You are viewing documentation for Falco version: v0.26.2
The Falco blog
Falcosidekick + Kubeless = a Kubernetes Response Engine
Two years ago, we presented to you a Kubernetes Response Engine based on Falco. The idea was to trigger Kubeless serverless functions for deleting infected pods, starting a Sysdig capture or forwarding the events to GCP PubSub. See the README. To avoid maintaining this custom stack, we worked hard with the community to integrate all components into Falcosidekick and to improve the UX. With the last release, 2.20.0, we have the final piece: the integration of Kubeless as a native output.
This fantastic post from @leodido about how the previous year, 2020, went for Falco inspired me (link). I wanted to bring everyone up to speed on what we built for falcosidekick in 2020. Aside from a lot of improvements and bug fixes, 8 new outputs have been integrated: Rocketchat, Mattermost, Azure Event Hub, Discord, AWS SNS, GCP PubSub, Cloudwatch Logs and Apache Kafka. What really changed compared with previous releases was that almost all of these outputs were proposed and developed by other members of the Falco community (kindly called the famiglia 😉).
An Introduction to Kubernetes Security using Falco
Let’s talk about Kubernetes security. As Kubernetes continues to grow in adoption, it is important for us to know how to secure it. In a dynamic infrastructure platform such as Kubernetes, detecting and addressing threats is important but also challenging at the same time. Falco, the open source cloud native runtime security project, is one of the leading open source Kubernetes threat detection engines. Falco was created by Sysdig in 2016 and is the first runtime security project to join CNCF as an incubation-level project.
Falco on WSL2 with a custom kernel
Nuno do Carmo
Falco on WSL2. You love Falco, have just read the awesome blog post Falco in 2020 - The Falco Project, and want to be part of this growing and wonderful community. “But” you are on Windows 10 and wonder how to run it? Well, the wait is over! Follow the Corsair on his WSL2 boat. Prerequisites: in this blog post, the following technologies will be used: Windows 10 Insiders (Dev channel)
Falco in 2020
Leonardo Di Donato
The scope of this post is to review the progress of Falco and its community during the pandemic year, a year we will never forget. I will try to keep it compact, but Falco and its community have grown so much this year that I feel this could be a blog post series. 2020 was the year we completely and finally put the Falco release process in the open! 📖 When Lorenzo and I joined Sysdig in 2019 it was not.
Security boundaries with Kubernetes and systemd
A familiar scenario: imagine installing a security tool that requires privileged access using the Kubernetes API. Now imagine our cluster is compromised. As an attacker, the first thing I would do would be to ensure that whatever security tool you were running in Kubernetes was turned off. Fortunately, if I compromised your cluster there is a very lush toolchain that would make that very easy for me. Why I run Falco directly on Linux: fundamentally, I disagree with running a security tool in the same layer of the stack that it hopes to protect.
Falco 0.26.2 a.k.a. "the download.falco.org release"
Leonardo Di Donato, Lorenzo Fontana
Today we announce the release of Falco 0.26.2 🥳 This one is a hotfix release for Falco 0.26.1, released on October 1st. You can take a look at the set of changes here: 0.26.2. As usual, in case you just want to try out the stable Falco 0.26.2, you can install its packages following the process outlined in the docs: CentOS/Amazon Linux, Debian/Ubuntu, openSUSE, Linux binary package. Would you rather use the docker images?
Falco 0.26.1 a.k.a. "the static release"
Leonardo Di Donato, Lorenzo Fontana
Today we announce the release of Falco 0.26.1 🥳 This one is a hotfix release for Falco 0.26.0, released last week! You can take a look at the set of changes here: 0.26.1, 0.26.0. As usual, in case you just want to try out the stable Falco 0.26.1, you can install its packages following the process outlined in the docs: CentOS/Amazon Linux, Debian/Ubuntu, openSUSE. Would you rather use the docker images?
Choosing a Falco driver
Falco works by taking Linux system call information at runtime and rebuilding the state of the kernel in memory. The Falco engine depends on a driver in order to consume the raw stream of system call information. Currently the Falco project supports 3 different drivers through which the engine can consume this information: a kernel module, an eBPF probe, and a ptrace(2) userspace program. This blog will highlight the nuances of each implementation and explain why they exist.
Falco 0.25.0 a.k.a. "the summer release"
Lorenzo Fontana, Leonardo Grasso
Today we announce the release of Falco 0.25 🥳 This one is a small release but a very important one! You can take a look at the set of changes here: 0.25.0. In case you just want to try out the stable Falco 0.25, you can install its packages following the usual process outlined in the docs: CentOS/Amazon Linux, Debian/Ubuntu. Would you rather use the docker images?
Falco 0.24.0 a.k.a. "the huge release"
Leonardo Di Donato, Leonardo Grasso
After two long months, look who’s back! Today we announce the release of Falco 0.24 🥳 You can take a look at the huge set of changes here: 0.24.0. In case you just want to try out the stable Falco 0.24, you can install its packages following the usual process outlined in the docs: CentOS/Amazon Linux, Debian/Ubuntu. Would you rather use the docker images? No problem!
Detect CVE-2020-8557 using Falco
CVE-2020-8557: the /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail, which acts as a DoS attack. Severity: Medium. Affected Kubernetes versions: kubelet v1.18.0-1.18.5, kubelet v1.
