Changelog

Download

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Major Changes

• BREAKING CHANGE: if you relied upon application_rules.yaml you can download it from https://github.com/falcosecurity/rules/tree/main/rules and manually install it. [#2389] - @leogr
• new(rules): New rule to detect attempts to inject code into a process using PTRACE [#2226] - @Brucedh
• new(engine): Also include exact locations for rule condition compile errors (missing macros, etc). [#2216] - @mstemm
• new(scripts): Support older RHEL distros in falco-driver-loader script [#2312] - @gentooise
• new(scripts): add falcoctl config into Falco package [#2390] - @Andreagit97
• new(userspace/falco): [EXPERIMENTAL] allow modern bpf probe to assign more than one CPU to a single ring buffer [#2363] - @Andreagit97
• new(userspace/falco): add webserver endpoint for retrieving internal version numbers [#2356] - @jasondellaluce
• new(falco): add --version-json to print version information in json format [#2331] - @LucaGuerra
• new(scripts): support multiple drivers in systemd units [#2242] - @FedeDP
• new(scripts): add bottlerocket support in falco-driver-loader [#2318] - @FedeDP
• new(falco): add more version fields to --support and --version [#2325] - @LucaGuerra
• new(config): explicitly add the simulate_drops config [#2260] - @Andreagit97

Minor Changes

• build: upgrade to falcoctl v0.4.0 [#2406] - @loresuso
• update(userspace): change modern_bpf.cpus_for_each_syscall_buffer default value [#2404] - @Andreagit97
• update(build): update falcoctl to 0.3.0 [#2401] - @LucaGuerra
• update(build): update falcoctl to 0.3.0-rc7 [#2396] - @LucaGuerra
• update(cmake): bump libs to 0.10.3 [#2392] - @FedeDP
• build: /etc/falco/rules.available has been deprecated [#2389] - @leogr
• build: application_rules.yaml is not shipped anymore with Falco [#2389] - @leogr
• build: upgrade k8saudit plugin to v0.5.0 [#2381] - @leogr
• build: upgrade cloudtrail plugin to v0.6.0 [#2381] - @leogr
• new!: ship falcoctl inside Falco [#2345] - @FedeDP
• refactor: remove rules and add submodule to falcosecurity/rules [#2359] - @jasondellaluce
• update(scripts): add option for regenerating signatures of all dev and release packages [#2364] - @jasondellaluce
• update: print JSON version output when json_output is enabled [#2351] - @jasondellaluce
• update(cmake): updated libs to 0.10.1 tag. [#2362] - @FedeDP
• Install the certificates of authorities in falco:no-driver docker image [#2355] - @Issif
• update: Mesos support is now deprecated and will be removed in the next version. [#2328] - @leogr
• update(scripts/falco-driver-loader): optimize the resiliency of module download script for air-gapped environments [#2336] - @Dentrax
• doc(userspace): provide users with a correct message when some syscalls are not defined [#2329] - @Andreagit97
• update(ci): update ci jobs to generate Falco images with the modern BPF probe [#2320] - @Andreagit97
• rules: add Falco container lists [#2290] - @oscr
• rules(macro: private_key_or_password): now also check for OpenSSH private keys [#2284] - @oscr
• update(cmake): bump libs and driver to latest RC. [#2302] - @FedeDP
• Ensure that a ruleset object is copied properly in falco_engine::add_source(). [#2271] - @mstemm
• update(userspace/falco): enable using zlib with webserver [#2125] - @jasondellaluce
• update(falco): add container-gvisor and kubernetes-gvisor print options [#2288] - @LucaGuerra
• cleanup: always use bundled libz and libelf in BUNDLED_DEPS mode. [#2277] - @FedeDP
• update: updated libs and driver to version dd443b67c6b04464cb8ee2771af8ada8777e7fac [#2277] - @FedeDP
• update(falco.yaml): open_params under plugins configuration is now trimmed from surrounding whitespace [#2267] - @yardenshoham

Bug Fixes

• fix(engine): Avoid crash related to caching syscall source when the falco engine uses multiple sources at the same time. [#2272] - @mstemm
• fix(scripts): use falco-driver-loader only into install scripts [#2391] - @Andreagit97
• fix(userspace/falco): fix grpc server shutdown [#2350] - @FedeDP
• fix(docker/falco): trust latest GPG key [#2365] - @jasondellaluce
• fix(userspace/engine): improve rule loading validation results [#2344] - @jasondellaluce
• fix: graceful error handling for macros/lists reference loops [#2311] - @jasondellaluce

Rule Changes

• rules(tagging): enhanced rules tagging for inventory / threat modeling [#2167] - @incertum
• rule(Outbound Connection to C2 Server): Update the "Outbound connection to C2 server" rule to match both FQDN and IP addresses. Prior to this change, the rule only matched IP addresses and not FQDN. [#2241] - @Nicolas-Peiffer
• rule(Execution from /dev/shm): new rule to detect execution from /dev/shm [#2225] - @AlbertoPellitteri
• rule(Find AWS Credentials): new rule to detect executions looking for AWS credentials [#2224] - @AlbertoPellitteri
• rule(Linux Kernel Module Injection Detected): improve insmod detection within container using CAP_SYS_MODULE [#2305] - @loresuso
• rule(Read sensitive file untrusted): let salt-call read sensitive files [#2291] - @vin01
• rule(macro: rpm_procs): let salt-call write to rpm database [#2291] - @vin01

Non user-facing changes

• fix(ci): fix rpm sign job dependencies [#2324] - @cappellinsamuele
• chore(userspace): add njson lib as a dependency for falco_engine [#2316] - @Andreagit97
• fix(scripts): force rpm postinstall script to always show dialog, even on upgrade [#2405] - @FedeDP
• fix(scripts): fixed falcoctl config install dir. [#2399] - @FedeDP
• fix(scripts): make /usr writable [#2398] - @therealbobo
• fix(scripts): driver loader insmod [#2388] - @FedeDP
• update(systemd): solve some issues with systemd unit [#2385] - @Andreagit97
• build(cmake): upgrade falcoctl to v0.3.0-rc6 [#2383] - @leogr
• docs(.github): rules are no longer in this repo [#2382] - @leogr
• update(CI): mitigate frequent failure in CircleCI jobs [#2375] - @Andreagit97
• fix(userspace): use the right path for the cpus_for_each_syscall_buffer config [#2378] - @Andreagit97
• fix(scripts): fixed incorrect bash var expansion [#2367] - @therealbobo
• update(CI): upgrade toolchain in modern falco builder dockerfile [#2337] - @Andreagit97
• cleanup(ci): move static analysis job from circle CI to GHA [#2332] - @Andreagit97
• update(falco): update cpp-httplib to 0.11.3 [#2327] - @LucaGuerra
• update(script): makes user able to pass custom option to driver-loade… [#1901] - @andreabonanno
• cleanup(ci): remove some unused jobs and remove some falco-builder reference where possible [#2322] - @Andreagit97
• docs(proposal): new artifacts distribution proposal [#2304] - @leogr
• fix(cmake): properly fetch dev version by appending latest Falco tag, delta between master and tag, and hash [#2292] - @FedeDP
• chore(deps): Bump certifi from 2020.4.5.1 to 2022.12.7 in /test [#2313] - @dependabot[bot]
• chore: remove string view lite [#2307] - @leogr
• new(CHANGELOG): add entry for 0.33.1 (in master branch this time) [#2303] - @LucaGuerra
• update(docs): add overview and versioning sections to falco release.md [#2205] - @incertum
• Add Xenit AB to adopters [#2285] - @NissesSenap
• fix(userspace/falco): verify engine fields only for syscalls [#2281] - @jasondellaluce
• fix(output): do not print syscall_buffer_size when gvisor is enabled [#2283] - @alacuku
• fix(engine): fix warning about redundant std::move [#2286] - @LucaGuerra
• fix(scripts): force falco-driver-loader script to try to compile the driver anyway even on unsupported platforms [#2219] - @FedeDP
• fix(ci): fixed version bucket for release jobs. [#2266] - @FedeDP
• fix(cmake): fixed tag fetching fallback (that is indeed needed) [#2409] - @FedeDP

Statistics

Release Manager

@LucaGuerra

Download

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Minor Changes

• update(falco): fix container-gvisor and kubernetes-gvisor print options [#2288]
• Update libs to 0.9.2, fixing potential CLBO on gVisor+Kubernetes and crash with eBPF when some CPUs are offline [#2299] - @LucaGuerra

Statistics

Release Manager

@LucaGuerra

Download

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Major Changes

• new: add a drop_pct referred to the global number of events [#2130] - @Andreagit97
• new: print some info about eBPF and enabled sources when Falco starts [#2133] - @Andreagit97
• new(userspace): print architecture information [#2147] - @Andreagit97
• new(CI): add CodeQL security scanning to Falco. [#2171] - @Andreagit97
• new: configure syscall buffer dimension from Falco [#2214] - @Andreagit97
• new(cmdline): add development support for modern BPF probe [#2221] - @Andreagit97
• new(falco-driver-loader): DRIVERS_REPO now supports the use of multiple download URLs (comma separated) [#2165] - @IanRobertson-wpe
• new(userspace/engine): support alternative plugin version requirements in checks [#2190] - @jasondellaluce
• new: support running multiple event sources in parallel [#2182] - @jasondellaluce
• new(userspace/falco): automatically create paths for grpc unix socket and gvisor endpoint. [#2189] - @FedeDP
• new(scripts): allow falco-driver-loader to properly distinguish any ubuntu flavor [#2178] - @FedeDP
• new: add option to enable event sources selectively [#2085] - @jasondellaluce

