Released on 2024-11-21
- update(cmake): bumped falcoctl to v0.10.1. [#3408] - @FedeDP
- update(cmake): bump yaml-cpp to latest master. [#3394] - @FedeDP
- update(ci): use arm64 CNCF runners for GH actions [#3386] - @LucaGuerra
MERGED PRS | NUMBER |
---|---|
Not user-facing | 1 |
Release note | 2 |
Total | 3 |
Released on 2024-10-09
- fix(engine): allow null init_config for plugin info [#3372] - @LucaGuerra
- fix(engine): fix parsing issues in -o key={object} when the object definition contains a comma [#3363] - @LucaGuerra
- fix(userspace/falco): fix event set selection for plugin with parsing capability [#3368] - @FedeDP
MERGED PRS | NUMBER |
---|---|
Not user-facing | 0 |
Release note | 3 |
Total | 3 |
Released on 2024-10-01
- fix(falco_metrics)!: split tags label into multiple
tag_
-prefixed labels [#3337] - @ekoops - fix(falco_metrics)!: use full name for configs and rules files [#3337] - @ekoops
- update(falco_metrics)!: rearrange
n_evts_cpu
andn_drops_cpu
Prometheus metrics to follow best practices [#3319] - @incertum - cleanup(userspace/falco)!: drop deprecated -t,-T,-D options. [#3311] - @FedeDP
- feat(stats): add host_netinfo networking information stats family [#3344] - @ekoops
- new(falco): add json_include_message_property to have a message field without date and priority [#3314] - @LucaGuerra
- new(userspace/falco,userspace/engine): rule json schema validation [#3313] - @FedeDP
- new(falco): introduce append_output configuration [#3308] - @LucaGuerra
- new(userspace/falco): added --config-schema action to print config schema [#3312] - @FedeDP
- new(falco): enable CLI options with -o key={object} [#3310] - @LucaGuerra
- new(config): add
container_engines
config to falco.yaml [#3266] - @incertum - new(metrics): add host_ifinfo metric [#3253] - @incertum
- new(userspace,unit_tests): validate configs against schema [#3302] - @FedeDP
- update(falco): upgrade libs to 0.18.1 [#3349] - @LucaGuerra
- update(systemd): users can refer to systemd falco services with a consistent unique alias falco.service [#3332] - @ekoops
- update(cmake): bump libs to 0.18.0 and driver to 7.3.0+driver. [#3330] - @FedeDP
- chore(userspace/falco): deprecate
cri
related CLI options. [#3329] - @FedeDP - update(cmake): bumped falcoctl to v0.10.0 and rules to 3.2.0 [#3327] - @FedeDP
- update(falco_metrics): change prometheus rules metric naming [#3324] - @incertum
- fix(falco): allow disable_cri_async from both CLI and config [#3353] - @LucaGuerra
- fix(engine): sync outputs before printing stats at shutdown [#3338] - @LucaGuerra
- fix(falco): allow plugin init_config map in json schema [#3335] - @LucaGuerra
- fix(userspace/falco): properly account for plugin with CAP_PARSING when computing interesting sc set [#3334] - @FedeDP
- feat(cmake): add conditional builds for falcoctl and rules paths [#3305] - @tembleking
- cleanup(falco): ignore lint commit [#3354] - @LucaGuerra
- chore(falco): apply code formatting [#3350] - @poiana
- chore: ignore_some_files for clang format [#3351] - @Andreagit97
- sync: release 0.39.x [#3340] - @FedeDP
- fix(userspace/engine): improve rule json schema to account for
source
andrequired_plugin_versions
[#3328] - @FedeDP - cleanup(falco): use header file for json schema [#3325] - @LucaGuerra
- update(engine): modify append_output format [#3322] - @LucaGuerra
- chore: scaffolding for enabling code formatting [#3321] - @Andreagit97
- update(cmake): bump libs and driver to 0.18.0-rc1. [#3320] - @FedeDP
- fix(ci): restore master and release CI workflow permissions. [#3317] - @FedeDP
- fixed the token-permission and pinned-dependencies issue [#3299] - @harshitasao
- update(cmake): bump falcoctl to v0.10.0-rc1 [#3316] - @alacuku
- ci(insecure-api): update semgrep docker image [#3315] - @francesco-furlan
- Add demo environment instructions and docker-config files [#3295] - @bbl232
- chore(deps): Bump submodules/falcosecurity-rules from
baecf18
tob6ad373
[#3301] - @dependabot[bot] - update(cmake): bump libs and driver to latest master [#3283] - @jasondellaluce
- chore(deps): Bump submodules/falcosecurity-rules from
342b20d
tobaecf18
[#3298] - @dependabot[bot] - chore(deps): Bump submodules/falcosecurity-rules from
068f0f2
to342b20d
[#3288] - @dependabot[bot] - vote: add sgaist to OWNERS [#3264] - @sgaist
- Add Tulip Retail to adopters list [#3291] - @bbl232
- chore(deps): Bump submodules/falcosecurity-rules from
28b98b6
to068f0f2
[#3282] - @dependabot[bot] - chore(deps): Bump submodules/falcosecurity-rules from
c0a9bf1
to28b98b6
[#3267] - @dependabot[bot] - Added the OpenSSF Scorecard Badge [#3250] - @harshitasao
- chore(deps): Bump submodules/falcosecurity-rules from
ea57e78
toc0a9bf1
[#3247] - @dependabot[bot] - update(cmake,userspace): bump libs and driver to latest master. [#3263] - @FedeDP
- If rule compilation fails, return immediately [#3260] - @mstemm
- new(userspace/engine): generalize indexable ruleset [#3251] - @mstemm
- update(cmake): bump libs to master. [#3249] - @FedeDP
- chore(deps): Bump submodules/falcosecurity-rules from
df963b6
toea57e78
[#3240] - @dependabot[bot] - chore(ci): enable dummy tests on the testing framework. [#3233] - @FedeDP
- chore(deps): Bump submodules/falcosecurity-rules from
679a50a
todf963b6
[#3231] - @dependabot[bot] - update(cmake): bump libs and driver to master. [#3225] - @FedeDP
- chore(deps): Bump submodules/falcosecurity-rules from
9e56293
to679a50a
[#3222] - @dependabot[bot] - update(docs): update CHANGELOG for 0.38.0 (master branch) [#3224] - @LucaGuerra
MERGED PRS | NUMBER |
---|---|
Not user-facing | 35 |
Release note | 22 |
Total | 57 |
Released on 2024-08-19
- fix(engine): fix metrics names to better adhere to best practices [#3272] - @incertum
- fix(ci): use vault.centos.org for centos:7 CI build. [#3274] - @FedeDP
Released on 2024-06-19
- cleanup(falco): clarify that --print variants only affect syscalls [#3238] - @LucaGuerra
- update(engine): enable -p option for all sources, -pk, -pc etc only for syscall sources [#3239] - @LucaGuerra
- fix(engine): enable output substitution only for syscall rules, prevent engine from exiting with validation errors when a plugin is loaded and -pc/pk is specified [#3236] - @mrgian
- fix(metrics): allow each metric output channel to be selected independently [#3232] - @incertum
- fix(userspace/falco): fixed
falco_metrics::to_text
implementation when running with plugins [#3230] - @FedeDP
MERGED PRS | NUMBER |
---|---|
Not user-facing | 0 |
Release note | 6 |
Total | 6 |
Released on 2024-05-30
- new(scripts,docker)!: enable automatic driver selection logic in packages and docker images. Modern eBPF is now also the default driver and the highest priority one in the new driver selection logic. [#3154] - @FedeDP
- cleanup(falco.yaml)!: remove some deprecated configs [#3087] - @Andreagit97
- cleanup(docker)!: remove unused builder dockerfile [#3088] - @Andreagit97
More details: https://falco.org/blog/falco-0-38-0/#breaking-changes-and-deprecations
- new(webserver): a metrics endpoint has been added providing prometheus metrics. It can be optionally enabled using the new
metrics.prometheus_enabled
configuration option. It will only be activated if themetrics.enabled
is true as well. [#3140] - @sgaist - new(metrics): add
rules_counters_enabled
option [#3192] - @incertum - new(build): provide signatures for .tar.gz packages [#3201] - @LucaGuerra
- new(engine): add print_enabled_rules_falco_logger when log_level debug [#3189] - @incertum
- new(falco): allow selecting which rules to load from the configuration file or command line [#3178] - @LucaGuerra
- new(metrics): add file sha256sum metrics for loaded config and rules files [#3187] - @incertum
- new(engine): throw an error when an invalid macro/list name is used [#3116] - @mrgian
- new(engine): raise warning instead of error on invalid macro/list name [#3167] - @mrgian
- new(userspace): support split config files [#3024] - @FedeDP
- new(engine): enforce unique exceptions names [#3134] - @mrgian
- new(engine): add warning when appending an exception with no values [#3133] - @mrgian
- feat(metrics): coherent metrics stats model including few metrics naming changes [#3129] - @incertum
- new(config): add
falco_libs.thread_table_size
[#3071] - @incertum - new(proposals): introduce on host anomaly detection framework [#2655] - @incertum
- update(cmake): bump falcoctl to v0.8.0. [#3219] - @FedeDP
- update(rules): update falco-rules to 3.1.0 [#3217] - @LucaGuerra
- refactor(userspace): move falco logger under falco engine [#3208] - @jasondellaluce
- chore(docs): apply features adoption and deprecation proposal to config file keys [#3206] - @FedeDP
- cleanup(metrics): add original rule name as label [#3205] - @incertum
- update(falco): deprecate options -T, -t and -D [#3193] - @LucaGuerra
- refactor: bump libs and driver, support field modifiers [#3186] - @jasondellaluce
- chore(userspace/falco): deprecated old 'rules_file' config key [#3162] - @FedeDP
- chore(falco): update falco libs and driver to master (Apr 8th 2024) [#3158] - @LucaGuerra
- update(build): update libs to 026ffe1d8f1b25c6ccdc09afa2c02afdd3e3f672 [#3151] - @LucaGuerra
- cleanup: minor adjustments to readme, add new testing section [#3072] - @incertum
- refactor(userspace/engine): reduce allocations during rules loading [#3065] - @jasondellaluce
- update(CI): publish wasm package as dev-wasm [#3017] - @Rohith-Raju
- fix(userspace/falco): fix state initialization avoid a crash during hot reload [#3190] - @FedeDP
- fix(userspace/engine): make sure exception fields are not optional in replace mode [#3108] - @jasondellaluce
- fix(docker): added zstd to driver loader images [#3203] - @FedeDP
- fix(engine): raise warning instead of error on not-unique exceptions names [#3159] - @mrgian
- fix(engine): apply output substitutions for all sources [#3135] - @mrgian
- fix(userspace/configuration): make sure that folders that would trigger permission denied are not traversed [#3127] - @sgaist
- fix(engine): logical issue in exceptions condition [#3115] - @mrgian
- fix(cmake): properly let falcoctl cmake module create /usr/share/falco/plugins/ folder. [#3105] - @FedeDP
- update(scripts/falcoctl): bump falco-rules version to 3 [#3128] - @alacuku
- build(deps): Bump submodules/falcosecurity-rules from
59bf03b
to9e56293
[#3212] - @dependabot[bot] - chore(gha): update cosign to v3.5.0 [#3209] - @LucaGuerra
- build(deps): Bump submodules/falcosecurity-rules from
29c41c4
to59bf03b
[#3207] - @dependabot[bot] - update(cmake): bumped libs to 0.17.0-rc1 and falcoctl to v0.8.0-rc6. [#3204] - @FedeDP
- build(deps): Bump submodules/falcosecurity-rules from
3f668d0
to3cac61c
[#3044] - @dependabot[bot] - build(deps): Bump submodules/falcosecurity-testing from
ae3950a
to7abf76f
[#3094] - @dependabot[bot] - fix(ci): enforce bundled deps OFF in build-dev CI [#3118] - @FedeDP
- build(deps): Bump submodules/falcosecurity-rules from
88a40c8
to869c9a7
[#3156] - @dependabot[bot] - update(cmake): bumped falcoctl to v0.8.0-rc5. [#3199] - @FedeDP
- build(deps): Bump submodules/falcosecurity-rules from
4f153f5
to29c41c4
[#3198] - @dependabot[bot] - update(cmake): bump falcoctl to v0.8.0-rc4 [#3191] - @FedeDP
- refactor: smart pointer usage [#3184] - @federico-sysdig
- build(deps): Bump submodules/falcosecurity-rules from
ec255e6
to4f153f5
[#3182] - @dependabot[bot] - update(cmake): bumped libs and driver to latest master. [#3177] - @FedeDP
- chore(cmake): enable modern bpf build by default. [#3180] - @FedeDP
- cleanup(docs): fix typo in license blocks [#3175] - @LucaGuerra
- chore(docker,scripts): set old eBPF probe as lowest priority driver. [#3173] - @FedeDP
- build(deps): Bump submodules/falcosecurity-rules from
869c9a7
toec255e6
[#3170] - @dependabot[bot] - update(app): close inspectors at teardown time [#3169] - @LucaGuerra
- fix(docker): fixed docker entrypoints for driver loading. [#3168] - @FedeDP
- fix(docker,scripts): do not load falcoctl driver loader when installing Falco deb package in docker images [#3166] - @FedeDP
- update(ci): build both release and debug versions [#3161] - @LucaGuerra
- chore(userspace/falco): watch all configs files. [#3160] - @FedeDP
- fix(ci): update scorecard-action to v2.3.1 [#3153] - @LucaGuerra
- cleanup(falco): consolidate falco::grpc::server in one class [#3150] - @LucaGuerra
- new(build): enable ASan and UBSan builds with options and in CI [#3147] - @LucaGuerra
- fix(userspace): variable / function shadowing [#3123] - @sgaist
- build(deps): Bump submodules/falcosecurity-rules from
fbf0a4e
to88a40c8
[#3145] - @dependabot[bot] - fix(cmake): fix USE_BUNDLED_DEPS=ON and BUILD_FALCO_UNIT_TESTS=ON [#3146] - @LucaGuerra
- Add --kernelversion and --kernelrelease options to falco driver loader entrypoint [#3143] - @Sryther
- build(deps): Bump submodules/falcosecurity-rules from
44addef
tofbf0a4e
[#3139] - @dependabot[bot] - chore: bump to latest libs commit [#3137] - @Andreagit97
- refactor: Use FetchContent for integrating three bundled libs [#3107] - @federico-sysdig
- build(deps): Bump submodules/falcosecurity-rules from
dc7970d
to44addef
[#3136] - @dependabot[bot] - build(deps): Bump submodules/falcosecurity-rules from
f88b991
todc7970d
[#3126] - @dependabot[bot] - refactor(ci): Avoid using command make directly [#3101] - @federico-sysdig
- docs(proposal): 20231220-features-adoption-and-deprecation.md [#2986] - @leogr
- build(deps): Bump submodules/falcosecurity-rules from
b499a1d
tof88b991
[#3125] - @dependabot[bot] - docs(README.md): Falco Graduates within the CNCF [#3124] - @leogr
- build(deps): Bump submodules/falcosecurity-rules from
497e011
tob499a1d
[#3111] - @dependabot[bot] - chore(ci): bumped codeql actions. [#3114] - @FedeDP
- Cleanup warnings and smart ptrs [#3112] - @federico-sysdig
- new(build): add options to use bundled dependencies [#3092] - @mrgian
- fix(ci): test-dev-packages-arm64 needs build-dev-packages-arm64. [#3110] - @FedeDP
- refactor: bump libs and driver, and adopt unique pointers wherever possible [#3109] - @jasondellaluce
- cleanup: falco_engine test fixture [#3099] - @federico-sysdig
- refactor: test AtomicSignalHandler.handle_once_wait_consistency [#3100] - @federico-sysdig
- Cleanup variable use [#3097] - @sgaist
- cleanup(submodules): dropped testing submodule. [#3098] - @FedeDP
- cleanup(ci): make use of falcosecurity/testing provided composite action [#3093] - @FedeDP
- Improve const correctness [#3083] - @sgaist
- Improve exception throwing [#3085] - @sgaist
- fix(ci): update sync in deb and rpm scripts with acl [#3062] - @LucaGuerra
- cleanup(tests): consolidate Falco engine and rule loader tests [#3066] - @LucaGuerra
- cleanup: falco_engine deps and include paths [#3090] - @federico-sysdig
- fix: Some compiler warnings [#3089] - @federico-sysdig
- build(deps): Bump submodules/falcosecurity-rules from
0f60976
to497e011
[#3081] - @dependabot[bot] - fix(c++): add missing explicit to single argument constructors [#3069] - @sgaist
- Improve class initialization [#3074] - @sgaist
- build(deps): Bump submodules/falcosecurity-rules from
6ed2036
to0f60976
[#3078] - @dependabot[bot] - build(deps): Bump submodules/falcosecurity-rules from
1053b2d
to6ed2036
[#3067] - @dependabot[bot] - fix(c++): add missing overrides [#3064] - @sgaist
- new(build): prune deb-dev and rpm-dev directories [#3056] - @LucaGuerra
- refactor(userspace): align falco to gen-event class family deprecation [#3051] - @jasondellaluce
- build(deps): Bump submodules/falcosecurity-rules from
3cac61c
to1053b2d
[#3047] - @dependabot[bot] - fix: adopt new libsinsp logger [#3026] - @therealbobo
- refactor: cleanup libs relative include paths [#2936] - @therealbobo
- chore(ci): bumped rn2md to latest master. [#3046] - @FedeDP
- Support alternate rules loader [#3008] - @mstemm
- fix(ci): fixed release body driver version. [#3042] - @FedeDP
- build(deps): Bump submodules/falcosecurity-rules from
c39d31a
to3f668d0
[#3039] - @dependabot[bot]
Released on 2024-02-13
- new(docker): added option for insecure http driver download to falco and driver-loader images [#3058] - @toamto94
- update(cmake): bumped falcoctl to v0.7.2 [#3076] - @FedeDP
- update(build): link libelf dynamically [#3048] - @LucaGuerra
- fix(userspace/engine): always consider all rules (even the ones below min_prio) in m_rule_stats_manager [#3060] - @FedeDP
- Added http headers option for driver download in docker images [#3075] - @toamto94
- fix(build): install libstdc++ in the Wolfi image [#3053] - @LucaGuerra
Released on 2024-01-30
-
The deprecated
rate-limiter
mechanism is removed as it is no longer used.- the deprecated
outputs.rate
Falco config is removed. - the deprecated
outputs.max_burst
Falco config is removed.
- the deprecated
-
The deprecated
--userspace
CLI option is removed as it is no longer used. -
The
falco-driver-loader
script will be removed and embedded into falcoctl. The new falcoctl driven implementation will drop:--source-only
CLI option.BPF_USE_LOCAL_KERNEL_SOURCES
environment variable.DRIVER_CURL_OPTIONS
environment variable.FALCO_BPF_PROBE
environment variable is not used by the new falcoctl driver loader, since it is already deprecated and will be removed in the next major version.
Some env vars were renamed:
DRIVERS_REPO
env variable has been replaced byFALCOCTL_DRIVER_NAME
or--name
command line argument forfalcoctl driver
commandDRIVERS_NAME
env variable has been replaced byFALCOCTL_DRIVER_REPOS
, or--repo
command line argument forfalcoctl driver
commandDRIVER_KERNEL_RELEASE
env variable has been replaced by--kernelrelease
command line argument forfalcoctl driver install
commandDRIVER_KERNEL_VERSION
env variable has been replaced by--kernelversion
command line argument forfalcoctl driver install
commandDRIVER_INSECURE_DOWNLOAD
env variable has been replaced by--http-insecure
command line argument forfalcoctl driver install
command
-
Remove
-K/-k
options from Falco in favor of the newk8smeta
plugin. -
Drop plugins shipped with Falco since plugins are now be managed by falcoctl.
