Changelog

List of changes throughout Falco versions

Version 0.36.0-rc3

Download


Version 0.36.0-rc2

Download

Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images
docker pull docker.io/falcosecurity/falco:0.36.0-rc2
docker pull public.ecr.aws/falcosecurity/falco:0.36.0-rc2
docker pull docker.io/falcosecurity/falco-driver-loader:0.36.0-rc2
docker pull docker.io/falcosecurity/falco-no-driver:0.36.0-rc2

Second Release Candidate for Falco 0.36.0. To see what's included, check the corresponding milestone: https://github.com/falcosecurity/falco/milestone/30


Version 0.36.0-rc1

Download

First Release Candidate for Falco 0.36.0. To see what's included, check the corresponding milestone: https://github.com/falcosecurity/falco/milestone/30

Version 0.35.1

Download

Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images
docker pull docker.io/falcosecurity/falco:0.35.1
docker pull public.ecr.aws/falcosecurity/falco:0.35.1
docker pull docker.io/falcosecurity/falco-driver-loader:0.35.1
docker pull docker.io/falcosecurity/falco-no-driver:0.35.1

Major Changes

Minor Changes

Bug Fixes

  • fix(scripts): fixed falco-driver-loader to manage debian kernel rt and cloud flavors. [#2627] - @FedeDP
  • fix(userspace/falco): solve live multi-source issues when loading more than two sources [#2653] - @jasondellaluce
  • fix(driver-loader): fix ubuntu kernel version parsing [#2635] - @therealbobo
  • fix(userspace): switch to timer_settime API for stats writer. [#2646] - @FedeDP

Non user-facing changes

  • CI: bump ubuntu version for tests-driver-loader-integration job [#2661] - @Andreagit97

Release Manager @jasondellaluce


Version 0.35.0

Download

Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images
docker pull docker.io/falcosecurity/falco:0.35.0
docker pull public.ecr.aws/falcosecurity/falco:0.35.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.35.0
docker pull docker.io/falcosecurity/falco-no-driver:0.35.0

Major Changes

  • BREAKING CHANGE: support for metadata enrichment from Mesos has been removed. [#2465] - @leogr
  • new(falco): introduce new metrics w/ Falco internal: metrics snapshot option and new metrics config [#2333] - @incertum
  • new(scripts): properly manage talos prebuilt drivers [#2537] - @FedeDP
  • new(release): released container images are now signed with cosign [#2546] - @LucaGuerra
  • new(ci): ported master and release artifacts publishing CI to gha [#2501] - @FedeDP
  • new(app_actions): introduce base_syscalls user option [#2428] - @incertum
  • new(falco/config): add new configurations for http_output that allow custom CA certificates and stores. [#2458] - @alacuku
  • new(cmake): bumped libs to c8b0d6a8fdc1bb3ea9067bc2fdc3ae5858cff48f [#2456] - @FedeDP
  • new(userspace): add a new syscall_drop_failed config option to drop failed syscalls exit events [#2456] - @FedeDP

Minor Changes

  • update(cmake): bump Falco rules to 1.0.0 [#2618] - @loresuso
  • update(cmake): bump libs to 0.11.1 [#2614] - @loresuso
  • update(cmake): bump plugins to latest versions [#2610] - @loresuso
  • update(cmake): bump falco rules to 1.0.0-rc1 [#2609] - @loresuso
  • update(cmake): bump libs to 0.11.0 [#2608] - @loresuso
  • cleanup(docs): update release.md [#2599] - @incertum
  • update(cmake): bump libs to 0.11.0-rc5 and driver to 5.0.1. [#2600] - @FedeDP
  • cleanup(docs): adjust falco readme style and content [#2594] - @incertum
  • cleanup(userspace, config): improve metrics UX, add include_empty_values option [#2593] - @incertum
  • feat: add the curl and jq packages to the falco-no-driver docker image [#2581] - @therealdwright
  • update: add missing exception, required_engine_version, required_plugin_version to -L json output [#2584] - @loresuso
  • feat: add image source OCI label to docker images [#2592] - @therealdwright
  • cleanup(config): improve falco config [#2571] - @incertum
  • update(cmake): bump libs and plugins to latest dev versions [#2586] - @jasondellaluce
  • chore(userspace/falco): always print invalid syscalls from custom set [#2578] - @jasondellaluce
  • update(build): upgrade falcoctl to 0.5.0 [#2572] - @LucaGuerra
  • chore(userspace/falco/app): print all supported plugin caps [#2564] - @jasondellaluce
  • update: get rules details with -l or -L flags when json output format is specified [#2544] - @loresuso
  • update!: bump libs version, and support latest plugin features, add --nodriver option [#2552] - @jasondellaluce
  • cleanup(actions): modern bpf now supports the -A flag [#2551] - @Andreagit97
  • update: falco-driver-loader now uses $TMPDIR if set [#2518] - @jabdr
  • update: improve control and UX of ignored events [#2509] - @jasondellaluce
  • update: bump libs and adapt Falco to new libsinsp event source management [#2507] - @jasondellaluce
  • new(app_actions)!: adjust base_syscalls option, add base_syscalls.repair [#2457] - @incertum
  • update(scripts): support al2022 and al2023 in falco-driver-loader. [#2494] - @FedeDP
  • update: sync libs with newest event name APIs [#2471] - @jasondellaluce
  • update!: remove --mesos-api, -pmesos, and -pm command-line flags [#2465] - @leogr
  • cleanup(unit_tests): try making test_configure_interesting_sets more robust [#2464] - @incertum

Bug Fixes

  • fix: unquote quoted URLs to avoid libcurl errors [#2596] - @therealdwright
  • fix(userspace/engine): store alternatives as array in -L json output [#2597] - @loresuso
  • fix(userspace/engine): store required engine version as string in -L json output [#2595] - @loresuso
  • fix(userspace/falco): report plugin deps rules issues in any case [#2589] - @jasondellaluce
  • fix(userspace): hotreload on wrong metrics [#2582] - @therealbobo
  • fix(userspace): check the supported number of online CPUs with modern bpf [#2575] - @Andreagit97
  • fix(userspace/falco): don't hang on terminating error when multi sourcing [#2576] - @jasondellaluce
  • fix(userspace/falco): properly format numeric values in metrics [#2569] - @jasondellaluce
  • fix(scripts): properly support debian kernel releases embedded in kernel version [#2377] - @FedeDP

Non user-facing changes

Release Manager @FedeDP


Version 0.35.0-rc2

Download

Release Candidate for Falco 0.35.0

Version 0.35.0-rc1

Download

Release Candidate for Falco 0.35.0

Version 0.35.0-alpha5

Download

This is a test for the release pipeline.

Version 0.35.0-alpha4

Download

This is a test for the release pipeline.

Version 0.35.0-alpha3

Download

This is a test for the release pipeline.

Version 0.35.0-alpha2

Download

This is a test for the release pipeline.

Version 0.35.0-alpha1

Download

This is a test for the release pipeline.

Version 0.34.1

Download

Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images
docker pull docker.io/falcosecurity/falco:0.34.1
docker pull public.ecr.aws/falcosecurity/falco:0.34.1
docker pull docker.io/falcosecurity/falco-driver-loader:0.34.1
docker pull docker.io/falcosecurity/falco-no-driver:0.34.1
docker pull docker.io/falcosecurity/falcoctl:0.4.0

Minor Changes

  • fix(userspace/engine): correctly bump FALCO_ENGINE_VERSION after introduction of new fields [#2418] - @loresuso

Statistics

Merged PRs         Number
Not user-facing    1
Release note       1
Total              2

Release Manager

@alacuku


Version 0.34.0

Download

Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images
docker pull docker.io/falcosecurity/falco:0.34.0
docker pull public.ecr.aws/falcosecurity/falco:0.34.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.34.0
docker pull docker.io/falcosecurity/falco-no-driver:0.34.0
docker pull docker.io/falcosecurity/falcoctl:0.4.0

Major Changes

  • BREAKING CHANGE: if you relied upon application_rules.yaml, you can download it from https://github.com/falcosecurity/rules/tree/main/rules and install it manually. [#2389] - @leogr
  • new(rules): New rule to detect attempts to inject code into a process using PTRACE [#2226] - @Brucedh
  • new(engine): Also include exact locations for rule condition compile errors (missing macros, etc). [#2216] - @mstemm
  • new(scripts): Support older RHEL distros in falco-driver-loader script [#2312] - @gentooise
  • new(scripts): add falcoctl config into Falco package [#2390] - @Andreagit97
  • new(userspace/falco): [EXPERIMENTAL] allow modern bpf probe to assign more than one CPU to a single ring buffer [#2363] - @Andreagit97
  • new(userspace/falco): add webserver endpoint for retrieving internal version numbers [#2356] - @jasondellaluce
  • new(falco): add --version-json to print version information in json format [#2331] - @LucaGuerra
  • new(scripts): support multiple drivers in systemd units [#2242] - @FedeDP
  • new(scripts): add bottlerocket support in falco-driver-loader [#2318] - @FedeDP
  • new(falco): add more version fields to --support and --version [#2325] - @LucaGuerra
  • new(config): explicitly add the simulate_drops config [#2260] - @Andreagit97

Minor Changes

  • build: upgrade to falcoctl v0.4.0 [#2406] - @loresuso
  • update(userspace): change modern_bpf.cpus_for_each_syscall_buffer default value [#2404] - @Andreagit97
  • update(build): update falcoctl to 0.3.0 [#2401] - @LucaGuerra
  • update(build): update falcoctl to 0.3.0-rc7 [#2396] - @LucaGuerra
  • update(cmake): bump libs to 0.10.3 [#2392] - @FedeDP
  • build: /etc/falco/rules.available has been deprecated [#2389] - @leogr
  • build: application_rules.yaml is not shipped anymore with Falco [#2389] - @leogr
  • build: upgrade k8saudit plugin to v0.5.0 [#2381] - @leogr
  • build: upgrade cloudtrail plugin to v0.6.0 [#2381] - @leogr
  • new!: ship falcoctl inside Falco [#2345] - @FedeDP
  • refactor: remove rules and add submodule to falcosecurity/rules [#2359] - @jasondellaluce
  • update(scripts): add option for regenerating signatures of all dev and release packages [#2364] - @jasondellaluce
  • update: print JSON version output when json_output is enabled [#2351] - @jasondellaluce
  • update(cmake): updated libs to 0.10.1 tag. [#2362] - @FedeDP
  • Install the certificate authority certificates in the falco:no-driver docker image [#2355] - @Issif
  • update: Mesos support is now deprecated and will be removed in the next version. [#2328] - @leogr
  • update(scripts/falco-driver-loader): optimize the resiliency of module download script for air-gapped environments [#2336] - @Dentrax
  • doc(userspace): provide users with a correct message when some syscalls are not defined [#2329] - @Andreagit97
  • update(ci): update ci jobs to generate Falco images with the modern BPF probe [#2320] - @Andreagit97
  • rules: add Falco container lists [#2290] - @oscr
  • rules(macro: private_key_or_password): now also check for OpenSSH private keys [#2284] - @oscr
  • update(cmake): bump libs and driver to latest RC. [#2302] - @FedeDP
  • Ensure that a ruleset object is copied properly in falco_engine::add_source(). [#2271] - @mstemm
  • update(userspace/falco): enable using zlib with webserver [#2125] - @jasondellaluce
  • update(falco): add container-gvisor and kubernetes-gvisor print options [#2288] - @LucaGuerra
  • cleanup: always use bundled libz and libelf in BUNDLED_DEPS mode. [#2277] - @FedeDP
  • update: updated libs and driver to version dd443b67c6b04464cb8ee2771af8ada8777e7fac [#2277] - @FedeDP
  • update(falco.yaml): open_params under plugins configuration is now trimmed from surrounding whitespace [#2267] - @yardenshoham

Bug Fixes

  • fix(engine): Avoid crash related to caching syscall source when the falco engine uses multiple sources at the same time. [#2272] - @mstemm
  • fix(scripts): use falco-driver-loader only into install scripts [#2391] - @Andreagit97
  • fix(userspace/falco): fix grpc server shutdown [#2350] - @FedeDP
  • fix(docker/falco): trust latest GPG key [#2365] - @jasondellaluce
  • fix(userspace/engine): improve rule loading validation results [#2344] - @jasondellaluce
  • fix: graceful error handling for macros/lists reference loops [#2311] - @jasondellaluce

Rule Changes

  • rules(tagging): enhanced rules tagging for inventory / threat modeling [#2167] - @incertum
  • rule(Outbound Connection to C2 Server): Update the "Outbound connection to C2 server" rule to match both FQDN and IP addresses. Prior to this change, the rule only matched IP addresses and not FQDN. [#2241] - @Nicolas-Peiffer
  • rule(Execution from /dev/shm): new rule to detect execution from /dev/shm [#2225] - @AlbertoPellitteri
  • rule(Find AWS Credentials): new rule to detect executions looking for AWS credentials [#2224] - @AlbertoPellitteri
  • rule(Linux Kernel Module Injection Detected): improve insmod detection within container using CAP_SYS_MODULE [#2305] - @loresuso
  • rule(Read sensitive file untrusted): let salt-call read sensitive files [#2291] - @vin01
  • rule(macro: rpm_procs): let salt-call write to rpm database [#2291] - @vin01

Non user-facing changes

  • fix(ci): fix rpm sign job dependencies [#2324] - @cappellinsamuele
  • chore(userspace): add njson lib as a dependency for falco_engine [#2316] - @Andreagit97
  • fix(scripts): force rpm postinstall script to always show dialog, even on upgrade [#2405] - @FedeDP
  • fix(scripts): fixed falcoctl config install dir. [#2399] - @FedeDP
  • fix(scripts): make /usr writable [#2398] - @therealbobo
  • fix(scripts): driver loader insmod [#2388] - @FedeDP
  • update(systemd): solve some issues with systemd unit [#2385] - @Andreagit97
  • build(cmake): upgrade falcoctl to v0.3.0-rc6 [#2383] - @leogr
  • docs(.github): rules are no longer in this repo [#2382] - @leogr
  • update(CI): mitigate frequent failure in CircleCI jobs [#2375] - @Andreagit97
  • fix(userspace): use the right path for the cpus_for_each_syscall_buffer config [#2378] - @Andreagit97
  • fix(scripts): fixed incorrect bash var expansion [#2367] - @therealbobo
  • update(CI): upgrade toolchain in modern falco builder dockerfile [#2337] - @Andreagit97
  • cleanup(ci): move static analysis job from circle CI to GHA [#2332] - @Andreagit97
  • update(falco): update cpp-httplib to 0.11.3 [#2327] - @LucaGuerra
  • update(script): makes user able to pass custom option to driver-loade… [#1901] - @andreabonanno
  • cleanup(ci): remove some unused jobs and remove some falco-builder reference where possible [#2322] - @Andreagit97
  • docs(proposal): new artifacts distribution proposal [#2304] - @leogr
  • fix(cmake): properly fetch dev version by appending latest Falco tag, delta between master and tag, and hash [#2292] - @FedeDP
  • chore(deps): Bump certifi from 2020.4.5.1 to 2022.12.7 in /test [#2313] - @dependabot[bot]
  • chore: remove string view lite [#2307] - @leogr
  • new(CHANGELOG): add entry for 0.33.1 (in master branch this time) [#2303] - @LucaGuerra
  • update(docs): add overview and versioning sections to falco release.md [#2205] - @incertum
  • Add Xenit AB to adopters [#2285] - @NissesSenap
  • fix(userspace/falco): verify engine fields only for syscalls [#2281] - @jasondellaluce
  • fix(output): do not print syscall_buffer_size when gvisor is enabled [#2283] - @alacuku
  • fix(engine): fix warning about redundant std::move [#2286] - @LucaGuerra
  • fix(scripts): force falco-driver-loader script to try to compile the driver anyway even on unsupported platforms [#2219] - @FedeDP
  • fix(ci): fixed version bucket for release jobs. [#2266] - @FedeDP
  • fix(cmake): fixed tag fetching fallback (that is indeed needed) [#2409] - @FedeDP

Statistics

Merged PRs         Number
Not user-facing    30
Release note       53
Total              83

Release Manager

@LucaGuerra


Version 0.33.1

Download

Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images
docker pull docker.io/falcosecurity/falco:0.33.1
docker pull public.ecr.aws/falcosecurity/falco:0.33.1
docker pull docker.io/falcosecurity/falco-driver-loader:0.33.1
docker pull docker.io/falcosecurity/falco-no-driver:0.33.1

Minor Changes

  • update(falco): fix container-gvisor and kubernetes-gvisor print options [#2288]
  • Update libs to 0.9.2, fixing potential CLBO on gVisor+Kubernetes and crash with eBPF when some CPUs are offline [#2299] - @LucaGuerra

Statistics

Merged PRs         Number
Not user-facing    1
Release note       2
Total              3

Release Manager

@LucaGuerra


Version 0.33.0

Download

Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images
docker pull docker.io/falcosecurity/falco:0.33.0
docker pull public.ecr.aws/falcosecurity/falco:0.33.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.33.0
docker pull docker.io/falcosecurity/falco-no-driver:0.33.0

Major Changes

  • new: add a drop_pct relative to the global number of events [#2130] - @Andreagit97
  • new: print some info about eBPF and enabled sources when Falco starts [#2133] - @Andreagit97
  • new(userspace): print architecture information [#2147] - @Andreagit97
  • new(CI): add CodeQL security scanning to Falco. [#2171] - @Andreagit97
  • new: configure syscall buffer dimension from Falco [#2214] - @Andreagit97
  • new(cmdline): add development support for modern BPF probe [#2221] - @Andreagit97
  • new(falco-driver-loader): DRIVERS_REPO now supports the use of multiple download URLs (comma separated) [#2165] - @IanRobertson-wpe
  • new(userspace/engine): support alternative plugin version requirements in checks [#2190] - @jasondellaluce
  • new: support running multiple event sources in parallel [#2182] - @jasondellaluce
  • new(userspace/falco): automatically create paths for grpc unix socket and gvisor endpoint. [#2189] - @FedeDP
  • new(scripts): allow falco-driver-loader to properly distinguish any ubuntu flavor [#2178] - @FedeDP
  • new: add option to enable event sources selectively [#2085] - @jasondellaluce

Minor Changes

  • docs(falco-driver-loader): add some comments in falco-driver-loader [#2153] - @Andreagit97
  • update(cmake): use latest libs tag 0.9.0 [#2257] - @Andreagit97
  • update(.circleci): re-enabled cppcheck [#2186] - @leogr
  • update(userspace/engine): improve falco files loading performance [#2151] - @VadimZy
  • update(cmake): use latest driver tag 3.0.1+driver [#2251] - @Andreagit97
  • update(userspace/falco)!: adapt stats writer for multiple parallel event sources [#2182] - @jasondellaluce
  • refactor(userspace/engine): remove falco engine APIs that returned a required_engine_version [#2096] - @mstemm
  • update(userspace/engine): add some small changes to rules matching that reduce cpu usage with high event volumes (> 1M syscalls/sec) [#2210] - @mstemm
  • rules: added process IDs to default rules [#2211] - @spyder-kyle
  • update(scripts/debian): falco.service systemd unit is now cleaned-up during (re)install and removal via the DEB and RPM packages [#2138] - @Happy-Dude
  • update(userspace/falco): move on from deprecated libs API for printing event list [#2253] - @jasondellaluce
  • chore(userspace/falco): improve cli helper and log options with debug level [#2252] - @jasondellaluce
  • update(userspace): minor pre-release improvements [#2236] - @jasondellaluce
  • update: bumped libs to fd46dd139a8e35692a7d40ab2f0ed2016df827cf. [#2201] - @FedeDP
  • update!: gVisor sock default path changed from /tmp/gvisor.sock to /run/falco/gvisor.sock [#2163] - @vjjmiras
  • update!: gRPC server sock default path changed from /run/falco.sock.sock to /run/falco/falco.sock [#2163] - @vjjmiras
  • update(scripts/falco-driver-loader): minikube environment is now correctly detected [#2191] - @alacuku
  • update(rules/falco_rules.yaml): required_engine_version changed to 13 [#2179] - @incertum
  • refactor(userspace/falco): re-design stats writer and make it thread-safe [#2109] - @jasondellaluce
  • refactor(userspace/falco): make signal handlers thread safe [#2091] - @jasondellaluce
  • refactor(userspace/engine): strengthen and document thread-safety guarantees of falco_engine::process_event [#2082] - @jasondellaluce
  • update(userspace/falco): make webserver threadiness configurable [#2090] - @jasondellaluce
  • refactor(userspace/falco): reduce app actions dependency on app state and inspector [#2097] - @jasondellaluce
  • update(userspace/falco): use move semantics in falco logger [#2095] - @jasondellaluce
  • update: use FALCO_HOSTNAME env var to override the hostname value [#2174] - @leogr
  • update: bump libs and driver versions to 6599e2efebce30a95f27739d655d53f0d5f686e4 [#2177] - @jasondellaluce
  • refactor(userspace/falco): make output rate limiter optional and output engine explicitly thread-safe [#2139] - @jasondellaluce
  • update(falco.yaml)!: notification rate limiter disabled by default. [#2139] - @jasondellaluce

Bug Fixes

Rule Changes

  • rule(macro: known_gke_mount_in_privileged_containers): add new macro [#2198] - @hi120ki
  • rule(Mount Launched in Privileged Container): add GKE default pod into allowlist in Mount Launched of Privileged Container rule [#2198] - @hi120ki
  • rule(list: known_binaries_to_read_environment_variables_from_proc_files): add new list [#2193] - @hi120ki
  • rule(Read environment variable from /proc files): add rule to detect an attempt to read process environment variables from /proc files [#2193] - @hi120ki
  • rule(macro: k8s_containers): add falco no-driver images [#2234] - @jasondellaluce
  • rule(macro: open_file_failed): add new macro [#2118] - @incertum
  • rule(macro: directory_traversal): add new macro [#2118] - @incertum
  • rule(Directory traversal monitored file read): add new rule [#2118] - @incertum
  • rule(Modify Container Entrypoint): new rule created to detect CVE-2019-5736 [#2188] - @darryk10
  • rule(Program run with disallowed http proxy env)!: disabled by default [#2179] - @incertum
  • rule(Container Drift Detected (chmod))!: disabled by default [#2179] - @incertum
  • rule(Container Drift Detected (open+create))!: disabled by default [#2179] - @incertum
  • rule(Packet socket created in container)!: removed consider_packet_socket_communication macro [#2179] - @incertum
  • rule(macro: consider_packet_socket_communication)!: remove unused macro [#2179] - @incertum
  • rule(Interpreted procs outbound network activity)!: disabled by default [#2166] - @incertum
  • rule(Interpreted procs inbound network activity)!: disabled by default [#2166] - @incertum
  • rule(Contact cloud metadata service from container)!: disabled by default [#2166] - @incertum
  • rule(macro: consider_interpreted_outbound)!: remove unused macro [#2166] - @incertum
  • rule(macro: consider_interpreted_inbound)!: remove unused macro [#2166] - @incertum
  • rule(macro: consider_metadata_access)!: remove unused macro [#2166] - @incertum
  • rule(Unexpected outbound connection destination)!: disabled by default [#2168] - @incertum
  • rule(Unexpected inbound connection source)!: disabled by default [#2168] - @incertum
  • rule(Read Shell Configuration File)!: disabled by default [#2168] - @incertum
  • rule(Schedule Cron Jobs)!: disabled by default [#2168] - @incertum
  • rule(Launch Suspicious Network Tool on Host)!: disabled by default [#2168] - @incertum
  • rule(Create Hidden Files or Directories)!: disabled by default [#2168] - @incertum
  • rule(Outbound or Inbound Traffic not to Authorized Server Process and Port)!: disabled by default [#2168] - @incertum
  • rule(Network Connection outside Local Subnet)!: disabled by default [#2168] - @incertum
  • rule(macro: consider_all_outbound_conns)!: remove unused macro [#2168] - @incertum
  • rule(macro: consider_all_inbound_conns)!: remove unused macro [#2168] - @incertum
  • rule(macro: consider_shell_config_reads)!: remove unused macro [#2168] - @incertum
  • rule(macro: consider_all_cron_jobs)!: remove unused macro [#2168] - @incertum
  • rule(macro: consider_hidden_file_creation)!: remove unused macro [#2168] - @incertum
  • rule(macro: allowed_port)!: remove unused macro [#2168] - @incertum
  • rule(macro: enabled_rule_network_only_subnet)!: remove unused macro [#2168] - @incertum
  • rule(macro: consider_userfaultfd_activities)!: remove unused macro [#2168] - @incertum
  • rule(macro: consider_all_chmods)!: remove unused macro [#2168] - @incertum
  • rule(Set Setuid or Setgid bit)!: removed consider_all_chmods macro [#2168] - @incertum
  • rule(Container Drift Detected (chmod))!: removed consider_all_chmods macro [#2168] - @incertum
  • rule(Unprivileged Delegation of Page Faults Handling to a Userspace Process)!: removed consider_userfaultfd_activities macro [#2168] - @incertum

Non user-facing changes

Statistics

Merged PRs         Number
Not user-facing    29
Release note       50
Total              79

Release Manager @jasondellaluce


Version 0.32.2

Download

Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images
docker pull docker.io/falcosecurity/falco:0.32.2
docker pull public.ecr.aws/falcosecurity/falco:0.32.2
docker pull docker.io/falcosecurity/falco-driver-loader:0.32.2
docker pull docker.io/falcosecurity/falco-no-driver:0.32.2

Bug Fixes

Statistics

Merged PRs         Number
Not user-facing    0
Release note       1
Total              1

Release Manager @Andreagit97


Version 0.32.1

Download

Packages: rpm, deb, tgz, rpm-arm64, deb-arm64, tgz-arm64
Images
docker pull docker.io/falcosecurity/falco:0.32.1
docker pull public.ecr.aws/falcosecurity/falco:0.32.1
docker pull docker.io/falcosecurity/falco-driver-loader:0.32.1
docker pull docker.io/falcosecurity/falco-no-driver:0.32.1

Major Changes

Minor Changes

  • update(build): Switch from RSA/SHA1 to RSA/SHA256 signature in the RPM package [#2044] - @vjjmiras
  • refactor(userspace/engine): drop macro source field in rules and rule loader [#2094] - @jasondellaluce
  • build: introduce DRIVER_VERSION that allows setting a driver version (which may differ from the falcosecurity/libs version) [#2086] - @leogr
  • update: add more info to --version output [#2086] - @leogr
  • build(scripts): the published deb repo now has an InRelease file [#2060] - @FedeDP
  • update(userspace/falco): make plugin init config optional and add --plugin-info CLI option [#2059] - @jasondellaluce
  • update(userspace/falco): support libs logging [#2093] - @jasondellaluce
  • update(falco): update libs to 0.7.0 [#2119] - @LucaGuerra

Bug Fixes

  • fix(userspace/falco): ensure that only rules files named with -V are loaded when validating rules files. [#2088] - @mstemm
  • fix(rules): use exit event in reverse shell detection rule [#2076] - @alacuku
  • fix(scripts): falco-driver-loader script will now look for drivers in driver/${ARCH}/ for x86_64 too. [#2057] - @FedeDP
  • fix(falco-driver-loader): building falco module with DKMS on Flatcar and supporting fetching pre-built module/eBPF probe [#2043] - @jepio

Rule Changes

  • rule(Redirect STDOUT/STDIN to Network Connection in Container): changed priority to NOTICE [#2092] - @leogr
  • rule(Java Process Class Download): detect potential log4shell exploitation [#2041] - @pirxthepilot

Non user-facing changes

  • remove kaizhe from falco rule owners [#2050] - @Kaizhe
  • docs(readme): added arm64 mention + packages + badge. [#2101] - @FedeDP
  • new(circleci): enable integration tests for arm64. [#2099] - @FedeDP
  • chore(cmake): bump plugins versions [#2102] - @Andreagit97
  • fix(docker): fixed deb tester sub image. [#2100] - @FedeDP
  • fix(ci): fix sign script - avoid interpreting '{*}$argv' too soon [#2075] - @vjjmiras
  • fix(tests): make tests run locally (take 2) [#2089] - @LucaGuerra
  • fix(ci): creates ~/sign instead of ./sign [#2072] - @vjjmiras
  • fix(ci): sign arm64 rpm packages. [#2069] - @FedeDP
  • update(falco_scripts): Change Flatcar dynlinker path [#2066] - @jepio
  • fix(scripts): fixed path in publish-deb script. [#2062] - @FedeDP
  • fix(build): docker-container buildx engine does not support retagging images. Tag all images together. [#2058] - @FedeDP
  • fix(build): fixed publish-docker-dev job context. [#2056] - @FedeDP
  • Correct linting issue in rules [#2055] - @stephanmiehe
  • Fix falco compilation issues with new libs [#2053] - @alacuku
  • fix(scripts): forcefully create packages dir for debian packages. [#2054] - @FedeDP
  • fix(build): removed leftover line in circleci config. [#2052] - @FedeDP
  • fix(build): fixed circleCI artifacts publish for arm64. [#2051] - @FedeDP
  • update(docker): updated falco-builder to fix multiarch support. [#2049] - @FedeDP
  • fix(build): use apt instead of apk when installing deps for aws ecr publish [#2047] - @FedeDP
  • fix(build): try to use root user for cimg/base [#2045] - @FedeDP
  • update(build): avoid double build of docker images when pushing to aws ecr [#2046] - @FedeDP
  • chore(k8s_audit_plugin): bump k8s audit plugin version [#2042] - @Andreagit97
  • fix(tests): make run_regression_tests.sh work locally [#2020] - @LucaGuerra
  • Circle CI build job for ARM64 [#1997] - @odidev

Statistics

Merged PRs         Number
Not user-facing    25
Release note       16
Total              41

Release Manager @LucaGuerra


Version 0.32.0

Download

Packages: rpm, deb, tgz
Images
docker pull docker.io/falcosecurity/falco:0.32.0
docker pull public.ecr.aws/falcosecurity/falco:0.32.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.32.0
docker pull docker.io/falcosecurity/falco-no-driver:0.32.0

Major Changes

  • new: added new watch_config_files config option, to trigger a Falco restart whenever a change is detected in the rules or config files [#1991] - @FedeDP
  • new(rules): add rule to detect excessively capable container [#1963] - @loresuso
  • new(rules): add rules to detect pods sharing host pid and IPC namespaces [#1951] - @loresuso
  • new(image): add Falco image based on RedHat UBI [#1943] - @araujof
  • new(falco): add --markdown and --list-syscall-events [#1939] - @LucaGuerra

Minor Changes

  • update(build): updated plugins to latest versions. [#2033] - @FedeDP
  • refactor(userspace/falco): split the currently monolithic falco_init into smaller "actions", managed by the falco application's action manager. [#1953] - @mstemm
  • rules: out of the box ruleset for OKTA Falco Plugin [#1955] - @darryk10
  • update(build): updated libs to 39ae7d40496793cf3d3e7890c9bbdc202263836b [#2031] - @FedeDP
  • update!: moving out plugins ruleset files [#1995] - @leogr
  • update: added hostname as a field in JSON output [#1989] - @Milkshak3s
  • refactor!: remove K8S audit logs from Falco [#1952] - @jasondellaluce
  • refactor(userspace/engine): use supported_operators helper from libsinsp filter parser [#1975] - @jasondellaluce
  • refactor!: deprecate PSP regression tests and warn for unsafe usage of in k8s audit filters [#1976] - @jasondellaluce
  • build(cmake): upgrade catch2 to 2.13.9 [#1977] - @leogr
  • refactor(userspace/engine): reduce memory usage for resolving evttypes [#1965] - @jasondellaluce
  • refactor(userspace/engine): remove Lua from Falco and re-implement the rule loader [#1966] - @jasondellaluce
  • refactor(userspace/engine): decoupling ruleset reading, parsing, and compilation steps [#1970] - @jasondellaluce
  • refactor: update definitions of falco_common [#1967] - @jasondellaluce
  • update: improved Falco engine event processing performance [#1944] - @deepskyblue86
  • refactor(userspace/engine): use libsinsp filter parser and compiler inside rule loader [#1947] - @jasondellaluce

Bug Fixes

  • fix(userspace/engine): skip rules with unknown sources that also have exceptions, and skip macros with unknown sources. [#1920] - @mstemm
  • fix(userspace/falco): enable k8s and mesos clients only when syscall source is enabled [#2019] - @jasondellaluce

Rule Changes

  • rule(Launch Excessively Capable Container): fix typo in description [#1996] - @mmonitz
  • rule(macro: known_shell_spawn_cmdlines): add sh -c /usr/share/lighttpd/create-mime.conf.pl to macro [#1996] - @mmonitz
  • rule(macro net_miner_pool): additional syscall for detection [#2011] - @beryxz
  • rule(macro truncate_shell_history): include .ash_history [#1956] - @bdashrad
  • rule(macro modify_shell_history): include .ash_history [#1956] - @bdashrad
  • rule(Detect release_agent File Container Escapes): new rule created to detect an attempt to exploit a container escape using release_agent file [#1969] - @darryk10
  • rule(k8s: secret): detect get attempts for both successful and unsuccessful attempts [#1949] - @Dentrax
  • rule(K8s Serviceaccount Created/Deleted): Fixed output for the rules [#1973] - @darryk10
  • rule(Disallowed K8s User): exclude allowed EKS users [#1960] - @darryk10
  • rule(Launch Ingress Remote File Copy Tools in Container): Removed use cases not triggering the rule [#1968] - @darryk10
  • rule(Mount Launched in Privileged Container): added allowlist macro user_known_mount_in_privileged_containers. [#1930] - @mmoyerfigma
  • rule(macro user_known_shell_config_modifiers): allow to allowlist shell config modifiers [#1938] - @claudio-vellage

Non user-facing changes

  • new: update plugins [#2023] - @FedeDP
  • update(build): updated libs version for Falco 0.32.0 release. [#2022] - @FedeDP
  • update(build): updated libs to 1be924900a09cf2e4db4b4ae13d03d838959f350 [#2024] - @FedeDP
  • chore(userspace/falco): do not print error code in process_events.cpp [#2030] - @alacuku
  • fix(falco-scripts): remove driver versions with dkms-3.0.3 [#2027] - @Andreagit97
  • chore(userspace/falco): fix punctuation typo in output message when loading plugins [#2026] - @alacuku
  • refactor(userspace): change falco engine design to properly support multiple sources [#2017] - @jasondellaluce
  • update(userspace/falco): improve falco termination [#2012] - @Andreagit97
  • update(userspace/engine): introduce new check_plugin_requirements API [#2009] - @Andreagit97
  • fix(userspace/engine): improve rule loader source checks [#2010] - @Andreagit97
  • fix: split filterchecks per source-idx [#1999] - @FedeDP
  • new: port CI builds to github actions [#2000] - @FedeDP
  • build(userspace/engine): cleanup unused include dir [#1987] - @leogr
  • rule(Anonymous Request Allowed): exclude {/livez, /readyz} [#1954] - @sledigabel
  • chore(falco_scripts): Update falco-driver-loader cleaning phase [#1950] - @Andreagit97
  • new(userspace/falco): use new plugin caps API [#1982] - @FedeDP
  • build: correct conffiles for DEB packages [#1980] - @leogr
  • Fix exception parsing regressions [#1985] - @mstemm
  • Add codespell GitHub Action [#1962] - @invidian
  • build: components opt-in mechanism for packages [#1979] - @leogr
  • add gVisor to ADOPTERS.md [#1974] - @kevinGC
  • rules: whitelist GCP's container threat detection image [#1959] - @clmssz
  • Fix some typos [#1961] - @invidian
  • chore(rules): remove leftover [#1958] - @leogr
  • docs: readme update and plugins [#1940] - @leogr

Statistics

Merged PRs        Number
Not user-facing   27
Release note      34
Total             61

Release Manager @FedeDP


Version 0.31.1

Download

Packages   Download
rpm        rpm
deb        deb
tgz        tgz
Images
docker pull docker.io/falcosecurity/falco:0.31.1
docker pull public.ecr.aws/falcosecurity/falco:0.31.1
docker pull docker.io/falcosecurity/falco-driver-loader:0.31.1
docker pull docker.io/falcosecurity/falco-no-driver:0.31.1

Major Changes

Minor Changes

  • refactor(userspace/falco): replace direct getopt_long() cmdline option parsing with third-party cxxopts library. [#1886] - @mstemm
  • update: driver version is b7eb0dd [#1923] - @LucaGuerra

Bug Fixes

  • fix(userspace/falco): correct plugins init config conversion from YAML to JSON [#1907] - @jasondellaluce
  • fix(userspace/engine): fix for rules at the informational level being loaded at the notice level [#1885] - @mike-stewart
  • chore(userspace/falco): fixes truncated -b option description. [#1915] - @andreabonanno
  • update(falco): updates usage description for -o, --option [#1903] - @andreabonanno

Rule Changes

  • rule(Detect outbound connections to common miner pool ports): fix url in rule output [#1918] - @jsoref
  • rule(macro somebody_becoming_themself): renaming macro to somebody_becoming_themselves [#1918] - @jsoref
  • rule(list package_mgmt_binaries): npm added [#1866] - @rileydakota
  • rule(Launch Package Management Process in Container): support for detecting npm usage [#1866] - @rileydakota
  • rule(Polkit Local Privilege Escalation Vulnerability): new rule created to detect CVE-2021-4034 [#1877] - @darryk10
  • rule(macro: modify_shell_history): avoid false-positive alerts triggered by modifications to .zsh_history.new and .zsh_history.LOCK files [#1832] - @m4wh6k
  • rule(macro: truncate_shell_history): avoid false-positive alerts triggered by modifications to .zsh_history.new and .zsh_history.LOCK files [#1832] - @m4wh6k
  • rule(macro sssd_writing_krb): fixed a false-positive alert that was being generated when SSSD updates /etc/krb5.keytab [#1825] - @mac-chaffee
  • rule(macro write_etc_common): fixed a false-positive alert that was being generated when SSSD updates /etc/krb5.keytab [#1825] - @mac-chaffee
  • upgrade macro(keepalived_writing_conf) [#1742] - @pabloopez
  • rule_output(Delete Bucket Public Access Block): fix typo [#1888] - @pabloopez

Non user-facing changes

  • fix(build): fix civetweb linking in cmake module [#1919] - @LucaGuerra
  • chore(userspace/engine): remove unused lua functions and state vars [#1908] - @jasondellaluce
  • fix(userspace/falco): applies FALCO_INSTALL_CONF_FILE as the default … [#1900] - @andreabonanno
  • fix(scripts): correct typo in falco-driver-loader help message [#1899] - @leogr
  • update(build)!: replaced various PROBE with DRIVER where necessary. [#1887] - @FedeDP
  • Add Fairwinds to the adopters list [#1917] - @sudermanjr
  • build(cmake): several cmake changes to speed up/simplify builds for external projects and copying files from source-to-build directories [#1905] - @mstemm

Statistics

Merged PRs        Number
Not user-facing   11
Release note      13
Total             24

Release Manager @LucaGuerra


Version 0.31.0

Download

Packages   Download
rpm        rpm
deb        deb
tgz        tgz
Images
docker pull docker.io/falcosecurity/falco:0.31.0
docker pull public.ecr.aws/falcosecurity/falco:0.31.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.31.0
docker pull docker.io/falcosecurity/falco-no-driver:0.31.0

Major Changes

  • new: add support for plugins to extend Falco functionality to new event sources and custom fields [#1753] - @mstemm
  • new: add ability to set the User-Agent HTTP header when sending http output. The default value is 'falcosecurity/falco'. [#1850] - @yoshi314
  • new(configuration): support defining plugin init config as a YAML [#1852] - @jasondellaluce

Minor Changes

  • rules: add the official Falco ECR repository to rules [#1817] - @calvinbui
  • build: update CircleCI machine image for eBPF tests to a newer version of ubuntu [#1764] - @mstemm
  • update(engine): refactor Falco engine to be agnostic to specific event sources [#1715] - @mstemm
  • build: upgrade civetweb to v1.15 [#1782] - @FedeDP
  • update: driver version is 319368f1ad778691164d33d59945e00c5752cd27 now [#1861] - @FedeDP
  • build: allow using local libs source dir by setting FALCOSECURITY_LIBS_SOURCE_DIR in cmake [#1791] - @jasondellaluce
  • build: the statically linked binary package is now published with the -static suffix [#1873] - @LucaGuerra
  • update!: removed "--alternate-lua-dir" cmdline option as lua scripts are now embedded in Falco executable. [#1872] - @FedeDP
  • build: switch to dynamic build for the binary package (.tar.gz) [#1853] - @LucaGuerra
  • update: simpleconsumer filtering is now being done at kernel level [#1846] - @FedeDP
  • update(scripts/falco-driver-loader): first try to load the latest kmod version, then fall back to an already installed one, if any [#1863] - @leogr
  • refactor: clean up --list output with better formatting and no duplicate sections across event sources. [#1816] - @mstemm
  • update: embed .lua files used to load/compile rules into the main falco executable, for simplicity and to avoid tampering. [#1843] - @mstemm
  • update: support non-enumerable event sources in gRPC outputs service [#1840] - @jasondellaluce
  • docs: add jasondellaluce to OWNERS [#1818] - @jasondellaluce
  • chore: --list option can be used to selectively list fields related to new sources that are introduced by plugins [#1839] - @loresuso
  • update(userspace/falco): support arbitrary-depth nested values in YAML configuration [#1792] - @jasondellaluce
  • build: bump FakeIt version to 2.0.9 [#1797] - @jasondellaluce
  • update: allow append of new exceptions to rules [#1780] - @sai-arigeli
  • update: Linux packages are now signed with SHA256 [#1758] - @twa16
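
To make the exception-append change (#1780) concrete: with it, a local rules file can add a named exception to an existing rule instead of copying and overriding the whole rule. The fragment below is an added example, not from the Falco ruleset or from this release; it assumes the default rule Write below etc has already been loaded from the base ruleset, and the exception name, process name and directory are constructed for illustration.

```yaml
# Added example (not from the Falco project). Place it in a file loaded after
# falco_rules.yaml, for example falco_rules.local.yaml.
# Assumptions: the rule "Write below etc" exists in the base ruleset; the
# process name "myapp" and the directory "/etc/myapp" are illustrative.
- rule: Write below etc
  exceptions:
    # A new named exception: the rule is suppressed only when the writing
    # process is myapp AND the target directory starts with /etc/myapp.
    # Keeping both fields in one exception avoids a blanket allowlist that
    # would let "myapp" write anywhere under /etc.
    - name: myapp_config_writes
      fields: [proc.name, fd.directory]
      comps: [=, startswith]
      values:
        - [myapp, /etc/myapp]
  append: true
```

Load order matters: an append that names a rule the engine has not seen yet is a load error, so the local file must come after the base ruleset on the command line or in falco.yaml.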

Bug Fixes

  • fix(scripts/falco-driver-loader): fix for SELinux insmod denials [#1756] - @dwindsor
  • fix(scripts/falco-driver-loader): correctly clean loaded drivers when using --clean [#1795] - @jasondellaluce
  • fix(userspace/falco): in case output_file cannot be opened, throw a falco exception [#1773] - @FedeDP
  • fix(userspace/engine): support jsonpointer escaping in rule parser [#1777] - @jasondellaluce
  • fix(scripts/falco-driver-loader): support kernel object files in .zst and .gz compression formats [#1863] - @leogr
  • fix(engine): correctly format json output in json_event [#1847] - @jasondellaluce
  • fix: set http output contenttype to text/plain when json output is disabled [#1829] - @FedeDP
  • fix(userspace/falco): accept a 'Content-Type' header that contains "application/json" even when it is not strictly equal to it [#1800] - @FedeDP
  • fix(userspace/engine): supporting enabled-only overwritten rules [#1775] - @jasondellaluce

Rule Changes

  • rule(Create Symlink Over Sensitive File): corrected typo in rule output [#1820] - @deepskyblue86
  • rule(macro open_write): add support to openat2 [#1796] - @jasondellaluce
  • rule(macro open_read): add support to openat2 [#1796] - @jasondellaluce
  • rule(macro open_directory): add support to openat2 [#1796] - @jasondellaluce
  • rule(Create files below dev): add support to openat2 [#1796] - @jasondellaluce
  • rule(Container Drift Detected (open+create)): add support to openat2 [#1796] - @jasondellaluce
  • rule(macro sensitive_mount): add containerd socket [#1815] - @loresuso
  • rule(macro spawned_process): monitor also processes spawned by execveat [#1868] - @Andreagit97
  • rule(Create Hardlink Over Sensitive Files): new rule to detect hard links created over sensitive files [#1810] - @sberkovich
  • rule(Detect crypto miners using the Stratum protocol): add stratum2+tcp and stratum+ssl protocols detection [#1810] - @sberkovich
  • rule(Sudo Potential Privilege Escalation): correct special case for the CVE-2021-3156 exploit [#1810] - @sberkovich
  • rule(list falco_hostnetwork_images): moved to k8s_audit_rules.yaml to avoid a warning when using falco_rules.yaml only [#1681] - @leodido
  • rule(list deb_binaries): remove apt-config [#1860] - @Andreagit97
  • rule(Launch Remote File Copy Tools in Container): add additional binaries: curl and wget. [#1771] - @ec4n6
  • rule(list known_sa_list): add coredns, coredns-autoscaler, endpointslicemirroring-controller, horizontal-pod-autoscaler, job-controller, node-controller (nodelifecycle), persistent-volume-binder, pv-protection-controller, pvc-protection-controller, root-ca-cert-publisher and service-account-controller as allowed service accounts in the kube-system namespace [#1760] - @sboschman

Non user-facing changes

  • fix: force-set evt.type for plugin source events [#1878] - @FedeDP
  • fix: updated some warning strings; properly refresh lua files embedded in falco [#1864] - @FedeDP
  • style(userspace/engine): avoid creating multiple versions of methods only to assume default ruleset. Use a default argument instead. [#1754] - @FedeDP
  • add raft in the adopters list [#1776] - @teshsharma
  • build: always populate partial version variables [#1778] - @dnwe
  • build: updated cloudtrail plugin to latest version [#1865] - @FedeDP
  • replace ".." concatenation with table.concat [#1834] - @VadimZy
  • fix(userspace/engine): actually make m_filter_all_event_types useful by properly using it as fallback when no filter event types is provided [#1875] - @FedeDP
  • fix(build): do not show plugin options in musl optimized builds [#1871] - @LucaGuerra
  • fix(aws_cloudtrail_rules.yaml): correct required plugin versions [#1867] - @FedeDP
  • docs: fix priority level "info" to "informational" [#1858] - @Andreagit97
  • Field properties changes [#1838] - @mstemm
  • update(build): updated libs to latest master version; updated plugins versions [#1856] - @FedeDP
  • Add Giant Swarm to Adopters list [#1842] - @stone-z
  • update(tests): remove token_bucket unit tests [#1798] - @jasondellaluce
  • fix(build): use consistent 7-character build abbrev sha [#1830] - @LucaGuerra
  • add Phoenix to adopters list [#1806] - @kaldyka
  • remove unused files in test directory [#1801] - @jasondellaluce
  • drop Falco luajit module, use the one provided by libs [#1788] - @FedeDP
  • chore(build): update libs version to 7906f7e [#1790] - @LucaGuerra
  • Add SysFlow to list of libs adopters [#1747] - @araujof
  • build: dropped centos8 circleci build because it is useless [#1882] - @FedeDP

Statistics

Merged PRs        Number
Not user-facing   23
Release note      40
Total             63

Release Manager @jasondellaluce


Version 0.30.0

Download

Packages   Download
rpm        rpm
deb        deb
tgz        tgz
Images
docker pull docker.io/falcosecurity/falco:0.30.0
docker pull public.ecr.aws/falcosecurity/falco:0.30.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.30.0
docker pull docker.io/falcosecurity/falco-no-driver:0.30.0

Major Changes

  • new: add --k8s-node command-line options, which allows filtering by a node when requesting metadata of pods to the K8s API server [#1671] - @leogr
  • new(outputs): expose rule tags and event source in gRPC and json outputs [#1714] - @jasondellaluce
  • new(userspace/falco): add customizable metadata fetching params [#1667] - @zuc

Minor Changes

Bug Fixes

  • fix(scripts): correct standard output redirection in systemd config (DEB and RPM packages) [#1697] - @chirabino
  • fix(scripts): correct lookup order when trying multiple gcc versions in the falco-driver-loader script [#1716] - @Spartan-65

Rule Changes

Non user-facing changes

  • add Qonto as adopter [#1717] - @Issif
  • docs(proposals): proposal for a libs plugin system [#1637] - @ldegio
  • build: remove unused ncurses dependency [#1658] - @leogr
  • build(.circleci): use new Debian 11 package names for python-pip [#1712] - @zuc
  • build(docker): adding libssl-dev, upstream image reference pinned to debian:buster [#1719] - @michalschott
  • fix(test): avoid output_strictly_contains failures [#1724] - @jasondellaluce
  • Remove duplicate allowed ecr registry rule [#1725] - @TomKeyte
  • docs(RELEASE.md): switch to 3 releases per year [#1711] - @leogr

Statistics

Merged PRs        Number
Not user-facing   10
Release note      9
Total             19

Release Manager @araujof


Version 0.29.1

Download

Packages   Download
rpm        rpm
deb        deb
tgz        tgz
Images
docker pull docker.io/falcosecurity/falco:0.29.1
docker pull public.ecr.aws/falcosecurity/falco:0.29.1
docker pull docker.io/falcosecurity/falco-driver-loader:0.29.1
docker pull docker.io/falcosecurity/falco-no-driver:0.29.1

Minor Changes

  • update: bump the Falco engine version to version 9 [#1675] - @leodido

Rule Changes

  • rule(list user_known_userfaultfd_processes): list to exclude processes known to use userfaultfd syscall [#1675] - @leodido
  • rule(macro consider_userfaultfd_activities): macro to gate the "Unprivileged Delegation of Page Faults Handling to a Userspace Process" rule [#1675] - @leodido
  • rule(Unprivileged Delegation of Page Faults Handling to a Userspace Process): new rule to detect successful unprivileged userfaultfd syscalls [#1675] - @leodido
  • rule(Linux Kernel Module Injection Detected): adding container info to the output of the rule [#1675] - @leodido

Non user-facing changes

Statistics

Merged PRs        Number
Not user-facing   2
Release note      1
Total             3

Release Manager @leodido


Version 0.29.0

Download

Packages   Download
rpm        rpm
deb        deb
tgz        tgz
Images
docker pull docker.io/falcosecurity/falco:0.29.0
docker pull public.ecr.aws/falcosecurity/falco:0.29.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.29.0
docker pull docker.io/falcosecurity/falco-no-driver:0.29.0

Minor Changes

  • update: driver version is 17f5df52a7d9ed6bb12d3b1768460def8439936d now [#1669] - @leogr

Rule Changes

  • rule(list miner_domains): add rx.unmineable.com for anti-miner detection [#1676] - @fntlnz
  • rule(Change thread namespace and Set Setuid or Setgid bit): disable by default [#1632] - @Kaizhe
  • rule(list known_sa_list): add namespace-controller, statefulset-controller, disruption-controller, job-controller, horizontal-pod-autoscaler and persistent-volume-binder as allowed service accounts in the kube-system namespace [#1659] - @sboschman
  • rule(Non sudo setuid): check user id as well in case user name info is not available [#1665] - @Kaizhe
  • rule(Debugfs Launched in Privileged Container): fix typo in description [#1657] - @Kaizhe

Non user-facing changes

Statistics

Merged PRs        Number
Not user-facing   11
Release note      7
Total             18


Release Manager @maxgio92


Version 0.28.1

Download

Packages   Download
rpm        rpm
deb        deb
tgz        tgz
Images
docker pull docker.io/falcosecurity/falco:0.28.1
docker pull public.ecr.aws/falcosecurity/falco:0.28.1
docker pull docker.io/falcosecurity/falco-driver-loader:0.28.1
docker pull docker.io/falcosecurity/falco-no-driver:0.28.1

Major Changes

  • new: --support output now includes info about the Falco engine version [#1581] - @mstemm
  • new: Falco outputs an alert in the unlikely situation that it receives too many consecutive timeouts without an event [#1622] - @leodido
  • new: configuration field syscall_event_timeouts.max_consecutive to set how many consecutive timeouts without an event Falco tolerates before alerting [#1622] - @leodido

Minor Changes

  • build: enforcing hardening flags by default [#1604] - @leogr

Bug Fixes

  • fix: do not stop the webserver for k8s audit logs when the incoming event contains invalid data [#1617] - @fntlnz

Rule Changes

  • rule(macro: allowed_aws_ecr_registry_root_for_eks): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [#1640] - @ismailyenigul
  • rule(macro: aws_eks_core_images): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [#1640] - @ismailyenigul
  • rule(macro: aws_eks_image_sensitive_mount): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [#1640] - @ismailyenigul
  • rule(list falco_privileged_images): remove deprecated Falco's OCI image repositories [#1634] - @maxgio92
  • rule(list falco_sensitive_mount_images): remove deprecated Falco's OCI image repositories [#1634] - @maxgio92
  • rule(macro k8s_containers): remove deprecated Falco's OCI image repositories [#1634] - @maxgio92
  • rule(macro: python_running_sdchecks): macro removed [#1620] - @leogr
  • rule(Change thread namespace): remove python_running_sdchecks exception [#1620] - @leogr

Non user-facing changes

Statistics

Merged PRs        Number
Not user-facing   7
Release note      7
Total             14


Release Manager @cpanato


Version 0.28.0

Download

Packages   Download
rpm        rpm
deb        deb
tgz        tgz
Images
docker pull docker.io/falcosecurity/falco:0.28.0
docker pull public.ecr.aws/falcosecurity/falco:0.28.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.28.0
docker pull docker.io/falcosecurity/falco-no-driver:0.28.0

Major Changes

Minor Changes

  • docs(proposals): libraries and drivers donation [#1530] - @leodido
  • docs(docker): update links to the new Falco website URLs [#1545] - @cpanato
  • docs(test): update links to new Falco website URLs [#1563] - @shane-lawrence
  • build: now Falco packages are published at https://download.falco.org [#1577] - @leogr
  • update: lower the syscall_event_drops.max_burst default value to 1 [#1586] - @leodido
  • update: falco-driver-loader now tries to download a prebuilt Falco driver before falling back to compiling it on the fly for the host [#1599] - @leodido
  • docs(test): document the prerequisites for running the integration test suite locally [#1609] - @fntlnz
  • update: Debian/RPM package migrated from init to systemd [#1448] - @jenting

Bug Fixes

  • fix(userspace/engine): properly handle field extraction over lists of containers when not all containers match the specified sub-properties [#1601] - @mstemm
  • fix(docker/falco): add flex and bison dependency to container image [#1562] - @schans
  • fix: the ignore action cannot be combined with the log and alert actions (syscall_event_drops config) [#1586] - @leodido
  • fix(userspace/engine): allows fields starting with numbers to be parsed properly [#1598] - @mstemm
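
The two drop-related entries in this release (#1586) change both the default and the validation of the syscall_event_drops block in falco.yaml. The fragment below is an added example, not the shipped falco.yaml; the rate value is illustrative, and the exact defaults may differ in the version you run.

```yaml
# Added example (not the shipped falco.yaml). Shows the accepted and the
# rejected shapes of syscall_event_drops after 0.28.0.

# Accepted: log AND alert on kernel-side event drops, throttled by a token
# bucket. max_burst: 1 (the new default) means at most one notification per
# refill period, so a sustained drop storm cannot flood the outputs while the
# drops themselves remain visible.
syscall_event_drops:
  actions:
    - log
    - alert
  rate: 0.03333   # illustrative value: roughly one notification per 30 seconds
  max_burst: 1

# Rejected by configuration validation since 0.28.0: "ignore" contradicts
# log/alert, so the combination is a configuration error instead of being
# silently accepted with unclear behaviour.
# syscall_event_drops:
#   actions:
#     - ignore
#     - log
```

Dropped syscall events are blind spots for detection, so the log/alert pair is the safer choice; ignore should only be chosen deliberately, on its own.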

Rule Changes

  • rule(Write below monitored dir): improve rule description [#1588] - @stevenshuang
  • rule(macro allowed_aws_eks_registry_root): macro to match the official eks registry [#1555] - @ismailyenigul
  • rule(macro aws_eks_image): match aws image repository for eks [#1555] - @ismailyenigul
  • rule(macro aws_eks_image_sensitive_mount): match aws cni images [#1555] - @ismailyenigul
  • rule(macro k8s_containers): include fluent/fluentd-kubernetes-daemonset and prom/prometheus [#1555] - @ismailyenigul
  • rule(Launch Privileged Container): exclude aws_eks_image [#1555] - @ismailyenigul
  • rule(Launch Sensitive Mount Container): exclude aws_eks_image_sensitive_mount [#1555] - @ismailyenigul
  • rule(Debugfs Launched in Privileged Container): new rule [#1583] - @Kaizhe
  • rule(Mount Launched in Privileged Container): new rule [#1583] - @Kaizhe
  • rule(Set Setuid or Setgid bit): add k3s-agent in the whitelist [#1583] - @Kaizhe
  • rule(macro user_ssh_directory): using glob operator [#1560] - @shane-lawrence
  • rule(list falco_sensitive_mount_containers): added image exceptions for IBM cloud [#1337] - @nibalizer
  • rule(list rpm_binaries): add rhsmcertd [#1385] - @epcim
  • rule(list deb_binaries): add apt.systemd.daily [#1385] - @epcim
  • rule(Sudo Potential Privilege Escalation): new rule created to detect CVE-2021-3156 [#1543] - @darryk10
  • rule(list allowed_k8s_users): add eks:node-manager [#1536] - @ismailyenigul
  • rule(list mysql_mgmt_binaries): removed [#1602] - @fntlnz
  • rule(list db_mgmt_binaries): removed [#1602] - @fntlnz
  • rule(macro parent_ansible_running_python): removed [#1602] - @fntlnz
  • rule(macro parent_bro_running_python): removed [#1602] - @fntlnz
  • rule(macro parent_python_running_denyhosts): removed [#1602] - @fntlnz
  • rule(macro parent_linux_image_upgrade_script): removed [#1602] - @fntlnz
  • rule(macro parent_java_running_echo): removed [#1602] - @fntlnz
  • rule(macro parent_scripting_running_builds): removed [#1602] - @fntlnz
  • rule(macro parent_Xvfb_running_xkbcomp): removed [#1602] - @fntlnz
  • rule(macro parent_nginx_running_serf): removed [#1602] - @fntlnz
  • rule(macro parent_node_running_npm): removed [#1602] - @fntlnz
  • rule(macro parent_java_running_sbt): removed [#1602] - @fntlnz
  • rule(list known_container_shell_spawn_cmdlines): removed [#1602] - @fntlnz
  • rule(list known_shell_spawn_binaries): removed [#1602] - @fntlnz
  • rule(macro run_by_puppet): removed [#1602] - @fntlnz
  • rule(macro user_privileged_containers): removed [#1602] - @fntlnz
  • rule(list rancher_images): removed [#1602] - @fntlnz
  • rule(list images_allow_network_outside_subnet): removed [#1602] - @fntlnz
  • rule(macro parent_python_running_sdchecks): removed [#1602] - @fntlnz
  • rule(macro trusted_containers): removed [#1602] - @fntlnz
  • rule(list authorized_server_binaries): removed [#1602] - @fntlnz

Non user-facing changes

Statistics

Merged PRs        Number
Not user-facing   17
Release note      24
Total             41

Version 0.27.0

Download

Released on 2021-01-18

Packages   Download
rpm        rpm
deb        deb
tgz        tgz
Images
docker pull docker.io/falcosecurity/falco:0.27.0
docker pull public.ecr.aws/falcosecurity/falco:0.27.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.27.0
docker pull docker.io/falcosecurity/falco-no-driver:0.27.0

Major Changes

  • new: Added falco engine version to grpc version service [#1507] - @nibalizer
  • BREAKING CHANGE: Falco can no longer run without a config file; a configuration file must now always be passed. Users who previously started Falco without one, and developers whose processes relied on that, need to adjust. [#1494] - @nibalizer
  • new: asynchronous outputs implementation, outputs channels will not block event processing anymore [#1451] - @leogr
  • new: slow outputs detection [#1451] - @leogr
  • new: output_timeout config option for slow outputs detection [#1451] - @leogr

Minor Changes

  • build: bump b64 to v2.0.0.1 [#1441] - @fntlnz
  • rules(macro container_started): re-use spawned_process macro inside container_started macro [#1449] - @leodido
  • docs: reach out documentation [#1472] - @fntlnz
  • docs: Broken outputs.proto link [#1493] - @deepskyblue86
  • docs(README.md): correct broken links [#1506] - @leogr
  • docs(proposals): Exceptions handling proposal [#1376] - @mstemm
  • docs: fix a broken link of README [#1516] - @oke-py
  • docs: adding the kubernetes privileged use case to use cases [#1484] - @fntlnz
  • rules(Mkdir binary dirs): adds exe_running_docker_save as an exception, as this rule can be triggered when a container is created. [#1386] - @jhwbarlow
  • rules(Create Hidden Files): adds exe_running_docker_save as an exception, as this rule can be triggered when a container is created. [#1386] - @jhwbarlow
  • docs(.circleci): welcome Jonah (Amazon) as a new Falco CI maintainer [#1518] - @leodido
  • build: falcosecurity/falco:master also available on the AWS ECR Public registry [#1512] - @leodido
  • build: falcosecurity/falco:latest also available on the AWS ECR Public registry [#1512] - @leodido
  • update: gRPC clients can now subscribe to drop alerts via the gRPC API [#1451] - @leogr
  • macro(allowed_k8s_users): exclude cloud-controller-manager to avoid false positives on k3s [#1444] - @fntlnz

Bug Fixes

  • fix(userspace/falco): use given priority in falco_outputs::handle_msg() [#1450] - @leogr
  • fix(userspace/engine): free formatters, if any [#1447] - @leogr
  • fix(scripts/falco-driver-loader): lsmod usage [#1474] - @dnwe
  • fix: a bug that prevented the Falco driver from being consumed by many Falco instances in some circumstances [#1485] - @leodido
  • fix: set HOST_ROOT=/host environment variable for the falcosecurity/falco-no-driver container image by default [#1492] - @leogr

Rule Changes

  • rule(list user_known_change_thread_namespace_binaries): add crio and multus to the list [#1501] - @Kaizhe
  • rule(Container Run as Root User): new rule created [#1500] - @Kaizhe
  • rule(Linux Kernel Module injection detected): adds a new rule that detects when an LKM module is injected using insmod from a container (typically used by rootkits looking to obfuscate their behavior via kernel hooking). [#1478] - @d1vious
  • rule(macro multipath_writing_conf): create and use the macro [#1475] - @nmarier-coveo
  • rule(list falco_privileged_images): add calico/node without registry prefix to prevent false positive alerts [#1457] - @czunker
  • rule(Full K8s Administrative Access): use the right list of admin users (fix) [#1454] - @mstemm

Non user-facing changes

Statistics

Merged PRs        Number
Not user-facing   10
Release note      30
Total             40

Version 0.26.2

Download

Released on 2020-10-01

Packages   Download
rpm        rpm
deb        deb
tgz        tgz
Images
docker pull docker.io/falcosecurity/falco:0.26.2
docker pull docker.io/falcosecurity/falco-driver-loader:0.26.2
docker pull docker.io/falcosecurity/falco-no-driver:0.26.2

Major Changes


Version 0.26.1

Download

Released on 2020-10-01

Packages   Download
rpm        rpm
deb        deb
tgz        tgz
Images
docker pull docker.io/falcosecurity/falco:0.26.1
docker pull docker.io/falcosecurity/falco-driver-loader:0.26.1
docker pull docker.io/falcosecurity/falco-no-driver:0.26.1

Major Changes

  • new: CLI flag --alternate-lua-dir to load Lua files from arbitrary paths [#1419] - @admiral0

Rule Changes

  • rule(Delete or rename shell history): fix warnings/FPs + container teardown [#1423] - @mstemm
  • rule(Write below root): ensure proc_name_exists too [#1423] - @mstemm

Statistics

Merged PRs        Number
Not user-facing   4
Release note      2
Total             6

Version 0.26.0

Download

Released on 2020-09-24

Official Stable Download 0.26.0
rpm        rpm
deb        deb
binary     bin

Major Changes

  • new: driver updated to 2aa88dcf6243982697811df4c1b484bcbe9488a2 [#1410]
  • new(scripts/falco-driver-loader): detect and try to build the Falco kernel module driver using different GCC versions available in the current environment. [#1408]
  • new: tgz (tarball) containing the statically-linked (musl) binary of Falco is now automatically built and published on bintray [#1377]

Minor Changes

  • update: bump Falco engine version to 7 [#1381]
  • update: the required_engine_version is now on by default [#1381]
  • update: falcosecurity/falco-no-driver image now uses the statically-linked Falco [#1377]
  • docs(proposals): artifacts storage [#1375]
  • docs(proposals): artifacts cleanup [#1375]

Rule Changes

  • rule: Address several sources of FPs, primarily from GKE environments. [#1372]
  • rule(macro inbound_outbound): add brackets to disambiguate operator precedence [#1373]
  • rule(macro redis_writing_conf): add brackets to disambiguate operator precedence [#1373]
  • rule(macro run_by_foreman): add brackets to disambiguate operator precedence [#1373]
  • rule(macro consider_packet_socket_communication): enable "Packet socket created in container" rule by default. [#1402]
  • rule(Delete or rename shell history): skip docker overlay filesystems when considering bash history [#1393]
  • rule(Disallowed K8s User): quote colons in user names [#1393]
  • rule(macro falco_sensitive_mount_containers): Adds a trailing slash to avoid repo naming issues [#1394]
  • rule: adds user.loginuid to the default Falco rules that also contain user.name [#1369]
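
The three bracket fixes (#1373) and the loginuid addition (#1369) are both about how a rule is read rather than which events exist. The fragment below is an added, constructed illustration, not the project's inbound_outbound macro or any shipped rule; the macro names, the rule and its output are made up. It shows why an unbracketed and/or chain is a detection hazard, and how user.loginuid sits beside user.name in an output:

```yaml
# Added, constructed example; not from the Falco ruleset.

# Ambiguous: without brackets, whether "fd.typechar = 6" is OR-ed with only
# "fd.typechar = 4" or with the whole left-hand chain is left to the parser.
# Under the conventional precedence (and binds tighter than or) this reads as
#   (... and fd.typechar = 4) or fd.typechar = 6
# i.e. it matches ANY event on an IPv6 socket, not just a completed
# accept/connect, which is a very different (and noisier) detection.
- macro: net_activity_ambiguous
  condition: evt.type in (accept,connect) and evt.dir=< and fd.typechar = 4 or fd.typechar = 6

# Explicit: the intended reading, "a completed accept/connect on an IPv4 or
# IPv6 socket". The brackets make it independent of parser precedence.
- macro: net_activity_explicit
  condition: (evt.type in (accept,connect) and evt.dir=<) and (fd.typechar = 4 or fd.typechar = 6)

# user.loginuid is the audit login UID. It is set at login and survives
# su/sudo, so the output still names the originating account even when
# user.name has become "root".
- rule: Example Network Activity in Container
  desc: Constructed rule using the explicitly bracketed macro
  condition: net_activity_explicit and container.id != host
  output: >
    Network activity in container (user=%user.name user_loginuid=%user.loginuid
    command=%proc.cmdline connection=%fd.name container=%container.name)
  priority: NOTICE
```

When reviewing a macro, read each unbracketed or as a potential widening of the match set; bracketing every mixed and/or group costs nothing and removes the dependency on the parser.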

This file documents all notable changes to Falco. The release numbering uses semantic versioning.

Statistics

Merged PRs        Number
Not user-facing   5
Release note      13
Total             18