The Falco blog
Falco 0.26.2 a.k.a. "the download.falco.org release"
Leonardo Di Donato, Lorenzo Fontana
Today we announce the release of Falco 0.26.2 🥳 This one is a hotfix release for Falco 0.26.1, released on October 1st. You can take a look at the set of changes here: 0.26.2 As usual, if you just want to try out the stable Falco 0.26.2, you can install its packages following the process outlined in the docs: CentOS/Amazon Linux Debian/Ubuntu openSUSE Linux binary package Would you rather use the docker images?
Falco 0.26.1 a.k.a. "the static release"
Leonardo Di Donato, Lorenzo Fontana
Today we announce the release of Falco 0.26.1 🥳 This one is a hotfix release for Falco 0.26.0, released last week! You can take a look at the set of changes here: 0.26.1 0.26.0 As usual, if you just want to try out the stable Falco 0.26.1, you can install its packages following the process outlined in the docs: CentOS/Amazon Linux Debian/Ubuntu openSUSE Would you rather use the docker images?
Choosing a Falco driver
Falco works by capturing Linux system call information at runtime and rebuilding the state of the kernel in memory. The Falco engine depends on a driver in order to consume the raw stream of system call information. Currently the Falco project supports three different drivers through which the engine can consume this information: a kernel module, an eBPF probe, and a ptrace(2) userspace program. This blog will highlight the nuances of each implementation and explain why they exist.
Falco 0.25.0 a.k.a. "the summer release"
Lorenzo Fontana, Leonardo Grasso
Today we announce the release of Falco 0.25 🥳 This one is a small release but a very important one! You can take a look at the set of changes here: 0.25.0 If you just want to try out the stable Falco 0.25, you can install its packages following the usual process outlined in the docs: CentOS/Amazon Linux Debian/Ubuntu Would you rather use the docker images?
Falco 0.24.0 a.k.a. "the huge release"
Leonardo Di Donato, Leonardo Grasso
After two long months, look who’s back! Today we announce the release of Falco 0.24 🥳 You can take a look at the huge set of changes here: 0.24.0 If you just want to try out the stable Falco 0.24, you can install its packages following the usual process outlined in the docs: CentOS/Amazon Linux Debian/Ubuntu Would you rather use the docker images? No problem!
Detect CVE-2020-8557 using Falco
CVE-2020-8557 The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail, which acts as a DoS attack. Severity Medium Affected Kubernetes Versions kubelet v1.18.0-1.18.5 kubelet v1.
Extend Falco outputs with falcosidekick
By default, Falco has 5 outputs for its events: stdout, file, gRPC, shell and http, as you can see in the following diagram: Even if they’re convenient, we can quickly hit limits when integrating Falco with other components. Here comes falcosidekick, a little daemon that extends the number of possible outputs. The current list of available falcosidekick outputs (version 2.13.0) is: Slack, Rocketchat, Mattermost, Teams, Datadog, AlertManager, Elasticsearch, Loki, NATS, Influxdb, AWS Lambda, AWS SQS, SMTP (email), Opsgenie, Webhook. Beyond that, it provides metrics about the number of events and lets you add custom fields to events, for example environment, region, etc.
Falco 0.23.0 a.k.a. "the artifacts scope release"
Leonardo Grasso, Lorenzo Fontana
Another month has passed and Falco continues to grow! Today we announce the release of Falco 0.23 🥳 Wondering why this release is called “The Artifacts Scope” release? Please read more here. You can take a look at the whole set of changes here: 0.23.0 If you just want to try out the stable Falco 0.23, you can install its packages following the usual process outlined in the docs:
The Scope of Falco
As The Falco Project continues to grow, we are beginning to understand the differences in engagement and support for our tooling. Drawing on the history of the now deprecated Kubernetes incubator and the CNCF project maturity levels, we began to realize that Falco and the Falco integrations were reaching a state where we needed to begin separating sub-projects from the Falco core components. This of course started by first declaring the scope of The Falco Project.
