Changelog

List of changes throughout Falco versions

Version 0.37.1

Download

Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images
docker pull docker.io/falcosecurity/falco:0.37.1
docker pull public.ecr.aws/falcosecurity/falco:0.37.1
docker pull docker.io/falcosecurity/falco-driver-loader:0.37.1
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.37.1
docker pull docker.io/falcosecurity/falco-no-driver:0.37.1
docker pull docker.io/falcosecurity/falco-distroless:0.37.1

v0.37.1

Released on 2024-02-13

Major Changes

  • new(docker): added option for insecure http driver download to falco and driver-loader images [#3058] - @toamto94

Bug Fixes

  • fix(userspace/engine): always consider all rules (even the ones below min_prio) in m_rule_stats_manager [#3060] - @FedeDP

Non user-facing changes

  • sync(docs): cherrypick CHANGELOG entry for 0.37.1 [#3080] - @FedeDP
  • Added http headers option for driver download in docker images [#3075] - @toamto94
  • fix(build): install libstdc++ in the Wolfi image [#3053] - @LucaGuerra

Statistics

Merged PRs        Number
Not user-facing   3
Release note      4
Total             7

Release Manager @FedeDP


Version 0.37.1-rc1


Version 0.37.0

Download

Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images
docker pull docker.io/falcosecurity/falco:0.37.0
docker pull public.ecr.aws/falcosecurity/falco:0.37.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.37.0
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.37.0
docker pull docker.io/falcosecurity/falco-no-driver:0.37.0
docker pull docker.io/falcosecurity/falco-distroless:0.37.0

v0.37.0

Released on 2024-01-30

Breaking Changes :warning:

  • new!: dropped falco-driver-loader script in favor of new falcoctl driver command [#2905] - @FedeDP
  • update!: bump libs to latest and deprecation of k8s metadata options and configs [#2914] - @jasondellaluce
  • cleanup(falco)!: remove outputs.rate and outputs.max_burst from Falco config [#2841] - @Andreagit97
  • cleanup(falco)!: remove --userspace support [#2839] - @Andreagit97

Major Changes

  • new(engine): add selective overrides for Falco rules [#2981] - @LucaGuerra
  • feat(userspace/falco): falco administrators can now configure the http output to compress the data sent as well as enable keep alive for the connection. Two new fields (compress_uploads and keep_alive) in the http_output block of the falco.yaml file can be used for that purpose. Both are disabled by default. [#2974] - @sgaist
  • new(userspace): support env variable expansion in all yaml, even inside strings. [#2918] - @FedeDP
  • new(scripts): add a way to enforce driver kind and falcoctl enablement when installing Falco from packages and dialog is not present. [#2773] - @vjjmiras
  • new(falco): print system info when Falco starts [#2927] - @Andreagit97
  • new: driver selection in falco.yaml [#2413] - @therealbobo
  • new(build): enable compilation on win32 and macOS. [#2889] - @therealbobo
  • feat(userspace/falco): falco administrators can now configure the address on which the webserver listens using the new listen_address field in the webserver block of the falco.yaml file. [#2890] - @sgaist

Minor Changes

  • update(userspace/falco): add engine_version_semver key in /versions endpoint [#2899] - @loresuso
  • update: default ruleset upgrade to version 3.0 [#3034] - @leogr
  • update!(config): soft deprecation of drop stats counters in syscall_event_drops [#3015] - @incertum
  • update(cmake): bumped falcoctl tool to v0.7.1. [#3030] - @FedeDP
  • update(rule_loader): deprecate the append flag in Falco rules [#2992] - @Andreagit97
  • cleanup!(cmake): drop bundled plugins in Falco [#2997] - @FedeDP
  • update(config): clarify deprecation notices + list all env vars [#2988] - @incertum
  • update: now the watch_config_files config option monitors file/directory moving and deletion, too [#2965] - @NitroCao
  • update(userspace): enhancements in rule description feature [#2934] - @jasondellaluce
  • update(userspace/falco): add libsinsp state metrics option [#2883] - @incertum
  • update(doc): Add Thought Machine as adopters [#2919] - @RichardoC
  • update(docs): add Wireshark/Logray as adopter [#2867] - @geraldcombs
  • update: engine_version in semver representation [#2838] - @loresuso
  • update(userspace/engine): modularize rule compiler, fix and enrich rule descriptions [#2817] - @jasondellaluce

Statistics

Merged PRs        Number
Not user-facing   61
Release note      31
Total             92

Release Manager @Andreagit97


Version 0.37.0-rc3

What's Changed

Full Changelog: https://github.com/falcosecurity/falco/compare/0.37.0-rc2...0.37.0-rc3


Version 0.37.0-rc2

Download

Images
docker pull docker.io/falcosecurity/falco:0.37.0-rc2
docker pull public.ecr.aws/falcosecurity/falco:0.37.0-rc2
docker pull docker.io/falcosecurity/falco-driver-loader:0.37.0-rc2
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.37.0-rc2
docker pull docker.io/falcosecurity/falco-no-driver:0.37.0-rc2
docker pull docker.io/falcosecurity/falco-distroless:0.37.0-rc2

Version 0.37.0-rc1

Download

Images
docker pull docker.io/falcosecurity/falco:0.37.0-rc1
docker pull public.ecr.aws/falcosecurity/falco:0.37.0-rc1
docker pull docker.io/falcosecurity/falco-driver-loader:0.37.0-rc1
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.37.0-rc1
docker pull docker.io/falcosecurity/falco-no-driver:0.37.0-rc1
docker pull docker.io/falcosecurity/falco-distroless:0.37.0-rc1

Version 0.36.2

Download

Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images
docker pull docker.io/falcosecurity/falco:0.36.2
docker pull public.ecr.aws/falcosecurity/falco:0.36.2
docker pull docker.io/falcosecurity/falco-driver-loader:0.36.2
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.36.2
docker pull docker.io/falcosecurity/falco-no-driver:0.36.2
docker pull docker.io/falcosecurity/falco-distroless:0.36.2

v0.36.2

Released on 2023-10-27

Release Manager @FedeDP


Version 0.36.2-rc1


Version 0.36.1

Download

Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images
docker pull docker.io/falcosecurity/falco:0.36.1
docker pull public.ecr.aws/falcosecurity/falco:0.36.1
docker pull docker.io/falcosecurity/falco-driver-loader:0.36.1
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.36.1
docker pull docker.io/falcosecurity/falco-no-driver:0.36.1
docker pull docker.io/falcosecurity/falco-distroless:0.36.1

v0.36.1

Released on 2024-01-30

Major Changes

  • feat(userspace): remove experimental outputs queue recovery strategies [#2863] - @incertum

