# Falco

## What is Falco?

Falco is an open-source, cloud-native security tool designed for real-time threat detection. It operates at runtime across hosts, containers, Kubernetes, and the cloud. By using technologies such as eBPF to tap into Linux kernel events, Falco can monitor system activity, detect abnormal behavior, and alert on potential security threats and compliance violations based on a customizable set of rules.

## Falco and File Integrity Monitoring in Ubersmith

- **Monitoring File System Events:** Falco can monitor system calls related to file access and modification. This includes detecting when files are opened, read, or written to, or when their attributes are changed.
- **Rule-Based Detection:** You can create specific Falco rules to watch critical files and directories. For example, you can set up a rule to trigger an alert whenever a file in /etc, /bin, or a specific application directory is modified.
- **Real-Time Alerts:** Falco provides immediate notifications when a rule is triggered. This allows security teams to respond quickly to unauthorized or suspicious file changes, which is a cornerstone of effective FIM.
- **Context-Rich Alerts:** Falco's alerts include rich contextual information, such as the user, process, and container that initiated the file change. This context is crucial for investigating security incidents and determining whether a change was legitimate or malicious.

## Ubersmith's Falco Configuration

Ubersmith ships with a default configuration that monitors for changes to the Ubersmith codebase and Ubersmith configuration. These rules can be found in /usr/local/ubersmith/conf/falco/. An example follows:

```yaml
# Directories that make up the Ubersmith installation: the webroot, the Docker
# volume backing it, and the configuration directory.
- macro: uber_dir
  condition: (fd.directory in (/var/www/ubersmith_root, /var/lib/docker/volumes/ubersmith_webroot/_data, /usr/local/ubersmith))

- rule: Write below Ubersmith directory
  desc: >
    Trying to write to any file below Ubersmith directories.
    This is an effective rule for detecting unusual behavior associated with system changes, including compliance-related cases.
  # open_write matches open/openat/creat calls with a write flag; evt.dir=< restricts
  # the match to the syscall exit event, so the file descriptor fields are populated.
  condition: >
    open_write and evt.dir=< and uber_dir
  output: File below Ubersmith directory opened for writing (file=%fd.name pcmdline=%proc.pcmdline gparent=%proc.aname[2] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
  priority: ERROR
```

This rule will log any changes to files within the Ubersmith configuration directory (/usr/local/ubersmith) or the Ubersmith webroot (/var/www/ubersmith_root). These logs can be viewed using journalctl:

```
journalctl -f -t ubersmith/falco
```

In older versions of Ubersmith, these logs can be found in:

```
/var/log/ubersmith/falco/docker.log
```

## Custom Configuration

If you would like to define custom Falco rules for your Ubersmith installation, you can do so by following the Falco Rules Documentation. Add your rules to a separate file in /usr/local/ubersmith/conf/falco/ and restart the Falco container:

```
cd /usr/local/ubersmith
docker compose restart falco
```
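The alerts this rule writes to the journal are a single text line per event, with the `output:` fields rendered as `key=value` pairs. As an added example (not Ubersmith's or Falco's own code), the script below parses lines in that shape into a dictionary and counts hits per user, process and container for triage; the journal prefix, field values and container fields in the sample are constructed, and the `%container.info` rendering as `container_id=... container_name=...` is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of "journalctl -t ubersmith/falco" output.
# Falco's text format is "<time>: <Priority> <output>"; everything else here is made up.
SAMPLE_LINES = """\
Jun 03 10:15:02 host1 ubersmith/falco[2231]: 10:15:02.123456789: Error File below Ubersmith directory opened for writing (file=/usr/local/ubersmith/conf/falco/custom.yaml pcmdline=sshd: admin [priv] gparent=sshd evt_type=openat user=admin user_uid=1000 user_loginuid=1000 process=vim proc_exepath=/usr/bin/vim.basic parent=bash command=vim custom.yaml terminal=34816 container_id=host container_name=host)
Jun 03 10:16:44 host1 ubersmith/falco[2231]: 10:16:44.987654321: Error File below Ubersmith directory opened for writing (file=/var/www/ubersmith_root/include/config.ini pcmdline=containerd-shim gparent=systemd evt_type=openat user=www-data user_uid=33 user_loginuid=-1 process=php-fpm proc_exepath=/usr/local/sbin/php-fpm parent=php-fpm command=php-fpm: pool www terminal=0 container_id=3f1a2b4c5d6e container_name=ubersmith-web)
"""

# Falco timestamp, priority word, free-text message, then the parenthesised field blob.
ALERT_RE = re.compile(r"(\d{2}:\d{2}:\d{2}\.\d+): (\w+) (.+?) \((.+)\)$")
KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def parse_fields(blob):
    """Split 'k=v k2=v2 ...' where values such as command=%proc.cmdline may contain spaces.

    A token without '=' is appended to the previous value. Limitation: a value
    token that itself looks like 'NAME=...' (e.g. an env assignment in a cmdline)
    is treated as a new key.
    """
    fields, key = {}, None
    for tok in blob.split(" "):
        k, sep, v = tok.partition("=")
        if sep and KEY_RE.fullmatch(k):
            key = k
            fields[key] = v
        elif key is not None:
            fields[key] += " " + tok
    return fields


def parse_alert(line):
    """Return a dict for one Falco text alert, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    time, priority, message, blob = m.groups()
    alert = {"time": time, "priority": priority, "message": message}
    alert.update(parse_fields(blob))
    return alert


def summarize(text):
    """Parse all alerts in a journal dump and count them per (user, process, container)."""
    alerts = [a for a in (parse_alert(l) for l in text.splitlines()) if a]
    counts = Counter((a.get("user"), a.get("process"), a.get("container_name")) for a in alerts)
    return alerts, counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LINES)[1].most_common():
        print(n, key)
```

A host-side editor writing under /usr/local/ubersmith and the web container's php-fpm writing under the webroot show up as distinct (user, process, container) triples, which is the split a reviewer needs to separate administrative changes from unexpected ones.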