-
Falco 0.37.0 allows environment variables to be expanded even if they are part of a string. This introduces small breaking changes:
- Previously, environment variables used in YAML that were empty or defined as
“”
would be expanded to the default value. This was not consistent with the way YAML was handled in other cases, where we only returned the default values if the node was not defined. Now expanded env vars retain the same behavior of all other variables. - Falco 0.37.0 will return default value for nodes that cannot be parsed to chosen type.
program_output
command will be env-expanded at init time, instead of lettingpopen
and thus thesh
shell expand it. This is technically a breaking change even if no behavioral change is expected. Also, you can avoid env var expansion by using${{FOO}}
instead of${FOO}
. It will resolve to${FOO}
and won't be resolved to the env var value.
- Previously, environment variables used in YAML that were empty or defined as
- new!: dropped falco-driver-loader script in favor of new falcoctl driver command [#2905] - @FedeDP
- update!: bump libs to latest and deprecation of k8s metadata options and configs [#2914] - @jasondellaluce
- cleanup(falco)!: remove
outputs.rate
andoutputs.max_burst
from Falco config [#2841] - @Andreagit97 - cleanup(falco)!: remove
--userspace
support [#2839] - @Andreagit97 - new(engine): add selective overrides for Falco rules [#2981] - @LucaGuerra
- feat(userspace/falco): falco administrators can now configure the http output to compress the data sent as well as enable keep alive for the connection. Two new fields (compress_uploads and keep_alive) in the http_output block of the
falco.yaml
file can be used for that purpose. Both are disabled by default. [#2974] - @sgaist - new(userspace): support env variable expansion in all yaml, even inside strings. [#2918] - @FedeDP
- new(scripts): add a way to enforce driver kind and falcoctl enablement when installing Falco from packages and dialog is not present. [#2773] - @vjjmiras
- new(falco): print system info when Falco starts [#2927] - @Andreagit97
- new: driver selection in falco.yaml [#2413] - @therealbobo
- new(build): enable compilation on win32 and macOS. [#2889] - @therealbobo
- feat(userspace/falco): falco administrators can now configure the address on which the webserver listen using the new listen_address field in the webserver block of the
falco.yaml
file. [#2890] - @sgaist
- update(userspace/falco): add
engine_version_semver
key in/versions
endpoint [#2899] - @loresuso - update: default ruleset upgrade to version 3.0 [#3034] - @leogr
- update!(config): soft deprecation of drop stats counters in
syscall_event_drops
[#3015] - @incertum - update(cmake): bumped falcoctl tool to v0.7.1. [#3030] - @FedeDP
- update(rule_loader): deprecate the
append
flag in Falco rules [#2992] - @Andreagit97 - cleanup!(cmake): drop bundled plugins in Falco [#2997] - @FedeDP
- update(config): clarify deprecation notices + list all env vars [#2988] - @incertum
- update: now the
watch_config_files
config option monitors file/directory moving and deletion, too [#2965] - @NitroCao - update(userspace): enhancements in rule description feature [#2934] - @jasondellaluce
- update(userspace/falco): add libsinsp state metrics option [#2883] - @incertum
- update(doc): Add Thought Machine as adopters [#2919] - @RichardoC
- update(docs): add Wireshark/Logray as adopter [#2867] - @geraldcombs
- update: engine_version in semver representation [#2838] - @loresuso
- update(userspace/engine): modularize rule compiler, fix and enrich rule descriptions [#2817] - @jasondellaluce
- fix(userspace/metric): minor fixes in new libsinsp state metrics handling [#3033] - @incertum
- fix(userspace/engine): avoid storing escaped strings in engine defs [#3028] - @jasondellaluce
- fix(userspace/engine): cache latest rules compilation output [#2900] - @jasondellaluce
- fix(userspace/engine): solve description of macro-only rules [#2898] - @jasondellaluce
- fix(userspace/engine): fix memory leak [#2877] - @therealbobo
- fix: nlohmann_json lib include path [#3032] - @federico-sysdig
- chore: bump falco rules [#3021] - @Andreagit97
- chore: bump Falco to libs 0.14.1 [#3020] - @Andreagit97
- chore(build): remove outdated development libs [#2946] - @federico-sysdig
- chore(falco): bump Falco to
000d576
libs commit [#2944] - @Andreagit97 - fix(gha): update rpmsign [#2856] - @LucaGuerra
- build(deps): Bump submodules/falcosecurity-rules from
424b258
to1221b9e
[#3000] - @dependabot[bot] - build(deps): Bump submodules/falcosecurity-rules from
2ac430b
toc39d31a
[#3019] - @dependabot[bot] - cleanup(falco.yaml): rename
none
innodriver
[#3012] - @Andreagit97 - update(config): graduate outputs_queue to stable [#3016] - @incertum
- update(cmake): bump falcoctl to v0.7.0. [#3009] - @FedeDP
- build(deps): Bump submodules/falcosecurity-rules from
1221b9e
to2ac430b
[#3007] - @dependabot[bot] - chore(ci): bumped rn2md to latest master. [#3006] - @FedeDP
- chore: bump Falco to latest libs [#3002] - @Andreagit97
- chore: bump driver version [#2998] - @Andreagit97
- Add addl source related methods [#2939] - @mstemm
- build(deps): Bump submodules/falcosecurity-rules from
cd33bc3
to424b258
[#2993] - @dependabot[bot] - cleanup(engine): clarify deprecation notice for engines [#2987] - @LucaGuerra
- update(cmake): bumped falcoctl to v0.7.0-rc1. [#2983] - @FedeDP
- chore(ci): revert #2961. [#2984] - @FedeDP
- build(deps): Bump submodules/falcosecurity-testing from
930170b
to9b9630e
[#2980] - @dependabot[bot] - chore: bump Falco to latest libs [#2977] - @Andreagit97
- build(deps): Bump submodules/falcosecurity-rules from
262f569
tocd33bc3
[#2976] - @dependabot[bot] - Allow enabling rules by ruleset id in addition to name [#2920] - @mstemm
- chore(ci): enable aarch64 falco driver loader tests. [#2961] - @FedeDP
- chore(unit_tests): added more tests for yaml env vars expansion. [#2972] - @FedeDP
- chore(falco.yaml): use HOME env var for ebpf probe path. [#2971] - @FedeDP
- chore: bump falco to latest libs [#2970] - @Andreagit97
- build(deps): Bump submodules/falcosecurity-rules from
dd38952
to262f569
[#2969] - @dependabot[bot] - update(readme): add actuated.dev badge [#2967] - @LucaGuerra
- chore(cmake,docker): bumped falcoctl to v0.7.0-beta5. [#2968] - @FedeDP
- build(deps): Bump submodules/falcosecurity-rules from
64e2adb
todd38952
[#2959] - @dependabot[bot] - fix(docker): small fixes in docker entrypoints for new driver loader. [#2966] - @FedeDP
- chore(build): allow usage of non-bundled nlohmann-json [#2947] - @federico-sysdig
- update(ci): enable actuated.dev [#2945] - @LucaGuerra
- cleanup: fix several warnings from a Clang build [#2948] - @federico-sysdig
- chore(docker/falco): add back some deps to falco docker image. [#2932] - @FedeDP
- build(deps): Bump submodules/falcosecurity-testing from
92c313f
to5248e6d
[#2937] - @dependabot[bot] - build(deps): Bump submodules/falcosecurity-rules from
e206c1a
to8f0520f
[#2904] - @dependabot[bot] - cleanup(falco): remove decode_uri as it is no longer used [#2933] - @LucaGuerra
- update(engine): port decode_uri in falco engine [#2912] - @LucaGuerra
- chore(falco): update to libs on nov 28th [#2929] - @LucaGuerra
- cleanup(falco): remove
init
in the configuration constructor [#2917] - @Andreagit97 - build(deps): Bump submodules/falcosecurity-rules from
8f0520f
to64e2adb
[#2908] - @dependabot[bot] - cleanup(userspace/engine): remove legacy k8saudit implementation [#2913] - @jasondellaluce
- fix(gha): disable branch protection rule trigger for scorecard [#2911] - @LucaGuerra
- chore(gha): set cosign-installer to v3.1.2 [#2901] - @LucaGuerra
- new(docs): sync changelog for 0.36.2. [#2894] - @FedeDP
- Run OpenSSF Scorecard in pipeline [#2888] - @maxgio92
- cleanup: replace banned.h with semgrep [#2881] - @LucaGuerra
- chore(gha): upgrade GitHub actions [#2876] - @LucaGuerra
- build(deps): Bump submodules/falcosecurity-rules from
a22d0d7
toe206c1a
[#2865] - @dependabot[bot] - build(deps): Bump submodules/falcosecurity-rules from
d119706
toa22d0d7
[#2860] - @dependabot[bot] - fix(gha): use fedora instead of centos 7 for package publishing [#2854] - @LucaGuerra
- chore(gha): pin versions to hashes [#2849] - @LucaGuerra
- build(deps): Bump submodules/falcosecurity-rules from
c366d5b
tod119706
[#2847] - @dependabot[bot] - new(ci): properly link libs and driver releases linked to a Falco release [#2846] - @FedeDP
- build(deps): Bump submodules/falcosecurity-rules from
7a7cf24
toc366d5b
[#2842] - @dependabot[bot] - build(deps): Bump submodules/falcosecurity-rules from
77ba57a
to7a7cf24
[#2836] - @dependabot[bot] - chore(ci): bumped rn2md to latest master. [#2844] - @FedeDP
Released on 2023-10-27
NO CHANGES IN FALCO, ALL CHANGES IN LIBS.
Released on 2023-10-16
Released on 2023-09-26
- The default rules file that is shipped in the Falco image and/or can be downloaded via falcoctl as
falco-rules
is now a stable rule file. This file contains a much smaller number of rules that are less noisy and have been vetted by the community. This serves as a much requested "starter" Falco rule set that covers many common use case. The rest of that file has been expanded and split intofalco-incubating-rules
andfalco-sandbox-rules
. For more information, see the rules repository - The main
falcosecurity/falco
container image and itsfalco-driver-loader
counterpart have been upgraded. Now they are able to compile the kernel module or classic eBPF probe for relatively newer version of the kernel (5.x and above) while we no longer ship toolchains to compile the kernel module for older versions in the default images. Downloading of prebuilt drivers and the modern eBPF will work exactly like before. The older image, meant for compatibility with older kernels (4.x and below), is currently retained asfalcosecurity/falco-driver-loader-legacy
. - The Falco HTTP output no longer logs to stdout by default for performance reasons. You can set stdout logging preferences and restore the previous behavior with the configuration option
http_output.echo
infalco.yaml
. - The
--list-syscall-events
command line option has been replaced by--list-events
which prints all supported system events (syscall, tracepoints, metaevents, internal plugin events) in addition to extra information about flags. - The semantics of
proc.exepath
have changed. Now that field contains the executable path on disk even if the binary was launched from a symbolic link. - The
-d
daemonize option has been removed. - The
-p
option is now changed:- when only
-pc
is set Falco will printcontainer_id=%container.id container_image=%container.image.repository container_image_tag=%container.image.tag container_name=%container.name
- when
-pk
is set it will print as above, but withk8s_ns=%k8s.ns.name k8s_pod_name=%k8s.pod.name
appended
- when only
- new(falco-driver-loader): --source-only now prints the values as env vars [#2353] - @steakunderscore
- new(docker): allow passing options to falco-driver-loader from the driver loader container [#2781] - @LucaGuerra
- new(docker): add experimental falco-distroless image based on Wolfi [#2768] - @LucaGuerra
- new: the legacy falco image is available as driver-loader-legacy [#2718] - @LucaGuerra
- new: added option to enable/disable echoing of server answer to stdout (disabled by default) when using HTTP output [#2602] - @FedeDP
- new: support systemctl reload for Falco services [#2588] - @jabdr
- new(falco/config): add new configurations for http_output that allow mTLS [#2633] - @annadorottya
- new: allow falco to match multiple rules on same event [#2705] - @loresuso
- update(cmake): bumped bundled falcoctl to 0.6.2 [#2829] - @FedeDP
- update(rules)!: major rule update to version 2.0.0 [#2823] - @LucaGuerra
- update(cmake): bumped plugins to latest stable versions [#2820] - @FedeDP
- update(cmake): bumped libs to 0.13.0-rc2 and driver to 6.0.1+driver [#2806] - @FedeDP
- update!: default substitution for
%container.info
is now equalcontainer_id=%container.id container_name=%container.name
[#2793] - @leogr - update!: the --list-syscall-events flag is now called --list-events and lists all events [#2771] - @LucaGuerra
- update!: the Falco base image is now based on Debian 12 with gcc 11-12 [#2718] - @LucaGuerra
- update(docker): the Falco no-driver image is now based on Debian 12 [#2782] - @LucaGuerra
- feat(userspace)!: remove
-d
daemonize option [#2677] - @incertum - build(deps): Bump submodules/falcosecurity-rules from 3f52480 to 0d0e333 [#2693] - @dependabot[bot]
- build(deps): Bump submodules/falcosecurity-rules from 3f52480 to b42893a [#2756] - @dependabot[bot]
- build(deps): Bump submodules/falcosecurity-rules from b42893a to 6ed73fe [#2780] - @dependabot[bot]
- update(cmake): bumped libs to 0.13.0-rc1 and driver to 6.0.0+driver. [#2783] - @FedeDP
- feat: support parsing of system environment variables in yaml [#2562] - @therealdwright
- feat(userspace)!: deprecate stats command args option in favor of metrics configs in falco.yaml [#2739] - @incertum
- update: upgrade
falcoctl
to version 0.6.0 [#2764] - @leogr - cleanup: deprecate rate limiter mechanism [#2762] - @Andreagit97
- cleanup(config): add more info [#2758] - @incertum
- update(userspace/engine): improve skip-if-unknown-filter YAML field [#2749] - @jasondellaluce
- chore: improved HTTP output performance [#2602] - @FedeDP
- update!: HTTP output will no more echo to stdout by default [#2602] - @FedeDP
- chore: remove b64 from falco dependencies [#2746] - @Andreagit97
- update(cmake): support building libs and driver from forks [#2747] - @jasondellaluce
- update:
-p
presets have been updated to reflect the new rules style guide [#2737] - @leogr - feat: Allow specifying explicit kernel release and version for falco-driver-loader [#2728] - @johananl
- cleanup(config): assign Stable to
base_syscalls
config [#2740] - @incertum - update : support build for wasm [#2663] - @Rohith-Raju
- docs(config.yaml): fix wrong severity levels for sinsp logger [#2736] - @Andreagit97
- update(cmake): bump libs and driver to 0.12.0 [#2721] - @jasondellaluce
- update(docker): remove experimental image based on RedHat UBI [#2720] - @leogr
- fix(outputs): expose queue_capacity_outputs config for memory control [#2711] - @incertum
- fix(userspace/falco): cleanup metrics timer upon leaving. [#2759] - @FedeDP
- fix: restore Falco MINIMAL_BUILD and deprecate
userspace
option [#2761] - @Andreagit97 - fix(userspace/engine): support appending to unknown sources [#2753] - @jasondellaluce
- build(deps): Bump submodules/falcosecurity-rules from
69c9be8
to77ba57a
[#2833] - @dependabot[bot] - chore: bump submodule testing to 62edc65 [#2831] - @Andreagit97
- update(gha): add version for rn2md [#2830] - @LucaGuerra
- chore: automatically attach release author to release body. [#2828] - @FedeDP
- new(ci): autogenerate release body. [#2812] - @FedeDP
- fix(dockerfile): remove useless CMD [#2824] - @Andreagit97
- chore: bump to the latest libs [#2822] - @Andreagit97
- update: add SPDX license identifier [#2809] - @leogr
- chore: bump to latest libs [#2815] - @Andreagit97
- build(deps): Bump submodules/falcosecurity-rules from
ee5fb38
tobea364e
[#2814] - @dependabot[bot] - fix(build): set the right bucket and version for driver legacy [#2800] - @LucaGuerra
- build(deps): Bump submodules/falcosecurity-rules from
43580b4
toee5fb38
[#2810] - @dependabot[bot] - cleanup(userspace): thrown exceptions and avoid multiple logs [#2803] - @Andreagit97
- build(deps): Bump submodules/falcosecurity-rules from
c6e01fa
to43580b4
[#2801] - @dependabot[bot] - build(deps): Bump submodules/falcosecurity-testing from
76d1743
to30c3643
[#2802] - @dependabot[bot] - fix(userspace/falco): clearing full output queue [#2798] - @jasondellaluce
- update(docs): add driver-loader-legacy to readme and fix bad c&p [#2799] - @LucaGuerra
- build(deps): Bump submodules/falcosecurity-rules from
d31dbc2
toc6e01fa
[#2797] - @dependabot[bot] - docs: add LICENSE file [#2796] - @leogr
- build(deps): Bump submodules/falcosecurity-rules from
b6372d2
tod31dbc2
[#2794] - @dependabot[bot] - fix(stats): always initialize m_output field [#2789] - @Andreagit97
- build(deps): Bump submodules/falcosecurity-rules from
6ed73fe
tob6372d2
[#2786] - @dependabot[bot] - update(cmake/modules): bump rules to falco-rules-2.0.0-rc1 [#2775] - @leogr
- update(OWNERS): add LucaGuerra to owners [#2650] - @LucaGuerra
- build(deps): Bump submodules/falcosecurity-rules from
9126bef
to0328c59
[#2709] - @dependabot[bot] - build(deps): Bump submodules/falcosecurity-rules from
0d0e333
to64ce419
[#2731] - @dependabot[bot] - build(deps): Bump submodules/falcosecurity-rules from
3ceea88
to40a9817
[#2745] - @dependabot[bot] - docs(README.md): correct URL [#2772] - @vjjmiras
- #2393 Document why Falco is written in C++ rather than anything else [#2410] - @RichardoC
- chore: bump Falco to latest libs [#2769] - @Andreagit97
- ci: disable falco-driver-loader tests on ARM64 [#2770] - @Andreagit97
- update(userspace/falco): revised CLI help messages [#2755] - @leogr
- fix(engine): fix reorder warning for m_watch_config_files / m_rule_matching [#2767] - @LucaGuerra
- update: introduce new stats updated to the latest libs version [#2766] - @Andreagit97
- ci: support tests on amazon-linux [#2765] - @Andreagit97
- chore: bump Falco to latest libs master [#2754] - @Andreagit97
- build(deps): Bump submodules/falcosecurity-testing from
b39c807
to9110022
[#2760] - @dependabot[bot] - fix: fix "ebpf_enabled" output stat [#2751] - @Andreagit97
- fix(userspace/engine): support both old and new gcc + std::move [#2748] - @jasondellaluce
- cleanup: turn some warnings into errors [#2744] - @Andreagit97
- update(ci): minimize retention days for build-only CI artifacts [#2743] - @jasondellaluce
- cleanup: remove unused
--pidfile
option from systemd units [#2742] - @Andreagit97 - build(deps): Bump submodules/falcosecurity-rules from
bf1639a
to3ceea88
[#2741] - @dependabot[bot] - build(deps): Bump submodules/falcosecurity-rules from
64ce419
tobf1639a
[#2738] - @dependabot[bot] - Relocate tools on Flatcar in BPF mode [#2729] - @johananl
- build: update versioning with cmake [#2727] - @leogr
- update(userspace/engine): make rule_matching strategy stateless [#2726] - @loresuso
