Version 0.36.1-rc1
What’s Changed
- sync: release 0.36.1 by @Andreagit97 in https://github.com/falcosecurity/falco/pull/2868
Full Changelog: https://github.com/falcosecurity/falco/compare/0.36.0...0.36.1-rc1
Version 0.36.0
Packages | Download |
---|---|
rpm-x86_64 | |
deb-x86_64 | |
tgz-x86_64 | |
rpm-aarch64 | |
deb-aarch64 | |
tgz-aarch64 |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.36.0 |
docker pull public.ecr.aws/falcosecurity/falco:0.36.0 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.36.0 |
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.36.0 |
docker pull docker.io/falcosecurity/falco-no-driver:0.36.0 |
docker pull docker.io/falcosecurity/falco-distroless:0.36.0 |
v0.36.0
Released on 2023-09-26
Breaking Changes :warning:
- The default rules file that is shipped in the Falco image and/or can be downloaded via falcoctl as
falco-rules
is now a stable rule file. This file contains a much smaller number of rules that are less noisy and have been vetted by the community. This serves as a much requested “starter” Falco rule set that covers many common use case. The rest of that file has been expanded and split intofalco-incubating-rules
andfalco-sandbox-rules
. For more information, see the rules repository - The main
falcosecurity/falco
container image and itsfalco-driver-loader
counterpart have been upgraded. Now they are able to compile the kernel module or classic eBPF probe for relatively newer version of the kernel (5.x and above) while we no longer ship toolchains to compile the kernel module for older versions in the default images. Downloading of prebuilt drivers and the modern eBPF will work exactly like before. The older image, meant for compatibility with older kernels (4.x and below), is currently retained asfalcosecurity/falco-driver-loader-legacy
. - The Falco HTTP output no longer logs to stdout by default for performance reasons. You can set stdout logging preferences and restore the previous behavior with the configuration option
http_output.echo
infalco.yaml
. - The
--list-syscall-events
command line option has been replaced by--list-events
which prints all supported system events (syscall, tracepoints, metaevents, internal plugin events) in addition to extra information about flags. - The semantics of
proc.exepath
have changed. Now that field contains the executable path on disk even if the binary was launched from a symbolic link. - The
-d
daemonize option has been removed. - The
stats
command line option (-s
,--stats-interval
) has been removed in favor of metrics configs infalco.yaml
- The
-p
option is now changed:- when only
-pc
is set Falco will printcontainer_id=%container.id container_image=%container.image.repository container_image_tag=%container.image.tag container_name=%container.name
- when
-pk
is set it will print as above, but withk8s_ns=%k8s.ns.name k8s_pod_name=%k8s.pod.name
appended
- when only
Major Changes
- new(falco-driver-loader): –source-only now prints the values as env vars [#2353] - @steakunderscore
- new(docker): allow passing options to falco-driver-loader from the driver loader cointainer [#2781] - @LucaGuerra
- new(docker): add experimental falco-distroless image based on Wolfi [#2768] - @LucaGuerra
- new: the legacy falco image is available as driver-loader-legacy [#2718] - @LucaGuerra
- new: added option to enable/disable echoing of server answer to stdout (disabled by default) when using HTTP output [#2602] - @FedeDP
- new: support systemctl reload for Falco services [#2588] - @jabdr
- new(falco/config): add new configurations for http_output that allow mTLS [#2633] - @annadorottya
- new: allow falco to match multiple rules on same event [#2705] - @loresuso
Minor Changes
- update(cmake): bumped bundled falcoctl to 0.6.2 [#2829] - @FedeDP
- update(rules)!: major rule update to version 2.0.0 [#2823] - @LucaGuerra
- update(cmake): bumped plugins to latest stable versions [#2820] - @FedeDP
- update(cmake): bumped libs to 0.13.0-rc2 and driver to 6.0.1+driver [#2806] - @FedeDP
- update!: default substitution for
%container.info
is now equalcontainer_id=%container.id container_name=%container.name
[#2793] - @leogr - update!: the –list-syscall-events flag is now called –list-events and lists all events [#2771] - @LucaGuerra
- update!: the Falco base image is now based on Debian 12 with gcc 11-12 [#2718] - @LucaGuerra
- update(docker): the Falco no-driver image is now based on Debian 12 [#2782] - @LucaGuerra
- feat(userspace)!: remove
-d
daemonize option [#2677] - @incertum - build(deps): Bump submodules/falcosecurity-rules from 3f52480 to 0d0e333 [#2693] - @dependabot[bot]
- build(deps): Bump submodules/falcosecurity-rules from 3f52480 to b42893a [#2756] - @dependabot[bot]
- build(deps): Bump submodules/falcosecurity-rules from b42893a to 6ed73fe [#2780] - @dependabot[bot]
- update(cmake): bumped libs to 0.13.0-rc1 and driver to 6.0.0+driver. [#2783] - @FedeDP
- feat: support parsing of system environment variables in yaml [#2562] - @therealdwright
- feat(userspace)!: deprecate stats command args option in favor of metrics configs in falco.yaml [#2739] - @incertum
- update: upgrade
falcoctl
to version 0.6.0 [#2764] - @leogr - cleanup: deprecate rate limiter mechanism [#2762] - @Andreagit97
- cleanup(config): add more info [#2758] - @incertum
- update(userspace/engine): improve skip-if-unknown-filter YAML field [#2749] - @jasondellaluce
- chore: improved HTTP output performance [#2602] - @FedeDP
- update!: HTTP output will no more echo to stdout by default [#2602] - @FedeDP
- chore: remove b64 from falco dependencies [#2746] - @Andreagit97
- update(cmake): support building libs and driver from forks [#2747] - @jasondellaluce
- update:
-p
presets have been updated to reflect the new rules style guide [#2737] - @leogr - feat: Allow specifying explicit kernel release and version for falco-driver-loader [#2728] - @johananl
- cleanup(config): assign Stable to
base_syscalls
config [#2740] - @incertum - update : support build for wasm [#2663] - @Rohith-Raju
- docs(config.yaml): fix wrong severity levels for sinsp logger [#2736] - @Andreagit97
- update(cmake): bump libs and driver to 0.12.0 [#2721] - @jasondellaluce
Bug Fixes
- fix(outputs): expose queue_capacity_outputs config for memory control [#2711] - @incertum
- fix(userspace/falco): cleanup metrics timer upon leaving. [#2759] - @FedeDP
- fix: restore Falco MINIMAL_BUILD and deprecate
userspace
option [#2761] - @Andreagit97 - fix(userspace/engine): support appending to unknown sources [#2753] - @jasondellaluce
Non user-facing changes
- build(deps): Bump submodules/falcosecurity-rules from
69c9be8
to77ba57a
[#2833] - @dependabot[bot] - chore: bump submodule testing to 62edc65 [#2831] - @Andreagit97
- update(gha): add version for rn2md [#2830] - @LucaGuerra
- chore: automatically attach release author to release body. [#2828] - @FedeDP
- new(ci): autogenerate release body. [#2812] - @FedeDP
- fix(dockerfile): remove useless CMD [#2824] - @Andreagit97
- chore: bump to the latest libs [#2822] - @Andreagit97
- update: add SPDX license identifier [#2809] - @leogr
- chore: bump to latest libs [#2815] - @Andreagit97
- build(deps): Bump submodules/falcosecurity-rules from
ee5fb38
tobea364e
[#2814] - @dependabot[bot] - fix(build): set the right bucket and version for driver legacy [#2800] - @LucaGuerra
- build(deps): Bump submodules/falcosecurity-rules from
43580b4
toee5fb38
[#2810] - @dependabot[bot] - cleanup(userspace): thrown exceptions and avoid multiple logs [#2803] - @Andreagit97
- build(deps): Bump submodules/falcosecurity-rules from
c6e01fa
to43580b4
[#2801] - @dependabot[bot] - build(deps): Bump submodules/falcosecurity-testing from
76d1743
to30c3643
[#2802] - @dependabot[bot] - fix(userspace/falco): clearing full output queue [#2798] - @jasondellaluce
- update(docs): add driver-loader-legacy to readme and fix bad c&p [#2799] - @LucaGuerra
- build(deps): Bump submodules/falcosecurity-rules from
d31dbc2
toc6e01fa
[#2797] - @dependabot[bot] - docs: add LICENSE file [#2796] - @leogr
- build(deps): Bump submodules/falcosecurity-rules from
b6372d2
tod31dbc2
[#2794] - @dependabot[bot] - fix(stats): always initialize m_output field [#2789] - @Andreagit97
- build(deps): Bump submodules/falcosecurity-rules from
6ed73fe
tob6372d2
[#2786] - @dependabot[bot] - update(cmake/modules): bump rules to falco-rules-2.0.0-rc1 [#2775] - @leogr
- update(OWNERS): add LucaGuerra to owners [#2650] - @LucaGuerra
- build(deps): Bump submodules/falcosecurity-rules from
9126bef
to0328c59
[#2709] - @dependabot[bot] - build(deps): Bump submodules/falcosecurity-rules from
0d0e333
to64ce419
[#2731] - @dependabot[bot] - build(deps): Bump submodules/falcosecurity-rules from
3ceea88
to40a9817
[#2745] - @dependabot[bot] - docs(README.md): correct URL [#2772] - @vjjmiras
- #2393 Document why Falco is written in C++ rather than anything else [#2410] - @RichardoC
- chore: bump Falco to latest libs [#2769] - @Andreagit97
- ci: disable falco-driver-loader tests on ARM64 [#2770] - @Andreagit97
- update(userspace/falco): revised CLI help messages [#2755] - @leogr
- fix(engine): fix reorder warning for m_watch_config_files / m_rule_matching [#2767] - @LucaGuerra
- update: introduce new stats updated to the latest libs version [#2766] - @Andreagit97
- ci: support tests on amazon-linux [#2765] - @Andreagit97
- chore: bump Falco to latest libs master [#2754] - @Andreagit97
- build(deps): Bump submodules/falcosecurity-testing from
b39c807
to9110022
[#2760] - @dependabot[bot] - fix: fix “ebpf_enabled” output stat [#2751] - @Andreagit97
- fix(userspace/engine): support both old and new gcc + std::move [#2748] - @jasondellaluce
- cleanup: turn some warnings into errors [#2744] - @Andreagit97
- update(ci): minimize retention days for build-only CI artifacts [#2743] - @jasondellaluce
- cleanup: remove unused
--pidfile
option from systemd units [#2742] - @Andreagit97 - build(deps): Bump submodules/falcosecurity-rules from
bf1639a
to3ceea88
[#2741] - @dependabot[bot] - build(deps): Bump submodules/falcosecurity-rules from
64ce419
