Falco 0.10.0 released.

We are happy to announce the release of Falco 0.10.0. This release incorporates a number of improvements focused on making Falco easier to deploy, improvements to the rules, and improvements in the system call events Falco supports.

Deployment Improvements

Rules Directory Support

With this release, you can specify a rules directory and Falco will read all rules files in that directory, loading them in alphabetical order. The default packaging includes an (empty) rules directory in /etc/falco/rules.d. In future releases, we plan on providing specific rulesets that can be copied/symlinked into /etc/falco/rules.d.

Sample Puppet Module

We’ve added a sample Puppet Module to manage Falco. This module configures the main Falco configuration file /etc/falco/falco.yaml, providing templates for all configuration options. It installs Falco using Debian/rpm packages and installs/manages it as a systemd service.

We’ve also pushed this module to Puppet Forge.

Log Rotation Support

If you’d like to set up automatic log rotation for Falco, we’ve included an example logrotate config and changed Falco to close/reopen its log files when signalled with USR1.

Rule Improvements

Like every release, we’ve updated the set of rules to improve coverage and reduce false positives based on feedback from the community. In addition, there are a few new rules:

  • Disallowed SSH Connection detects SSH connection attempts to hosts outside of an expected set. In order to be effective, you need to override the macro allowed_ssh_hosts in a user rules file.
  • Unexpected K8s NodePort Connection detects attempts to contact the Kubernetes NodePort range from a program running inside a container. In order to be effective, you need to override the macro nodeport_containers in a user rules file.
  • Unexpected UDP Traffic checks for UDP traffic not on a list of expected ports. It's somewhat FP-prone, so it must be explicitly enabled by overriding the macro do_unexpected_udp_check in a user rules file.
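As an added example (not taken from the Falco project's own rules files), here is a user rules file that overrides the three macros above. The subnet, image name and file path are assumptions for an example site, and the file is assumed to be loaded after the default rules file, which is what lets a later macro definition replace the default one with the same name:

```yaml
# Constructed example: /etc/falco/rules.d/50-site-overrides.yaml
# Each macro defined here replaces the default (restrictive) definition
# of the same name from the main rules file, because this file loads later.
# The subnet, image name and port values are assumptions for an example site.

# Disallowed SSH Connection: SSH to the jump-host subnet is expected,
# anything else fires the rule. Uses the fd.net CIDR group matching
# added in this release.
- macro: allowed_ssh_hosts
  condition: (fd.net in ("10.10.0.0/24"))

# Unexpected K8s NodePort Connection: only the ingress proxy image is
# allowed to reach the NodePort range from inside a container.
- macro: nodeport_containers
  condition: (container.image startswith "registry.example.com/ingress-proxy")

# Unexpected UDP Traffic is disabled by default. Enabling it means making
# this macro always true; evt.num is the event sequence number and is
# never negative, so this condition holds for every event.
- macro: do_unexpected_udp_check
  condition: (evt.num >= 0)
```

Validate the file together with the default rules using falco -V before restarting the service, so a syntax error in an override does not stop Falco from loading its rules.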

Updated Support for Syscalls

We’ve added support for all syscalls supported by Sysdig, including those that do not have automatic parameter extraction by the kernel module. Previously, this had limited support but might not have worked in all cases. In addition, to improve resource usage, we further restricted the set of system calls available to Falco. You can continue to have access to all system calls with -A, and you can now see the specific set of skipped system calls with -i.

Cryptojacking Example

We’ve added an example of how an overly permissive Docker configuration can be exploited by malicious cryptojacking software and how Falco detects the attack. This is related to our blog post from January, which discussed the same topic in the context of Kubernetes.

Other Changes

Some other improvements include:

  • Allow validation of multiple rules files on one command line with -V.
  • More compact JSON output that skips the preformatted output field.
  • Add the ability to suppress warnings about event type use on a rule-by-rule basis.
  • Fix fd.net so it works with groups of netmasks, e.g. evt.type=connect and fd.net in ("127.0.0.1/24").
  • Fix use of keep-alive when using both program and file outputs.
  • Fix bugs related to rule order and skipped rules.

Further Information

For the full set of changes in this release, please look at the release's changelog on GitHub. The release is available via the usual channels: rpm/Debian packages, Falco Docker images and GitHub.

Let us know if you have any issues over in the Sysdig open source Slack team, and enjoy!