
Falco Project v0.34 Released: OSS Security Tool Adds Downloadable Rules and eBPF Probe

Falco, an open-source runtime security tool, recently announced their latest release version 0.34.0. Highlights of the latest release include support for older RHEL distros, the ability to download and update Falco rules at runtime, and the experimental release of a modern eBPF probe.

The latest release, codenamed "The Honeybee", introduces a separate repository for Falco rules, which allows the rules to be versioned independently of the Falco engine. At every release, the rules are published both as plain files and as OCI artifacts. The new version of the Falco Helm Chart (3.0.0) adds a feature that, when enabled, updates the rules automatically.

The new release also includes falcoctl, a CLI tool that provides administrative tooling for Falco. In general, Falco can detect and issue alerts for any behavior that involves the execution of Linux system calls. Here is the Falco project architecture:

Source: The Falco Project - Getting Started

Supporting multiple architectures beyond x86_64 and arm64, Falco 0.34.0 ships with a modern eBPF probe. The driver is experimental, as it currently implements around 80 syscalls, and it is not yet production-ready like the kernel module and the existing eBPF probe.

eBPF provides a mechanism for Linux applications to execute code in Linux kernel space. We saw that eBPF was one of the trending topics at CloudNativeSecurityCon 2023. In one of the sessions, Wasiq Muhammad, principal security engineer at AWS, showcased how system call tracing works with eBPF, including the ability to capture system call arguments and process data.

Source: Finding the Needles in a Haystack: Identifying Suspicious Behaviors... Jeremy Cowan & Wasiq Muhammad

The new eBPF features in Falco 0.34.0 include the compile-once-run-everywhere (CO-RE) paradigm, which allows compiling the eBPF probe once for all kernels. The Falco community has introduced Berkeley Packet Filter (BPF) global variables and ring buffers to improve performance over the traditional eBPF probe.

A few more checks are introduced in Falco rules to detect whether a newly generated executable is malicious. Some new fields are attached to process spawn (execve) events: proc.exe_ino.ctime, proc.exe_ino.mtime, proc.exe_ino.ctime_duration_proc_start, proc.exe_ino.ctime_duration_pidns_start and proc.is_exe_upper_layer. These fields narrow the search area when tracking spawned processes and give users additional information for incident response. The newest version of Falco also includes a consolidated artifact distribution management system, designed to simplify access to artifacts for users.
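As an added example that is not part of the original article or of the Falco project's own rule set, the following Falco rule file shows how the process-spawn fields listed above can be combined to flag a process whose executable was created or changed shortly before it ran, or which was written into a container's upper (writable) layer rather than shipped in the image. The rule name, the 60-second threshold, the allowlist and the output format are this example's assumptions; the nanosecond unit of the ctime_duration fields and the boolean form of proc.is_exe_upper_layer should be checked against the Falco field documentation for the version in use.

```yaml
# Added example rule file; not part of the Falco project's default rules.
# Uses the process-spawn fields introduced in Falco 0.34.0.

# These two macros mirror the definitions shipped in the default rules and are
# repeated here so the file loads on its own.
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir = <

- macro: container
  condition: container.id != host

- list: known_runtime_built_binaries
  # Constructed allowlist placeholder: add process names that legitimately
  # compile and then execute code at runtime (CI runners, JIT-style tools).
  items: []

- rule: Execute Recently Created or Overlay-Written Binary in Container
  desc: >
    Detects execution inside a container of an executable whose inode was
    created or changed less than 60 seconds (assumed threshold) before the
    process started, or which lives in the container's upper layer and was
    therefore not part of the image. Both are typical of a dropped payload.
  condition: >
    spawned_process and container
    and not proc.name in (known_runtime_built_binaries)
    and (
      proc.is_exe_upper_layer = true
      or proc.exe_ino.ctime_duration_proc_start < 60000000000
    )
  output: >
    Recently created executable launched in container
    (user=%user.name proc=%proc.name exepath=%proc.exepath
    upper_layer=%proc.is_exe_upper_layer
    ctime_to_start_ns=%proc.exe_ino.ctime_duration_proc_start
    container=%container.name image=%container.image.repository)
  priority: NOTICE
  tags: [container, process, mitre_execution]
```

The two conditions are deliberately OR-ed: proc.is_exe_upper_layer catches binaries dropped into a running container regardless of timing, while the ctime duration catches binaries written and executed quickly even where overlay information is unavailable. Tune the threshold and the allowlist against a baseline of normal workloads before raising the priority beyond NOTICE.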

Initially built by Sysdig, Inc., the Falco Project was donated to the CNCF and is now an incubating project. The Falco community has encouraged feedback and ideas from users. Interested readers can join the Falco community here. The instructions for deploying Falco are available here.