tobf1639a
[#2738] - @dependabot[bot] - Relocate tools on Flatcar in BPF mode [#2729] - @johananl
- build: update versioning with cmake [#2727] - @leogr
- update(userspace/engine): make rule_matching strategy stateless [#2726] - @loresuso
- chore: bump Falco to latest libs version [#2722] - @Andreagit97
Statistics
MERGED PRS | NUMBER |
---|---|
Not user-facing | 48 |
Release note | 38 |
Total | 86 |
Release Manager @LucaGuerra
Version 0.36.0-rc3
Packages | Download |
---|---|
rpm-x86_64 | |
deb-x86_64 | |
tgz-x86_64 | |
rpm-aarch64 | |
deb-aarch64 | |
tgz-aarch64 |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.36.0-rc3 |
docker pull public.ecr.aws/falcosecurity/falco:0.36.0-rc3 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.36.0-rc3 |
docker pull docker.io/falcosecurity/falco-no-driver:0.36.0-rc3 |
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.36.0-rc3 |
docker pull docker.io/falcosecurity/falco-distroless:0.36.0-rc3 |
Release Candidate for Falco 0.36.0. To see what’s included, check the corresponding milestone: https://github.com/falcosecurity/falco/milestone/30
Version 0.36.0-rc2
Packages | Download |
---|---|
rpm-x86_64 | |
deb-x86_64 | |
tgz-x86_64 | |
rpm-aarch64 | |
deb-aarch64 | |
tgz-aarch64 |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.36.0-rc2 |
docker pull public.ecr.aws/falcosecurity/falco:0.36.0-rc2 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.36.0-rc2 |
docker pull docker.io/falcosecurity/falco-no-driver:0.36.0-rc2 |
Second Release Candidate for Falco 0.36.0. To see what’s included, check the corresponding milestone: https://github.com/falcosecurity/falco/milestone/30
Version 0.36.0-rc1
Version 0.35.1
Packages | Download |
---|---|
rpm-x86_64 | |
deb-x86_64 | |
tgz-x86_64 | |
rpm-aarch64 | |
deb-aarch64 | |
tgz-aarch64 |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.35.1 |
docker pull public.ecr.aws/falcosecurity/falco:0.35.1 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.35.1 |
docker pull docker.io/falcosecurity/falco-no-driver:0.35.1 |
Major Changes
Minor Changes
- update(userspace): change description of snaplen option stating only performance implications [#2634] - @loresuso
- update(cmake): bump libs to 0.11.3 [#2662] - @jasondellaluce
- cleanup(config): minor config clarifications [#2651] - @incertum
- update(cmake): bump falco rules to v1.0.1 [#2648] - @jasondellaluce
- chore(userspace/falco): make source matching error more expressive [#2623] - @jasondellaluce
- update(.github): integrate Go regression tests [#2437] - @jasondellaluce
Bug Fixes
- fix(scripts): fixed falco-driver-loader to manage debian kernel rt and cloud flavors. [#2627] - @FedeDP
- fix(userspace/falco): solve live multi-source issues when loading more than two sources [#2653] - @jasondellaluce
- fix(driver-loader): fix ubuntu kernel version parsing [#2635] - @therealbobo
- fix(userspace): switch to timer_settime API for stats writer. [#2646] - @FedeDP
Non user-facing changes
- CI: bump ubuntu version for tests-driver-loader-integration job [#2661] - @Andreagit97
Release Manager @jasondellaluce
Version 0.35.0
Packages | Download |
---|---|
rpm-x86_64 | |
deb-x86_64 | |
tgz-x86_64 | |
rpm-aarch64 | |
deb-aarch64 | |
tgz-aarch64 |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.35.0 |
docker pull public.ecr.aws/falcosecurity/falco:0.35.0 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.35.0 |
docker pull docker.io/falcosecurity/falco-no-driver:0.35.0 |
Major Changes
- BREAKING CHANGE: support for metadata enrichment from Mesos has been removed. [#2465] - @leogr
- new(falco): introduce new metrics w/ Falco internal: metrics snapshot option and new metrics config [#2333] - @incertum
- new(scripts): properly manage talos prebuilt drivers [#2537] - @FedeDP
- new(release): released container images are now signed with cosign [#2546] - @LucaGuerra
- new(ci): ported master and release artifacts publishing CI to gha [#2501] - @FedeDP
- new(app_actions): introduce base_syscalls user option [#2428] - @incertum
- new(falco/config): add new configurations for http_output that allow custom CA certificates and stores. [#2458] - @alacuku
- new(cmake): bumped libs to c8b0d6a8fdc1bb3ea9067bc2fdc3ae5858cff48f [#2456] - @FedeDP
- new(userspace): add a new
syscall_drop_failed
config option to drop failed syscalls exit events [#2456] - @FedeDP
Minor Changes
- update(cmake): bump Falco rules to 1.0.0 [#2618] - @loresuso
- update(cmake): bump libs to 0.11.1 [#2614] - @loresuso
- update(cmake): bump plugins to latest versions [#2610] - @loresuso
- update(cmake): bump falco rules to 1.0.0-rc1 [#2609] - @loresuso
- update(cmake): bump libs to 0.11.0 [#2608] - @loresuso
- cleanup(docs): update release.md [#2599] - @incertum
- update(cmake): bump libs to 0.11.0-rc5 and driver to 5.0.1. [#2600] - @FedeDP
- cleanup(docs): adjust falco readme style and content [#2594] - @incertum
- cleanup(userspace, config): improve metrics UX, add include_empty_values option [#2593] - @incertum
- feat: add the curl and jq packages to the falco-no-driver docker image [#2581] - @therealdwright
- update: add missing exception, required_engine_version, required_plugin_version to -L json output [#2584] - @loresuso
- feat: add image source OCI label to docker images [#2592] - @therealdwright
- cleanup(config): improve falco config [#2571] - @incertum
- update(cmake): bump libs and plugins to latest dev versions [#2586] - @jasondellaluce
- chore(userspace/falco): always print invalid syscalls from custom set [#2578] - @jasondellaluce
- update(build): upgrade falcoctl to 0.5.0 [#2572] - @LucaGuerra
- chore(userspace/falco/app): print all supported plugin caps [#2564] - @jasondellaluce
- update: get rules details with
-l
or-L
flags when json output format is specified [#2544] - @loresuso - update!: bump libs version, and support latest plugin features, add –nodriver option [#2552] - @jasondellaluce
- cleanup(actions): now modern bpf support
-A
flag [#2551] - @Andreagit97 - update:
falco-driver-loader
now uses now uses $TMPDIR if set [#2518] - @jabdr - update: improve control and UX of ignored events [#2509] - @jasondellaluce
- update: bump libs and adapt Falco to new libsinsp event source management [#2507] - @jasondellaluce
- new(app_actions)!: adjust base_syscalls option, add base_syscalls.repair [#2457] - @incertum
- update(scripts): support al2022 and al2023 in falco-driver-loader. [#2494] - @FedeDP
- update: sync libs with newest event name APIs [#2471] - @jasondellaluce
- update!: remove
--mesos-api
,-pmesos
, and-pm
command-line flags [#2465] - @leogr - cleanup(unit_tests): try making test_configure_interesting_sets more robust [#2464] - @incertum
Bug Fixes
- fix: unquote quoted URL’s to avoid libcurl errors [#2596] - @therealdwright
- fix(userspace/engine): store alternatives as array in -L json output [#2597] - @loresuso
- fix(userspace/engine): store required engine version as string in -L json output [#2595] - @loresuso
- fix(userspace/falco): report plugin deps rules issues in any case [#2589] - @jasondellaluce
- fix(userspace): hotreload on wrong metrics [#2582] - @therealbobo
- fix(userspace): check the supported number of online CPUs with modern bpf [#2575] - @Andreagit97
- fix(userspace/falco): don’t hang on terminating error when multi sourcing [#2576] - @jasondellaluce
- fix(userspace/falco): properly format numeric values in metrics [#2569] - @jasondellaluce
- fix(scripts): properly support debian kernel releases embedded in kernel version [#2377] - @FedeDP
Non user-facing changes
- docs(README.md): add scope/status badge and simply doc structure [#2611] - @leogr
- build(deps): Bump submodules/falcosecurity-rules from
3471984
to16fb709
[#2598] - @dependabot[bot] - docs(proposals): Falco roadmap management [#2547] - @leogr
- build(deps): Bump submodules/falcosecurity-rules from
b2290ad
to3471984
[#2577] - @dependabot[bot] - update(build): libs 0.11.0-rc2 [#2573] - @LucaGuerra
- build(deps): Bump submodules/falcosecurity-rules from
3f52480
tob2290ad
[#2570] - @dependabot[bot] - update(ci): use repo instead of master branch for reusable workflows [#2568] - @LucaGuerra
- cleanup(ci): cleaned up circleci workflow. [#2566] - @FedeDP
- build(deps): Bump requests from 2.26.0 to 2.31.0 in /test [#2567] - @dependabot[bot]
- fix(ci): simplify and fix multi-arch image publishing process [#2542] - @LucaGuerra
- fix(ci): get the manifest for the correct tag [#2563] - @LucaGuerra
- build(deps): Bump submodules/falcosecurity-rules from
3f52480
to6da15ae
[#2559] - @dependabot[bot] - fix(ci): properly use
docker save
to store images. [#2560] - @FedeDP - fix(ci): docker arg is named
TARGETARCH
. [#2558] - @FedeDP - fix(ci): set docker TARGET_ARCH [#2557] - @FedeDP
- fix(ci): use normal docker to build docker images, instead of buildx. [#2556] - @FedeDP
- docs: improve documentation and description of base_syscalls option [#2515] - @Happy-Dude
- Updating Falco branding guidelines [#2493] - @aijamalnk
- build(deps): Bump submodules/falcosecurity-rules from
f773578
to6da15ae
[#2553] - @dependabot[bot] - fix(cmake): properly exclude prereleases when fetching latest tag from cmake [#2550] - @FedeDP
- fix(ci): load falco image before building falco-driver-loader [#2549] - @LucaGuerra
- fix(ci): correctly tag slim manifest [#2545] - @LucaGuerra
- cleanup(config): modern bpf is no more experimental [#2538] - @Andreagit97
- new(ci): add RC/prerelease support [#2533] - @LucaGuerra
- fix(ci): configure ECR public region [#2531] - @LucaGuerra
- fix(ci): falco images directory, ecr login [#2528] - @LucaGuerra
- fix(ci): separate rpm/bin/bin-static/deb packages before publication, rename bin-static [#2527] - @LucaGuerra
- fix(ci): add Cloudfront Distribution ID [#2525] - @LucaGuerra
- fix(ci): escape heredoc [#2521] - @LucaGuerra
- chore(ci): build-musl-package does not need to wait for build-packages anymore [#2520] - @FedeDP
- fix: ci Falco version [#2516] - @FedeDP
- fix(ci): fetch version step, download rpms/debs, minor change [#2519] - @LucaGuerra
- chore(ci): properly install recent version of git (needed >= 2.18 by checkout action) [#2514] - @FedeDP
