@faun · Mar 15, 2023
The Falco project, an open-source runtime security tool, has released version 0.34.0, which includes support for older RHEL distributions, the ability to download and update Falco rules at runtime, and an experimental eBPF probe. Codenamed "The Honeybee", this release provides a separate repository for Falco rules, allowing for dedicated versioning. The new version of the Falco Helm chart (3.0.0) includes a feature for automatic rule updates.
Falco 0.34.0 also introduces falcoctl, a CLI tool for administering the security tool. The release includes support for multiple architectures, including x86_64 and arm64, and an experimental modern eBPF probe. The eBPF probe is not yet production-ready, but it implements around 80 syscalls. The release also includes new eBPF features, such as the compile-once-run-everywhere (CO-RE) paradigm, global variables, and ring buffers.
Additional checks have been introduced in Falco rules to detect potentially malicious executables, and new fields have been added to process spawn events to improve tracking and incident response.