
Set up container runtime security monitoring with Falco and Kubernetes

About this webcast

Live on Wednesday September 30, 2020 from 9:00 am to 10:00 am PST.


Falco is a CNCF tool for watching syscall events from Linux (and containers) and audit events from Kubernetes. It has an expressive ruleset for distinguishing normal activity from potentially malicious activity, and a rich ecosystem of tools to take action on security events.

In this webcast, Spencer will show off the Falco tool. Falco is a CNCF incubating project with contributions from many companies. It works by watching system calls in Linux at the kernel level, using either a kernel probe or an eBPF probe. Falco can identify events such as “someone tried to read /etc/shadow” and “a program tried to open port :384”. It compares these events against a rich YAML-based rules system and classifies them by well-understood syslog priority levels. The events can then be passed to a rich ecosystem of tools, such as Slack, Discord, serverless functions, and beyond. The webcast will cover:

  • Project overview
  • Basic functionality
  • Identifying some scary event
  • Writing a Falco rule to identify the event
  • Tooling and pipeline examples
  • API and extension points
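
A rule of the kind the abstract describes, for the “someone tried to read /etc/shadow” event, is sketched here as an added example; it is not taken from the webcast or from Falco's shipped ruleset. The list, macro and rule names and the allowlist contents are assumptions chosen for illustration.

```yaml
# Added example. The names shadow_readers_allowed, open_shadow_for_read and
# "Unexpected read of /etc/shadow" are hypothetical, not Falco defaults.

# Programs expected to read the shadow file on this host (constructed allowlist;
# tune it to what actually runs in your images).
- list: shadow_readers_allowed
  items: [sshd, login, su, sudo, passwd, unix_chkpwd]

# Reusable condition: a successful open()/openat() for reading on /etc/shadow.
# fd.num >= 0 restricts the match to opens that returned a valid descriptor.
- macro: open_shadow_for_read
  condition: >
    evt.type in (open, openat) and evt.is_open_read = true
    and fd.num >= 0 and fd.name = /etc/shadow

- rule: Unexpected read of /etc/shadow
  desc: >
    A process outside the allowlist opened /etc/shadow for reading,
    on the host or inside a container.
  condition: >
    open_shadow_for_read
    and not proc.name in (shadow_readers_allowed)
  # Fields in the output line give a responder the who/what/where of the event.
  output: >
    /etc/shadow opened for reading
    (user=%user.name command=%proc.cmdline parent=%proc.pname
    file=%fd.name container_id=%container.id
    image=%container.image.repository)
  # One of Falco's syslog-style priority levels.
  priority: WARNING
  tags: [filesystem, credentials]
```

A file like this is passed to Falco with `-r <file>`; matching events are then emitted at the stated priority to whichever outputs are configured.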

Speaker bio

Spencer is an IBM developer advocate who has worked in several open source communities including Vox Pupuli and OpenStack. Spencer helped with the DevOps meetup in Portland as well as DevOpsDays PDX. Now living in Minneapolis, Spencer is a data scientist in training, working on the rich data produced by competitive esports. Spencer has been speaking and writing on tech since 2013.

About this series

Visit the IBM Developer Webcast Wednesdays show page for more tech talks and sign up for the Developer Webcast newsletter to get notifications for upcoming tech talks.