Falco 0.22 a.k.a. "the hard fixes release"
Leonardo Di Donato, Lorenzo Fontana
Another month has passed and Falco continues to grow! Today we announce the release of Falco 0.22 🥳 You can take a look at the whole set of changes here: 0.22.0 - thanks to Leonardo Grasso for his first ever release! 0.22.1 - hotfix by me and Lorenzo Fontana If you just want to try out the stable Falco 0.22, you can install its packages following the usual process outlined in the docs:
Falco on Kind with Prometheus and Grafana
Kind is a tool for running local Kubernetes clusters using Docker container “nodes”, that may be used for local development or CI. It also offers a convenient and easy way to install Falco in a Kubernetes cluster and play with it locally. We will use Kind to show how to export Falco metrics to Prometheus and Grafana. Create a Kind cluster Running Falco in a Kind cluster is easy, as explained in the documentation.
Falco 0.21.0 is out!
Leonardo Di Donato
Even though there’s the lockdown, Falco 0.21.0 decided to go out! Such a bad guy! Notably, this is the first release made with the new build & release process. 🚀 If you just want Falco 0.21.0, you can find its packages at the following repositories: https://bintray.com/falcosecurity/rpm/falco/0.21.0 https://bintray.com/falcosecurity/deb/falco/0.21.0 https://bintray.com/falcosecurity/bin/falco/0.21.0 Instructions to install using them are already updated on the Falco website: CentOS/Amazon Linux Debian/Ubuntu And for people who prefer docker images… 🐳
Minikube 1.8.0 packages the Falco Kernel Module
Minikube is a tool that implements a local Kubernetes cluster on macOS, Linux and Windows via a simple command line. It is widely used by community members who want to try Falco, as well as by Falco contributors who want to develop and debug it against new and old Kubernetes versions. Now, thanks to Anders Björklund, who proposed PR#6560, every user starting any Kubernetes cluster using Minikube >= 1.8.0 (with the minikube iso, e.
Falco 0.20.0 is released
We’re pleased to announce the release of Falco 0.20.0, our second release of 2020! Falco 0.20.0 consists of a major bug fix, a new feature, two minor bug fixes, and seven rules changes. A total of eight people contributed to this release, with a total of thirteen Pull Requests merged in! Everyone is encouraged to update Falco now, especially if you are running Falco 0.18.0 or Falco 0.19.0 and are using Kubernetes Audit Events.
Falco Security Audit
Regularly auditing a code base is an important process in releasing secure software. Audits can be particularly important for open source projects that rely on code from a wide variety of contributors. We are happy to announce the release of Falco’s first security audit which was performed through Falco’s participation as a CNCF Sandbox project. A big thanks to the CNCF for sponsoring the audit, and to the Cure53 team who performed the audit.
Cloud Native Security Hub
Falco rules management The Falco community is excited to announce that we will be optimizing how we manage and install the security rules that the Falco engine evaluates. We have published an open source repository of common security rules that can be used with Falco. You can check out the rules dynamically rendered on securityhub.dev. Installing a rule In this quick example we will be adding runtime detection for CVE-2019-11246.
falcosidekick joins the falcosecurity organization
The Falco Authors
We are pleased to announce that falcosidekick, a Go project aimed at forwarding Falco outputs to a number of services, has joined the falcosecurity organization on GitHub. Along with the project, we also want to welcome Thomas Labarussias, the creator of falcosidekick, who joins us as a maintainer of the Falco project starting from now on. The joining of this project and of Thomas as maintainer is part of a continued effort to involve more people in the Falco project and to make Falco more and more extensible and consumable.
Falco in the open
The call begins, and users sign in so we can track attendance over time. We have a pre-loaded agenda that everyone can edit in between the calls. We work through the agenda item by item, taking note of any action that comes from our time together. The theory is that the calls are where we make decisions as a team, and decisions shouldn’t be made without giving everyone in the SIG an opportunity to voice their opinion.