Falco, Sysdig's open source project for monitoring container runtimes, is slated to join the Cloud Native Computing Foundation on Wednesday, becoming the first runtime security tool to be added to the Cloud Native Sandbox project, a home for early stage projects.

The CNCF, which is part of the Linux Foundation, characterizes the adoption of Falco as a way to build awareness of container-related security issues and to encourage the CNCF community to develop more secure cloud-native apps. The intent is also to help Falco play nicely with other CNCF projects, to help it mature and to remove potential legal and governance issues that might inhibit the project's ability to attract contributors.

The move also brings a change of license, from GPLv2 to an Apache v2, because cloud-oriented companies have issues with GPLv2 requirements.

"This allows Falco to be incorporated into more and more platforms, without some of the challenges that come with a GPLv2 license," said Michael Ducy, director of community and evangelism at Sysdig, in a blog post provided to The Register. He added that Falco's sister project, sysdig, is also shifting to Apache v2.

Google sets Kubernetes free with $9m in its pocket for expenses READ MORE

Falco is getting a new vendor-neutral home, too, at Microsoft's GitHub.

The software is designed to make security issues in containers and microservices more obvious by monitoring system calls from the Linux kernel. It provides a mechanism to write rules using the Sysdig filter language to catch unusual behavior and take action.

For example, it can be used to craft a rule that issues an alert whenever a process attempts to read a file with secrets (e.g. passwords) after the process has been running for some amount of time.

Ducy explained that upon detection of an anomalous event, Falco can dispatch various alerts that can be ingested by third-party systems. Falco rules may make use of metadata from the container runtimes and orchestration platform, which is probably Kubernetes.

The ability to take action in more or less real time is essential with containerized apps because cloud-native environments can change rapidly.

Cloud.gov, which provides US government agencies, contractors and employees with a platform for running cloud native apps, openly proclaims its use of Falco. The site says that when its rules detect suspicious behavior in an application container, the software will record the event to app log files. Users of the platform are advised to configure alerts in response to log events, in order to monitor their code for signs of intrusion.

Ducy would like to see Falco flourish in its new home. "For Falco this will hopefully lead to a more vibrant contributor and end user communities for the project," he said. ®