- fix(ci): enable toolset before every make command [#2513] - @LucaGuerra
- fix(ci): remove unnecessary mv [#2512] - @LucaGuerra
- fix(ci): bucket -> bucket_suffix [#2511] - @LucaGuerra
- build(deps): Bump submodules/falcosecurity-rules from
5857874
to1bd7e4a
[#2478] - @dependabot[bot] - build(deps): Bump submodules/falcosecurity-rules from
694adf5
to5857874
[#2473] - @dependabot[bot] - cleanup(ci): properly set a concurrency for CI workflows. [#2470] - @FedeDP
- build(deps): Bump submodules/falcosecurity-rules from
e0646a0
to694adf5
[#2466] - @dependabot[bot] - build(deps): Bump submodules/falcosecurity-rules from
0b0f50f
toe0646a0
[#2460] - @dependabot[bot]
Release Manager @FedeDP
Version 0.35.0-rc2
Version 0.35.0-rc1
Version 0.35.0-alpha5
Version 0.35.0-alpha4
Version 0.35.0-alpha3
Version 0.35.0-alpha2
Version 0.35.0-alpha1
Version 0.34.1
Packages | Download |
---|---|
rpm-x86_64 | |
deb-x86_64 | |
tgz-x86_64 | |
rpm-aarch64 | |
deb-aarch64 | |
tgz-aarch64 |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.34.1 |
docker pull public.ecr.aws/falcosecurity/falco:0.34.1 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.34.1 |
docker pull docker.io/falcosecurity/falco-no-driver:0.34.1 |
docker pull docker.io/falcosecurity/falcoctl:0.4.0 |
Minor Changes
- fix(userspace/engine): correctly bump FALCO_ENGINE_VERSION after introduction of new fields [#2418] - @loresuso
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 1 |
Release note | 1 |
Total | 2 |
Release Manager
@alacuku
Version 0.34.0
Packages | Download |
---|---|
rpm-x86_64 | |
deb-x86_64 | |
tgz-x86_64 | |
rpm-aarch64 | |
deb-aarch64 | |
tgz-aarch64 |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.34.0 |
docker pull public.ecr.aws/falcosecurity/falco:0.34.0 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.34.0 |
docker pull docker.io/falcosecurity/falco-no-driver:0.34.0 |
docker pull docker.io/falcosecurity/falcoctl:0.4.0 |
Major Changes
- BREAKING CHANGE: if you relied upon
application_rules.yaml
you can download it from https://github.com/falcosecurity/rules/tree/main/rules and manually install it. [#2389] - @leogr - new(rules): New rule to detect attempts to inject code into a process using PTRACE [#2226] - @Brucedh
- new(engine): Also include exact locations for rule condition compile errors (missing macros, etc). [#2216] - @mstemm
- new(scripts): Support older RHEL distros in falco-driver-loader script [#2312] - @gentooise
- new(scripts): add
falcoctl
config into Falco package [#2390] - @Andreagit97 - new(userspace/falco): [EXPERIMENTAL] allow modern bpf probe to assign more than one CPU to a single ring buffer [#2363] - @Andreagit97
- new(userspace/falco): add webserver endpoint for retrieving internal version numbers [#2356] - @jasondellaluce
- new(falco): add –version-json to print version information in json format [#2331] - @LucaGuerra
- new(scripts): support multiple drivers in systemd units [#2242] - @FedeDP
- new(scripts): add bottlerocket support in falco-driver-loader [#2318] - @FedeDP
- new(falco): add more version fields to –support and –version [#2325] - @LucaGuerra
- new(config): explicitly add the
simulate_drops
config [#2260] - @Andreagit97
Minor Changes
- build: upgrade to
falcoctl
v0.4.0 [#2406] - @loresuso - update(userspace): change
modern_bpf.cpus_for_each_syscall_buffer
default value [#2404] - @Andreagit97 - update(build): update falcoctl to 0.3.0 [#2401] - @LucaGuerra
- update(build): update falcoctl to 0.3.0-rc7 [#2396] - @LucaGuerra
- update(cmake): bump libs to 0.10.3 [#2392] - @FedeDP
- build:
/etc/falco/rules.available
has been deprecated [#2389] - @leogr - build:
application_rules.yaml
is not shipped anymore with Falco [#2389] - @leogr - build: upgrade k8saudit plugin to v0.5.0 [#2381] - @leogr
- build: upgrade cloudtrail plugin to v0.6.0 [#2381] - @leogr
- new!: ship falcoctl inside Falco [#2345] - @FedeDP
- refactor: remove rules and add submodule to falcosecurity/rules [#2359] - @jasondellaluce
- update(scripts): add option for regenerating signatures of all dev and release packages [#2364] - @jasondellaluce
- update: print JSON version output when json_output is enabled [#2351] - @jasondellaluce
- update(cmake): updated libs to 0.10.1 tag. [#2362] - @FedeDP
- Install the certificates of authorities in falco:no-driver docker image [#2355] - @Issif
- update: Mesos support is now deprecated and will be removed in the next version. [#2328] - @leogr
- update(scripts/falco-driver-loader): optimize the resiliency of module download script for air-gapped environments [#2336] - @Dentrax
- doc(userspace): provide users with a correct message when some syscalls are not defined [#2329] - @Andreagit97
- update(ci): update ci jobs to generate Falco images with the modern BPF probe [#2320] - @Andreagit97
- rules: add Falco container lists [#2290] - @oscr
- rules(macro: private_key_or_password): now also check for OpenSSH private keys [#2284] - @oscr
- update(cmake): bump libs and driver to latest RC. [#2302] - @FedeDP
- Ensure that a ruleset object is copied properly in falco_engine::add_source(). [#2271] - @mstemm
- update(userspace/falco): enable using zlib with webserver [#2125] - @jasondellaluce
- update(falco): add container-gvisor and kubernetes-gvisor print options [#2288] - @LucaGuerra
- cleanup: always use bundled libz and libelf in BUNDLED_DEPS mode. [#2277] - @FedeDP
- update: updated libs and driver to version dd443b67c6b04464cb8ee2771af8ada8777e7fac [#2277] - @FedeDP
- update(falco.yaml):
open_params
under plugins configuration is now trimmed from surrounding whitespace [#2267] - @yardenshoham
Bug Fixes
- fix(engine): Avoid crash related to caching syscall source when the falco engine uses multiple sources at the same time. [#2272] - @mstemm
- fix(scripts): use falco-driver-loader only into install scripts [#2391] - @Andreagit97
- fix(userspace/falco): fix grpc server shutdown [#2350] - @FedeDP
- fix(docker/falco): trust latest GPG key [#2365] - @jasondellaluce
- fix(userspace/engine): improve rule loading validation results [#2344] - @jasondellaluce
- fix: graceful error handling for macros/lists reference loops [#2311] - @jasondellaluce
Rule Changes
- rules(tagging): enhanced rules tagging for inventory / threat modeling [#2167] - @incertum
- rule(Outbound Connection to C2 Server): Update the “Outbound connection to C2 server” rule to match both FQDN and IP addresses. Prior to this change, the rule only matched IP addresses and not FQDN. [#2241] - @Nicolas-Peiffer
- rule(Execution from /dev/shm): new rule to detect execution from /dev/shm [#2225] - @AlbertoPellitteri
- rule(Find AWS Credentials): new rule to detect executions looking for AWS credentials [#2224] - @AlbertoPellitteri
- rule(Linux Kernel Module Injection Detected): improve insmod detection within container using CAP_SYS_MODULE [#2305] - @loresuso
- rule(Read sensitive file untrusted): let salt-call read sensitive files [#2291] - @vin01
- rule(macro: rpm_procs): let salt-call write to rpm database [#2291] - @vin01
Non user-facing changes
- fix(ci): fix rpm sign job dependencies [#2324] - @cappellinsamuele
- chore(userspace): add
njson
lib as a dependency forfalco_engine
[#2316] - @Andreagit97 - fix(scripts): force rpm postinstall script to always show dialog, even on upgrade [#2405] - @FedeDP
- fix(scripts): fixed falcoctl config install dir. [#2399] - @FedeDP
- fix(scripts): make /usr writable [#2398] - @therealbobo
- fix(scripts): driver loader insmod [#2388] - @FedeDP
- update(systemd): solve some issues with systemd unit [#2385] - @Andreagit97
- build(cmake): upgrade falcoctl to v0.3.0-rc6 [#2383] - @leogr
- docs(.github): rules are no longer in this repo [#2382] - @leogr
- update(CI): mitigate frequent failure in CircleCI jobs [#2375] - @Andreagit97
- fix(userspace): use the right path for the
cpus_for_each_syscall_buffer
config [#2378] - @Andreagit97 - fix(scripts): fixed incorrect bash var expansion [#2367] - @therealbobo
- update(CI): upgrade toolchain in modern falco builder dockerfile [#2337] - @Andreagit97
- cleanup(ci): move static analysis job from circle CI to GHA [#2332] - @Andreagit97
- update(falco): update cpp-httplib to 0.11.3 [#2327] - @LucaGuerra
- update(script): makes user able to pass custom option to driver-loade… [#1901] - @andreabonanno
- cleanup(ci): remove some unused jobs and remove some
falco-builder
reference where possible [#2322] - @Andreagit97 - docs(proposal): new artifacts distribution proposal [#2304] - @leogr
- fix(cmake): properly fetch dev version by appending latest Falco tag, delta between master and tag, and hash [#2292] - @FedeDP
- chore(deps): Bump certifi from 2020.4.5.1 to 2022.12.7 in /test [#2313] - @dependabot[bot]
- chore: remove string view lite [#2307] - @leogr
- new(CHANGELOG): add entry for 0.33.1 (in master branch this time) [#2303] - @LucaGuerra
- update(docs): add overview and versioning sections to falco release.md [#2205] - @incertum
- Add Xenit AB to adopters [#2285] - @NissesSenap
- fix(userspace/falco): verify engine fields only for syscalls [#2281] - @jasondellaluce
- fix(output): do not print syscall_buffer_size when gvisor is enabled [#2283] - @alacuku
- fix(engine): fix warning about redundant std::move [#2286] - @LucaGuerra
- fix(scripts): force falco-driver-loader script to try to compile the driver anyway even on unsupported platforms [#2219] - @FedeDP
- fix(ci): fixed version bucket for release jobs. [#2266] - @FedeDP
- fix(cmake): fixed tag fetching fallback (that is indeed needed) [#2409] - @FedeDP
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 30 |
Release note | 53 |
Total | 83 |
Release Manager
@LucaGuerra
Version 0.33.1
Packages | Download |
---|---|
rpm-x86_64 | |
deb-x86_64 | |
tgz-x86_64 | |
rpm-aarch64 | |
deb-aarch64 | |
tgz-aarch64 |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.33.1 |
docker pull public.ecr.aws/falcosecurity/falco:0.33.1 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.33.1 |
docker pull docker.io/falcosecurity/falco-no-driver:0.33.1 |
Minor Changes
