Until version 0.33.0, the only way for Falco to consume events from multiple event sources was to deploy multiple Falco instances, one per event source. This was particularly limiting given Falco’s plugin system, introduced in Falco 0.32, which made it possible to go beyond syscall tracing by adding new kinds of event sources.
This is a huge improvement, and it also brings back support for collecting syscall events and k8s audit logs on the same Falco instance, for everyone who was interested in doing that.
This new feature introduces a user-facing change: every Falco instance now enables the syscall event source by default, so you have to explicitly disable syscalls if you want a plugin-only deployment.

Falco 0.33 also introduces new libsinsp APIs that make it possible to individually select which kernel syscalls and watchpoint events are collected. This is a step forward compared to the previous “simple consumer function”, which could only discard events that were not useful for runtime security purposes. Selecting individual syscalls and events improves Falco’s performance and reduces the number of dropped events.

Related to this, the new version further mitigates the dropped-events problem by giving you control over the size of the kernel syscall ring buffer, the shared memory region where the drivers store events for Falco to consume later. By tuning the size of the ring buffer, you can control how often Falco drops events.

As mentioned, Kernel Crawler is a new tool that automatically searches for newly supported kernel versions across a number of Linux distributions. It should ease the adoption of Falco by simplifying the task of installing kernel modules and eBPF probes for a given kernel version. The kernel crawler is used to populate and maintain a build matrix database that lists all kernel versions and distributions supported by Falco.

The latest version of Falco brings many additional new features and improvements, such as new drivers for minikube, improved rate limiting for notifications, and newly supported syscalls and security rules. Don’t miss the official announcement or changelog for the full details.
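Because dropped events are the symptom that ring-buffer tuning is meant to address, a practitioner usually wants a quick way to measure the drop rate before changing the buffer size. The script below is an added example, not Falco project code: it reads Falco's JSON alert output, picks out the internal "syscall event drop" reports, sums the event and drop counters, and suggests whether to move the buffer preset up one step. The rule name, the `n_evts`/`n_drops` field names in `output_fields`, the `syscall_buf_size_preset` key and its 1 MB doubling scale are my assumptions about Falco's output and configuration, and the sample alert lines are constructed.

```python
"""Estimate Falco's syscall drop ratio from its JSON alert stream.

Added example, not part of Falco. Assumptions (verify against your Falco
version): Falco runs with json_output enabled, the internal drop alert uses
the rule name below, and its output_fields carry n_evts and n_drops as
strings. The sample lines are constructed for this example.
"""
import json
from typing import Iterable, Tuple

# Assumed rule name Falco uses for its internal drop report.
DROP_RULE = "Falco internal: syscall event drop"

# Assumed upper bound of the syscall_buf_size_preset index in falco.yaml.
MAX_PRESET = 10

# Constructed sample: one ordinary alert, a non-JSON line (e.g. a startup
# log message), and two internal drop reports.
SAMPLE_LINES = [
    '{"rule":"Terminal shell in container","priority":"Notice",'
    '"output":"constructed alert","output_fields":{}}',
    '{"rule":"Falco internal: syscall event drop","priority":"Critical",'
    '"output":"Falco internal: syscall event drop. 500 system calls dropped in last second.",'
    '"output_fields":{"n_evts":"200000","n_drops":"500","n_drops_buffer":"500","ebpf_enabled":"1"}}',
    "Fri Oct 14 10:00:00 2022: Starting internal webserver, listening on port 8765",
    '{"rule":"Falco internal: syscall event drop","priority":"Critical",'
    '"output":"Falco internal: syscall event drop. 1500 system calls dropped in last second.",'
    '"output_fields":{"n_evts":"300000","n_drops":"1500","n_drops_buffer":"1500","ebpf_enabled":"1"}}',
]


def drop_totals(lines: Iterable[str]) -> Tuple[int, int]:
    """Return (total_events, total_drops) summed over all drop reports."""
    evts = drops = 0
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # plain log lines are interleaved with JSON alerts
        if not isinstance(alert, dict) or alert.get("rule") != DROP_RULE:
            continue
        fields = alert.get("output_fields", {})
        evts += int(fields.get("n_evts", 0))
        drops += int(fields.get("n_drops", 0))
    return evts, drops


def drop_ratio(lines: Iterable[str]) -> float:
    """Fraction of syscall events dropped in the intervals that reported drops."""
    evts, drops = drop_totals(lines)
    return drops / evts if evts else 0.0


def preset_bytes(preset: int) -> int:
    """Assumed mapping of syscall_buf_size_preset to buffer size: 1 MB at
    preset 1, doubling per step (so preset 4 is 8 MB)."""
    if not 1 <= preset <= MAX_PRESET:
        raise ValueError("preset must be between 1 and %d" % MAX_PRESET)
    return (1 << 20) << (preset - 1)


def recommend_preset(current: int, ratio: float, threshold: float = 0.001) -> int:
    """Suggest raising the preset by one step while the drop ratio exceeds
    the threshold; never exceed the assumed maximum index."""
    if ratio > threshold and current < MAX_PRESET:
        return current + 1
    return current


if __name__ == "__main__":
    ratio = drop_ratio(SAMPLE_LINES)
    current = 4  # assumed default preset
    suggested = recommend_preset(current, ratio)
    print("drop ratio: %.4f" % ratio)
    print("current preset %d (%d MB) -> suggested preset %d (%d MB)" % (
        current, preset_bytes(current) >> 20, suggested, preset_bytes(suggested) >> 20))
```

Feed it `falco -o json_output=true` output (or the collected container logs) in place of `SAMPLE_LINES`; a drop ratio that stays above the threshold across several intervals is the signal to bump the preset, after which the same measurement tells you whether the larger buffer actually removed the drops or whether the real fix is narrowing the set of collected syscalls.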