Minor Changes

• docs(falco-driver-loader): add some comments in falco-driver-loader [#2153] - @Andreagit97
• update(cmake): use latest libs tag 0.9.0 [#2257] - @Andreagit97
• update(.circleci): re-enabled cppcheck [#2186] - @leogr
• update(userspace/engine): improve falco files loading performance [#2151] - @VadimZy
• update(cmake): use latest driver tag 3.0.1+driver [#2251] - @Andreagit97
• update(userspace/falco)!: adapt stats writer for multiple parallel event sources [#2182] - @jasondellaluce
• refactor(userspace/engine): remove falco engine APIs that returned a required_engine_version [#2096] - @mstemm
• update(userspace/engine): add some small changes to rules matching that reduce cpu usage with high event volumes (> 1M syscalls/sec) [#2210] - @mstemm
• rules: added process IDs to default rules [#2211] - @spyder-kyle
• update(scripts/debian): falco.service systemd unit is now cleaned-up during (re)install and removal via the DEB and RPM packages [#2138] - @Happy-Dude
• update(userspace/falco): move on from deprecated libs API for printing event list [#2253] - @jasondellaluce
• chore(userspace/falco): improve cli helper and log options with debug level [#2252] - @jasondellaluce
• update(userspace): minor pre-release improvements [#2236] - @jasondellaluce
• update: bumped libs to fd46dd139a8e35692a7d40ab2f0ed2016df827cf. [#2201] - @FedeDP
• update!: gVisor sock default path changed from /tmp/gvisor.sock to /run/falco/gvisor.sock [#2163] - @vjjmiras
• update!: gRPC server sock default path changed from /run/falco.sock.sock to /run/falco/falco.sock [#2163] - @vjjmiras
• update(scripts/falco-driver-loader): minikube environment is now correctly detected [#2191] - @alacuku
• update(rules/falco_rules.yaml): required_engine_version changed to 13 [#2179] - @incertum
• refactor(userspace/falco): re-design stats writer and make it thread-safe [#2109] - @jasondellaluce
• refactor(userspace/falco): make signal handlers thread safe [#2091] - @jasondellaluce
• refactor(userspace/engine): strengthen and document thread-safety guarantees of falco_engine::process_event [#2082] - @jasondellaluce
• update(userspace/falco): make webserver threadiness configurable [#2090] - @jasondellaluce
• refactor(userspace/falco): reduce app actions dependency on app state and inspector [#2097] - @jasondellaluce
• update(userspace/falco): use move semantics in falco logger [#2095] - @jasondellaluce
• update: use FALCO_HOSTNAME env var to override the hostname value [#2174] - @leogr
• update: bump libs and driver versions to 6599e2efebce30a95f27739d655d53f0d5f686e4 [#2177] - @jasondellaluce
• refactor(userspace/falco): make output rate limiter optional and output engine explicitly thread-safe [#2139] - @jasondellaluce
• update(falco.yaml)!: notification rate limiter disabled by default. [#2139] - @jasondellaluce

Bug Fixes

• fix: compute the drop ratio in the right way [#2128] - @Andreagit97
• fix(falco_service): falco service needs to write under /sys/module/falco [#2238] - @Andreagit97
• fix(userspace): cleanup output of ruleset validation result [#2248] - @jasondellaluce
• fix(userspace): properly print ignored syscalls messages when not in -A mode [#2243] - @jasondellaluce
• fix(falco): clarify pid/tid and container info in gvisor [#2223] - @LucaGuerra
• fix(userspace/engine): avoid reading duplicate exception values [#2200] - @jasondellaluce
• fix: hostname was not present when json_output: true [#2174] - @leogr

Rule Changes

• rule(macro: known_gke_mount_in_privileged_containers): add new macro [#2198] - @hi120ki
• rule(Mount Launched in Privileged Container): add GKE default pod into allowlist in Mount Launched of Privileged Container rule [#2198] - @hi120ki
• rule(list: known_binaries_to_read_environment_variables_from_proc_files): add new list [#2193] - @hi120ki
• rule(Read environment variable from /proc files): add rule to detect an attempt to read process environment variables from /proc files [#2193] - @hi120ki
• rule(macro: k8s_containers): add falco no-driver images [#2234] - @jasondellaluce
• rule(macro: open_file_failed): add new macro [#2118] - @incertum
• rule(macro: directory_traversal): add new macro [#2118] - @incertum
• rule(Directory traversal monitored file read): add new rule [#2118] - @incertum
• rule(Modify Container Entrypoint): new rule created to detect CVE-2019-5736 [#2188] - @darryk10
• rule(Program run with disallowed http proxy env)!: disabled by default [#2179] - @incertum
• rule(Container Drift Detected (chmod))!: disabled by default [#2179] - @incertum
• rule(Container Drift Detected (open+create))!: disabled by default [#2179] - @incertum
• rule(Packet socket created in container)!: removed consider_packet_socket_communication macro [#2179] - @incertum
• rule(macro: consider_packet_socket_communication)!: remove unused macro [#2179] - @incertum
• rule(Interpreted procs outbound network activity)!: disabled by default [#2166] - @incertum
• rule(Interpreted procs inbound network activity)!: disabled by default [#2166] - @incertum
• rule(Contact cloud metadata service from container)!: disabled by default [#2166] - @incertum
• rule(macro: consider_interpreted_outbound)!: remove unused macro [#2166] - @incertum
• rule(macro: consider_interpreted_inbound)!: remove unused macro [#2166] - @incertum
• rule(macro: consider_metadata_access)!: remove unused macro [#2166] - @incertum
• rule(Unexpected outbound connection destination)!: disabled by default [#2168] - @incertum
• rule(Unexpected inbound connection source)!: disabled by default [#2168] - @incertum
• rule(Read Shell Configuration File)!: disabled by default [#2168] - @incertum
• rule(Schedule Cron Jobs)!: disabled by default [#2168] - @incertum
• rule(Launch Suspicious Network Tool on Host)!: disabled by default [#2168] - @incertum
• rule(Create Hidden Files or Directories)!: disabled by default [#2168] - @incertum
• rule(Outbound or Inbound Traffic not to Authorized Server Process and Port)!: disabled by default [#2168] - @incertum
• rule(Network Connection outside Local Subnet)!: disabled by default [#2168] - @incertum
• rule(macro: consider_all_outbound_conns)!: remove unused macro [#2168] - @incertum
• rule(macro: consider_all_inbound_conns)!: remove unused macro [#2168] - @incertum
• rule(macro: consider_shell_config_reads)!: remove unused macro [#2168] - @incertum
• rule(macro: consider_all_cron_jobs)!: remove unused macro [#2168] - @incertum
• rule(macro: consider_all_inbound_conns)!: remove unused macro [#2168] - @incertum
• rule(macro: consider_hidden_file_creation)!: remove unused macro [#2168] - @incertum
• rule(macro: allowed_port)!: remove unused macro [#2168] - @incertum
• rule(macro: enabled_rule_network_only_subnet)!: remove unused macro [#2168] - @incertum
• rule(macro: consider_userfaultfd_activities)!: remove unused macro [#2168] - @incertum
• rule(macro: consider_all_chmods)!: remove unused macro [#2168] - @incertum
• rule(Set Setuid or Setgid bit)!: removed consider_all_chmods macro [#2168] - @incertum
• rule(Container Drift Detected (chmod))!: removed consider_all_chmods macro [#2168] - @incertum
• rule(Unprivileged Delegation of Page Faults Handling to a Userspace Process)!: removed consider_userfaultfd_activities macro [#2168] - @incertum

