Project post by the Falco Team and Nigel Douglas

Falco achieved CNCF Graduation status on February 29, 2024. Following the celebration of this significant milestone at  KubeCon EU in Paris earlier this year, the project has seen several major highlight-worthy updates.

The Falco community’s recent development efforts have focused on enhancing performance and stability to deliver the best possible user experience for Falco adopters. Notable improvements include the integration of a new endpoint for exposing metrics in Prometheus format, automatic selection of the optimal driver for your system, a new collector that enriches captures with Kubernetes metadata, and many other exciting features. 

Here are the key highlights:

Falco Talon

Falco Talon is officially part of the falcosecurity project in Github. Searching for Falco Talon in Helm, you can see it now officially starting off on version 0.1.1. So what is Falco Talon? It’s a dedicated response engine for Falco. Response actions are linked to Falco rules, so when a detection rule is triggered, any of the listed “actionners” can be triggered in response to that unwanted behavior.

helm search repo falcosecurity/falco-talon
NAME                     	CHART      APP VERSION	DESCRIPTION                   
falcosecurity/falco-talon	0.1.1        	0.1.1      	React to the events from Falco

Rethinking how organizations should respond to threats in cloud-native architectures, Talon provides an industry-first, API-driven approach to threat mitigation directly via existing API primitives like networkpolicy, label enforcement. and graceful termination. This is a no-code implementation for threat isolation. Assign Falco rules to Falco actions in YAML, and let the automated API responses work their magic. This is the fastest, most efficient, and most reliable approach in today’s rapidly evolving Kubernetes and Cloud environments. 

New regex operator

The new Regular Expression (RegEx) operator allows you to match patterns in string fields using the Google RE2 library. While powerful, it’s important to note that the regex operator is significantly slower — potentially up to ten times slower — than other string comparison operators, which are recommended for simpler cases. For example, to detect certain patterns in file descriptors, you could use the following: fd.name regex [a-z]*/proc/[0-9]+/cmdline.

It is important that users are mindful of performance impacts when opting for regex over simpler string operations.

New Integrations and Sources

Our community has once again played a vital role in expanding Falco’s capabilities by integrating new alerting targets, including Dynatrace, Sumo Logic, OpenTelemetry Traces, and Quickwit. These integrations provide more flexibility in how users receive and analyze security alerts, allowing Falco to seamlessly connect with existing ecosystem tools.

Additionally, Falco can now collect Kubernetes audit logs from Google Kubernetes Engine (GKE) and logs from journald, providing deeper visibility into cluster activities and system-level events. New data sources, such as Kafka and Keycloak, have also been added, broadening the scope of environments which Falco can collect events from. These enhancements further empower teams to detect threats and monitor compliance across a wider range of architectures.

Field transformers and value comparison in conditions

This applies to the following transform operators: toupper, tolower, b64, and basename. Previously, it was not possible to write conditions that compared a field to another field, such as detecting when “a process deletes its own executable.” This limitation existed because field values couldn’t be used on the right-hand side of conditions. However, in this version, we’ve introduced the val() operator, which solves this issue.

evt.type = unlink and proc.exepath = val(fs.path.name)

This rule will only trigger if the process’s executable path (proc.exepath) matches the unlink target (fs.path.name), effectively detecting when a process attempts to delete its own executable. Additionally, you can apply simple transformation operators to both sides of the comparison: toupper() and tolower() convert the case of strings, while b64() decodes base64-encoded strings. 

Stay tuned as more transformers will be introduced to support additional use cases! For more details, check the documentation on transform operators.

Automatic driver selection

Deploying across diverse Kubernetes environments just got easier! When using the official Falco Helm chart and setting driver.kind=auto, the driver loader now intelligently handles the heavy lifting for you.

Here’s how it works: the driver loader will automatically generate a new Falco configuration file and select the correct engine driver based on the specific node Falco is deployed on. This means whether you’re using eBPF, kmod, or a modern eBPF driver, Falco will configure itself dynamically depending on the environment.

In many Kubernetes clusters, nodes can differ in terms of kernel versions, capabilities, and driver compatibility. With this new auto-selection feature, you can seamlessly deploy different Falco drivers across various nodes within the same cluster.

This setup gives you flexibility and ensures that each node in your Kubernetes cluster is running Falco in the most optimized way possible, without manual configuration. Simply set driver.kind=auto in the Helm chart and let Falco do the rest.

Built-in Prometheus metrics

If you have been following Falco development, you probably know we are constantly improving support for metrics that tell you how the Falco engine is doing. We now have introduced Prometheus support so you can better integrate Falco with your existing performance monitoring infrastructure and paves the way for the community to create an official Grafana dashboard that can be integrated into users’ charts. We integrated the new endpoint to expose a lot of useful metrics in the Prometheus format, which allows for the out-of-the-box Grafana dashboard creation.

Plugins Rust SDK 

The Falco Plugin Rust SDK is a newly developed toolkit designed to allow developers to build Falco plugins using the Rust programming language. Rust, known for its focus on safety, performance, and efficiency, is a natural fit for building high-quality plugins that interact with the Falco ecosystem.

This SDK provides a robust framework for creating Falco plugins, offering flexibility for different plugin types. Developers can create both dynamically and statically linked plugins:

The SDK simplifies plugin development and extends Falco’s functionality, while opening doors for Rust developers to contribute and innovate within the Falco community.

Falco Growth

To close where we began, Falco has seen a boom in growth and usage since achieving CNCF graduation earlier this year. In total, Falco has now been downloaded 130M times, but that’s not all.

When users deploy Falco with its default configuration, Falco checks for community rule updates four times per day. We can derive how many Falco instances run daily using rules download stats from GitHub — in the last month, we have experienced over 120M downloads for the latest ruleset version. In short, Falco currently monitors around 1M active nodes daily using the latest ruleset and subscribed to the community rules feed. This is in addition to many millions more running previous versions.

Thank you for your continued support of the Falco project. We hope to see you at KubeCon + CloudNativeCon North America in Salt Lake City!