SysFlow 0.6.0

Today we announce the release of SysFlow 0.6.0!

What’s Changed?

In this release, we added several new improvements including the addition of CO-RE eBPF support. We also refactored the processor so that it can support new rules languages (e.g., Falco, Sigma), and use different data sources with our policy engine. Furthermore, we bumped the falco libs to version 0.12 and driver 5.1.0 and upgraded the underlying container UBI images to 9. More details are below.

CO-RE eBPF support

This new release adds support to CO-RE eBPF in the collector. This means that for systems running kernels 5.8 or newer, you no longer need to download or compile a driver or install kernel headers, improving portability. The CO-RE driver is compiled directly into the collector binary, which means that a driver loader script is not required when the collector is executed using the CO-RE eBPF driver.

To choose a driver, use the following new command line argument to the collector:

-k <driver type> The driver type to load. Can be ebpf, ebpf-core, or kmod

It’s also accessible through the Docker image using the environment variable: DRIVER_TYPE. This variable is prepopulated to ebpf in the docker compose deployments here and are configurable.

With the helm chart, set the following variable in the values.yaml to the desired driver. Thanks to Marco C. and the folks from Cisco for the PR submission to fix issues with the helm. Your contributions are greatly appreciated!

Processor Refactor and Sigma Rules Engine Implementation

We refactored the SysFlow Processor to decouple the policy engine from SysFlow so that it can be used with different data sources (e.g., Open Telemetry, auditd, etc.) and interpret different detection rule languages (e.g., Sigma, Falco). To improve code reuse, we upgraded the Processor to Go 1.19 and refatored our key interfaces to use Go Generics. Along with this refactoring, we built an experimental Sigma language interpreter into the processor. Now you can use Sigma rules with SysFlow or create your own rule language interpreter, and implement a driver plugin for other data sources. The documentation on this feature isn’t complete, but if you would like to implement a new rules engine, data source, or use Sigma, please reach out to us on the SysFlow slack channel. We are excited for contributions in this area and are working on an Open Telemetry data source option for the policy engine. We are also implementing Kafka support.

Docker Image upgrade to UBI 9

The docker images have all been upgraded to UBI 9 as UBI 8 will soon reach EOL. This change will not affect most people’s usage of SysFlow, but it does impact folks that use the collector on older Linux kernels with the kernel module driver. When you use the kernel driver, you must compile it with the same gcc compiler version as the kernel it is running on. To support all kernels, we’d have to install many old gcc compiler versions into the image. We decided not to do that at this time as it creates security issues and image bloat. Currently, we have gcc’s 11 and 12 installed in the image which should support kernels 5 and 6. For all kernels, we recommend using the CO-RE eBPF driver if it is supported (5.8+), followed by the eBPF driver (4.14+), and then finally the kernel module if the other drivers are not supported. eBPF is more secure and does not have the same compiler issues that the kernel module does. If you require a kernel module and things are not working, please reach out to us at the slack channel and we can brainstorm on a solution for your use case. SysFlow releases pre-packages systemd binary packages (RPM, DEB, and TGZ) that could work as alternatives for a legacy deployment.

Contributing

SysFlow is maturing into a fully-featured ecosystem for cloud-native telemetry and security analytics. We are an inclusive project and welcome contributions from the community! Let’s grow it together!

If you enjoy coding and designing scalable software, and likes the project’s vision, read our contribution guideline and CoC, and consider becoming a contributor. Look for open or help wanted tags in our issue tracker. Commenting and helping us triage git issues are also great ways to help. Help with documentation is welcome. Our projects are written in C++, Go, and Python, so there is room for everyone!

If you are using SysFlow in your projects, academic or otherwise, please shoot us a message on Slack. We would love to hear about it! If you published a research paper or talk in which you used SysFlow, please let us know or send a PR to include the citation in our talks and publications list ;)

Please file bug reports using our git issue tracker.

Connect with us on Slack! If you have any questions about SysFlow, we will be there to help.

Cheers!

– The SysFlow Team ♥