
SELinux, Seccomp, Sysdig Falco, and you: A technical discussion

Blog post from Sysdig

Post Details
Company: Sysdig
Author: Mark Stemm
Word Count: 3,088
Language: English
Summary

Sysdig Falco is a behavioral activity monitor: it detects anomalous activity in applications by applying policies to a stream of system calls captured from the kernel. The post places Falco among related Linux security tools (Seccomp, seccomp-bpf, SELinux, AppArmor, and Auditd) and explains how it differs from each.

The tools fall into two groups. Enforcement tools (Seccomp, seccomp-bpf, SELinux, AppArmor) prevent a system call from succeeding when it violates policy. Auditing tools (Auditd, Falco) let the call proceed but record it and notify when behavior deviates from policy.

Seccomp in its basic (strict) mode provides coarse sandboxing by restricting a process to a small fixed set of system calls. Its extension, seccomp-bpf, lets a process load a BPF program that decides per system call, including on the call's arguments, whether to allow it, fail it with an error, or kill the process, which makes policy-based sandboxing far more flexible. SELinux and AppArmor enforce policy system-wide, expressed in terms of actors, actions, and targets. Auditd monitors access and logs detailed records of what was done, without blocking anything.

Falco runs in user space and consumes system-call data from a kernel module. Because it sits in user space, it can enrich events with context from sources such as Kubernetes or Mesos, which the kernel-resident tools cannot see. The trade-off is that a user-space process is a softer target than a kernel-level mechanism; in exchange, Falco offers a more straightforward policy language that makes complex security policies easier to write.
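The enforcement side of that comparison is easiest to see in code. The following is an added example written for this page, not code from the Sysdig post or from Falco: it installs a seccomp-bpf filter that denies `socket()` when the requested domain is `AF_INET` (failing the call with `EACCES`) while allowing every other system call, then checks the filter's effect. It demonstrates two things the summary only states: that seccomp-bpf can decide on a call's arguments, not just its number, and that the kernel rejects the call before any user-space code can react, unlike an audit-only tool. The function names (`install_socket_filter`, `run_sandboxed_child`, `seccomp_socket_policy_demo`) and the exit-code scheme are assumptions made for this example; the filter is installed in a forked child because a seccomp filter cannot be removed from the process that loaded it.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Syscall numbers differ per ABI, so a filter must first check the architecture. */
#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* older headers only know SECCOMP_RET_KILL */
#endif

/* Exit codes the sandboxed child reports to its parent (assumed scheme for this example). */
enum {
    DEMO_OK = 0,             /* AF_INET denied with EACCES, AF_UNIX allowed */
    DEMO_FILTER_FAILED = 1,  /* kernel refused the filter (no seccomp support, etc.) */
    DEMO_INET_NOT_DENIED = 2,
    DEMO_UNIX_DENIED = 3,
};

/* Load a seccomp-bpf program: socket(AF_INET, ...) -> EACCES, everything else allowed.
 * The argument is read from the low 32 bits of args[0] (little-endian layout). */
static int install_socket_filter(void)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),       /* wrong ABI: kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),     /* not socket(): allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_INET, 0, 1),         /* not AF_INET: allow */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };

    /* Required for unprivileged callers; also stops the filter being used against setuid binaries. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Runs inside the forked child: install the policy, then exercise both branches of it. */
static int run_sandboxed_child(void)
{
    if (install_socket_filter() != 0)
        return DEMO_FILTER_FAILED;

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd >= 0 || errno != EACCES)   /* the kernel must have failed the call with EACCES */
        return DEMO_INET_NOT_DENIED;

    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)                       /* unaffected by the policy, must still work */
        return DEMO_UNIX_DENIED;
    close(fd);
    return DEMO_OK;
}

/* Fork, run the check in the child, and return its exit code (-1 on fork/wait failure or if
 * the child was killed, e.g. by SIGSYS). Keeps the irreversible filter out of the caller. */
int seccomp_socket_policy_demo(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(run_sandboxed_child());

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int rc = seccomp_socket_policy_demo();
    printf("seccomp policy result: %d (0 = AF_INET denied with EACCES, AF_UNIX allowed)\n", rc);
    return rc == DEMO_OK ? 0 : 1;
}
```

Note that the `EACCES` comes back before `socket()` runs any network code at all, so the result is the same whether or not the host has networking: that is the enforcement property the post attributes to seccomp, SELinux and AppArmor, and the property an auditing tool such as Falco deliberately does not have. The architecture check at the top of the filter is not optional in real deployments; without it a process could invoke a different ABI whose syscall numbers the filter does not expect.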