- chore: bump Falco to latest libs version [#2722] - @Andreagit97
- update: enforce bumping engine version whenever appropriate [#2719] - @jasondellaluce
Released on 2023-06-29
- update(userspace): change description of snaplen option stating only performance implications [#2634] - @loresuso
- update(cmake): bump libs to 0.11.3 [#2662] - @jasondellaluce
- cleanup(config): minor config clarifications [#2651] - @incertum
- update(cmake): bump falco rules to v1.0.1 [#2648] - @jasondellaluce
- chore(userspace/falco): make source matching error more expressive [#2623] - @jasondellaluce
- update(.github): integrate Go regression tests [#2437] - @jasondellaluce
- fix(scripts): fixed falco-driver-loader to manage debian kernel rt and cloud flavors. [#2627] - @FedeDP
- fix(userspace/falco): solve live multi-source issues when loading more than two sources [#2653] - @jasondellaluce
- fix(driver-loader): fix ubuntu kernel version parsing [#2635] - @therealbobo
- fix(userspace): switch to timer_settime API for stats writer. [#2646] - @FedeDP
- CI: bump ubuntu version for tests-driver-loader-integration job [#2661] - @Andreagit97
Released on 2023-06-07
-
BREAKING CHANGE: support for metadata enrichment from Mesos has been removed. [#2465] - @leogr
-
new(falco): introduce new metrics w/ Falco internal: metrics snapshot option and new metrics config [#2333] - @incertum
-
new(scripts): properly manage talos prebuilt drivers [#2537] - @FedeDP
-
new(release): released container images are now signed with cosign [#2546] - @LucaGuerra
-
new(ci): ported master and release artifacts publishing CI to gha [#2501] - @FedeDP
-
new(app_actions): introduce base_syscalls user option [#2428] - @incertum
-
new(falco/config): add new configurations for http_output that allow custom CA certificates and stores. [#2458] - @alacuku
-
new(userspace): add a new
syscall_drop_failed
config option to drop failed syscalls exit events [#2456] - @FedeDP
- update(cmake): bump Falco rules to 1.0.0 [#2618] - @loresuso
- update(cmake): bump libs to 0.11.1 [#2614] - @loresuso
- update(cmake): bump plugins to latest versions [#2610] - @loresuso
- update(cmake): bump falco rules to 1.0.0-rc1 [#2609] - @loresuso
- update(cmake): bump libs to 0.11.0 [#2608] - @loresuso
- cleanup(docs): update release.md [#2599] - @incertum
- update(cmake): bump libs to 0.11.0-rc5 and driver to 5.0.1. [#2600] - @FedeDP
- cleanup(docs): adjust falco readme style and content [#2594] - @incertum
- cleanup(userspace, config): improve metrics UX, add include_empty_values option [#2593] - @incertum
- feat: add the curl and jq packages to the falco-no-driver docker image [#2581] - @therealdwright
- update: add missing exception, required_engine_version, required_plugin_version to -L json output [#2584] - @loresuso
- feat: add image source OCI label to docker images [#2592] - @therealdwright
- cleanup(config): improve falco config [#2571] - @incertum
- update(cmake): bump libs and plugins to latest dev versions [#2586] - @jasondellaluce
- chore(userspace/falco): always print invalid syscalls from custom set [#2578] - @jasondellaluce
- update(build): upgrade falcoctl to 0.5.0 [#2572] - @LucaGuerra
- chore(userspace/falco/app): print all supported plugin caps [#2564] - @jasondellaluce
- update: get rules details with
-l
or-L
flags when json output format is specified [#2544] - @loresuso - update!: bump libs version, and support latest plugin features, add --nodriver option [#2552] - @jasondellaluce
- cleanup(actions): now modern bpf support
-A
flag [#2551] - @Andreagit97 - update:
falco-driver-loader
now uses now uses $TMPDIR if set [#2518] - @jabdr - update: improve control and UX of ignored events [#2509] - @jasondellaluce
- update: bump libs and adapt Falco to new libsinsp event source management [#2507] - @jasondellaluce
- new(app_actions)!: adjust base_syscalls option, add base_syscalls.repair [#2457] - @incertum
- update(scripts): support al2022 and al2023 in falco-driver-loader. [#2494] - @FedeDP
- update: sync libs with newest event name APIs [#2471] - @jasondellaluce
- update!: remove
--mesos-api
,-pmesos
, and-pm
command-line flags [#2465] - @leogr - cleanup(unit_tests): try making test_configure_interesting_sets more robust [#2464] - @incertum
- fix: unquote quoted URL's to avoid libcurl errors [#2596] - @therealdwright
- fix(userspace/engine): store alternatives as array in -L json output [#2597] - @loresuso
- fix(userspace/engine): store required engine version as string in -L json output [#2595] - @loresuso
- fix(userspace/falco): report plugin deps rules issues in any case [#2589] - @jasondellaluce
- fix(userspace): hotreload on wrong metrics [#2582] - @therealbobo
- fix(userspace): check the supported number of online CPUs with modern bpf [#2575] - @Andreagit97
- fix(userspace/falco): don't hang on terminating error when multi sourcing [#2576] - @jasondellaluce
- fix(userspace/falco): properly format numeric values in metrics [#2569] - @jasondellaluce
- fix(scripts): properly support debian kernel releases embedded in kernel version [#2377] - @FedeDP
- docs(README.md): add scope/status badge and simply doc structure [#2611] - @leogr
- build(deps): Bump submodules/falcosecurity-rules from
3471984
to16fb709
[#2598] - @dependabot[bot] - docs(proposals): Falco roadmap management [#2547] - @leogr
- build(deps): Bump submodules/falcosecurity-rules from
b2290ad
to3471984
[#2577] - @dependabot[bot] - update(build): libs 0.11.0-rc2 [#2573] - @LucaGuerra
- build(deps): Bump submodules/falcosecurity-rules from
3f52480
tob2290ad
[#2570] - @dependabot[bot] - update(ci): use repo instead of master branch for reusable workflows [#2568] - @LucaGuerra
- cleanup(ci): cleaned up circleci workflow. [#2566] - @FedeDP
- build(deps): Bump requests from 2.26.0 to 2.31.0 in /test [#2567] - @dependabot[bot]
- fix(ci): simplify and fix multi-arch image publishing process [#2542] - @LucaGuerra
- fix(ci): get the manifest for the correct tag [#2563] - @LucaGuerra
- build(deps): Bump submodules/falcosecurity-rules from
3f52480
to6da15ae
[#2559] - @dependabot[bot] - fix(ci): properly use
docker save
to store images. [#2560] - @FedeDP - fix(ci): docker arg is named
TARGETARCH
. [#2558] - @FedeDP - fix(ci): set docker TARGET_ARCH [#2557] - @FedeDP
- fix(ci): use normal docker to build docker images, instead of buildx. [#2556] - @FedeDP
- docs: improve documentation and description of base_syscalls option [#2515] - @Happy-Dude
- Updating Falco branding guidelines [#2493] - @aijamalnk
- build(deps): Bump submodules/falcosecurity-rules from
f773578
to6da15ae
[#2553] - @dependabot[bot] - fix(cmake): properly exclude prereleases when fetching latest tag from cmake [#2550] - @FedeDP
- fix(ci): load falco image before building falco-driver-loader [#2549] - @LucaGuerra
- fix(ci): correctly tag slim manifest [#2545] - @LucaGuerra
- cleanup(config): modern bpf is no more experimental [#2538] - @Andreagit97
- new(ci): add RC/prerelease support [#2533] - @LucaGuerra
- fix(ci): configure ECR public region [#2531] - @LucaGuerra
- fix(ci): falco images directory, ecr login [#2528] - @LucaGuerra
- fix(ci): separate rpm/bin/bin-static/deb packages before publication, rename bin-static [#2527] - @LucaGuerra
- fix(ci): add Cloudfront Distribution ID [#2525] - @LucaGuerra
- fix(ci): escape heredoc [#2521] - @LucaGuerra
- chore(ci): build-musl-package does not need to wait for build-packages anymore [#2520] - @FedeDP
- fix: ci Falco version [#2516] - @FedeDP
- fix(ci): fetch version step, download rpms/debs, minor change [#2519] - @LucaGuerra
- chore(ci): properly install recent version of git (needed >= 2.18 by checkout action) [#2514] - @FedeDP
- fix(ci): enable toolset before every make command [#2513] - @LucaGuerra
- fix(ci): remove unnecessary mv [#2512] - @LucaGuerra
- fix(ci): bucket -> bucket_suffix [#2511] - @LucaGuerra
- build(deps): Bump submodules/falcosecurity-rules from
5857874
to1bd7e4a
[#2478] - @dependabot[bot] - build(deps): Bump submodules/falcosecurity-rules from
694adf5
to5857874
[#2473] - @dependabot[bot] - cleanup(ci): properly set a concurrency for CI workflows. [#2470] - @FedeDP
- build(deps): Bump submodules/falcosecurity-rules from
e0646a0
to694adf5
[#2466] - @dependabot[bot] - build(deps): Bump submodules/falcosecurity-rules from
0b0f50f
toe0646a0
[#2460] - @dependabot[bot]
Released on 2023-02-20
- fix(userspace/engine): correctly bump FALCO_ENGINE_VERSION after introduction of new fields [#2418] - @loresuso
Released on 2023-02-07
-
BREAKING CHANGE: if you relied upon
application_rules.yaml
you can download it from https://github.com/falcosecurity/rules/tree/main/rules and manually install it. [#2389] - @leogr -
new(rules): New rule to detect attempts to inject code into a process using PTRACE [#2226] - @Brucedh
-
new(engine): Also include exact locations for rule condition compile errors (missing macros, etc). [#2216] - @mstemm
-
new(scripts): Support older RHEL distros in falco-driver-loader script [#2312] - @gentooise
-
new(scripts): add
falcoctl
config into Falco package [#2390] - @Andreagit97 -
new(userspace/falco): [EXPERIMENTAL] allow modern bpf probe to assign more than one CPU to a single ring buffer [#2363] - @Andreagit97
-
new(userspace/falco): add webserver endpoint for retrieving internal version numbers [#2356] - @jasondellaluce
-
new(falco): add --version-json to print version information in json format [#2331] - @LucaGuerra
-
new(scripts): support multiple drivers in systemd units [#2242] - @FedeDP
-
new(scripts): add bottlerocket support in falco-driver-loader [#2318] - @FedeDP
-
new(falco): add more version fields to --support and --version [#2325] - @LucaGuerra
-
new(config): explicitly add the
simulate_drops
config [#2260] - @Andreagit97
- build: upgrade to
falcoctl
v0.4.0 [#2406] - @loresuso - update(userspace): change
modern_bpf.cpus_for_each_syscall_buffer
default value [#2404] - @Andreagit97 - update(build): update falcoctl to 0.3.0 [#2401] - @LucaGuerra
- update(build): update falcoctl to 0.3.0-rc7 [#2396] - @LucaGuerra
- update(cmake): bump libs to 0.10.3 [#2392] - @FedeDP
- build:
/etc/falco/rules.available
has been deprecated [#2389] - @leogr - build:
application_rules.yaml
is not shipped anymore with Falco [#2389] - @leogr - build: upgrade k8saudit plugin to v0.5.0 [#2381] - @leogr
- build: upgrade cloudtrail plugin to v0.6.0 [#2381] - @leogr
- new!: ship falcoctl inside Falco [#2345] - @FedeDP
- refactor: remove rules and add submodule to falcosecurity/rules [#2359] - @jasondellaluce
- update(scripts): add option for regenerating signatures of all dev and release packages [#2364] - @jasondellaluce
- update: print JSON version output when json_output is enabled [#2351] - @jasondellaluce
- update(cmake): updated libs to 0.10.1 tag. [#2362] - @FedeDP
- Install the certificates of authorities in falco:no-driver docker image [#2355] - @Issif
- update: Mesos support is now deprecated and will be removed in the next version. [#2328] - @leogr
- update(scripts/falco-driver-loader): optimize the resiliency of module download script for air-gapped environments [#2336] - @Dentrax
- doc(userspace): provide users with a correct message when some syscalls are not defined [#2329] - @Andreagit97
- update(ci): update ci jobs to generate Falco images with the modern BPF probe [#2320] - @Andreagit97
- rules: add Falco container lists [#2290] - @oscr
- rules(macro: private_key_or_password): now also check for OpenSSH private keys [#2284] - @oscr
- update(cmake): bump libs and driver to latest RC. [#2302] - @FedeDP
- Ensure that a ruleset object is copied properly in falco_engine::add_source(). [#2271] - @mstemm
- update(userspace/falco): enable using zlib with webserver [#2125] - @jasondellaluce
- update(falco): add container-gvisor and kubernetes-gvisor print options [#2288] - @LucaGuerra
- cleanup: always use bundled libz and libelf in BUNDLED_DEPS mode. [#2277] - @FedeDP
- update: updated libs and driver to version dd443b67c6b04464cb8ee2771af8ada8777e7fac [#2277] - @FedeDP
- update(falco.yaml):
open_params
under plugins configuration is now trimmed from surrounding whitespace [#2267] - @yardenshoham
- fix(engine): Avoid crash related to caching syscall source when the falco engine uses multiple sources at the same time. [#2272] - @mstemm
- fix(scripts): use falco-driver-loader only into install scripts [#2391] - @Andreagit97
- fix(userspace/falco): fix grpc server shutdown [#2350] - @FedeDP
- fix(docker/falco): trust latest GPG key [#2365] - @jasondellaluce
- fix(userspace/engine): improve rule loading validation results [#2344] - @jasondellaluce
- fix: graceful error handling for macros/lists reference loops [#2311] - @jasondellaluce
- rules(tagging): enhanced rules tagging for inventory / threat modeling [#2167] - @incertum
- rule(Outbound Connection to C2 Server): Update the "Outbound connection to C2 server" rule to match both FQDN and IP addresses. Prior to this change, the rule only matched IP addresses and not FQDN. [#2241] - @Nicolas-Peiffer
- rule(Execution from /dev/shm): new rule to detect execution from /dev/shm [#2225] - @AlbertoPellitteri
- rule(Find AWS Credentials): new rule to detect executions looking for AWS credentials [#2224] - @AlbertoPellitteri
- rule(Linux Kernel Module Injection Detected): improve insmod detection within container using CAP_SYS_MODULE [#2305] - @loresuso
- rule(Read sensitive file untrusted): let salt-call read sensitive files [#2291] - @vin01
- rule(macro: rpm_procs): let salt-call write to rpm database [#2291] - @vin01
- fix(ci): fix rpm sign job dependencies [#2324] - @cappellinsamuele
- chore(userspace): add
njson
lib as a dependency forfalco_engine
[#2316] - @Andreagit97 - fix(scripts): force rpm postinstall script to always show dialog, even on upgrade [#2405] - @FedeDP
- fix(scripts): fixed falcoctl config install dir. [#2399] - @FedeDP
- fix(scripts): make /usr writable [#2398] - @therealbobo
- fix(scripts): driver loader insmod [#2388] - @FedeDP
- update(systemd): solve some issues with systemd unit [#2385] - @Andreagit97
- build(cmake): upgrade falcoctl to v0.3.0-rc6 [#2383] - @leogr
- docs(.github): rules are no longer in this repo [#2382] - @leogr
- update(CI): mitigate frequent failure in CircleCI jobs [#2375] - @Andreagit97
- fix(userspace): use the right path for the
cpus_for_each_syscall_buffer
config [#2378] - @Andreagit97 - fix(scripts): fixed incorrect bash var expansion [#2367] - @therealbobo
- update(CI): upgrade toolchain in modern falco builder dockerfile [#2337] - @Andreagit97
- cleanup(ci): move static analysis job from circle CI to GHA [#2332] - @Andreagit97
- update(falco): update cpp-httplib to 0.11.3 [#2327] - @LucaGuerra
- update(script): makes user able to pass custom option to driver-loade… [#1901] - @andreabonanno
- cleanup(ci): remove some unused jobs and remove some
falco-builder
reference where possible [#2322] - @Andreagit97 - docs(proposal): new artifacts distribution proposal [#2304] - @leogr
- fix(cmake): properly fetch dev version by appending latest Falco tag, delta between master and tag, and hash [#2292] - @FedeDP
- chore(deps): Bump certifi from 2020.4.5.1 to 2022.12.7 in /test [#2313] - @dependabot[bot]
- chore: remove string view lite [#2307] - @leogr
- new(CHANGELOG): add entry for 0.33.1 (in master branch this time) [#2303] - @LucaGuerra
- update(docs): add overview and versioning sections to falco release.md [#2205] - @incertum
- Add Xenit AB to adopters [#2285] - @NissesSenap
- fix(userspace/falco): verify engine fields only for syscalls [#2281] - @jasondellaluce
- fix(output): do not print syscall_buffer_size when gvisor is enabled [#2283] - @alacuku
- fix(engine): fix warning about redundant std::move [#2286] - @LucaGuerra
- fix(scripts): force falco-driver-loader script to try to compile the driver anyway even on unsupported platforms [#2219] - @FedeDP
- fix(ci): fixed version bucket for release jobs. [#2266] - @FedeDP
Released on 2022-11-24
- update(falco): fix container-gvisor and kubernetes-gvisor print options [#2288]
- Update libs to 0.9.2, fixing potential CLBO on gVisor+Kubernetes and crash with eBPF when some CPUs are offline [#2299] - @LucaGuerra
Released on 2022-10-19
- new: add a
drop_pct
referred to the global number of events [#2130] - @Andreagit97 - new: print some info about eBPF and enabled sources when Falco starts [#2133] - @Andreagit97
- new(userspace): print architecture information [#2147] - @Andreagit97
- new(CI): add CodeQL security scanning to Falco. [#2171] - @Andreagit97
- new: configure syscall buffer dimension from Falco [#2214] - @Andreagit97
- new(cmdline): add development support for modern BPF probe [#2221] - @Andreagit97
- new(falco-driver-loader):
DRIVERS_REPO
now supports the use of multiple download URLs (comma separated) [#2165] - @IanRobertson-wpe - new(userspace/engine): support alternative plugin version requirements in checks [#2190] - @jasondellaluce
- new: support running multiple event sources in parallel [#2182] - @jasondellaluce
- new(userspace/falco): automatically create paths for grpc unix socket and gvisor endpoint. [#2189] - @FedeDP
- new(scripts): allow falco-driver-loader to properly distinguish any ubuntu flavor [#2178] - @FedeDP
- new: add option to enable event sources selectively [#2085] - @jasondellaluce
- docs(falco-driver-loader): add some comments in
falco-driver-loader
[#2153] - @Andreagit97 - update(cmake): use latest libs tag
0.9.0
[#2257] - @Andreagit97 - update(.circleci): re-enabled cppcheck [#2186] - @leogr
- update(userspace/engine): improve falco files loading performance [#2151] - @VadimZy
- update(cmake): use latest driver tag 3.0.1+driver [#2251] - @Andreagit97
- update(userspace/falco)!: adapt stats writer for multiple parallel event sources [#2182] - @jasondellaluce
- refactor(userspace/engine): remove falco engine APIs that returned a required_engine_version [#2096] - @mstemm
- update(userspace/engine): add some small changes to rules matching that reduce cpu usage with high event volumes (> 1M syscalls/sec) [#2210] - @mstemm
- rules: added process IDs to default rules [#2211] - @spyder-kyle
- update(scripts/debian): falco.service systemd unit is now cleaned-up during (re)install and removal via the DEB and RPM packages [#2138] - @Happy-Dude
