policies

Create a log file for events:

touch /var/log/falco_events.log

Enable file_output in falco.yaml and set its filename to this path so that events are actually written there. Then pull the official Falco Docker image and start the container, mounting the configuration directory and the log file:

# Falco needs --privileged plus the host's /proc and Docker socket to capture syscalls and resolve container metadata
docker run -d --name falco \
  --privileged \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /proc:/host/proc:ro \
  -v /etc/falco:/etc/falco \
  -v /var/log/falco_events.log:/var/log/falco_events.log \
  falcosecurity/falco:latest

Restart the container whenever the configuration or rules are updated.

2. Threat Scenarios

Interactive Shell in a Container

Run an Nginx container and exec an interactive shell. Falco’s default rule Shell_Entered_Container generates an event with fields such as proc.name and container identifiers.

docker run -d -P --name example1 nginx
docker exec -it example1 bash

Check the log:

tail -f /var/log/falco_events.log

Unauthorized Process Execution

Define a rule that triggers when a new process is spawned inside a container whose image name starts with nginx but the process name is not in an allowed list. After updating falco_rules.yaml, restart Falco and launch a new container that runs an unexpected binary.

# Example rule fragment (in falco_rules.yaml)
- rule: Unexpected_Process_In_Nginx
  desc: Detect processes other than nginx inside nginx containers
  condition: spawned_process and container and container.image startswith "nginx" and not proc.name in ("nginx", "nginx-helper")
  output: "Unexpected process %proc.name in container %container.id"
  priority: WARNING

Write to Non‑User Data Directory

Use a macro to filter open syscalls (open/openat) that request write mode. The rule alerts when such a write targets a path outside the allowed /userdata directory.

# Macro definition
- macro: open_write
  condition: (evt.type=open or evt.type=openat) and (evt.arg.flags contains O_WRONLY or evt.arg.flags contains O_RDWR)

- rule: Write_Outside_Userdata
  desc: Detect writes to paths other than /userdata
  condition: open_write and not fd.name startswith "/userdata"
  output: "Write to non‑userdata path %fd.name by %proc.name"
  priority: WARNING

Sensitive Mount Detection

Define a macro listing prohibited host mount points (e.g., /proc, /mnt). The rule fires when a container mounts any of these paths.

# Macro definition
- macro: sensitive_mount
  condition: (evt.type=mount) and (evt.arg.source in ("/proc", "/mnt"))

- rule: Sensitive_Mount
  desc: Detect mounting of sensitive host directories
  condition: sensitive_mount
  output: "Sensitive mount %evt.arg.source in container %container.id"
  priority: CRITICAL

3. Event Generator

Falco provides a synthetic event generator image that exercises all default rules. Pull and run the generator to verify rule coverage:

docker run --rm falcosecurity/falco-event-generator

Monitor the log to see the simulated intrusion attempts.
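To turn the raw log from the scenarios above or from the generator into something an operator can act on, here is an added Python triage script; it is not part of the original article or of Falco itself. It assumes json_output is enabled in falco.yaml so each event is one JSON object with rule, priority and output_fields keys, and it runs over constructed sample lines that reuse the rule names from this guide.

```python
import json
from collections import defaultdict

# Constructed sample lines in Falco's json_output format (not captured from a real host).
SAMPLE_LOG = """\
{"output":"Shell spawned in container 3f2a1b","priority":"Notice","rule":"Shell_Entered_Container","time":"2024-05-01T10:00:01.000000000Z","output_fields":{"container.id":"3f2a1b","proc.name":"bash"}}
{"output":"Unexpected process curl in container 3f2a1b","priority":"Warning","rule":"Unexpected_Process_In_Nginx","time":"2024-05-01T10:00:05.000000000Z","output_fields":{"container.id":"3f2a1b","proc.name":"curl"}}
{"output":"Write to non-userdata path /etc/passwd by bash","priority":"Warning","rule":"Write_Outside_Userdata","time":"2024-05-01T10:00:09.000000000Z","output_fields":{"container.id":"3f2a1b","proc.name":"bash","fd.name":"/etc/passwd"}}
{"output":"Sensitive mount /proc in container 9c0d4e","priority":"Critical","rule":"Sensitive_Mount","time":"2024-05-01T10:01:00.000000000Z","output_fields":{"container.id":"9c0d4e","evt.arg.source":"/proc"}}
{"output":"Shell spawned in container a1b2c3","priority":"Notice","rule":"Shell_Entered_Container","time":"2024-05-01T10:02:00.000000000Z","output_fields":{"container.id":"a1b2c3","proc.name":"sh"}}
10:02:30.123456789: Notice this line was written in plain-text mode and is skipped
"""

# Falco priority names, lowest to highest.
PRIORITY_RANK = {"Debug": 0, "Informational": 1, "Notice": 2, "Warning": 3,
                 "Error": 4, "Critical": 5, "Alert": 6, "Emergency": 7}

def parse_events(text):
    """Return one dict per JSON event line; non-JSON lines are skipped."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # plain-text mode output or a partial line from tail -f
        if isinstance(ev, dict) and "rule" in ev and "priority" in ev:
            events.append(ev)
    return events

def triage(events, escalate_at=2):
    """Group events by container.id and mark a container for follow-up when
    it raised a Critical-or-higher event or tripped at least `escalate_at`
    distinct rules (e.g. a shell followed by an unexpected process)."""
    by_container = defaultdict(list)
    for ev in events:
        cid = ev.get("output_fields", {}).get("container.id", "host")
        by_container[cid].append(ev)
    report = {}
    for cid, evs in by_container.items():
        rules = sorted({e["rule"] for e in evs})
        top = max(PRIORITY_RANK.get(e["priority"], 0) for e in evs)
        report[cid] = {"rules": rules, "max_priority": top,
                       "escalate": top >= PRIORITY_RANK["Critical"]
                       or len(rules) >= escalate_at}
    return report

if __name__ == "__main__":
    for cid, info in triage(parse_events(SAMPLE_LOG)).items():
        print(cid, info)
```

Point parse_events at the contents of /var/log/falco_events.log instead of SAMPLE_LOG to run it against a live deployment.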

4. References

Falco documentation: https://github.com/draios/falco/wiki/

Technical discussion on SELinux, Seccomp, and Falco: https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/
