Changelog

Download

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

v0.38.1

Released on 2024-06-19

Major Changes

• new(metrics): enable plugins metrics [#3228] - @mrgian

Minor Changes

• cleanup(falco): clarify that --print variants only affect syscalls [#3238] - @LucaGuerra
• update(engine): enable -p option for all sources, -pk, -pc etc only for syscall sources [#3239] - @LucaGuerra

Bug Fixes

• fix(engine): enable output substitution only for syscall rules, prevent engine from exiting with validation errors when a plugin is loaded and -pc/pk is specified [#3236] - @mrgian
• fix(metrics): allow each metric output channel to be selected independently [#3232] - @incertum
• fix(userspace/falco): fixed falco_metrics::to_text implementation when running with plugins [#3230] - @FedeDP

Statistics

Release Manager @FedeDP

Download

Download

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

v0.38.0

Released on 2024-05-30

Breaking Changes :warning:

• new(scripts,docker)!: enable automatic driver selection logic in packages and docker images. Modern eBPF is now also the default driver and the highest priority one in the new driver selection logic. [#3154] - @FedeDP
• cleanup(falco.yaml)!: remove some deprecated configs [#3087] - @Andreagit97
• cleanup(docker)!: remove unused builder dockerfile [#3088] - @Andreagit97

Major Changes

• new(webserver): a metrics endpoint has been added providing prometheus metrics. It can be optionally enabled using the new metrics.prometheus_enabled configuration option. It will only be activated if the metrics.enabled is true as well. [#3140] - @sgaist
• new(metrics): add rules_counters_enabled option [#3192] - @incertum
• new(build): provide signatures for .tar.gz packages [#3201] - @LucaGuerra
• new(engine): add print_enabled_rules_falco_logger when log_level debug [#3189] - @incertum
• new(falco): allow selecting which rules to load from the configuration file or command line [#3178] - @LucaGuerra
• new(metrics): add file sha256sum metrics for loaded config and rules files [#3187] - @incertum
• new(engine): throw an error when an invalid macro/list name is used [#3116] - @mrgian
• new(engine): raise warning instead of error on invalid macro/list name [#3167] - @mrgian
• new(userspace): support split config files [#3024] - @FedeDP
• new(engine): enforce unique exceptions names [#3134] - @mrgian
• new(engine): add warning when appending an exception with no values [#3133] - @mrgian
• feat(metrics): coherent metrics stats model including few metrics naming changes [#3129] - @incertum
• new(config): add falco_libs.thread_table_size [#3071] - @incertum
• new(proposals): introduce on host anomaly detection framework [#2655] - @incertum

Minor Changes

• update(cmake): bump falcoctl to v0.8.0. [#3219] - @FedeDP
• update(rules): update falco-rules to 3.1.0 [#3217] - @LucaGuerra
• refactor(userspace): move falco logger under falco engine [#3208] - @jasondellaluce
• chore(docs): apply features adoption and deprecation proposal to config file keys [#3206] - @FedeDP
• cleanup(metrics): add original rule name as label [#3205] - @incertum
• update(falco): deprecate options -T, -t and -D [#3193] - @LucaGuerra
• refactor: bump libs and driver, support field modifiers [#3186] - @jasondellaluce
• chore(userspace/falco): deprecated old 'rules_file' config key [#3162] - @FedeDP
• chore(falco): update falco libs and driver to master (Apr 8th 2024) [#3158] - @LucaGuerra
• update(build): update libs to 026ffe1d8f1b25c6ccdc09afa2c02afdd3e3f672 [#3151] - @LucaGuerra
• cleanup: minor adjustments to readme, add new testing section [#3072] - @incertum
• refactor(userspace/engine): reduce allocations during rules loading [#3065] - @jasondellaluce
• update(CI): publish wasm package as dev-wasm [#3017] - @Rohith-Raju

Bug Fixes

• fix(userspace/falco): fix state initialization avoid a crash during hot reload [#3190] - @FedeDP
• fix(userspace/engine): make sure exception fields are not optional in replace mode [#3108] - @jasondellaluce
• fix(docker): added zstd to driver loader images [#3203] - @FedeDP
• fix(engine): raise warning instead of error on not-unique exceptions names [#3159] - @mrgian
• fix(engine): apply output substitutions for all sources [#3135] - @mrgian
• fix(userspace/configuration): make sure that folders that would trigger permission denied are not traversed [#3127] - @sgaist
• fix(engine): logical issue in exceptions condition [#3115] - @mrgian
• fix(cmake): properly let falcoctl cmake module create /usr/share/falco/plugins/ folder. [#3105] - @FedeDP