Non user-facing changes

• new(userspace): support SCAP_FILTERED_EVENT return code [#2148] - @Andreagit97
• chore(test/utils): remove unused script [#2157] - @Andreagit97
• Enrich pull request template [#2162] - @Andreagit97
• vote: update(OWNERS): add Andrea Terzolo to owners [#2185] - @Andreagit97
• fix(CI): codespell should ignore ro word [#2173] - @Andreagit97
• chore: bump plugin version [#2256] - @Andreagit97
• fix(userspace/falco): avoid using CPU when main thread waits for parallel event sources [#2255] - @jasondellaluce
• fix(scripts): inject kmod script fails with some systemd versions [#2250] - @Andreagit97
• chore(userspace/falco): make logging optional when terminating, restarting, and reopening outputs [#2249] - @jasondellaluce
• chore: bump libs version [#2244] - @Andreagit97
• update(userspace): solve warnings and performance tips from cppcheck [#2247] - @jasondellaluce
• fix(userspace/falco): make signal termination more robust with multi-threading [#2235] - @jasondellaluce
• fix(userspace/falco): make termination and signal handlers more stable [#2239] - @jasondellaluce
• fix(userspace): safely check string bounded access [#2237] - @jasondellaluce
• chore: bump libs/driver to the latest release branch commit [#2232] - @Andreagit97
• fix(userspace/falco): check plugin requirements when validating rule files [#2233] - @jasondellaluce
• fix(userspace): add explicit constructors and initializations [#2229] - @jasondellaluce
• Add StackRox to adopters [#2187] - @Molter73
• fix(process_events): check the return value of open_live_inspector [#2215] - @Andreagit97
• fix(userspace/engine): properly include stdexcept header to fix build. [#2197] - @FedeDP
• refactor(userspace/engine): split rule loader classes for a more testable design [#2206] - @jasondellaluce
• chore(OWNERS): cleanup inactive reviewer [#2204] - @leogr
• fix(circleci): falco-driver-loader image build must be done starting from just-pushed falco master image. [#2194] - @FedeDP
• Support condition parse errors in rule loading results [#2155] - @mstemm
• docs: readme update [#2183] - @leogr
• cleanup: rename legacy references [#2180] - @jasondellaluce
• refactor(userspace/engine): increase const coherence in falco engine [#2081] - @jasondellaluce
• Rules result handle multiple files [#2158] - @mstemm
• fix: print full rule load errors/warnings without verbose/-v [#2156] - @mstemm

Statistics

Release Manager @jasondellaluce

Download

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Bug Fixes

• fix: Added ARCH to bpf download URL [#2142] - @eric-engberg

Statistics

Release Manager @Andreagit97

Download

Packages	Download
rpm
deb
tgz
rpm-arm64
deb-arm64
tgz-arm64

Major Changes

• new(falco): add gVisor support [#2078] - @LucaGuerra
• new(docker,scripts): add multiarch images and ARM64 packages [#1990] - @FedeDP

Minor Changes

• update(build): Switch from RSA/SHA1 to RSA/SHA256 signature in the RPM package [#2044] - @vjjmiras
• refactor(userspace/engine): drop macro source field in rules and rule loader [#2094] - @jasondellaluce
• build: introduce DRIVER_VERSION that allows setting a driver version (which may differ from the falcosecurity/libs version) [#2086] - @leogr
• update: add more info to --version output [#2086] - @leogr
• build(scripts): publish deb repo has now a InRelease file [#2060] - @FedeDP
• update(userspace/falco): make plugin init config optional and add --plugin-info CLI option [#2059] - @jasondellaluce
• update(userspace/falco): support libs logging [#2093] - @jasondellaluce
• update(falco): update libs to 0.7.0 [#2119] - @LucaGuerra

Bug Fixes

• fix(userspace/falco): ensure that only rules files named with -V are loaded when validating rules files. [#2088] - @mstemm
• fix(rules): use exit event in reverse shell detection rule [#2076] - @alacuku
• fix(scripts): falco-driver-loader script will now seek for drivers in driver/${ARCH}/ for x86_64 too. [#2057] - @FedeDP
• fix(falco-driver-loader): building falco module with DKMS on Flatcar and supporting fetching pre-built module/eBPF probe [#2043] - @jepio

Rule Changes

• rule(Redirect STDOUT/STDIN to Network Connection in Container): changed priority to NOTICE [#2092] - @leogr
• rule(Java Process Class Download): detect potential log4shell exploitation [#2041] - @pirxthepilot

Non user-facing changes

• remove kaizhe from falco rule owner [#2050] - @Kaizhe
• docs(readme): added arm64 mention + packages + badge. [#2101] - @FedeDP
• new(circleci): enable integration tests for arm64. [#2099] - @FedeDP
• chore(cmake): bump plugins versions [#2102] - @Andreagit97
• fix(docker): fixed deb tester sub image. [#2100] - @FedeDP
• fix(ci): fix sign script - avoid interpreting '{*}$argv' too soon [#2075] - @vjjmiras
• fix(tests): make tests run locally (take 2) [#2089] - @LucaGuerra
• fix(ci): creates ~/sign instead of ./sign [#2072] - @vjjmiras
• fix(ci): sign arm64 rpm packages. [#2069] - @FedeDP
• update(falco_scripts): Change Flatcar dynlinker path [#2066] - @jepio
• fix(scripts): fixed path in publish-deb script. [#2062] - @FedeDP
• fix(build): docker-container buildx engine does not support retagging images. Tag all images together. [#2058] - @FedeDP
• fix(build): fixed publish-docker-dev job context. [#2056] - @FedeDP
• Correct linting issue in rules [#2055] - @stephanmiehe
• Fix falco compilation issues with new libs [#2053] - @alacuku
• fix(scripts): forcefully create packages dir for debian packages. [#2054] - @FedeDP
• fix(build): removed leftover line in circleci config. [#2052] - @FedeDP
• fix(build): fixed circleCI artifacts publish for arm64. [#2051] - @FedeDP
• update(docker): updated falco-builder to fix multiarch support. [#2049] - @FedeDP
• fix(build): use apt instead of apk when installing deps for aws ecr publish [#2047] - @FedeDP
• fix(build): try to use root user for cimg/base [#2045] - @FedeDP
• update(build): avoid double build of docker images when pushing to aws ecr [#2046] - @FedeDP
• chore(k8s_audit_plugin): bump k8s audit plugin version [#2042] - @Andreagit97
• fix(tests): make run_regression_tests.sh work locally [#2020] - @LucaGuerra
• Circle CI build job for ARM64 [#1997] - @odidev

Statistics

Release Manager @LucaGuerra

Download

Packages	Download
rpm
deb
tgz

Major Changes

• new: added new watch_config_files config option, to trigger a Falco restart whenever a change is detected in the rules or config files [#1991] - @FedeDP
• new(rules): add rule to detect excessively capable container [#1963] - @loresuso
• new(rules): add rules to detect pods sharing host pid and IPC namespaces [#1951] - @loresuso
• new(image): add Falco image based on RedHat UBI [#1943] - @araujof
• new(falco): add --markdown and --list-syscall-events [#1939] - @LucaGuerra

Minor Changes

• update(build): updated plugins to latest versions. [#2033] - @FedeDP
• refactor(userspace/falco): split the currently monolithic falco_init into smaller "actions", managed by the falco application's action manager. [#1953] - @mstemm
• rules: out of the box ruleset for OKTA Falco Plugin [#1955] - @darryk10
• update(build): updated libs to 39ae7d40496793cf3d3e7890c9bbdc202263836b [#2031] - @FedeDP
• update!: moving out plugins ruleset files [#1995] - @leogr
• update: added hostname as a field in JSON output [#1989] - @Milkshak3s
• refactor!: remove K8S audit logs from Falco [#1952] - @jasondellaluce
• refactor(userspace/engine): use supported_operators helper from libsinsp filter parser [#1975] - @jasondellaluce
• refactor!: deprecate PSP regression tests and warn for unsafe usage of in k8s audit filters [#1976] - @jasondellaluce
• build(cmake): upgrade catch2 to 2.13.9 [#1977] - @leogr
• refactor(userspace/engine): reduce memory usage for resolving evttypes [#1965] - @jasondellaluce
• refactor(userspace/engine): remove Lua from Falco and re-implement the rule loader [#1966] - @jasondellaluce
• refactor(userspace/engine): decoupling ruleset reading, parsing, and compilation steps [#1970] - @jasondellaluce
• refactor: update definitions of falco_common [#1967] - @jasondellaluce
• update: improved Falco engine event processing performance [#1944] - @deepskyblue86
• refactor(userspace/engine): use libsinsp filter parser and compiler inside rule loader [#1947] - @jasondellaluce

Bug Fixes

• fix(userspace/engine): skip rules with unknown sources that also have exceptions, and skip macros with unknown sources. [#1920] - @mstemm
• fix(userspace/falco): enable k8s and mesos clients only when syscall source is enabled [#2019] - @jasondellaluce

Rule Changes

• rule(Launch Excessively Capable Container): fix typo in description [#1996] - @mmonitz
• rule(macro: known_shell_spawn_cmdlines): add sh -c /usr/share/lighttpd/create-mime.conf.pl to macro [#1996] - @mmonitz
• rule(macro net_miner_pool): additional syscall for detection [#2011] - @beryxz
• rule(macro truncate_shell_history): include .ash_history [#1956] - @bdashrad
• rule(macro modify_shell_history): include .ash_history [#1956] - @bdashrad
• rule(Detect release_agent File Container Escapes): new rule created to detect an attempt to exploit a container escape using release_agent file [#1969] - @darryk10
• rule(k8s: secret): detect get attempts for both successful and unsuccessful attempts [#1949] - @Dentrax
• rule(K8s Serviceaccount Created/Deleted): Fixed output for the rules [#1973] - @darryk10
• rule(Disallowed K8s User): exclude allowed EKS users [#1960] - @darryk10
• rule(Launch Ingress Remote File Copy Tools in Container): Removed use cases not triggering the rule [#1968] - @darryk10
• rule(Mount Launched in Privileged Container): added allowlist macro user_known_mount_in_privileged_containers. [#1930] - @mmoyerfigma
• rule(macro user_known_shell_config_modifiers): allow to allowlist shell config modifiers [#1938] - @claudio-vellage

