Auditing container activity – A real example with wget and curl using Sysdig Secure.
Blog post from Sysdig
Sysdig Secure and Sysdig Falco users often seek ways to audit container activity, such as detecting the execution of web fetch programs like curl and wget inside containers for compliance and security purposes. The post provides a detailed example of how to use Falco, an open-source runtime security tool, to create rules for detecting such activities. This involves defining lists and macros to identify web fetch programs, capturing their execution, and setting exclusions so that the rule focuses on container environments rather than the host. Users are guided to integrate and implement these rules within Sysdig Secure, allowing for actions like killing or pausing containers, and recording system activity for later analysis. The example concludes with instructions on creating a Sysdig Secure policy to apply these rules to specific parts of the infrastructure, enhancing security and compliance monitoring. The article encourages community engagement by sharing rules and seeking assistance via Slack.
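The list/macro/rule structure described above, written out as an added example of a Falco rules file (this is not the rule from the original post). The list and macro names, the allowed-image placeholder value, and the output fields chosen are assumptions; `container` and `spawned_process` are macros supplied by Falco's default ruleset, so this file is meant to be loaded alongside it.

```yaml
# Added example, not the original post's rule.
# Binaries treated as web fetch programs (list name is an assumption).
- list: web_fetch_binaries
  items: [curl, wget]

# Macro: the executing process is one of the web fetch programs.
- macro: web_fetch_program
  condition: proc.name in (web_fetch_binaries)

# Exclusion: images that legitimately download content (for example a CI
# artifact fetcher). Placeholder value; replace with your own images.
- list: allowed_fetch_images
  items: ["example.local/ci-downloader"]

- macro: allowed_fetch_container
  condition: container.image.repository in (allowed_fetch_images)

# The rule: fire on process spawn (spawned_process) only when the event
# comes from a container (container) and the program is curl/wget,
# unless the container runs an explicitly allowed image.
- rule: Web Fetch Program Launched in Container
  desc: Detect curl or wget executed inside a container, excluding allowed images
  condition: >
    spawned_process and container and web_fetch_program
    and not allowed_fetch_container
  output: >
    Web fetch program launched in container
    (user=%user.name command=%proc.cmdline parent=%proc.pname
     container_id=%container.id container_name=%container.name
     image=%container.image.repository)
  priority: NOTICE
  tags: [container, network, compliance]
```

Keeping the exclusion in its own list and macro, rather than inline in the condition, lets the allowed images be maintained separately from the detection logic, and the `container` macro is what restricts the rule to container activity so that curl or wget run on the host itself does not trigger it.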