- update(falco): fix container-gvisor and kubernetes-gvisor print options [#2288]
- Update libs to 0.9.2, fixing potential CLBO on gVisor+Kubernetes and crash with eBPF when some CPUs are offline [#2299] - @LucaGuerra
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 1 |
Release note | 2 |
Total | 3 |
Release Manager
@LucaGuerra
Version 0.33.0
Packages | Download |
---|---|
rpm-x86_64 | |
deb-x86_64 | |
tgz-x86_64 | |
rpm-aarch64 | |
deb-aarch64 | |
tgz-aarch64 |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.33.0 |
docker pull public.ecr.aws/falcosecurity/falco:0.33.0 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.33.0 |
docker pull docker.io/falcosecurity/falco-no-driver:0.33.0 |
Major Changes
- new: add a
drop_pct
referred to the global number of events [#2130] - @Andreagit97 - new: print some info about eBPF and enabled sources when Falco starts [#2133] - @Andreagit97
- new(userspace): print architecture information [#2147] - @Andreagit97
- new(CI): add CodeQL security scanning to Falco. [#2171] - @Andreagit97
- new: configure syscall buffer dimension from Falco [#2214] - @Andreagit97
- new(cmdline): add development support for modern BPF probe [#2221] - @Andreagit97
- new(falco-driver-loader):
DRIVERS_REPO
now supports the use of multiple download URLs (comma separated) [#2165] - @IanRobertson-wpe - new(userspace/engine): support alternative plugin version requirements in checks [#2190] - @jasondellaluce
- new: support running multiple event sources in parallel [#2182] - @jasondellaluce
- new(userspace/falco): automatically create paths for grpc unix socket and gvisor endpoint. [#2189] - @FedeDP
- new(scripts): allow falco-driver-loader to properly distinguish any ubuntu flavor [#2178] - @FedeDP
- new: add option to enable event sources selectively [#2085] - @jasondellaluce
Minor Changes
- docs(falco-driver-loader): add some comments in
falco-driver-loader
[#2153] - @Andreagit97 - update(cmake): use latest libs tag
0.9.0
[#2257] - @Andreagit97 - update(.circleci): re-enabled cppcheck [#2186] - @leogr
- update(userspace/engine): improve falco files loading performance [#2151] - @VadimZy
- update(cmake): use latest driver tag 3.0.1+driver [#2251] - @Andreagit97
- update(userspace/falco)!: adapt stats writer for multiple parallel event sources [#2182] - @jasondellaluce
- refactor(userspace/engine): remove falco engine APIs that returned a required_engine_version [#2096] - @mstemm
- update(userspace/engine): add some small changes to rules matching that reduce cpu usage with high event volumes (> 1M syscalls/sec) [#2210] - @mstemm
- rules: added process IDs to default rules [#2211] - @spyder-kyle
- update(scripts/debian): falco.service systemd unit is now cleaned-up during (re)install and removal via the DEB and RPM packages [#2138] - @Happy-Dude
- update(userspace/falco): move on from deprecated libs API for printing event list [#2253] - @jasondellaluce
- chore(userspace/falco): improve cli helper and log options with debug level [#2252] - @jasondellaluce
- update(userspace): minor pre-release improvements [#2236] - @jasondellaluce
- update: bumped libs to fd46dd139a8e35692a7d40ab2f0ed2016df827cf. [#2201] - @FedeDP
- update!: gVisor sock default path changed from
/tmp/gvisor.sock
to/run/falco/gvisor.sock
[#2163] - @vjjmiras - update!: gRPC server sock default path changed from
/run/falco.sock.sock
to/run/falco/falco.sock
[#2163] - @vjjmiras - update(scripts/falco-driver-loader): minikube environment is now correctly detected [#2191] - @alacuku
- update(rules/falco_rules.yaml):
required_engine_version
changed to 13 [#2179] - @incertum - refactor(userspace/falco): re-design stats writer and make it thread-safe [#2109] - @jasondellaluce
- refactor(userspace/falco): make signal handlers thread safe [#2091] - @jasondellaluce
- refactor(userspace/engine): strengthen and document thread-safety guarantees of falco_engine::process_event [#2082] - @jasondellaluce
- update(userspace/falco): make webserver threadiness configurable [#2090] - @jasondellaluce
- refactor(userspace/falco): reduce app actions dependency on app state and inspector [#2097] - @jasondellaluce
- update(userspace/falco): use move semantics in falco logger [#2095] - @jasondellaluce
- update: use
FALCO_HOSTNAME
env var to override the hostname value [#2174] - @leogr - update: bump libs and driver versions to 6599e2efebce30a95f27739d655d53f0d5f686e4 [#2177] - @jasondellaluce
- refactor(userspace/falco): make output rate limiter optional and output engine explicitly thread-safe [#2139] - @jasondellaluce
- update(falco.yaml)!: notification rate limiter disabled by default. [#2139] - @jasondellaluce
Bug Fixes
- fix: compute the
drop ratio
in the right way [#2128] - @Andreagit97 - fix(falco_service): falco service needs to write under /sys/module/falco [#2238] - @Andreagit97
- fix(userspace): cleanup output of ruleset validation result [#2248] - @jasondellaluce
- fix(userspace): properly print ignored syscalls messages when not in
-A
mode [#2243] - @jasondellaluce - fix(falco): clarify pid/tid and container info in gvisor [#2223] - @LucaGuerra
- fix(userspace/engine): avoid reading duplicate exception values [#2200] - @jasondellaluce
- fix: hostname was not present when
json_output: true
[#2174] - @leogr
Rule Changes
- rule(macro: known_gke_mount_in_privileged_containers): add new macro [#2198] - @hi120ki
- rule(Mount Launched in Privileged Container): add GKE default pod into allowlist in Mount Launched of Privileged Container rule [#2198] - @hi120ki
- rule(list: known_binaries_to_read_environment_variables_from_proc_files): add new list [#2193] - @hi120ki
- rule(Read environment variable from /proc files): add rule to detect an attempt to read process environment variables from /proc files [#2193] - @hi120ki
- rule(macro: k8s_containers): add falco no-driver images [#2234] - @jasondellaluce
- rule(macro: open_file_failed): add new macro [#2118] - @incertum
- rule(macro: directory_traversal): add new macro [#2118] - @incertum
- rule(Directory traversal monitored file read): add new rule [#2118] - @incertum
- rule(Modify Container Entrypoint): new rule created to detect CVE-2019-5736 [#2188] - @darryk10
- rule(Program run with disallowed http proxy env)!: disabled by default [#2179] - @incertum
- rule(Container Drift Detected (chmod))!: disabled by default [#2179] - @incertum
- rule(Container Drift Detected (open+create))!: disabled by default [#2179] - @incertum
- rule(Packet socket created in container)!: removed consider_packet_socket_communication macro [#2179] - @incertum
- rule(macro: consider_packet_socket_communication)!: remove unused macro [#2179] - @incertum
- rule(Interpreted procs outbound network activity)!: disabled by default [#2166] - @incertum
- rule(Interpreted procs inbound network activity)!: disabled by default [#2166] - @incertum
- rule(Contact cloud metadata service from container)!: disabled by default [#2166] - @incertum
- rule(macro: consider_interpreted_outbound)!: remove unused macro [#2166] - @incertum
- rule(macro: consider_interpreted_inbound)!: remove unused macro [#2166] - @incertum
- rule(macro: consider_metadata_access)!: remove unused macro [#2166] - @incertum
- rule(Unexpected outbound connection destination)!: disabled by default [#2168] - @incertum
- rule(Unexpected inbound connection source)!: disabled by default [#2168] - @incertum
- rule(Read Shell Configuration File)!: disabled by default [#2168] - @incertum
- rule(Schedule Cron Jobs)!: disabled by default [#2168] - @incertum
- rule(Launch Suspicious Network Tool on Host)!: disabled by default [#2168] - @incertum
- rule(Create Hidden Files or Directories)!: disabled by default [#2168] - @incertum
- rule(Outbound or Inbound Traffic not to Authorized Server Process and Port)!: disabled by default [#2168] - @incertum
- rule(Network Connection outside Local Subnet)!: disabled by default [#2168] - @incertum
- rule(macro: consider_all_outbound_conns)!: remove unused macro [#2168] - @incertum
- rule(macro: consider_all_inbound_conns)!: remove unused macro [#2168] - @incertum
- rule(macro: consider_shell_config_reads)!: remove unused macro [#2168] - @incertum
- rule(macro: consider_all_cron_jobs)!: remove unused macro [#2168] - @incertum
- rule(macro: consider_all_inbound_conns)!: remove unused macro [#2168] - @incertum
- rule(macro: consider_hidden_file_creation)!: remove unused macro [#2168] - @incertum
- rule(macro: allowed_port)!: remove unused macro [#2168] - @incertum
- rule(macro: enabled_rule_network_only_subnet)!: remove unused macro [#2168] - @incertum
- rule(macro: consider_userfaultfd_activities)!: remove unused macro [#2168] - @incertum
- rule(macro: consider_all_chmods)!: remove unused macro [#2168] - @incertum
- rule(Set Setuid or Setgid bit)!: removed consider_all_chmods macro [#2168] - @incertum
- rule(Container Drift Detected (chmod))!: removed consider_all_chmods macro [#2168] - @incertum
- rule(Unprivileged Delegation of Page Faults Handling to a Userspace Process)!: removed consider_userfaultfd_activities macro [#2168] - @incertum
Non user-facing changes
- new(userspace): support
SCAP_FILTERED_EVENT
return code [#2148] - @Andreagit97 - chore(test/utils): remove unused script [#2157] - @Andreagit97
- Enrich pull request template [#2162] - @Andreagit97
- vote: update(OWNERS): add Andrea Terzolo to owners [#2185] - @Andreagit97
- fix(CI): codespell should ignore
ro
word [#2173] - @Andreagit97 - chore: bump plugin version [#2256] - @Andreagit97
- fix(userspace/falco): avoid using CPU when main thread waits for parallel event sources [#2255] - @jasondellaluce
- fix(scripts): inject kmod script fails with some systemd versions [#2250] - @Andreagit97
- chore(userspace/falco): make logging optional when terminating, restarting, and reopening outputs [#2249] - @jasondellaluce
- chore: bump libs version [#2244] - @Andreagit97
- update(userspace): solve warnings and performance tips from cppcheck [#2247] - @jasondellaluce
- fix(userspace/falco): make signal termination more robust with multi-threading [#2235] - @jasondellaluce
