Falco 0.32.0
Today we announce the release of Falco 0.32.0!
Novelties
Let's review some of the highlights of the new release. This is one of the biggest releases ever, with around 200 commits on Falco and 230 on libs.
The Falco community once again proved to be super active, and we want to say a huge THANK YOU to everyone involved.
New features
This new release comes with a ton of internal rework; let's start with the most important change: Lua is no longer a dependency of Falco!
Ok, calm down now. Basically, the Falco rule loader was rewritten in C++ to achieve better performance. Moreover, the entire rule engine has been rewritten too.
This work reduces the workarounds in Falco, as it now fully uses the libsinsp-provided filter parser and compiler; finally, the new grammar fixes many minor and not-so-minor bugs.
Thanks to Jason Dellaluce for his amazing work!
Another effort by Jason was the porting of K8s Audit Log support to a plugin; consequently, there is no K8s Audit Log related code in Falco anymore.
Moreover, a new --list-syscall-events CLI option is now available, to print the list of supported syscalls.
User and group management is now dynamic: newly added users/groups are properly picked up by Falco. On the host, their full information is retrieved; in containers, only the uid and gid are retrieved, as there is no stable API to fetch user/group info. Moreover, Falco no longer mixes host and container users.
Another big refactor happened in how Falco handles its CLI and config options, with the concept of "app actions". While this has no user-facing changes, it is a big and noteworthy change.
Falco is now able to detect changes to its rules files or config file, and automatically restart itself. This behavior is enabled by default.
Two new operators were developed: bcontains and bstartswith. These are useful to perform byte matching on events' raw data.
This allows better detection of Log4Shell-like vulnerabilities.
Finally, all the Falco CI jobs that do not produce output artifacts have been ported to GitHub Actions. This frees up credits for CircleCI builds, mitigating various CI issues; moreover, it is now quicker.
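As an added example (not a rule from Falco's default ruleset), here is a rule using the new bcontains operator to flag the byte sequence "${jndi:" in data read from a network socket. Both bcontains and bstartswith take their argument as a hex string, so the pattern is spelled out as the hex encoding of those bytes:

```yaml
# Example rule written for this post; rule name, desc and output are assumptions.
- rule: Log4Shell-like JNDI lookup string in network read buffer
  desc: >
    Detects the byte sequence "${jndi:" (hex 247b6a6e64693a) in data read
    from a network socket, using the bcontains byte-matching operator.
  condition: >
    evt.type in (read, recv, recvfrom, recvmsg) and evt.dir = < and
    fd.type in (ipv4, ipv6) and
    evt.buffer bcontains 247b6a6e64693a
  output: >
    Possible JNDI lookup string received from the network
    (proc=%proc.name pid=%proc.pid connection=%fd.name buffer=%evt.buffer)
  priority: WARNING
  tags: [network, log4shell]
```

Two caveats: the match is byte-exact, so case variants such as "${JNDI:" need their own hex pattern, and by default Falco only captures the first 80 bytes of each I/O buffer (raise it with the -S snaplen option), so a pattern deeper in a payload will not be seen.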
New syscalls
As always, hard work also went into hardening the drivers by supporting new syscalls:
- io_uring family of syscalls
- mlock family of syscalls
- capset syscall
- open_by_handle_at syscall
Increased maturity of plugins
The Plugins API reached stable 1.0.0, with tons of work to improve the API and its performance, fixing the bugs encountered along the way. It means that the contract is now stable and you can start developing your own plugin; we eagerly await it!
The Go plugin SDK was updated and all plugins were ported to the new SDK.
Moreover, with this release, plugin related rules are shipped together with their plugin.
A couple of new plugins are now officially supported:
And more came from the community:
We are really pleased to see new plugins coming; hopefully Plugin API 1.0.0 will give this a boost!
Fixes
Multiple bugs were fixed:
- a bug that caused Falco memory usage to skyrocket was solved. We are sorry for the inconvenience.
- multiple issues with container events were fixed.
- the number of reported drops was mistakenly doubled while using the eBPF probe. This is now fixed.
- multiple eBPF verifier issues were solved, resulting in a much more resilient probe.
...and much more!
Security Content
Bundled dependencies were upgraded, namely openssl to 1.1.1o and libcurl to 7.83.1, fixing a ton of CVEs!
Moreover, gRPC was also bumped to 1.44.0.
Rules update
This release also includes updates to the default ruleset:
- Include .ash_history in rule: Delete or rename shell history
- rule(Anonymous Request Allowed): exclude {/livez, /readyz}
- rule(k8s): secret get detection for both successful and unsuccessful attempts
- rules: whitelist GCP's container threat detection image
- Fixed output of rules K8s Serviceaccount Created/Deleted
- rule(falco_rules) Removed use cases not triggering macro curl_download
- rule(Disallowed K8s User): exclude allowed eks users
- Add user_known_mount_in_privileged_containers macro
- Allow to whitelist shell config modifiers
Moreover, new rules were added:
- New Rule Detect Linux Cgroup Container Escape Vulnerability (CVE-2022-0492)
- new(rules): add rule to detect excessively capable container
- rules: detect pods sharing host pid and IPC namespaces
Try it!
As usual, to try out the stable Falco 0.32.0, you can install its packages following the process outlined in the docs:
Do you prefer using the container images? No problem at all!
You can read more about running Falco with Docker in the docs.
You can also find the Falcosecurity container images on the public AWS ECR gallery:
What's next
Don't worry, we are still very hungry for improvements!
Current work is involving arm64 support (https://github.com/falcosecurity/falco/pull/1997, https://github.com/falcosecurity/falco/pull/1990, https://github.com/falcosecurity/driverkit/pull/143), gvisor event source support, and libs versioning with proper tags.
Moreover, a proposal for a shiny new eBPF probe was merged, and we anticipate the new probe will come to life very soon!
It will make use of modern eBPF features like CO-RE, the ringbuffer API and the new tracing programs; together, these features will relax our support matrix while boosting performance.
Finally, maintainers are discussing a patch release (0.32.1) once arm64 support is complete.
We will keep you posted!
In the end, as always, the best is yet to come.
Let's meet
We meet every week in our community calls; if you want to know the latest and greatest, you should join us there!
If you have any questions:
- Join the #falco channel on the Kubernetes Slack
- Join the Falco mailing list
Thanks to all the amazing contributors!
Enjoy!
Federico