Non user-facing changes

• update(scripts/falcoctl): bump falco-rules version to 3 [#3128] - @alacuku
• build(deps): Bump submodules/falcosecurity-rules from 59bf03b to 9e56293 [#3212] - @dependabot[bot]
• chore(gha): update cosign to v3.5.0 [#3209] - @LucaGuerra
• build(deps): Bump submodules/falcosecurity-rules from 29c41c4 to 59bf03b [#3207] - @dependabot[bot]
• update(cmake): bumped libs to 0.17.0-rc1 and falcoctl to v0.8.0-rc6. [#3204] - @FedeDP
• build(deps): Bump submodules/falcosecurity-rules from 3f668d0 to 3cac61c [#3044] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-testing from ae3950a to 7abf76f [#3094] - @dependabot[bot]
• fix(ci): enforce bundled deps OFF in build-dev CI [#3118] - @FedeDP
• build(deps): Bump submodules/falcosecurity-rules from 88a40c8 to 869c9a7 [#3156] - @dependabot[bot]
• update(cmake): bumped falcoctl to v0.8.0-rc5. [#3199] - @FedeDP
• build(deps): Bump submodules/falcosecurity-rules from 4f153f5 to 29c41c4 [#3198] - @dependabot[bot]
• update(cmake): bump falcoctl to v0.8.0-rc4 [#3191] - @FedeDP
• refactor: smart pointer usage [#3184] - @federico-sysdig
• build(deps): Bump submodules/falcosecurity-rules from ec255e6 to 4f153f5 [#3182] - @dependabot[bot]
• update(cmake): bumped libs and driver to latest master. [#3177] - @FedeDP
• chore(cmake): enable modern bpf build by default. [#3180] - @FedeDP
• cleanup(docs): fix typo in license blocks [#3175] - @LucaGuerra
• chore(docker,scripts): set old eBPF probe as lowest priority driver. [#3173] - @FedeDP
• build(deps): Bump submodules/falcosecurity-rules from 869c9a7 to ec255e6 [#3170] - @dependabot[bot]
• update(app): close inspectors at teardown time [#3169] - @LucaGuerra
• fix(docker): fixed docker entrypoints for driver loading. [#3168] - @FedeDP
• fix(docker,scripts): do not load falcoctl driver loader when installing Falco deb package in docker images [#3166] - @FedeDP
• update(ci): build both release and debug versions [#3161] - @LucaGuerra
• chore(userspace/falco): watch all configs files. [#3160] - @FedeDP
• fix(ci): update scorecard-action to v2.3.1 [#3153] - @LucaGuerra
• cleanup(falco): consolidate falco::grpc::server in one class [#3150] - @LucaGuerra
• new(build): enable ASan and UBSan builds with options and in CI [#3147] - @LucaGuerra
• fix(userspace): variable / function shadowing [#3123] - @sgaist
• build(deps): Bump submodules/falcosecurity-rules from fbf0a4e to 88a40c8 [#3145] - @dependabot[bot]
• fix(cmake): fix USE_BUNDLED_DEPS=ON and BUILD_FALCO_UNIT_TESTS=ON [#3146] - @LucaGuerra
• Add --kernelversion and --kernelrelease options to falco driver loader entrypoint [#3143] - @Sryther
• build(deps): Bump submodules/falcosecurity-rules from 44addef to fbf0a4e [#3139] - @dependabot[bot]
• chore: bump to latest libs commit [#3137] - @Andreagit97
• refactor: Use FetchContent for integrating three bundled libs [#3107] - @federico-sysdig
• build(deps): Bump submodules/falcosecurity-rules from dc7970d to 44addef [#3136] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from f88b991 to dc7970d [#3126] - @dependabot[bot]
• refactor(ci): Avoid using command make directly [#3101] - @federico-sysdig
• docs(proposal): 20231220-features-adoption-and-deprecation.md [#2986] - @leogr
• build(deps): Bump submodules/falcosecurity-rules from b499a1d to f88b991 [#3125] - @dependabot[bot]
• docs(README.md): Falco Graduates within the CNCF [#3124] - @leogr
• build(deps): Bump submodules/falcosecurity-rules from 497e011 to b499a1d [#3111] - @dependabot[bot]
• chore(ci): bumped codeql actions. [#3114] - @FedeDP
• Cleanup warnings and smart ptrs [#3112] - @federico-sysdig
• new(build): add options to use bundled dependencies [#3092] - @mrgian
• fix(ci): test-dev-packages-arm64 needs build-dev-packages-arm64. [#3110] - @FedeDP
• refactor: bump libs and driver, and adopt unique pointers wherever possible [#3109] - @jasondellaluce
• cleanup: falco_engine test fixture [#3099] - @federico-sysdig
• refactor: test AtomicSignalHandler.handle_once_wait_consistency [#3100] - @federico-sysdig
• Cleanup variable use [#3097] - @sgaist
• cleanup(submodules): dropped testing submodule. [#3098] - @FedeDP
• cleanup(ci): make use of falcosecurity/testing provided composite action [#3093] - @FedeDP
• Improve const correctness [#3083] - @sgaist
• Improve exception throwing [#3085] - @sgaist
• fix(ci): update sync in deb and rpm scripts with acl [#3062] - @LucaGuerra
• cleanup(tests): consolidate Falco engine and rule loader tests [#3066] - @LucaGuerra
• cleanup: falco_engine deps and include paths [#3090] - @federico-sysdig
• fix: Some compiler warnings [#3089] - @federico-sysdig
• build(deps): Bump submodules/falcosecurity-rules from 0f60976 to 497e011 [#3081] - @dependabot[bot]
• fix(c++): add missing explicit to single argument constructors [#3069] - @sgaist
• Improve class initialization [#3074] - @sgaist
• build(deps): Bump submodules/falcosecurity-rules from 6ed2036 to 0f60976 [#3078] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from 1053b2d to 6ed2036 [#3067] - @dependabot[bot]
• fix(c++): add missing overrides [#3064] - @sgaist
• new(build): prune deb-dev and rpm-dev directories [#3056] - @LucaGuerra
• refactor(userspace): align falco to gen-event class family deprecation [#3051] - @jasondellaluce
• build(deps): Bump submodules/falcosecurity-rules from 3cac61c to 1053b2d [#3047] - @dependabot[bot]
• fix: adopt new libsinsp logger [#3026] - @therealbobo
• refactor: cleanup libs relative include paths [#2936] - @therealbobo
• chore(ci): bumped rn2md to latest master. [#3046] - @FedeDP
• Support alternate rules loader [#3008] - @mstemm
• fix(ci): fixed release body driver version. [#3042] - @FedeDP
• build(deps): Bump submodules/falcosecurity-rules from c39d31a to 3f668d0 [#3039] - @dependabot[bot]