Bug Fixes

  • fix(userspace/falco): timer_delete() workaround due to bug in older GLIBC [#2851] - @incertum

Statistics

Merged PRs        Number
Not user-facing   1
Release note      2
Total             3

Release Manager @Andreagit97


Version 0.36.1-rc1

Download

Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images
docker pull docker.io/falcosecurity/falco:0.36.1-rc1
docker pull public.ecr.aws/falcosecurity/falco:0.36.1-rc1
docker pull docker.io/falcosecurity/falco-driver-loader:0.36.1-rc1
docker pull docker.io/falcosecurity/falco-no-driver:0.36.1-rc1
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.36.1-rc1
docker pull docker.io/falcosecurity/falco-distroless:0.36.1-rc1

Release Candidate for Falco 0.36.1. To see what's included, check the corresponding milestone: https://github.com/falcosecurity/falco/milestone/35


Version 0.36.0

Download

Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images
docker pull docker.io/falcosecurity/falco:0.36.0
docker pull public.ecr.aws/falcosecurity/falco:0.36.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.36.0
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.36.0
docker pull docker.io/falcosecurity/falco-no-driver:0.36.0
docker pull docker.io/falcosecurity/falco-distroless:0.36.0

v0.36.0

Released on 2023-09-26

Breaking Changes :warning:

  • The default rules file that is shipped in the Falco image and/or can be downloaded via falcoctl as falco-rules is now a stable rule file. This file contains a much smaller number of rules that are less noisy and have been vetted by the community. This serves as a much requested "starter" Falco rule set that covers many common use cases. The rest of that file has been expanded and split into falco-incubating-rules and falco-sandbox-rules. For more information, see the rules repository.
  • The main falcosecurity/falco container image and its falco-driver-loader counterpart have been upgraded. They are now able to compile the kernel module or classic eBPF probe for relatively newer versions of the kernel (5.x and above), while we no longer ship toolchains to compile the kernel module for older versions in the default images. Downloading of prebuilt drivers and the modern eBPF probe will work exactly like before. The older image, meant for compatibility with older kernels (4.x and below), is currently retained as falcosecurity/falco-driver-loader-legacy.
  • The Falco HTTP output no longer logs to stdout by default for performance reasons. You can set stdout logging preferences and restore the previous behavior with the configuration option http_output.echo in falco.yaml.
  • The --list-syscall-events command line option has been replaced by --list-events which prints all supported system events (syscall, tracepoints, metaevents, internal plugin events) in addition to extra information about flags.
  • The semantics of proc.exepath have changed. Now that field contains the executable path on disk even if the binary was launched from a symbolic link.
  • The -d daemonize option has been removed.
  • The stats command line option (-s, --stats-interval) has been removed in favor of metrics configs in falco.yaml
  • The -p option is now changed:
    • when only -pc is set Falco will print container_id=%container.id container_image=%container.image.repository container_image_tag=%container.image.tag container_name=%container.name
    • when -pk is set it will print as above, but with k8s_ns=%k8s.ns.name k8s_pod_name=%k8s.pod.name appended

Major Changes

  • new(falco-driver-loader): --source-only now prints the values as env vars [#2353] - @steakunderscore
  • new(docker): allow passing options to falco-driver-loader from the driver loader container [#2781] - @LucaGuerra
  • new(docker): add experimental falco-distroless image based on Wolfi [#2768] - @LucaGuerra
  • new: the legacy falco image is available as driver-loader-legacy [#2718] - @LucaGuerra
  • new: added option to enable/disable echoing of server answer to stdout (disabled by default) when using HTTP output [#2602] - @FedeDP
  • new: support systemctl reload for Falco services [#2588] - @jabdr
  • new(falco/config): add new configurations for http_output that allow mTLS [#2633] - @annadorottya
  • new: allow falco to match multiple rules on same event [#2705] - @loresuso

Minor Changes

  • update(cmake): bumped bundled falcoctl to 0.6.2 [#2829] - @FedeDP
  • update(rules)!: major rule update to version 2.0.0 [#2823] - @LucaGuerra
  • update(cmake): bumped plugins to latest stable versions [#2820] - @FedeDP
  • update(cmake): bumped libs to 0.13.0-rc2 and driver to 6.0.1+driver [#2806] - @FedeDP
  • update!: default substitution for %container.info is now equal container_id=%container.id container_name=%container.name [#2793] - @leogr
  • update!: the --list-syscall-events flag is now called --list-events and lists all events [#2771] - @LucaGuerra
  • update!: the Falco base image is now based on Debian 12 with gcc 11-12 [#2718] - @LucaGuerra
  • update(docker): the Falco no-driver image is now based on Debian 12 [#2782] - @LucaGuerra
  • feat(userspace)!: remove -d daemonize option [#2677] - @incertum
  • build(deps): Bump submodules/falcosecurity-rules from 3f52480 to 0d0e333 [#2693] - @dependabot[bot]
  • build(deps): Bump submodules/falcosecurity-rules from 3f52480 to b42893a [#2756] - @dependabot[bot]
  • build(deps): Bump submodules/falcosecurity-rules from b42893a to 6ed73fe [#2780] - @dependabot[bot]
  • update(cmake): bumped libs to 0.13.0-rc1 and driver to 6.0.0+driver. [#2783] - @FedeDP
  • feat: support parsing of system environment variables in yaml [#2562] - @therealdwright
  • feat(userspace)!: deprecate stats command args option in favor of metrics configs in falco.yaml [#2739] - @incertum
  • update: upgrade falcoctl to version 0.6.0 [#2764] - @leogr
  • cleanup: deprecate rate limiter mechanism [#2762] - @Andreagit97
  • cleanup(config): add more info [#2758] - @incertum
  • update(userspace/engine): improve skip-if-unknown-filter YAML field [#2749] - @jasondellaluce
  • chore: improved HTTP output performance [#2602] - @FedeDP
  • update!: HTTP output no longer echoes to stdout by default [#2602] - @FedeDP
  • chore: remove b64 from falco dependencies [#2746] - @Andreagit97
  • update(cmake): support building libs and driver from forks [#2747] - @jasondellaluce
  • update: -p presets have been updated to reflect the new rules style guide [#2737] - @leogr
  • feat: Allow specifying explicit kernel release and version for falco-driver-loader [#2728] - @johananl
  • cleanup(config): assign Stable to base_syscalls config [#2740] - @incertum
  • update: support build for wasm [#2663] - @Rohith-Raju
  • docs(config.yaml): fix wrong severity levels for sinsp logger [#2736] - @Andreagit97
  • update(cmake): bump libs and driver to 0.12.0 [#2721] - @jasondellaluce

