
Sysdig: Behavioral Activity Monitor With Container Support - Artemis2
http://www.sysdig.org/falco/
======
WestCoastJustin
Sysdig also has a blog post about this @ [https://sysdig.com/blog/sysdig-falco/](https://sysdig.com/blog/sysdig-falco/)

------
sciurus
Why would you choose to write sysdig rules to alert you about unexpected,
suspicious behavior (e.g. mysql server spawns a process) when you could write
apparmor or selinux policies that would alert you _and_ block it?

------
windowsworkstoo
This is nice, I can see myself using it instead of OSSEC and may have to look
at making a clone for Windows, based on the equivalent APIs/tools in the ETW
stack.

------
simonebrunozzi
Great talk at OSCon in Austin yesterday. Whenever it becomes available online,
I suggest watching it.

------
jbaviat
Interesting. The security facet of the rules turns it into some kind of HIDS
(host intrusion detection system) - I would be curious to see the level of
verbosity this gets when scaling across hundreds of containers.

From what I get, you also need to plug it into your own alerting system by hand.

~~~
degio
(one of the authors here)

Yes, this currently emits to file or syslog and you need to take care of the
alerting. Of course, this is the very initial release and we plan to improve
it. If you have a specific need or idea, feel free to open an issue or let us
know on the mailing list.
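
As an added example (not code from the thread or from the Falco project), a small Python consumer for the line-based output degio describes: it assumes the plain-text shape `HH:MM:SS.ns: Priority message` with `key=value` fields inside the message, parses constructed sample lines, and keeps only alerts at or above a chosen priority so an existing central log pipeline can do the alerting.

```python
import re

# Falco's eight priority names, most to least severe; their list index is the
# syslog severity number (0..7) used when the tool writes to syslog.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# Assumed plain-text line shape: "<HH:MM:SS.ns>: <Priority> <message>".
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+): (\w+) (.*)$")
# key=value pairs such as "user=root container=mysql" inside the message;
# a value stops at whitespace or a closing parenthesis.
FIELD_RE = re.compile(r"(\w+)=([^\s)]+)")


def parse_alert(line):
    """Parse one output line into a dict, or return None if it is not an alert."""
    m = LINE_RE.match(line)
    if not m or m.group(2) not in PRIORITIES:
        return None
    time, priority, message = m.groups()
    return {
        "time": time,
        "priority": priority,
        "severity": PRIORITIES.index(priority),  # 0 = most severe, like syslog
        "message": message,
        "fields": dict(FIELD_RE.findall(message)),
    }


def route_alerts(lines, threshold="Warning"):
    """Keep alerts at or above `threshold`; the filtering step a central log
    collector performs before forwarding to whatever does the paging."""
    limit = PRIORITIES.index(threshold)
    kept = []
    for line in lines:
        alert = parse_alert(line)
        if alert is not None and alert["severity"] <= limit:
            kept.append(alert)
    return kept


# Constructed sample lines (not real Falco output) in the assumed shape.
SAMPLE_LINES = [
    "18:05:34.123456789: Warning Shell spawned in a container (user=root container=mysql shell=bash)",
    "18:05:35.000000001: Notice Unexpected outbound connection (user=mysql container=mysql)",
    "18:05:36.500000000: Error Sensitive file opened for reading (user=root file=/etc/shadow)",
    "not an alert line at all",
]

if __name__ == "__main__":
    for alert in route_alerts(SAMPLE_LINES):
        print(alert["priority"], alert["fields"].get("container", "host"), alert["message"])
```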

~~~
windowsworkstoo
Frankly, I'd leave it as is - I (and I'm sure lots of other opers) already
have some kind of central log collection that we can alert off. Nothing more
frustrating than all the various monitoring systems each with their own unique
take on alerting ;) Just imho of course.