Non user-facing changes

• new: update plugins [#2023] - @FedeDP
• update(build): updated libs version for Falco 0.32.0 release. [#2022] - @FedeDP
• update(build): updated libs to 1be924900a09cf2e4db4b4ae13d03d838959f350 [#2024] - @FedeDP
• chore(userspace/falco): do not print error code in process_events.cpp [#2030] - @alacuku
• fix(falco-scripts): remove driver versions with dkms-3.0.3 [#2027] - @Andreagit97
• chore(userspace/falco): fix punctuation typo in output message when loading plugins [#2026] - @alacuku
• refactor(userspace): change falco engine design to properly support multiple sources [#2017] - @jasondellaluce
• update(userspace/falco): improve falco termination [#2012] - @Andreagit97
• update(userspace/engine): introduce new check_plugin_requirements API [#2009] - @Andreagit97
• fix(userspace/engine): improve rule loader source checks [#2010] - @Andreagit97
• fix: split filterchecks per source-idx [#1999] - @FedeDP
• new: port CI builds to github actions [#2000] - @FedeDP
• build(userspace/engine): cleanup unused include dir [#1987] - @leogr
• rule(Anonymous Request Allowed): exclude {/livez, /readyz} [#1954] - @sledigabel
• chore(falco_scripts): Update falco-driver-loader cleaning phase [#1950] - @Andreagit97
• new(userspace/falco): use new plugin caps API [#1982] - @FedeDP
• build: correct conffiles for DEB packages [#1980] - @leogr
• Fix exception parsing regressions [#1985] - @mstemm
• Add codespell GitHub Action [#1962] - @invidian
• build: components opt-in mechanism for packages [#1979] - @leogr
• add gVisor to ADOPTERS.md [#1974] - @kevinGC
• rules: whitelist GCP's container threat detection image [#1959] - @clmssz
• Fix some typos [#1961] - @invidian
• chore(rules): remove leftover [#1958] - @leogr
• docs: readme update and plugins [#1940] - @leogr

Statistics

Release Manager @FedeDP

Download

Packages	Download
rpm
deb
tgz

Major Changes

• new: add a new drop category n_drops_scratch_map [#1916] - @Andreagit97
• new: allow to specify multiple --cri options [#1893] - @FedeDP

Minor Changes

• refactor(userspace/falco): replace direct getopt_long() cmdline option parsing with third-party cxxopts library. [#1886] - @mstemm
• update: driver version is b7eb0dd [#1923] - @LucaGuerra

Bug Fixes

• fix(userspace/falco): correct plugins init config conversion from YAML to JSON [#1907] - @jasondellaluce
• fix(userspace/engine): for rules at the informational level being loaded at the notice level [#1885] - @mike-stewart
• chore(userspace/falco): fixes truncated -b option description. [#1915] - @andreabonanno
• update(falco): updates usage description for -o, --option [#1903] - @andreabonanno

Rule Changes

• rule(Detect outbound connections to common miner pool ports): fix url in rule output [#1918] - @jsoref
• rule(macro somebody_becoming_themself): renaming macro to somebody_becoming_themselves [#1918] - @jsoref
• rule(list package_mgmt_binaries): npm added [#1866] - @rileydakota
• rule(Launch Package Management Process in Container): support for detecting npm usage [#1866] - @rileydakota
• rule(Polkit Local Privilege Escalation Vulnerability): new rule created to detect CVE-2021-4034 [#1877] - @darryk10
• rule(macro: modify_shell_history): avoid false-positive alerts triggered by modifications to .zsh_history.new and .zsh_history.LOCK files [#1832] - @m4wh6k
• rule(macro: truncate_shell_history): avoid false-positive alerts triggered by modifications to .zsh_history.new and .zsh_history.LOCK files [#1832] - @m4wh6k
• rule(macro sssd_writing_krb): fixed a false-positive alert that was being generated when SSSD updates /etc/krb5.keytab [#1825] - @mac-chaffee
• rule(macro write_etc_common): fixed a false-positive alert that was being generated when SSSD updates /etc/krb5.keytab [#1825] - @mac-chaffee
• upgrade macro(keepalived_writing_conf) [#1742] - @pabloopez
• rule_output(Delete Bucket Public Access Block) typo [#1888] - @pabloopez

Non user-facing changes

• fix(build): fix civetweb linking in cmake module [#1919] - @LucaGuerra
• chore(userspace/engine): remove unused lua functions and state vars [#1908] - @jasondellaluce
• fix(userspace/falco): applies FALCO_INSTALL_CONF_FILE as the default … [#1900] - @andreabonanno
• fix(scripts): correct typo in falco-driver-loader help message [#1899] - @leogr
• update(build)!: replaced various PROBE with DRIVER where necessary. [#1887] - @FedeDP
• Add Fairwinds to the adopters list [#1917] - @sudermanjr
• build(cmake): several cmake changes to speed up/simplify builds for external projects and copying files from source-to-build directories [#1905] - @mstemm

Statistics

Release Manager @LucaGuerra

Download

Packages	Download
rpm
deb
tgz

Major Changes

• new: add support for plugins to extend Falco functionality to new event sources and custom fields [#1753] - @mstemm
• new: add ability to set User-Agent http header when sending http output. Provide default value of 'falcosecurit/falco'. [#1850] - @yoshi314
• new(configuration): support defining plugin init config as a YAML [#1852] - @jasondellaluce

Minor Changes

• rules: add the official Falco ECR repository to rules [#1817] - @calvinbui
• build: update CircleCI machine image for eBPF tests to a newer version of ubuntu [#1764] - @mstemm
• update(engine): refactor Falco engine to be agnostic to specific event sources [#1715] - @mstemm
• build: upgrade civetweb to v1.15 [#1782] - @FedeDP
• update: driver version is 319368f1ad778691164d33d59945e00c5752cd27 now [#1861] - @FedeDP
• build: allow using local libs source dir by setting FALCOSECURITY_LIBS_SOURCE_DIR in cmake [#1791] - @jasondellaluce
• build: the statically linked binary package is now published with the -static suffix [#1873] - @LucaGuerra
• update!: removed "--alternate-lua-dir" cmdline option as lua scripts are now embedded in Falco executable. [#1872] - @FedeDP
• build: switch to dynamic build for the binary package (.tar.gz) [#1853] - @LucaGuerra
• update: simpleconsumer filtering is now being done at kernel level [#1846] - @FedeDP
• update(scripts/falco-driver-loader): first try to load the latest kmod version, then fallback to an already installed if any [#1863] - @leogr
• refactor: clean up --list output with better formatting and no duplicate sections across event sources. [#1816] - @mstemm
• update: embed .lua files used to load/compile rules into the main falco executable, for simplicity and to avoid tampering. [#1843] - @mstemm
• update: support non-enumerable event sources in gRPC outputs service [#1840] - @jasondellaluce
• docs: add jasondellaluce to OWNERS [#1818] - @jasondellaluce
• chore: --list option can be used to selectively list fields related to new sources that are introduced by plugins [#1839] - @loresuso
• update(userspace/falco): support arbitrary-depth nested values in YAML configuration [#1792] - @jasondellaluce
• build: bump FakeIt version to 2.0.9 [#1797] - @jasondellaluce
• update: allow append of new exceptions to rules [#1780] - @sai-arigeli
• update: Linux packages are now signed with SHA256 [#1758] - @twa16

Bug Fixes

• fix(scripts/falco-driver-loader): fix for SELinux insmod denials [#1756] - @dwindsor
• fix(scripts/falco-driver-loader): correctly clean loaded drivers when using --clean [#1795] - @jasondellaluce
• fix(userspace/falco): in case output_file cannot be opened, throw a falco exception [#1773] - @FedeDP
• fix(userspace/engine): support jsonpointer escaping in rule parser [#1777] - @jasondellaluce
• fix(scripts/falco-driver-loader): support kernel object files in .zst and .gz compression formats [#1863] - @leogr
• fix(engine): correctly format json output in json_event [#1847] - @jasondellaluce
• fix: set http output contenttype to text/plain when json output is disabled [#1829] - @FedeDP
• fix(userspace/falco): accept 'Content-Type' header that contains "application/json", but it is not strictly equal to it [#1800] - @FedeDP
• fix(userspace/engine): supporting enabled-only overwritten rules [#1775] - @jasondellaluce

Rule Changes

• rule(Create Symlink Over Sensitive File): corrected typo in rule output [#1820] - @deepskyblue86
• rule(macro open_write): add support to openat2 [#1796] - @jasondellaluce
• rule(macro open_read): add support to openat2 [#1796] - @jasondellaluce
• rule(macro open_directory): add support to openat2 [#1796] - @jasondellaluce
• rule(Create files below dev): add support to openat2 [#1796] - @jasondellaluce
• rule(Container Drift Detected (open+create)): add support to openat2 [#1796] - @jasondellaluce
• rule(macro sensitive_mount): add containerd socket [#1815] - @loresuso
• rule(macro spawned_process): monitor also processes spawned by execveat [#1868] - @Andreagit97
• rule(Create Hardlink Over Sensitive Files): new rule to detect hard links created over sensitive files [#1810] - @sberkovich
• rule(Detect crypto miners using the Stratum protocol): add stratum2+tcp and stratum+ssl protocols detection [#1810] - @sberkovich
• rule(Sudo Potential Privilege Escalation): correct special case for the CVE-2021-3156 exploit [#1810] - @sberkovich
• rule(list falco_hostnetwork_images): moved to k8s_audit_rules.yaml to avoid a warning when usng falco_rules.yaml only [#1681] - @leodido
• rule(list deb_binaries): remove apt-config [#1860] - @Andreagit97
• rule(Launch Remote File Copy Tools in Container): add additional binaries: curl and wget. [#1771] - @ec4n6
• rule(list known_sa_list): add coredns, coredns-autoscaler, endpointslicemirroring-controller, horizontal-pod-autoscaler, job-controller, node-controller (nodelifecycle), persistent-volume-binder, pv-protection-controller, pvc-protection-controller, root-ca-cert-publisher and service-account-controller as allowed service accounts in the kube-system namespace [#1760] - @sboschman

