Troubleshooting Kubernetes events is challenging due to the multitude of data sources involved: container logs, Kubernetes events, cloud logs, and more. Among these sources, Kubernetes audit logs are especially valuable for identifying threats, as every action passing through the Kubernetes API server is recorded there. We already provide plugins that let you parse and use Falco to detect threats in audit logs from GKE and EKS clusters. With our latest plugin, you'll now have the same powerfu...| Falco
Dear Falco Community, today we are happy to announce the release of Falco 0.40.0! This version brings several new features, performance improvements, and bug fixes that streamline Falco’s detection capabilities. During this release cycle, we merged more than 52 PRs on Falco and more than 150 PRs for libs and drivers, version 0.20.0 and version 8.0.0 respectively. Thank you to our maintainers and contributors, as this would not happen without your support and dedication!| Falco
Talos Linux is an OS designed for Kubernetes, built to be secure, immutable and minimal. It offers a way to run secure nodes for your Kubernetes cluster. Running Falco on them requires some configuration, which we'll cover in this blog post. The good news is that everything needed is available: syscall collection with eBPF and the audit logs from the Kubernetes control plane. In this tutorial we'll use a local Talos cluster created with Docker containers for convenience, adapt the config...| Falco
Today we announce the release of Falco 0.38.1 🦅! Fixes Falco 0.38.1 is a patch release aimed at addressing a few important bugs. It includes the following fixes: A Falco crash while running with plugins and metrics enabled has been solved (https://github.com/falcosecurity/falco/issues/3229) The Falco -p output format option can now be passed to plugin events, while -pc and -pk can only be used for syscall sources. Fixes an issue that could result in Falco exiting with LOAD_ERR_COMPILE_OUTPUT ...| Falco
Dear Falco Community, today we are happy to announce the release of Falco 0.38.0! This is the first Falco release since its graduation within the CNCF, and, as usual, brings many improvements and features alongside some pretty big changes in its configuration mechanism. This release brings an easier to use mechanism to install and configure your drivers, new rule language features, better support for Falco metrics and many more improvements.| Falco
The number of plugins available for Falco continues to grow thanks to our wonderful community. Thank you all for your help! You can find the list of available plugins here. The vast majority of plugins developed allow Falco to ingest logs from different sources and raise alerts when suspicious elements are identified by its rules. In order to show that any event stream can be a source if you have the right plugin, and to have something fun to show users during my talks, I developed a Falco pl...| Falco
Use Falco to detect when malicious code may have been added to a Lambda function.| Falco
What happened in Falco this week? First of all, you probably already heard it, Falco is now graduated! If you missed this important news, go ahead and give our graduation blog post a read! Let's go through the major changes that happened in various repositories under the falcosecurity organization during the last week. Libs We are approaching the 0.15.0 tag, therefore mostly bugfixes were merged, plus a great new feature and some refactors:| Falco
Today, the Falco project hit a big milestone: becoming a CNCF Graduated Project! Falco's graduation indicates the project's maturity and dependability, but most importantly, it is the culmination of a fantastic amount of work. The journey for Falco started in 2016 when the first commit was made. Today, Falco has become synonymous with "runtime security" due to its comprehensive approach to securing the highly complex and dynamic environments of the modern cloud era.| Falco
What happened in Falco this week? Let's go through the major changes that happened in various repositories under the falcosecurity organization. Libs Multiple fixes and some cleanups happened in the libs repo: newfstatat syscall is now configured with UF_ALWAYS_DROP: https://github.com/falcosecurity/libs/pull/1683 Fixed null destination address in sendto and sendmsg in modern bpf: https://github.com/falcosecurity/libs/pull/1687 Added a CT_UNKNOWN container type zero value and properly initial...| Falco
Today we announce the release of Falco 0.37.1 🦅! Fixes Falco 0.37.1 is a small patch release aimed at addressing a few minor bugs. It includes the following: Added --http-insecure flag to driver loader images Added new env variable FALCOCTL_DRIVER_HTTP_HEADERS, understood by driver loader images, to pass a comma-separated list of HTTP headers for driver download, e.g.: FALCOCTL_DRIVER_HTTP_HEADERS='x-emc-namespace: default,Proxy-Authenticate: Basic' Falcoctl was bumped to v0.7.2, fixing an i...| Falco
Block Suspicious Network Traffic with Talon and NetworkPolicies| Falco
Dear Falco Community, today we are happy to announce the release of Falco 0.37.0! This release brings an improved installation experience, a new way to modify Falco rules, and some great UX improvements. There are, as to be expected, a handful of breaking changes. But, rest assured, we've done all we can to help you with any changes you might need to make. During this release cycle, we merged more than 100 PRs on Falco and more than 160 PRs for libs and drivers, version 0.| Falco
What happened in Falco this week? Let's go through the major changes that happened in various repositories under the falcosecurity organization. Libs Libs will need a 0.14.2 tag for the Falco 0.37.0 release, with the revert of the https://github.com/falcosecurity/libs/pull/1533 PR. During our release process, we found out that the new std::filesystem based implementation was up to 8x slower than the old one; that's because it supports many more cases and does many more checks.| Falco
What happened in Falco this week? Let's go through the major changes that happened in various repositories under the falcosecurity organization. Libs Libs tag 0.14.1 is out! Try it! It fixes the following things: fix(gvisor): gVisor engine crashes with non-hex container IDs: https://github.com/falcosecurity/libs/issues/1602 fix(gvisor): handle arbitrary sandbox IDs: https://github.com/falcosecurity/libs/pull/1612 fix(libsinsp): modify switch case: https://github.com/falcosecurity/libs/pull/16...| Falco
What happened in Falco this week? Let's go through the major changes that happened in various repositories under the falcosecurity organization. Libs The anticipated 0.14.0 libs tag (and its driver counterpart) is going to be tagged soon, by the end of next week. An Xmas present for you all! :christmas_tree: Mostly fixes were merged during this week: Populate labels field for pod sandbox containers: https://github.com/falcosecurity/libs/pull/1564 Improved libscap modern bpf tests and CI check...| Falco
Detect Atomic Red tests in Real Time with Falco| Falco
What happened in Falco this week? Let's go through the major changes that happened in various repositories under the falcosecurity organization. Libs The anticipated 0.14.0 libs tag (and its driver counterpart) is still a bit late, unfortunately. Anyway, spring cleaning went on once again this week! cleaned up dup3 flags param: https://github.com/falcosecurity/libs/pull/1469 cleaned up other param inconsistencies in the drivers: https://github.com/falcosecurity/libs/pull/1512 dropped b64 de...| Falco
Learn how a Falco plugin is used for Identity Threat Detection| Falco
Since the launch of the plugin framework in January 2022, our adopters have requested an out-of-the-box solution to manage the lifecycle of rules (installation, updates). We heard your request and also created a guide to help you smoothly install the plugins. The Falco maintainers proposed the following solution to help with these issues: falcoctl. Falcoctl is a CLI tool that performs several useful tasks for Falco. This blog post describes key concepts around falcoctl to help you get started.| Falco