Statistics

Release Manager @LucaGuerra

Download

Download

Download

Download

Download

Download

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

v0.37.1

Released on 2024-02-13

Major Changes

• new(docker): added option for insecure http driver download to falco and driver-loader images [#3058] - @toamto94

Minor Changes

• update(cmake): bumped falcoctl to v0.7.2 [#3076] - @FedeDP
• update(build): link libelf dynamically [#3048] - @LucaGuerra

Bug Fixes

• fix(userspace/engine): always consider all rules (even the ones below min_prio) in m_rule_stats_manager [#3060] - @FedeDP

Non user-facing changes

• sync(docs): cherrypick CHANGELOG entry for 0.37.1 [#3080] - @FedeDP
• Added http headers option for driver download in docker images [#3075] - @toamto94
• fix(build): install libstdc++ in the Wolfi image [#3053] - @LucaGuerra

Statistics

Release Manager @FedeDP

Download

Download

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

v0.37.0

Released on 2024-01-30

Breaking Changes :warning:

• new!: dropped falco-driver-loader script in favor of new falcoctl driver command [#2905] - @FedeDP
• update!: bump libs to latest and deprecation of k8s metadata options and configs [#2914] - @jasondellaluce
• cleanup(falco)!: remove outputs.rate and outputs.max_burst from Falco config [#2841] - @Andreagit97
• cleanup(falco)!: remove --userspace support [#2839] - @Andreagit97

Major Changes

• new(engine): add selective overrides for Falco rules [#2981] - @LucaGuerra
• feat(userspace/falco): falco administrators can now configure the http output to compress the data sent as well as enable keep alive for the connection. Two new fields (compress_uploads and keep_alive) in the http_output block of the falco.yaml file can be used for that purpose. Both are disabled by default. [#2974] - @sgaist
• new(userspace): support env variable expansion in all yaml, even inside strings. [#2918] - @FedeDP
• new(scripts): add a way to enforce driver kind and falcoctl enablement when installing Falco from packages and dialog is not present. [#2773] - @vjjmiras
• new(falco): print system info when Falco starts [#2927] - @Andreagit97
• new: driver selection in falco.yaml [#2413] - @therealbobo
• new(build): enable compilation on win32 and macOS. [#2889] - @therealbobo
• feat(userspace/falco): falco administrators can now configure the address on which the webserver listen using the new listen_address field in the webserver block of the falco.yaml file. [#2890] - @sgaist

Minor Changes

• update(userspace/falco): add engine_version_semver key in /versions endpoint [#2899] - @loresuso
• update: default ruleset upgrade to version 3.0 [#3034] - @leogr
• update!(config): soft deprecation of drop stats counters in syscall_event_drops [#3015] - @incertum
• update(cmake): bumped falcoctl tool to v0.7.1. [#3030] - @FedeDP
• update(rule_loader): deprecate the append flag in Falco rules [#2992] - @Andreagit97
• cleanup!(cmake): drop bundled plugins in Falco [#2997] - @FedeDP
• update(config): clarify deprecation notices + list all env vars [#2988] - @incertum
• update: now the watch_config_files config option monitors file/directory moving and deletion, too [#2965] - @NitroCao
• update(userspace): enhancements in rule description feature [#2934] - @jasondellaluce
• update(userspace/falco): add libsinsp state metrics option [#2883] - @incertum
• update(doc): Add Thought Machine as adopters [#2919] - @RichardoC
• update(docs): add Wireshark/Logray as adopter [#2867] - @geraldcombs
• update: engine_version in semver representation [#2838] - @loresuso
• update(userspace/engine): modularize rule compiler, fix and enrich rule descriptions [#2817] - @jasondellaluce

Bug Fixes

• fix(userspace/metric): minor fixes in new libsinsp state metrics handling [#3033] - @incertum
• fix(userspace/engine): avoid storing escaped strings in engine defs [#3028] - @jasondellaluce
• fix(userspace/engine): cache latest rules compilation output [#2900] - @jasondellaluce
• fix(userspace/engine): solve description of macro-only rules [#2898] - @jasondellaluce
• fix(userspace/engine): fix memory leak [#2877] - @therealbobo