Non user-facing changes

• fix: force-set evt.type for plugin source events [#1878] - @FedeDP
• fix: updated some warning strings; properly refresh lua files embedded in falco [#1864] - @FedeDP
• style(userspace/engine): avoid creating multiple versions of methods only to assume default ruleset. Use a default argument instead. [#1754] - @FedeDP
• add raft in the adopters list [#1776] - @teshsharma
• build: always populate partial version variables [#1778] - @dnwe
• build: updated cloudtrail plugin to latest version [#1865] - @FedeDP
• replace ".." concatenation with table.concat [#1834] - @VadimZy
• fix(userspace/engine): actually make m_filter_all_event_types useful by properly using it as fallback when no filter event types is provided [#1875] - @FedeDP
• fix(build): do not show plugin options in musl optimized builds [#1871] - @LucaGuerra
• fix(aws_cloudtrail_rules.yaml): correct required plugin versions [#1867] - @FedeDP
• docs: fix priority level "info" to "informational" [#1858] - @Andreagit97
• Field properties changes [#1838] - @mstemm
• update(build): updated libs to latest master version; updated plugins versions [#1856] - @FedeDP
• Add Giant Swarm to Adopters list [#1842] - @stone-z
• update(tests): remove token_bucket unit tests [#1798] - @jasondellaluce
• fix(build): use consistent 7-character build abbrev sha [#1830] - @LucaGuerra
• add Phoenix to adopters list [#1806] - @kaldyka
• remove unused files in test directory [#1801] - @jasondellaluce
• drop Falco luajit module, use the one provied by libs [#1788] - @FedeDP
• chore(build): update libs version to 7906f7e [#1790] - @LucaGuerra
• Add SysFlow to list of libs adopters [#1747] - @araujof
• build: dropped centos8 circleci build because it is useless [#1882] - @FedeDP

Statistics

Release Manager @jasondellaluce

Download

Packages	Download
rpm
deb
tgz

Major Changes

• new: add --k8s-node command-line options, which allows filtering by a node when requesting metadata of pods to the K8s API server [#1671] - @leogr
• new(outputs): expose rule tags and event source in gRPC and json outputs [#1714] - @jasondellaluce
• new(userspace/falco): add customizable metadata fetching params [#1667] - @zuc

Minor Changes

• update: bump driver version to 3aa7a83bf7b9e6229a3824e3fd1f4452d1e95cb4 [#1744] - @zuc
• docs: clarify that previous Falco drivers will remain available at https://download.falco.org and no automated cleanup is run anymore [#1738] - @leodido
• update(outputs): add configuration option for tags in json outputs [#1733] - @jasondellaluce

Bug Fixes

• fix(scripts): correct standard output redirection in systemd config (DEB and RPM packages) [#1697] - @chirabino
• fix(scripts): correct lookup order when trying multiple gcc versions in the falco-driver-loader script [#1716] - @Spartan-65

Rule Changes

• rule(list miner_domains): add new miner domains [#1729] - @AlbertoPellitteri
• rule(list https_miner_domains): add new miner domains [#1729] - @AlbertoPellitteri

Non user-facing changes

• add Qonto as adopter [#1717] - @Issif
• docs(proposals): proposal for a libs plugin system [#1637] - @ldegio
• build: remove unused ncurses dependency [#1658] - @leogr
• build(.circleci): use new Debian 11 package names for python-pip [#1712] - @zuc
• build(docker): adding libssl-dev, upstream image reference pinned to debian:buster [#1719] - @michalschott
• fix(test): avoid output_strictly_contains failures [#1724] - @jasondellaluce
• Remove duplicate allowed ecr registry rule [#1725] - @TomKeyte
• docs(RELEASE.md): switch to 3 releases per year [#1711] - @leogr

Statistics

Release Manager @araujof

Download

Packages	Download
rpm
deb
tgz

Minor Changes

• update: bump the Falco engine version to version 9 [#1675] - @leodido

Rule Changes

• rule(list user_known_userfaultfd_processes): list to exclude processes known to use userfaultfd syscall [#1675] - @leodido
• rule(macro consider_userfaultfd_activities): macro to gate the "Unprivileged Delegation of Page Faults Handling to a Userspace Process" rule [#1675] - @leodido
• rule(Unprivileged Delegation of Page Faults Handling to a Userspace Process): new rule to detect successful unprivileged userfaultfd syscalls [#1675] - @leodido
• rule(Linux Kernel Module Injection Detected): adding container info to the output of the rule [#1675] - @leodido

Non user-facing changes

• docs(release.md): update steps [#1684] - @maxgio92

Statistics

Release Manager @leodido

Download

Packages	Download
rpm
deb
tgz

Minor Changes

• update: driver version is 17f5df52a7d9ed6bb12d3b1768460def8439936d now [#1669] - @leogr

Rule Changes

• rule(list miner_domains): add rx.unmineable.com for anti-miner detection [#1676] - @fntlnz
• rule(Change thread namespace and Set Setuid or Setgid bit): disable by default [#1632] - @Kaizhe
• rule(list known_sa_list): add namespace-controller, statefulset-controller, disruption-controller, job-controller, horizontal-pod-autoscaler and persistent-volume-binder as allowed service accounts in the kube-system namespace [#1659] - @sboschman
• rule(Non sudo setuid): check user id as well in case user name info is not available [#1665] - @Kaizhe
• rule(Debugfs Launched in Privileged Container): fix typo in description [#1657] - @Kaizhe

Non user-facing changes

• Fix link to CONTRIBUTING.md in the Pull Request Template [#1679] - @tspearconquest
• fetch libs and drivers from the new repo [#1552] - @leogr
• build(test): upgrade urllib3 to 1.26.5 [#1666] - @leogr
• revert: add notes for 0.28.2 release [#1663] - @maxgio92
• changelog: add notes for 0.28.2 release [#1661] - @maxgio92
• docs(release.md): add blog announcement to post-release tasks [#1652] - @maxgio92
• add Yahoo!Japan as an adopter [#1651] - @ukitazume
• Add Replicated to adopters [#1649] - @diamonwiggins
• docs(proposals): fix libs contribution name [#1641] - @leodido

Statistics

Release Manager @maxgio92

Download

Packages	Download
rpm
deb
tgz

Major Changes

• new: --support output now includes info about the Falco engine version [#1581] - @mstemm
• new: Falco outputs an alert in the unlikely situation it's receiving too many consecutive timeouts without an event [#1622] - @leodido
• new: configuration field syscall_event_timeouts.max_consecutive to configure after how many consecutive timeouts without an event Falco must alert [#1622] - @leodido

Minor Changes

• build: enforcing hardening flags by default [#1604] - @leogr

Bug Fixes

• fix: do not stop the webserver for k8s audit logs when invalid data is coming in the event to be processed [#1617] - @fntlnz

Rule Changes

• rule(macro: allowed_aws_ecr_registry_root_for_eks): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [#1640] - @ismailyenigul
• rule(macro: aws_eks_core_images): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [#1640] - @ismailyenigul
• rule(macro: aws_eks_image_sensitive_mount): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [#1640] - @ismailyenigul
• rule(list falco_privileged_images): remove deprecated Falco's OCI image repositories [#1634] - @maxgio92
• rule(list falco_sensitive_mount_images): remove deprecated Falco's OCI image repositories [#1634] - @maxgio92
• rule(macro k8s_containers): remove deprecated Falco's OCI image repositories [#1634] - @maxgio92
• rule(macro: python_running_sdchecks): macro removed [#1620] - @leogr
• rule(Change thread namespace): remove python_running_sdchecks exception [#1620] - @leogr

Non user-facing changes

• urelease/docs: fix link and small refactor in the text [#1636] - @cpanato
• Add Secureworks to adopters [#1629] - @dwindsor-scwx
• regression test for malformed k8s audit input (FAL-01-003) [#1624] - @leodido
• Add mathworks to adopterlist [#1621] - @natchaphon-r
• adding known users [#1623] - @danpopSD
• docs: update link for HackMD community call notes [#1614] - @leodido