- update(userspace/falco): move on from deprecated libs API for printing event list [#2253] - @jasondellaluce
- chore(userspace/falco): improve cli helper and log options with debug level [#2252] - @jasondellaluce
- update(userspace): minor pre-release improvements [#2236] - @jasondellaluce
- update: bumped libs to fd46dd139a8e35692a7d40ab2f0ed2016df827cf. [#2201] - @FedeDP
- update!: gVisor sock default path changed from
/tmp/gvisor.sock
to/run/falco/gvisor.sock
[#2163] - @vjjmiras - update!: gRPC server sock default path changed from
/run/falco.sock.sock
to/run/falco/falco.sock
[#2163] - @vjjmiras - update(scripts/falco-driver-loader): minikube environment is now correctly detected [#2191] - @alacuku
- update(rules/falco_rules.yaml):
required_engine_version
changed to 13 [#2179] - @incertum - refactor(userspace/falco): re-design stats writer and make it thread-safe [#2109] - @jasondellaluce
- refactor(userspace/falco): make signal handlers thread safe [#2091] - @jasondellaluce
- refactor(userspace/engine): strengthen and document thread-safety guarantees of falco_engine::process_event [#2082] - @jasondellaluce
- update(userspace/falco): make webserver threadiness configurable [#2090] - @jasondellaluce
- refactor(userspace/falco): reduce app actions dependency on app state and inspector [#2097] - @jasondellaluce
- update(userspace/falco): use move semantics in falco logger [#2095] - @jasondellaluce
- update: use
FALCO_HOSTNAME
env var to override the hostname value [#2174] - @leogr - update: bump libs and driver versions to 6599e2efebce30a95f27739d655d53f0d5f686e4 [#2177] - @jasondellaluce
- refactor(userspace/falco): make output rate limiter optional and output engine explicitly thread-safe [#2139] - @jasondellaluce
- update(falco.yaml)!: notification rate limiter disabled by default. [#2139] - @jasondellaluce
- fix: compute the
drop ratio
in the right way [#2128] - @Andreagit97 - fix(falco_service): falco service needs to write under /sys/module/falco [#2238] - @Andreagit97
- fix(userspace): cleanup output of ruleset validation result [#2248] - @jasondellaluce
- fix(userspace): properly print ignored syscalls messages when not in
-A
mode [#2243] - @jasondellaluce - fix(falco): clarify pid/tid and container info in gvisor [#2223] - @LucaGuerra
- fix(userspace/engine): avoid reading duplicate exception values [#2200] - @jasondellaluce
- fix: hostname was not present when
json_output: true
[#2174] - @leogr
- rule(macro: known_gke_mount_in_privileged_containers): add new macro [#2198] - @hi120ki
- rule(Mount Launched in Privileged Container): add GKE default pod into allowlist in Mount Launched of Privileged Container rule [#2198] - @hi120ki
- rule(list: known_binaries_to_read_environment_variables_from_proc_files): add new list [#2193] - @hi120ki
- rule(Read environment variable from /proc files): add rule to detect an attempt to read process environment variables from /proc files [#2193] - @hi120ki
- rule(macro: k8s_containers): add falco no-driver images [#2234] - @jasondellaluce
- rule(macro: open_file_failed): add new macro [#2118] - @incertum
- rule(macro: directory_traversal): add new macro [#2118] - @incertum
- rule(Directory traversal monitored file read): add new rule [#2118] - @incertum
- rule(Modify Container Entrypoint): new rule created to detect CVE-2019-5736 [#2188] - @darryk10
- rule(Program run with disallowed http proxy env)!: disabled by default [#2179] - @incertum
- rule(Container Drift Detected (chmod))!: disabled by default [#2179] - @incertum
- rule(Container Drift Detected (open+create))!: disabled by default [#2179] - @incertum
- rule(Packet socket created in container)!: removed consider_packet_socket_communication macro [#2179] - @incertum
- rule(macro: consider_packet_socket_communication)!: remove unused macro [#2179] - @incertum
- rule(Interpreted procs outbound network activity)!: disabled by default [#2166] - @incertum
- rule(Interpreted procs inbound network activity)!: disabled by default [#2166] - @incertum
- rule(Contact cloud metadata service from container)!: disabled by default [#2166] - @incertum
- rule(macro: consider_interpreted_outbound)!: remove unused macro [#2166] - @incertum
- rule(macro: consider_interpreted_inbound)!: remove unused macro [#2166] - @incertum
- rule(macro: consider_metadata_access)!: remove unused macro [#2166] - @incertum
- rule(Unexpected outbound connection destination)!: disabled by default [#2168] - @incertum
- rule(Unexpected inbound connection source)!: disabled by default [#2168] - @incertum
- rule(Read Shell Configuration File)!: disabled by default [#2168] - @incertum
- rule(Schedule Cron Jobs)!: disabled by default [#2168] - @incertum
- rule(Launch Suspicious Network Tool on Host)!: disabled by default [#2168] - @incertum
- rule(Create Hidden Files or Directories)!: disabled by default [#2168] - @incertum
- rule(Outbound or Inbound Traffic not to Authorized Server Process and Port)!: disabled by default [#2168] - @incertum
- rule(Network Connection outside Local Subnet)!: disabled by default [#2168] - @incertum
- rule(macro: consider_all_outbound_conns)!: remove unused macro [#2168] - @incertum
- rule(macro: consider_all_inbound_conns)!: remove unused macro [#2168] - @incertum
- rule(macro: consider_shell_config_reads)!: remove unused macro [#2168] - @incertum
- rule(macro: consider_all_cron_jobs)!: remove unused macro [#2168] - @incertum
- rule(macro: consider_all_inbound_conns)!: remove unused macro [#2168] - @incertum
- rule(macro: consider_hidden_file_creation)!: remove unused macro [#2168] - @incertum
- rule(macro: allowed_port)!: remove unused macro [#2168] - @incertum
- rule(macro: enabled_rule_network_only_subnet)!: remove unused macro [#2168] - @incertum
- rule(macro: consider_userfaultfd_activities)!: remove unused macro [#2168] - @incertum
- rule(macro: consider_all_chmods)!: remove unused macro [#2168] - @incertum
- rule(Set Setuid or Setgid bit)!: removed consider_all_chmods macro [#2168] - @incertum
- rule(Container Drift Detected (chmod))!: removed consider_all_chmods macro [#2168] - @incertum
- rule(Unprivileged Delegation of Page Faults Handling to a Userspace Process)!: removed consider_userfaultfd_activities macro [#2168] - @incertum
- new(userspace): support
SCAP_FILTERED_EVENT
return code [#2148] - @Andreagit97 - chore(test/utils): remove unused script [#2157] - @Andreagit97
- Enrich pull request template [#2162] - @Andreagit97
- vote: update(OWNERS): add Andrea Terzolo to owners [#2185] - @Andreagit97
- fix(CI): codespell should ignore
ro
word [#2173] - @Andreagit97 - chore: bump plugin version [#2256] - @Andreagit97
- fix(userspace/falco): avoid using CPU when main thread waits for parallel event sources [#2255] - @jasondellaluce
- fix(scripts): inject kmod script fails with some systemd versions [#2250] - @Andreagit97
- chore(userspace/falco): make logging optional when terminating, restarting, and reopening outputs [#2249] - @jasondellaluce
- chore: bump libs version [#2244] - @Andreagit97
- update(userspace): solve warnings and performance tips from cppcheck [#2247] - @jasondellaluce
- fix(userspace/falco): make signal termination more robust with multi-threading [#2235] - @jasondellaluce
- fix(userspace/falco): make termination and signal handlers more stable [#2239] - @jasondellaluce
- fix(userspace): safely check string bounded access [#2237] - @jasondellaluce
- chore: bump libs/driver to the latest release branch commit [#2232] - @Andreagit97
- fix(userspace/falco): check plugin requirements when validating rule files [#2233] - @jasondellaluce
- fix(userspace): add explicit constructors and initializations [#2229] - @jasondellaluce
- Add StackRox to adopters [#2187] - @Molter73
- fix(process_events): check the return value of
open_live_inspector
[#2215] - @Andreagit97 - fix(userspace/engine): properly include stdexcept header to fix build. [#2197] - @FedeDP
- refactor(userspace/engine): split rule loader classes for a more testable design [#2206] - @jasondellaluce
- chore(OWNERS): cleanup inactive reviewer [#2204] - @leogr
- fix(circleci): falco-driver-loader image build must be done starting from just-pushed falco master image. [#2194] - @FedeDP
- Support condition parse errors in rule loading results [#2155] - @mstemm
- docs: readme update [#2183] - @leogr
- cleanup: rename legacy references [#2180] - @jasondellaluce
- refactor(userspace/engine): increase const coherence in falco engine [#2081] - @jasondellaluce
- Rules result handle multiple files [#2158] - @mstemm
- fix: print full rule load errors/warnings without verbose/-v [#2156] - @mstemm
Released on 2022-08-09
- fix: Added ARCH to bpf download URL [#2142] - @eric-engberg
Released on 2022-07-11
- new(falco): add gVisor support [#2078] - @LucaGuerra
- new(docker,scripts): add multiarch images and ARM64 packages [#1990] - @FedeDP
- update(build): Switch from RSA/SHA1 to RSA/SHA256 signature in the RPM package [#2044] - @vjjmiras
- refactor(userspace/engine): drop macro source field in rules and rule loader [#2094] - @jasondellaluce
- build: introduce
DRIVER_VERSION
that allows setting a driver version (which may differ from the falcosecurity/libs version) [#2086] - @leogr - update: add more info to
--version
output [#2086] - @leogr - build(scripts): publish deb repo has now a InRelease file [#2060] - @FedeDP
- update(userspace/falco): make plugin init config optional and add --plugin-info CLI option [#2059] - @jasondellaluce
- update(userspace/falco): support libs logging [#2093] - @jasondellaluce
- update(falco): update libs to 0.7.0 [#2119] - @LucaGuerra
- fix(userspace/falco): ensure that only rules files named with
-V
are loaded when validating rules files. [#2088] - @mstemm - fix(rules): use exit event in reverse shell detection rule [#2076] - @alacuku
- fix(scripts): falco-driver-loader script will now seek for drivers in driver/${ARCH}/ for x86_64 too. [#2057] - @FedeDP
- fix(falco-driver-loader): building falco module with DKMS on Flatcar and supporting fetching pre-built module/eBPF probe [#2043] - @jepio
- rule(Redirect STDOUT/STDIN to Network Connection in Container): changed priority to NOTICE [#2092] - @leogr
- rule(Java Process Class Download): detect potential log4shell exploitation [#2041] - @pirxthepilot
- remove kaizhe from falco rule owner [#2050] - @Kaizhe
- docs(readme): added arm64 mention + packages + badge. [#2101] - @FedeDP
- new(circleci): enable integration tests for arm64. [#2099] - @FedeDP
- chore(cmake): bump plugins versions [#2102] - @Andreagit97
- fix(docker): fixed deb tester sub image. [#2100] - @FedeDP
- fix(ci): fix sign script - avoid interpreting '{*}$argv' too soon [#2075] - @vjjmiras
- fix(tests): make tests run locally (take 2) [#2089] - @LucaGuerra
- fix(ci): creates ~/sign instead of ./sign [#2072] - @vjjmiras
- fix(ci): sign arm64 rpm packages. [#2069] - @FedeDP
- update(falco_scripts): Change Flatcar dynlinker path [#2066] - @jepio
- fix(scripts): fixed path in publish-deb script. [#2062] - @FedeDP
- fix(build): docker-container buildx engine does not support retagging images. Tag all images together. [#2058] - @FedeDP
- fix(build): fixed publish-docker-dev job context. [#2056] - @FedeDP
- Correct linting issue in rules [#2055] - @stephanmiehe
- Fix falco compilation issues with new libs [#2053] - @alacuku
- fix(scripts): forcefully create packages dir for debian packages. [#2054] - @FedeDP
- fix(build): removed leftover line in circleci config. [#2052] - @FedeDP
- fix(build): fixed circleCI artifacts publish for arm64. [#2051] - @FedeDP
- update(docker): updated falco-builder to fix multiarch support. [#2049] - @FedeDP
- fix(build): use apt instead of apk when installing deps for aws ecr publish [#2047] - @FedeDP
- fix(build): try to use root user for cimg/base [#2045] - @FedeDP
- update(build): avoid double build of docker images when pushing to aws ecr [#2046] - @FedeDP
- chore(k8s_audit_plugin): bump k8s audit plugin version [#2042] - @Andreagit97
- fix(tests): make run_regression_tests.sh work locally [#2020] - @LucaGuerra
- Circle CI build job for ARM64 [#1997] - @odidev
Released on 2022-06-03
- new: added new
watch_config_files
config option, to trigger a Falco restart whenever a change is detected in the rules or config files [#1991] - @FedeDP - new(rules): add rule to detect excessively capable container [#1963] - @loresuso
- new(rules): add rules to detect pods sharing host pid and IPC namespaces [#1951] - @loresuso
- new(image): add Falco image based on RedHat UBI [#1943] - @araujof
- new(falco): add --markdown and --list-syscall-events [#1939] - @LucaGuerra
- update(build): updated plugins to latest versions. [#2033] - @FedeDP
- refactor(userspace/falco): split the currently monolithic falco_init into smaller "actions", managed by the falco application's action manager. [#1953] - @mstemm
- rules: out of the box ruleset for OKTA Falco Plugin [#1955] - @darryk10
- update(build): updated libs to 39ae7d40496793cf3d3e7890c9bbdc202263836b [#2031] - @FedeDP
- update!: moving out plugins ruleset files [#1995] - @leogr
- update: added
hostname
as a field in JSON output [#1989] - @Milkshak3s - refactor!: remove K8S audit logs from Falco [#1952] - @jasondellaluce
- refactor(userspace/engine): use supported_operators helper from libsinsp filter parser [#1975] - @jasondellaluce
- refactor!: deprecate PSP regression tests and warn for unsafe usage of in k8s audit filters [#1976] - @jasondellaluce
- build(cmake): upgrade catch2 to 2.13.9 [#1977] - @leogr
- refactor(userspace/engine): reduce memory usage for resolving evttypes [#1965] - @jasondellaluce
- refactor(userspace/engine): remove Lua from Falco and re-implement the rule loader [#1966] - @jasondellaluce
- refactor(userspace/engine): decoupling ruleset reading, parsing, and compilation steps [#1970] - @jasondellaluce
- refactor: update definitions of falco_common [#1967] - @jasondellaluce
- update: improved Falco engine event processing performance [#1944] - @deepskyblue86
- refactor(userspace/engine): use libsinsp filter parser and compiler inside rule loader [#1947] - @jasondellaluce
- fix(userspace/engine): skip rules with unknown sources that also have exceptions, and skip macros with unknown sources. [#1920] - @mstemm
- fix(userspace/falco): enable k8s and mesos clients only when syscall source is enabled [#2019] - @jasondellaluce
- rule(Launch Excessively Capable Container): fix typo in description [#1996] - @mmonitz
- rule(macro: known_shell_spawn_cmdlines): add
sh -c /usr/share/lighttpd/create-mime.conf.pl
to macro [#1996] - @mmonitz - rule(macro net_miner_pool): additional syscall for detection [#2011] - @beryxz
- rule(macro truncate_shell_history): include .ash_history [#1956] - @bdashrad
- rule(macro modify_shell_history): include .ash_history [#1956] - @bdashrad
- rule(Detect release_agent File Container Escapes): new rule created to detect an attempt to exploit a container escape using release_agent file [#1969] - @darryk10
- rule(k8s: secret): detect
get
attempts for both successful and unsuccessful attempts [#1949] - @Dentrax - rule(K8s Serviceaccount Created/Deleted): Fixed output for the rules [#1973] - @darryk10
- rule(Disallowed K8s User): exclude allowed EKS users [#1960] - @darryk10
- rule(Launch Ingress Remote File Copy Tools in Container): Removed use cases not triggering the rule [#1968] - @darryk10
- rule(Mount Launched in Privileged Container): added allowlist macro user_known_mount_in_privileged_containers. [#1930] - @mmoyerfigma
- rule(macro user_known_shell_config_modifiers): allow to allowlist shell config modifiers [#1938] - @claudio-vellage
- new: update plugins [#2023] - @FedeDP
- update(build): updated libs version for Falco 0.32.0 release. [#2022] - @FedeDP
- update(build): updated libs to 1be924900a09cf2e4db4b4ae13d03d838959f350 [#2024] - @FedeDP
- chore(userspace/falco): do not print error code in process_events.cpp [#2030] - @alacuku
- fix(falco-scripts): remove driver versions with
dkms-3.0.3
[#2027] - @Andreagit97 - chore(userspace/falco): fix punctuation typo in output message when loading plugins [#2026] - @alacuku
- refactor(userspace): change falco engine design to properly support multiple sources [#2017] - @jasondellaluce
- update(userspace/falco): improve falco termination [#2012] - @Andreagit97
- update(userspace/engine): introduce new
check_plugin_requirements
API [#2009] - @Andreagit97 - fix(userspace/engine): improve rule loader source checks [#2010] - @Andreagit97
- fix: split filterchecks per source-idx [#1999] - @FedeDP
- new: port CI builds to github actions [#2000] - @FedeDP
- build(userspace/engine): cleanup unused include dir [#1987] - @leogr
- rule(Anonymous Request Allowed): exclude {/livez, /readyz} [#1954] - @sledigabel
- chore(falco_scripts): Update
falco-driver-loader
cleaning phase [#1950] - @Andreagit97 - new(userspace/falco): use new plugin caps API [#1982] - @FedeDP
- build: correct conffiles for DEB packages [#1980] - @leogr
- Fix exception parsing regressions [#1985] - @mstemm
- Add codespell GitHub Action [#1962] - @invidian
- build: components opt-in mechanism for packages [#1979] - @leogr
- add gVisor to ADOPTERS.md [#1974] - @kevinGC
- rules: whitelist GCP's container threat detection image [#1959] - @clmssz
- Fix some typos [#1961] - @invidian
- chore(rules): remove leftover [#1958] - @leogr
- docs: readme update and plugins [#1940] - @leogr
Released on 2022-03-09
- new: add a new drop category
n_drops_scratch_map
[#1916] - @Andreagit97 - new: allow to specify multiple --cri options [#1893] - @FedeDP
- refactor(userspace/falco): replace direct getopt_long() cmdline option parsing with third-party cxxopts library. [#1886] - @mstemm
- update: driver version is b7eb0dd [#1923] - @LucaGuerra
- fix(userspace/falco): correct plugins init config conversion from YAML to JSON [#1907] - @jasondellaluce
- fix(userspace/engine): for rules at the informational level being loaded at the notice level [#1885] - @mike-stewart
- chore(userspace/falco): fixes truncated -b option description. [#1915] - @andreabonanno
- update(falco): updates usage description for -o, --option [#1903] - @andreabonanno
- Fix for a TOCTOU issue that could lead to rule bypass (CVE-2022-26316). For more information, see the advisory.