- fix(userspace/falco): make termination and signal handlers more stable [#2239] - @jasondellaluce
- fix(userspace): safely check string bounded access [#2237] - @jasondellaluce
- chore: bump libs/driver to the latest release branch commit [#2232] - @Andreagit97
- fix(userspace/falco): check plugin requirements when validating rule files [#2233] - @jasondellaluce
- fix(userspace): add explicit constructors and initializations [#2229] - @jasondellaluce
- Add StackRox to adopters [#2187] - @Molter73
- fix(process_events): check the return value of
open_live_inspector
[#2215] - @Andreagit97 - fix(userspace/engine): properly include stdexcept header to fix build. [#2197] - @FedeDP
- refactor(userspace/engine): split rule loader classes for a more testable design [#2206] - @jasondellaluce
- chore(OWNERS): cleanup inactive reviewer [#2204] - @leogr
- fix(circleci): falco-driver-loader image build must be done starting from just-pushed falco master image. [#2194] - @FedeDP
- Support condition parse errors in rule loading results [#2155] - @mstemm
- docs: readme update [#2183] - @leogr
- cleanup: rename legacy references [#2180] - @jasondellaluce
- refactor(userspace/engine): increase const coherence in falco engine [#2081] - @jasondellaluce
- Rules result handle multiple files [#2158] - @mstemm
- fix: print full rule load errors/warnings without verbose/-v [#2156] - @mstemm
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 29 |
Release note | 50 |
Total | 79 |
Release Manager @jasondellaluce
Version 0.32.2
Packages | Download |
---|---|
rpm-x86_64 | |
deb-x86_64 | |
tgz-x86_64 | |
rpm-aarch64 | |
deb-aarch64 | |
tgz-aarch64 |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.32.2 |
docker pull public.ecr.aws/falcosecurity/falco:0.32.2 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.32.2 |
docker pull docker.io/falcosecurity/falco-no-driver:0.32.2 |
Bug Fixes
- fix: Added ARCH to bpf download URL [#2142] - @eric-engberg
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 0 |
Release note | 1 |
Total | 1 |
Release Manager @Andreagit97
Version 0.32.1
Packages | Download |
---|---|
rpm | |
deb | |
tgz | |
rpm-arm64 | |
deb-arm64 | |
tgz-arm64 |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.32.1 |
docker pull public.ecr.aws/falcosecurity/falco:0.32.1 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.32.1 |
docker pull docker.io/falcosecurity/falco-no-driver:0.32.1 |
Major Changes
- new(falco): add gVisor support [#2078] - @LucaGuerra
- new(docker,scripts): add multiarch images and ARM64 packages [#1990] - @FedeDP
Minor Changes
- update(build): Switch from RSA/SHA1 to RSA/SHA256 signature in the RPM package [#2044] - @vjjmiras
- refactor(userspace/engine): drop macro source field in rules and rule loader [#2094] - @jasondellaluce
- build: introduce
DRIVER_VERSION
that allows setting a driver version (which may differ from the falcosecurity/libs version) [#2086] - @leogr - update: add more info to
--version
output [#2086] - @leogr - build(scripts): publish deb repo has now a InRelease file [#2060] - @FedeDP
- update(userspace/falco): make plugin init config optional and add –plugin-info CLI option [#2059] - @jasondellaluce
- update(userspace/falco): support libs logging [#2093] - @jasondellaluce
- update(falco): update libs to 0.7.0 [#2119] - @LucaGuerra
Bug Fixes
- fix(userspace/falco): ensure that only rules files named with
-V
are loaded when validating rules files. [#2088] - @mstemm - fix(rules): use exit event in reverse shell detection rule [#2076] - @alacuku
- fix(scripts): falco-driver-loader script will now seek for drivers in driver/${ARCH}/ for x86_64 too. [#2057] - @FedeDP
- fix(falco-driver-loader): building falco module with DKMS on Flatcar and supporting fetching pre-built module/eBPF probe [#2043] - @jepio
Rule Changes
- rule(Redirect STDOUT/STDIN to Network Connection in Container): changed priority to NOTICE [#2092] - @leogr
- rule(Java Process Class Download): detect potential log4shell exploitation [#2041] - @pirxthepilot
Non user-facing changes
- remove kaizhe from falco rule owner [#2050] - @Kaizhe
- docs(readme): added arm64 mention + packages + badge. [#2101] - @FedeDP
- new(circleci): enable integration tests for arm64. [#2099] - @FedeDP
- chore(cmake): bump plugins versions [#2102] - @Andreagit97
- fix(docker): fixed deb tester sub image. [#2100] - @FedeDP
- fix(ci): fix sign script - avoid interpreting ‘{*}$argv’ too soon [#2075] - @vjjmiras
- fix(tests): make tests run locally (take 2) [#2089] - @LucaGuerra
- fix(ci): creates ~/sign instead of ./sign [#2072] - @vjjmiras
- fix(ci): sign arm64 rpm packages. [#2069] - @FedeDP
- update(falco_scripts): Change Flatcar dynlinker path [#2066] - @jepio
- fix(scripts): fixed path in publish-deb script. [#2062] - @FedeDP
- fix(build): docker-container buildx engine does not support retagging images. Tag all images together. [#2058] - @FedeDP
- fix(build): fixed publish-docker-dev job context. [#2056] - @FedeDP
- Correct linting issue in rules [#2055] - @stephanmiehe
- Fix falco compilation issues with new libs [#2053] - @alacuku
- fix(scripts): forcefully create packages dir for debian packages. [#2054] - @FedeDP
- fix(build): removed leftover line in circleci config. [#2052] - @FedeDP
- fix(build): fixed circleCI artifacts publish for arm64. [#2051] - @FedeDP
- update(docker): updated falco-builder to fix multiarch support. [#2049] - @FedeDP
- fix(build): use apt instead of apk when installing deps for aws ecr publish [#2047] - @FedeDP
- fix(build): try to use root user for cimg/base [#2045] - @FedeDP
- update(build): avoid double build of docker images when pushing to aws ecr [#2046] - @FedeDP
- chore(k8s_audit_plugin): bump k8s audit plugin version [#2042] - @Andreagit97
- fix(tests): make run_regression_tests.sh work locally [#2020] - @LucaGuerra
- Circle CI build job for ARM64 [#1997] - @odidev
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 25 |
Release note | 16 |
Total | 41 |
Release Manager @LucaGuerra
Version 0.32.0
Packages | Download |
---|---|
rpm | |
deb | |
tgz |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.32.0 |
docker pull public.ecr.aws/falcosecurity/falco:0.32.0 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.32.0 |
docker pull docker.io/falcosecurity/falco-no-driver:0.32.0 |
Major Changes
- new: added new
watch_config_files
config option, to trigger a Falco restart whenever a change is detected in the rules or config files [#1991] - @FedeDP - new(rules): add rule to detect excessively capable container [#1963] - @loresuso
- new(rules): add rules to detect pods sharing host pid and IPC namespaces [#1951] - @loresuso
- new(image): add Falco image based on RedHat UBI [#1943] - @araujof
- new(falco): add –markdown and –list-syscall-events [#1939] - @LucaGuerra
Minor Changes
- update(build): updated plugins to latest versions. [#2033] - @FedeDP
- refactor(userspace/falco): split the currently monolithic falco_init into smaller “actions”, managed by the falco application’s action manager. [#1953] - @mstemm
- rules: out of the box ruleset for OKTA Falco Plugin [#1955] - @darryk10
- update(build): updated libs to 39ae7d40496793cf3d3e7890c9bbdc202263836b [#2031] - @FedeDP
- update!: moving out plugins ruleset files [#1995] - @leogr
- update: added
hostname
as a field in JSON output [#1989] - @Milkshak3s - refactor!: remove K8S audit logs from Falco [#1952] - @jasondellaluce
- refactor(userspace/engine): use supported_operators helper from libsinsp filter parser [#1975] - @jasondellaluce
- refactor!: deprecate PSP regression tests and warn for unsafe usage of in k8s audit filters [#1976] - @jasondellaluce
- build(cmake): upgrade catch2 to 2.13.9 [#1977] - @leogr
- refactor(userspace/engine): reduce memory usage for resolving evttypes [#1965] - @jasondellaluce
- refactor(userspace/engine): remove Lua from Falco and re-implement the rule loader [#1966] - @jasondellaluce
- refactor(userspace/engine): decoupling ruleset reading, parsing, and compilation steps [#1970] - @jasondellaluce
- refactor: update definitions of falco_common [#1967] - @jasondellaluce
- update: improved Falco engine event processing performance [#1944] - @deepskyblue86
- refactor(userspace/engine): use libsinsp filter parser and compiler inside rule loader [#1947] - @jasondellaluce
Bug Fixes
- fix(userspace/engine): skip rules with unknown sources that also have exceptions, and skip macros with unknown sources. [#1920] - @mstemm
- fix(userspace/falco): enable k8s and mesos clients only when syscall source is enabled [#2019] - @jasondellaluce
Rule Changes
- rule(Launch Excessively Capable Container): fix typo in description [#1996] - @mmonitz
- rule(macro: known_shell_spawn_cmdlines): add
sh -c /usr/share/lighttpd/create-mime.conf.pl
to macro [#1996] - @mmonitz - rule(macro net_miner_pool): additional syscall for detection [#2011] - @beryxz
- rule(macro truncate_shell_history): include .ash_history [#1956] - @bdashrad
- rule(macro modify_shell_history): include .ash_history [#1956] - @bdashrad
- rule(Detect release_agent File Container Escapes): new rule created to detect an attempt to exploit a container escape using release_agent file [#1969] - @darryk10
- rule(k8s: secret): detect
get
attempts for both successful and unsuccessful attempts [#1949] - @Dentrax - rule(K8s Serviceaccount Created/Deleted): Fixed output for the rules [#1973] - @darryk10
- rule(Disallowed K8s User): exclude allowed EKS users [#1960] - @darryk10
- rule(Launch Ingress Remote File Copy Tools in Container): Removed use cases not triggering the rule [#1968] - @darryk10
- rule(Mount Launched in Privileged Container): added allowlist macro user_known_mount_in_privileged_containers. [#1930] - @mmoyerfigma
- rule(macro user_known_shell_config_modifiers): allow to allowlist shell config modifiers [#1938] - @claudio-vellage
Non user-facing changes
- new: update plugins [#2023] - @FedeDP
- update(build): updated libs version for Falco 0.32.0 release. [#2022] - @FedeDP
- update(build): updated libs to 1be924900a09cf2e4db4b4ae13d03d838959f350 [#2024] - @FedeDP