Bug Fixes

  • fix(outputs): expose queue_capacity_outputs config for memory control [#2711] - @incertum
  • fix(userspace/falco): cleanup metrics timer upon leaving. [#2759] - @FedeDP
  • fix: restore Falco MINIMAL_BUILD and deprecate userspace option [#2761] - @Andreagit97
  • fix(userspace/engine): support appending to unknown sources [#2753] - @jasondellaluce

Statistics

Merged PRs        Number
Not user-facing   48
Release note      38
Total             86

Release Manager @LucaGuerra


Version 0.36.0-rc3

Download

Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images
docker pull docker.io/falcosecurity/falco:0.36.0-rc3
docker pull public.ecr.aws/falcosecurity/falco:0.36.0-rc3
docker pull docker.io/falcosecurity/falco-driver-loader:0.36.0-rc3
docker pull docker.io/falcosecurity/falco-no-driver:0.36.0-rc3
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.36.0-rc3
docker pull docker.io/falcosecurity/falco-distroless:0.36.0-rc3

Release Candidate for Falco 0.36.0. To see what's included, check the corresponding milestone: https://github.com/falcosecurity/falco/milestone/30


Version 0.36.0-rc2

Download

Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images
docker pull docker.io/falcosecurity/falco:0.36.0-rc2
docker pull public.ecr.aws/falcosecurity/falco:0.36.0-rc2
docker pull docker.io/falcosecurity/falco-driver-loader:0.36.0-rc2
docker pull docker.io/falcosecurity/falco-no-driver:0.36.0-rc2

Second Release Candidate for Falco 0.36.0. To see what's included, check the corresponding milestone: https://github.com/falcosecurity/falco/milestone/30


Version 0.36.0-rc1

First Release Candidate for Falco 0.36.0. To see what's included, check the corresponding milestone: https://github.com/falcosecurity/falco/milestone/30

Version 0.35.1

Download

Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images
docker pull docker.io/falcosecurity/falco:0.35.1
docker pull public.ecr.aws/falcosecurity/falco:0.35.1
docker pull docker.io/falcosecurity/falco-driver-loader:0.35.1
docker pull docker.io/falcosecurity/falco-no-driver:0.35.1

Bug Fixes

  • fix(scripts): fixed falco-driver-loader to manage debian kernel rt and cloud flavors. [#2627] - @FedeDP
  • fix(userspace/falco): solve live multi-source issues when loading more than two sources [#2653] - @jasondellaluce
  • fix(driver-loader): fix ubuntu kernel version parsing [#2635] - @therealbobo
  • fix(userspace): switch to timer_settime API for stats writer. [#2646] - @FedeDP

Non user-facing changes

  • CI: bump ubuntu version for tests-driver-loader-integration job [#2661] - @Andreagit97

Release Manager @jasondellaluce


Version 0.35.0

Download

Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images
docker pull docker.io/falcosecurity/falco:0.35.0
docker pull public.ecr.aws/falcosecurity/falco:0.35.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.35.0
docker pull docker.io/falcosecurity/falco-no-driver:0.35.0

Major Changes

  • BREAKING CHANGE: support for metadata enrichment from Mesos has been removed. [#2465] - @leogr
  • new(falco): introduce new metrics w/ Falco internal: metrics snapshot option and new metrics config [#2333] - @incertum
  • new(scripts): properly manage talos prebuilt drivers [#2537] - @FedeDP
  • new(release): released container images are now signed with cosign [#2546] - @LucaGuerra
  • new(ci): ported master and release artifacts publishing CI to gha [#2501] - @FedeDP
  • new(app_actions): introduce base_syscalls user option [#2428] - @incertum
  • new(falco/config): add new configurations for http_output that allow custom CA certificates and stores. [#2458] - @alacuku
  • new(cmake): bumped libs to c8b0d6a8fdc1bb3ea9067bc2fdc3ae5858cff48f [#2456] - @FedeDP
  • new(userspace): add a new syscall_drop_failed config option to drop failed syscalls exit events [#2456] - @FedeDP

Minor Changes

  • update(cmake): bump Falco rules to 1.0.0 [#2618] - @loresuso
  • update(cmake): bump libs to 0.11.1 [#2614] - @loresuso
  • update(cmake): bump plugins to latest versions [#2610] - @loresuso
  • update(cmake): bump falco rules to 1.0.0-rc1 [#2609] - @loresuso
  • update(cmake): bump libs to 0.11.0 [#2608] - @loresuso
  • cleanup(docs): update release.md [#2599] - @incertum
  • update(cmake): bump libs to 0.11.0-rc5 and driver to 5.0.1. [#2600] - @FedeDP
  • cleanup(docs): adjust falco readme style and content [#2594] - @incertum
  • cleanup(userspace, config): improve metrics UX, add include_empty_values option [#2593] - @incertum
  • feat: add the curl and jq packages to the falco-no-driver docker image [#2581] - @therealdwright
  • update: add missing exception, required_engine_version, required_plugin_version to -L json output [#2584] - @loresuso
  • feat: add image source OCI label to docker images [#2592] - @therealdwright
  • cleanup(config): improve falco config [#2571] - @incertum
  • update(cmake): bump libs and plugins to latest dev versions [#2586] - @jasondellaluce
  • chore(userspace/falco): always print invalid syscalls from custom set [#2578] - @jasondellaluce
  • update(build): upgrade falcoctl to 0.5.0 [#2572] - @LucaGuerra
  • chore(userspace/falco/app): print all supported plugin caps [#2564] - @jasondellaluce
  • update: get rules details with -l or -L flags when json output format is specified [#2544] - @loresuso
  • update!: bump libs version, and support latest plugin features, add --nodriver option [#2552] - @jasondellaluce
  • cleanup(actions): now modern bpf support -A flag [#2551] - @Andreagit97
  • update: falco-driver-loader now uses $TMPDIR if set [#2518] - @jabdr
  • update: improve control and UX of ignored events [#2509] - @jasondellaluce
  • update: bump libs and adapt Falco to new libsinsp event source management [#2507] - @jasondellaluce
  • new(app_actions)!: adjust base_syscalls option, add base_syscalls.repair [#2457] - @incertum
  • update(scripts): support al2022 and al2023 in falco-driver-loader. [#2494] - @FedeDP
  • update: sync libs with newest event name APIs [#2471] - @jasondellaluce
  • update!: remove --mesos-api, -pmesos, and -pm command-line flags [#2465] - @leogr
  • cleanup(unit_tests): try making test_configure_interesting_sets more robust [#2464] - @incertum