- rule(Detect outbound connections to common miner pool ports): fix url in rule output [#1918] - @jsoref
- rule(macro somebody_becoming_themself): renaming macro to somebody_becoming_themselves [#1918] - @jsoref
- rule(list package_mgmt_binaries):
npm
added [#1866] - @rileydakota - rule(Launch Package Management Process in Container): support for detecting
npm
usage [#1866] - @rileydakota - rule(Polkit Local Privilege Escalation Vulnerability): new rule created to detect CVE-2021-4034 [#1877] - @darryk10
- rule(macro: modify_shell_history): avoid false-positive alerts triggered by modifications to .zsh_history.new and .zsh_history.LOCK files [#1832] - @m4wh6k
- rule(macro: truncate_shell_history): avoid false-positive alerts triggered by modifications to .zsh_history.new and .zsh_history.LOCK files [#1832] - @m4wh6k
- rule(macro sssd_writing_krb): fixed a false-positive alert that was being generated when SSSD updates /etc/krb5.keytab [#1825] - @mac-chaffee
- rule(macro write_etc_common): fixed a false-positive alert that was being generated when SSSD updates /etc/krb5.keytab [#1825] - @mac-chaffee
- upgrade macro(keepalived_writing_conf) [#1742] - @pabloopez
- rule_output(Delete Bucket Public Access Block) typo [#1888] - @pabloopez
- fix(build): fix civetweb linking in cmake module [#1919] - @LucaGuerra
- chore(userspace/engine): remove unused lua functions and state vars [#1908] - @jasondellaluce
- fix(userspace/falco): applies FALCO_INSTALL_CONF_FILE as the default … [#1900] - @andreabonanno
- fix(scripts): correct typo in
falco-driver-loader
help message [#1899] - @leogr - update(build)!: replaced various
PROBE
withDRIVER
where necessary. [#1887] - @FedeDP - Add Fairwinds to the adopters list [#1917] - @sudermanjr
- build(cmake): several cmake changes to speed up/simplify builds for external projects and copying files from source-to-build directories [#1905] - @mstemm
Released on 2022-01-31
- new: add support for plugins to extend Falco functionality to new event sources and custom fields [#1753] - @mstemm
- new: add ability to set User-Agent http header when sending http output. Provide default value of 'falcosecurity/falco'. [#1850] - @yoshi314
- new(configuration): support defining plugin init config as a YAML [#1852] - @jasondellaluce
- rules: add the official Falco ECR repository to rules [#1817] - @calvinbui
- build: update CircleCI machine image for eBPF tests to a newer version of ubuntu [#1764] - @mstemm
- update(engine): refactor Falco engine to be agnostic to specific event sources [#1715] - @mstemm
- build: upgrade civetweb to v1.15 [#1782] - @FedeDP
- update: driver version is 319368f1ad778691164d33d59945e00c5752cd27 now [#1861] - @FedeDP
- build: allow using local libs source dir by setting
FALCOSECURITY_LIBS_SOURCE_DIR
in cmake [#1791] - @jasondellaluce - build: the statically linked binary package is now published with the
-static
suffix [#1873] - @LucaGuerra - update!: removed "--alternate-lua-dir" cmdline option as lua scripts are now embedded in Falco executable. [#1872] - @FedeDP
- build: switch to dynamic build for the binary package (
.tar.gz
) [#1853] - @LucaGuerra - update: simpleconsumer filtering is now being done at kernel level [#1846] - @FedeDP
- update(scripts/falco-driver-loader): first try to load the latest kmod version, then fallback to an already installed if any [#1863] - @leogr
- refactor: clean up --list output with better formatting and no duplicate sections across event sources. [#1816] - @mstemm
- update: embed .lua files used to load/compile rules into the main falco executable, for simplicity and to avoid tampering. [#1843] - @mstemm
- update: support non-enumerable event sources in gRPC outputs service [#1840] - @jasondellaluce
- docs: add jasondellaluce to OWNERS [#1818] - @jasondellaluce
- chore: --list option can be used to selectively list fields related to new sources that are introduced by plugins [#1839] - @loresuso
- update(userspace/falco): support arbitrary-depth nested values in YAML configuration [#1792] - @jasondellaluce
- build: bump FakeIt version to 2.0.9 [#1797] - @jasondellaluce
- update: allow append of new exceptions to rules [#1780] - @sai-arigeli
- update: Linux packages are now signed with SHA256 [#1758] - @twa16
- fix(scripts/falco-driver-loader): fix for SELinux insmod denials [#1756] - @dwindsor
- fix(scripts/falco-driver-loader): correctly clean loaded drivers when using
--clean
[#1795] - @jasondellaluce - fix(userspace/falco): in case output_file cannot be opened, throw a falco exception [#1773] - @FedeDP
- fix(userspace/engine): support jsonpointer escaping in rule parser [#1777] - @jasondellaluce
- fix(scripts/falco-driver-loader): support kernel object files in
.zst
and.gz
compression formats [#1863] - @leogr - fix(engine): correctly format json output in json_event [#1847] - @jasondellaluce
- fix: set http output content type to text/plain when json output is disabled [#1829] - @FedeDP
- fix(userspace/falco): accept 'Content-Type' header that contains "application/json", but it is not strictly equal to it [#1800] - @FedeDP
- fix(userspace/engine): supporting enabled-only overwritten rules [#1775] - @jasondellaluce
- rule(Create Symlink Over Sensitive File): corrected typo in rule output [#1820] - @deepskyblue86
- rule(macro open_write): add support to openat2 [#1796] - @jasondellaluce
- rule(macro open_read): add support to openat2 [#1796] - @jasondellaluce
- rule(macro open_directory): add support to openat2 [#1796] - @jasondellaluce
- rule(Create files below dev): add support to openat2 [#1796] - @jasondellaluce
- rule(Container Drift Detected (open+create)): add support to openat2 [#1796] - @jasondellaluce
- rule(macro sensitive_mount): add containerd socket [#1815] - @loresuso
- rule(macro spawned_process): monitor also processes spawned by
execveat
[#1868] - @Andreagit97 - rule(Create Hardlink Over Sensitive Files): new rule to detect hard links created over sensitive files [#1810] - @sberkovich
- rule(Detect crypto miners using the Stratum protocol): add
stratum2+tcp
andstratum+ssl
protocols detection [#1810] - @sberkovich - rule(Sudo Potential Privilege Escalation): correct special case for the CVE-2021-3156 exploit [#1810] - @sberkovich
- rule(list falco_hostnetwork_images): moved to k8s_audit_rules.yaml to avoid a warning when using falco_rules.yaml only [#1681] - @leodido
- rule(list deb_binaries): remove
apt-config
[#1860] - @Andreagit97 - rule(Launch Remote File Copy Tools in Container): add additional binaries: curl and wget. [#1771] - @ec4n6
- rule(list known_sa_list): add coredns, coredns-autoscaler, endpointslicemirroring-controller, horizontal-pod-autoscaler, job-controller, node-controller (nodelifecycle), persistent-volume-binder, pv-protection-controller, pvc-protection-controller, root-ca-cert-publisher and service-account-controller as allowed service accounts in the kube-system namespace [#1760] - @sboschman
- fix: force-set evt.type for plugin source events [#1878] - @FedeDP
- fix: updated some warning strings; properly refresh lua files embedded in falco [#1864] - @FedeDP
- style(userspace/engine): avoid creating multiple versions of methods only to assume default ruleset. Use a default argument instead. [#1754] - @FedeDP
- add raft in the adopters list [#1776] - @teshsharma
- build: always populate partial version variables [#1778] - @dnwe
- build: updated cloudtrail plugin to latest version [#1865] - @FedeDP
- replace ".." concatenation with table.concat [#1834] - @VadimZy
- fix(userspace/engine): actually make m_filter_all_event_types useful by properly using it as fallback when no filter event types is provided [#1875] - @FedeDP
- fix(build): do not show plugin options in musl optimized builds [#1871] - @LucaGuerra
- fix(aws_cloudtrail_rules.yaml): correct required plugin versions [#1867] - @FedeDP
- docs: fix priority level "info" to "informational" [#1858] - @Andreagit97
- Field properties changes [#1838] - @mstemm
- update(build): updated libs to latest master version; updated plugins versions [#1856] - @FedeDP
- Add Giant Swarm to Adopters list [#1842] - @stone-z
- update(tests): remove
token_bucket
unit tests [#1798] - @jasondellaluce - fix(build): use consistent 7-character build abbrev sha [#1830] - @LucaGuerra
- add Phoenix to adopters list [#1806] - @kaldyka
- remove unused files in test directory [#1801] - @jasondellaluce
- drop Falco luajit module, use the one provided by libs [#1788] - @FedeDP
- chore(build): update libs version to 7906f7e [#1790] - @LucaGuerra
- Add SysFlow to list of libs adopters [#1747] - @araujof
- build: dropped centos8 circleci build because it is useless [#1882] - @FedeDP
Released on 2021-10-01
- new: add
--k8s-node
command-line options, which allows filtering by a node when requesting metadata of pods to the K8s API server [#1671] - @leogr - new(outputs): expose rule tags and event source in gRPC and json outputs [#1714] - @jasondellaluce
- new(userspace/falco): add customizable metadata fetching params [#1667] - @zuc
- update: bump driver version to 3aa7a83bf7b9e6229a3824e3fd1f4452d1e95cb4 [#1744] - @zuc
- docs: clarify that previous Falco drivers will remain available at https://download.falco.org and no automated cleanup is run anymore [#1738] - @leodido
- update(outputs): add configuration option for tags in json outputs [#1733] - @jasondellaluce
- fix(scripts): correct standard output redirection in systemd config (DEB and RPM packages) [#1697] - @chirabino
- fix(scripts): correct lookup order when trying multiple
gcc
versions in thefalco-driver-loader
script [#1716] - @Spartan-65
- rule(list miner_domains): add new miner domains [#1729] - @AlbertoPellitteri
- rule(list https_miner_domains): add new miner domains [#1729] - @AlbertoPellitteri
- add Qonto as adopter [#1717] - @Issif
- docs(proposals): proposal for a libs plugin system [#1637] - @ldegio
- build: remove unused
ncurses
dependency [#1658] - @leogr - build(.circleci): use new Debian 11 package names for python-pip [#1712] - @zuc
- build(docker): adding libssl-dev, upstream image reference pinned to
debian:buster
[#1719] - @michalschott - fix(test): avoid output_strictly_contains failures [#1724] - @jasondellaluce
- Remove duplicate allowed ecr registry rule [#1725] - @TomKeyte
- docs(RELEASE.md): switch to 3 releases per year [#1711] - @leogr
Released on 2021-06-29
- rule(list user_known_userfaultfd_processes): list to exclude processes known to use userfaultfd syscall [#1675] - @leodido
- rule(macro consider_userfaultfd_activities): macro to gate the "Unprivileged Delegation of Page Faults Handling to a Userspace Process" rule [#1675] - @leodido
- rule(Unprivileged Delegation of Page Faults Handling to a Userspace Process): new rule to detect successful unprivileged userfaultfd syscalls [#1675] - @leodido
- rule(Linux Kernel Module Injection Detected): adding container info to the output of the rule [#1675] - @leodido
Released on 2021-06-21
- rule(list miner_domains): add rx.unmineable.com for anti-miner detection [#1676] - @fntlnz
- rule(Change thread namespace and Set Setuid or Setgid bit): disable by default [#1632] - @Kaizhe
- rule(list known_sa_list): add namespace-controller, statefulset-controller, disruption-controller, job-controller, horizontal-pod-autoscaler and persistent-volume-binder as allowed service accounts in the kube-system namespace [#1659] - @sboschman
- rule(Non sudo setuid): check user id as well in case user name info is not available [#1665] - @Kaizhe
- rule(Debugfs Launched in Privileged Container): fix typo in description [#1657] - @Kaizhe
- Fix link to CONTRIBUTING.md in the Pull Request Template [#1679] - @tspearconquest
- fetch libs and drivers from the new repo [#1552] - @leogr
- build(test): upgrade urllib3 to 1.26.5 [#1666] - @leogr
- revert: add notes for 0.28.2 release [#1663] - @maxgio92
- changelog: add notes for 0.28.2 release [#1661] - @maxgio92
- docs(release.md): add blog announcement to post-release tasks [#1652] - @maxgio92
- add Yahoo!Japan as an adopter [#1651] - @ukitazume
- Add Replicated to adopters [#1649] - @diamonwiggins
- docs(proposals): fix libs contribution name [#1641] - @leodido
Released on 2021-05-07
- new:
--support
output now includes info about the Falco engine version [#1581] - @mstemm - new: Falco outputs an alert in the unlikely situation it's receiving too many consecutive timeouts without an event [#1622] - @leodido
- new: configuration field
syscall_event_timeouts.max_consecutive
to configure after how many consecutive timeouts without an event Falco must alert [#1622] - @leodido
- fix: do not stop the webserver for k8s audit logs when invalid data is coming in the event to be processed [#1617] - @fntlnz
- rule(macro: allowed_aws_ecr_registry_root_for_eks): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [#1640] - @ismailyenigul
- rule(macro: aws_eks_core_images): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [#1640] - @ismailyenigul
- rule(macro: aws_eks_image_sensitive_mount): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [#1640] - @ismailyenigul
- rule(list
falco_privileged_images
): remove deprecated Falco's OCI image repositories [#1634] - @maxgio92 - rule(list
falco_sensitive_mount_images
): remove deprecated Falco's OCI image repositories [#1634] - @maxgio92 - rule(macro
k8s_containers
): remove deprecated Falco's OCI image repositories [#1634] - @maxgio92 - rule(macro: python_running_sdchecks): macro removed [#1620] - @leogr
- rule(Change thread namespace): remove python_running_sdchecks exception [#1620] - @leogr
- urelease/docs: fix link and small refactor in the text [#1636] - @cpanato
- Add Secureworks to adopters [#1629] - @dwindsor-scwx
- regression test for malformed k8s audit input (FAL-01-003) [#1624] - @leodido
- Add mathworks to adopterlist [#1621] - @natchaphon-r
- adding known users [#1623] - @danpopSD
- docs: update link for HackMD community call notes [#1614] - @leodido
Released on 2021-04-12
- BREAKING CHANGE: Bintray is deprecated, no new packages will be published at https://dl.bintray.com/falcosecurity/ [#1577] - @leogr
- BREAKING CHANGE: SKIP_MODULE_LOAD env variable no more disables the driver loading (use SKIP_DRIVER_LOADER env variable introduced in Falco 0.24) [#1599] - @leodido
- BREAKING CHANGE: the init.d service unit is not shipped anymore in deb/rpm packages in favor of a systemd service file [#1448] - @jenting
- new: add support for exceptions as rule attributes to provide a compact way to add exceptions to Falco rules [#1427] - @mstemm
- new: falco-no-driver container images on AWS ECR gallery (https://gallery.ecr.aws/falcosecurity/falco-no-driver) [#1519] - @jonahjon
- new: falco-driver-loader container images on AWS ECR gallery (https://gallery.ecr.aws/falcosecurity/falco-driver-loader) [#1519] - @jonahjon
- new: add healthz endpoint to the webserver [#1546] - @cpanato
- new: introduce a new configuration field
syscall_event_drops.threshold
to tune the drop noisiness [#1586] - @leodido - new: falco-driver-loader script can get a custom driver name from DRIVER_NAME env variable [#1488] - @leodido
- new: falco-driver-loader know the Falco version [#1488] - @leodido
- docs(proposals): libraries and drivers donation [#1530] - @leodido
- docs(docker): update links to the new Falco website URLs [#1545] - @cpanato
- docs(test): update links to new Falco website URLs [#1563] - @shane-lawrence
- build: now Falco packages are published at https://download.falco.org [#1577] - @leogr
- update: lower the
syscall_event_drops.max_burst
default value to 1 [#1586] - @leodido - update: falco-driver-loader tries to download a Falco driver before then compiling it on the fly for the host [#1599] - @leodido
- docs(test): document the prerequisites for running the integration test suite locally [#1609] - @fntlnz
- update: Debian/RPM package migrated from init to systemd [#1448] - @jenting
- fix(userspace/engine): properly handle field extraction over lists of containers when not all containers match the specified sub-properties [#1601] - @mstemm
- fix(docker/falco): add flex and bison dependency to container image [#1562] - @schans
- fix: ignore action can not be used with log and alert ones (
syscall_event_drops
config) [#1586] - @leodido - fix(userspace/engine): allows fields starting with numbers to be parsed properly [#1598] - @mstemm
- rule(Write below monitored dir): improve rule description [#1588] - @stevenshuang
- rule(macro allowed_aws_eks_registry_root): macro to match the official eks registry [#1555] - @ismailyenigul
- rule(macro aws_eks_image): match aws image repository for eks [#1555] - @ismailyenigul
- rule(macro aws_eks_image_sensitive_mount): match aws cni images [#1555] - @ismailyenigul
- rule(macro k8s_containers): include fluent/fluentd-kubernetes-daemonset and prom/prometheus [#1555] - @ismailyenigul
- rule(Launch Privileged Container): exclude aws_eks_image [#1555] - @ismailyenigul
- rule(Launch Sensitive Mount Container): exclude aws_eks_image_sensitive_mount [#1555] - @ismailyenigul
- rule(Debugfs Launched in Privileged Container): new rule [#1583] - @Kaizhe
- rule(Mount Launched in Privileged Container): new rule [#1583] - @Kaizhe
- rule(Set Setuid or Setgid bit): add k3s-agent in the whitelist [#1583] - @Kaizhe
- rule(macro user_ssh_directory): using glob operator [#1560] - @shane-lawrence
- rule(list falco_sensitive_mount_containers): added image exceptions for IBM cloud [#1337] - @nibalizer
- rule(list rpm_binaries): add rhsmcertd [#1385] - @epcim
- rule(list deb_binaries): add apt.systemd.daily [#1385] - @epcim
- rule(Sudo Potential Privilege Escalation): new rule created to detect CVE-2021-3156 [#1543] - @darryk10
- rule(list allowed_k8s_users): add
eks:node-manager
[#1536] - @ismailyenigul - rule(list mysql_mgmt_binaries): removed [#1602] - @fntlnz
- rule(list db_mgmt_binaries): removed [#1602] - @fntlnz
- rule(macro parent_ansible_running_python): removed [#1602] - @fntlnz
- rule(macro parent_bro_running_python): removed [#1602] - @fntlnz
- rule(macro parent_python_running_denyhosts): removed [#1602] - @fntlnz
- rule(macro parent_linux_image_upgrade_script): removed [#1602] - @fntlnz
- rule(macro parent_java_running_echo): removed [#1602] - @fntlnz
- rule(macro parent_scripting_running_builds): removed [#1602] - @fntlnz
- rule(macro parent_Xvfb_running_xkbcomp): removed [#1602] - @fntlnz
- rule(macro parent_nginx_running_serf): removed [#1602] - @fntlnz
- rule(macro parent_node_running_npm): removed [#1602] - @fntlnz
- rule(macro parent_java_running_sbt): removed [#1602] - @fntlnz
- rule(list known_container_shell_spawn_cmdlines): removed [#1602] - @fntlnz
- rule(list known_shell_spawn_binaries): removed [#1602] - @fntlnz
- rule(macro run_by_puppet): removed [#1602] - @fntlnz
- rule(macro user_privileged_containers): removed [#1602] - @fntlnz
- rule(list rancher_images): removed [#1602] - @fntlnz
- rule(list images_allow_network_outside_subnet): removed [#1602] - @fntlnz
- rule(macro parent_python_running_sdchecks): removed [#1602] - @fntlnz
- rule(macro trusted_containers): removed [#1602] - @fntlnz
- rule(list authorized_server_binaries): removed [#1602] - @fntlnz
- chore(test): replace bucket url with official distribution url [#1608] - @fntlnz
- adding asapp as an adopter [#1611] - @Stuxend
- update: fixtures URLs [#1603] - @leogr
- cleanup publishing jobs [#1596] - @leogr
- fix(falco/test): bump pyyaml from 5.3.1 to 5.4 [#1595] - @leodido
- fix(.circleci): tar must be present in the image [#1594] - @leogr
- fix: publishing jobs [#1591] - @leogr
- Pocteo as an adopter [#1574] - @pocteo-labs
- build: fetch build deps from download.falco.org [#1572] - @leogr
- adding shapesecurity to adopters [#1566] - @irivera007
- Use default pip version to get avocado version [#1565] - @shane-lawrence
- Added Swissblock to list of adopters [#1551] - @bygui86
- Fix various typos in markdown files. [#1514] - @didier-durand
- docs: move governance to falcosecurity/.github [#1524] - @leogr
- ci: fix missing infra context to publish stable Falco packages [#1615] - @leodido
Released on 2021-01-18
- new: Added falco engine version to grpc version service [#1507] - @nibalizer
- BREAKING CHANGE: Users who run Falco without a config file will be unable to do that any more, Falco now expects a configuration file to be passed all the times. Developers may need to adjust their processes. [#1494] - @nibalizer
- new: asynchronous outputs implementation, outputs channels will not block event processing anymore [#1451] - @leogr
- new: slow outputs detection [#1451] - @leogr
- new:
output_timeout
config option for slow outputs detection [#1451] - @leogr
- build: bump b64 to v2.0.0.1 [#1441] - @fntlnz
- rules(macro container_started): reuse
spawned_process
macro insidecontainer_started
macro [#1449] - @leodido - docs: reach out documentation [#1472] - @fntlnz
- docs: Broken outputs.proto link [#1493] - @deepskyblue86
- docs(README.md): correct broken links [#1506] - @leogr
- docs(proposals): Exceptions handling proposal [#1376] - @mstemm
- docs: fix a broken link of README [#1516] - @oke-py
- docs: adding the kubernetes privileged use case to use cases [#1484] - @fntlnz
