Sysdig has contributed the sysdig kernel module, eBPF probe, and Falco libraries to the Cloud Native Computing Foundation (CNCF). This extended Berkeley Packet Filter (eBPF) contribution is the first eBPF project to be added to the CNCF and it is one of the largest eBPF code bases in the open.
The contributed source code has taken more than 100,000 hours to write and with the announcement today, it has moved into the Falco organization.
Falco, the only runtime security project in the CNCF, was contributed by Sysdig in October 2018. Falco has nearly 24 million Docker Hub downloads, an increase of nearly three million in the last two months, and a 300 percent increase over last year.
Sysdig said that the company is committed to the open source community and open standards, and this move will ensure Falco is fully owned by the community.
This contribution includes the core components at the base of Falco and open source sysdig and it will live in the falcosecurity github repository. Open source sysdig is an incident response and troubleshooting tool for containers, Kubernetes, and Linux. While there are other tools in the CNCF that help developers use eBPF, this is the first that uses eBPF.
According to the company, this contribution includes powerful security building blocks that implement a sophisticated and extremely efficient system call capture framework in the Linux kernel. It includes system call capture functionality with full support for capture file abstraction and a battle-tested kernel event enrichment library with more than 70,000 lines of code.
eBPF allows organizations to run programs in the Linux kernel without changing the kernel code or loading a module. This allows users to access kernel activity without risking system stability or security.