Announcing Falco 0.4.0

By on October 25, 2016

Falco Release 0.4.0

Yesterday we released Falco 0.4.0. It’s been a couple of months since 0.3.0, but there are lots of new features!

The biggest change is greatly improved visibility into container and orchestration information when matching events against the set of falco rules. For containers, you can take advantage of new filterchecks %container.privileged and %container.mount.* that allow for detecting events that occur within privileged containers or containers that have specific mounts.

We’ve also added some rules to the default ruleset that take advantage of these features: File Open by Privileged Container and Sensitive Mount by Container. Here are the new rules:

The first rule detects attempts to open files by processes running in privileged containers. The second rule detects attempts to open files by processes running in containers that have mounted a “sensitive” path (currently /proc) from the host. For both rules, there’s a list of known good images in the macro trusted_containers.

Kubernetes and Marathon Support

For orchestration, we’ve brought over the ability to communicate with K8s/Marathon servers to decorate events with appropriate pod/deployment/framework/etc information, which you can then use in rules or output strings. In many rules, %container.info is used in the output string to provide either container-level, k8s-level, or mesos-level information, depending on the context in which the event occurred and how falco was started. For more information, see our wiki page on the topic.

We’ve also added a new test program event_generator and corresponding docker image sysdig/falco-event-generator that allows you to see falco in action. Simply running docker run -it sysdig/falco-event-generator downloads and runs the test program, which does all kinds of evil things like overwriting files below /bin, reading files below /etc, spawning shells in containers, opening network connections from non-network-capable programs like ls, etc. Run falco alongside the event generator and you’ll see it detect all of these activities.

Addition features

We’ve also added lots of new smaller features, including:

  • A glob operator that allows matching against pathnames using wildcards.
  • A pmatch operator that allows testing a subject pathname (i.e. /usr/local/bin/perl) against a set of target pathnames (i.e. /lib/x86_64-linux-gnu/,/var/www/,/etc/, …), to see if the subject is a prefix of any of the targets.
  • Verbose output with -v now includes stats on the number of events processed and dropped.
  • The ability to write trace files with -w. This can be useful to write a trace file in parallel with live event monitoring so you can reproduce it later.
For the full set of changes in this release, you can always look at the changelog at github.

The release is available via the usual channels–rpm/debian packages, docker hub, github.

Finally, if you want the complete story on Falco, head over to the website and read all about it.

Let us know if you have any issues, and enjoy!



Eager to learn more? Check out our online session: Building an Open Source Container Security Stack

On this session Sysdig and Anchore are presenting how using Falco and Anchore Engine you can build a complete open source container security stack for Docker and Kubernetes.

This online session will live demo:

  • Using Falco, NATS and Kubeless to build a Kubernetes response engine and implement real-time attack remediation with security playbooks using FaaS.
  • How Anchore Engine can detect software vulnerabilities in your images, and how can be integrated with Jenkins, Kubernetes and Falco.


Stay up to date!

Get new articles from this blog (weekly)
Or container ecosystem updates (monthly)

Thanks so much for signing up!
Please check your inbox for a confirmation email.