Falco Integration Guide


This guide shows how to integrate Falco with the Secure60 platform. Falco is a cloud-native runtime security tool for Linux. It applies rules to kernel (syscall) events, enriched with container and Kubernetes metadata, and raises real-time alerts when a rule matches. Falco gives you visibility into abnormal process, file and network behaviour, potential security threats, and compliance violations on running systems.

Falco can be used across:

Overview

This guide explains how to forward Falco alerts to a Secure60 collector. As always, if you have any additional questions, don't hesitate to contact Secure60 Support.

Install Falco

  1. (Prerequisite) Install the Secure60 Collector.
  2. Install Falco on Linux (or Kubernetes).
  3. Edit the Falco configuration file at /etc/falco/falco.yaml so that it contains the following settings (json_output is a top-level key; http_output is its own top-level block, and the collector only accepts JSON, so both are required):
json_output: true
<....>
http_output:
  enabled: true
  url: http://<S60_COLLECTOR_IP_ADDRESS>:84/falco
  user_agent: "falcosecurity/falco"

Replace <S60_COLLECTOR_IP_ADDRESS> with the actual IP address of your Secure60 collector. Note that the URL uses plain http, so alert bodies (which include command lines, file paths, user names and container IDs) travel unencrypted; keep the collector reachable only from a trusted network segment or tunnel the traffic.

After saving the file, restart the Falco service so the new output settings take effect:

sudo systemctl restart falco

(On recent Falco packages the unit may be named after the driver that was selected at install time, for example falco-modern-bpf; `systemctl list-units 'falco*'` shows which unit is present on the host.)

Then confirm that Falco is running and is not logging warnings (a malformed falco.yaml or an unreachable http_output URL shows up here):

sudo systemctl status falco
sudo journalctl _COMM=falco -p warning
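Before pointing http_output at the collector it is useful to see exactly what Falco will send. The following is an added example, not code from Falco or from the Secure60 collector: a minimal stand-in HTTP receiver that accepts alerts the way the collector's /falco endpoint would, plus a sender that mimics Falco's http_output (one JSON document per POST, with the configured User-Agent). The alert contents, the hostname and the container ID are constructed sample data; the Content-Type header and the accept/reject behaviour are assumptions of this example, not documented collector behaviour.

```python
"""Stand-in receiver for Falco's http_output, plus a sender that mimics Falco.

Added example; not part of Falco or of the Secure60 collector. It assumes only
what the guide configures: Falco POSTs one JSON alert per request to the
http_output URL and sends the configured User-Agent.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Keys present in every alert Falco emits when json_output is true.
REQUIRED_KEYS = ("time", "rule", "priority", "output")


def parse_falco_alert(body: bytes) -> dict:
    """Decode one alert body; raise ValueError if it is not a Falco alert."""
    alert = json.loads(body)  # JSONDecodeError is a subclass of ValueError
    if not isinstance(alert, dict):
        raise ValueError("alert must be a JSON object")
    missing = [k for k in REQUIRED_KEYS if k not in alert]
    if missing:
        raise ValueError(f"missing Falco alert keys: {missing}")
    return alert


class FalcoHandler(BaseHTTPRequestHandler):
    """Accepts POSTs the way a collector endpoint would."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        try:
            alert = parse_falco_alert(body)
        except ValueError:
            self.send_response(400)  # malformed body: reject, store nothing
            self.end_headers()
            return
        self.server.alerts.append({
            "path": self.path,
            "user_agent": self.headers.get("User-Agent"),
            "alert": alert,
        })
        self.send_response(200)
        self.end_headers()

    def log_message(self, fmt, *args):  # keep stdout quiet
        pass


class ReceiverServer(HTTPServer):
    """HTTP server that keeps every accepted alert in memory."""

    def __init__(self, address):
        super().__init__(address, FalcoHandler)
        self.alerts = []


def start_receiver(host="127.0.0.1", port=0) -> ReceiverServer:
    """Bind (port 0 = any free port) and serve in a background thread."""
    server = ReceiverServer((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def post_body(url: str, body: bytes, user_agent="falcosecurity/falco") -> int:
    """POST raw bytes as Falco's http_output would; return the HTTP status."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json", "User-Agent": user_agent},
    )
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# Constructed sample in the shape Falco produces with json_output: true.
# The rule name is one of Falco's default rules; every value is made up.
SAMPLE_ALERT = {
    "hostname": "web-01",
    "output": "19:42:10.123456789: Notice A shell was spawned in a container "
              "with an attached terminal (user=root container_id=7d5b7f2a1c3e "
              "shell=bash parent=runc cmdline=bash)",
    "output_fields": {"container.id": "7d5b7f2a1c3e", "proc.name": "bash",
                      "user.name": "root"},
    "priority": "Notice",
    "rule": "Terminal shell in container",
    "source": "syscall",
    "tags": ["container", "shell", "mitre_execution"],
    "time": "2024-01-01T19:42:10.123456789Z",
}


def demo() -> dict:
    """Round trip: a valid alert is accepted, garbage is rejected and dropped."""
    server = start_receiver()
    url = f"http://127.0.0.1:{server.server_port}/falco"
    try:
        accepted = post_body(url, json.dumps(SAMPLE_ALERT).encode())
        rejected = post_body(url, b"not json at all")
        alerts = list(server.alerts)
    finally:
        server.shutdown()
        server.server_close()
    return {"accepted": accepted, "rejected": rejected, "alerts": alerts}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To watch real alerts instead of the constructed one, run start_receiver("0.0.0.0", 8084) on a host the Falco node can reach and temporarily set http_output.url to http://<that host>:8084/falco; the path matches the one used for the collector, so only the host and port change when you switch back.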

Integrate with Secure60 Collector

To enable the Falco HTTP input on the S60 collector, set the following in its .env file:

ENABLE_FALCO_HTTP=true
ENABLE_SYSLOG=true

Once both sides are configured, Falco logs and alerts can be viewed in the Secure60 portal.
