Massimiliano Giovagnoli

Falco 0.29.0

Today we announce the summer release of Falco 0.29.0 🌱

This version brings a lot of new features and fixes!

Novelties 🆕

Let's now review some of the new things Falco 0.29.0 brings.

New libraries repository!

As per this proposal - and as many of you probably already know - the repo falcosecurity/libs is the new home for libscap, libsinsp, and the Falco drivers.

With this release, the last missing piece of the libs contribution is also done: the build system now points to the new repository location, and the driver version has been updated.

New libs version!

The update to driver version 17f5d brings new features and fixes:

  • support for tracing the userfaultfd system call
  • improvements to how libsinsp gathers Kubernetes pod resource limits and pod IPs from the container runtime
  • improvements in libsinsp to pod metadata and namespace retrieval in large-cluster scenarios: they are now read directly from container labels, which is more efficient, with the K8s API server used only as a fallback
  • fixes to the issues reported by many Falco users who couldn't get a working BPF probe when compiling with Clang >= 10.0.0
  • a fix so that, when loading the eBPF probe, the license is read from the BPF binary instead of always from the libscap loader

Improvements to the build system

Finally, this release introduces the adaptations and improvements needed to make the Falco build system work with changes recently introduced in the libs CMake files (in particular by PRs #23 and #30).

Updated rules

As usual, we keep improving the existing rules and have added new ones; for example, false positives have been removed when detecting non-sudo and non-root setuid calls.

Other false positives have been removed by ignoring additional known Kubernetes service accounts when watching for service accounts created in the kube-system namespace.

Anti-miner detection has also been improved by adding more domains to the list of detected ones.
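To show how such an exception list is expressed in Falco rule syntax, here is an added illustration (not the rule shipped in Falco's own rules files): it assumes the k8s_audit event source and its ka.*/jevt fields, and the rule name, macro names and list entries are hypothetical.

```yaml
# Added example, not Falco's own rule: an allow-list of known service
# accounts keeps expected kube-system accounts from raising alerts.
- list: known_kube_system_service_accounts
  # Constructed sample entries; extend with the accounts your cluster creates.
  items: [coredns, kube-proxy, metrics-server, cluster-autoscaler]

# Only consider audit events whose request has completed (assumed stage value).
- macro: example_response_complete
  condition: jevt.value[/stage] in ("ResponseComplete")

# Creation of a serviceaccount object inside the kube-system namespace.
- macro: example_kube_system_sa_create
  condition: >
    ka.verb=create and ka.target.resource=serviceaccounts
    and ka.target.namespace=kube-system

- rule: Example Service Account Created in kube-system
  desc: Detect creation of a service account in kube-system that is not allow-listed
  condition: >
    example_response_complete and example_kube_system_sa_create
    and not ka.target.name in (known_kube_system_service_accounts)
  output: >
    Service account created in kube-system
    (user=%ka.user.name serviceaccount=%ka.target.name)
  priority: WARNING
  source: k8s_audit
  tags: [k8s, example]
```

Adding an entry to the list silences that account without touching the rule's condition, which is the same pattern the updated rules use to drop the false positives mentioned above.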

For a complete list, please visit the changelog.

On the future

Now that libscap, libsinsp, and the two Falco drivers have been contributed to the CNCF, we're moving in the direction of enabling people to benefit from those libraries by using them directly in their OSS projects, as Falco itself now does.

For this reason we introduced a proposal (thanks to @leodido) on the versioning and release process of the libs artifacts.

Try it!

As usual, if you just want to try out the stable Falco 0.29.0, you can install its packages following the process outlined in the docs:

Would you rather use the container images? No problem at all! 🐳

You can read more about running Falco with Docker in the docs.

Note that, thanks to Jonah, one of our Falco Open Infra maintainers, you can also find the Falcosecurity container images on the public AWS ECR gallery:

This is part of an effort to publish Falco container images on other registries that began while cooking up Falco 0.27.0.

Let's meet 🤝

As always, we meet every week in our community calls; if you want to know the latest and greatest, join us there!

If you have any questions

Thanks to all the amazing contributors! Falco has reached 100 contributors, and all the other Falco projects are also receiving a vital flow of contributions every day.

Keep up the good work!

Ciao!

Max