Dear Falco Community, today we are happy to announce the release of Falco 0.41.0! This version brings several new features, performance enhancements, and bug fixes that streamline Falco’s detection capabilities. During this release cycle, we merged more than 50 PRs on Falco and around 130 PRs for libs and drivers, version 0.21.0 and version 8.1.0, respectively. Thank you to our maintainers and contributors. This would not have been possible without your support and dedication!| Falco
The recently discovered CVE for the GitHub action tj-actions/changed-files brought to light a topic that is really critical for companies: supply chain attacks. With that in mind, we want to discuss and show how Falco can help your organization detect this kind of attack and other suspicious behaviors inside your CI/CD pipeline. What is Falco? Falco is a cloud native security tool that provides runtime security across hosts, containers, Kubernetes, and cloud environments.| Falco
Detecting threats in a Kubernetes cluster can be challenging; we often don't know where or how to start. The good news is that we have a wealth of valuable logs that can help us understand what has happened in the cluster. Indeed, each action requested or performed by a user or an app in a cluster is recorded in the Audit Logs. Kubernetes events are key to understanding the behavior of a cluster. We already provide plugins that let you parse Audit Logs and use Falco to detect threats from GKE, EKS...| Falco – The Falco blog
Troubleshooting Kubernetes events is challenging due to the multitude of data sources involved: container logs, Kubernetes events, cloud logs, and more. Among these sources, Kubernetes audit logs are especially valuable for identifying threats, as every action passing through the Kubernetes API server is recorded there. We already provide plugins that let you parse and use Falco to detect threats in audit logs from GKE and EKS clusters. With our latest plugin, you'll now have the same powerfu...| Falco
Today, we announce the release of Falco Talon 0.3.0 🦅! Three updates in a row: after Falco and Falcosidekick, it's time for Falco Talon to get a new version. What's new? The key feature this release brings is the new actionner kubernetes:sysdig. For those who are not familiar with sysdig, it's a CLI tool that captures and records syscalls, much as tcpdump does for network packets. As Falco's older sibling, it shares the same libs and filters. With this new integration, when a su...| Falco – The Falco blog
The year 2025 is well under way now. A few days ago we saw the first Falco release of the year. Now it's time to let fly a new version of Falcosidekick, 2.31.0. New output This release comes with a single new output, the last pillar of observability with [OpenTelemetry](https://opentelemetry.io/) that was missing in Falcosidekick. OTLP Metrics You can now forward Falco events to the OpenTelemetry collector or any receiver that understands the protocol.| Falco
Dear Falco Community, today we are happy to announce the release of Falco 0.40.0! This version brings several new features, performance improvements, and bug fixes that streamline Falco’s detection capabilities. During this release cycle, we merged more than 52 PRs on Falco and more than 150 PRs for libs and drivers, version 0.20.0 and version 8.0.0 respectively. Thank you to our maintainers and contributors, as this would not happen without your support and dedication!| Falco
A few days after a new release of Falco Talon, our response engine, it's time for our favorite proxy forwarder to do the same. New outputs A new release means new integrations. Thanks to our contributors for their help. Webex Notify your team on Webex with the integration developed by @k0rventen. OTLP Metrics The adoption of OpenTelemetry keeps growing in the Cloud Native ecosystem; @ekoops introduced OTLP Metrics in Falcosidekick.| Falco
Today we announce the release of Falco Talon 0.2.0 🦅! Falco Talon 0.2.0 is a minor release that includes new actionners and outputs, adds parameters to existing actionners, and ships one small fix for the check and print commands. Features Add gcp:function actionner: Now users can call a GCP function to automate GCP tasks, with authentication and authorization out of the box.