- rules(Mkdir binary dirs): Adds exe_running_docker_save as an exception as this rules can be triggered when a container is created. [#1386] - @jhwbarlow
- rules(Create Hidden Files): Adds exe_running_docker_save as an exception as this rules can be triggered when a container is created. [#1386] - @jhwbarlow
- docs(.circleci): welcome Jonah (Amazon) as a new Falco CI maintainer [#1518] - @leodido
- build: falcosecurity/falco:master also available on the AWS ECR Public registry [#1512] - @leodido
- build: falcosecurity/falco:latest also available on the AWS ECR Public registry [#1512] - @leodido
- update: gRPC clients can now subscribe to drop alerts via gRCP API [#1451] - @leogr
- macro(allowed_k8s_users): exclude cloud-controller-manage to avoid false positives on k3s [#1444] - @fntlnz
- fix(userspace/falco): use given priority in falco_outputs::handle_msg() [#1450] - @leogr
- fix(userspace/engine): free formatters, if any [#1447] - @leogr
- fix(scripts/falco-driver-loader): lsmod usage [#1474] - @dnwe
- fix: a bug that prevents Falco driver to be consumed by many Falco instances in some circumstances [#1485] - @leodido
- fix: set
HOST_ROOT=/host
environment variable for thefalcosecurity/falco-no-driver
container image by default [#1492] - @leogr
- rule(list user_known_change_thread_namespace_binaries): add crio and multus to the list [#1501] - @Kaizhe
- rule(Container Run as Root User): new rule created [#1500] - @Kaizhe
- rule(Linux Kernel Module injection detected): adds a new rule that detects when an LKM module is injected using
insmod
from a container (typically used by rootkits looking to obfuscate their behavior via kernel hooking). [#1478] - @d1vious - rule(macro multipath_writing_conf): create and use the macro [#1475] - @nmarier-coveo
- rule(list falco_privileged_images): add calico/node without registry prefix to prevent false positive alerts [#1457] - @czunker
- rule(Full K8s Administrative Access): use the right list of admin users (fix) [#1454] - @mstemm
- chore(cmake): remove unnecessary whitespace patch [#1522] - @leogr
- remove stale bot in favor of the new lifecycle bot [#1490] - @leodido
- chore(cmake): mark some variables as advanced [#1496] - @deepskyblue86
- chore(cmake/modules): avoid useless rebuild [#1495] - @deepskyblue86
- build: BUILD_BYPRODUCTS for civetweb [#1489] - @fntlnz
- build: remove duplicate item from FALCO_SOURCES [#1480] - @leodido
- build: make our integration tests report clear steps for CircleCI UI [#1473] - @fntlnz
- further improvements outputs impl. [#1443] - @leogr
- fix(test): make integration tests properly fail [#1439] - @leogr
- Falco outputs refactoring [#1412] - @leogr
Released on 2020-11-10
- update: DRIVERS_REPO now defaults to https://download.falco.org/driver [#1460] - @leodido
Released on 2020-10-01
- rule(Delete or rename shell history): fix warnings/FPs + container teardown [#1423] - @mstemm
- rule(Write below root): ensure proc_name_exists too [#1423] - @mstemm
Released on 2020-24-09
- new: address several sources of FPs, primarily from GKE environments. [#1372] - @mstemm
- new: driver updated to 2aa88dcf6243982697811df4c1b484bcbe9488a2 [#1410] - @leogr
- new(scripts/falco-driver-loader): detect and try to build the Falco kernel module driver using different GCC versions available in the current environment. [#1408] - @fntlnz
- new: tgz (tarball) containing the statically-linked (musl) binary of Falco is now automatically built and published on bintray [#1377] - @leogr
- update: bump Falco engine version to 7 [#1381] - @leogr
- update: the required_engine_version is now on by default [#1381] - @leogr
- update: falcosecurity/falco-no-driver image now uses the statically-linked Falco [#1377] - @leogr
- docs(proposals): artifacts storage [#1375] - @leodido
- docs(proposals): artifacts cleanup [#1375] - @leodido
- rule(macro inbound_outbound): add brackets to disambiguate operator precedence [#1373] - @ldegio
- rule(macro redis_writing_conf): add brackets to disambiguate operator precedence [#1373] - @ldegio
- rule(macro run_by_foreman): add brackets to disambiguate operator precedence [#1373] - @ldegio
- rule(macro consider_packet_socket_communication): enable "Packet socket created in container" rule by default. [#1402] - @rung
- rule(Delete or rename shell history): skip docker overlay filesystems when considering bash history [#1393] - @mstemm
- rule(Disallowed K8s User): quote colons in user names [#1393] - @mstemm
- rule(macro falco_sensitive_mount_containers): Adds a trailing slash to avoid repo naming issues [#1394] - @bgeesaman
- rule: adds user.loginuid to the default Falco rules that also contain user.name [#1369] - @csschwe
Released on 2020-08-25
- new(userspace/falco): print the Falco and driver versions at the very beginning of the output. [#1303] - @leogr
- new: libyaml is now bundled in the release process. Users can now avoid installing libyaml directly when getting Falco from the official release. [#1252] - @fntlnz
- docs(test): step-by-step instructions to run integration tests locally [#1313] - @leodido
- update: renameat2 syscall support [#1355] - @fntlnz
- update: support for 5.8.x kernels [#1355] - @fntlnz
- fix(userspace/falco): correct the fallback mechanism for loading the kernel module [#1366] - @leogr
- fix(falco-driver-loader): script crashing when using arguments [#1330] - @antoinedeschenes
- rule(macro user_trusted_containers): add
sysdig/node-image-analyzer
andsysdig/agent-slim
[#1321] - @Kaizhe - rule(macro falco_privileged_images): add
docker.io/falcosecurity/falco
[#1326] - @nvanheuverzwijn - rule(EphemeralContainers Created): add new rule to detect ephemeral container created [#1339] - @Kaizhe
- rule(macro user_read_sensitive_file_containers): replace endswiths with exact image repo name [#1349] - @Kaizhe
- rule(macro user_trusted_containers): replace endswiths with exact image repo name [#1349] - @Kaizhe
- rule(macro user_privileged_containers): replace endswiths with exact image repo name [#1349] - @Kaizhe
- rule(macro trusted_images_query_miner_domain_dns): replace endswiths with exact image repo name [#1349] - @Kaizhe
- rule(macro falco_privileged_containers): append "/" to quay.io/sysdig [#1349] - @Kaizhe
- rule(list falco_privileged_images): add images docker.io/sysdig/agent-slim and docker.io/sysdig/node-image-analyzer [#1349] - @Kaizhe
- rule(list falco_sensitive_mount_images): add image docker.io/sysdig/agent-slim [#1349] - @Kaizhe
- rule(list k8s_containers): prepend docker.io to images [#1349] - @Kaizhe
- rule(macro exe_running_docker_save): add better support for centos [#1350] - @admiral0
- rule(macro rename): add
renameat2
syscall [#1359] - @leogr - rule(Read sensitive file untrusted): add trusted images into whitelist [#1327] - @Kaizhe
- rule(Pod Created in Kube Namespace): add new list k8s_image_list as white list [#1336] - @Kaizhe
- rule(list allowed_k8s_users): add "kubernetes-admin" user [#1323] - @leogr
Released on 2020-07-16
- new: Falco now supports userspace instrumentation with the -u flag [#1195]
- BREAKING CHANGE: --stats_interval is now --stats-interval [#1308]
- new: auto threadiness for gRPC server [#1271]
- BREAKING CHANGE: server streaming gRPC outputs method is now
falco.outputs.service/get
[#1241] - new: new bi-directional async streaming gRPC outputs (
falco.outputs.service/sub
) [#1241] - new: unix socket for the gRPC server [#1217]
- update: driver version is 85c88952b018fdbce2464222c3303229f5bfcfad now [#1305]
- update:
SKIP_MODULE_LOAD
renamed toSKIP_DRIVER_LOADER
[#1297] - docs: add leogr to OWNERS [#1300]
- update: default threadiness to 0 ("auto" behavior) [#1271]
- update: k8s audit endpoint now defaults to /k8s-audit everywhere [#1292]
- update(falco.yaml):
webserver.k8s_audit_endpoint
default value changed from/k8s_audit
to/k8s-audit
[#1261] - docs(test): instructions to run regression test suites locally [#1234]
- fix: --stats-interval correctly accepts values >= 999 (ms) [#1308]
- fix: make the eBPF driver build work on CentOS 8 [#1301]
- fix(userspace/falco): correct options handling for
buffered_output: false
which was not honored for thestdout
output [#1296] - fix(userspace/falco): honor -M also when using a trace file [#1245]
- fix: high CPU usage when using server streaming gRPC outputs [#1241]
- fix: missing newline from some log messages (eg., token bucket depleted) [#1257]
- rule(Container Drift Detected (chmod)): disabled by default [#1316]
- rule(Container Drift Detected (open+create)): disabled by default [#1316]
- rule(Write below etc): allow snapd to write its unit files [#1289]
- rule(macro remote_file_copy_procs): fix reference to remote_file_copy_binaries [#1224]
- rule(list allowed_k8s_users): whitelisted kube-apiserver-healthcheck user created by kops >= 1.17.0 for the kube-apiserver-healthcheck sidecar [#1286]
- rule(Change thread namespace): Allow
protokube
,dockerd
,tini
andaws
binaries to change thread namespace. [#1222] - rule(macro exe_running_docker_save): to filter out cmdlines containing
/var/run/docker
. [#1222] - rule(macro user_known_cron_jobs): new macro to be overridden to list known cron jobs [#1294]
- rule(Schedule Cron Jobs): exclude known cron jobs [#1294]
- rule(macro user_known_update_package_registry): new macro to be overridden to list known package registry update [#1294]
- rule(Update Package Registry): exclude known package registry update [#1294]
- rule(macro user_known_read_ssh_information_activities): new macro to be overridden to list known activities that read SSH info [#1294]
- rule(Read ssh information): do not throw for activities known to read SSH info [#1294]
- rule(macro user_known_read_sensitive_files_activities): new macro to be overridden to list activities known to read sensitive files [#1294]
- rule(Read sensitive file trusted after startup): do not throw for activities known to read sensitive files [#1294]
- rule(Read sensitive file untrusted): do not throw for activities known to read sensitive files [#1294]
- rule(macro user_known_write_rpm_database_activities): new macro to be overridden to list activities known to write RPM database [#1294]
- rule(Write below rpm database): do not throw for activities known to write RPM database [#1294]
- rule(macro user_known_db_spawned_processes): new macro to be overridden to list processes known to spawn DB [#1294]
- rule(DB program spawned process): do not throw for processes known to spawn DB [#1294]
- rule(macro user_known_modify_bin_dir_activities): new macro to be overridden to list activities known to modify bin directories [#1294]
- rule(Modify binary dirs): do not throw for activities known to modify bin directories [#1294]
- rule(macro user_known_mkdir_bin_dir_activities): new macro to be overridden to list activities known to create directories below bin directories [#1294]
- rule(Mkdir binary dirs): do not throw for activities known to create directories below bin directories [#1294]
- rule(macro user_known_system_user_login): new macro to exclude known system user logins [#1294]
- rule(System user interactive): do not throw for known system user logins [#1294]
- rule(macro user_known_user_management_activities): new macro to be overridden to list activities known to do user managements activities [#1294]
- rule(User mgmt binaries): do not throw for activities known to do user managements activities [#1294]
- rule(macro user_known_create_files_below_dev_activities): new macro to be overridden to list activities known to create files below dev [#1294]
- rule(Create files below dev): do not throw for activities known to create files below dev [#1294]
- rule(macro user_known_contact_k8s_api_server_activities): new macro to be overridden to list activities known to contact Kubernetes API server [#1294]
- rule(Contact K8S API Server From Container): do not throw for activities known to contact Kubernetes API server [#1294]
- rule(macro user_known_network_tool_activities): new macro to be overridden to list activities known to spawn/use network tools [#1294]
- rule(Launch Suspicious Network Tool in Container): do not throw for activities known to spawn/use network tools [#1294]
- rule(macro user_known_remove_data_activities): new macro to be overridden to list activities known to perform data remove commands [#1294]
- rule(Remove Bulk Data from Disk): do not throw for activities known to perform data remove commands [#1294]
- rule(macro user_known_create_hidden_file_activities): new macro to be overridden to list activities known to create hidden files [#1294]
- rule(Create Hidden Files or Directories): do not throw for activities known to create hidden files [#1294]
- rule(macro user_known_stand_streams_redirect_activities): new macro to be overridden to list activities known to redirect stream to network connection (in containers) [#1294]
- rule(Redirect STDOUT/STDIN to Network Connection in Container): do not throw for activities known to redirect stream to network connection (in containers) [#1294]
- rule(macro user_known_container_drift_activities): new macro to be overridden to list activities known to create executables in containers [#1294]
- rule(Container Drift Detected (chmod)): do not throw for activities known to give execution permissions to files in containers [#1294]
- rule(Container Drift Detected (open+create)): do not throw for activities known to create executables in containers [#1294]
- rule(macro user_known_node_port_service): do not throw for services known to start with a NopePort service type (k8s) [#1294]
- rule(Create NodePort Service): do not throw for services known to start with a NopePort service type (k8s) [#1294]
- rule(macro user_known_exec_pod_activities): do not throw for activities known to attach/exec to a pod (k8s) [#1294]
- rule(Attach/Exec Pod): do not throw for activities known to attach/exec to a pod (k8s) [#1294]
- rule(macro trusted_pod): defines trusted pods by an image list [#1294]
- rule(Pod Created in Kube Namespace): do not throw for trusted pods [#1294]
- rule(macro trusted_sa): define trusted ServiceAccount [#1294]
- rule(Service Account Created in Kube Namespace): do not throw for trusted ServiceAccount [#1294]
- rule(list network_tool_binaries): add zmap to the list [#1284]
- rule(macro root_dir): correct macro to exactly match the
/root
dir and not other with just/root
as a prefix [#1279] - rule(macro user_expected_terminal_shell_in_container_conditions): allow whitelisting terminals in containers under specific conditions [#1154]
- rule(macro user_known_write_below_binary_dir_activities): allow writing to a binary dir in some conditions [#1260]
- rule(macro trusted_logging_images): Add addl fluentd image [#1230]
- rule(macro trusted_logging_images): Let azure-npm image write to /var/log [#1230]
- rule(macro lvprogs_writing_conf): Add lvs as a lvm program [#1230]
- rule(macro user_known_k8s_client_container): Allow hcp-tunnelfront to run kubectl in containers [#1230]
- rule(list allowed_k8s_users): Add vertical pod autoscaler as known k8s users [#1230]
- rule(Anonymous Request Allowed): update to checking auth decision equals to allow [#1267]
- rule(Container Drift Detected (chmod)): new rule to detect if an existing file get exec permissions in a container [#1254]
- rule(Container Drift Detected (open+create)): new rule to detect if a new file with execution permission is created in a container [#1254]
- rule(Mkdir binary dirs): correct condition in macro
bin_dir_mkdir
to catchmkdirat
syscall [#1250] - rule(Modify binary dirs): correct condition in macro
bin_dir_rename
to catchrename
,renameat
, andunlinkat
syscalls [#1250] - rule(Create files below dev): correct condition to catch
openat
syscall [#1250] - rule(macro user_known_set_setuid_or_setgid_bit_conditions): create macro [#1213]
Released on 2020-05-18
- BREAKING CHANGE: the falco-driver-loader script now references
falco-probe.o
andfalco-probe.ko
asfalco.o
andfalco.ko
[#1158] - BREAKING CHANGE: the
falco-driver-loader
script environment variable to use a custom repository to download drivers now uses theDRIVERS_REPO
environment variable instead ofDRIVER_LOOKUP_URL
. This variable must contain the parent URI containing the following directory structure/$driver_version$/falco_$target$_$kernelrelease$_$kernelversion$.[ko|o]
. e.g: [#1160] - new(scripts): options and command-line usage for
falco-driver-loader
[#1200] - new: ability to specify exact matches when adding rules to Falco engine (only API) [#1185]
- new(docker): add an image that wraps the
falco-driver-loader
with the toolchain [#1192] - new(docker): add
falcosecurity/falco-no-driver
image [#1205]
- update(scripts): improve
falco-driver-loader
output messages [#1200] - update: containers look for prebuilt drivers on the Drivers Build Grid [#1158]
- update: driver version bump to 96bd9bc560f67742738eb7255aeb4d03046b8045 [#1190]
- update(docker): now
falcosecurity/falco:slim-*
alias tofalcosecurity/falco-no-driver:*
[#1205] - docs: instructions to run unit tests [#1199]
- docs(examples): move
/examples
tocontrib
repo [#1191] - update(docker): remove
minimal
image [#1196] - update(integration): move
/integrations
tocontrib
repo [#1157] - https://dl.bintray.com/driver/$driver_version$/falco_$target$_$kernelrelease$_$kernelversion$.[ko|o]` [#1160]
- update(docker/event-generator): remove the event-generator from Falco repository [#1156]
- docs(examples): set audit level to metadata for object secrets [#1153]
- fix(scripts): upstream files (prebuilt drivers) for the generic Ubuntu kernel contains "ubuntu-generic" [#1212]
- fix: support Falco driver on Linux kernels 5.6.y [#1174]
- rule(Redirect STDOUT/STDIN to Network Connection in Container): correct rule name as per rules naming convention [#1164]
- rule(Redirect STDOUT/STDIN to Network Connection in Container): new rule to detect Redirect stdout/stdin to network connection in container [#1152]
- rule(K8s Secret Created): new rule to track the creation of Kubernetes secrets (excluding kube-system and service account secrets) [#1151]
- rule(K8s Secret Deleted): new rule to track the deletion of Kubernetes secrets (excluding kube-system and service account secrets) [#1151]
Released on 2020-04-17
- Same as v0.22.0
- Same as v0.22.0
- fix: correct driver path (/usr/src/falco-%driver_version%) for RPM package [#1148]
- Same as v0.22.0
Released on 2020-04-16
- new: falco version and driver version are distinct and not coupled anymore [#1111]
- new: flag to disable asynchronous container metadata (CRI) fetch
--disable-cri-async
[#1099]
- docs(integrations): update API resource versions to Kubernetes 1.16 [#1044]
- docs: add new release archive to the
README.md
[#1098] - update: driver version a259b4bf49c3 [#1138]
- docs(integrations/k8s-using-daemonset): --cri flag correct socket path [#1140]
- update: bump driver version to cd3d10123e [#1131]
- update(docker): remove RHEL, kernel/linuxkit, and kernel/probeloader images [#1124]
- update: falco-probe-loader script is falco-driver-loader now [#1111]
- update: using only sha256 hashes when pulling build dependencies [#1118]
- fix(integrations/k8s-using-daemonset): added missing privileges for the apps Kubernetes API group in the falco-cluster-role when using RBAC [#1136]
- fix: connect to docker works also with libcurl >= 7.69.0 [#1138]
- fix: HOST_ROOT environment variable detection [#1133]
- fix(driver/bpf): stricter conditionals while dealing with strings [#1131]
- fix:
/usr/bin/falco-${DRIVER_VERSION}
driver directory [#1111] - fix: FALCO_VERSION env variable inside Falco containers contains the Falco version now (not the docker image tag) [#1111]
- rule(macro user_expected_system_procs_network_activity_conditions): allow whitelisting system binaries using the network under specific conditions [#1070]
- rule(Full K8s Administrative Access): detect any k8s operation by an administrator with full access [#1122]
- rule(Ingress Object without TLS Certificate Created): detect any attempt to create an ingress without TLS certification (rule enabled by default) [#1122]
- rule(Untrusted Node Successfully Joined the Cluster): detect a node successfully joined the cluster outside of the list of allowed nodes [#1122]
- rule(Untrusted Node Unsuccessfully Tried to Join the Cluster): detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes [#1122]
- rule(Network Connection outside Local Subnet): detect traffic to image outside local subnet [#1122]
- rule(Outbound or Inbound Traffic not to Authorized Server Process and Port): detect traffic that is not to authorized server process and port [#1122]
- rule(Delete or rename shell history): "mitre_defense_evation" tag corrected to "mitre_defense_evasion" [#1143]
- rule(Delete Bash History): "mitre_defense_evation" tag corrected to "mitre_defense_evasion" [#1143]
- rule(Write below root): use pmatch to check against known root directories [#1137]
- rule(Detect outbound connections to common miner pool ports): whitelist sysdig/agent and falcosecurity/falco for query miner domain dns [#1115]
- rule(Service Account Created in Kube Namespace): only detect sa created in kube namespace with success [#1117]
Released on 2020-03-17
- BREAKING CHANGE: the SYSDIG_BPF_PROBE environment variable is now just FALCO_BPF_PROBE (please update your systemd scripts or kubernetes deployments. [#1050]
