docker.recipes

Falco Runtime Security

advanced

Falco for container runtime security with Sidekick for alerts.

Overview

Falco is an open-source runtime security tool originally developed by Sysdig and now maintained by the Cloud Native Computing Foundation (CNCF). It acts as a behavioral activity monitor that detects anomalous activity in applications by monitoring kernel system calls and alerting on suspicious behavior according to configurable rules. Falco excels at identifying container escapes, privilege escalations, unauthorized file access, and network anomalies in real time.

This stack combines Falco's core detection engine with Falcosidekick, an event-forwarding hub that can route Falco alerts to over 50 different outputs including Slack, PagerDuty, Elasticsearch, and webhooks. The Falcosidekick UI provides a web-based dashboard for visualizing security events, viewing rule violations, and analyzing threat patterns over time. Together, these components form a runtime security monitoring solution that not only detects threats but also ensures alerts reach the right people through the appropriate channels.

Security teams at organizations running containerized workloads will find this stack valuable for maintaining runtime visibility and compliance. Unlike static security scanning tools that only analyze images before deployment, this combination continuously monitors actual runtime behavior, making it essential for detecting zero-day exploits, insider threats, and sophisticated attacks that bypass traditional perimeter defenses. The multi-channel alerting ensures critical security events do not go unnoticed.

Key Features

  • Real-time kernel syscall monitoring with eBPF and kernel module drivers for comprehensive container behavior analysis
  • Pre-built detection rules for MITRE ATT&CK techniques including container escapes, privilege escalation, and lateral movement
  • Multi-output alert routing through Falcosidekick supporting Slack, Teams, PagerDuty, SIEM systems, and custom webhooks
  • Web-based security dashboard with event visualization, rule violation statistics, and historical trend analysis
  • Custom rule engine supporting Falco's domain-specific language for creating organization-specific security policies
  • Integration with container orchestrators including Docker, Kubernetes, and containerd for runtime context enrichment
  • JSON-formatted structured logging with detailed process genealogy and container metadata for forensic analysis
  • High-performance event processing capable of monitoring thousands of containers with minimal performance impact
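The custom rule engine mentioned above uses Falco's YAML rule language of lists, macros and rules. The file below is an added example, not part of the docker.recipes kit or Falco's bundled ruleset; it assumes it is mounted into the falco container at /etc/falco/falco_rules.local.yaml, the local-rules path the default falco.yaml loads after the bundled rules, and the image allowlist and package-manager exclusions are constructed placeholders to adjust for your environment.

```yaml
# falco_rules.local.yaml: added example, not part of the docker.recipes kit.
# Loaded after the bundled ruleset, so rule names here must not clash with
# bundled rules unless you intend to override them.

- list: interactive_shells
  items: [bash, sh, zsh, dash, ash]

# Images where an operator opening a shell is expected (constructed allowlist).
- list: debug_images
  items: ["docker.io/library/busybox"]

# Process exec events that happen inside a container rather than on the host.
- macro: container_exec
  condition: evt.type in (execve, execveat) and evt.dir = < and container.id != host

- rule: Interactive shell started in container
  desc: >
    A shell was executed inside a running container. Normal while debugging,
    but on production workloads it is a common first step after a compromise
    and should be reviewed.
  condition: >
    container_exec and proc.name in (interactive_shells)
    and not container.image.repository in (debug_images)
  output: >
    Shell started in container (user=%user.name shell=%proc.name
    parent=%proc.pname cmdline=%proc.cmdline container=%container.name
    image=%container.image.repository)
  priority: WARNING
  tags: [container, shell, mitre_execution]

# Writes below /etc from inside a container usually mean config tampering or
# persistence; container images are expected to be immutable at runtime.
- rule: Config file modified in container
  desc: A file below /etc was opened for writing from inside a container
  condition: >
    evt.type in (open, openat, openat2) and evt.dir = < and evt.is_open_write = true
    and container.id != host and fd.name startswith /etc/
    and not proc.name in (apt, apt-get, dpkg, yum, rpm)
  output: >
    Write below /etc in container (file=%fd.name proc=%proc.name
    cmdline=%proc.cmdline container=%container.name
    image=%container.image.repository)
  priority: ERROR
  tags: [container, filesystem, mitre_persistence]
```

Validate the file before deploying it with `falco -V /etc/falco/falco_rules.local.yaml` inside the container; a syntax error in a local rules file stops Falco from starting.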

Common Use Cases

  1. Enterprise security teams implementing runtime threat detection for production Kubernetes clusters and container environments
  2. Financial institutions requiring real-time monitoring for regulatory compliance and detecting unauthorized access to sensitive data
  3. DevSecOps teams building security-first CI/CD pipelines with runtime behavioral analysis and automated incident response
  4. Cloud service providers offering managed container platforms with built-in security monitoring and tenant isolation verification
  5. Healthcare organizations protecting HIPAA-compliant containerized applications from insider threats and data exfiltration
  6. Government agencies monitoring classified workloads for advanced persistent threats and supply chain attacks
  7. Managed service providers delivering security operations center (SOC) services with centralized threat detection across multiple clients

Prerequisites

  • Linux host with kernel headers installed and either eBPF support (kernel 4.14+) or ability to load kernel modules
  • Docker Engine with privileged container support enabled for Falco's kernel-level system call monitoring
  • Minimum 512MB RAM for Falco engine plus additional memory based on container density and event volume
  • Understanding of Linux system calls, container security concepts, and familiarity with security incident response procedures
  • Network access on ports 2801 (Falcosidekick API) and 2802 (Falcosidekick UI) with appropriate firewall configurations
  • Administrative privileges to mount host filesystems and access Docker socket for comprehensive container visibility


docker-compose.yml

docker-compose.yml
services:
  falco:
    image: falcosecurity/falco:latest
    container_name: falco
    restart: unless-stopped
    privileged: true
    volumes:
      - /var/run/docker.sock:/host/var/run/docker.sock:ro
      - /dev:/host/dev:ro
      - /proc:/host/proc:ro
      - /boot:/host/boot:ro
      - /lib/modules:/host/lib/modules:ro
      - /usr:/host/usr:ro
      - /etc:/host/etc:ro
    networks:
      - falco-network

  falcosidekick:
    image: falcosecurity/falcosidekick:latest
    container_name: falcosidekick
    restart: unless-stopped
    ports:
      - "${SIDEKICK_PORT:-2801}:2801"
    environment:
      - WEBUI_URL=http://falcosidekick-ui:2802
    depends_on:
      - falco
    networks:
      - falco-network

  falcosidekick-ui:
    image: falcosecurity/falcosidekick-ui:latest
    container_name: falcosidekick-ui
    restart: unless-stopped
    ports:
      - "${UI_PORT:-2802}:2802"
    depends_on:
      - falcosidekick
    networks:
      - falco-network

networks:
  falco-network:
    driver: bridge

.env Template

.env
# Falco Runtime Security
SIDEKICK_PORT=2801
UI_PORT=2802

Usage Notes

  1. Sidekick UI at http://localhost:2802
  2. Requires privileged mode
  3. Monitors syscalls in real time
  4. Configure alerting outputs in Sidekick
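Configuring the outputs (note 4) means two things: telling Falco to emit JSON events to Falcosidekick over HTTP, and telling Falcosidekick where to forward them. The override below is an added example, not the docker.recipes compose file; it replaces only the falco and falcosidekick services (falcosidekick-ui and the network stay as in the recipe) and assumes the falcosecurity/falco image entrypoint passes its arguments through to /usr/bin/falco, that a site rules file ./falco_rules.local.yaml exists, and that SLACK_WEBHOOK_URL is a placeholder you set in .env.

```yaml
# Added example: wires Falco -> Falcosidekick -> Slack. Not part of the
# docker.recipes kit. Assumes the falco image entrypoint execs its arguments,
# ./falco_rules.local.yaml exists, and SLACK_WEBHOOK_URL is set in .env.
services:
  falco:
    image: falcosecurity/falco:latest
    container_name: falco
    restart: unless-stopped
    privileged: true
    # "-o key=value" overrides the matching falco.yaml setting at startup:
    # JSON output is what Sidekick parses, http_output is how it gets there.
    command: /usr/bin/falco -o json_output=true -o http_output.enabled=true -o http_output.url=http://falcosidekick:2801
    volumes:
      - /var/run/docker.sock:/host/var/run/docker.sock:ro
      - /dev:/host/dev:ro
      - /proc:/host/proc:ro
      - /boot:/host/boot:ro
      - /lib/modules:/host/lib/modules:ro
      - /usr:/host/usr:ro
      - /etc:/host/etc:ro
      # Site-specific rules, loaded after the bundled ruleset (file path is an
      # assumption; create it before starting the stack).
      - ./falco_rules.local.yaml:/etc/falco/falco_rules.local.yaml:ro
    networks:
      - falco-network

  falcosidekick:
    image: falcosecurity/falcosidekick:latest
    container_name: falcosidekick
    restart: unless-stopped
    ports:
      - "${SIDEKICK_PORT:-2801}:2801"
    environment:
      - WEBUI_URL=http://falcosidekick-ui:2802
      # Only Warning and above are forwarded to Slack; the placeholder
      # SLACK_WEBHOOK_URL comes from .env and is never committed.
      - SLACK_WEBHOOKURL=${SLACK_WEBHOOK_URL}
      - SLACK_MINIMUMPRIORITY=warning
    depends_on:
      - falco
    networks:
      - falco-network
```

After `docker compose up -d`, `docker compose logs falco` should show JSON events and `docker compose logs falcosidekick` should log each forwarded event with its output name; if Sidekick stays silent, the http_output override is the first thing to check.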

Individual Services (3 services)

Copy individual services to mix and match with your existing compose files.

falco
falco:
  image: falcosecurity/falco:latest
  container_name: falco
  restart: unless-stopped
  privileged: true
  volumes:
    - /var/run/docker.sock:/host/var/run/docker.sock:ro
    - /dev:/host/dev:ro
    - /proc:/host/proc:ro
    - /boot:/host/boot:ro
    - /lib/modules:/host/lib/modules:ro
    - /usr:/host/usr:ro
    - /etc:/host/etc:ro
  networks:
    - falco-network
falcosidekick
falcosidekick:
  image: falcosecurity/falcosidekick:latest
  container_name: falcosidekick
  restart: unless-stopped
  ports:
    - ${SIDEKICK_PORT:-2801}:2801
  environment:
    - WEBUI_URL=http://falcosidekick-ui:2802
  depends_on:
    - falco
  networks:
    - falco-network
falcosidekick-ui
falcosidekick-ui:
  image: falcosecurity/falcosidekick-ui:latest
  container_name: falcosidekick-ui
  restart: unless-stopped
  ports:
    - ${UI_PORT:-2802}:2802
  depends_on:
    - falcosidekick
  networks:
    - falco-network

Quick Start

terminal
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  falco:
    image: falcosecurity/falco:latest
    container_name: falco
    restart: unless-stopped
    privileged: true
    volumes:
      - /var/run/docker.sock:/host/var/run/docker.sock:ro
      - /dev:/host/dev:ro
      - /proc:/host/proc:ro
      - /boot:/host/boot:ro
      - /lib/modules:/host/lib/modules:ro
      - /usr:/host/usr:ro
      - /etc:/host/etc:ro
    networks:
      - falco-network

  falcosidekick:
    image: falcosecurity/falcosidekick:latest
    container_name: falcosidekick
    restart: unless-stopped
    ports:
      - "${SIDEKICK_PORT:-2801}:2801"
    environment:
      - WEBUI_URL=http://falcosidekick-ui:2802
    depends_on:
      - falco
    networks:
      - falco-network

  falcosidekick-ui:
    image: falcosecurity/falcosidekick-ui:latest
    container_name: falcosidekick-ui
    restart: unless-stopped
    ports:
      - "${UI_PORT:-2802}:2802"
    depends_on:
      - falcosidekick
    networks:
      - falco-network

networks:
  falco-network:
    driver: bridge
EOF

# 2. Create the .env file
cat > .env << 'EOF'
# Falco Runtime Security
SIDEKICK_PORT=2801
UI_PORT=2802
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f

One-Liner

Run this command to download and set up the recipe in one step:

terminal
curl -fsSL https://docker.recipes/api/recipes/falco-runtime-security/run | bash

Troubleshooting

  • Falco fails to start with 'unable to load kernel module': Install kernel headers matching your kernel version or enable eBPF support with FALCO_BPF_PROBE environment variable
  • High CPU usage and performance degradation: Tune Falco rules to reduce noise by disabling overly verbose rules or adjusting syscall sampling rates in falco.yaml configuration
  • Falcosidekick UI shows no events despite Falco running: Verify Falco is configured to send events to Falcosidekick by adding '--http_output.url=http://falcosidekick:2801' to Falco startup parameters
  • Permission denied errors accessing /dev, /proc, or /sys: Ensure Falco container runs in privileged mode and all required host paths are mounted with appropriate read permissions
  • Missing events from specific containers: Check that Docker socket is properly mounted and Falco has visibility into the container runtime by verifying /var/run/docker.sock accessibility
  • Falcosidekick webhook delivery failures: Configure retry policies and verify target endpoint SSL certificates, network connectivity, and authentication credentials in Falcosidekick environment variables