Non user-facing changes

• new(docs): add changelog for 0.37.0 [#3041] - @Andreagit97
• fix: nlohmann_json lib include path [#3032] - @federico-sysdig
• chore: bump falco rules [#3021] - @Andreagit97
• chore: bump Falco to libs 0.14.1 [#3020] - @Andreagit97
• chore(build): remove outdated development libs [#2946] - @federico-sysdig
• chore(falco): bump Falco to 000d576 libs commit [#2944] - @Andreagit97
• fix(gha): update rpmsign [#2856] - @LucaGuerra
• build(deps): Bump submodules/falcosecurity-rules from 424b258 to 1221b9e [#3000] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from 2ac430b to c39d31a [#3019] - @dependabot[bot]
• cleanup(falco.yaml): rename none in nodriver [#3012] - @Andreagit97
• update(config): graduate outputs_queue to stable [#3016] - @incertum
• update(cmake): bump falcoctl to v0.7.0. [#3009] - @FedeDP
• build(deps): Bump submodules/falcosecurity-rules from 1221b9e to 2ac430b [#3007] - @dependabot[bot]
• chore(ci): bumped rn2md to latest master. [#3006] - @FedeDP
• chore: bump Falco to latest libs [#3002] - @Andreagit97
• chore: bump driver version [#2998] - @Andreagit97
• Add addl source related methods [#2939] - @mstemm
• build(deps): Bump submodules/falcosecurity-rules from cd33bc3 to 424b258 [#2993] - @dependabot[bot]
• cleanup(engine): clarify deprecation notice for engines [#2987] - @LucaGuerra
• update(cmake): bumped falcoctl to v0.7.0-rc1. [#2983] - @FedeDP
• chore(ci): revert #2961. [#2984] - @FedeDP
• build(deps): Bump submodules/falcosecurity-testing from 930170b to 9b9630e [#2980] - @dependabot[bot]
• chore: bump Falco to latest libs [#2977] - @Andreagit97
• build(deps): Bump submodules/falcosecurity-rules from 262f569 to cd33bc3 [#2976] - @dependabot[bot]
• Allow enabling rules by ruleset id in addition to name [#2920] - @mstemm
• chore(ci): enable aarch64 falco driver loader tests. [#2961] - @FedeDP
• chore(unit_tests): added more tests for yaml env vars expansion. [#2972] - @FedeDP
• chore(falco.yaml): use HOME env var for ebpf probe path. [#2971] - @FedeDP
• chore: bump falco to latest libs [#2970] - @Andreagit97
• build(deps): Bump submodules/falcosecurity-rules from dd38952 to 262f569 [#2969] - @dependabot[bot]
• update(readme): add actuated.dev badge [#2967] - @LucaGuerra
• chore(cmake,docker): bumped falcoctl to v0.7.0-beta5. [#2968] - @FedeDP
• build(deps): Bump submodules/falcosecurity-rules from 64e2adb to dd38952 [#2959] - @dependabot[bot]
• fix(docker): small fixes in docker entrypoints for new driver loader. [#2966] - @FedeDP
• chore(build): allow usage of non-bundled nlohmann-json [#2947] - @federico-sysdig
• update(ci): enable actuated.dev [#2945] - @LucaGuerra
• cleanup: fix several warnings from a Clang build [#2948] - @federico-sysdig
• chore(docker/falco): add back some deps to falco docker image. [#2932] - @FedeDP
• build(deps): Bump submodules/falcosecurity-testing from 92c313f to 5248e6d [#2937] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from e206c1a to 8f0520f [#2904] - @dependabot[bot]
• cleanup(falco): remove decode_uri as it is no longer used [#2933] - @LucaGuerra
• update(engine): port decode_uri in falco engine [#2912] - @LucaGuerra
• chore(falco): update to libs on nov 28th [#2929] - @LucaGuerra
• cleanup(falco): remove init in the configuration constructor [#2917] - @Andreagit97
• build(deps): Bump submodules/falcosecurity-rules from 8f0520f to 64e2adb [#2908] - @dependabot[bot]
• cleanup(userspace/engine): remove legacy k8saudit implementation [#2913] - @jasondellaluce
• fix(gha): disable branch protection rule trigger for scorecard [#2911] - @LucaGuerra
• chore(gha): set cosign-installer to v3.1.2 [#2901] - @LucaGuerra
• new(docs): sync changelog for 0.36.2. [#2894] - @FedeDP
• Run OpenSSF Scorecard in pipeline [#2888] - @maxgio92
• cleanup: replace banned.h with semgrep [#2881] - @LucaGuerra
• chore(gha): upgrade GitHub actions [#2876] - @LucaGuerra
• build(deps): Bump submodules/falcosecurity-rules from a22d0d7 to e206c1a [#2865] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from d119706 to a22d0d7 [#2860] - @dependabot[bot]
• fix(gha): use fedora instead of centos 7 for package publishing [#2854] - @LucaGuerra
• chore(gha): pin versions to hashes [#2849] - @LucaGuerra
• build(deps): Bump submodules/falcosecurity-rules from c366d5b to d119706 [#2847] - @dependabot[bot]
• new(ci): properly link libs and driver releases linked to a Falco release [#2846] - @FedeDP
• build(deps): Bump submodules/falcosecurity-rules from 7a7cf24 to c366d5b [#2842] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from 77ba57a to 7a7cf24 [#2836] - @dependabot[bot]
• chore(ci): bumped rn2md to latest master. [#2844] - @FedeDP

