Falco Release 0.4.0
Yesterday we released Falco 0.4.0. It’s been a couple of months since 0.3.0, but there are lots of new features!
The biggest change is greatly improved visibility into container and orchestration information when matching events against the set of falco rules. For containers, you can take advantage of new filterchecks %container.privileged and %container.mount.* that allow for detecting events that occur within privileged containers or containers that have specific mounts.
We’ve also added some rules to the default ruleset that take advantage of these features: File Open by Privileged Container and Sensitive Mount by Container. Here are the new rules:
The first rule detects attempts to open files by processes running in privileged containers. The second rule detects attempts to open files by processes running in containers that have mounted a “sensitive” path (currently /proc) from the host. For both rules, there’s a list of known good images in the macro trusted_containers.
Kubernetes and Marathon Support
For orchestration, we’ve brought over the ability to communicate with K8s/Marathon servers to decorate events with appropriate pod/deployment/framework/etc information, which you can then use in rules or output strings. In many rules, %container.info is used in the output string to provide either container-level, k8s-level, or mesos-level information, depending on the context in which the event occurred and how falco was started. For more information, see our wiki page on the topic.
We’ve also added a new test program event_generator and corresponding docker image sysdig/falco-event-generator that allows you to see falco in action. Simply running docker run -it sysdig/falco-event-generator downloads and runs the test program, which does all kinds of evil things like overwriting files below /bin, reading files below /etc, spawning shells in containers, opening network connections from non-network-capable programs like ls, etc. Run falco alongside the event generator and you’ll see it detect all of these activities.
We’ve also added lots of new smaller features, including:
- A glob operator that allows matching against pathnames using wildcards.
- A pmatch operator that allows testing a subject pathname (i.e. /usr/local/bin/perl) against a set of target pathnames (i.e. /lib/x86_64-linux-gnu/,/var/www/,/etc/, …), to see if the subject is a prefix of any of the targets.
- Verbose output with -v now includes stats on the number of events processed and dropped.
- The ability to write trace files with -w. This can be useful to write a trace file in parallel with live event monitoring so you can reproduce it later. For the full set of changes in this release, you can always look at the
Finally, if you want the complete story on Falco, head over to the website and read all about it.
Let us know if you have any issues, and enjoy!