- new: automatically publish deb packages (from git master branch) to public dev repository [#1059]
- new: automatically publish rpm packages (from git master branch) to public dev repository [#1059]
- new: automatically release deb packages (from git tags) to public repository [#1059]
- new: automatically release rpm packages (from git tags) to public repository [#1059]
- new: automatically publish docker images from master (master, master-slim, master-minimal) [#1059]
- new: automatically publish docker images from git tag (tag, tag-slim, tag-master, latest, latest-slim, latest-minimal) [#1059]
- new: sign packages with falcosecurity gpg key [#1059]
- new: falco_version_prerelease contains the number of commits since last tag on the master [#1086]
- docs: update branding [#1074]
- new(docker/event-generator): add example k8s resource files that allow running the event generator in a k8s cluster. [#1088]
- update: creating *-dev docker images using build arguments at build time [#1059]
- update: docker images use packages from the new repositories [#1059]
- update: docker image downloads old deb dependencies (gcc-6, gcc-5, binutils-2.30) from a new open repository [#1059]
- fix(docker): updating
stable
andlocal
images to run fromdebian:stable
[#1018] - fix(event-generator): the image used by the event generator deployment to
latest
. [#1091] - fix: -t (to disable rules by certain tag) or -t (to only run rules with a certain tag) work now [#1081]
- fix: the falco driver now compiles on >= 5.4 kernels [#1080]
- fix: download falco packages which url contains character to encode - eg,
+
[#1059] - fix(docker): use base name in docker-entrypoint.sh [#981]
- rule(detect outbound connections to common miner pool ports): disabled by default [#1061]
- rule(macro net_miner_pool): add localhost and rfc1918 addresses as exception in the rule. [#1061]
- rule(change thread namespace): modify condition to detect suspicious container activity [#974]
Released on 2020-02-24
- fix: memory leak introduced in 0.18.0 happening while using json events and the kubernetes audit endpoint [#1041]
- new: grpc version api [#872]
- fix: the base64 output format (-b) now works with both json and normal output. [#1033]
- fix: version follows semver 2 bnf [#872]
- rule(write below etc): add "dsc_host" as a ms oms program [#1028]
- rule(write below etc): let mcafee write to /etc/cma.d [#1028]
- rule(write below etc): let avinetworks supervisor write some ssh cfg [#1028]
- rule(write below etc): allow writes to /etc/pki from openshift secrets dir [#1028]
- rule(write below root): let runc write to /exec.fifo [#1028]
- rule(change thread namespace): let cilium-cni change namespaces [#1028]
- rule(run shell untrusted): let puma reactor spawn shells [#1028]
Released on 2020-01-23
- new: security audit [#977]
- instead of crashing, now falco will report the error when an internal error occurs while handling an event to be inspected. the log line will be of type error and will contain the string
error handling inspector event
[#746] - build: bump grpc to 1.25.0 [#939]
- build: (most of) dependencies are bundled dynamically (by default) [#968]
- test: integration tests now can run on different distributions via docker containers, for now CentOS 7 and Ubuntu 18.04 with respective rpm and deb packages [#1012]
- proposal: rules naming convention [#980]
- update: also allow posting json arrays containing k8s audit events to the k8s_audit endpoint. [#967]
- update: add support for k8s audit events to the falco-event-generator container. [#997]
- update: falco-tester base image is fedora:31 now [#968]
- build: switch to circleci [#968]
- build: bundle openssl into falco-builder docker image [#1004]
- build: falco-builder docker image revamp (centos:7 base image) [#1004]
- update: puppet module had been renamed from "sysdig-falco" to "falco" [#922]
- update: adds a hostname field to grpc output [#927]
- build: download grpc from their github repo [#933]
- update: ef_drop_falco is now ef_drop_simple_cons [#922]
- update(docker): use host_root environment variable rather than sysdig_host_root [#922]
- update: ef_drop_falco is now ef_drop_simple_cons [#922]
- fix: providing clang into docker-builder [#972]
- fix: prevent throwing json type error c++ exceptions outside of the falco engine when processing k8s audit events. [#928]
- fix(docker/kernel/linuxkit): correct from for falco minimal image [#913]
- rules(list network_tool_binaries): add some network tools to detect suspicious network activity. [#973]
- rules(write below etc): allow automount to write to /etc/mtab [#957]
- rules(macro user_known_k8s_client_container): when executing the docker client, exclude fluentd-gcp-scaler container running in the
kube-system
namespace to avoid false positives [#962] - rules(the docker client is executed in a container): detect the execution of the docker client in a container and logs it with warning priority. [#915]
- rules(list k8s_client_binaries): create and add docker, kubectl, crictl [#915]
- rules(macro container_entrypoint): add docker-runc-cur [#914]
- rules(list user_known_chmod_applications): add hyperkube [#914]
- rules(list network_tool_binaries): add some network tools to detect suspicious network activity. [#975]
- rules(macro user_known_k8s_client_container): macro to match kube-system namespace [#955]
- rules(contact k8s api server from container): now it can automatically resolve the cluster ip address [#952]
- rules(macro k8s_api_server): new macro to match the default k8s api server [#952]
- rules(macro sensitive_vol_mount): add more sensitive host paths [#929]
- rules(macro sensitive_mount): add more sensitive paths [#929]
- rules(macro consider_metadata_access): macro to decide whether to consider metadata or not (off by default) [#943]
- rules(contact cloud metadata service from container): add rules to detect access to gce instance metadata [#943]
- rules(macro sensitive_vol_mount): align sensitive mounts macro between k8s audit rules and syscall rules [#950]
- rules(macro consider_packet_socket_communication): macro to consider or not packet socket communication (off by default) [#945]
- rules(packet socket created in container): rule to detect raw packets creation [#945]
- rules(macro exe_running_docker_save): fixed false positives in multiple rules that were caused by the use of docker in docker [#951]
- rules(modify shell configuration file): fixed a false positive by excluding "exe_running_docker_save" [#949]
- rules(update package repository): fixed a false positive by excluding "exe_running_docker_save". [#948]
- rules(the docker client is executed in a container): when executing the docker client, exclude containers running in the
kube-system
namespace to avoid false positives [#955] - rules(list user_known_chmod_applications): add kubelet [#944]
- rules(set setuid or setgid bit): fixed a false positive by excluding "exe_running_docker_save" [#946]
- rules(macro user_known_package_manager_in_container): allow users to specify conditions that match a legitimate use case for using a package management process in a container. [#941]
Released 2019-10-28
- falco grpc api server implementation, contains a subscribe method to subscribe to outputs from any grpc capable language [#822]
- add support for converting k8s pod security policies (psps) into set of falco rules that can be used to evaluate the conditions specified in the psp. [#826]
- initial redesign container images to remove build tools and leverage init containers for kernel module delivery. [#776]
- add flags to disable
syscall
event source ork8s_audit
event source [#779]
- allow for unique names for psp converted rules/macros/lists/rule names as generated by falcoctl 0.0.3 [#895]
- make it easier to run regression tests without necessarily using the falco-tester docker image. [#808]
- fix falco engine compatibility with older k8s audit rules files. [#893]
- add tests for psp conversions with names containing spaces/dashes. [#899]
- handle multi-document yaml files when reading rules files. [#760]
- improvements to how the webserver handles incoming invalid inputs [#759]
- fix: make lua state access thread-safe [#867]
- fix compilation on gcc 5.4 by working around gcc bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=56480 [#873]
- add explicit dependency between tests and catch2 header file. [#879]
- fix: stable dockerfile libgcc-6-dev dependencies [#830]
- fix: build dependencies for the local dockerfile [#782]
- fix: a crash bug that could result from reading more than ~6 rules files [#906] [#907]
- rules: add calico/node to trusted privileged container list [#902]
- rules: add macro
calico_node_write_envvars
to exception list of write below etc [#902] - rules: add exception for rule write below rpm, this is a fp caused by amazon linux 2 yum. [#755]
- rules: ignore sensitive mounts from the ecs-agent [#881]
- rules: add rules to detect crypto mining activities [#763]
- rules: add back rule delete bash history for backport compatibility [#864]
- rule: syscalls are used to detect suid and sgid [#765]
- rules: delete bash history is renamed to delete or rename shell history [#762]
- rules: add image fluent/fluentd-kubernetes-daemonset to clear log trusted images [#852]
- rules: include default users created by
kops
. [#898] - rules: delete or rename shell history: when deleting a shell history file now the syscalls are taken into account rather than just the commands deleting the files [#762]
- rules: delete or rename shell history: history deletion now supports fish and zsh in addition to bash [#762]
- rules: "create hidden files or directories" and "update package repository" now trigger also if the files are moved and not just if modified or created. [#766]
Released 2019-09-26
- Same as v0.17.0
- Same as v0.17.0
- All in v0.17.0
- Fix a build problem for pre-built kernel probes. [draios/sysdig#1471]
- Same as v0.17.0
Released 2019-07-31
- The set of supported platforms has changed. Switch to a reorganized builder image that uses Centos 7 as a base. As a result, falco is no longer supported on Centos 6. The other supported platforms should remain the same [#719]
-
When enabling rules within the falco engine, use rule substrings instead of regexes. [#743]
-
Additional improvements to the handling and display of rules validation errors [#744] [#747]
-
Fix a problem that would cause prevent container metadata lookups when falco was daemonized [#731]
-
Allow rule priorities to be expressed as lowercase and a mix of lower/uppercase [#737]
-
Fix a parentheses bug with the
shell_procs
macro [#728] -
Allow additional containers to mount sensitive host paths [#733] [#736]
-
Allow additional containers to truncate log files [#733]
-
Fix false positives with the
Write below root
rule on GKE [#739]
Released 2019-07-12
-
Clean up error reporting to provide more meaningful error messages along with context when loading rules files. When run with -V, the results of the validation ("OK" or error message) are sent to standard output. [#708]
-
Improve rule loading performance by optimizing lua parsing paths to avoid expensive pattern matches. [#694]
-
Bump falco engine version to 4 to reflect new fields
ka.useragent
, others. [#710] [#681] -
Add Catch2 as a unit testing framework. This will add additional coverage on top of the regression tests using Avocado. [#687]
-
Add SYSDIG_DIR Cmake option to specify location for sysdig source code when building falco. [#677] [#679] [#702]
-
New field
ka.useragent
reports the useragent from k8s audit events. [#709] -
Add clang formatter for C++ syntax formatting. [#701] [#689]
-
Partial changes towards lua syntax formatting. No particular formatting enforced yet, though. [#718]
-
Partial changes towards yaml syntax formatting. No particular formatting enforced yet, though. [#714]
-
Add cmake syntax formatting. [#703]
-
Token bucket unit tests and redesign. [#692]
-
Update github PR template. [#699]
-
Fix PR template for kind/rule-*. [#697]
-
Remove an unused cmake file. [#700]
-
Misc Cmake cleanups. [#673]
-
Misc k8s install docs improvements. [#671]
-
Allow k8s.gcr.io/kube-proxy image to run privileged. [#717]
-
Add runc to the list of possible container entrypoint parents. [#712]
-
Skip Source RFC 1918 addresses when considering outbound connections. [#685]
-
Add additional
user_XXX
placeholder macros to allow for easy customization of rule exceptions. [#685] -
Let weaveworks programs change namespaces. [#685]
-
Add additional openshift images. [#685]
-
Add openshift as a k8s binary. [#678]
-
Add dzdo as a binary that can change users. [#678]
-
Allow azure/calico binaries to change namespaces. [#678]
-
Add back trusted_containers list for backport compatibility [#675]
-
Add mkdirat as a syscall for mkdir operations. [#667]
-
Add container id/repository to rules that can work with containers. [#667]
Released 2019-06-12
- None.
- None.
- Fix kernel module compilation for kernels < 3.11 [#sysdig/1436]
- None.
Released 2019-06-12
- None.
- Fix compilation of eBPF programs on COS (used by GKE) [#sysdig/1431]
- Rework exceptions lists for
Create Privileged Pod
,Create Sensitive Mount Pod
,Launch Sensitive Mount Container
,Launch Privileged Container
rules to use separate specific lists rather than a single "Trusted Containers" list. [#651]
Released 2019-06-07
- Drop unnecessary events at the kernel level instead of userspace, which should improve performance [#635]
-
Add instructions for k8s audit support in >= 1.13 [#608]
-
Fix security issues reported by GitHub on Anchore integration [#592]
-
Several docs/readme improvements [#620] [#616] [#631] [#639] [#642]
-
Better tracking of rule counts per ruleset [#645]
-
Handle rule patterns that are invalid regexes [#636]
-
Fix kernel module builds on newer kernels [#646] [#sysdig/1413]
-
New rule
Launch Remote File Copy Tools in Container
could be used to identify exfiltration attacks [#600] -
New rule
Create Symlink Over Sensitive Files
can help detect attacks like [CVE-2018-15664] [#613] [#637] -
Let etcd-manager write to /etc/hosts. [#613]
-
Let additional processes spawned by google-accounts-daemon access sensitive files [#593]
-
Add Sematext Monitoring & Logging agents to trusted k8s containers [#594]
-
Add additional coverage for
Netcat Remote Code Execution in Container
rule. [#617] -
Fix
egrep
typo. [#617] -
Allow Ansible to run using Python 3 [#625]
-
Additional
Write below etc
exceptions for nginx, rancher [#637] [#648] [#652] -
Add rules for running with IBM Cloud Kubernetes Service [#634]
Released 2019-05-13
-
Actions and alerts for dropped events: Falco can now take actions, including sending alerts/logging messages, and/or even exiting Falco, when it detects dropped system call events. Fixes CVE 2019-8339. [#561] [#571]
-
Support for Containerd/CRI-O: Falco now supports containerd/cri-o containers. [#585] [#591] [#599] [#sysdig/1376] [#sysdig/1310] [#sysdig/1399]
-
Perform docker metadata fetches asynchronously: When new containers are discovered, fetch metadata about the container asynchronously, which should significantly reduce the likelihood of dropped system call events. [#sysdig/1326] [#550] [#570]
-
Better syscall event performance: improve algorithm for reading system call events from kernel module to handle busy event streams [#sysdig/1372]
-
HTTP Output: Falco can now send alerts to http endpoints directly without having to use curl. [#523]
-
Move Kubernetes Response Engine to own repo: The Kubernetes Response Engine is now in its own github repository. [#539]
-
Updated Puppet Module: An all-new puppet module compatible with puppet 4 with a smoother installation process and updated package links. [#537] [#543] [#546]
-
RHEL-based falco image: Provide dockerfiles that use RHEL 7 as the base image instead of debian:unstable. [#544]
-
ISO-8601 Timestamps: Add the ability to write timestamps in ISO-8601 w/ UTC, and use this format by default when running falco in a container [#518]
-
Docker-based builder/tester: You can now build Falco using the falco-builder docker image, and run regression tests using the falco-tester docker image. [#522] [#584]
-
Several small docs changes to improve clarity and readability [#524] [#540] [#541] [#542]
-
Add instructions on how to enable K8s Audit Logging for kops [#535]
-
Add a "stale issue" bot that marks and eventually closes old issues with no activity [#548]
-
Improvements to sample K8s daemonset/service/etc files [#562]
-
Tag rules using Mitre Attack Framework: Add tags for all relevant rules linking them to the MITRE Attack Framework. We have an associated blog post. [#575] [#578]
-
New rules for additional use cases: New rules
Schedule Cron Jobs
,Update Package Repository
,Remove Bulk Data from Disk
,Set Setuid or Setgid bit
,Detect bash history deletion
,Create Hidden Files or Directories
look for additional common follow-on activity you might see from an attacker. [#578] [#580] -
Allow docker's "exe" (usually part of docker save/load) to write to many filesystem locations [#552]
-
Let puppet write below /etc [#563
-
Add new
user_known_write_root_conditions
,user_known_non_sudo_setuid_conditions
, anduser_known_write_monitored_dir_conditions
macros to allow those rules to be easily customized in user rules files [#563] [#566] -
Better coverage and exceptions for rancher [#559]
-
Allow prometheus to write to its conf directory under etc [#564]
-
Better coverage and exceptions for openshift/related tools [#567] [#573]
-
Better coverage for cassandra/kubelet/kops to reduce FPs [#551]
-
Better coverage for docker, openscap to reduce FPs [#573]
-
Better coverage for fluentd/jboss to reduce FPs [#590]
-
Add
ash
(Alpine Linux-related shell) as a shell binary [#597]
Released 2019-02-06
-
Rules versioning support: The falco engine and executable now have an engine version that represents the fields they support. Similarly, rules files have an optional required_engine_version: NNN object that names the minimum engine version required to read that rules file. Any time the engine adds new fields, event sources, etc, the engine version will be incremented, and any time a rules file starts using new fields, event sources, etc, the required engine version will be incremented. [#492]
-
Allow SSL for K8s audit endpoint/embedded webserver [#471]
-
Add stale issues bot that automatically flags old github issues as stale after 60 days of inactivity and closes issues after 67 days of inactivity. [#500]
-
Support bundle: When run with
--support
, falco will print a json object containing necessary information like falco version, command line, operating system information, and falco rules files contents. This could be useful when reporting issues. [#517]
-
Support new third-party library dependencies from open source sysdig. [#498]
-
Add CII best practices badge. [#499]
-
Fix kernel module builds when running on centos as a container by installing gcc 5 by hand instead of directly from debian/unstable. [#501]
-
Mount
/etc
when running as a container, which allows container to build kernel module/ebpf program on COS/Minikube. [#475] -
Improved way to specify the source of generic event objects [#480]
-
Readability/clarity improvements to K8s Audit/K8s Daemonset READMEs. [#503]
-
Add additional RBAC permissions to track deployments/daemonsets/replicasets. [#514]
- Fix formatting of nodejs examples README [#502]
-
Remove FPs for
Launch Sensitive Mount Container
rule [#509] -
Update Container rules/macros to use the more reliable
container.image.{repository,tag}
that always return the repository/tag of an image instead ofcontainer.image
, which may not for some docker daemon versions. [#513]
Released 2019-01-16
-
Unbuffer outputs by default. This helps make output readable when used in environments like K8s. [#494]
-
Improved documentation for running Falco within K8s and getting K8s Audit Logging to work with Minikube and Falco as a Daemonset within K8s. [#496]
-
Fix AWS Permissions for Kubernetes Response Engine [#465]
-
Tighten compilation flags to include
-Wextra
and-Werror
[#479] -
Add
k8s.ns.name
to outputs when-pk
argument is used [#472] -
Remove kubernetes-response-engine from system:masters [#488]
-
Ensure
-pc
/-pk
only apply to syscall rules and not k8s_audit rules [#495] -
Fix a potential crash that could occur when using the falco engine and rulesets [#468]
-
Fix a regression where format output options were mistakenly removed [#485]
-
Fix FPs related to calico and writing files below etc [#481]
-
Fix FPs related to
apt-config
/apt-cache
,apk
[#490] -
New rules
Launch Package Management Process in Container
,Netcat Remote Code Execution in Container
,Launch Suspicious Network Tool in Container
look for host-level network tools likenetcat
, package management tools likeapt-get
, or network tool binaries being run in a container. [#490] -
Fix the
inbound
andoutbound
macros so they work with sendto/recvfrom/sendmsg/recvmsg. [#470] -
Fix FPs related to prometheus/openshift writing config below /etc. [#470]
Released 2018-11-09
-
Support for K8s Audit Events : Falco now supports K8s Audit Events as a second stream of events in addition to syscalls. For full details on the feature, see the wiki.