Statistics

Release Manager @Andreagit97

Download

What's Changed

• sync: release 0.37.x by @FedeDP in https://github.com/falcosecurity/falco/pull/3035
• update(build): update libs to 0.14.2 by @LucaGuerra in https://github.com/falcosecurity/falco/pull/3036

Full Changelog: https://github.com/falcosecurity/falco/compare/0.37.0-rc2...0.37.0-rc3

Download

Download

Download

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

v0.36.2

Released on 2023-10-27

Major Changes

Minor Changes

Bug Fixes

• Bumped libs to 0.13.4

Release Manager @FedeDP

Download

Download

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

v0.36.1

Released on 2024-01-30

Major Changes

• feat(userspace): remove experimental outputs queue recovery strategies [#2863] - @incertum

Bug Fixes

• fix(userspace/falco): timer_delete() workaround due to bug in older GLIBC [#2851] - @incertum

Non user-facing changes

• new(docs): add changelog for 0.36.1 [#2872] - @Andreagit97

Statistics

Release Manager @Andreagit97

Download

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Release Candidate for Falco 0.36.1. To see what's included, check the corresponding milestone: https://github.com/falcosecurity/falco/milestone/35

Download

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

v0.36.0

Released on 2023-09-26

Breaking Changes :warning:

• The default rules file that is shipped in the Falco image and/or can be downloaded via falcoctl as falco-rules is now a stable rule file. This file contains a much smaller number of rules that are less noisy and have been vetted by the community. This serves as a much requested "starter" Falco rule set that covers many common use case. The rest of that file has been expanded and split into falco-incubating-rules and falco-sandbox-rules. For more information, see the rules repository
• The main falcosecurity/falco container image and its falco-driver-loader counterpart have been upgraded. Now they are able to compile the kernel module or classic eBPF probe for relatively newer version of the kernel (5.x and above) while we no longer ship toolchains to compile the kernel module for older versions in the default images. Downloading of prebuilt drivers and the modern eBPF will work exactly like before. The older image, meant for compatibility with older kernels (4.x and below), is currently retained as falcosecurity/falco-driver-loader-legacy.
• The Falco HTTP output no longer logs to stdout by default for performance reasons. You can set stdout logging preferences and restore the previous behavior with the configuration option http_output.echo in falco.yaml.
• The --list-syscall-events command line option has been replaced by --list-events which prints all supported system events (syscall, tracepoints, metaevents, internal plugin events) in addition to extra information about flags.
• The semantics of proc.exepath have changed. Now that field contains the executable path on disk even if the binary was launched from a symbolic link.
• The -d daemonize option has been removed.
• The stats command line option (-s, --stats-interval) has been removed in favor of metrics configs in falco.yaml
• The -p option is now changed:
  • when only -pc is set Falco will print container_id=%container.id container_image=%container.image.repository container_image_tag=%container.image.tag container_name=%container.name
  • when -pk is set it will print as above, but with k8s_ns=%k8s.ns.name k8s_pod_name=%k8s.pod.name appended

Major Changes

• new(falco-driver-loader): --source-only now prints the values as env vars [#2353] - @steakunderscore
• new(docker): allow passing options to falco-driver-loader from the driver loader cointainer [#2781] - @LucaGuerra
• new(docker): add experimental falco-distroless image based on Wolfi [#2768] - @LucaGuerra
• new: the legacy falco image is available as driver-loader-legacy [#2718] - @LucaGuerra
• new: added option to enable/disable echoing of server answer to stdout (disabled by default) when using HTTP output [#2602] - @FedeDP
• new: support systemctl reload for Falco services [#2588] - @jabdr
• new(falco/config): add new configurations for http_output that allow mTLS [#2633] - @annadorottya
• new: allow falco to match multiple rules on same event [#2705] - @loresuso