Bug Fixes

  • fix: unquote quoted URL's to avoid libcurl errors [#2596] - @therealdwright
  • fix(userspace/engine): store alternatives as array in -L json output [#2597] - @loresuso
  • fix(userspace/engine): store required engine version as string in -L json output [#2595] - @loresuso
  • fix(userspace/falco): report plugin deps rules issues in any case [#2589] - @jasondellaluce
  • fix(userspace): hotreload on wrong metrics [#2582] - @therealbobo
  • fix(userspace): check the supported number of online CPUs with modern bpf [#2575] - @Andreagit97
  • fix(userspace/falco): don't hang on terminating error when multi sourcing [#2576] - @jasondellaluce
  • fix(userspace/falco): properly format numeric values in metrics [#2569] - @jasondellaluce
  • fix(scripts): properly support debian kernel releases embedded in kernel version [#2377] - @FedeDP

Release Manager @FedeDP


Version 0.35.0-rc2

Release Candidate for Falco 0.35.0

Version 0.35.0-rc1

Release Candidate for Falco 0.35.0

Version 0.35.0-alpha5

This is a test for the release pipeline.

Version 0.35.0-alpha4

This is a test for the release pipeline.

Version 0.35.0-alpha3

This is a test for the release pipeline.

Version 0.35.0-alpha2

This is a test for the release pipeline.

Version 0.35.0-alpha1

This is a test for the release pipeline.

Version 0.34.1

Download

Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images
docker pull docker.io/falcosecurity/falco:0.34.1
docker pull public.ecr.aws/falcosecurity/falco:0.34.1
docker pull docker.io/falcosecurity/falco-driver-loader:0.34.1
docker pull docker.io/falcosecurity/falco-no-driver:0.34.1
docker pull docker.io/falcosecurity/falcoctl:0.4.0

Minor Changes

  • fix(userspace/engine): correctly bump FALCO_ENGINE_VERSION after introduction of new fields [#2418] - @loresuso

Statistics

Merged PRs        Number
Not user-facing   1
Release note      1
Total             2

Release Manager @alacuku


Version 0.34.0

Download

Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images
docker pull docker.io/falcosecurity/falco:0.34.0
docker pull public.ecr.aws/falcosecurity/falco:0.34.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.34.0
docker pull docker.io/falcosecurity/falco-no-driver:0.34.0
docker pull docker.io/falcosecurity/falcoctl:0.4.0

Major Changes

  • BREAKING CHANGE: if you relied upon application_rules.yaml you can download it from https://github.com/falcosecurity/rules/tree/main/rules and manually install it. [#2389] - @leogr
  • new(rules): New rule to detect attempts to inject code into a process using PTRACE [#2226] - @Brucedh
  • new(engine): Also include exact locations for rule condition compile errors (missing macros, etc). [#2216] - @mstemm
  • new(scripts): Support older RHEL distros in falco-driver-loader script [#2312] - @gentooise
  • new(scripts): add falcoctl config into Falco package [#2390] - @Andreagit97
  • new(userspace/falco): [EXPERIMENTAL] allow modern bpf probe to assign more than one CPU to a single ring buffer [#2363] - @Andreagit97
  • new(userspace/falco): add webserver endpoint for retrieving internal version numbers [#2356] - @jasondellaluce
  • new(falco): add --version-json to print version information in json format [#2331] - @LucaGuerra
  • new(scripts): support multiple drivers in systemd units [#2242] - @FedeDP
  • new(scripts): add bottlerocket support in falco-driver-loader [#2318] - @FedeDP
  • new(falco): add more version fields to --support and --version [#2325] - @LucaGuerra
  • new(config): explicitly add the simulate_drops config [#2260] - @Andreagit97

Minor Changes

  • build: upgrade to falcoctl v0.4.0 [#2406] - @loresuso
  • update(userspace): change modern_bpf.cpus_for_each_syscall_buffer default value [#2404] - @Andreagit97
  • update(build): update falcoctl to 0.3.0 [#2401] - @LucaGuerra
  • update(build): update falcoctl to 0.3.0-rc7 [#2396] - @LucaGuerra
  • update(cmake): bump libs to 0.10.3 [#2392] - @FedeDP
  • build: /etc/falco/rules.available has been deprecated [#2389] - @leogr
  • build: application_rules.yaml is not shipped anymore with Falco [#2389] - @leogr
  • build: upgrade k8saudit plugin to v0.5.0 [#2381] - @leogr
  • build: upgrade cloudtrail plugin to v0.6.0 [#2381] - @leogr
  • new!: ship falcoctl inside Falco [#2345] - @FedeDP
  • refactor: remove rules and add submodule to falcosecurity/rules [#2359] - @jasondellaluce
  • update(scripts): add option for regenerating signatures of all dev and release packages [#2364] - @jasondellaluce
  • update: print JSON version output when json_output is enabled [#2351] - @jasondellaluce
  • update(cmake): updated libs to 0.10.1 tag. [#2362] - @FedeDP
  • Install the certificates of authorities in falco:no-driver docker image [#2355] - @Issif
  • update: Mesos support is now deprecated and will be removed in the next version. [#2328] - @leogr
  • update(scripts/falco-driver-loader): optimize the resiliency of module download script for air-gapped environments [#2336] - @Dentrax
  • doc(userspace): provide users with a correct message when some syscalls are not defined [#2329] - @Andreagit97
  • update(ci): update ci jobs to generate Falco images with the modern BPF probe [#2320] - @Andreagit97
  • rules: add Falco container lists [#2290] - @oscr
  • rules(macro: private_key_or_password): now also check for OpenSSH private keys [#2284] - @oscr
  • update(cmake): bump libs and driver to latest RC. [#2302] - @FedeDP
  • Ensure that a ruleset object is copied properly in falco_engine::add_source(). [#2271] - @mstemm
  • update(userspace/falco): enable using zlib with webserver [#2125] - @jasondellaluce
  • update(falco): add container-gvisor and kubernetes-gvisor print options [#2288] - @LucaGuerra
  • cleanup: always use bundled libz and libelf in BUNDLED_DEPS mode. [#2277] - @FedeDP
  • update: updated libs and driver to version dd443b67c6b04464cb8ee2771af8ada8777e7fac [#2277] - @FedeDP
  • update(falco.yaml): open_params under plugins configuration is now trimmed from surrounding whitespace [#2267] - @yardenshoham