Statistics

Release Manager @cpanato

Download

Packages	Download
rpm
deb
tgz

Major Changes

• BREAKING CHANGE: Bintray is deprecated, no new packages will be published at https://dl.bintray.com/falcosecurity/ [#1577] - @leogr
• BREAKING CHANGE: SKIP_MODULE_LOAD env variable no more disables the driver loading (use SKIP_DRIVER_LOADER env variable introduced in Falco 0.24) [#1599] - @leodido
• BREAKING CHANGE: the init.d service unit is not shipped anymore in deb/rpm packages in favor of a systemd service file [#1448] - @jenting
• new: add support for exceptions as rule attributes to provide a compact way to add exceptions to Falco rules [#1427] - @mstemm
• new: falco-no-driver container images on AWS ECR gallery (https://gallery.ecr.aws/falcosecurity/falco-no-driver) [#1519] - @jonahjon
• new: falco-driver-loader container images on AWS ECR gallery (https://gallery.ecr.aws/falcosecurity/falco-driver-loader) [#1519] - @jonahjon
• new: add healthz endpoint to the webserver [#1546] - @cpanato
• new: introduce a new configuration field syscall_event_drops.threshold to tune the drop noisiness [#1586] - @leodido
• new: falco-driver-loader script can get a custom driver name from DRIVER_NAME env variable [#1488] - @leodido
• new: falco-driver-loader know the Falco version [#1488] - @leodido

Minor Changes

• docs(proposals): libraries and drivers donation [#1530] - @leodido
• docs(docker): update links to the new Falco website URLs [#1545] - @cpanato
• docs(test): update links to new Falco website URLs [#1563] - @shane-lawrence
• build: now Falco packages are published at https://download.falco.org [#1577] - @leogr
• update: lower the syscall_event_drops.max_burst default value to 1 [#1586] - @leodido
• update: falco-driver-loader tries to download a Falco driver before then compiling it on the fly for the host [#1599] - @leodido
• docs(test): document the prerequisites for running the integration test suite locally [#1609] - @fntlnz
• update: Debian/RPM package migrated from init to systemd [#1448] - @jenting

Bug Fixes

• fix(userspace/engine): properly handle field extraction over lists of containers when not all containers match the specified sub-properties [#1601] - @mstemm
• fix(docker/falco): add flex and bison dependency to container image [#1562] - @schans
• fix: ignore action can not be used with log and alert ones (syscall_event_drops config) [#1586] - @leodido
• fix(userspace/engine): allows fields starting with numbers to be parsed properly [#1598] - @mstemm

Rule Changes

• rule(Write below monitored dir): improve rule description [#1588] - @stevenshuang
• rule(macro allowed_aws_eks_registry_root): macro to match the official eks registry [#1555] - @ismailyenigul
• rule(macro aws_eks_image): match aws image repository for eks [#1555] - @ismailyenigul
• rule(macro aws_eks_image_sensitive_mount): match aws cni images [#1555] - @ismailyenigul
• rule(macro k8s_containers): include fluent/fluentd-kubernetes-daemonset and prom/prometheus [#1555] - @ismailyenigul
• rule(Launch Privileged Container): exclude aws_eks_image [#1555] - @ismailyenigul
• rule(Launch Sensitive Mount Container): exclude aws_eks_image_sensitive_mount [#1555] - @ismailyenigul
• rule(Debugfs Launched in Privileged Container): new rule [#1583] - @Kaizhe
• rule(Mount Launched in Privileged Container): new rule [#1583] - @Kaizhe
• rule(Set Setuid or Setgid bit): add k3s-agent in the whitelist [#1583] - @Kaizhe
• rule(macro user_ssh_directory): using glob operator [#1560] - @shane-lawrence
• rule(list falco_sensitive_mount_containers): added image exceptions for IBM cloud [#1337] - @nibalizer
• rule(list rpm_binaries): add rhsmcertd [#1385] - @epcim
• rule(list deb_binaries): add apt.systemd.daily [#1385] - @epcim
• rule(Sudo Potential Privilege Escalation): new rule created to detect CVE-2021-3156 [#1543] - @darryk10
• rule(list allowed_k8s_users): add eks:node-manager [#1536] - @ismailyenigul
• rule(list mysql_mgmt_binaries): removed [#1602] - @fntlnz
• rule(list db_mgmt_binaries): removed [#1602] - @fntlnz
• rule(macro parent_ansible_running_python): removed [#1602] - @fntlnz
• rule(macro parent_bro_running_python): removed [#1602] - @fntlnz
• rule(macro parent_python_running_denyhosts): removed [#1602] - @fntlnz
• rule(macro parent_linux_image_upgrade_script): removed [#1602] - @fntlnz
• rule(macro parent_java_running_echo): removed [#1602] - @fntlnz
• rule(macro parent_scripting_running_builds): removed [#1602] - @fntlnz
• rule(macro parent_Xvfb_running_xkbcomp): removed [#1602] - @fntlnz
• rule(macro parent_nginx_running_serf): removed [#1602] - @fntlnz
• rule(macro parent_node_running_npm): removed [#1602] - @fntlnz
• rule(macro parent_java_running_sbt): removed [#1602] - @fntlnz
• rule(list known_container_shell_spawn_cmdlines): removed [#1602] - @fntlnz
• rule(list known_shell_spawn_binaries): removed [#1602] - @fntlnz
• rule(macro run_by_puppet): removed [#1602] - @fntlnz
• rule(macro user_privileged_containers): removed [#1602] - @fntlnz
• rule(list rancher_images): removed [#1602] - @fntlnz
• rule(list images_allow_network_outside_subnet): removed [#1602] - @fntlnz
• rule(macro parent_python_running_sdchecks): removed [#1602] - @fntlnz
• rule(macro trusted_containers): removed [#1602] - @fntlnz
• rule(list authorized_server_binaries): removed [#1602] - @fntlnz

Non user-facing changes

• chore(test): replace bucket url with official distribution url [#1608] - @fntlnz
• adding asapp as an adopter [#1611] - @Stuxend
• update: fixtures URLs [#1603] - @leogr
• cleanup publishing jobs [#1596] - @leogr
• fix(falco/test): bump pyyaml from 5.3.1 to 5.4 [#1595] - @leodido
• fix(.circleci): tar must be present in the image [#1594] - @leogr
• fix: publishing jobs [#1591] - @leogr
• Pocteo as an adopter [#1574] - @pocteo-labs
• build: fetch build deps from download.falco.org [#1572] - @leogr
• adding shapesecurity to adopters [#1566] - @irivera007
• Use default pip version to get avocado version [#1565] - @shane-lawrence
• Added Swissblock to list of adopters [#1551] - @bygui86
• Fix various typos in markdown files. [#1514] - @didier-durand
• docs: move governance to falcosecurity/.github [#1524] - @leogr
• ci: fix missing infra context to publish stable Falco packages [#1615] - @leodido

Statistics

Download

Released on 2021-01-18

Packages	Download
rpm
deb
tgz

Major Changes

• new: Added falco engine version to grpc version service [#1507] - @nibalizer
• BREAKING CHANGE: Users who run Falco without a config file will be unable to do that any more, Falco now expects a configuration file to be passed all the times. Developers may need to adjust their processes. [#1494] - @nibalizer
• new: asynchronous outputs implementation, outputs channels will not block event processing anymore [#1451] - @leogr
• new: slow outputs detection [#1451] - @leogr
• new: output_timeout config option for slow outputs detection [#1451] - @leogr

Minor Changes

• build: bump b64 to v2.0.0.1 [#1441] - @fntlnz
• rules(macro container_started): re-use spawned_process macro inside container_started macro [#1449] - @leodido
• docs: reach out documentation [#1472] - @fntlnz
• docs: Broken outputs.proto link [#1493] - @deepskyblue86
• docs(README.md): correct broken links [#1506] - @leogr
• docs(proposals): Exceptions handling proposal [#1376] - @mstemm
• docs: fix a broken link of README [#1516] - @oke-py
• docs: adding the kubernetes privileged use case to use cases [#1484] - @fntlnz
• rules(Mkdir binary dirs): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [#1386] - @jhwbarlow
• rules(Create Hidden Files): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [#1386] - @jhwbarlow
• docs(.circleci): welcome Jonah (Amazon) as a new Falco CI maintainer [#1518] - @leodido
• build: falcosecurity/falco:master also available on the AWS ECR Public registry [#1512] - @leodido
• build: falcosecurity/falco:latest also available on the AWS ECR Public registry [#1512] - @leodido
• update: gRPC clients can now subscribe to drop alerts via gRCP API [#1451] - @leogr
• macro(allowed_k8s_users): exclude cloud-controller-manage to avoid false positives on k3s [#1444] - @fntlnz

Bug Fixes

• fix(userspace/falco): use given priority in falco_outputs::handle_msg() [#1450] - @leogr
• fix(userspace/engine): free formatters, if any [#1447] - @leogr
• fix(scripts/falco-driver-loader): lsmod usage [#1474] - @dnwe
• fix: a bug that prevents Falco driver to be consumed by many Falco instances in some circumstances [#1485] - @leodido
• fix: set HOST_ROOT=/host environment variable for the falcosecurity/falco-no-driver container image by default [#1492] - @leogr