Minor Changes

• update(cmake): bumped bundled falcoctl to 0.6.2 [#2829] - @FedeDP
• update(rules)!: major rule update to version 2.0.0 [#2823] - @LucaGuerra
• update(cmake): bumped plugins to latest stable versions [#2820] - @FedeDP
• update(cmake): bumped libs to 0.13.0-rc2 and driver to 6.0.1+driver [#2806] - @FedeDP
• update!: default substitution for %container.info is now equal container_id=%container.id container_name=%container.name [#2793] - @leogr
• update!: the --list-syscall-events flag is now called --list-events and lists all events [#2771] - @LucaGuerra
• update!: the Falco base image is now based on Debian 12 with gcc 11-12 [#2718] - @LucaGuerra
• update(docker): the Falco no-driver image is now based on Debian 12 [#2782] - @LucaGuerra
• feat(userspace)!: remove -d daemonize option [#2677] - @incertum
• build(deps): Bump submodules/falcosecurity-rules from 3f52480 to 0d0e333 [#2693] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from 3f52480 to b42893a [#2756] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from b42893a to 6ed73fe [#2780] - @dependabot[bot]
• update(cmake): bumped libs to 0.13.0-rc1 and driver to 6.0.0+driver. [#2783] - @FedeDP
• feat: support parsing of system environment variables in yaml [#2562] - @therealdwright
• feat(userspace)!: deprecate stats command args option in favor of metrics configs in falco.yaml [#2739] - @incertum
• update: upgrade falcoctl to version 0.6.0 [#2764] - @leogr
• cleanup: deprecate rate limiter mechanism [#2762] - @Andreagit97
• cleanup(config): add more info [#2758] - @incertum
• update(userspace/engine): improve skip-if-unknown-filter YAML field [#2749] - @jasondellaluce
• chore: improved HTTP output performance [#2602] - @FedeDP
• update!: HTTP output will no more echo to stdout by default [#2602] - @FedeDP
• chore: remove b64 from falco dependencies [#2746] - @Andreagit97
• update(cmake): support building libs and driver from forks [#2747] - @jasondellaluce
• update: -p presets have been updated to reflect the new rules style guide [#2737] - @leogr
• feat: Allow specifying explicit kernel release and version for falco-driver-loader [#2728] - @johananl
• cleanup(config): assign Stable to base_syscalls config [#2740] - @incertum
• update : support build for wasm [#2663] - @Rohith-Raju
• docs(config.yaml): fix wrong severity levels for sinsp logger [#2736] - @Andreagit97
• update(cmake): bump libs and driver to 0.12.0 [#2721] - @jasondellaluce

Bug Fixes

• fix(outputs): expose queue_capacity_outputs config for memory control [#2711] - @incertum
• fix(userspace/falco): cleanup metrics timer upon leaving. [#2759] - @FedeDP
• fix: restore Falco MINIMAL_BUILD and deprecate userspace option [#2761] - @Andreagit97
• fix(userspace/engine): support appending to unknown sources [#2753] - @jasondellaluce

Non user-facing changes

• build(deps): Bump submodules/falcosecurity-rules from 69c9be8 to 77ba57a [#2833] - @dependabot[bot]
• chore: bump submodule testing to 62edc65 [#2831] - @Andreagit97
• update(gha): add version for rn2md [#2830] - @LucaGuerra
• chore: automatically attach release author to release body. [#2828] - @FedeDP
• new(ci): autogenerate release body. [#2812] - @FedeDP
• fix(dockerfile): remove useless CMD [#2824] - @Andreagit97
• chore: bump to the latest libs [#2822] - @Andreagit97
• update: add SPDX license identifier [#2809] - @leogr
• chore: bump to latest libs [#2815] - @Andreagit97
• build(deps): Bump submodules/falcosecurity-rules from ee5fb38 to bea364e [#2814] - @dependabot[bot]
• fix(build): set the right bucket and version for driver legacy [#2800] - @LucaGuerra
• build(deps): Bump submodules/falcosecurity-rules from 43580b4 to ee5fb38 [#2810] - @dependabot[bot]
• cleanup(userspace): thrown exceptions and avoid multiple logs [#2803] - @Andreagit97
• build(deps): Bump submodules/falcosecurity-rules from c6e01fa to 43580b4 [#2801] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-testing from 76d1743 to 30c3643 [#2802] - @dependabot[bot]
• fix(userspace/falco): clearing full output queue [#2798] - @jasondellaluce
• update(docs): add driver-loader-legacy to readme and fix bad c&p [#2799] - @LucaGuerra
• build(deps): Bump submodules/falcosecurity-rules from d31dbc2 to c6e01fa [#2797] - @dependabot[bot]
• docs: add LICENSE file [#2796] - @leogr
• build(deps): Bump submodules/falcosecurity-rules from b6372d2 to d31dbc2 [#2794] - @dependabot[bot]
• fix(stats): always initialize m_output field [#2789] - @Andreagit97
• build(deps): Bump submodules/falcosecurity-rules from 6ed73fe to b6372d2 [#2786] - @dependabot[bot]
• update(cmake/modules): bump rules to falco-rules-2.0.0-rc1 [#2775] - @leogr
• update(OWNERS): add LucaGuerra to owners [#2650] - @LucaGuerra
• build(deps): Bump submodules/falcosecurity-rules from 9126bef to 0328c59 [#2709] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from 0d0e333 to 64ce419 [#2731] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from 3ceea88 to 40a9817 [#2745] - @dependabot[bot]
• docs(README.md): correct URL [#2772] - @vjjmiras
• #2393 Document why Falco is written in C++ rather than anything else [#2410] - @RichardoC
• chore: bump Falco to latest libs [#2769] - @Andreagit97
• ci: disable falco-driver-loader tests on ARM64 [#2770] - @Andreagit97
• update(userspace/falco): revised CLI help messages [#2755] - @leogr
• fix(engine): fix reorder warning for m_watch_config_files / m_rule_matching [#2767] - @LucaGuerra
• update: introduce new stats updated to the latest libs version [#2766] - @Andreagit97
• ci: support tests on amazon-linux [#2765] - @Andreagit97
• chore: bump Falco to latest libs master [#2754] - @Andreagit97
• build(deps): Bump submodules/falcosecurity-testing from b39c807 to 9110022 [#2760] - @dependabot[bot]
• fix: fix "ebpf_enabled" output stat [#2751] - @Andreagit97
• fix(userspace/engine): support both old and new gcc + std::move [#2748] - @jasondellaluce
• cleanup: turn some warnings into errors [#2744] - @Andreagit97
• update(ci): minimize retention days for build-only CI artifacts [#2743] - @jasondellaluce
• cleanup: remove unused --pidfile option from systemd units [#2742] - @Andreagit97
• build(deps): Bump submodules/falcosecurity-rules from bf1639a to 3ceea88 [#2741] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from 64ce419 to bf1639a [#2738] - @dependabot[bot]
• Relocate tools on Flatcar in BPF mode [#2729] - @johananl
• build: update versioning with cmake [#2727] - @leogr
• update(userspace/engine): make rule_matching strategy stateless [#2726] - @loresuso
• chore: bump Falco to latest libs version [#2722] - @Andreagit97

