We are happy to announce the release of Falco 0.10.0. This release incorporates a number of improvements focused on making Falco easier to deploy, improvements with rules, and improvements in the system call events Falco supports.
Rules Directory Support
With this release, you can specify a rules directory and Falco will read all rules files in that directory, loading them in alphabetical order. The default packaging includes an (empty) rules directory in
/etc/falco/rules.d. In future releases, we plan on providing specific rulesets that can be copied/symlinked into
Sample Puppet Module
We’ve added a sample Puppet Module to manage Falco. This module configures the main Falco configuration file
/etc/falco/falco.yaml, providing templates for all configuration options. It installs Falco using Debian/rpm packages and installs/manages it as a systemd service.
We’ve also pushed this module to Puppet Forge.
Log Rotation Support
If you’d like to set up automatic log rotation for Falco, we’ve included an example logrotate config and changed Falco to close/reopen its log files when signalled with USR1.
Like every release, we’ve updated the set of rules to improve coverage and reduce false positives based on feedback from the community. In addition, there are a few new rules:
Disallowed SSH Connectiondetects ssh connection attempts to hosts outside of an expected set. In order to be effective, you need to override the macro
allowed_ssh_hostsin a user rules file.
Unexpected K8s NodePort Connectiondetects attempts to contact the Kubernetes NodePort range from a program running inside a container. In order to be effective, you need to override the macro
nodeport_containersin a user rules file.
Unexpected UDP Trafficchecks for udp traffic not on a list of expected ports. It’s somewhat FP-prone, so it must be explicitly enabled by overriding the macro
do_unexpected_udp_checkin a user rules file.
Updated Support for Syscalls
We’ve added support for all syscalls supported by Sysdig, including those that do not have automatic parameter extraction by the kernel module. Previously, this had limited support but might not have worked in all cases. In addition, to improve resource usage, we further restricted the set of system calls available to Falco. You can continue to have access to all system calls with
-A, and you can now see the specific set of skipped system calls with
We’ve added an example of how an overly permissive Docker configuration can be exploited by malicious cryptojacking software and how Falco detects the attack. This is related to our blog post from January, which discussed the same topic in the context of Kubernetes.
Some other improvements include:
- Allowing validation of multiple rules files on one command line with
- More compact json output that skips the preformatted
- Add the ability to suppress warnings about event type use on a rule-by-rule basis.
fd.netso it can work with groups of netmasks e.g.
evt.type=connect and fd.net in ("127.0.0.1/24").
- Fixing use of keep-alive when using both program and file outputs.
- Fixing bugs related to rule order and skipped rules.
For the full set of changes in this release, please look at the release’s changelog on github.The release is available via the usual channels–rpm/Debian packages, Falco Docker images and GitHub.
Let us know if you have any issues over in the Sysdig open source Slack team, and enjoy!