-
Transparent Config/Rule Reloading: On SIGHUP, Falco will now reload all config files/rules files and start processing new events. Allows rules changes without having to restart falco [#457] [#432]
-
The reference integration of falco into a action engine now supports aws actions like lambda, etc. [#460]
-
Add netcat to falco docker images, which allows easier integration of program outputs to external servers [#456] [#433]
-
Links cleanup related to the draios/falco -> falcosecurity/falco move [#447]
-
Properly load/unload kernel module when the falco service is started/stopped [#459] [#418]
-
Better coverage (e.g. reduced FPs) for critical stack, hids systems, ufw, cloud-init, etc. [#445]
-
New rules
Launch Package Management Process in Container
,Netcat Remote Code Execution in Container
, andLaunch Suspicious Network Tool in Container
look for running various suspicious programs in a container. [#461] -
Misc changes to address false positives in GKE, Istio, etc. [#455] [#439]
Released 2018-09-11
- Fig regression in libcurl configure script [#416]
Released 2018-09-11
-
Improved IPv6 Support to fully support use of IPv6 addresses in events, connections and filters [#sysdig/1204]
-
Ability to associate connections with dns names: new filterchecks
fd.*ip.name
allow looking up the DNS name for a connection's IP address. This can be used to identify or restrict connections by dns names e.g.evt.type=connect and fd.sip.name=github.com
. [#412] [#sysdig/1213] -
New filterchecks
user.loginuid
anduser.loginname
can be used to match the login uid, which stays consistent across sudo/su. This can be used to find the actual user running a given process [#sysdig/1189]
- Upgrade zlib to 1.2.11, openssl to 1.0.2n, and libcurl to 7.60.0 to address software vulnerabilities [#402]
- New
endswith
operator can be used for suffix matching on strings [#sysdig/1209]
- Better control of specifying location of lua source code [#406]
- None for this release.
Released 2018-07-31
Released 2018-07-24
- EBPF Support (Beta): Falco can now read events via an ebpf program loaded into the kernel instead of the
falco-probe
kernel module. Full docs here. [#365]
- Rules may now have an
skip-if-unknown-filter
property. If set to true, a rule will be skipped if its condition/output property refers to a filtercheck (e.g.fd.some-new-attribute
) that is not present in the current falco version. [#364] [#345] - Small changes to Falco
COPYING
file so github automatically recognizes license [#380] - New example integration showing how to connect Falco with Anchore to dynamically create falco rules based on negative scan results [#390]
- New example integration showing how to connect Falco, nats, and K8s to run flexible "playbooks" based on Falco events [#389]
- Ensure all rules are enabled by default [#379]
- Fix libcurl compilation problems [#374]
- Add gcc-6 to docker container, which improves compatibility when building kernel module [#382] [#371]
- Ensure the /lib/modules symlink to /host/lib/modules is set correctly [#392]
- Add additional binary writing programs [#366]
- Add additional package management programs [#388] [#366]
- Expand write_below_etc handling for additional programs [#388] [#366]
- Expand set of programs allowed to write to
/etc/pki
[#388] - Expand set of root written directories/files [#388] [#366]
- Let pam-config read sensitive files [#388]
- Add additional trusted containers: openshift, datadog, docker ucp agent, gliderlabs logspout [#388]
- Let coreos update-ssh-keys write to /home/core/.ssh [#388]
- Expand coverage for MS OMS [#388] [#387]
- Expand the set of shell spawning programs [#366]
- Add additional mysql programs/directories [#366]
- Let program
id
open network connections [#366] - Opt-in rule for protecting tomcat shell spawns [#366]
- New rule
Write below monitored directory
[#366]
Released 2018-04-24
- Rules Directory Support: Falco will read rules files from
/etc/falco/rules.d
in addition to/etc/falco/falco_rules.yaml
and/etc/falco/falco_rules.local.yaml
. Also, when the argument to-r
/falco.yamlrules_file
is a directory, falco will read rules files from that directory. [#348] [#187] - Properly support all syscalls (e.g. those without parameter extraction by the kernel module) in falco conditions, so they can be included in
evt.type=<name>
conditions. [#352] - When packaged as a container, start building kernel module with gcc 5.0 instead of gcc 4.9. [#331]
- New example puppet module for falco. [#341] [#115]
- When signaled with
USR1
, falco will close/reopen log files. Include a logrotate example that shows how to use this feature for log rotation. [#347] [#266] - To improve resource usage, further restrict the set of system calls available to falco [#351] [draios/sysdig#1105]
- Add gdb to the development Docker image (sysdig/falco:dev) to aid in debugging. [#323]
- You can now specify -V multiple times on the command line to validate multiple rules files at once. [#329]
- When run with
-v
, falco will print dangling macros/lists that are not used by any rules. [#329] - Add an example demonstrating cryptomining attack that exploits an open docker daemon using host mounts. [#336]
- New falco.yaml option
json_include_output_property
controls whether the formatted string "output" is included in the json object when json output is enabled. [#342] - Centralize testing event types for consideration by falco into a single function [draios/sysdig#1105) [#356]
- If a rule has an attribute
warn_evttypes
, falco will not complain aboutevt.type
restrictions on that rule [#355] - When run with
-i
, print all ignored events/syscalls and exit. [#359]
- Minor bug fixes to k8s daemonset configuration. [#325] [#296] [#295]
- Ensure
--validate
can be used interchangeably with-V
. [#334] [#322] - Rule conditions like
fd.net
can now be used with thein
operator e.g.evt.type=connect and fd.net in ("127.0.0.1/24")
. [draios/sysdig#1091] [#343] - Ensure that
keep_alive
can be used both with file and program output at the same time. [#335] - Make it possible to append to a skipped macro/rule without falco complaining [#346] [#305]
- Ensure rule order is preserved even when rules do not contain any
evt.type
restriction. [#354] [#355]
- Make it easier to extend the
Change thread namespace
rule via auser_known_change_thread_namespace_binaries
list. [#324] - Various FP fixes from users. [#321] [#326] [#344] [#350]
- New rule
Disallowed SSH Connection
detects attempts ssh connection attempts to hosts outside of an expected set. In order to be effective, you need to override the macroallowed_ssh_hosts
in a user rules file. [#321] - New rule
Unexpected K8s NodePort Connection
detects attempts to contact the K8s NodePort range from a program running inside a container. In order to be effective, you need to override the macronodeport_containers
in a user rules file. [#321] - Improve
Modify binary dirs
rule to work with new syscalls [#353] - New rule
Unexpected UDP Traffic
checks for udp traffic not on a list of expected ports. Somewhat FP-prone, so it must be explicitly enabled by overriding the macrodo_unexpected_udp_check
in a user rules file. [#320] [#357]
Released 2018-01-18
- Fix driver incompatibility problems with some linux kernel versions that can disable pagefault tracepoints [#sysdig/1034]
- Fix OSX Build incompatibility with latest version of libcurl [#291]
- Updated the Kubernetes example to provide an additional example: Daemon Set using RBAC and a ConfigMap for configuration. Also expanded the documentation for both the RBAC and non-RBAC examples. [#309]
- Refactor the shell-related rules to reduce false positives. These changes significantly decrease the scope of the rules so they trigger only for shells spawned below specific processes instead of anywhere. [#301] [#304]
- Lots of rule changes based on feedback from Sysdig Secure community [#293] [#298] [#300] [#307] [#315]
Released 2017-10-10
- Fix packaging to specify correct built-in config file [#288]
Released 2017-10-10
Important: the location for falco's configuration file has moved from /etc/falco.yaml
to /etc/falco/falco.yaml
. The default rules file has moved from /etc/falco_rules.yaml
to /etc/falco/falco_rules.yaml
. In addition, 0.8.0 has added a local rules file to /etc/falco/falco_rules.local.yaml
. See the documentation for more details.
- Add the ability to append one list to another list by setting an
append: true
attribute. [#264] - Add the ability to append one macro/rule to another list by setting an
append: true
attribute. [#277] - Ensure that falco rules/config files are preserved across package upgrades/removes if modified. [#278]
- Add the notion of a "local" rules file that should contain modifications to the default falco rules file. [#278]
- When using json output, separately include the individual templated fields in the json object. [#282]
- Add the ability to keep a file/program pipe handle open across rule notifications. [#283]
- New argument
-V
validates rules file and immediately exits. [#286]
- Minor updates to falco example programs [#248] [#275]
- Also validate macros at rule parse time. [#257]
- Minor README typo fixes [#276]
- Add a government CLA (contributor license agreement). [#263]
- Add ability to only run rules with a priority >= some threshold [#281]
- Add ability to make output channels unbuffered [#285]
- Fix installation of falco on OSX [#252]
- Fix a bug that caused the trailing whitespace of a quoted string to be accidentally removed [#254]
- When multiple sets of kernel headers are installed, find the one for the running kernel [#260]
- Allow pathnames in rule/macro conditions to contain '.' characters [#262]
- Fix a bug where a list named "foo" would be substituted even if it were a substring of a longer word like "my_foo" [#258]
- Remove extra trailing newlines from rule output strings [#265]
- Improve build pathnames to avoid relative paths when possible [#284]
- Significant changes to default ruleset to address FPs. These changes resulted from hundreds of hours of use in actual customer environments. [#247] [#259]
- Add official gitlab EE docker image to list of known shell spawning images. Thanks @dkerwin! [#270]
- Add keepalived to list of shell spawning binaries. Thanks @dkerwin! [#269]
Released 2017-05-30
- Update the priorities of falco rules to use a wider range of priorities rather than just ERROR/WARNING. More info on the use of priorities in the ruleset can be found here. [#244]
None.
- Fix typos in various markdown files. Thanks @sublimino! [#241]
- Add gitlab-mon as a gitlab binary, which allows it to run shells, etc. Thanks @dkerwin! [#237]
- A new rule Terminal shell in container" that looks for shells spawned in a container with an attached terminal. [#242]
- Fix some FPs related to the sysdig monitor agent. [#243]
- Fix some FPs related to stating containers combined with missed events [#243]
Released 2017-05-15
None
- Update the falco driver to work with kernel 4.11 [#829]
Released 2017-03-29
- Add the notion of tagged falco rules. Full documentation for this feature is available on the wiki. [#58] [#59] [#60] [#206]
- Falco now has its own dedicated kernel module. Previously, it would depend on sysdig being installed and would use sysdig's
sysdig-probe
kernel module. This ensures you can upgrade sysdig and falco without kernel driver compatibility problems. More details on the kernel module and its installation are on the wiki. [#215] [#223] [#224] - When providing multiple rules files by specifying `-r' multiple times, make sure that you can override rules/lists/macros. Previously, a list/macro/rule specified in an earlier file could not be overridden in a later file. [#176] [#177]
- Add example k8s yaml files that show how to run falco as a k8s DaemonSet, and how to run falco-event-generator as a deployment running on one node. [#222] [#225] [#226]
- Update third party libraries to address security vulnerabilities. [#182]
- Falco can now be built on OSX. Like sysdig, on OSX it is limited to reading existing trace files. [#210]
- Several changes to falco-event-generator to improve usability. [#205]
- Switch to a formatter cache provided by sysdig code instead of using our own. [#212]
- Add automated tests that use locally-built docker images. [#188]
- Make sure output strings are not truncated when a given %field expression has a NULL value. [#180] [#181]
- Allow ASSERTs when running travisci tests. [#199]
- Fix make dependencies for lyaml. [#204] [#130]
- (This was a change in sysdig, but affected falco). Prevent hangs when traversing malformed parent thread state. [#208]
- Add confd as a program that can write files below /etc and fleetctl as a program that can spawn shells. [#175]
- Add exechealthz, a k8s liveness checking utility, to the list of shell spawners. [#190]
- Eliminate FPs related to weekly ubuntu cron jobs. [#192]
- Allow shells spawned by ansible, and eliminate FPs when managing machines via ansible. [#193] [#196] [#202]
- Eliminate FPs related to use of other security products. Thanks to @juju4 for the useful rule updates. [#200]
- Add additional possible locations for denyhosts, add PM2 as a shell spawner. [#202]
- Add flanneld as a privileged container, improve grouping for the "x running y" macros, allow denyhosts to spawn shells. [#207]
- Handle systemd changing its name to "(systemd)", add sv (part of runit) as a program that can write below /etc, allow writing to all
/dev/tty*
files. [#209] - Add erl_child_setup as a shell spawner. Thanks to @dkerwin for the useful rule updates. [#218] [#221]
- Add support for gitlab omnibus containers/pods. Thanks to @dkerwin for the useful rule updates. [#220]
Released 2016-12-22
Starting with this release, we're adding a new section "Rule Changes" devoted to changes to the default ruleset falco_rules.yaml
.
- Cache event formatting objects so they are not re-created for every falco notification. This can result in significant speedups when the ruleset results in lots of notifications. [#158]
- Falco notifications are now throttled by a token bucket, preventing a flood of notifications when many events match a rule. Controlled by the
outputs, rate
andoutputs, max_burst
options. [#161]
- When run from a container, you can provide the environment variable
SYSDIG_SKIP_LOAD
to skip the process of building/loading the kernel module. Thanks @carlsverre for the fix. [#145] - Fully implement
USE_BUNDLED_DEPS
within CMakeFiles so you can build with external third-party libraries. [#147] - Improve error messages that result when trying to load a rule with a malformed
output:
attribute [#150] [#151] - Add the ability to write event capture statistics to a file via the
-s <statsfile>
option. [#155] - New configuration option
log_level
controls the verbosity of falco's logging. [#160]
- Improve compatibility with Sysdig Cloud Agent build [#148]
- Add DNF as non-alerting for RPM and package management. Thanks @djcross for the fix. [#153]
- Make
google_containers/kube-proxy
a trusted image, affecting the File Open by Privileged Container/Sensitive Mount by Container rules. [#159] - Add fail2ban-server as a program that can spawn shells. Thanks @jcoetzee for the fix. [#168]
- Add systemd as a program that can access sensitive files. Thanks @jcoetzee for the fix. [#169]
- Add apt/apt-get as programs that can spawn shells. Thanks @jcoetzee for the fix. [#170]
Released 2016-10-25
As falco depends heavily on sysdig, many changes here were actually made to sysdig and pulled in as a part of the build process. Issues/PRs starting with sysdig/#XXX
are sysdig changes.
-
Improved visibility into containers: ** New filter
container.privileged
to match containers running in privileged mode [sysdig/#655] [sysdig/#658] ** New rules utilizing privileged state [#121] ** New filterscontainer.mount*
to match container mount points [sysdig/#655] ** New rules utilizing container mount points [#120] ** New filtercontainer.image.id
to match container image id [sysdig/#661] -
Improved visibility into orchestration environments: ** New k8s.deployment.* and k8s.rs.* filters to support latest kubernetes features [sysdg/#dbf9b5c] ** Rule changes to avoid FPs when monitoring k8s environments [#138] ** Add new options
-pc
/-pk
/-pm
/-k
/-m
analogous to sysdig command line options. These options pull metadata information from k8s/mesos servers and adjust default falco notification outputs to contain container/orchestration information when applicable. [#131] [#134] -
Improved ability to work with file pathnames: ** Added
glob
operator for strings, works as classic shell glob path matcher [sysdig/#653] ** Addedpmatch
operator to efficiently test a subject pathname against a set of target pathnames, to see if the subject is a prefix of any target [sysdig/#660] [#125]
- Add an event generator program that simulates suspicious activity that can be detected by falco. This is also available as a docker image [sysdig/falco-event-generator]. [#113] [#132]
- Changed rule names to be human readable [#116]
- Add Copyright notice to all source files [#126]
- Changes to docker images to make it easier to massage JSON output for webhooks [#133]
- When run with
-v
, print statistics on the number of events processed and dropped [#139] - Add ability to write trace files with
-w
. This can be useful to write a trace file in parallel with live event monitoring so you can reproduce it later. [#140] - All rules can now take an optional
enabled
flag. Withenabled: false
, a rule will not be loaded or run against events. By default all rules are enabled [#119]
- Fixed rule FPs related to docker's
docker
/dockerd
split in 1.12 [#112] - Fixed rule FPs related to sysdigcloud agent software [#141]
- Minor changes to node.js example to avoid falco false positives [#111]
- Fixed regression that broke configurable outputs [#117]. This was not broken in 0.3.0, just between 0.3.0 and 0.4.0.
- Fixed a lua stack leak that could cause problems when matching millions of events against a large set of rules [#123]
- Update docker files to reflect changes to
debian:unstable
docker image [#124] - Fixed logic for detecting config files to ensure config files in
/etc/falco.yaml
are properly detected [#135] [#136] - Don't alert on falco spawning a shell for program output notifications [#137]
Released 2016-08-05
Significantly improved performance, involving changes in the falco and sysdig repositories:
- Reordering a rule condition's operators to put likely-to-fail operators at the beginning and expensive operators at the end. [#95] [#104]
- Adding the ability to perform x in (a, b, c, ...) as a single set membership test instead of individual comparisons between x=a, x=b, etc. [#624] [#98]
- Avoid unnecessary string manipulations. [#625]
- Using
startswith
as a string comparison operator when possible. [#623] - Use
is_open_read
/is_open_write
when possible instead of searching through open flags. [#610] - Group rules by event type, which allows for an initial filter using event type before going through each rule's condition. [#627] [#101]
All of these changes result in dramatically reduced CPU usage. Here are some comparisons between 0.2.0 and 0.3.0 for the following workloads:
- Phoronix's
pts/apache
andpts/dbench
tests. - Sysdig Cloud Kubernetes Demo: Starts a kubernetes environment using docker with apache and wordpress instances + synthetic workloads.
- Juttle-engine examples : Several elasticsearch, node.js, logstash, mysql, postgres, influxdb instances run under docker-compose.
Workload | 0.2.0 CPU Usage | 0.3.0 CPU Usage |
---|---|---|
pts/apache | 24% | 7% |
pts/dbench | 70% | 5% |
Kubernetes-Demo (Running) | 6% | 2% |
Kubernetes-Demo (During Teardown) | 15% | 3% |
Juttle-examples | 3% | 1% |
As a part of these changes, falco now prefers rule conditions that have at least one evt.type=
operator, at the beginning of the condition, before any negative operators (i.e. not
or !=
). If a condition does not have any evt.type=
operator, falco will log a warning like:
Rule no_evttype: warning (no-evttype):
proc.name=foo
did not contain any evt.type restriction, meaning it will run for all event types.
This has a significant performance penalty. Consider adding an evt.type restriction if possible.
If a rule has a evt.type
operator in the later portion of the condition, falco will log a warning like:
Rule evttype_not_equals: warning (trailing-evttype):
evt.type!=execve
does not have all evt.type restrictions at the beginning of the condition,
or uses a negative match (i.e. "not"/"!=") for some evt.type restriction.
This has a performance penalty, as the rule can not be limited to specific event types.
Consider moving all evt.type restrictions to the beginning of the rule and/or
replacing negative matches with positive matches if possible.
- Several sets of rule cleanups to reduce false positives. [#95]
- Add example of how falco can detect abuse of a badly designed REST API. [#97]
- Add a new output type "program" that writes a formatted event to a configurable program. Each notification results in one invocation of the program. A common use of this output type would be to send an email for every falco notification. [#105] [#99]
- Add the ability to run falco on all events, including events that are flagged with
EF_DROP_FALCO
. (These events are high-volume, low-value events that are ignored by default to improve performance). [#107] [#102]
- Add third-party jq library now that sysdig requires it. [#96]
Released 2016-06-09
For full handling of setsid system calls and session id tracking using proc.sname
, falco requires a sysdig version >= 0.10.0.
- Add TravisCI regression tests. Testing involves a variety of positive, negative, and informational trace files with both plain and json output. [#76] [#83]
- Fairly big rework of ruleset to improve coverage, reduce false positives, and handle installation environments effectively [#83] [#87]
- Not directly a code change, but mentioning it here--the Wiki has now been populated with an initial set of articles, migrating content from the README and adding detail when necessary. [#90]
- Improve JSON output to include the rule name, full output string, time, and severity [#89]
Released 2016-05-17
- Initial release. Subsequent releases will have "Major Changes", "Minor Changes", and "Bug Fixes" sections, with links to github issues/pull requests as appropriate.