- action: Invoke GCP function
  actionner: gcp:function
  additional_contexts:
    - aws
  parameters:
    gcp_function_name: simple-http-functio...| Falco – The Falco blog
Today we announce the release of Falco 0.39.2 🦅! Fixes Falco's 0.39.2 is a small patch release that includes some important bugfixes for the modern eBPF driver: check that the cred field is not NULL before accessing it, which lets Falco work on GKE again with the modern eBPF driver; address verifier issues on kernel versions >=6.11.4, where a kernel-breaking change in the tail call eBPF API was merged into 6.11.4 to fix a CVE, and adapt our code to work again on these new versions. Thanks to everyone in t...| Falco – The Falco blog
In today's cloud-native world, securing Kubernetes environments has become increasingly critical as containerized workloads gain complexity. Falco is designed to monitor and detect anomalous activities in Kubernetes clusters and container environments. By continuously observing system calls and enriching event data with metadata, Falco ensures that any suspicious behavior is detected in real-time, protecting against threats like privilege escalations, file tampering, and network anomalies. In...| Falco – The Falco blog
Today we announce the release of Falco 0.39.1 🦅! Fixes Falco's 0.39.1 is a small patch release that includes some important bugfixes: fixed a crash when using a plugin with event parsing capabilities (e.g. the k8smeta plugin); fixed a bug while parsing -o key={object} command line arguments when the object definition contains a comma; improved the config JSON schema to allow a null init_config for plugin info. Thanks to everyone in the community for helping us with spotting these annoying bugs and improv...| Falco – The Falco blog
Dear Falco Community, today we are happy to announce the release of Falco 0.39.0! This version brings several new features, performance improvements, and bug fixes that streamline Falco’s detection capabilities. During this release cycle, we merged more than 50 PRs on Falco and more than 100 PRs for libs and drivers, version 0.18.0 and version 7.3.0 respectively. Thank you to our maintainers and contributors, as this would not happen without your support and dedication! To learn all about ...| Falco – The Falco blog
More than 7 years ago, frustrated by the lack of integrations between Falco and third parties, I created Falcosidekick. The tool evolved much more than expected, with the help of dozens of contributors, individuals or from companies, to have now almost 70 different integrations, and more are coming. Its baby brother came a few years later, Falcosidekick UI, helping people to visualize in real time the alerts raised by Falco and fine-tune their rules. A frustration remained after all. With Fa...| Falco – The Falco blog
Today we announce the release of Falco 0.38.2 🦅! Fixes Falco's 0.38.2 is a patch release that includes the most important bugfixes addressed this summer ☀️: fixed a crash when using transformer operators (e.g. tolower()) with a parameter that evaluates to an empty string; fixed a bug and a regression that could result in incorrect comparisons between IPv4 addresses and IPv6 subnets and vice versa; fixed an issue that could result in a missing exe_upper_layer flag; fixed kernel module build f...| Falco
Hello Falco community, I'm Kiriti, a current GSoC mentee under Falco Security. I have been working diligently to improve the testing and benchmarking capabilities of Falco’s event-generator project. Now that we've reached the midterm of GSoC, I'm eager to share the journey so far. In this blog, I'll delve into the details of my contributions, particularly focusing on two key PRs that have been merged, and outline my plans for the remainder of the program. My Project: Enhancing Falco's Event...| Falco – The Falco blog
Talos Linux is an OS designed for Kubernetes, built to be secure, immutable and minimal. It offers a solution for having secure nodes in your Kubernetes cluster. Running Falco on them requires some configuration that we'll walk through in this blog post. The good news is that everything is available to collect the syscalls with eBPF and also the audit logs from the Kubernetes control plane. In this tutorial we'll use a local Talos cluster created with Docker containers for convenience, adapt the config...| Falco
Almost 1 year without a release of Falcosidekick, but version 2.29.0 is finally here. Thanks to all contributors for their patience; you made amazing contributions and we're happy to finally have them available for all users. As with every release, a small recap of its adoption. Falcosidekick continues to be adopted, even if the rate is not as high as before, but we're sure it will explode once again with this fresh new version.| Falco
