Dear Falco Community, today we are happy to announce the release of Falco 0.41.0!
This version brings several new features, performance enhancements, and bug fixes that streamline Falco’s detection capabilities. During this release cycle, we merged more than 50 PRs on Falco and around 130 PRs for libs and drivers, version 0.21.0 and version 8.1.0, respectively. Thank you to our maintainers and contributors. This would not have been possible without your support and dedication!
To learn everything about the changes, read on!
Key features:
- `config_files` configuration gained support to specify the merge strategy;
- `sendmmsg` and `recvmmsg` will now make use of the `bpf_loop` eBPF helper where available, boosting their performance;
- `proc.aargs` field available, i.e. a lookup for an ancestor's `args` field;
- `proc.args` gained support for indexed access, to only check a certain argument;
- `json_include_output_fields` configuration key for Falco to control whether output fields are included in the JSON message.

Key fixes:

- `-o` options now correctly override included `config_files`.

{{% pageinfo color="warning" %}} This release also comes with breaking changes that you should be aware of before upgrading. {{% /pageinfo %}}
The 0.41.0 release contains a number of features and UX improvements. Here is a list of some of the key new capabilities.
In the Falco 0.41.0 release, the Falco team has completely revised its support for container engines. Key improvements include:
- `onCreate` signal; since `onCreate` comes way before `onStart`, we have plenty of time to deliver the container's metadata before the first process in the container is even started;
- `falcoctl`.

These changes should address all issues related to missing container metadata.
In Falco 0.41.0, we worked hard to create a Falco k8s operator: https://github.com/falcosecurity/falco-operator/. For now, this is considered a technical preview, but we will deliver a fully functional operator very soon. Expect more news in a new blog post!
We are grateful for the suggestions we received from security experts and adopters in our community, and so we implemented the following enhancements:
The modern eBPF probe will no longer store security sensitive settings in the .bss mmapable segment but will use dedicated maps instead. This is a security best practice because it prevents other processes running with elevated privileges from tampering with the map file descriptor, which would be harder to detect. We would like to thank Mouad Kondah for suggesting this change!
Falco will no longer consider rule files or contents of rule directories that do not have a .yml/.yaml extension. This prevents accidental processing of files that are not related to rules. We would like to thank our user Travis Smith for suggesting this change!
This version comes with breaking changes, mostly in the configuration interface.
We removed the already deprecated options `-S/--snaplen`, `-A`, and `-b`; it is now possible to achieve the same result through the Falco configuration:

- `-S/--snaplen`: `falco_libs.snaplen` config key;
- `-A`: `base_syscalls.all` config key;
- `-b`: `buffer_format_base64` config key.

The configuration options for the container engines, added in 0.40.0, have been completely dropped in favor of the new plugin init configuration, which can be found at https://github.com/falcosecurity/plugins/tree/main/plugins/container#configuration.
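As an added example (not taken from the release notes or the Falco project's own files), here is how the three removed flags map onto `falco.yaml`, together with the new `json_include_output_fields` key; the values shown are illustrative assumptions, only the key names come from the notes above:

```yaml
# Migration of the removed CLI flags to falco.yaml (values are assumptions).

# -S/--snaplen 256  ->  falco_libs.snaplen
falco_libs:
  snaplen: 256

# -A  ->  base_syscalls.all (capture every syscall, not only the base set)
base_syscalls:
  all: true

# -b  ->  buffer_format_base64 (base64-encode binary buffers in outputs)
buffer_format_base64: true

# New in 0.41.0: keep or drop the output_fields object in JSON events
json_output: true
json_include_output_fields: false
```

Since `-o` now correctly overrides included `config_files`, a single key can still be flipped at launch, e.g. `falco -o json_include_output_fields=true`, without editing the file.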
You can find more information on breaking changes in the tracking issue.
Falco will now only consider, and consequently load, rule files whose name ends in `.yml` or `.yaml`.
`syslog`-related fields were dropped by libs, since they were unused.
Also, as a consequence of the new container plugin, some breaking changes had to take place:
- `falcosecurity_scap_n_containers` and `falcosecurity_scap_n_missing_container_images` metrics are now moved to the plugin, and their names now have the `falcosecurity_plugins_` prefix;
- `-pc` and `-pk` command line options are now ineffective; it is up to the `container` and `k8smeta` plugins to declare suggested fields to be used as output fields; consequently, `container_image=%container.image.repository` and `k8s_ns=%k8s.ns.name` changed their names to `container_image_repository=` and `k8s_ns_name=`.

In Falco 0.41.0, we have deprecated the following options:

- `-p` CLI flag; the only remaining user for it is gVisor, which will be ported to a plugin sooner or later and will then make use of the suggested output fields plugin API.

Interested in trying out the new features? Use the resources below to get started.

- falco (DockerHub, AWS ECR Gallery)
- falco-driver-loader (DockerHub, AWS ECR Gallery)

Falco is more mature with each release. Following its graduation, we have published the roadmap for version 1.0.0, which is guiding us in the next steps. For the next release, you can expect more stability, a refined k8s operator, improved performance, and, as always, new detections and fixes.
Join us on social media and in our weekly community calls! It’s always great to have new members in the community, and we’re looking forward to hearing your feedback and ideas.
You can find all the most up-to-date information at https://falco.org/community/.