- Reordering a rule condition’s operators to put likely-to-fail operators at the beginning and expensive operators at the end. This allows rules to shortcut early when they don’t match.
- Adding the ability to perform x in (a, b, c, ...) as a single set membership test instead of individual comparisons between x=a, x=b, etc.
- Avoid unnecessary string manipulations.
- Using startswith as a string comparison operator when possible.
- Use is_open_read/is_open_write when possible instead of searching through open flags.
- Group rules by event type, which allows for an initial filter using event type before going through each rule’s condition.
- Phoronix‘s pts/apache and pts/dbench tests.
- Sysdig Cloud Kubernetes Demo: Starts a kubernetes environment using docker with apache and wordpress instances + synthetic workloads.
- Juttle-engine examples: Several elasticsearch, node.js, logstash, mysql, postgres, influxdb instances run under docker-compose.
[table id=1 /]This release also has some other handy changes:
- Add a new output type “program” that writes a formatted event to a configurable program. Each notification results in one invocation of the program. A common use of this output type would be to send an email for every falco notification.
- Add the ability to run falco on all events, including events that are flagged with EF_DROP_FALCO. EF_DROP_FALCO events are high-volume, low-value events that are ignored by default to improve performance.
The release is available via the usual channels–rpm/debian packages, docker hub, github.
Finally, if you want the complete story on Falco, head over to the website and read all about it.
Let us know if you have any issues, and enjoy!
Read the Report for Gartner's Recommendations on rethinking:
- How services can be securely deployed and maintained
- How service access can be protected from attacks
- How sensitive information can be protected
- How service delivery incidents - including security - can be handled
Download the Gartner Report now http://bit.ly/2OBE6Es