Falco v0.18 releases: Behavioral Activity Monitoring With Container Support

Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Powered by sysdig’s system call capture infrastructure, Falco lets you continuously monitor and detect container, application, host, and network activity… all in one place, from one source of data, with one set of rules.

Falco is hosted by the Cloud Native Computing Foundation (CNCF) as a sandbox level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and micro services-oriented, consider joining the CNCF. For details read the Falco CNCF project proposal.

What kind of behaviors can Falco detect?

Falco can detect and alert on any behavior that involves making Linux system calls. Thanks to Sysdig’s core decoding and state tracking functionality, Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, you can easily detect things like:

• A shell is run inside a container
• A container is running in privileged mode or is mounting a sensitive path like /proc from the host.
• A server process spawns a child process of an unexpected type
• Unexpected read of a sensitive file (like /etc/shadow)
• A non-device file is written to /dev
• A standard system binary (ls) makes an outbound network connection

How you use it

Falco is deployed as a long-running daemon. You can install it as a Debian/rpm package on a regular host or container host, or you can deploy it as a container.

Falco is configured via a rules file defining the behaviors and events to watch for, and a general configuration file. Rules are expressed in a high-level, human-readable language. We’ve provided a sample rule file ./rules/falco_rules.yaml as a starting point – you can (and will likely want!) to adapt it to your environment.

When developing rules, one helpful feature is Falco’s ability to read trace files saved by sysdig. This allows you to “record” the offending behavior once, and replay it with Falco as many times as needed while tweaking your rules.

Once deployed, Falco uses the Sysdig kernel module and userspace libraries to watch for any events matching one of the conditions defined in the rule file. If a matching event occurs, a notification is written to the configured output(s).

Falco Alerts

When Falco detects suspicious behavior, it sends alerts via one or more of the following channels:

• Writing to standard error
• Writing to a file
• Writing to syslog
• Pipe to a spawned program. A common use of this output type would be to send an email for every Falco notification.

More details on these alerts are described [here](Falco Alerts).

Changelog v0.18

Major Changes

• falco grpc api server implementation, contains a subscribe method to subscribe to outputs from any grpc capable language [#822]
• add support for converting k8s pod security policies (psps) into set of falco rules that can be used to evaluate the conditions specified in the psp. [#826]
• initial redesign container images to remove build tools and leverage init containers for kernel module delivery. [#776]
• add flags to disable syscall event source or k8s_audit event source [#779]

Minor Changes

• allow for unique names for psp converted rules/macros/lists/rule names as generated by falcoctl 0.0.3 [#895]
• make it easier to run regression tests without necessarily using the falco-tester docker image. [#808]
• fix falco engine compatibility with older k8s audit rules files. [#893]
• add tests for psp conversions with names containing spaces/dashes. [#899]

Bug Fixes

• handle multi-document yaml files when reading rules files. [#760]
• improvements to how the webserver handles incoming invalid inputs [#759]
• fix: make lua state access thread-safe [#867]
• fix compilation on gcc 5.4 by working around gcc bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=56480 [#873]
• add explicit dependency between tests and catch2 header file. [#879]
• fix: stable dockerfile libgcc-6-dev dependencies [#830]
• fix: build dependencies for the local dockerfile [#782]
• fix: a crash bug that could result from reading more than ~6 rules files [#906] [#907]

Rule Changes

• rules: add calico/node to trusted privileged container list [#902]
• rules: add macro calico_node_write_envvars to exception list of write below etc [#902]
• rules: add exception for rule write below rpm, this is a fp caused by amazon linux 2 yum. [#755]
• rules: ignore sensitive mounts from the ecs-agent [#881]
• rules: add rules to detect crypto mining activities [#763]
• rules: add back rule delete bash history for backport compatibility [#864]
• rule: syscalls are used to detect suid and sgid [#765]
• rules: delete bash history is renamed to delete or rename shell history [#762]
• rules: add image fluent/fluentd-kubernetes-daemonset to clear log trusted images [#852]
• rules: include default users created by kops. [#898]
• rules: delete or rename shell history: when deleting a shell history file now the syscalls are taken into account rather than just the commands deleting the files [#762]
• rules: delete or rename shell history: history deletion now supports fish and zsh in addition to bash [#762]
• rules: “create hidden files or directories” and “update package repository” now trigger also if the files are moved and not just if modified or created. [#766]

Install & Tutorial

Copyright (C) mstemm