- chore(userspace/falco): do not print error code in process_events.cpp [#2030] - @alacuku
- fix(falco-scripts): remove driver versions with
dkms-3.0.3
[#2027] - @Andreagit97 - chore(userspace/falco): fix punctuation typo in output message when loading plugins [#2026] - @alacuku
- refactor(userspace): change falco engine design to properly support multiple sources [#2017] - @jasondellaluce
- update(userspace/falco): improve falco termination [#2012] - @Andreagit97
- update(userspace/engine): introduce new
check_plugin_requirements
API [#2009] - @Andreagit97 - fix(userspace/engine): improve rule loader source checks [#2010] - @Andreagit97
- fix: split filterchecks per source-idx [#1999] - @FedeDP
- new: port CI builds to github actions [#2000] - @FedeDP
- build(userspace/engine): cleanup unused include dir [#1987] - @leogr
- rule(Anonymous Request Allowed): exclude {/livez, /readyz} [#1954] - @sledigabel
- chore(falco_scripts): Update
falco-driver-loader
cleaning phase [#1950] - @Andreagit97 - new(userspace/falco): use new plugin caps API [#1982] - @FedeDP
- build: correct conffiles for DEB packages [#1980] - @leogr
- Fix exception parsing regressions [#1985] - @mstemm
- Add codespell GitHub Action [#1962] - @invidian
- build: components opt-in mechanism for packages [#1979] - @leogr
- add gVisor to ADOPTERS.md [#1974] - @kevinGC
- rules: whitelist GCP’s container threat detection image [#1959] - @clmssz
- Fix some typos [#1961] - @invidian
- chore(rules): remove leftover [#1958] - @leogr
- docs: readme update and plugins [#1940] - @leogr
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 27 |
Release note | 34 |
Total | 61 |
Release Manager @FedeDP
Version 0.31.1
Packages | Download |
---|---|
rpm | |
deb | |
tgz |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.31.1 |
docker pull public.ecr.aws/falcosecurity/falco:0.31.1 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.31.1 |
docker pull docker.io/falcosecurity/falco-no-driver:0.31.1 |
Major Changes
- new: add a new drop category
n_drops_scratch_map
[#1916] - @Andreagit97 - new: allow to specify multiple –cri options [#1893] - @FedeDP
Minor Changes
- refactor(userspace/falco): replace direct getopt_long() cmdline option parsing with third-party cxxopts library. [#1886] - @mstemm
- update: driver version is b7eb0dd [#1923] - @LucaGuerra
Bug Fixes
- fix(userspace/falco): correct plugins init config conversion from YAML to JSON [#1907] - @jasondellaluce
- fix(userspace/engine): for rules at the informational level being loaded at the notice level [#1885] - @mike-stewart
- chore(userspace/falco): fixes truncated -b option description. [#1915] - @andreabonanno
- update(falco): updates usage description for -o, –option [#1903] - @andreabonanno
Rule Changes
- rule(Detect outbound connections to common miner pool ports): fix url in rule output [#1918] - @jsoref
- rule(macro somebody_becoming_themself): renaming macro to somebody_becoming_themselves [#1918] - @jsoref
- rule(list package_mgmt_binaries):
npm
added [#1866] - @rileydakota - rule(Launch Package Management Process in Container): support for detecting
npm
usage [#1866] - @rileydakota - rule(Polkit Local Privilege Escalation Vulnerability): new rule created to detect CVE-2021-4034 [#1877] - @darryk10
- rule(macro: modify_shell_history): avoid false-positive alerts triggered by modifications to .zsh_history.new and .zsh_history.LOCK files [#1832] - @m4wh6k
- rule(macro: truncate_shell_history): avoid false-positive alerts triggered by modifications to .zsh_history.new and .zsh_history.LOCK files [#1832] - @m4wh6k
- rule(macro sssd_writing_krb): fixed a false-positive alert that was being generated when SSSD updates /etc/krb5.keytab [#1825] - @mac-chaffee
- rule(macro write_etc_common): fixed a false-positive alert that was being generated when SSSD updates /etc/krb5.keytab [#1825] - @mac-chaffee
- upgrade macro(keepalived_writing_conf) [#1742] - @pabloopez
- rule_output(Delete Bucket Public Access Block) typo [#1888] - @pabloopez
Non user-facing changes
- fix(build): fix civetweb linking in cmake module [#1919] - @LucaGuerra
- chore(userspace/engine): remove unused lua functions and state vars [#1908] - @jasondellaluce
- fix(userspace/falco): applies FALCO_INSTALL_CONF_FILE as the default … [#1900] - @andreabonanno
- fix(scripts): correct typo in
falco-driver-loader
help message [#1899] - @leogr - update(build)!: replaced various
PROBE
withDRIVER
where necessary. [#1887] - @FedeDP - Add Fairwinds to the adopters list [#1917] - @sudermanjr
- build(cmake): several cmake changes to speed up/simplify builds for external projects and copying files from source-to-build directories [#1905] - @mstemm
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 11 |
Release note | 13 |
Total | 24 |
Release Manager @LucaGuerra
Version 0.31.0
Packages | Download |
---|---|
rpm | |
deb | |
tgz |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.31.0 |
docker pull public.ecr.aws/falcosecurity/falco:0.31.0 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.31.0 |
docker pull docker.io/falcosecurity/falco-no-driver:0.31.0 |
Major Changes
- new: add support for plugins to extend Falco functionality to new event sources and custom fields [#1753] - @mstemm
- new: add ability to set User-Agent http header when sending http output. Provide default value of ‘falcosecurit/falco’. [#1850] - @yoshi314
- new(configuration): support defining plugin init config as a YAML [#1852] - @jasondellaluce
Minor Changes
- rules: add the official Falco ECR repository to rules [#1817] - @calvinbui
- build: update CircleCI machine image for eBPF tests to a newer version of ubuntu [#1764] - @mstemm
- update(engine): refactor Falco engine to be agnostic to specific event sources [#1715] - @mstemm
- build: upgrade civetweb to v1.15 [#1782] - @FedeDP
- update: driver version is 319368f1ad778691164d33d59945e00c5752cd27 now [#1861] - @FedeDP
- build: allow using local libs source dir by setting
FALCOSECURITY_LIBS_SOURCE_DIR
in cmake [#1791] - @jasondellaluce - build: the statically linked binary package is now published with the
-static
suffix [#1873] - @LucaGuerra - update!: removed “–alternate-lua-dir” cmdline option as lua scripts are now embedded in Falco executable. [#1872] - @FedeDP
- build: switch to dynamic build for the binary package (
.tar.gz
) [#1853] - @LucaGuerra - update: simpleconsumer filtering is now being done at kernel level [#1846] - @FedeDP
- update(scripts/falco-driver-loader): first try to load the latest kmod version, then fallback to an already installed if any [#1863] - @leogr
- refactor: clean up –list output with better formatting and no duplicate sections across event sources. [#1816] - @mstemm
- update: embed .lua files used to load/compile rules into the main falco executable, for simplicity and to avoid tampering. [#1843] - @mstemm
- update: support non-enumerable event sources in gRPC outputs service [#1840] - @jasondellaluce
- docs: add jasondellaluce to OWNERS [#1818] - @jasondellaluce
- chore: –list option can be used to selectively list fields related to new sources that are introduced by plugins [#1839] - @loresuso
- update(userspace/falco): support arbitrary-depth nested values in YAML configuration [#1792] - @jasondellaluce
- build: bump FakeIt version to 2.0.9 [#1797] - @jasondellaluce
- update: allow append of new exceptions to rules [#1780] - @sai-arigeli
- update: Linux packages are now signed with SHA256 [#1758] - @twa16
Bug Fixes
- fix(scripts/falco-driver-loader): fix for SELinux insmod denials [#1756] - @dwindsor
- fix(scripts/falco-driver-loader): correctly clean loaded drivers when using
--clean
[#1795] - @jasondellaluce - fix(userspace/falco): in case output_file cannot be opened, throw a falco exception [#1773] - @FedeDP
- fix(userspace/engine): support jsonpointer escaping in rule parser [#1777] - @jasondellaluce
- fix(scripts/falco-driver-loader): support kernel object files in
.zst
and.gz
compression formats [#1863] - @leogr - fix(engine): correctly format json output in json_event [#1847] - @jasondellaluce
- fix: set http output contenttype to text/plain when json output is disabled [#1829] - @FedeDP
- fix(userspace/falco): accept ‘Content-Type’ header that contains “application/json”, but it is not strictly equal to it [#1800] - @FedeDP
- fix(userspace/engine): supporting enabled-only overwritten rules [#1775] - @jasondellaluce
Rule Changes
- rule(Create Symlink Over Sensitive File): corrected typo in rule output [#1820] - @deepskyblue86
- rule(macro open_write): add support to openat2 [#1796] - @jasondellaluce
- rule(macro open_read): add support to openat2 [#1796] - @jasondellaluce
- rule(macro open_directory): add support to openat2 [#1796] - @jasondellaluce
- rule(Create files below dev): add support to openat2 [#1796] - @jasondellaluce
- rule(Container Drift Detected (open+create)): add support to openat2 [#1796] - @jasondellaluce
- rule(macro sensitive_mount): add containerd socket [#1815] - @loresuso
- rule(macro spawned_process): monitor also processes spawned by
execveat
[#1868] - @Andreagit97 - rule(Create Hardlink Over Sensitive Files): new rule to detect hard links created over sensitive files [#1810] - @sberkovich
- rule(Detect crypto miners using the Stratum protocol): add
stratum2+tcp
andstratum+ssl
protocols detection [#1810] - @sberkovich - rule(Sudo Potential Privilege Escalation): correct special case for the CVE-2021-3156 exploit [#1810] - @sberkovich
- rule(list falco_hostnetwork_images): moved to k8s_audit_rules.yaml to avoid a warning when usng falco_rules.yaml only [#1681] - @leodido
- rule(list deb_binaries): remove
apt-config
[#1860] - @Andreagit97 - rule(Launch Remote File Copy Tools in Container): add additional binaries: curl and wget. [#1771] - @ec4n6
- rule(list known_sa_list): add coredns, coredns-autoscaler, endpointslicemirroring-controller, horizontal-pod-autoscaler, job-controller, node-controller (nodelifecycle), persistent-volume-binder, pv-protection-controller, pvc-protection-controller, root-ca-cert-publisher and service-account-controller as allowed service accounts in the kube-system namespace [#1760] - @sboschman