Bug Fixes

  • fix(engine): Avoid crash related to caching syscall source when the falco engine uses multiple sources at the same time. [#2272] - @mstemm
  • fix(scripts): use falco-driver-loader only into install scripts [#2391] - @Andreagit97
  • fix(userspace/falco): fix grpc server shutdown [#2350] - @FedeDP
  • fix(docker/falco): trust latest GPG key [#2365] - @jasondellaluce
  • fix(userspace/engine): improve rule loading validation results [#2344] - @jasondellaluce
  • fix: graceful error handling for macros/lists reference loops [#2311] - @jasondellaluce

Rule Changes

  • rules(tagging): enhanced rules tagging for inventory / threat modeling [#2167] - @incertum
  • rule(Outbound Connection to C2 Server): Update the "Outbound connection to C2 server" rule to match both FQDN and IP addresses. Prior to this change, the rule only matched IP addresses and not FQDN. [#2241] - @Nicolas-Peiffer
  • rule(Execution from /dev/shm): new rule to detect execution from /dev/shm [#2225] - @AlbertoPellitteri
  • rule(Find AWS Credentials): new rule to detect executions looking for AWS credentials [#2224] - @AlbertoPellitteri
  • rule(Linux Kernel Module Injection Detected): improve insmod detection within container using CAP_SYS_MODULE [#2305] - @loresuso
  • rule(Read sensitive file untrusted): let salt-call read sensitive files [#2291] - @vin01
  • rule(macro: rpm_procs): let salt-call write to rpm database [#2291] - @vin01

Non user-facing changes

  • fix(ci): fix rpm sign job dependencies [#2324] - @cappellinsamuele
  • chore(userspace): add njson lib as a dependency for falco_engine [#2316] - @Andreagit97
  • fix(scripts): force rpm postinstall script to always show dialog, even on upgrade [#2405] - @FedeDP
  • fix(scripts): fixed falcoctl config install dir. [#2399] - @FedeDP
  • fix(scripts): make /usr writable [#2398] - @therealbobo
  • fix(scripts): driver loader insmod [#2388] - @FedeDP
  • update(systemd): solve some issues with systemd unit [#2385] - @Andreagit97
  • build(cmake): upgrade falcoctl to v0.3.0-rc6 [#2383] - @leogr
  • docs(.github): rules are no longer in this repo [#2382] - @leogr
  • update(CI): mitigate frequent failure in CircleCI jobs [#2375] - @Andreagit97
  • fix(userspace): use the right path for the cpus_for_each_syscall_buffer config [#2378] - @Andreagit97
  • fix(scripts): fixed incorrect bash var expansion [#2367] - @therealbobo
  • update(CI): upgrade toolchain in modern falco builder dockerfile [#2337] - @Andreagit97
  • cleanup(ci): move static analysis job from circle CI to GHA [#2332] - @Andreagit97
  • update(falco): update cpp-httplib to 0.11.3 [#2327] - @LucaGuerra
  • update(script): makes user able to pass custom option to driver-loade… [#1901] - @andreabonanno
  • cleanup(ci): remove some unused jobs and remove some falco-builder reference where possible [#2322] - @Andreagit97
  • docs(proposal): new artifacts distribution proposal [#2304] - @leogr
  • fix(cmake): properly fetch dev version by appending latest Falco tag, delta between master and tag, and hash [#2292] - @FedeDP
  • chore(deps): Bump certifi from 2020.4.5.1 to 2022.12.7 in /test [#2313] - @dependabot[bot]
  • chore: remove string view lite [#2307] - @leogr
  • new(CHANGELOG): add entry for 0.33.1 (in master branch this time) [#2303] - @LucaGuerra
  • update(docs): add overview and versioning sections to falco release.md [#2205] - @incertum
  • Add Xenit AB to adopters [#2285] - @NissesSenap
  • fix(userspace/falco): verify engine fields only for syscalls [#2281] - @jasondellaluce
  • fix(output): do not print syscall_buffer_size when gvisor is enabled [#2283] - @alacuku
  • fix(engine): fix warning about redundant std::move [#2286] - @LucaGuerra
  • fix(scripts): force falco-driver-loader script to try to compile the driver anyway even on unsupported platforms [#2219] - @FedeDP
  • fix(ci): fixed version bucket for release jobs. [#2266] - @FedeDP
  • fix(cmake): fixed tag fetching fallback (that is indeed needed) [#2409] - @FedeDP

Statistics

Merged PRs        Number
Not user-facing   30
Release note      53
Total             83

Release Manager @LucaGuerra


Version 0.33.1

Download

Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images
docker pull docker.io/falcosecurity/falco:0.33.1
docker pull public.ecr.aws/falcosecurity/falco:0.33.1
docker pull docker.io/falcosecurity/falco-driver-loader:0.33.1
docker pull docker.io/falcosecurity/falco-no-driver:0.33.1

Minor Changes

  • update(falco): fix container-gvisor and kubernetes-gvisor print options [#2288]
  • Update libs to 0.9.2, fixing potential CLBO on gVisor+Kubernetes and crash with eBPF when some CPUs are offline [#2299] - @LucaGuerra

Statistics

Merged PRs        Number
Not user-facing   1
Release note      2
Total             3

Release Manager @LucaGuerra


Version 0.33.0

Download

Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images
docker pull docker.io/falcosecurity/falco:0.33.0
docker pull public.ecr.aws/falcosecurity/falco:0.33.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.33.0
docker pull docker.io/falcosecurity/falco-no-driver:0.33.0