Today we announce the release of Falco 0.38.1 🦅! Fixes Falco's 0.38.1 is a patch release aimed at addressing a few important bugs. It includes the following fixes: a Falco crash while running with plugins and metrics enabled has been solved (https://github.com/falcosecurity/falco/issues/3229); the Falco -p output format option can now be passed to plugin events, while -pc and -pk can only be used for syscall sources; fixes an issue that could result in Falco exiting with LOAD_ERR_COMPILE_OUTPUT ...| Falco
Dear Falco Community, today we are happy to announce the release of Falco 0.38.0! This is the first Falco release since its graduation within the CNCF, and, as usual, brings many improvements and features alongside some pretty big changes in its configuration mechanism. This release brings an easier-to-use mechanism to install and configure your drivers, new rule language features, better support for Falco metrics and many more improvements.| Falco
The number of plugins available for Falco continues to grow thanks to our wonderful community. Thank you all for your help! You can find the list of available plugins here. The vast majority of plugins developed allow Falco to ingest logs from different sources and raise alerts when suspicious elements are identified by its rules. In order to show that any event stream can be a source if you have the right plugin, and to have something fun to show users during my talks, I developed a Falco pl...| Falco
Use Falco to detect when malicious code may have been added to a Lambda function.| Falco
What happened in Falco this week? First of all, you probably already heard it, Falco is now graduated! If you missed this important news, go ahead and give our graduation blog post a read! Let's go through the major changes that happened in various repositories under the falcosecurity organization during the last week. Libs We are approaching the 0.15.0 tag, therefore mostly bugfixes were merged, plus a great new feature and some refactors:| Falco
Today, the Falco project hit a big milestone: becoming a CNCF Graduated Project! Falco's graduation indicates the project's maturity and dependability, but most importantly, it is the culmination of a fantastic amount of work. The journey for Falco started in 2016 when the first commit was made. Today, Falco has become synonymous with "runtime security" due to its comprehensive approach to securing the highly complex and dynamic environments of the modern cloud era.| Falco
What happened in Falco this week? Let's go through the major changes that happened in various repositories under the falcosecurity organization. Libs Multiple fixes and some cleanups happened in the libs repo: the newfstatat syscall is now configured with UF_ALWAYS_DROP (https://github.com/falcosecurity/libs/pull/1683); fixed a null destination address in sendto and sendmsg in modern bpf (https://github.com/falcosecurity/libs/pull/1687); added a CT_UNKNOWN container type zero value and properly initial...| Falco
Today we announce the release of Falco 0.37.1 🦅! Fixes Falco's 0.37.1 release is a small patch aimed at addressing a few minor bugs. It includes the following: added the --http-insecure flag to driver loader images; added a new env variable FALCOCTL_DRIVER_HTTP_HEADERS, understood by driver loader images, to pass a comma-separated list of HTTP headers for driver download, e.g. FALCOCTL_DRIVER_HTTP_HEADERS='x-emc-namespace: default,Proxy-Authenticate: Basic'; Falcoctl was bumped to v0.7.2, fixing an i...| Falco
Block Suspicious Network Traffic with Talon and NetworkPolicies| Falco
Dear Falco Community, today we are happy to announce the release of Falco 0.37.0! This release brings an improved installation experience, a new way to modify Falco rules, and some great UX improvements. There are, as to be expected, a handful of breaking changes. But, rest assured, we've done all we can to help you with any changes you might need to make. During this release cycle, we merged more than 100 PRs on Falco and more than 160 PRs for libs and drivers, version 0.| Falco
What happened in Falco this week? Let's go through the major changes that happened in various repositories under the falcosecurity organization. Libs Libs will need a 0.14.2 tag for the Falco 0.37.0 release, with the revert of the https://github.com/falcosecurity/libs/pull/1533 PR. During our release process, we found out that the new std::filesystem based implementation was up to 8x slower than the old one; that's because it supports many more cases and does many more checks.| Falco