Rule Changes

• rule(list user_known_change_thread_namespace_binaries): add crio and multus to the list [#1501] - @Kaizhe
• rule(Container Run as Root User): new rule created [#1500] - @Kaizhe
• rule(Linux Kernel Module injection detected): adds a new rule that detects when an LKM module is injected using insmod from a container (typically used by rootkits looking to obfuscate their behavior via kernel hooking). [#1478] - @d1vious
• rule(macro multipath_writing_conf): create and use the macro [#1475] - @nmarier-coveo
• rule(list falco_privileged_images): add calico/node without registry prefix to prevent false positive alerts [#1457] - @czunker
• rule(Full K8s Administrative Access): use the right list of admin users (fix) [#1454] - @mstemm

Non user-facing changes

• chore(cmake): remove unnecessary whitespace patch [#1522] - @leogr
• remove stale bot in favor of the new lifecycle bot [#1490] - @leodido
• chore(cmake): mark some variables as advanced [#1496] - @deepskyblue86
• chore(cmake/modules): avoid useless rebuild [#1495] - @deepskyblue86
• build: BUILD_BYPRODUCTS for civetweb [#1489] - @fntlnz
• build: remove duplicate item from FALCO_SOURCES [#1480] - @leodido
• build: make our integration tests report clear steps for CircleCI UI [#1473] - @fntlnz
• further improvements outputs impl. [#1443] - @leogr
• fix(test): make integration tests properly fail [#1439] - @leogr
• Falco outputs refactoring [#1412] - @leogr

Statistics

Download

Released on 2020-10-01

Packages	Download
rpm
deb
tgz

Major Changes

• update: DRIVERS_REPO now defaults to https://download.falco.org/driver [#1460] - @leodido

Download

Released on 2020-10-01

Packages	Download
rpm
deb
tgz

Major Changes

• new: CLI flag --alternate-lua-dir to load Lua files from arbitrary paths [#1419] - @admiral0

Rule Changes

• rule(Delete or rename shell history): fix warnings/FPs + container teardown [#1423] - @mstemm
• rule(Write below root): ensure proc_name_exists too [#1423] - @mstemm

Statistics

Download

Released on 2020-24-09

	Official Stable Download 0.26.0
rpm
deb
binary

Major Changes

• new: driver updated to 2aa88dcf6243982697811df4c1b484bcbe9488a2 [#1410]
• new(scripts/falco-driver-loader): detect and try to build the Falco kernel module driver using different GCC versions available in the current environment. [#1408]
• new: tgz (tarball) containing the statically-linked (musl) binary of Falco is now automatically built and published on bintray [#1377]

Minor Changes

• update: bump Falco engine version to 7 [#1381]
• update: the required_engine_version is now on by default [#1381]
• update: falcosecurity/falco-no-driver image now uses the statically-linked Falco [#1377]
• docs(proposals): artifacts storage [#1375]
• docs(proposals): artifacts cleanup [#1375]

Rule Changes

• rule: Address several sources of FPs, primarily from GKE environments. [#1372]
• rule(macro inbound_outbound): add brackets to disambiguate operator precedence [#1373]
• rule(macro redis_writing_conf): add brackets to disambiguate operator precedence [#1373]
• rule(macro run_by_foreman): add brackets to disambiguate operator precedence [#1373]
• rule(macro consider_packet_socket_communication): enable "Packet socket created in container" rule by default. [#1402]
• rule(Delete or rename shell history): skip docker overlay filesystems when considering bash history [#1393]
• rule(Disallowed K8s User): quote colons in user names [#1393]
• rule(macro falco_sensitive_mount_containers): Adds a trailing slash to avoid repo naming issues [#1394]
• rule: adds user.loginuid to the default Falco rules that also contain user.name [#1369]

This file documents all notable changes to Falco. The release numbering uses semantic versioning.

Statistics

Download

Released on 2020-08-25

Major Changes

• new(userspace/falco): print the Falco and driver versions at the very beginning of the output. [#1303] - @leogr
• new: libyaml is now bundled in the release process. Users can now avoid installing libyaml directly when getting Falco from the official release. [#1252] - @fntlnz

Minor Changes

• docs(test): step-by-step instructions to run integration tests locally [#1313] - @leodido
• update: renameat2 syscall support [#1355] - @fntlnz
• update: support for 5.8.x kernels [#1355] - @fntlnz

Bug Fixes

• fix(userspace/falco): correct the fallback mechanism for loading the kernel module [#1366] - @leogr
• fix(falco-driver-loader): script crashing when using arguments [#1330] - @antoinedeschenes

Rule Changes

• rule(macro user_trusted_containers): add sysdig/node-image-analyzer and sysdig/agent-slim [#1321] - @Kaizhe
• rule(macro falco_privileged_images): add docker.io/falcosecurity/falco [#1326] - @nvanheuverzwijn
• rule(EphemeralContainers Created): add new rule to detect ephemeral container created [#1339] - @Kaizhe
• rule(macro user_read_sensitive_file_containers): replace endswiths with exact image repo name [#1349] - @Kaizhe
• rule(macro user_trusted_containers): replace endswiths with exact image repo name [#1349] - @Kaizhe
• rule(macro user_privileged_containers): replace endswiths with exact image repo name [#1349] - @Kaizhe
• rule(macro trusted_images_query_miner_domain_dns): replace endswiths with exact image repo name [#1349] - @Kaizhe
• rule(macro falco_privileged_containers): append "/" to quay.io/sysdig [#1349] - @Kaizhe
• rule(list falco_privileged_images): add images docker.io/sysdig/agent-slim and docker.io/sysdig/node-image-analyzer [#1349] - @Kaizhe
• rule(list falco_sensitive_mount_images): add image docker.io/sysdig/agent-slim [#1349] - @Kaizhe
• rule(list k8s_containers): prepend docker.io to images [#1349] - @Kaizhe
• rule(macro exe_running_docker_save): add better support for centos [#1350] - @admiral0
• rule(macro rename): add renameat2 syscall [#1359] - @leogr
• rule(Read sensitive file untrusted): add trusted images into whitelist [#1327] - @Kaizhe
• rule(Pod Created in Kube Namespace): add new list k8s_image_list as white list [#1336] - @Kaizhe
• rule(list allowed_k8s_users): add "kubernetes-admin" user [#1323] - @leogr

Statistics

Download

Released on 2020-16-07

Major Changes

• BREAKING CHANGE: --stats_interval is now --stats-interval [#1308]
• BREAKING CHANGE: server streaming gRPC outputs method is now falco.outputs.service/get [#1241]
• new: auto threadiness for gRPC server [#1271]
• new: new bi-directional async streaming gRPC outputs (falco.outputs.service/sub) [#1241]
• new: unix socket for the gRPC server [#1217]
• new: Falco now supports userspace instrumentation with the -u flag [#1195]

Minor Changes

• update: driver version is 85c88952b018fdbce2464222c3303229f5bfcfad now [#1305]
• update: SKIP_MODULE_LOAD renamed to SKIP_DRIVER_LOADER [#1297]
• docs: add leogr to OWNERS [#1300]
• update: default threadiness to 0 ("auto" behavior) [#1271]
• update: k8s audit endpoint now defaults to /k8s-audit everywhere [#1292]
• update(falco.yaml): webserver.k8s_audit_endpoint default value changed from /k8s_audit to /k8s-audit [#1261]
• docs(test): instructions to run regression test suites locally [#1234]

Bug Fixes

• fix: --stats-interval correctly accepts values >= 999 (ms) [#1308]
• fix: make the eBPF driver build work on CentOS 8 [#1301]
• fix(userspace/falco): correct options handling for buffered_output: false which was not honored for the stdout output [#1296]
• fix(userspace/falco): honor -M also when using a trace file [#1245]
• fix: high CPU usage when using server streaming gRPC outputs [#1241]
• fix: missing newline from some log messages (eg., token bucket depleted) [#1257]

