Aldo Lacuku, Luca Guerra, Federico Di Pierro Oct 1, 2024

Introducing Falco 0.39.0

Dear Falco Community, today we are happy to announce the release of Falco 0.39.0!

This version brings several new features, performance improvements, and bug fixes that streamline Falco’s detection capabilities. During this release cycle, we merged more than 50 PRs on Falco and more than 100 PRs for libs and drivers, version 0. 18.0 and version 7.3.0 respectively. Thank you to our maintainers and contributors, as this would not happen without your support and dedication!

To learn all about these changes, read on!

What’s new? TL;DR

Key features:

Basename operator retrieves the basename of a given path;
New fields added in proc and fd classes #1916 #1936;
Regular expression operator can be used to match values in string fields;
Append output allows to add output text or fields to a subset of loaded rules;
Schema validation for config and rules files allows Falco to warn users when unknown keys are used;
Improved engine selection in Kubernetes environments driver loader will automatically pick the most compatible driver for each node in the cluster.

This release also comes with breaking changes that you should be aware of before upgrading.

Major features and improvements

The 0.39.0 release contains a number of feature and UX improvements, here are list of some of the key new capabilities.

New Operators

The basename() transformer operator extracts the base name, i.e. the filename without directory, of the input field. Note that the behavior ofbasename() in Falco is slightly different from the Unix basename program. For instance, basename (proc.exepath) will evaluate to "cat" for /usr/bin/cat but will evaluate to an empty string ("") for /usr/bin/. This allows, for instance, to write expressions like basename(proc.exepath) = cat to match against the original executable name even if it has been symlinked without knowing the full path, or any other file name based detection.

The regex operator checks if a string field matches a regular expression. Please note that the regex operator is considerably slower (up to an order of magnitude) than the above operators that work with strings, which are highly recommended for simple comparisons. The supported regex flavor is from the Google RE2 library. Example: fd.name regex [a-z]*/proc/[0-9]+/cmdline.

Introducing the Append Output Feature

In response to long-standing community requests, Falco has introduced a new feature in version 0.39.0 that allows users to add custom outputs and fields to events generated by Falco. This new functionality, called append_output, gives users greater control over the data produced by Falco rules.

With the append_output option, you can now easily add extra output to rules based on source, tag, or rule name—or even apply it to all rules without conditions. This option is configurable in the falco.yaml file and works by specifying a list of append entries, which are applied in the order they appear.

Here’s an example configuration:

append_output:
  - match:
      source: syscall
    extra_output: "on CPU %evt.cpu"
    extra_fields:
      - home_directory: "${HOME}"
      - evt.hostname

In this example, any rule with the syscall source will have the string on CPU %evt.cpu appended to the end of the default output line. Additionally, extra fields such as home_directory and evt.hostname will be visible in the JSON output under the output_fieldskey but won’t appear in the regular text output. Notably, environment variables are also supported.

This option is also available on the command line using the -o flag. For example:

falco ... -o 'append_output[]={"match": {"source": "syscall"}, "extra_fields": ["evt.hostname"], "extra_output": "on CPU %evt.cpu"}'

The introduction of append_output offers Falco users a flexible way to enrich event outputs, providing deeper visibility and customization tailored to their monitoring needs.

Dynamic Driver Selection in Falco with Helm: Simplifying Multi-Node Deployments

Deploying across diverse Kubernetes environments just got easier! When using the official Falco Helm chart and setting driver.kind=auto, the driver loader now intelligently handles the heavy lifting for you.

Here's how it works: the driver loader will automatically generate a new Falco configuration file and select the correct engine driver based on the specific node Falco is deployed on. This means whether you're using eBPF, kmod, or a modern eBPF driver, Falco will configure itself dynamically depending on the environment.

In many Kubernetes clusters, nodes can differ in terms of kernel versions, capabilities, and driver compatibility. With this new auto-selection feature, you can seamlessly deploy different Falco drivers across various nodes within the same cluster. Here’s a simple illustration:

+-------------------------------------------------------+
| Kubernetes Cluster                                    |
|                                                       |
|  +-------------------+  +-------------------+         |
|  | Node 1             |  | Node 2             |       |
|  |                    |  |                    |       |
|  | Falco (eBPF probe) |  | Falco (kmod)       |       |
|  +-------------------+  +-------------------+         |
|                                                       |
|                 +-------------------+                 |
|                 | Node 3             |                |
|                 |                    |                |
|                 | Falco (modern eBPF)|                |
|                 +-------------------+                 |
+-------------------------------------------------------+

In this example:

Node 1 is configured with the eBPF probe driver.
Node 2 uses the kmod (kernel module) driver.
Node 3 leverages the modern eBPF driver for cutting-edge performance.

This setup gives you flexibility and ensures that each node in your Kubernetes cluster is running Falco in the most optimized way possible, without manual configuration. Simply set driver.kind=auto in the Helm chart and let Falco do the rest.

Breaking changes and deprecations ⚠️

This version comes with breaking changes, mostly in the configuration interface

Removed command line options and equivalent configuration options

We removed the already deprecated options -D, -t, -T and is now possible to achieve the same result through the Falco configuration You con still use the -o command line option:

-T : use -o rules[].disable.tag=<tag> instead. Turn off any rules with a tag=<tag>. This option can be passed multiple times. This option can not be mixed with -t;
-t : use -o rules[].disable.rule=* -o rules[].enable.tag=<tag> instead. Only enable those rules with a tag=<tag>. This option can be passed multiple times;
D : use -o rules[].disable.rule=<wildcard-pattern> instead. Turn off any rules with names having the substring . This option can be passed multiple times.

You can find more information on breaking changes in the tracking issue.

Notable Bug Fixes

Prometheus Compliant metrics: some metrics have been reworked to follow the prometheus best practices #3319;
Fixed ebpf drivers to use the correct memory barrier primitive for ARM64, preventing to read incomplete data from the ring buffers #2067;
Fixed an issue where stats messages were written to stdout and could mix with regular Falco event output #3338;
fs.path fields now account for dirfd, fixing discrepancies with fd.name #1993;

Deprecations

In Falco 0.39.0, the --cri and --disable-cri-async options were deprecated, and they will be completely removed in Falco 0.40.0. Moving forward, configuring container runtimes should be done through the falco.yaml file. Below is an example of the new configuration format:

container_engines:
  docker:
    enabled: true
  cri:
    enabled: true
    sockets: ["/run/containerd/containerd.sock", "/run/crio/crio.sock", "/run/k3s/containerd/containerd.sock"]
    disable_async: false
  podman:
    enabled: true
  lxc:
    enabled: true
  libvirt_lxc:
    enabled: true
  bpm:
    enabled: true

Try it out

Interested in trying out the new features? Use the resources below to get started.

Container Images
- falco (DockerHub, AWS ECR Gallery)
- falco-no-driver (DockerHub, AWS ECR Gallery)
- falco-driver-loader (DockerHub, AWS ECR Gallery)
CentOS/Amazon Linux
Debian/Ubuntu
openSUSE
Linux binary package

What’s next?

Falco is more mature with each release. Following its graduation we have published the roadmap for version 1.0.0 which is guiding us in the next steps. For the next release, you can expect more stability, streamlined container images, refinements to our rule syntax, new detections and plugins.

Stay connected

Join us on social media and in our weekly community calls! It’s always great to have new members in the community, and we’re looking forward to hearing your feedback and ideas.

You can find all the most up-to-date information at https://falco.org/community/.

←Previous