Falco 0.13.0 Released: Kubernetes Audit Events Support
Blog post from Sysdig
Falco 0.13.0 introduces support for Kubernetes Audit Events, marking a significant enhancement since the project's initial release: Falco can now detect and notify on suspicious activity within Kubernetes clusters. This adds a second stream of events alongside system call events and allows further event sources to be integrated in the future. The release ships new Kubernetes audit rules that identify notable activities, such as unauthorized user actions, creation of privileged pods, and management of sensitive resources like configmaps containing private credentials.

Falco's architecture is unchanged in that events are processed against rule sets, but Falco now embeds a civetweb-based webserver that accepts Kubernetes audit events through POST requests. The rules fall into three groups: those detecting suspicious activities, those tracking resource changes, and those displaying audit events, together offering enhanced runtime observability.

Additional features include better kernel module management, configuration reloads without restarting Falco, and the integration of netcat for easier event management. The release is available as RPM/Debian packages, Docker images, and on GitHub, with further support available through the Sysdig open-source Slack team.
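As an added illustration, not code from the post or from Falco itself, the following Python sketches the kind of check the privileged-pod and configmap rules perform, run over a constructed Kubernetes audit event of the shape the API server POSTs to a webhook backend such as Falco's webserver. The rule names and the list of credential-looking key names are assumptions.

```python
import json
import re

# Constructed sample: one audit.k8s.io/v1 Event for a pod creation, in the
# layout the API server sends to an audit webhook backend.
SAMPLE_EVENT = json.loads("""
{
  "kind": "Event", "apiVersion": "audit.k8s.io/v1",
  "stage": "ResponseComplete", "verb": "create",
  "user": {"username": "system:serviceaccount:default:ci"},
  "objectRef": {"resource": "pods", "namespace": "default", "name": "dbg"},
  "requestObject": {"spec": {"containers": [
      {"name": "shell", "image": "busybox",
       "securityContext": {"privileged": true}}]}}
}
""")

# Assumed list of key names that suggest a secret was put in a configmap.
CREDENTIAL_KEY = re.compile(r"(password|passwd|secret|token|aws_access_key)", re.I)


def privileged_pod_created(ev):
    """True when a completed 'create' on pods carries a privileged container."""
    if ev.get("stage") != "ResponseComplete" or ev.get("verb") != "create":
        return False
    if (ev.get("objectRef") or {}).get("resource") != "pods":
        return False
    spec = (ev.get("requestObject") or {}).get("spec") or {}
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        if (c.get("securityContext") or {}).get("privileged") is True:
            return True
    return False


def configmap_with_credentials(ev):
    """True when a configmap is created/modified with a credential-looking key."""
    if ev.get("verb") not in ("create", "update", "patch"):
        return False
    if (ev.get("objectRef") or {}).get("resource") != "configmaps":
        return False
    data = (ev.get("requestObject") or {}).get("data") or {}
    return any(CREDENTIAL_KEY.search(k) for k in data)


def evaluate(ev):
    """Return the names (assumed) of the checks that fire for one audit event."""
    checks = {"Privileged pod created": privileged_pod_created,
              "Configmap with private credentials": configmap_with_credentials}
    return [name for name, fn in checks.items() if fn(ev)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENT):
        print(f"{hit}: user={SAMPLE_EVENT['user']['username']} "
              f"pod={SAMPLE_EVENT['objectRef']['name']}")
```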