Major Changes

  • new: add a drop_pct referred to the global number of events [#2130] - @Andreagit97
  • new: print some info about eBPF and enabled sources when Falco starts [#2133] - @Andreagit97
  • new(userspace): print architecture information [#2147] - @Andreagit97
  • new(CI): add CodeQL security scanning to Falco. [#2171] - @Andreagit97
  • new: configure syscall buffer dimension from Falco [#2214] - @Andreagit97
  • new(cmdline): add development support for modern BPF probe [#2221] - @Andreagit97
  • new(falco-driver-loader): DRIVERS_REPO now supports the use of multiple download URLs (comma separated) [#2165] - @IanRobertson-wpe
  • new(userspace/engine): support alternative plugin version requirements in checks [#2190] - @jasondellaluce
  • new: support running multiple event sources in parallel [#2182] - @jasondellaluce
  • new(userspace/falco): automatically create paths for grpc unix socket and gvisor endpoint. [#2189] - @FedeDP
  • new(scripts): allow falco-driver-loader to properly distinguish any ubuntu flavor [#2178] - @FedeDP
  • new: add option to enable event sources selectively [#2085] - @jasondellaluce

Minor Changes

  • docs(falco-driver-loader): add some comments in falco-driver-loader [#2153] - @Andreagit97
  • update(cmake): use latest libs tag 0.9.0 [#2257] - @Andreagit97
  • update(.circleci): re-enabled cppcheck [#2186] - @leogr
  • update(userspace/engine): improve falco files loading performance [#2151] - @VadimZy
  • update(cmake): use latest driver tag 3.0.1+driver [#2251] - @Andreagit97
  • update(userspace/falco)!: adapt stats writer for multiple parallel event sources [#2182] - @jasondellaluce
  • refactor(userspace/engine): remove falco engine APIs that returned a required_engine_version [#2096] - @mstemm
  • update(userspace/engine): add some small changes to rules matching that reduce cpu usage with high event volumes (> 1M syscalls/sec) [#2210] - @mstemm
  • rules: added process IDs to default rules [#2211] - @spyder-kyle
  • update(scripts/debian): falco.service systemd unit is now cleaned-up during (re)install and removal via the DEB and RPM packages [#2138] - @Happy-Dude
  • update(userspace/falco): move on from deprecated libs API for printing event list [#2253] - @jasondellaluce
  • chore(userspace/falco): improve cli helper and log options with debug level [#2252] - @jasondellaluce
  • update(userspace): minor pre-release improvements [#2236] - @jasondellaluce
  • update: bumped libs to fd46dd139a8e35692a7d40ab2f0ed2016df827cf. [#2201] - @FedeDP
  • update!: gVisor sock default path changed from /tmp/gvisor.sock to /run/falco/gvisor.sock [#2163] - @vjjmiras
  • update!: gRPC server sock default path changed from /run/falco.sock.sock to /run/falco/falco.sock [#2163] - @vjjmiras
  • update(scripts/falco-driver-loader): minikube environment is now correctly detected [#2191] - @alacuku
  • update(rules/falco_rules.yaml): required_engine_version changed to 13 [#2179] - @incertum
  • refactor(userspace/falco): re-design stats writer and make it thread-safe [#2109] - @jasondellaluce
  • refactor(userspace/falco): make signal handlers thread safe [#2091] - @jasondellaluce
  • refactor(userspace/engine): strengthen and document thread-safety guarantees of falco_engine::process_event [#2082] - @jasondellaluce
  • update(userspace/falco): make webserver threadiness configurable [#2090] - @jasondellaluce
  • refactor(userspace/falco): reduce app actions dependency on app state and inspector [#2097] - @jasondellaluce
  • update(userspace/falco): use move semantics in falco logger [#2095] - @jasondellaluce
  • update: use FALCO_HOSTNAME env var to override the hostname value [#2174] - @leogr
  • update: bump libs and driver versions to 6599e2efebce30a95f27739d655d53f0d5f686e4 [#2177] - @jasondellaluce
  • refactor(userspace/falco): make output rate limiter optional and output engine explicitly thread-safe [#2139] - @jasondellaluce
  • update(falco.yaml)!: notification rate limiter disabled by default. [#2139] - @jasondellaluce

Bug Fixes

Rule Changes

  • rule(macro: known_gke_mount_in_privileged_containers): add new macro [#2198] - @hi120ki
  • rule(Mount Launched in Privileged Container): add GKE default pod into allowlist in Mount Launched of Privileged Container rule [#2198] - @hi120ki
  • rule(list: known_binaries_to_read_environment_variables_from_proc_files): add new list [#2193] - @hi120ki
  • rule(Read environment variable from /proc files): add rule to detect an attempt to read process environment variables from /proc files [#2193] - @hi120ki
  • rule(macro: k8s_containers): add falco no-driver images [#2234] - @jasondellaluce
  • rule(macro: open_file_failed): add new macro [#2118] - @incertum
  • rule(macro: directory_traversal): add new macro [#2118] - @incertum
  • rule(Directory traversal monitored file read): add new rule [#2118] - @incertum
  • rule(Modify Container Entrypoint): new rule created to detect CVE-2019-5736 [#2188] - @darryk10
  • rule(Program run with disallowed http proxy env)!: disabled by default [#2179] - @incertum
  • rule(Container Drift Detected (chmod))!: disabled by default [#2179] - @incertum
  • rule(Container Drift Detected (open+create))!: disabled by default [#2179] - @incertum
  • rule(Packet socket created in container)!: removed consider_packet_socket_communication macro [#2179] - @incertum
  • rule(macro: consider_packet_socket_communication)!: remove unused macro [#2179] - @incertum
  • rule(Interpreted procs outbound network activity)!: disabled by default [#2166] - @incertum
  • rule(Interpreted procs inbound network activity)!: disabled by default [#2166] - @incertum
  • rule(Contact cloud metadata service from container)!: disabled by default [#2166] - @incertum
  • rule(macro: consider_interpreted_outbound)!: remove unused macro [#2166] - @incertum
  • rule(macro: consider_interpreted_inbound)!: remove unused macro [#2166] - @incertum
  • rule(macro: consider_metadata_access)!: remove unused macro [#2166] - @incertum
  • rule(Unexpected outbound connection destination)!: disabled by default [#2168] - @incertum
  • rule(Unexpected inbound connection source)!: disabled by default [#2168] - @incertum
  • rule(Read Shell Configuration File)!: disabled by default [#2168] - @incertum
  • rule(Schedule Cron Jobs)!: disabled by default [#2168] - @incertum
  • rule(Launch Suspicious Network Tool on Host)!: disabled by default [#2168] - @incertum
  • rule(Create Hidden Files or Directories)!: disabled by default [#2168] - @incertum
  • rule(Outbound or Inbound Traffic not to Authorized Server Process and Port)!: disabled by default [#2168] - @incertum
  • rule(Network Connection outside Local Subnet)!: disabled by default [#2168] - @incertum
  • rule(macro: consider_all_outbound_conns)!: remove unused macro [#2168] - @incertum
  • rule(macro: consider_all_inbound_conns)!: remove unused macro [#2168] - @incertum
  • rule(macro: consider_shell_config_reads)!: remove unused macro [#2168] - @incertum
  • rule(macro: consider_all_cron_jobs)!: remove unused macro [#2168] - @incertum
  • rule(macro: consider_all_inbound_conns)!: remove unused macro [#2168] - @incertum
  • rule(macro: consider_hidden_file_creation)!: remove unused macro [#2168] - @incertum
  • rule(macro: allowed_port)!: remove unused macro [#2168] - @incertum
  • rule(macro: enabled_rule_network_only_subnet)!: remove unused macro [#2168] - @incertum
  • rule(macro: consider_userfaultfd_activities)!: remove unused macro [#2168] - @incertum
  • rule(macro: consider_all_chmods)!: remove unused macro [#2168] - @incertum
  • rule(Set Setuid or Setgid bit)!: removed consider_all_chmods macro [#2168] - @incertum
  • rule(Container Drift Detected (chmod))!: removed consider_all_chmods macro [#2168] - @incertum
  • rule(Unprivileged Delegation of Page Faults Handling to a Userspace Process)!: removed consider_userfaultfd_activities macro [#2168] - @incertum

