You are viewing documentation for Falco version: v0.36.2
Glossary
This glossary is intended to be a comprehensive, standardized list of Falco terminology. It includes technical terms that are specific to Falco, as well as more general terms that provide useful context.
- Abnormal behavior
The behavior of an application, container, or other component that is considered suspicious.
- Detection
Identifying a suspicious event or behavior.
- Drivers
The general term for the software that sends events from the kernel.
Examples include the eBPF probe and the kernel module.
- eBPF
eBPF is a technology for collecting metrics and events from the kernel in a secure way.
eBPF is a technology that can run sandboxed programs in a privileged context, such as the operating system kernel. It is used to extend the kernel's capabilities at runtime without changing kernel source code or loading kernel modules. It is considered safer than kernel modules since it cannot crash your system.
Ref: https://ebpf.io
- eBPF Probe
The eBPF probe collects syscall events from the kernel, as the kernel module does.
- Falco
The name of the project and the main engine on which the rest of the project is built.
Falco is a cloud native runtime security tool for Linux operating systems. It is designed to detect and provide real-time alerts about abnormal behaviors and potential security threats.
At its core, Falco is a kernel monitoring and detection agent that observes events, such as syscalls, based on custom rules. Falco can enhance these events by integrating metadata from the container runtime and Kubernetes. The collected events can be analyzed off-host in SIEM or data lake systems.
- Falcosidekick-UI
A simple WebUI for displaying the latest events from Falco; it works as an output for Falcosidekick.
- gRPC
gRPC is a modern open source, high-performance Remote Procedure Call (RPC) framework that can run in any environment.
It can efficiently connect services in and across data centers with pluggable support for load balancing, tracing, health checking, and authentication. It also applies in the last mile of distributed computing to connect devices, mobile applications, and browsers to backend services.
Ref: https://grpc.io
- Intrusion
Unsolicited presence in a system.
- Kernel Module Driver
The kernel module collects syscall events from the kernel, as the eBPF probe does.
- Macros
Macros are snippets of rule conditions that can be reused inside rules and even inside other macros.
Macros provide a way to name common patterns and factor out redundancies in rules.
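As an added illustration that is not part of this glossary, the following small Falco rules file shows conditions factored into macros, one macro built from two others, and a rule that references the combined macro. The macro and list names are the conventional ones used in Falco's default rules; the rule itself and its output string are constructed for this example.

```yaml
# Constructed example rules file: macros factor common condition
# fragments out of rules and can be nested inside other macros.

# A process was started (execve returned to user space).
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

# The event originated inside a container rather than on the host.
- macro: container
  condition: container.id != host

# Macros can reference other macros, so the two checks above are
# combined once here instead of being repeated in every rule.
- macro: spawned_process_in_container
  condition: spawned_process and container

# Lists hold values that conditions can match against with "in".
- list: shell_binaries
  items: [bash, sh, zsh]

# The rule stays readable because the plumbing lives in the macros.
- rule: Shell spawned in container
  desc: A shell was started inside a container (constructed example rule)
  condition: spawned_process_in_container and proc.name in (shell_binaries)
  output: >-
    Shell spawned in container (user=%user.name container=%container.id
    shell=%proc.name cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell]
```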
- Modern eBPF Probe
A more robust eBPF probe that brings the CO-RE paradigm, better performance, and better maintainability.
It will replace the default eBPF probe in the future.
- Monitoring
Observing the evolution of a process over time.
- Runtime Security
Runtime security is the process of providing protection for your host, containers, and applications while they’re running.
- Tracing
Following the path of a request through several components and/or applications.
- User Space
The memory space where all user actions and applications are executed.