About this webcast
Live on Wednesday September 30, 2020 from 9:00 am to 10:00 am PST.
Get a free IBM Cloud account to get started on your projects.
Falco is a CNCF tool for watching syscall events from Linux (and containers) and audit events from Kubernetes. It has an expressive ruleset to distinguish normal activity from potentially malicious activity, and a rich ecosystem of tools to take action on security events.
In this webcast, Spencer will show off the Falco tool. Falco is a CNCF incubating project with contribution from many companies. It works by watching system calls in Linux at the kernel level. It can work either via a kernel probe or via an eBPF probe. Falco can identify events such as “someone tried to read /etc/shadow” and “a program tried to open port :384”. It compares these events against a rich YAML-based rules system and classifies them into well understood syslog priority events. The events can then be passed to a rich ecosystem of tools, such as Slack, Discord, serverless functions, and beyond. The webcast will cover:
- Project overview
- Basic functionality
- Identifying a scary event
- Writing a Falco rule to identify the event
- Tooling and pipeline examples
- API and extension points
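As an added illustration of the rule-writing step (this is not material from the webcast or from the Falco project's own rule set), here are two Falco rules in the project's YAML rule syntax that detect the two events named above: a read of /etc/shadow and a program listening on port 384. The list name, rule names and the allowlisted process names are assumptions made for this example and should be tuned to the host being monitored; the fields (`evt.type`, `fd.name`, `fd.sport`, `proc.name`, `container.id`) and the priority levels are Falco's.

```yaml
# Added example, not from the webcast or from Falco's default rules.
# Names below (shadow_readers, the rule titles) are constructed for
# illustration; the field names and syntax are Falco's.

# Processes that legitimately read /etc/shadow on a typical host.
# This allowlist is an assumption; tune it for your environment.
- list: shadow_readers
  items: [sshd, login, passwd, chage, su, sudo, unix_chkpwd]

# Fires when a process outside the allowlist opens /etc/shadow for reading.
# evt.dir=< selects the syscall exit event and fd.num>=0 means the open
# succeeded, so failed attempts by unprivileged users do not fire it.
- rule: Unexpected read of /etc/shadow
  desc: A process not on the shadow_readers list opened /etc/shadow for reading
  condition: >
    evt.type in (open, openat, openat2) and evt.dir=<
    and evt.is_open_read=true and fd.num>=0
    and fd.name=/etc/shadow
    and not proc.name in (shadow_readers)
  output: >
    Unexpected read of /etc/shadow
    (user=%user.name command=%proc.cmdline parent=%proc.pname
    file=%fd.name container_id=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [filesystem, credentials]

# Fires when a process starts listening on TCP port 384, the example port
# from the description. Matching on the exit of listen() rather than on
# bind() reports the socket only once it is actually accepting connections.
- rule: Program listening on port 384
  desc: A process began listening on TCP port 384
  condition: >
    evt.type=listen and evt.dir=<
    and fd.l4proto=tcp and fd.sport=384
  output: >
    Process listening on TCP port 384
    (user=%user.name command=%proc.cmdline port=%fd.sport
    container_id=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [network]
```

Saved as, for instance, `shadow_port_rules.yaml`, the file can be loaded alongside the default rules with `falco -r shadow_port_rules.yaml`; the `priority` field is what downstream tooling (Slack, Discord, serverless handlers) keys on when deciding whether an event is worth paging on, so WARNING for the credential-file read and NOTICE for the listening socket reflect how much follow-up each deserves.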
Spencer is an IBM developer advocate who has worked in several open source communities including Vox Pupuli and OpenStack. Spencer helped with the DevOps meetup in Portland as well as DevOpsDays PDX. Now living in Minneapolis, Spencer is a data scientist in training, working on the rich data produced by competitive esports. Spencer has been speaking and writing on tech since 2013.