Today we released version 0.2.0 of Falco. Falco is our new, open source, behavioral security monitoring agent. The major change in this release was a fairly big rework of the ruleset, adding/changing conditions for many rules to improve detection and reduce false positives. We also added a suite of regression tests to ensure stability for future releases.
This ruleset also takes advantage of some new capabilities added to sysdig 0.10.0, specifically session id tracking and the proc.sname filter, to provide a scope for installation-related policies. We’ll be discussing these features in more detail in an upcoming blog post.
For the full set of changes in this release, you can always look at the changelog at github.
The release is available via the usual channels–rpm/debian packages, docker hub, github.
Finally, if you want the complete story on Falco, head over to the website and read all about it.
Let us know if you have any issues, and enjoy!