We are happy to announce the release of Falco 0.15.0. This release incorporates a number of improvements, as well as bug fixes, and rules updates. This release also includes a mitigation for CVE-2019-8339, and all users are encouraged to update to this release. You can find more details about the features and improvements in the release notes, but below are a few highlights.
This release also comes on the verge of the 3 year anniversary of the Falco project. Happy Birthday Falco!
Happy Birthday Falco! Falco celebrates 3 years as a project with 0.15.0. Includes support for @containerd and CRI-O, plus @MITREattack tagged rulesClick to tweet
Fix for CVE-2019-8339.
While no project likes to have security vulnerabilities, we do appreciate when community members find these problems and report them to us. This is also our first CVE for Falco, which is a sign the project is growing and maturing. For more details on this CVE, please read our blog post with more details. We are also beginning the process of a security audit for the Falco project, which has kindly been sponsored by the CNCF.
CRI-O and containerd support.
CRI-O and containerd are quickly becoming the preferred container runtime. This release includes changes from the Sysdig project that allows Falco to query container metadata from CRI-O and containerd. This allows users of IBM Kubernetes Service (containerd) and OpenShift 4.0 (cri-o) to take advantage of runtime security with Falco. Thanks to Spencer Krum of IBM for his PR.
Rules tagged for MITRE ATT&CK Framework.
We’ve updated the default Falco rules with tags specific to the MITRE ATT&CK Framework. This allows you to see what tactics, techniques, and procedures Falco rules are related to, and allows you to gain better insight to what a Falco rule is detecting. You can read more about these tags in our blog post.
We’ve also included a number of performance improvements that should help increase the throughput for the Falco engine. This includes asynchronously looking up container (or pod) metadata, as well as improvements on how the kernel ring buffer is processed for system call events. The project is also happy to host a Google Summer of Code student this summer student who will be focused specifically on performance of the Falco engine. We’re excited to have Mattia Lavacca join us for this project, and we thank Google and the CNCF for sponsoring the project.
Users can grab the latest Falco release from our package repositories, or from our Docker hub repository. We are in the process of updating the Falco Helm chart to add support for features such as containerd and CRI-O, and should have a new chart released soon. Kubernetes users leveraging the published daemonset templates can find those updated for the additional container runtimes.