oci-seccomp-bpf-hook VS falco

I was thinking about how to solve that problem, and I thought of an idea: “What if we record the syscalls that a program makes while it’s running?” I was telling one of my co-workers about my idea, and the next day he sent me a link to a tool he found on GitHub. It turned out that some folks at Red Hat had already made a tool called oci-seccomp-bpf-hook that does exactly what I wanted!

The application should have a seccomp, apparmor or selinux profile according to the principles of least privileges (Udica, Oci-seccomp-bpf-hook, Go2seccomp, Security Profiles Operator)

https://github.com/falcosecurity/falco

Like snort, but looks at system calls.

From one noob to another - I had a lot of fun setting up Falco (https://falco.org) and creating custom policies & alerts.

Falco is a well-known open source security solution originally created by Sysdig. It’s a CNCF incubating project and one of the few (as far as I can tell) options on this list that uses eBPF to scan for vulnerabilities.

Use some kind of SIEM or Falco to alert you to threats (you can't stop them, but a human can always intervene)

Falco, is a security project that can help you detect threats from within your cluster.

https://falco.org/ is a security-focused monitoring and alerting with an eBPF option

On the cgo side I want to highlight two talks: one from Loris Cro about dealing with cross-complition difficulties, that the usage of cgo brings, using the Zig language and the other from Jason Dellaluce and Leonardo Grasso about how to extend Falco, a Kubernetes threat detection engine, which is written in C++, with plugins written in Go, explaining the challenges of integrating cgo in both C and Go.