Non user-facing changes
- fix: force-set evt.type for plugin source events [#1878] - @FedeDP
- fix: updated some warning strings; properly refresh lua files embedded in falco [#1864] - @FedeDP
- style(userspace/engine): avoid creating multiple versions of methods only to assume default ruleset. Use a default argument instead. [#1754] - @FedeDP
- add raft in the adopters list [#1776] - @teshsharma
- build: always populate partial version variables [#1778] - @dnwe
- build: updated cloudtrail plugin to latest version [#1865] - @FedeDP
- replace “..” concatenation with table.concat [#1834] - @VadimZy
- fix(userspace/engine): actually make m_filter_all_event_types useful by properly using it as fallback when no filter event types is provided [#1875] - @FedeDP
- fix(build): do not show plugin options in musl optimized builds [#1871] - @LucaGuerra
- fix(aws_cloudtrail_rules.yaml): correct required plugin versions [#1867] - @FedeDP
- docs: fix priority level “info” to “informational” [#1858] - @Andreagit97
- Field properties changes [#1838] - @mstemm
- update(build): updated libs to latest master version; updated plugins versions [#1856] - @FedeDP
- Add Giant Swarm to Adopters list [#1842] - @stone-z
- update(tests): remove
token_bucket
unit tests [#1798] - @jasondellaluce - fix(build): use consistent 7-character build abbrev sha [#1830] - @LucaGuerra
- add Phoenix to adopters list [#1806] - @kaldyka
- remove unused files in test directory [#1801] - @jasondellaluce
- drop Falco luajit module, use the one provied by libs [#1788] - @FedeDP
- chore(build): update libs version to 7906f7e [#1790] - @LucaGuerra
- Add SysFlow to list of libs adopters [#1747] - @araujof
- build: dropped centos8 circleci build because it is useless [#1882] - @FedeDP
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 23 |
Release note | 40 |
Total | 63 |
Release Manager @jasondellaluce
Version 0.30.0
Packages | Download |
---|---|
rpm | |
deb | |
tgz |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.30.0 |
docker pull public.ecr.aws/falcosecurity/falco:0.30.0 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.30.0 |
docker pull docker.io/falcosecurity/falco-no-driver:0.30.0 |
Major Changes
- new: add
--k8s-node
command-line options, which allows filtering by a node when requesting metadata of pods to the K8s API server [#1671] - @leogr - new(outputs): expose rule tags and event source in gRPC and json outputs [#1714] - @jasondellaluce
- new(userspace/falco): add customizable metadata fetching params [#1667] - @zuc
Minor Changes
- update: bump driver version to 3aa7a83bf7b9e6229a3824e3fd1f4452d1e95cb4 [#1744] - @zuc
- docs: clarify that previous Falco drivers will remain available at https://download.falco.org and no automated cleanup is run anymore [#1738] - @leodido
- update(outputs): add configuration option for tags in json outputs [#1733] - @jasondellaluce
Bug Fixes
- fix(scripts): correct standard output redirection in systemd config (DEB and RPM packages) [#1697] - @chirabino
- fix(scripts): correct lookup order when trying multiple
gcc
versions in thefalco-driver-loader
script [#1716] - @Spartan-65
Rule Changes
- rule(list miner_domains): add new miner domains [#1729] - @AlbertoPellitteri
- rule(list https_miner_domains): add new miner domains [#1729] - @AlbertoPellitteri
Non user-facing changes
- add Qonto as adopter [#1717] - @Issif
- docs(proposals): proposal for a libs plugin system [#1637] - @ldegio
- build: remove unused
ncurses
dependency [#1658] - @leogr - build(.circleci): use new Debian 11 package names for python-pip [#1712] - @zuc
- build(docker): adding libssl-dev, upstream image reference pinned to
debian:buster
[#1719] - @michalschott - fix(test): avoid output_strictly_contains failures [#1724] - @jasondellaluce
- Remove duplicate allowed ecr registry rule [#1725] - @TomKeyte
- docs(RELEASE.md): switch to 3 releases per year [#1711] - @leogr
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 10 |
Release note | 9 |
Total | 19 |
Release Manager @araujof
Version 0.29.1
Packages | Download |
---|---|
rpm | |
deb | |
tgz |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.29.1 |
docker pull public.ecr.aws/falcosecurity/falco:0.29.1 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.29.1 |
docker pull docker.io/falcosecurity/falco-no-driver:0.29.1 |
Minor Changes
Rule Changes
- rule(list user_known_userfaultfd_processes): list to exclude processes known to use userfaultfd syscall [#1675] - @leodido
- rule(macro consider_userfaultfd_activities): macro to gate the “Unprivileged Delegation of Page Faults Handling to a Userspace Process” rule [#1675] - @leodido
- rule(Unprivileged Delegation of Page Faults Handling to a Userspace Process): new rule to detect successful unprivileged userfaultfd syscalls [#1675] - @leodido
- rule(Linux Kernel Module Injection Detected): adding container info to the output of the rule [#1675] - @leodido
Non user-facing changes
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 2 |
Release note | 1 |
Total | 3 |
Release Manager @leodido
Version 0.29.0
Packages | Download |
---|---|
rpm | |
deb | |
tgz |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.29.0 |
docker pull public.ecr.aws/falcosecurity/falco:0.29.0 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.29.0 |
docker pull docker.io/falcosecurity/falco-no-driver:0.29.0 |
Minor Changes
Rule Changes
- rule(list miner_domains): add rx.unmineable.com for anti-miner detection [#1676] - @fntlnz
- rule(Change thread namespace and Set Setuid or Setgid bit): disable by default [#1632] - @Kaizhe
- rule(list known_sa_list): add namespace-controller, statefulset-controller, disruption-controller, job-controller, horizontal-pod-autoscaler and persistent-volume-binder as allowed service accounts in the kube-system namespace [#1659] - @sboschman
- rule(Non sudo setuid): check user id as well in case user name info is not available [#1665] - @Kaizhe
- rule(Debugfs Launched in Privileged Container): fix typo in description [#1657] - @Kaizhe
Non user-facing changes
- Fix link to CONTRIBUTING.md in the Pull Request Template [#1679] - @tspearconquest
- fetch libs and drivers from the new repo [#1552] - @leogr
- build(test): upgrade urllib3 to 1.26.5 [#1666] - @leogr
- revert: add notes for 0.28.2 release [#1663] - @maxgio92
- changelog: add notes for 0.28.2 release [#1661] - @maxgio92
- docs(release.md): add blog announcement to post-release tasks [#1652] - @maxgio92
- add Yahoo!Japan as an adopter [#1651] - @ukitazume
- Add Replicated to adopters [#1649] - @diamonwiggins
- docs(proposals): fix libs contribution name [#1641] - @leodido
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 11 |
Release note | 7 |
Total | 18 |
Release Manager @maxgio92
Version 0.28.1
Packages | Download |
---|---|
rpm | |
deb | |
tgz |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.28.1 |
docker pull public.ecr.aws/falcosecurity/falco:0.28.1 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.28.1 |
docker pull docker.io/falcosecurity/falco-no-driver:0.28.1 |
Major Changes
- new:
--support
output now includes info about the Falco engine version [#1581] - @mstemm - new: Falco outputs an alert in the unlikely situation it’s receiving too many consecutive timeouts without an event [#1622] - @leodido
- new: configuration field
syscall_event_timeouts.max_consecutive
to configure after how many consecutive timeouts without an event Falco must alert [#1622] - @leodido
Minor Changes
Bug Fixes
- fix: do not stop the webserver for k8s audit logs when invalid data is coming in the event to be processed [#1617] - @fntlnz
Rule Changes
- rule(macro: allowed_aws_ecr_registry_root_for_eks): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [#1640] - @ismailyenigul
- rule(macro: aws_eks_core_images): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [#1640] - @ismailyenigul
- rule(macro: aws_eks_image_sensitive_mount): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [#1640] - @ismailyenigul
- rule(list
falco_privileged_images
): remove deprecated Falco’s OCI image repositories [#1634] - @maxgio92 - rule(list
falco_sensitive_mount_images
): remove deprecated Falco’s OCI image repositories [#1634] - @maxgio92 - rule(macro
k8s_containers
): remove deprecated Falco’s OCI image repositories [#1634] - @maxgio92 - rule(macro: python_running_sdchecks): macro removed [#1620] - @leogr
- rule(Change thread namespace): remove python_running_sdchecks exception [#1620] - @leogr
Non user-facing changes
- urelease/docs: fix link and small refactor in the text [#1636] - @cpanato
- Add Secureworks to adopters [#1629] - @dwindsor-scwx
- regression test for malformed k8s audit input (FAL-01-003) [#1624] - @leodido
- Add mathworks to adopterlist [#1621] - @natchaphon-r
- adding known users [#1623] - @danpopSD
- docs: update link for HackMD community call notes [#1614] - @leodido
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 7 |
Release note | 7 |
Total | 14 |
Release Manager @cpanato
Version 0.28.0
Packages | Download |
---|---|
rpm | |
deb | |
tgz |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.28.0 |
docker pull public.ecr.aws/falcosecurity/falco:0.28.0 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.28.0 |
docker pull docker.io/falcosecurity/falco-no-driver:0.28.0 |
Major Changes
- BREAKING CHANGE: Bintray is deprecated, no new packages will be published at https://dl.bintray.com/falcosecurity/ [#1577] - @leogr
- BREAKING CHANGE: SKIP_MODULE_LOAD env variable no more disables the driver loading (use SKIP_DRIVER_LOADER env variable introduced in Falco 0.24) [#1599] - @leodido
- BREAKING CHANGE: the init.d service unit is not shipped anymore in deb/rpm packages in favor of a systemd service file [#1448] - @jenting
- new: add support for exceptions as rule attributes to provide a compact way to add exceptions to Falco rules [#1427] - @mstemm
- new: falco-no-driver container images on AWS ECR gallery (https://gallery.ecr.aws/falcosecurity/falco-no-driver) [#1519] - @jonahjon
