Monitoring Linux system calls with Falco

Rules and Logs

© Lead Image © hywards, 123RF.com

© Lead Image © hywards, 123RF.com

Article from Issue 299/2025
Author(s):

Create your own rules to detect threats by monitoring system calls.

Strace [1] is a valuable tool for monitoring and troubleshooting system calls. Unfortunately, it is sometimes difficult to understand raw system calls emitted by strace. For instance, the command shown in Listing 1 reveals lots of cryptic information.

Falco [2] is an alternative tool that offers a more intuitive approach for monitoring and detecting system events. Falco is maintained by the Cloud Native Computing Foundation (CNFC) [3] and is designed to operate in distributed, containerized environments. However, you can also use Falco on a single Linux system.

Overview of Linux System Calls

In Linux, userspace programs make requests to the kernel via the glibc library [4]. Otherwise known as the GNU C library, glibc is made up of wrapper functions that invoke or make system calls – on behalf of userspace programs – to the Linux kernel. Other libraries, such as the musl library [5], also exist (see the box entitled "musl and glibc"), but glibc is the default library for most Linux distributions.

[...]

Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
Print Issues
Digital Issues
 
SUBSCRIPTIONS
Print Subs
Digisubs
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Kernel News

     

    more »
  • File Inspector

    Spotify, the Internet music service, collects data about its users and their taste in music. Mike Schilli requested a copy of his files to investigate them with Go.

    more »
  • Core Technologies

    Look for intruders and study the health of your system with Linux auditing tools.

    more »
  • Security Lessons: auditd

    The auditd tool can provide system logging capabilities to satisfy even the most paranoid users.

    more »
  • Udev

    After three years of hanging around on the sidelines, Udev has finally ousted the legacy Dev-FS system. We take a look under the hood at the Udev device management system inside your Linux system.

    more »
comments powered by Disqus