Falco
Falco is an open-source runtime security tool that monitors Linux system calls to detect suspicious activity such as unexpected shell executions, container escapes, and privilege escalations.
This compose file deploys Falco as a privileged container in the host PID namespace, with read-only mounts of the host's /proc, /dev, /etc, Docker socket, and kernel tracing filesystem. Alerts are forwarded over HTTP to Falco Sidekick on an internal Compose network, which routes notifications of notice priority and above to a Discord webhook.
Docker Compose
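# compose.yaml
services:
  falco:
    # NOTE(review): `latest` is a mutable tag; pin a release tag (or an image
    # digest) so the agent doing the monitoring cannot change underneath you.
    image: falcosecurity/falco:latest
    container_name: falco
    restart: unless-stopped
    # Falco needs kernel-level access to trace syscalls. Combined with
    # pid: host and the Docker socket mount below, this container is
    # effectively root on the host, so its image and config must be trusted.
    # Falco's own docs describe a capability-based alternative (cap_add
    # SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE) for the modern eBPF driver; verify
    # it on your kernel before dropping `privileged`.
    privileged: true
    pid: host
    # Falco's HTTP listener (8765) is only reachable on the internal `falco`
    # network; leave it unpublished unless something outside needs it.
    # ports:
    #   - 8765:8765
    networks:
      - falco
    # Push every alert to Falcosidekick over the internal network.
    command:
      - falco
      - -o
      - http_output.enabled=true
      - -o
      - http_output.url=http://falcosidekick:2801
    volumes:
      # Docker socket, used for container metadata enrichment. `:ro` only
      # affects the mount, not API calls over the socket: a process in this
      # container can still drive the Docker daemon.
      - /var/run/docker.sock:/host/var/run/docker.sock:ro
      - /proc:/host/proc:ro
      - /dev:/host/dev:ro
      - /etc:/host/etc:ro
      - /sys/kernel/tracing:/sys/kernel/tracing:ro
    environment:
      TZ: Europe/London

  falcosidekick:
    # NOTE(review): pin this tag/digest as well.
    image: falcosecurity/falcosidekick:latest
    container_name: falcosidekick
    restart: unless-stopped
    # Sidekick only needs to be reachable from Falco; keep 2801 unpublished.
    # ports:
    #   - 2801:2801
    networks:
      - falco
    environment:
      # NOTE(review): this does not appear to be a documented Falcosidekick
      # setting (Falco pushes to Sidekick via http_output; Sidekick does not
      # call back). Confirm it is read before relying on it.
      FALCO_SIDECAR_FALCO_URL: http://falco:8765
      # Quoted so an unset variable yields an empty string rather than null.
      # The webhook URL is a secret: keep it in .env, out of version control.
      DISCORD_WEBHOOKURL: "${DISCORD_WEBHOOK_URL}"
      # Forward only notice priority and above (drops informational/debug).
      DISCORD_MINIMUMPRIORITY: notice
      TZ: Europe/London

networks:
  falco:
    name: falco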
Environment Variables
# .env
# Discord incoming-webhook URL, read by compose.yaml as ${DISCORD_WEBHOOK_URL}.
# Treat it as a secret: anyone holding it can post to the channel. Keep .env
# out of version control and leave the value empty in shared copies.
DISCORD_WEBHOOK_URL=