Summary: Runtime Security

As mentioned in our previous post about Falco, Falco is a security tool to monitor kernel events like system calls or Kubernetes audit logs to provide real-time alerts.

In this post I'll show to customize Falco for a specific use case. We would like to monitor the following events:

• An interactive shell is opened in a container
• Log all commands executed in an interactive shell in a container
• Log read and writes to files within an interactive shell inside a container
• Log commands execute via `kubectl/oc exec` which leverage the pod/exec K8s endpoint

Falco is a security tool to monitor kernel events like system calls to provide real-time alerts. In this post I'll document the steps taken to get Open Source Falco running on an OpenShift 4.12 cluster.

UPDATE: Use the falco-driver-loader-legacy image for OpenShift 4.12 deployments.