Thomas Labarussias

Falcosidekick 2.29.0

Almost one year without a release of Falcosidekick, but version 2.29.0 is finally here. Thanks to all contributors for their patience: you made amazing contributions, and we're happy to finally make them available to all users.

As with every release, here is a short recap of its adoption. Falcosidekick continues to be adopted, even if the rate is not as high as before, and we're confident it will take off again with this fresh new version.

Once more, Falcosidekick expands Falco's integrability with a lot of new outputs. That, together with the introduction of many new features, has been possible thanks to the hard work of the community. You can find a comprehensive list of these in the changelog.

New outputs

More and more systems are integrated as outputs in Falcosidekick, and more and more often directly by the companies themselves rather than their end users. It shows that Falco and Falcosidekick are seen as major components in the security field, and trusted as de facto standards.

Dynatrace

Mario Kahlhofer, aka @blu3r4y, from Dynatrace, integrated the well-known observability and security platform he works for. You can even read his blog post about it, to discover how to correlate Falco events with the events of their APM agent.

Sumologic

Carlo Mencarelli, aka @mencarellic, contributed the exporter of Falco events to Sumologic, the SaaS platform for your logs.

OTLP Traces

It started as an internal hackathon at Grafana Labs and became a real integration thanks to JuanJo Ciarlante (@jjo). You can now export Falco events as traces, to get an automatic correlation between the detected events.

[!WARNING] This works only for syscall-related events.

Quickwit

After a demo of Falco at a CNCF Meetup, the Quickwit team wanted to add their product as a new output for Falcosidekick, and they did it. You can now easily index your Falco events in their search engine thanks to the work of Idriss Neumann (@idrissneumann).

Falco Talon

A newcomer in the Falco ecosystem, aiming to fill the last missing piece: the response. You can now forward Falco events to Falco Talon, a tailor-made no-code response engine for Falco. The project is still in alpha stage, but it moves quickly. Stay tuned.

New features

Aside from the new outputs, we introduced some very important and useful new features. Let's recap them.

Revamp of the Policy Report output

The Policy Report feature in Kubernetes has evolved since its integration in Falcosidekick, so it was time to do some cleanup. The report now contains more information, and it is displayed better in the Policy Reporter UI.

New outputFieldFormat setting

Some systems, for example on-call platforms, deduplicate the events they receive. They use the content of the output field to do so, but the default format, which starts with a timestamp, makes every event unique and prevents that deduplication from working as expected. A new setting, outputFieldFormat, is now available and allows you to "format" the output field of the Falco payload before it is forwarded to the outputs.

The default format received from Falco is: <timestamp>: <priority> <output>, which corresponds to this:

14:37:27.505989596: Warning Detected ptrace PTRACE_ATTACH attempt (proc_pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)

By removing the <timestamp> and <priority> tokens from the format, you get:

Detected ptrace PTRACE_ATTACH attempt (proc_pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)

If you use the customFields and templatedFields settings of Falcosidekick to inject new elements into output_fields, it is also possible to include them in the output with the <custom_fields> and <templated_fields> tokens.
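To make the deduplication point concrete, here is an added Go example (not Falcosidekick's own code) that applies an outputFieldFormat-style template to the output field and then derives a deduplication key from the result, the way an on-call platform might. The event struct, the field names and the sample events are this example's own constructions; it assumes the default Falco output layout "<timestamp>: <priority> <output>" and renders custom and templated fields as sorted key=value pairs.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// FalcoEvent holds the parts of a Falco payload this example cares about.
// The type and field names are this example's own, not Falcosidekick's.
type FalcoEvent struct {
	Output          string            // raw "output" field as sent by Falco
	CustomFields    map[string]string // values injected via customFields (assumed shape)
	TemplatedFields map[string]string // values injected via templatedFields (assumed shape)
}

// splitOutput splits the default Falco output "<timestamp>: <priority> <output>"
// into its three parts. If the string does not follow that layout, the whole
// string is treated as the output message.
func splitOutput(raw string) (timestamp, priority, output string) {
	ts, rest, ok := strings.Cut(raw, ": ")
	if !ok {
		return "", "", raw
	}
	prio, msg, ok := strings.Cut(rest, " ")
	if !ok {
		return ts, rest, ""
	}
	return ts, prio, msg
}

// renderFields turns a map into a stable "k=v k2=v2" string. Keys are sorted
// because Go map iteration order is random, and a dedup key must be stable.
func renderFields(fields map[string]string) string {
	keys := make([]string, 0, len(fields))
	for k := range fields {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"="+fields[k])
	}
	return strings.Join(parts, " ")
}

// FormatOutputField applies an outputFieldFormat-style template to an event.
// Supported tokens: <timestamp>, <priority>, <output>, <custom_fields>, <templated_fields>.
func FormatOutputField(format string, ev FalcoEvent) string {
	ts, prio, out := splitOutput(ev.Output)
	r := strings.NewReplacer(
		"<timestamp>", ts,
		"<priority>", prio,
		"<output>", out,
		"<custom_fields>", renderFields(ev.CustomFields),
		"<templated_fields>", renderFields(ev.TemplatedFields),
	)
	return strings.TrimSpace(r.Replace(format))
}

// DedupKey hashes the formatted output field, mimicking a receiving system
// that derives its deduplication key from the text it is sent.
func DedupKey(format string, ev FalcoEvent) string {
	sum := sha256.Sum256([]byte(FormatOutputField(format, ev)))
	return hex.EncodeToString(sum[:])
}

func main() {
	// Constructed sample: the same rule firing twice, one second apart.
	msg := "Warning Detected ptrace PTRACE_ATTACH attempt (proc_pcmdline=bash evt_type=ptrace user=root)"
	first := FalcoEvent{Output: "14:37:27.505989596: " + msg, CustomFields: map[string]string{"env": "prod"}}
	second := FalcoEvent{Output: "14:37:28.000000001: " + msg, CustomFields: map[string]string{"env": "prod"}}

	const defaultFormat = "<timestamp>: <priority> <output>"
	const dedupFormat = "<output> <custom_fields>"

	fmt.Println("default:", FormatOutputField(defaultFormat, first))
	fmt.Println("dedup  :", FormatOutputField(dedupFormat, first))
	fmt.Println("same key with default format:", DedupKey(defaultFormat, first) == DedupKey(defaultFormat, second))
	fmt.Println("same key with dedup format  :", DedupKey(dedupFormat, first) == DedupKey(dedupFormat, second))
}
```

With the default format the two occurrences hash to different keys because of the timestamp; with a format that drops <timestamp> and <priority> they collapse to one key, which is what a deduplicating receiver needs.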

Alternative endpoints for AWS S3

Some projects like MinIO are S3-compatible, and you can now use them as a target for the AWS S3 output by changing the endpoint to use. Thanks to @gysel for this feature.

Split of the docs

The main README of the project grew really large over the years, with all those available outputs. We did a big refactor, and you can now find one file per output, with more details about the configuration, the default values and some tips. The docs are here, and any help is welcome to make them even better.

Fixes

The contributors fixed several bugs; here's a non-exhaustive list of the most important ones:

  • Fix missing root CA for the Kafka output (thanks to @claviola)
  • Fix bug with the extension source in the CloudEvents output
  • Fix panics in the Prometheus output when the hostname field is missing
  • Fix locks in the Loki output (thanks to @bsod90)
  • Fix mTLS client verification failures due to missing ClientCAs (thanks to @jgmartinez)
  • Fix wrong env vars for the PagerDuty output
  • Remove hard-coded settings for usernames in Mattermost and Rocketchat
  • Fix multi-line JSON in the error lines (thanks to @idrissneumann)
  • Fix duplicated custom headers in clients
  • Fix the labels for the AlertManager output (thanks to @Umaaz)

Conclusion

You can find the full changelog here.

The respective Helm charts are already updated and allow you to try all these great new features yourself. Just run helm repo update; helm upgrade --reuse-values -n falco to do so.

Once again, thanks to all the adopters and contributors who have helped with this project all these years. We would never have reached this success without you.