Extend Falco outputs with falcosidekick
By default, Falco has 5 outputs for its events: stdout, file, gRPC, shell and http, as you can see in the following diagram. Even if they’re convenient, they can quickly become limiting when integrating Falco with other components. Here comes falcosidekick, a little daemon that extends the number of possible outputs. The current list of available falcosidekick outputs (version 2.13.0) is: Slack, Rocketchat, Mattermost, Teams, Datadog, AlertManager, Elasticsearch, Loki, NATS, Influxdb, AWS Lambda, AWS SQS, SMTP (email), Opsgenie, Webhook. Beyond that, it provides metrics about the number of events and lets you add custom fields to events, for example environment, region, etc.
Falco 0.23.0 a.k.a. "the artifacts scope release"
Leonardo Grasso, Lorenzo Fontana
Another month has passed and Falco continues to grow! Today we announce the release of Falco 0.23 🥳 Wondering why this release is called “The Artifacts Scope” release? Please read more here. You can take a look at the whole set of changes here: 0.23.0. In case you just want to try out the stable Falco 0.23, you can install its packages following the usual process outlined in the docs:
The Scope of Falco
As The Falco Project continues to grow, we are beginning to understand the differences in engagement and support for our tooling. Drawing on the history of the now deprecated Kubernetes incubator and the CNCF project maturity levels, we began to realize that Falco and Falco integrations were reaching a state where we needed to begin separating sub projects from the Falco core components. This of course started by first declaring the scope of The Falco Project.
Falco 0.22 a.k.a. "the hard fixes release"
Leonardo Di Donato, Lorenzo Fontana
Another month has passed and Falco continues to grow! Today we announce the release of Falco 0.22 🥳 You can take a look at the whole set of changes here: 0.22.0 - thanks to Leonardo Grasso for his first ever release! 0.22.1 - hotfix by me and Lorenzo Fontana. In case you just want to try out the stable Falco 0.22, you can install its packages following the usual process outlined in the docs:
Falco on Kind with Prometheus and Grafana
Kind is a tool for running local Kubernetes clusters using Docker container “nodes”, that may be used for local development or CI. It also offers a convenient and easy way to install Falco in a Kubernetes cluster and play with it locally. We will use Kind to show how to export Falco metrics to Prometheus and Grafana. Create a Kind cluster: running Falco in a Kind cluster is easy, as explained in the documentation.
Falco 0.21.0 is out!
Leonardo Di Donato
Even though there’s the lockdown, Falco 0.21.0 decided to go out! Such a bad guy! Notably, this is the first release that happens with the new build & release process. 🚀 In case you just want Falco 0.21.0, you can find its packages at the following repositories: https://bintray.com/falcosecurity/rpm/falco/0.21.0 https://bintray.com/falcosecurity/deb/falco/0.21.0 https://bintray.com/falcosecurity/bin/falco/0.21.0 Instructions to install using them are already updated on the Falco website: CentOS/Amazon Linux, Debian/Ubuntu. Instead, for people preferring docker images… 🐳
Minikube 1.8.0 packages the Falco Kernel Module
Minikube is a tool that implements a local Kubernetes cluster on macOS, Linux and Windows via a simple command line. It is widely used by community members who want to try Falco, as well as by Falco contributors who want to develop and debug it against new and old Kubernetes versions. Now, thanks to Anders Björklund, who proposed PR#6560, every user starting any Kubernetes cluster using Minikube >= 1.8.0 (with the minikube iso, e.
Falco 0.20.0 is released
We’re pleased to announce the release of Falco 0.20.0, our second release of 2020! Falco 0.20.0 consists of a major bug fix, a new feature, two minor bug fixes, and seven rules changes. A total of eight people contributed to this release with a total of thirteen Pull Requests merged in! Everyone is encouraged to update Falco now, especially if you are running Falco 0.18.0 or Falco 0.19.0 and are using Kubernetes Audit Events.
Falco Security Audit
Regularly auditing a code base is an important process in releasing secure software. Audits can be particularly important for open source projects that rely on code from a wide variety of contributors. We are happy to announce the release of Falco’s first security audit which was performed through Falco’s participation as a CNCF Sandbox project. A big thanks to the CNCF for sponsoring the audit, and to the Cure53 team who performed the audit.
Cloud Native Security Hub
Falco rules management: the Falco community is excited to announce that we will be optimizing how we manage and install the security rules that the Falco engine evaluates. We have published an open source repository of common security rules that can be used with Falco. You can check out the rules dynamically rendered on securityhub.dev. Installing a rule: in this quick example we will be adding runtime detection for CVE-2019-11246.
falcosidekick joins the falcosecurity organization
The Falco Authors
We are pleased to announce that falcosidekick, a Go project aimed at forwarding Falco outputs to a number of services, has joined the falcosecurity organization on GitHub. Along with the project, we also want to welcome Thomas Labarussias, the creator of falcosidekick, who is joining us as a maintainer of the Falco project starting from now on. The joining of this project, and of Thomas as maintainer, is part of a continued effort to involve more people in the Falco project and to make Falco more and more extensible and consumable.
Falco in the open
The call begins, and users sign in so we can track attendance over time. We have a pre-loaded agenda that everyone can edit in between the calls. We work through the agenda item by item, taking note of any action that comes from our time together. The theory is that the calls are where we make decisions as a team, and decisions shouldn’t be made without giving everyone in the SIG an opportunity to voice their opinion.