What happened in Falco this week? Let's go through the major changes that happened in various repositories under the falcosecurity organization. Libs Libs tag 0.14.1 is out! Try it! It fixes the following things: fix(gvisor): gVisor engine crashes with non-hex container IDs (https://github.com/falcosecurity/libs/issues/1602); fix(gvisor): handle arbitrary sandbox IDs (https://github.com/falcosecurity/libs/pull/1612); fix(libsinsp): modify switch case (https://github.com/falcosecurity/libs/pull/16...| Falco
What happened in Falco this week? Let's go through the major changes that happened in various repositories under the falcosecurity organization. Libs The anticipated 0.14.0 libs tag (and its driver counterpart) is going to be tagged soon, by the end of next week. An Xmas present for you all! :christmas_tree: Mostly fixes were merged during this week: populate labels field for pod sandbox containers (https://github.com/falcosecurity/libs/pull/1564); improved libscap modern bpf tests and CI check...| Falco
Detect Atomic Red tests in Real Time with Falco| Falco
What happened in Falco this week? Let's go through the major changes that happened in various repositories under the falcosecurity organization. Libs The anticipated 0.14.0 libs tag (and its driver counterpart) is still a bit late, unfortunately. Anyway, spring cleaning went on once again this week! Cleaned up the dup3 flags param (https://github.com/falcosecurity/libs/pull/1469); cleaned up other param inconsistencies in the drivers (https://github.com/falcosecurity/libs/pull/1512); dropped b64 de...| Falco
Another week, another load of improvements everywhere in falcosecurity! What happened in Falco this week? Let's go through the major changes that happened in various repositories under the falcosecurity organization. Libs The anticipated 0.14.0 libs tag (and its driver counterpart) is a bit late, unfortunately. Anyway, spring cleaning went on this week! Removed the stopwatch implementation, now unused (https://github.com/falcosecurity/libs/pull/1493); removed the unused sinsp_test.cpp file (https:...| Falco
This is the first of a series of weekly blog posts whose aim is to give a quick overview of the development of Falco and its related projects. What happened in Falco this week? Let's go through the major changes that happened in various repositories under the falcosecurity organization. Libs Lots of cleanups happened in the libs repo, the most outstanding ones being: udig engine removal (https://github.com/falcosecurity/libs/pull/1485); dropped legacy metadata clients for k8s and mesos (http...| Falco
Learn how Falco plugin is used for Identity Threat Detection| Falco
One of the big advantages of running your workloads on a managed Kubernetes service like Google Kubernetes Engine (GKE) is that Google ensures your clusters are being deployed and managed following industry best practices. While GKE clusters are incredibly secure and reliable, there is always room for improvement. In this blog, we’re going to describe how you can enhance GKE’s already great security by adding runtime threat detection with Falco.| Falco
Detecting Cloud Runtime Threats with Falco (LFS254) is the new Falco training course created by CNCF, Linux Foundation, and Sysdig. We're very excited about this new immersive course designed to enhance your expertise in securing cloud-native applications through hands-on learning. Detecting Cloud Runtime Threats with Falco (LFS254) is a 20-hour course focused on runtime security. It covers what runtime security is and how Falco is a powerful tool designed to detect anomalous activity in appl...| Falco
Today we announce the release of Falco 0.36.2 🦅! Fixes Falco's 0.36.2 release is a small patch addressing a few bugs. It includes the following: fixed a possible segfault caused by an uninitialized variable in the libsinsp::next() method call (https://github.com/falcosecurity/falco/issues/2878); improved supported program type detection for modern BPF, which ensures we can actually be sure that our BPF program type is unsupported when returning an error to the user (https://github.com/falcosecuri...| Falco
If you’re looking to integrate runtime security into your existing environment, Falco is an obvious choice. Falco is a Cloud Native Computing Foundation backed open source project that provides real-time threat detection for cloud, container, and Kubernetes workloads. With over 80 million downloads Falco has been adopted by some of the largest companies in the world. However, what many Falco users discover early on is that Falco’s default event output is rather limited.| Falco
