Threat-Detection Tool Falco Now Supports Multiple Event Sources, Syscall Selection, and More
MMS • Sergio De Simone
Article originally posted on InfoQ.
The latest release of Falco adds the ability to handle multiple simultaneous event sources within the same instance, support for selecting which syscalls to capture, a new Kernel Crawler to collect the most recent supported kernel versions, and more.
Up until version 0.33.0, the only way for Falco to consume events from multiple event sources was to deploy multiple Falco instances, one per event source. This was especially limiting given Falco’s plugin system, which since Falco 0.32 has made it possible to go beyond syscall tracing by adding new kinds of event sources.
This is a huge improvement and also brings back support for consuming syscall events and k8s audit logs in the same Falco instance, for all the folks who were interested in doing so.
This new feature introduces a user-facing change: each Falco instance now enables the syscall event source by default, so you will need to explicitly disable syscalls if you want a plugin-only deployment.
Falco 0.33 also introduces new libsinsp APIs that make it possible to individually select which kernel syscalls and tracepoint events should be collected. This is a step forward compared to the previous “simple consumer mode”, which could only discard events not useful for runtime security purposes. Selecting individual syscalls and events should improve Falco performance and reduce the number of dropped events.
Related to this, the new release of Falco further attempts to mitigate the issue of dropped events by giving control over the size of the syscall kernel ring buffer, a shared-memory area where the drivers buffer events until Falco consumes them. By tuning the ring-buffer size, you can control how frequently Falco will drop events.
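As an added illustration of the two user-facing settings discussed above (not taken from the article or the Falco project), the following falco.yaml fragment configures a plugin-only instance and tunes the ring buffer; the key names, plugin paths and port follow Falco’s published configuration reference but are assumptions to verify against the falco.yaml shipped with your release.

```yaml
# falco.yaml fragment (added example, not from the article).
# Key names are assumed from the Falco 0.33 configuration reference.

# Size of the per-CPU ring buffer shared between the driver and Falco.
# Presets scale the buffer; a larger buffer trades memory for fewer dropped
# events under bursty syscall load. Preset 4 is assumed to be the default.
syscall_buf_size_preset: 4

# Plugin event source: Kubernetes audit logs received over HTTP.
# Library names and the listening port are assumed values.
plugins:
  - name: k8saudit
    library_path: libk8saudit.so
    init_config: ""
    open_params: "http://:9765/k8s-audit"
  - name: json
    library_path: libjson.so
    init_config: ""

load_plugins: [k8saudit, json]

# Since 0.33 the syscall source stays enabled even when plugins are loaded.
# For a plugin-only deployment, disable it explicitly at startup:
#   falco -c falco.yaml --disable-source syscall
```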
As mentioned, the Kernel Crawler is a new tool that automatically searches for new kernel versions supported for a number of Linux distros. It should make it easier to adopt Falco by simplifying the task of installing kernel modules and eBPF probes for a given kernel version. The Kernel Crawler is used to populate and maintain a database with the build matrix which lists all kernel versions and distros supported by Falco.
The latest Falco release brings many additional new features and improvements, including new drivers for minikube, improved rate limiting for alerts, and newly supported syscalls and security rules. Do not miss the official announcement or the changelog for full details.