Non user-facing changes

Statistics

Merged PRs        Number
Not user-facing   29
Release note      50
Total             79

Release Manager @jasondellaluce


Version 0.32.2

Download

Packages      Download
rpm-x86_64    rpm
deb-x86_64    deb
tgz-x86_64    tgz
rpm-aarch64   rpm
deb-aarch64   deb
tgz-aarch64   tgz
Images
docker pull docker.io/falcosecurity/falco:0.32.2
docker pull public.ecr.aws/falcosecurity/falco:0.32.2
docker pull docker.io/falcosecurity/falco-driver-loader:0.32.2
docker pull docker.io/falcosecurity/falco-no-driver:0.32.2

Bug Fixes

Statistics

Merged PRs        Number
Not user-facing   0
Release note      1
Total             1

Release Manager @Andreagit97


Version 0.32.1

Download

Packages      Download
rpm           rpm
deb           deb
tgz           tgz
rpm-arm64     rpm
deb-arm64     deb
tgz-arm64     tgz
Images
docker pull docker.io/falcosecurity/falco:0.32.1
docker pull public.ecr.aws/falcosecurity/falco:0.32.1
docker pull docker.io/falcosecurity/falco-driver-loader:0.32.1
docker pull docker.io/falcosecurity/falco-no-driver:0.32.1

Major Changes

Minor Changes

  • update(build): Switch from RSA/SHA1 to RSA/SHA256 signature in the RPM package [#2044] - @vjjmiras
  • refactor(userspace/engine): drop macro source field in rules and rule loader [#2094] - @jasondellaluce
  • build: introduce DRIVER_VERSION that allows setting a driver version (which may differ from the falcosecurity/libs version) [#2086] - @leogr
  • update: add more info to --version output [#2086] - @leogr
  • build(scripts): published deb repo now has an InRelease file [#2060] - @FedeDP
  • update(userspace/falco): make plugin init config optional and add --plugin-info CLI option [#2059] - @jasondellaluce
  • update(userspace/falco): support libs logging [#2093] - @jasondellaluce
  • update(falco): update libs to 0.7.0 [#2119] - @LucaGuerra

Bug Fixes

  • fix(userspace/falco): ensure that only rules files named with -V are loaded when validating rules files. [#2088] - @mstemm
  • fix(rules): use exit event in reverse shell detection rule [#2076] - @alacuku
  • fix(scripts): falco-driver-loader script will now look for drivers in driver/${ARCH}/ for x86_64 too. [#2057] - @FedeDP
  • fix(falco-driver-loader): building falco module with DKMS on Flatcar and supporting fetching pre-built module/eBPF probe [#2043] - @jepio

Rule Changes

  • rule(Redirect STDOUT/STDIN to Network Connection in Container): changed priority to NOTICE [#2092] - @leogr
  • rule(Java Process Class Download): detect potential log4shell exploitation [#2041] - @pirxthepilot

Non user-facing changes

  • remove kaizhe from falco rule owner [#2050] - @Kaizhe
  • docs(readme): added arm64 mention + packages + badge. [#2101] - @FedeDP
  • new(circleci): enable integration tests for arm64. [#2099] - @FedeDP
  • chore(cmake): bump plugins versions [#2102] - @Andreagit97
  • fix(docker): fixed deb tester sub image. [#2100] - @FedeDP
  • fix(ci): fix sign script - avoid interpreting '{*}$argv' too soon [#2075] - @vjjmiras
  • fix(tests): make tests run locally (take 2) [#2089] - @LucaGuerra
  • fix(ci): creates ~/sign instead of ./sign [#2072] - @vjjmiras
  • fix(ci): sign arm64 rpm packages. [#2069] - @FedeDP
  • update(falco_scripts): Change Flatcar dynlinker path [#2066] - @jepio
  • fix(scripts): fixed path in publish-deb script. [#2062] - @FedeDP
  • fix(build): docker-container buildx engine does not support retagging images. Tag all images together. [#2058] - @FedeDP
  • fix(build): fixed publish-docker-dev job context. [#2056] - @FedeDP
  • Correct linting issue in rules [#2055] - @stephanmiehe
  • Fix falco compilation issues with new libs [#2053] - @alacuku
  • fix(scripts): forcefully create packages dir for debian packages. [#2054] - @FedeDP
  • fix(build): removed leftover line in circleci config. [#2052] - @FedeDP
  • fix(build): fixed circleCI artifacts publish for arm64. [#2051] - @FedeDP
  • update(docker): updated falco-builder to fix multiarch support. [#2049] - @FedeDP
  • fix(build): use apt instead of apk when installing deps for aws ecr publish [#2047] - @FedeDP
  • fix(build): try to use root user for cimg/base [#2045] - @FedeDP
  • update(build): avoid double build of docker images when pushing to aws ecr [#2046] - @FedeDP
  • chore(k8s_audit_plugin): bump k8s audit plugin version [#2042] - @Andreagit97
  • fix(tests): make run_regression_tests.sh work locally [#2020] - @LucaGuerra
  • Circle CI build job for ARM64 [#1997] - @odidev

Statistics

Merged PRs        Number
Not user-facing   25
Release note      16
Total             41

