The maintainers of Falco announced its latest version: 0.38.0. This is the first release since its graduation within the Cloud Native Computing Foundation (CNCF). The key features of this release span from a simplified driver selection and installation via falcoctl to a better segmentation of the configuration file for improved manageability. With this release, users can choose rules at runtime from configuration files or the command line, and have enhanced condition expressions for precise event detection. Integration with Prometheus for comprehensive monitoring and experimental APIs for deeper integration and insight into Falco internals are also released in this version.
Falco provides real-time detection capabilities for environments ranging from individual containers and hosts to Kubernetes and the cloud. It alerts on abnormal behaviour and potential security threats, such as crypto mining, file exfiltration, privilege escalation, and rootkit installs. User-defined Falco rules classify application activity events as malicious or suspicious.
Originally developed by Sysdig, Falco was contributed to the CNCF in 2018, reached the incubating level in 2020, and graduated in 2024.
Throughout this development cycle, the Falco maintainers integrated over 100 PRs and more than 180 PRs for associated libraries and drivers (versions 0.17.0 and 7.2.0, respectively). The most significant features introduced by Falco 0.38.0 are focused on enhancements and user experience improvements.
A revamped falcoctl simplifies driver installation by auto-selecting compatible drivers based on system specifications, and the automatic kernel header download facilitates seamless driver installation on driverkit-supported distributions.
A better organized Falco configuration introduces support for segmenting falco.yaml into multiple files, allowing for better organization and preservation across upgrades.
Dynamic rule loading adds a new rules configuration option that gives precise control over which rules are loaded, enabling runtime selection and customization. Until now, users could change the rule set in several ways, including overrides or command-line options such as -D, -t and -T.
Thanks to rules, it is now possible to write a configuration file like this:
    rules:
      - disable:
          rule: "*"
      - enable:
          rule: Netcat Remote Code Execution in Container
      - enable:
          rule: Delete or rename shell history

Here every rule is disabled by default and only the two named rules are enabled.
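To make the effect of such a configuration concrete, the following is an added example (not Falco's own code) that models the rules list in plain Python. It assumes the entries are applied top to bottom, that rule: is a shell-style glob matched against the rule name, and that a rule's final state is whatever the last matching entry set; the rule names are constructed stand-ins for rules loaded from rule files.

```python
# Added example, not Falco's implementation: a simplified model of how an
# ordered `rules:` list in falco.yaml decides which loaded rules stay enabled.
# Assumptions: entries apply top to bottom, `rule:` is a shell-style glob
# matched against the rule name, and the last matching entry wins.
import fnmatch

# Constructed rule names standing in for rules loaded from rule files.
LOADED_RULES = [
    "Netcat Remote Code Execution in Container",
    "Delete or rename shell history",
    "Terminal shell in container",
    "Read sensitive file untrusted",
]

# Python equivalent of the `rules:` list from the configuration above.
RULES_CONFIG = [
    {"disable": {"rule": "*"}},
    {"enable": {"rule": "Netcat Remote Code Execution in Container"}},
    {"enable": {"rule": "Delete or rename shell history"}},
]


def select_rules(loaded, config, default_enabled=True):
    """Return the rule names that remain enabled after applying config in order."""
    state = {name: default_enabled for name in loaded}
    for entry in config:
        if len(entry) != 1:
            raise ValueError(f"each entry must carry exactly one action: {entry!r}")
        (action, selector), = entry.items()
        if action not in ("enable", "disable"):
            raise ValueError(f"unknown action {action!r}")
        pattern = selector["rule"]
        # Every rule whose name matches the glob takes this entry's state;
        # later entries override earlier ones for the same rule.
        for name in loaded:
            if fnmatch.fnmatchcase(name, pattern):
                state[name] = (action == "enable")
    return [name for name in loaded if state[name]]


if __name__ == "__main__":
    for name in select_rules(LOADED_RULES, RULES_CONFIG):
        print("enabled:", name)
```

Because the list is ordered, placing the `disable: "*"` entry last would switch every rule off again, which is the usual mistake to check for when reviewing such a file.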
The introduction of the val() operator enables comparisons between field values, allowing more nuanced condition expressions. Furthermore, simple transform operators can be applied to both sides of a comparison: toupper() and tolower() convert case as you would expect, and b64() decodes base64.
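The added example below (not Falco's own code; real conditions are parsed and evaluated inside Falco) models these four operators in Python and applies them to a few constructed events using Falco's proc.name, proc.pname and proc.args field names. It illustrates what each side of a comparison sees: case-folding matches a renamed "NC" binary that an exact match would miss, val() compares two fields of the same event, and b64() lets a condition inspect a base64-encoded argument. The decision to treat an undecodable value as non-matching is an assumption of this model.

```python
# Added example, not Falco's implementation: a small model of the transform
# operators toupper(), tolower(), b64() and val() applied to constructed events.
import base64
import binascii


def toupper(value):
    return value.upper()


def tolower(value):
    return value.lower()


def b64(value):
    """Decode a base64 field value. Assumption of this model: a value that is
    not valid base64 decodes to "" so the comparison simply does not match."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""


def val(event, field):
    """Resolve the right-hand side as a field of the same event, not a literal."""
    return event.get(field, "")


# Constructed events; the base64 argument encodes "cat /etc/shadow".
EVENTS = [
    {"proc.name": "NC", "proc.pname": "bash", "proc.args": ""},
    {"proc.name": "bash", "proc.pname": "bash", "proc.args": ""},
    {"proc.name": "sh", "proc.pname": "python3",
     "proc.args": base64.b64encode(b"cat /etc/shadow").decode()},
    {"proc.name": "ls", "proc.pname": "bash", "proc.args": "-la"},
]

# Each condition is written out in Falco-like form in the comment and as a
# Python function beneath it.
CONDITIONS = {
    # tolower(proc.name) = "nc"
    "netcat_any_case": lambda e: tolower(e["proc.name"]) == "nc",
    # proc.name = val(proc.pname)
    "same_name_as_parent": lambda e: e["proc.name"] == val(e, "proc.pname"),
    # b64(proc.args) contains "/etc/shadow"
    "b64_args_shadow": lambda e: "/etc/shadow" in b64(e["proc.args"]),
}


def evaluate(events, conditions):
    """Return {condition_name: [indexes of the events that match]}."""
    return {
        name: [i for i, e in enumerate(events) if cond(e)]
        for name, cond in conditions.items()
    }


if __name__ == "__main__":
    for name, hits in evaluate(EVENTS, CONDITIONS).items():
        print(f"{name}: matched events {hits}")
```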
With this version, users can streamline performance monitoring and integrate with their existing infrastructure through Prometheus. Thanks to enhanced plugin capabilities with experimental APIs, it is also possible to obtain more metrics and more information about Falco internals.
This release introduces several breaking changes, primarily in the configuration interface. Notable changes include the replacement of certain configuration options and the removal of corresponding command-line options. In Falco 0.39.0 (the next release), the -D, -t, and -T options will be deprecated, aligning with the development team's efforts to streamline and simplify Falco usage.