Falco v0.36.0 and the Software Supply Chain (SSC) security The latest stable Falco release, v0.36.0, alongside falcoctl 0.6.1 and the 0.7.0 Helm chart introduced new features and improvements to the security of Falco's software supply chain artifacts. Falco's two main downloadable artifacts are plugins and rule sets. They're shipped in the OCI specification format and distributed through the official Falcosecurity OCI repositories. Software supply chain attacks aim at injecting malicious code...| Falco
Today we announce the release of Falco 0.36.1 🦅! Fixes Falco's 0.36.1 release is a small patch aimed at protecting our users by addressing a few minor bugs. It includes the following: address a HIGH severity vulnerability in libcurl, CVE-2023-38545, by bumping the library to the patched version 8.4.0 (you can find more details in the section below); the legacy eBPF probe can now handle systems with CPU hotplug enabled, opening the right number of kernel buffers.| Falco
Falco, an open source innovation, was conceived with the vision of crafting a flexible and robust rules engine atop the Sysdig libraries. This initiative aimed to furnish a potent tool for the detection of aberrant behaviors and intrusions within modern applications, akin to the Snort paradigm but tailored to the realm of system calls and finely tuned for cloud environments. Nevertheless, it's important to recognize that Falco and Wireshark represent distinct facets of this evolutionary process.| Falco
Learn how to trace system calls using eBPF probes.| Falco
Dear Falco Community, today we are happy to announce the release of Falco 0.36.0! This release comes as usual with many new features and improvements. Thanks to everyone who worked on all the features, bugfixes and improvements! To read a detailed account of the release, see v0.36.0 in the changelog. During this release cycle, we merged more than 100 PRs on Falco and more than 150 PRs for libs and drivers, version 0.| Falco
Along with many in the community, we were sad to hear the news of Kris Nóva's passing last week. Nóva was a foundational contributor to Falco. She joined the Falco community when Falco was still a CNCF sandbox project. She made many contributions, including working on the input/output interfaces and starting the falcoctl project. She guided the community during the CNCF incubation process, and shepherded the contribution of the falcosecurity/libs to the CNCF.| Falco
There are a few foundational technologies that empower the Cloud Native ecosystem. Containers are one, and one of the bases for containerization is the Linux kernel itself. With Falco, we are developing a runtime security tool that hooks directly into the kernel to collect information about the system and notifies you about malicious behavior. We have found the need to validate our drivers against various versions of the Linux kernel, to properly ensure that with each iteration of our drivers, suppo...| Falco
Not so long ago, we proudly released a fantastic new release of falcosidekick; it's time for its little brother, falcosidekick-ui, to get the same treatment with version v2.2.0. Let's take a tour to introduce the most important cool new features of this release. Disabling the authentication The previous version introduced a basic auth mechanism to protect access to the dashboard and API. Some users complained that it broke access through their reverse proxy.| Falco
Learn how to trace system calls using eBPF programs.| Falco
Today, we'd like to share with the Falco community the latest contribution we (w/Emin Aktas) made to GitLab Container Registry. We noticed that GitLab Container Registry didn't support Falcoctl OCI Artifact mediaTypes while we were pushing the Falco rules stored from GitHub container registry to GitLab container registry. We decided then to contribute to GitLab Container Registry by adding the support for Falcoctl OCI Artifact mediaTypes. Error: PUT https://registry.gitlab.com/v2/x/falcosecur...| Falco
Since the launch of the plugin framework in January 2022, our adopters have requested an out-of-the-box solution to manage the lifecycle of rules (installation, updates). We heard your request and also created a guide to help you smoothly install the plugins. The Falco maintainers proposed the following solution to help with these issues: falcoctl. Falcoctl is a CLI tool that performs several useful tasks for Falco. This blog post describes key concepts around falcoctl to help you get started.| Falco