Falco 0.37: Runtime Security Enhancements

K8s Guru

Introduction

Falco 0.37, released on November 8, 2024, advances runtime security monitoring with improved eBPF support, enhanced detection rules, better performance, and expanded integration capabilities. This release makes Falco more powerful for detecting and responding to security threats.

eBPF Improvements

  • eBPF probe enhancements provide better performance and reliability.
  • Kernel compatibility improvements support more kernel versions.
  • Event collection improvements provide more comprehensive security event coverage.
  • Performance optimizations reduce the overhead of eBPF-based monitoring.

Detection Enhancements

  1. Rule improvements provide more accurate detection of security threats.
  2. Custom rules can be written for specific use cases.
  3. Rule libraries provide pre-built rules for common security scenarios.
  4. Rule testing improvements allow better validation of detection rules.

Performance Optimizations

  • Event processing improvements reduce latency for security event detection.
  • Resource usage optimizations reduce CPU and memory consumption.
  • Filtering enhancements enable more efficient event filtering.
  • Scaling improvements enable better handling of high event volumes.

Integration Capabilities

  • Kubernetes integration is improved.
  • Alerting enhancements enable integration with various alerting systems.
  • SIEM integration connects Falco to security information and event management systems.
  • API improvements enable better programmatic access to Falco capabilities.

Getting Started

# Install Falco using Helm
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco

Example Falco rule:

- rule: Write below binary dir
  desc: Detect writes to binary directories
  condition: >
    bin_dir and evt.dir = < and open_write
    and not package_mgmt_procs
    and not exe_running_docker_save
    and not python_running_get_pip
    and not python_running_msf
    and not user_known_write_below_binary_dir_activities
  output: >
    File below a known binary directory opened for writing
    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
    file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2])
  priority: ERROR
  tags: [filesystem, mitre_persistence]
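As an added example (not from the original post or the Falco project), the local rules file below shows the two kinds of customization the Detection Enhancements section refers to: tuning the rule above through the `user_known_write_below_binary_dir_activities` hook it already references, and writing a custom rule for an application-specific directory. The file path, list names, process name and plugin directory are constructed placeholders, not Falco defaults.

```yaml
# Added example, not part of the original post or the upstream Falco rules.
# Assumed location: /etc/falco/rules.d/custom.yaml, loaded after the default
# rules so that overrides apply to the already-defined upstream objects.

# 1. Tune the upstream "Write below binary dir" rule without editing it.
#    Upstream defines user_known_write_below_binary_dir_activities as
#    (never_true); replacing its condition allow-lists one known-good
#    self-updating agent (constructed name) writing only under /usr/bin.
- list: self_updating_agent_binaries      # assumed list name
  items: [my-agent-updater]               # constructed process name

- macro: user_known_write_below_binary_dir_activities
  condition: (proc.name in (self_updating_agent_binaries) and fd.directory = /usr/bin)
  override:
    condition: replace

# 2. A custom rule for a specific use case: writes to the directory an
#    application loads plugins from (constructed path), modelled on the
#    bin_dir / open_write structure of the upstream rule.
- list: plugin_dirs                       # assumed list name
  items: [/opt/myapp/plugins]

- macro: plugin_dir
  condition: (fd.directory in (plugin_dirs))

- rule: Write below plugin dir
  desc: Detect writes to the application plugin directory by anything other than the package manager
  condition: >
    plugin_dir and evt.dir = < and open_write
    and not package_mgmt_procs
  output: >
    File below plugin directory opened for writing
    (user=%user.name command=%proc.cmdline file=%fd.name parent=%proc.pname
    container_id=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [filesystem, custom]
```

Check the file with `falco -V /etc/falco/rules.d/custom.yaml` before rolling it out; keeping overrides in a separate file means upstream rule updates do not clobber local tuning.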

Summary

Aspect             | Details
Release Date       | November 8, 2024
Headline Features  | eBPF improvements, detection enhancements, performance optimizations, integration capabilities
Why it Matters     | Delivers powerful runtime security monitoring with enhanced detection and performance

Falco 0.37 continues to be a leading runtime security solution, providing teams with comprehensive security monitoring capabilities.