- new: falco-driver-loader container images on AWS ECR gallery (https://gallery.ecr.aws/falcosecurity/falco-driver-loader) [#1519] - @jonahjon
- new: add healthz endpoint to the webserver [#1546] - @cpanato
- new: introduce a new configuration field
syscall_event_drops.threshold
to tune the drop noisiness [#1586] - @leodido - new: falco-driver-loader script can get a custom driver name from DRIVER_NAME env variable [#1488] - @leodido
- new: falco-driver-loader know the Falco version [#1488] - @leodido
Minor Changes
- docs(proposals): libraries and drivers donation [#1530] - @leodido
- docs(docker): update links to the new Falco website URLs [#1545] - @cpanato
- docs(test): update links to new Falco website URLs [#1563] - @shane-lawrence
- build: now Falco packages are published at https://download.falco.org [#1577] - @leogr
- update: lower the
syscall_event_drops.max_burst
default value to 1 [#1586] - @leodido - update: falco-driver-loader tries to download a Falco driver before then compiling it on the fly for the host [#1599] - @leodido
- docs(test): document the prerequisites for running the integration test suite locally [#1609] - @fntlnz
- update: Debian/RPM package migrated from init to systemd [#1448] - @jenting
Bug Fixes
- fix(userspace/engine): properly handle field extraction over lists of containers when not all containers match the specified sub-properties [#1601] - @mstemm
- fix(docker/falco): add flex and bison dependency to container image [#1562] - @schans
- fix: ignore action can not be used with log and alert ones (
syscall_event_drops
config) [#1586] - @leodido - fix(userspace/engine): allows fields starting with numbers to be parsed properly [#1598] - @mstemm
Rule Changes
- rule(Write below monitored dir): improve rule description [#1588] - @stevenshuang
- rule(macro allowed_aws_eks_registry_root): macro to match the official eks registry [#1555] - @ismailyenigul
- rule(macro aws_eks_image): match aws image repository for eks [#1555] - @ismailyenigul
- rule(macro aws_eks_image_sensitive_mount): match aws cni images [#1555] - @ismailyenigul
- rule(macro k8s_containers): include fluent/fluentd-kubernetes-daemonset and prom/prometheus [#1555] - @ismailyenigul
- rule(Launch Privileged Container): exclude aws_eks_image [#1555] - @ismailyenigul
- rule(Launch Sensitive Mount Container): exclude aws_eks_image_sensitive_mount [#1555] - @ismailyenigul
- rule(Debugfs Launched in Privileged Container): new rule [#1583] - @Kaizhe
- rule(Mount Launched in Privileged Container): new rule [#1583] - @Kaizhe
- rule(Set Setuid or Setgid bit): add k3s-agent in the whitelist [#1583] - @Kaizhe
- rule(macro user_ssh_directory): using glob operator [#1560] - @shane-lawrence
- rule(list falco_sensitive_mount_containers): added image exceptions for IBM cloud [#1337] - @nibalizer
- rule(list rpm_binaries): add rhsmcertd [#1385] - @epcim
- rule(list deb_binaries): add apt.systemd.daily [#1385] - @epcim
- rule(Sudo Potential Privilege Escalation): new rule created to detect CVE-2021-3156 [#1543] - @darryk10
- rule(list allowed_k8s_users): add
eks:node-manager
[#1536] - @ismailyenigul - rule(list mysql_mgmt_binaries): removed [#1602] - @fntlnz
- rule(list db_mgmt_binaries): removed [#1602] - @fntlnz
- rule(macro parent_ansible_running_python): removed [#1602] - @fntlnz
- rule(macro parent_bro_running_python): removed [#1602] - @fntlnz
- rule(macro parent_python_running_denyhosts): removed [#1602] - @fntlnz
- rule(macro parent_linux_image_upgrade_script): removed [#1602] - @fntlnz
- rule(macro parent_java_running_echo): removed [#1602] - @fntlnz
- rule(macro parent_scripting_running_builds): removed [#1602] - @fntlnz
- rule(macro parent_Xvfb_running_xkbcomp): removed [#1602] - @fntlnz
- rule(macro parent_nginx_running_serf): removed [#1602] - @fntlnz
- rule(macro parent_node_running_npm): removed [#1602] - @fntlnz
- rule(macro parent_java_running_sbt): removed [#1602] - @fntlnz
- rule(list known_container_shell_spawn_cmdlines): removed [#1602] - @fntlnz
- rule(list known_shell_spawn_binaries): removed [#1602] - @fntlnz
- rule(macro run_by_puppet): removed [#1602] - @fntlnz
- rule(macro user_privileged_containers): removed [#1602] - @fntlnz
- rule(list rancher_images): removed [#1602] - @fntlnz
- rule(list images_allow_network_outside_subnet): removed [#1602] - @fntlnz
- rule(macro parent_python_running_sdchecks): removed [#1602] - @fntlnz
- rule(macro trusted_containers): removed [#1602] - @fntlnz
- rule(list authorized_server_binaries): removed [#1602] - @fntlnz
Non user-facing changes
- chore(test): replace bucket url with official distribution url [#1608] - @fntlnz
- adding asapp as an adopter [#1611] - @Stuxend
- update: fixtures URLs [#1603] - @leogr
- cleanup publishing jobs [#1596] - @leogr
- fix(falco/test): bump pyyaml from 5.3.1 to 5.4 [#1595] - @leodido
- fix(.circleci): tar must be present in the image [#1594] - @leogr
- fix: publishing jobs [#1591] - @leogr
- Pocteo as an adopter [#1574] - @pocteo-labs
- build: fetch build deps from download.falco.org [#1572] - @leogr
- adding shapesecurity to adopters [#1566] - @irivera007
- Use default pip version to get avocado version [#1565] - @shane-lawrence
- Added Swissblock to list of adopters [#1551] - @bygui86
- Fix various typos in markdown files. [#1514] - @didier-durand
- docs: move governance to falcosecurity/.github [#1524] - @leogr
- ci: fix missing infra context to publish stable Falco packages [#1615] - @leodido
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 17 |
Release note | 24 |
Total | 41 |
Version 0.27.0
Packages | Download |
---|---|
rpm | |
deb | |
tgz |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.27.0 |
docker pull public.ecr.aws/falcosecurity/falco:0.27.0 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.27.0 |
docker pull docker.io/falcosecurity/falco-no-driver:0.27.0 |
Major Changes
- new: Added falco engine version to grpc version service [#1507] - @nibalizer
- BREAKING CHANGE: Users who run Falco without a config file will be unable to do that any more, Falco now expects a configuration file to be passed all the times. Developers may need to adjust their processes. [#1494] - @nibalizer
- new: asynchronous outputs implementation, outputs channels will not block event processing anymore [#1451] - @leogr
- new: slow outputs detection [#1451] - @leogr
- new:
output_timeout
config option for slow outputs detection [#1451] - @leogr
Minor Changes
- build: bump b64 to v2.0.0.1 [#1441] - @fntlnz
- rules(macro container_started): re-use
spawned_process
macro insidecontainer_started
macro [#1449] - @leodido - docs: reach out documentation [#1472] - @fntlnz
- docs: Broken outputs.proto link [#1493] - @deepskyblue86
- docs(README.md): correct broken links [#1506] - @leogr
- docs(proposals): Exceptions handling proposal [#1376] - @mstemm
- docs: fix a broken link of README [#1516] - @oke-py
- docs: adding the kubernetes privileged use case to use cases [#1484] - @fntlnz
- rules(Mkdir binary dirs): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [#1386] - @jhwbarlow
- rules(Create Hidden Files): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [#1386] - @jhwbarlow
- docs(.circleci): welcome Jonah (Amazon) as a new Falco CI maintainer [#1518] - @leodido
- build: falcosecurity/falco:master also available on the AWS ECR Public registry [#1512] - @leodido
- build: falcosecurity/falco:latest also available on the AWS ECR Public registry [#1512] - @leodido
- update: gRPC clients can now subscribe to drop alerts via gRCP API [#1451] - @leogr
- macro(allowed_k8s_users): exclude cloud-controller-manage to avoid false positives on k3s [#1444] - @fntlnz
Bug Fixes
- fix(userspace/falco): use given priority in falco_outputs::handle_msg() [#1450] - @leogr
- fix(userspace/engine): free formatters, if any [#1447] - @leogr
- fix(scripts/falco-driver-loader): lsmod usage [#1474] - @dnwe
- fix: a bug that prevents Falco driver to be consumed by many Falco instances in some circumstances [#1485] - @leodido
- fix: set
HOST_ROOT=/host
environment variable for thefalcosecurity/falco-no-driver
container image by default [#1492] - @leogr
Rule Changes
- rule(list user_known_change_thread_namespace_binaries): add crio and multus to the list [#1501] - @Kaizhe
- rule(Container Run as Root User): new rule created [#1500] - @Kaizhe
- rule(Linux Kernel Module injection detected): adds a new rule that detects when an LKM module is injected using
insmod
from a container (typically used by rootkits looking to obfuscate their behavior via kernel hooking). [#1478] - @d1vious - rule(macro multipath_writing_conf): create and use the macro [#1475] - @nmarier-coveo
- rule(list falco_privileged_images): add calico/node without registry prefix to prevent false positive alerts [#1457] - @czunker
- rule(Full K8s Administrative Access): use the right list of admin users (fix) [#1454] - @mstemm
Non user-facing changes
- chore(cmake): remove unnecessary whitespace patch [#1522] - @leogr
- remove stale bot in favor of the new lifecycle bot [#1490] - @leodido
- chore(cmake): mark some variables as advanced [#1496] - @deepskyblue86
- chore(cmake/modules): avoid useless rebuild [#1495] - @deepskyblue86
- build: BUILD_BYPRODUCTS for civetweb [#1489] - @fntlnz
- build: remove duplicate item from FALCO_SOURCES [#1480] - @leodido
- build: make our integration tests report clear steps for CircleCI UI [#1473] - @fntlnz
- further improvements outputs impl. [#1443] - @leogr
- fix(test): make integration tests properly fail [#1439] - @leogr
- Falco outputs refactoring [#1412] - @leogr
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 10 |
Release note | 30 |
Total | 40 |
Version 0.26.2
Packages | Download |
---|---|
rpm | |
deb | |
tgz |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.26.2 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.26.2 |
docker pull docker.io/falcosecurity/falco-no-driver:0.26.2 |
Major Changes
- update: DRIVERS_REPO now defaults to https://download.falco.org/driver [#1460] - @leodido