Sysdig, which makes monitoring solutions for containers, has released an open source project that watches containers — and the rest of a Linux system as well — for unwanted activity.
Sysdig’s Falco project scans Linux system calls and compares them against a list of rules to determine if unwanted activity is taking place. If, for instance, a shell is spawned inside a container, but your containers shouldn’t be doing that, you’ll be alerted to it.
Rules for Falco are written in a custom language based on the one Sysdig uses for its filtering engine, and the default rule set includes common events container users don’t want happening. Aside from spawning shells in containers, other default flagged actions include unauthorized changes to a container’s namespace.
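As an added illustration (not taken from the article or from Falco's shipped rule set), the two detections mentioned above, a shell spawned in a container and an unexpected namespace change, could be written as follows in the YAML rule format used by later Falco releases. The rule names, macro names and list contents are constructed for this example, and the rule format in the release described here may differ.

```yaml
# Added example, not Falco's shipped rules. Rule names, macro names and list
# contents are constructed; field names come from the Sysdig filter syntax.

- list: shell_binaries
  items: [bash, sh, dash, zsh, ksh]

# Constructed allow-list: runtimes expected to call setns() on this host.
- list: namespace_changers
  items: [runc, dockerd, containerd-shim]

# True for any event that originates inside a container.
- macro: in_container
  condition: container.id != host

# True when an execve() call has returned, i.e. a new program was started.
- macro: spawned_process
  condition: evt.type = execve and evt.dir = <

- rule: Shell spawned in container
  desc: A shell started inside a container that is not expected to run one
  condition: spawned_process and in_container and proc.name in (shell_binaries)
  output: >
    Shell in container (user=%user.name container=%container.name
    id=%container.id shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING

- rule: Unexpected namespace change
  desc: A process other than the container runtime called setns()
  condition: evt.type = setns and not proc.name in (namespace_changers)
  output: >
    Namespace change (user=%user.name process=%proc.name
    parent=%proc.pname container=%container.id)
  priority: WARNING
```

Each rule only produces an alert line built from its `output` template; tuning the two lists to what a given host legitimately runs is what keeps the alerts meaningful.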
Falco doesn’t yet take specific action against any problematic application or container. Right now it’s designed specifically as a reporting tool. Also, because it’s a kernel-level agent, it has to be installed on each individual host where you want monitoring to take place.
Submitted by: Arnfried Walbrecht