Falco 0.36: Runtime Security for Kubernetes Enhancements

Introduction

Falco 0.36, released on March 22, 2023, is most relevant if you’re hardening clusters without turning every deploy into a support ticket. The real value is in rollout safety: tighter controls with fewer false positives, clearer policy outcomes, and smoother day-2 response when something is blocked.
Rule Engine Improvements

  • Rule performance optimizations reduce CPU overhead and improve detection speed.
  • Rule syntax enhancements enable more expressive and flexible security rules.
  • Rule libraries expansion provides more pre-built rules for common security scenarios.
  • Rule testing improvements simplify rule development and validation.

Kubernetes Integration

  1. Admission control integration enables policy enforcement at pod creation time.
  2. Service account detection improves identification of containerized applications.
  3. Network policy correlation enables better context for security events.
  4. Resource monitoring provides better visibility into Kubernetes resource access.

Threat Detection

  • Behavioral analysis improvements detect anomalous activity patterns.
  • Attack detection enhancements identify known attack techniques and patterns.
  • Compliance monitoring enables detection of policy violations and misconfigurations.
  • Incident response improvements provide better alerting and workflow integration.

Observability & Reporting

  • Metrics expansion exposes detailed security metrics for Prometheus integration.
  • Event streaming enables real-time security event processing and analysis.
  • Dashboard integration provides visualization of security events and trends.
  • Reporting capabilities enable compliance and security reporting.

Getting Started

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco --version 0.36.0

Create a custom rule:

- rule: Detect Shell in Container
  desc: Notice shell activity within a container
  condition: >
    spawned_process and container and
    shell_procs and proc.tty != 0 and
    container_entrypoint
  output: >
    Shell spawned in container (user=%user.name user_loginuid=%user.loginuid %container.info
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty
    container_id=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [container, shell, mitre_execution]
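Once a rule like this fires, the events still have to be consumed somewhere. As an added example (not code from the original post or from the Falco project), the following Python script reads Falco's JSON-line output (the json_output: true setting in falco.yaml), drops malformed lines instead of crashing on them, keeps only events at or above a minimum priority, and tallies hits per rule and per container so a responder can see which workloads are producing the shell alerts. The sample events, container ids and image names are constructed for this example.

```python
import json
from collections import Counter

# Falco's priority levels, ordered from most to least severe.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# Constructed sample of Falco JSON-line output; container ids, images and
# timestamps are made up for this example. The last line is deliberately broken.
SAMPLE_EVENTS = """\
{"time":"2023-03-22T10:00:01.000000000Z","rule":"Detect Shell in Container","priority":"Warning","source":"syscall","tags":["container","shell","mitre_execution"],"output":"Shell spawned in container (user=root ...)","output_fields":{"container.id":"1a2b3c4d5e6f","container.image.repository":"nginx","proc.name":"bash","user.name":"root"}}
{"time":"2023-03-22T10:00:02.000000000Z","rule":"Detect Shell in Container","priority":"Warning","source":"syscall","tags":["container","shell"],"output":"Shell spawned in container (user=app ...)","output_fields":{"container.id":"1a2b3c4d5e6f","container.image.repository":"nginx","proc.name":"sh","user.name":"app"}}
{"time":"2023-03-22T10:00:03.000000000Z","rule":"Some Notice Rule","priority":"Notice","source":"syscall","tags":[],"output":"informational only","output_fields":{"container.id":"deadbeef0000","container.image.repository":"busybox"}}
not json at all
"""

def parse_events(lines, min_priority="Warning"):
    """Parse Falco JSON lines; drop malformed lines and events below min_priority."""
    threshold = PRIORITIES.index(min_priority)
    kept = []
    for line in lines.splitlines():
        try:
            ev = json.loads(line.strip())
        except json.JSONDecodeError:
            continue  # a truncated or corrupted line must not stop the pipeline
        if not all(k in ev for k in ("rule", "priority", "output_fields")):
            continue  # not a Falco alert record
        if ev["priority"] not in PRIORITIES:
            continue  # unknown priority string, ignore rather than guess
        if PRIORITIES.index(ev["priority"]) <= threshold:
            kept.append(ev)
    return kept

def summarize(events):
    """Count alerts per rule and per (container id, image repository)."""
    by_rule = Counter(ev["rule"] for ev in events)
    by_container = Counter(
        (ev["output_fields"].get("container.id", "host"),
         ev["output_fields"].get("container.image.repository", "none"))
        for ev in events)
    return by_rule, by_container

if __name__ == "__main__":
    by_rule, by_container = summarize(parse_events(SAMPLE_EVENTS))
    for rule, n in by_rule.most_common():
        print(f"{n:3d}  {rule}")
    for (cid, image), n in by_container.most_common():
        print(f"{n:3d}  {cid} ({image})")
```

Pipe live output into it with `falco -o json_output=true | python3 this_script.py` after changing the main block to read from sys.stdin.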

Summary

Aspect             Details
Release Date       March 22, 2023
Headline Features  Rule engine improvements, Kubernetes integration enhancements, threat detection improvements
Why it Matters     Delivers comprehensive runtime security with enhanced detection and Kubernetes integration

Falco 0.36 provides teams with powerful runtime security capabilities for detecting and responding to security threats in Kubernetes environments.