UPDATE: Sysdig Falco v0.15.1

Three days ago, an updated version – Sysdig Falco v0.15.1 – was released. It has been some time since I last blogged about this open source behavorial activity monitor which has container support.  This release remediates integration issues with Anchore by updating urllib3 and requests Python library versions in addition to others.

What is Sysdig Falco?

Sysdig Falco is an open source, behavioral activity monitor designed to detect anomalous activity in your applications. This is project for intrusion and anomaly detection for Cloud Native platforms such as Kubernetes, Mesosphere, and Cloud Foundry.

Major Changes

• Drop unnecessary events at the kernel level instead of userspace, which should improve performance [#635]

Minor Changes

• Add instructions for k8s audit support in >= 1.13 [#608]
• Fix security issues reported by GitHub on Anchore integration [#592]
• Several docs/readme improvements [#620] [#616] [#631] [#639] [#642]
• Better tracking of rule counts per ruleset [#645]

Bug Fixes

• Handle rule patterns that are invalid regexes [#636]
• Fix kernel module builds on newer kernels [#646] [#sysdig/1413]

Rule Changes in Sysdig Falco v0.15.1

• New rule Launch Remote File Copy Tools in Container could be used to identify exfiltration attacks [#600]
• New rule Create Symlink Over Sensitive Files can help detect attacks like [CVE-2018-15664] [#613] [#637]
• Let etcd-manager write to /etc/hosts. [#613]
• Let additional processes spawned by google-accounts-daemon access sensitive files [#593]
• Add Sematext Monitoring & Logging agents to trusted k8s containers [#594]
• Add additional coverage for Netcat Remote Code Execution in Container rule. [#617]
• Fix egrep typo. [#617]
• Allow Ansible to run using Python 3 [#625]
• Additional Write below etc exceptions for nginx, rancher [#637] [#648] [#652]
• Add rules for running with IBM Cloud Kubernetes Service [#634]

We all know how severe CVE-2018-15664 can be for dockers. This is what NVD has to say about it – “In Docker through 18.06.1-ce-rc2, the API endpoints behind the ‘docker cp’ command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot).“

Download Sysdig Falco v0.15.1:

Sysdig Falco v0.15.1  (falco-0.15.1.zip/falco-0.15.1.tar.gz) can be downloaded here. If you want to know how to install Sysdig Falco using containers, refer this page.