
Runtime Container Security: Falco, AppArmor, and seccomp Explained

Docker Security Series – Part 4


As a seasoned system administrator with a passion for technology and problem-solving, I bring 6 Years of hands-on experience in managing and maintaining IT infrastructure. My journey in the field began with a deep curiosity for computers and systems, which has evolved into a fulfilling career dedicated to ensuring the smooth operation of critical business systems.

So far in this series:

  • Part 1: Hardened Docker Images

  • Part 2: Dockerfile Security Best Practices

  • Part 3: Scanning Docker Images with Trivy

In this article, we move to the next critical layer: runtime container security.

Even if your images are secure, threats can still occur during runtime. This is where tools like Falco, AppArmor, and seccomp play a key role.

What is Runtime Container Security?

Runtime security focuses on monitoring and controlling container behavior while it is running.

It helps detect:

  • Unauthorized system calls

  • Suspicious processes

  • File system tampering

  • Privilege escalation attempts

Why Runtime Security Matters

Static security (image scanning) is not enough.

At runtime:

  • Containers interact with the OS

  • Processes can behave unexpectedly

  • Attackers can exploit runtime vulnerabilities

Runtime protection ensures real-time detection and response.

1. Falco: Runtime Threat Detection


Falco is an open-source runtime security tool that monitors system calls and detects suspicious behavior.

Install Falco (Docker)

docker run -d --name falco \
--privileged \
-v /var/run/docker.sock:/host/var/run/docker.sock \
-v /dev:/host/dev \
-v /proc:/host/proc:ro \
-v /boot:/host/boot:ro \
-v /lib/modules:/host/lib/modules:ro \
falcosecurity/falco

Example Detection

Falco can detect events like:

  • Shell opened inside a container

  • Unexpected file access

  • Privilege escalation

Example alert:

Warning Shell opened inside container

Use Cases

  • Detect reverse shells

  • Monitor container activity

  • Alert on suspicious behavior
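To make the "shell opened inside a container" detection concrete, here is an added Python example (not Falco code) that applies the conditions of Falco's default "Terminal shell in container" rule, as modeled here, to a handful of constructed process-spawn events: a shell process, inside a container, with a TTY attached, started by the container runtime itself (which is what docker exec -it looks like). Field names and the sample events are assumptions chosen to mirror the Falco fields the rule reads.

```python
from typing import Dict, Iterable, List

# Constructed process-spawn events, shaped like the Falco fields the rule reads
# (container.id, proc.name, proc.pname, proc.tty). "host" means no container.
SAMPLE_EVENTS: List[Dict] = [
    {"container_id": "3f2a1b", "proc_name": "nginx", "proc_pname": "containerd-shim", "tty": 0},
    {"container_id": "3f2a1b", "proc_name": "bash", "proc_pname": "docker-runc", "tty": 34816},
    {"container_id": "host", "proc_name": "bash", "proc_pname": "sshd", "tty": 34817},
    {"container_id": "9c0d4e", "proc_name": "sh", "proc_pname": "cron", "tty": 0},
    {"container_id": "9c0d4e", "proc_name": "sh", "proc_pname": "nginx", "tty": 34818},
]

# Modeled on the shell_procs and container_entrypoint macros in Falco's default rule set.
SHELL_PROCS = {"ash", "bash", "csh", "ksh", "sh", "tcsh", "zsh", "dash", "fish"}
RUNTIME_PARENTS = {"runc", "docker-runc", "runc:[0:PARENT]", "runc:[1:CHILD]", "exe"}

def terminal_shell_in_container(ev: Dict) -> bool:
    """Same conditions as the 'Terminal shell in container' rule:
    container and shell_procs and proc.tty != 0 and container_entrypoint
    (the shell was launched by the runtime, e.g. via docker exec -it).
    The last sample event (sh spawned by nginx) does NOT match this rule;
    it would be the job of other rules to flag an application spawning a shell."""
    return (
        ev["container_id"] != "host"
        and ev["proc_name"] in SHELL_PROCS
        and ev["tty"] != 0
        and ev["proc_pname"] in RUNTIME_PARENTS
    )

def evaluate(events: Iterable[Dict]) -> List[Dict]:
    """Return one alert record per matching event; Falco ships this rule at NOTICE priority."""
    alerts = []
    for ev in events:
        if terminal_shell_in_container(ev):
            alerts.append({
                "priority": "Notice",
                "rule": "Terminal shell in container",
                "output": (f"A shell was spawned in a container with an attached terminal "
                           f"(container_id={ev['container_id']} shell={ev['proc_name']} "
                           f"parent={ev['proc_pname']})"),
            })
    return alerts

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["priority"], alert["output"])
```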

2. seccomp: Restrict System Calls


seccomp (Secure Computing Mode) restricts the system calls a container can make.

Why seccomp?

  • Limits kernel attack surface

  • Prevents dangerous syscalls

  • Enforces least privilege

Example: Run Container with seccomp

docker run --security-opt seccomp=default.json nginx

Custom seccomp Profile

You can define allowed syscalls in JSON. The profile below is a deliberately minimal illustration: because only read, write and exit are allowed, a real container could not even start (it needs execve, mmap, brk and many more), so in practice you start from Docker's default profile and remove or deny what the workload does not need.

{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {
      "names": ["read", "write", "exit"],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}
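As an added example (not Docker's or libseccomp's code), the Python below reproduces the article's three-syscall profile, shows that it would block execve, and then builds a Docker-format profile the way a practitioner would: a broader allow list with the syscalls you want gone removed from it and given their own explicit SCMP_ACT_ERRNO rule. The allow and block lists are constructed assumptions, not a complete profile; argument filters are ignored by the resolver.

```python
import json
from typing import Dict, List

EPERM = 1  # errno returned to the caller for a blocked syscall

# The article's minimal profile, reproduced so the resolver can be run against it.
PAGE_PROFILE: Dict = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [{"names": ["read", "write", "exit"], "action": "SCMP_ACT_ALLOW"}],
}

# Constructed allow list: a small subset of what a real profile needs
# (Docker's default allows several hundred syscalls); BLOCKED is what we want gone.
BASE_ALLOW = [
    "read", "write", "openat", "close", "fstat", "mmap", "mprotect", "munmap",
    "brk", "execve", "exit", "exit_group", "rt_sigaction", "rt_sigprocmask",
    "futex", "clone", "wait4", "getpid", "socket", "connect", "mount", "umount2",
]
BLOCKED = ["mount", "umount2", "ptrace", "keyctl", "unshare", "bpf"]

def build_profile(allow: List[str], block: List[str], errno: int = EPERM) -> Dict:
    """Docker-format allowlist profile: anything unnamed fails with defaultErrnoRet,
    and blocked syscalls are removed from the allow rule *and* given an explicit
    deny rule, so the two rules never overlap and rule order cannot matter."""
    blocked = set(block)
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "defaultErrnoRet": errno,
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [
            {"names": sorted(s for s in allow if s not in blocked), "action": "SCMP_ACT_ALLOW"},
            {"names": sorted(blocked), "action": "SCMP_ACT_ERRNO", "errnoRet": errno},
        ],
    }

def resolve(profile: Dict, syscall: str) -> str:
    """Action a profile yields for one syscall: the rule naming it, else defaultAction."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"]:
            return rule["action"]
    return profile["defaultAction"]

def to_json(profile: Dict) -> str:
    return json.dumps(profile, indent=2)

if __name__ == "__main__":
    print("page profile, execve:", resolve(PAGE_PROFILE, "execve"))  # blocked: cannot exec
    hardened = build_profile(BASE_ALLOW, BLOCKED)
    with open("custom-seccomp.json", "w") as fh:
        fh.write(to_json(hardened))
    # Then: docker run --security-opt seccomp=custom-seccomp.json nginx
    print("custom profile, mount:", resolve(hardened, "mount"))
```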

3. AppArmor: Enforce Security Policies


AppArmor is a Linux security module that restricts program capabilities using profiles.

Why AppArmor?

  • Controls file access

  • Restricts capabilities

  • Enforces application-level policies

Example: Run Container with AppArmor

docker run --security-opt apparmor=docker-default nginx

Example Policy

# these rules belong inside a profile block, e.g. profile docker-nginx { ... }
deny /bin/sh x,
deny /usr/bin/top x,

These rules prevent the confined process from executing those binaries. After loading the profile with apparmor_parser, reference it by name with --security-opt apparmor=<profile-name>, as in the docker-default example above.

Combining Falco, seccomp, and AppArmor

Each tool solves a different problem:

  • Falco → Detects suspicious activity

  • seccomp → Restricts system calls

  • AppArmor → Enforces access policies

Together, they provide layered runtime security.

Best Practices for Runtime Security

  • Enable seccomp profiles for all containers

  • Use AppArmor or similar LSM (SELinux)

  • Deploy Falco for monitoring and alerts

  • Avoid running privileged containers

  • Limit container capabilities

Common Mistakes

  • Running containers with --privileged unnecessarily

  • Not monitoring runtime behavior

  • Ignoring alerts from Falco

  • Using default configurations without review

Docker Security Series

  • Part 1: Hardened Docker Images

  • Part 2: Dockerfile Security Best Practices

  • Part 3: Scan Docker Images with Trivy

  • Part 4: Runtime Container Security (current)

Conclusion

Runtime container security is essential for protecting workloads in production.

By combining Falco, seccomp, and AppArmor, you can:

  • Detect threats in real time

  • Restrict dangerous operations

  • Enforce strong security policies

Security does not stop at build time. It must continue at runtime.

FAQ

What is Falco used for?

Falco is used for runtime threat detection by monitoring system calls in containers.

What does seccomp do in Docker?

seccomp restricts system calls to reduce the kernel attack surface.

What is AppArmor in container security?

AppArmor enforces security policies that limit what applications can access.

Should I use all three together?

Yes, combining detection and prevention mechanisms provides stronger security.