Statistics

Release Manager @LucaGuerra

Download

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Release Candidate for Falco 0.36.0. To see what's included, check the corresponding milestone: https://github.com/falcosecurity/falco/milestone/30

Download

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Second Release Candidate for Falco 0.36.0. To see what's included, check the corresponding milestone: https://github.com/falcosecurity/falco/milestone/30

Download

Download

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Major Changes

Minor Changes

• update(userspace): change description of snaplen option stating only performance implications [#2634] - @loresuso
• update(cmake): bump libs to 0.11.3 [#2662] - @jasondellaluce
• cleanup(config): minor config clarifications [#2651] - @incertum
• update(cmake): bump falco rules to v1.0.1 [#2648] - @jasondellaluce
• chore(userspace/falco): make source matching error more expressive [#2623] - @jasondellaluce
• update(.github): integrate Go regression tests [#2437] - @jasondellaluce

Bug Fixes

• fix(scripts): fixed falco-driver-loader to manage debian kernel rt and cloud flavors. [#2627] - @FedeDP
• fix(userspace/falco): solve live multi-source issues when loading more than two sources [#2653] - @jasondellaluce
• fix(driver-loader): fix ubuntu kernel version parsing [#2635] - @therealbobo
• fix(userspace): switch to timer_settime API for stats writer. [#2646] - @FedeDP

Non user-facing changes

• CI: bump ubuntu version for tests-driver-loader-integration job [#2661] - @Andreagit97

Release Manager @jasondellaluce

Download

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Major Changes

• BREAKING CHANGE: support for metadata enrichment from Mesos has been removed. [#2465] - @leogr
• new(falco): introduce new metrics w/ Falco internal: metrics snapshot option and new metrics config [#2333] - @incertum
• new(scripts): properly manage talos prebuilt drivers [#2537] - @FedeDP
• new(release): released container images are now signed with cosign [#2546] - @LucaGuerra
• new(ci): ported master and release artifacts publishing CI to gha [#2501] - @FedeDP
• new(app_actions): introduce base_syscalls user option [#2428] - @incertum
• new(falco/config): add new configurations for http_output that allow custom CA certificates and stores. [#2458] - @alacuku
• new(cmake): bumped libs to c8b0d6a8fdc1bb3ea9067bc2fdc3ae5858cff48f [#2456] - @FedeDP
• new(userspace): add a new syscall_drop_failed config option to drop failed syscalls exit events [#2456] - @FedeDP

Minor Changes

• update(cmake): bump Falco rules to 1.0.0 [#2618] - @loresuso
• update(cmake): bump libs to 0.11.1 [#2614] - @loresuso
• update(cmake): bump plugins to latest versions [#2610] - @loresuso
• update(cmake): bump falco rules to 1.0.0-rc1 [#2609] - @loresuso
• update(cmake): bump libs to 0.11.0 [#2608] - @loresuso
• cleanup(docs): update release.md [#2599] - @incertum
• update(cmake): bump libs to 0.11.0-rc5 and driver to 5.0.1. [#2600] - @FedeDP
• cleanup(docs): adjust falco readme style and content [#2594] - @incertum
• cleanup(userspace, config): improve metrics UX, add include_empty_values option [#2593] - @incertum
• feat: add the curl and jq packages to the falco-no-driver docker image [#2581] - @therealdwright
• update: add missing exception, required_engine_version, required_plugin_version to -L json output [#2584] - @loresuso
• feat: add image source OCI label to docker images [#2592] - @therealdwright
• cleanup(config): improve falco config [#2571] - @incertum
• update(cmake): bump libs and plugins to latest dev versions [#2586] - @jasondellaluce
• chore(userspace/falco): always print invalid syscalls from custom set [#2578] - @jasondellaluce
• update(build): upgrade falcoctl to 0.5.0 [#2572] - @LucaGuerra
• chore(userspace/falco/app): print all supported plugin caps [#2564] - @jasondellaluce
• update: get rules details with -l or -L flags when json output format is specified [#2544] - @loresuso
• update!: bump libs version, and support latest plugin features, add --nodriver option [#2552] - @jasondellaluce
• cleanup(actions): now modern bpf support -A flag [#2551] - @Andreagit97
• update: falco-driver-loader now uses now uses $TMPDIR if set [#2518] - @jabdr
• update: improve control and UX of ignored events [#2509] - @jasondellaluce
• update: bump libs and adapt Falco to new libsinsp event source management [#2507] - @jasondellaluce
• new(app_actions)!: adjust base_syscalls option, add base_syscalls.repair [#2457] - @incertum
• update(scripts): support al2022 and al2023 in falco-driver-loader. [#2494] - @FedeDP
• update: sync libs with newest event name APIs [#2471] - @jasondellaluce
• update!: remove --mesos-api, -pmesos, and -pm command-line flags [#2465] - @leogr
• cleanup(unit_tests): try making test_configure_interesting_sets more robust [#2464] - @incertum