Release Manager @LucaGuerra


Version 0.32.0

Download

Packages      Download
rpm           rpm
deb           deb
tgz           tgz
Images
docker pull docker.io/falcosecurity/falco:0.32.0
docker pull public.ecr.aws/falcosecurity/falco:0.32.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.32.0
docker pull docker.io/falcosecurity/falco-no-driver:0.32.0

Major Changes

  • new: added new watch_config_files config option, to trigger a Falco restart whenever a change is detected in the rules or config files [#1991] - @FedeDP
  • new(rules): add rule to detect excessively capable container [#1963] - @loresuso
  • new(rules): add rules to detect pods sharing host pid and IPC namespaces [#1951] - @loresuso
  • new(image): add Falco image based on RedHat UBI [#1943] - @araujof
  • new(falco): add --markdown and --list-syscall-events [#1939] - @LucaGuerra

Minor Changes

  • update(build): updated plugins to latest versions. [#2033] - @FedeDP
  • refactor(userspace/falco): split the currently monolithic falco_init into smaller "actions", managed by the falco application's action manager. [#1953] - @mstemm
  • rules: out of the box ruleset for OKTA Falco Plugin [#1955] - @darryk10
  • update(build): updated libs to 39ae7d40496793cf3d3e7890c9bbdc202263836b [#2031] - @FedeDP
  • update!: moving out plugins ruleset files [#1995] - @leogr
  • update: added hostname as a field in JSON output [#1989] - @Milkshak3s
  • refactor!: remove K8S audit logs from Falco [#1952] - @jasondellaluce
  • refactor(userspace/engine): use supported_operators helper from libsinsp filter parser [#1975] - @jasondellaluce
  • refactor!: deprecate PSP regression tests and warn for unsafe usage of in k8s audit filters [#1976] - @jasondellaluce
  • build(cmake): upgrade catch2 to 2.13.9 [#1977] - @leogr
  • refactor(userspace/engine): reduce memory usage for resolving evttypes [#1965] - @jasondellaluce
  • refactor(userspace/engine): remove Lua from Falco and re-implement the rule loader [#1966] - @jasondellaluce
  • refactor(userspace/engine): decoupling ruleset reading, parsing, and compilation steps [#1970] - @jasondellaluce
  • refactor: update definitions of falco_common [#1967] - @jasondellaluce
  • update: improved Falco engine event processing performance [#1944] - @deepskyblue86
  • refactor(userspace/engine): use libsinsp filter parser and compiler inside rule loader [#1947] - @jasondellaluce

Bug Fixes

  • fix(userspace/engine): skip rules with unknown sources that also have exceptions, and skip macros with unknown sources. [#1920] - @mstemm
  • fix(userspace/falco): enable k8s and mesos clients only when syscall source is enabled [#2019] - @jasondellaluce

Rule Changes

  • rule(Launch Excessively Capable Container): fix typo in description [#1996] - @mmonitz
  • rule(macro: known_shell_spawn_cmdlines): add sh -c /usr/share/lighttpd/create-mime.conf.pl to macro [#1996] - @mmonitz
  • rule(macro net_miner_pool): additional syscall for detection [#2011] - @beryxz
  • rule(macro truncate_shell_history): include .ash_history [#1956] - @bdashrad
  • rule(macro modify_shell_history): include .ash_history [#1956] - @bdashrad
  • rule(Detect release_agent File Container Escapes): new rule created to detect an attempt to exploit a container escape using release_agent file [#1969] - @darryk10
  • rule(k8s: secret): detect get attempts for both successful and unsuccessful attempts [#1949] - @Dentrax
  • rule(K8s Serviceaccount Created/Deleted): Fixed output for the rules [#1973] - @darryk10
  • rule(Disallowed K8s User): exclude allowed EKS users [#1960] - @darryk10
  • rule(Launch Ingress Remote File Copy Tools in Container): Removed use cases not triggering the rule [#1968] - @darryk10
  • rule(Mount Launched in Privileged Container): added allowlist macro user_known_mount_in_privileged_containers. [#1930] - @mmoyerfigma
  • rule(macro user_known_shell_config_modifiers): allow allowlisting shell config modifiers [#1938] - @claudio-vellage

Non user-facing changes

  • new: update plugins [#2023] - @FedeDP
  • update(build): updated libs version for Falco 0.32.0 release. [#2022] - @FedeDP
  • update(build): updated libs to 1be924900a09cf2e4db4b4ae13d03d838959f350 [#2024] - @FedeDP
  • chore(userspace/falco): do not print error code in process_events.cpp [#2030] - @alacuku
  • fix(falco-scripts): remove driver versions with dkms-3.0.3 [#2027] - @Andreagit97
  • chore(userspace/falco): fix punctuation typo in output message when loading plugins [#2026] - @alacuku
  • refactor(userspace): change falco engine design to properly support multiple sources [#2017] - @jasondellaluce
  • update(userspace/falco): improve falco termination [#2012] - @Andreagit97
  • update(userspace/engine): introduce new check_plugin_requirements API [#2009] - @Andreagit97
  • fix(userspace/engine): improve rule loader source checks [#2010] - @Andreagit97
  • fix: split filterchecks per source-idx [#1999] - @FedeDP
  • new: port CI builds to github actions [#2000] - @FedeDP
  • build(userspace/engine): cleanup unused include dir [#1987] - @leogr
  • rule(Anonymous Request Allowed): exclude {/livez, /readyz} [#1954] - @sledigabel
  • chore(falco_scripts): Update falco-driver-loader cleaning phase [#1950] - @Andreagit97
  • new(userspace/falco): use new plugin caps API [#1982] - @FedeDP
  • build: correct conffiles for DEB packages [#1980] - @leogr
  • Fix exception parsing regressions [#1985] - @mstemm
  • Add codespell GitHub Action [#1962] - @invidian
  • build: components opt-in mechanism for packages [#1979] - @leogr
  • add gVisor to ADOPTERS.md [#1974] - @kevinGC
  • rules: whitelist GCP's container threat detection image [#1959] - @clmssz
  • Fix some typos [#1961] - @invidian
  • chore(rules): remove leftover [#1958] - @leogr
  • docs: readme update and plugins [#1940] - @leogr

Statistics

Merged PRs        Number
Not user-facing   27
Release note      34
Total             61

Release Manager @FedeDP

Last modified Oct 10, 2023: fix(content): fix more index.md (3fd448a)