May 17, 2019 - 6:42 a.m.

UPDATE: Sysdig Falco v0.15.0

pentestit.com

EPSS: 0.0004 (Low), percentile 5.7%

PenTestIT RSS Feed

Three days ago, an updated version – Sysdig Falco v0.15.0 – was released. It has been some time since I last blogged about this open source behavioral activity monitor with container support. This release incorporates a lot of rule updates, which are now also tagged for the MITRE ATT&CK Framework, and patches CVE-2019-8339, a medium severity vulnerability.

Sysdig Falco v0.15.0

What is Sysdig Falco?

> Sysdig Falco is an open source, behavioral activity monitor designed to detect anomalous activity in your applications. This is a project for intrusion and anomaly detection for Cloud Native platforms such as Kubernetes, Mesosphere, and Cloud Foundry.

Sysdig Falco v0.15.0 Changelog:

Major Changes

  • Actions and alerts for dropped events: Falco can now take actions, including sending alerts/logging messages, and/or even exiting Falco, when it detects dropped system call events. [#561] [#571]
  • Support for Containerd/CRI-O: Falco now supports containerd/cri-o containers. [#585] [#591] [#599] [#sysdig/1376] [#sysdig/1310]
  • Perform docker metadata fetches asynchronously: When new containers are discovered, fetch metadata about the container asynchronously, which should significantly reduce the likelihood of dropped system call events. [#sysdig/1326] [#550] [#570]
  • Better syscall event performance: improve the algorithm for reading system call events from the kernel module to handle busy event streams. [#sysdig/1372]
  • HTTP Output: Falco can now send alerts to http endpoints directly without having to use curl. [#523]
  • Move Kubernetes Response Engine to own repo: The Kubernetes Response Engine is now in its own github repository. [#539]
  • Updated Puppet Module: An all-new puppet module compatible with puppet 4 with a smoother installation process and updated package links. [#537] [#543] [#546]
  • RHEL-based falco image: Provide dockerfiles that use RHEL 7 as the base image instead of debian:unstable. [#544]

Minor Changes

  • ISO-8601 Timestamps: Add the ability to write timestamps in ISO-8601 w/ UTC, and use this format by default when running falco in a container [#518]
  • Docker-based builder/tester: You can now build Falco using the falco-builder docker image, and run regression tests using the falco-tester docker image. [#522] [#584]
  • Several small docs changes to improve clarity and readability [#524] [#540] [#541] [#542]
  • Add instructions on how to enable K8s Audit Logging for kops [#535]
  • Add a “stale issue” bot that marks and eventually closes old issues with no activity [#548]
  • Improvements to sample K8s daemonset/service/etc files [#562]

Bug Fixes

  • Fix regression that broke json output [#581]
  • Fix errors when building via docker from MacOS [#582]

Rule Changes

  • Tag rules using MITRE ATT&CK Framework: Add tags for all relevant rules linking them to the MITRE ATT&CK Framework. We have an associated blog post. [#575] [#578]
  • New rules for additional use cases: New rules Schedule Cron Jobs, Update Package Repository, Remove Bulk Data from Disk, Set Setuid or Setgid bit, Detect bash history deletion, Create Hidden Files or Directories look for additional common follow-on activity you might see from an attacker. [#578] [#580]
  • Allow docker’s “exe” (usually part of docker save/load) to write to many filesystem locations [#552]
  • Let puppet write below /etc [#563]
  • Add new user_known_write_root_conditions, user_known_non_sudo_setuid_conditions, and user_known_write_monitored_dir_conditions macros to allow those rules to be easily customized in user rules files [#563] [#566]
  • Better coverage and exceptions for rancher [#559]
  • Allow prometheus to write to its conf directory under etc [#564]
  • Better coverage and exceptions for openshift/related tools [#567] [#573]
  • Better coverage for cassandra/kubelet/kops to reduce FPs [#551]
  • Better coverage for docker, openscap to reduce FPs [#573]
  • Better coverage for fluentd/jboss to reduce FPs [#590]
  • Add ash (Alpine Linux-related shell) as a shell binary [#597]
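The user_known_* macros listed above are the customization hooks for the "write below root", "non sudo setuid" and "write below monitored dir" rules. As an added example (not from the post or the Falco project), a local rules file that redefines two of them; the process names, paths and file name are hypothetical:

```yaml
# falco_rules.local.yaml (hypothetical file name). Load it after the
# default rules file: a macro defined with the same name in a later-loaded
# file replaces the earlier definition, so these become the exceptions
# the corresponding rules consult.

# Allow only a hypothetical backup agent, and only under one directory,
# to write below /root. Anything else still fires "Write below root".
- macro: user_known_write_root_conditions
  condition: >
    (proc.name = "example-backup" and
     fd.name startswith "/root/.backup/")

# Allow a hypothetical config-management agent to write its own
# subtree of a monitored directory. Keep the exception as narrow as
# possible: a bare "proc.name = X" would exempt every file that
# process touches, which is easy to abuse by a process of that name.
- macro: user_known_write_monitored_dir_conditions
  condition: >
    (proc.name = "example-cm-agent" and
     fd.name startswith "/etc/example-cm/")
```

Run Falco with both files (`-r falco_rules.yaml -r falco_rules.local.yaml`, in that order) and the exceptions take effect without editing the shipped rules; the third macro, user_known_non_sudo_setuid_conditions, is left untouched so no setuid exception is opened.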

Download Sysdig Falco:

Sysdig Falco v0.15.0 (falco-0.15.0.zip/falco-0.15.0.tar.gz) can be downloaded here. If you want to know how to install Sysdig Falco using containers, refer to this page.

The post UPDATE: Sysdig Falco v0.15.0 appeared first on PenTestIT.
