Federico Calò's Falco Container Security Demo on GitHub: A Hands-on Introduction to Kubernetes and Cloud-Native Application Protection (CNAP) using Ollama.
Educational demo built around Falco, the CNCF runtime security project: it simulates runtime alerts for five Kubernetes (K8s) scenarios (privilege escalation, shell in container, crypto miner and other attack patterns) using Falco rules, each mapped to MITRE ATT&CK together with remediations.
14:22:31.847192 Warning Container privilege escalation
(user=root user_uid=0 parent=sudo command=sudo /bin/sh
container_id=a1b2c3d4e5f6 container_name=webapp
image=nginx:1.25 proc.name=sudo proc.pid=3142
evt.type=setuid gparent=bash ggparent=sshd
aname[3]=systemd k8s.ns=production k8s.pod=webapp-7d9f8b-xkp2r)

Rule explanation
Falco intercepts raw Linux syscalls via eBPF (or the kernel module) using the sysdig driver. When a process inside a container calls setuid(0), escalating to root, and that process is not in the known allow-list (known_setuid_binaries), Falco fires this rule at CRITICAL priority. This pattern is a leading indicator of container breakout attempts: an attacker who has obtained an unprivileged shell first escalates privileges inside the container before attempting to escape to the host namespace, for example via CAP_SYS_ADMIN or /proc/1/ns/mnt.
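The condition described above, written as a Falco rules file. This is an added example and not the demo's own rule: the rule name, the entries in the known_setuid_binaries list and the MITRE tags are assumptions chosen to match the explanation; the field names used (evt.type, evt.dir, evt.rawarg.uid, proc.name, container.id, k8s.ns.name and so on) are standard Falco fields.

```yaml
# Added example of a Falco rule for setuid(0) inside a container.
# Not the demo's own rule; list entries below are assumptions.

# Allow-list of binaries expected to call setuid in your images.
# These two entries are illustrative; extend per workload.
- list: known_setuid_binaries
  items: [passwd, newgrp]

# True only for events that originate inside a container.
- macro: container
  condition: (container.id != host)

# setuid entry event whose numeric uid argument is 0 (root).
- macro: setuid_to_root
  condition: (evt.type = setuid and evt.dir = > and evt.rawarg.uid = 0)

- rule: Container privilege escalation via setuid
  desc: >
    A process inside a container called setuid(0) and is not in the
    known_setuid_binaries allow-list. Often precedes container breakout
    attempts (CAP_SYS_ADMIN abuse, /proc/1/ns/mnt).
  condition: >
    setuid_to_root
    and container
    and not proc.name in (known_setuid_binaries)
  output: >
    Container privilege escalation
    (user=%user.name user_uid=%user.uid parent=%proc.pname
    command=%proc.cmdline container_id=%container.id
    container_name=%container.name image=%container.image.repository
    proc.name=%proc.name proc.pid=%proc.pid evt.type=%evt.type
    k8s.ns=%k8s.ns.name k8s.pod=%k8s.pod.name)
  priority: CRITICAL
  # Tags follow the naming used in Falco's default rules; the MITRE
  # technique mapping (T1548, Abuse Elevation Control Mechanism) is assumed.
  tags: [container, mitre_privilege_escalation, T1548]
```

Load it with `falco -r <file>`; anything that legitimately calls setuid(0) in your images (the demo's alert shows sudo doing so) belongs in the list, otherwise it fires.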
What is Falco?
Falco is the open-source runtime security project of the CNCF (Cloud Native Computing Foundation), founded by Loris Degioanni and originally created at Sysdig in 2016. It uses either eBPF or a traditional kernel module to intercept Linux syscalls at the kernel level, apply rules in real time, and generate structured alerts on anomalous behavior within containers and Kubernetes.
Unlike vulnerability scanners that analyze static images, Falco operates at runtime: it can detect unknown attack techniques (0-days) as long as they exhibit abnormal syscall patterns. It is complementary to Trivy, OPA/Gatekeeper and Pod Security Admission.