Welcome to this CNCF online program. Today, we are going to talk about the Falco project, and more precisely about falcoctl, a tool created by the Falco maintainers to help you with the management of the Falco rules and plugins.

A little reminder: Falco is a CNCF incubation-level project. It's a cloud-native runtime security tool that allows you to detect suspicious behaviors and possible intrusions in your containers and Kubernetes environments. It's based on eBPF to collect the syscalls from the kernel and apply rules. If you want more details, please watch the webinar made by Loris Degioanni, the creator of Falco. And as we mentioned the plugins, you can also watch the webinar recorded about them and how they extend the possibilities with Falco.

What is falcoctl, or Falco CTL? It's the official tool to manage the life cycle of the Falco artifacts. It's available since version 0.34 of Falco and has been created by the Falco maintainers following the request made by the community. Right now, we consider two kinds of artifacts, the rules and the plugins, which we chose to store as OCI packages in GitHub Packages. These are all the available packages and their tagged versions. Falco artifacts follow semantic versioning, which is useful to track the versions we want to install and follow. The project provides an official index listing the default Falco rules and the plugins maintained by the Falco maintainers. You can, of course, set up your own private index and artifacts. All packages will soon be signed following the SLSA framework tutorials to ensure supply chain security.

falcoctl can be run as a CLI tool and as a daemon. In CLI mode, you can search for artifacts, rules and plugins, and install them. In daemon mode, you can also install the artifacts specified in the falcoctl configuration file, track the new versions of the rules, and automatically install them and reload Falco.
This mode is used in Kubernetes clusters as a sidecar, to manage the installation of the plugins and rules and the auto-update of the rules.

Let's go for a demo. Once you have installed falcoctl on your machine, the first step is to install the official Falco index listing the default rules and official plugins. You can now run the `artifact search` subcommand with keywords to search for artifacts. You can filter by the type of artifacts you want and display the info about what tags are available with `artifact info`. In this case, we have looked for the Kubernetes audit logs rule set and we see what the available tags are. Let's install a set of rules for Kubernetes audit logs in a specific version. As you can see, by installing these rules in a specific version, falcoctl has automatically resolved all the dependencies, in this case the JSON plugin and the Kubernetes audit log plugin. By default, the latest versions of the artifacts are installed.

Let's see now how to use it as a daemon to track the new versions of rules and auto-install them. First, we need to edit the falcoctl config file. You can see the configured index is listed, and we also have an artifact section. This section is there to specify which artifacts we want to install, which rule versions we want to track, and at what frequency. Here, it is six hours. In this example, we install and track the rule set for the Kubernetes audit log plugin in the branch 0.5. It means we'll consider the latest versions within the branch 0.5. I created a basic systemd unit to show how it works. As you can see, the command to start falcoctl as a daemon is just `falcoctl artifact follow`. It will use the configuration file which we made, and that's it. falcoctl is running and it will automatically download and install new versions for the Kubernetes audit log source.

Let's see now how it works with a deployment in Kubernetes. In this cluster, I already installed a Falco DaemonSet to collect and analyze the syscalls.
If we look deeper in the pod, we see four containers: two falcoctl containers and two Falco containers. The first falcoctl container is a completed init container. It's there to install the Falco rules. The second one is there to track the new versions and install them. For the Falco containers, we have the classic init container to install the drivers, and Falco itself. We can also see the config map and retrieve the Falco configuration and the falcoctl configuration.

We'll now use Helm with custom values to install Falco with only the Kubernetes audit log, no syscall collection. We'll use a Deployment and we also disable the drivers. It means we disable the syscall collection and metadata collection. We configure the plugins we want to use. These plugins will be installed by falcoctl, and we specify the configuration of falcoctl there. We can see the index, the functions of falcoctl we want to use (the installation and the following), and the artifact we want to install and track.

Falco with the Kubernetes audit log plugin is now installed in my cluster and we can see the differences with the previous pod: no init container to install the drivers, only the falcoctl containers and Falco. We can once again see the config map with all the settings we made for it. New versions of the Kubernetes audit logs rules will be installed as long as they have a tag starting with 0.5.

If you want to know more about falcoctl and the artifacts, plugins and rules, please take a look at the official repositories. We also wrote a blog post about the basic usage of falcoctl. More posts will come to explain more advanced patterns and future features. If you are interested in contributing to Falco or to any project in its ecosystem, join us on Slack or in our weekly community call. Thanks.
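
The configuration file walked through in the daemon demo, as an added example that is not taken from the webinar or shown on this page. The file path, the index URL and the `k8saudit-rules` artifact name are assumptions based on the upstream falcoctl project; the 0.5 branch and the six-hour interval are the values mentioned in the talk.

```yaml
# Assumed default location: /etc/falcoctl/falcoctl.yaml
# Read by `falcoctl artifact install` and `falcoctl artifact follow`.

# Indexes that falcoctl searches to resolve artifact names.
indexes:
  - name: falcosecurity
    url: https://falcosecurity.github.io/falcoctl/index.yaml   # assumed official index URL

artifact:
  # Installed once at start (the init container in the Kubernetes setup).
  install:
    # Also install the plugins the rule set depends on
    # (the JSON and Kubernetes audit log plugins in the demo).
    resolveDeps: true
    refs:
      - k8saudit-rules:0.5

  # Tracked continuously in daemon mode (the sidecar in the Kubernetes setup).
  follow:
    # How often to check the registry for a new version.
    every: 6h0m0s
    refs:
      # 0.5 is a floating tag: any new release within the 0.5 branch is
      # downloaded and installed automatically. A full version tag
      # (three components) pins the rule set and stops automatic updates.
      - k8saudit-rules:0.5
```

Because a followed floating tag changes the detection rules on a running host without operator action, the choice between a branch tag and a fully pinned version is a change-control decision as much as a convenience one.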