Falco, or Sysdig Falco, is a behavioral activity monitoring tool for keeping track of what is going on on your servers in real time. It works similarly to tools like OSSEC, but it only detects and alerts; it has no means of taking action, such as blocking offending traffic. It is a kernel-space tool: it loads a kernel module onto the system and monitors every syscall the system sees, and in this way keeps track of all activity passing through the system.

When Falco starts, it reads its settings from a configuration file named falco.yaml and its rules from a file named falco_rules.yaml, both under the etc directory. Falco's rules determine what the application alerts on, and they are easy to write and customize. When a rule is triggered, Falco can log to the display, to syslog or to a file, and it can send alerts via email to an address specified in its configuration file.

In this article, you'll learn how to install Falco and use it to detect WordPress backdoors.

Prerequisites

To complete this tutorial, you'll need to have the following in place:

An installation of WordPress on any Linux server, but preferably on an Ubuntu 16.04 server, because testing of Falco
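As an added illustration of how a custom rule looks (example rules written for this article, not Falco's shipped falco_rules.yaml), the following fragment alerts on two common WordPress backdoor indicators: a PHP file being written into the uploads directory, and the web server process spawning a shell. The WordPress path /var/www/html and the process names apache2, php-fpm and nginx are assumptions; adjust them to your server.

```yaml
# Added example rules (not part of the stock falco_rules.yaml).
# Assumption: WordPress is installed under /var/www/html and served by
# apache2 / php-fpm / nginx. Append this to the rules file Falco loads.

- macro: wp_uploads_dir
  condition: fd.name startswith /var/www/html/wp-content/uploads

# Any syscall that opens a regular file for writing.
- macro: wp_open_write
  condition: >
    evt.type in (open, openat, creat) and evt.is_open_write=true
    and fd.typechar='f' and fd.num>=0

# Only the web server and its PHP worker should act on behalf of WordPress.
- list: wp_web_procs
  items: [apache2, php-fpm, nginx]

# Backdoor indicator 1: executable PHP dropped where only media belongs.
- rule: PHP file written into WordPress uploads
  desc: >
    A file with a PHP extension was created or modified under
    wp-content/uploads, a directory that should only hold media.
  condition: >
    wp_open_write and wp_uploads_dir and
    (fd.name endswith .php or fd.name endswith .phtml or
     fd.name endswith .phar)
  output: >
    PHP file written into WordPress uploads
    (user=%user.name process=%proc.name parent=%proc.pname
     file=%fd.name cmdline=%proc.cmdline)
  priority: WARNING
  tags: [wordpress, webshell]

# Backdoor indicator 2: the web server process launches a shell, which is
# how most PHP webshells run attacker-supplied commands.
- rule: Shell spawned by WordPress web server
  desc: A shell was started as a direct child of the web server process.
  condition: >
    evt.type = execve and evt.dir=< and
    proc.pname in (wp_web_procs) and proc.name in (sh, bash, dash)
  output: >
    Shell spawned by web server process
    (user=%user.name shell=%proc.name parent=%proc.pname
     cmdline=%proc.cmdline)
  priority: CRITICAL
  tags: [wordpress, webshell]
```

Legitimate maintenance (for example, a deployment script that copies a plugin into place) can trigger the first rule; add a `not proc.name in (...)` exclusion to its condition for tools you trust rather than lowering the priority.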