Bug Fixes

• fix: unquote quoted URL's to avoid libcurl errors [#2596] - @therealdwright
• fix(userspace/engine): store alternatives as array in -L json output [#2597] - @loresuso
• fix(userspace/engine): store required engine version as string in -L json output [#2595] - @loresuso
• fix(userspace/falco): report plugin deps rules issues in any case [#2589] - @jasondellaluce
• fix(userspace): hotreload on wrong metrics [#2582] - @therealbobo
• fix(userspace): check the supported number of online CPUs with modern bpf [#2575] - @Andreagit97
• fix(userspace/falco): don't hang on terminating error when multi sourcing [#2576] - @jasondellaluce
• fix(userspace/falco): properly format numeric values in metrics [#2569] - @jasondellaluce
• fix(scripts): properly support debian kernel releases embedded in kernel version [#2377] - @FedeDP

Non user-facing changes

• docs(README.md): add scope/status badge and simply doc structure [#2611] - @leogr
• build(deps): Bump submodules/falcosecurity-rules from 3471984 to 16fb709 [#2598] - @dependabot[bot]
• docs(proposals): Falco roadmap management [#2547] - @leogr
• build(deps): Bump submodules/falcosecurity-rules from b2290ad to 3471984 [#2577] - @dependabot[bot]
• update(build): libs 0.11.0-rc2 [#2573] - @LucaGuerra
• build(deps): Bump submodules/falcosecurity-rules from 3f52480 to b2290ad [#2570] - @dependabot[bot]
• update(ci): use repo instead of master branch for reusable workflows [#2568] - @LucaGuerra
• cleanup(ci): cleaned up circleci workflow. [#2566] - @FedeDP
• build(deps): Bump requests from 2.26.0 to 2.31.0 in /test [#2567] - @dependabot[bot]
• fix(ci): simplify and fix multi-arch image publishing process [#2542] - @LucaGuerra
• fix(ci): get the manifest for the correct tag [#2563] - @LucaGuerra
• build(deps): Bump submodules/falcosecurity-rules from 3f52480 to 6da15ae [#2559] - @dependabot[bot]
• fix(ci): properly use docker save to store images. [#2560] - @FedeDP
• fix(ci): docker arg is named TARGETARCH. [#2558] - @FedeDP
• fix(ci): set docker TARGET_ARCH [#2557] - @FedeDP
• fix(ci): use normal docker to build docker images, instead of buildx. [#2556] - @FedeDP
• docs: improve documentation and description of base_syscalls option [#2515] - @Happy-Dude
• Updating Falco branding guidelines [#2493] - @aijamalnk
• build(deps): Bump submodules/falcosecurity-rules from f773578 to 6da15ae [#2553] - @dependabot[bot]
• fix(cmake): properly exclude prereleases when fetching latest tag from cmake [#2550] - @FedeDP
• fix(ci): load falco image before building falco-driver-loader [#2549] - @LucaGuerra
• fix(ci): correctly tag slim manifest [#2545] - @LucaGuerra
• cleanup(config): modern bpf is no more experimental [#2538] - @Andreagit97
• new(ci): add RC/prerelease support [#2533] - @LucaGuerra
• fix(ci): configure ECR public region [#2531] - @LucaGuerra
• fix(ci): falco images directory, ecr login [#2528] - @LucaGuerra
• fix(ci): separate rpm/bin/bin-static/deb packages before publication, rename bin-static [#2527] - @LucaGuerra
• fix(ci): add Cloudfront Distribution ID [#2525] - @LucaGuerra
• fix(ci): escape heredoc [#2521] - @LucaGuerra
• chore(ci): build-musl-package does not need to wait for build-packages anymore [#2520] - @FedeDP
• fix: ci Falco version [#2516] - @FedeDP
• fix(ci): fetch version step, download rpms/debs, minor change [#2519] - @LucaGuerra
• chore(ci): properly install recent version of git (needed >= 2.18 by checkout action) [#2514] - @FedeDP
• fix(ci): enable toolset before every make command [#2513] - @LucaGuerra
• fix(ci): remove unnecessary mv [#2512] - @LucaGuerra
• fix(ci): bucket -> bucket_suffix [#2511] - @LucaGuerra
• build(deps): Bump submodules/falcosecurity-rules from 5857874 to 1bd7e4a [#2478] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from 694adf5 to 5857874 [#2473] - @dependabot[bot]
• cleanup(ci): properly set a concurrency for CI workflows. [#2470] - @FedeDP
• build(deps): Bump submodules/falcosecurity-rules from e0646a0 to 694adf5 [#2466] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from 0b0f50f to e0646a0 [#2460] - @dependabot[bot]

Release Manager @FedeDP

Download

Download

Download

Download

Download

Download