CME-1003
Falco / eBPF Runtime Security
Description
Kernel-level runtime security that uses an eBPF probe or a kernel module to observe system calls and alert on anomalous behaviour: unexpected shell spawns, reads of sensitive files (credential stores, /etc/shadow), and network connections from processes that normally make none.
CVSS Vector Impacts
| Metric | Transition | Rationale |
|---|---|---|
| Attack Complexity (AC) | L → H | Compensating control: it does not block the exploit itself, but the post-exploitation behaviour it needs (shell spawn, sensitive file read, unexpected outbound connection) triggers alerts, so the attacker must also evade detection |
Verification
Verify Falco is running and that its rule set actually loaded
$ systemctl is-active falco
# Expected: active
# Caveat: an active unit only shows the service started; check `journalctl -u falco` for eBPF probe / kernel module load errors before trusting it
Platform: linux
$ falco -L 2>/dev/null | head -5
# Expected: rule names with their descriptions (`-L` prints the loaded rules; `--list` prints the fields usable in rule conditions, not the rules themselves)
Platform: linux
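The two checks above show that the unit is active and that the rule files parsed, but not that the probe is actually observing syscalls and that rules fire. The usual next step is a canary: deliberately perform an action a loaded rule covers (reading /etc/shadow with an untrusted program, or exec'ing a shell in a container) and confirm the matching alert appears in Falco's output. The Python below is an added example written for this entry, not code from the page or from the Falco project. It assumes Falco runs with json_output enabled (one JSON object per line) and relies on the rule, priority and output_fields keys of Falco's JSON alert format. The alert lines embedded in it are constructed sample data; the first two rule names are shipped Falco rules, the third is illustrative.

```python
"""Functional check for a Falco deployment: did a deliberate canary action produce an alert?

Added example for this entry, not code from the page or from the Falco project.
Assumes Falco emits one JSON object per line (json_output: true in falco.yaml) and
uses the keys of Falco's JSON alert format: rule, priority, output, output_fields, time.
The alert lines below are constructed sample data.
"""
import json
import sys
from collections import Counter

# Falco's priority ladder, most to least severe.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# Constructed sample of what `journalctl -u falco -o cat` might return with JSON
# output enabled. Lines 3 and 4 are deliberate noise to show they are skipped.
# "Unexpected outbound connection" is an illustrative rule name, not a shipped rule.
SAMPLE_ALERTS = """\
{"hostname":"node-1","output":"10:00:00.000: Notice A shell was spawned in a container with an attached terminal","priority":"Notice","rule":"Terminal shell in container","source":"syscall","tags":["container","shell"],"time":"2024-05-01T10:00:00.000000000Z","output_fields":{"container.id":"3f2a1c9b7d4e","proc.name":"bash","user.name":"root"}}
{"hostname":"node-1","output":"10:00:05.000: Warning Sensitive file opened for reading by non-trusted program","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["filesystem"],"time":"2024-05-01T10:00:05.000000000Z","output_fields":{"fd.name":"/etc/shadow","proc.name":"cat","user.name":"root"}}
Falco initialized with configuration file: /etc/falco/falco.yaml
{"note":"constructed non-alert JSON line, skipped because it has no rule/priority"}
{"hostname":"node-1","output":"10:00:07.000: Informational Outbound connection from unexpected process","priority":"Informational","rule":"Unexpected outbound connection","source":"syscall","tags":["network"],"time":"2024-05-01T10:00:07.000000000Z","output_fields":{"fd.sip":"203.0.113.10","proc.name":"python3","user.name":"www-data"}}
"""


def parse_alerts(text):
    """Return the alert objects in text, skipping non-JSON lines (Falco's own
    startup messages) and JSON objects that lack the rule/priority keys."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "rule" in obj and "priority" in obj:
            alerts.append(obj)
    return alerts


def canary_fired(alerts, rule, expected_fields):
    """True if some alert for `rule` carries every key=value in expected_fields
    (matched against output_fields, e.g. {"fd.name": "/etc/shadow"})."""
    for alert in alerts:
        if alert["rule"] != rule:
            continue
        fields = alert.get("output_fields", {})
        if all(fields.get(k) == v for k, v in expected_fields.items()):
            return True
    return False


def verify_canaries(alerts, canaries):
    """Return the (rule, expected_fields) canaries that did NOT fire.
    An empty list means every deliberate trigger produced its alert."""
    return [(rule, fields) for rule, fields in canaries
            if not canary_fired(alerts, rule, fields)]


def at_or_above(alerts, min_priority):
    """Alerts at least as severe as min_priority on Falco's ladder.
    Unknown priority strings are treated as less severe than Debug."""
    cutoff = PRIORITIES.index(min_priority)

    def rank(alert):
        p = alert["priority"]
        return PRIORITIES.index(p) if p in PRIORITIES else len(PRIORITIES)

    return [a for a in alerts if rank(a) <= cutoff]


def summarize(alerts):
    """Count alerts per rule and per priority for a quick sanity view."""
    return {
        "by_rule": dict(Counter(a["rule"] for a in alerts)),
        "by_priority": dict(Counter(a["priority"] for a in alerts)),
    }


if __name__ == "__main__":
    # Usage: python3 falco_canary.py [alert_log]; without a file the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    alerts = parse_alerts(text)
    canaries = [("Read sensitive file untrusted", {"fd.name": "/etc/shadow"}),
                ("Terminal shell in container", {"proc.name": "bash"})]
    missing = verify_canaries(alerts, canaries)
    print(summarize(alerts))
    print("all canaries fired" if not missing else f"canaries missing: {missing}")
```

Run the canary actions on the host (for example `cat /etc/shadow` from a non-trusted program, or `kubectl exec -it ... -- bash` into a container), capture Falco's JSON output to a file, and pass that file as the argument; a non-empty "missing" list means the control is running but not detecting, which is exactly the state the two status checks above cannot distinguish from a working deployment.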