Rule Changes

• rule(Container Drift Detected (chmod)): disabled by default [#1316]
• rule(Container Drift Detected (open+create)): disabled by default [#1316]
• rule(Write below etc): allow snapd to write its unit files [#1289]
• rule(macro remote_file_copy_procs): fix reference to remote_file_copy_binaries [#1224]
• rule(list allowed_k8s_users): whitelisted kube-apiserver-healthcheck user created by kops >= 1.17.0 for the kube-apiserver-healthcheck sidecar [#1286]
• rule(Change thread namespace): Allow protokube, dockerd, tini and aws binaries to change thread namespace. [#1222]
• rule(macro exe_running_docker_save): to filter out cmdlines containing /var/run/docker. [#1222]
• rule(macro user_known_cron_jobs): new macro to be overridden to list known cron jobs [#1294]
• rule(Schedule Cron Jobs): exclude known cron jobs [#1294]
• rule(macro user_known_update_package_registry): new macro to be overridden to list known package registry update [#1294]
• rule(Update Package Registry): exclude known package registry update [#1294]
• rule(macro user_known_read_ssh_information_activities): new macro to be overridden to list known activities that read SSH info [#1294]
• rule(Read ssh information): do not throw for activities known to read SSH info [#1294]
• rule(macro user_known_read_sensitive_files_activities): new macro to be overridden to list activities known to read sensitive files [#1294]
• rule(Read sensitive file trusted after startup): do not throw for activities known to read sensitive files [#1294]
• rule(Read sensitive file untrusted): do not throw for activities known to read sensitive files [#1294]
• rule(macro user_known_write_rpm_database_activities): new macro to be overridden to list activities known to write RPM database [#1294]
• rule(Write below rpm database): do not throw for activities known to write RPM database [#1294]
• rule(macro user_known_db_spawned_processes): new macro to be overridden to list processes known to spawn DB [#1294]
• rule(DB program spawned process): do not throw for processes known to spawn DB [#1294]
• rule(macro user_known_modify_bin_dir_activities): new macro to be overridden to list activities known to modify bin directories [#1294]
• rule(Modify binary dirs): do not throw for activities known to modify bin directories [#1294]
• rule(macro user_known_mkdir_bin_dir_activities): new macro to be overridden to list activities known to create directories below bin directories [#1294]
• rule(Mkdir binary dirs): do not throw for activities known to create directories below bin directories [#1294]
• rule(macro user_known_system_user_login): new macro to exclude known system user logins [#1294]
• rule(System user interactive): do not throw for known system user logins [#1294]
• rule(macro user_known_user_management_activities): new macro to be overridden to list activities known to do user managements activities [#1294]
• rule(User mgmt binaries): do not throw for activities known to do user managements activities [#1294]
• rule(macro user_known_create_files_below_dev_activities): new macro to be overridden to list activities known to create files below dev [#1294]
• rule(Create files below dev): do not throw for activities known to create files below dev [#1294]
• rule(macro user_known_contact_k8s_api_server_activities): new macro to be overridden to list activities known to contact Kubernetes API server [#1294]
• rule(Contact K8S API Server From Container): do not throw for activities known to contact Kubernetes API server [#1294]
• rule(macro user_known_network_tool_activities): new macro to be overridden to list activities known to spawn/use network tools [#1294]
• rule(Launch Suspicious Network Tool in Container): do not throw for activities known to spawn/use network tools [#1294]
• rule(macro user_known_remove_data_activities): new macro to be overridden to list activities known to perform data remove commands [#1294]
• rule(Remove Bulk Data from Disk): do not throw for activities known to perform data remove commands [#1294]
• rule(macro user_known_create_hidden_file_activities): new macro to be overridden to list activities known to create hidden files [#1294]
• rule(Create Hidden Files or Directories): do not throw for activities known to create hidden files [#1294]
• rule(macro user_known_stand_streams_redirect_activities): new macro to be overridden to list activities known to redirect stream to network connection (in containers) [#1294]
• rule(Redirect STDOUT/STDIN to Network Connection in Container): do not throw for activities known to redirect stream to network connection (in containers) [#1294]
• rule(macro user_known_container_drift_activities): new macro to be overridden to list activities known to create executables in containers [#1294]
• rule(Container Drift Detected (chmod)): do not throw for activities known to give execution permissions to files in containers [#1294]
• rule(Container Drift Detected (open+create)): do not throw for activities known to create executables in containers [#1294]
• rule(macro user_known_node_port_service): do not throw for services known to start with a NopePort service type (k8s) [#1294]
• rule(Create NodePort Service): do not throw for services known to start with a NopePort service type (k8s) [#1294]
• rule(macro user_known_exec_pod_activities): do not throw for activities known to attach/exec to a pod (k8s) [#1294]
• rule(Attach/Exec Pod): do not throw for activities known to attach/exec to a pod (k8s) [#1294]
• rule(macro trusted_pod): defines trusted pods by an image list [#1294]
• rule(Pod Created in Kube Namespace): do not throw for trusted pods [#1294]
• rule(macro trusted_sa): define trusted ServiceAccount [#1294]
• rule(Service Account Created in Kube Namespace): do not throw for trusted ServiceAccount [#1294]
• rule(list network_tool_binaries): add zmap to the list [#1284]
• rule(macro root_dir): correct macro to exactly match the /root dir and not other with just /root as a prefix [#1279]
• rule(macro user_expected_terminal_shell_in_container_conditions): allow whitelisting terminals in containers under specific conditions [#1154]
• rule(macro user_known_write_below_binary_dir_activities): allow writing to a binary dir in some conditions [#1260]
• rule(macro trusted_logging_images): Add addl fluentd image [#1230]
• rule(macro trusted_logging_images): Let azure-npm image write to /var/log [#1230]
• rule(macro lvprogs_writing_conf): Add lvs as a lvm program [#1230]
• rule(macro user_known_k8s_client_container): Allow hcp-tunnelfront to run kubectl in containers [#1230]
• rule(list allowed_k8s_users): Add vertical pod autoscaler as known k8s users [#1230]
• rule(Anonymous Request Allowed): update to checking auth decision equals to allow [#1267]
• rule(Container Drift Detected (chmod)): new rule to detect if an existing file get exec permissions in a container [#1254]
• rule(Container Drift Detected (open+create)): new rule to detect if a new file with execution permission is created in a container [#1254]
• rule(Mkdir binary dirs): correct condition in macro bin_dir_mkdir to catch mkdirat syscall [#1250]
• rule(Modify binary dirs): correct condition in macro bin_dir_rename to catch rename, renameat, and unlinkat syscalls [#1250]
• rule(Create files below dev): correct condition to catch openat syscall [#1250]
• rule(macro user_known_set_setuid_or_setgid_bit_conditions): create macro [#1213]

Statistics

Download

Released on 2020-18-05

Major Changes

• BREAKING CHANGE: the falco-driver-loader script now references falco-probe.o and falco-probe.ko as falco.o and falco.ko [#1158]
• BREAKING CHANGE: the falco-driver-loader script environment variable to use a custom repository to download drivers now uses the DRIVERS_REPO environment variable instead of DRIVER_LOOKUP_URL. This variable must contain the parent URI containing the following directory structure /$driver_version$/falco_$target$_$kernelrelease$_$kernelversion$.[ko|o]. e.g: [#1160]
• new(scripts): options and command-line usage for falco-driver-loader [#1200]
• new: ability to specify exact matches when adding rules to Falco engine (only API) [#1185]
• new(docker): add an image that wraps the falco-driver-loader with the toolchain [#1192]
• new(docker): add falcosecurity/falco-no-driver image [#1205]

Minor Changes

• update(scripts): improve falco-driver-loader output messages [#1200]
• update: containers look for prebuilt drivers on the Drivers Build Grid [#1158]
• update: driver version bump to 96bd9bc560f67742738eb7255aeb4d03046b8045 [#1190]
• update(docker): now falcosecurity/falco:slim-* alias to falcosecurity/falco-no-driver:* [#1205]
• docs: instructions to run unit tests [#1199]
• docs(examples): move /examples to contrib repo [#1191]
• update(docker): remove minimal image [#1196]
• update(integration): move /integrations to contrib repo [#1157]
• https://dl.bintray.com/driver/$driver_version$/falco_$target$_$kernelrelease$_$kernelversion$.[ko|o]` [#1160]
• update(docker/event-generator): remove the event-generator from Falco repository [#1156]
• docs(examples): set audit level to metadata for object secrets [#1153]

Bug Fixes

• fix(scripts): upstream files (prebuilt drivers) for the generic Ubuntu kernel contains "ubuntu-generic" [#1212]
• fix: support Falco driver on Linux kernels 5.6.y [#1174]

Rule Changes

• rule(Redirect STDOUT/STDIN to Network Connection in Container): correct rule name as per rules naming convention [#1164]
• rule(Redirect STDOUT/STDIN to Network Connection in Container): new rule to detect Redirect stdout/stdin to network connection in container [#1152]
• rule(K8s Secret Created): new rule to track the creation of Kubernetes secrets (excluding kube-system and service account secrets) [#1151]
• rule(K8s Secret Deleted): new rule to track the deletion of Kubernetes secrets (excluding kube-system and service account secrets) [#1151]

Statistics

Download

Released on 2020-17-04

Major Changes

• Same as v0.22.0

Minor Changes

• Same as v0.22.0

Bug Fixes

• fix: correct driver path (/usr/src/falco-%driver_version%) for RPM package [#1148]

Rule Changes

• Same as v0.22.0

Download

Released on 2020-16-04

Major Changes

• new: falco version and driver version are distinct and not coupled anymore [#1111]
• new: flag to disable asynchronous container metadata (CRI) fetch --disable-cri-async [#1099]

Minor Changes

• docs(integrations): update API resource versions to Kubernetes 1.16 [#1044]
• docs: add new release archive to the README.md [#1098]
• update: driver version a259b4bf49c3 [#1138]
• docs(integrations/k8s-using-daemonset): --cri flag correct socket path [#1140]
• update: bump driver version to cd3d10123e [#1131]
• update(docker): remove RHEL, kernel/linuxkit, and kernel/probeloader images [#1124]
• update: falco-probe-loader script is falco-driver-loader now [#1111]
• update: using only sha256 hashes when pulling build dependencies [#1118]

Bug Fixes

• fix(integrations/k8s-using-daemonset): added missing privileges for the apps Kubernetes API group in the falco-cluster-role when using RBAC [#1136]
• fix: connect to docker works also with libcurl >= 7.69.0 [#1138]
• fix: HOST_ROOT environment variable detection [#1133]
• fix(driver/bpf): stricter conditionals while dealing with strings [#1131]
• fix: /usr/bin/falco-${DRIVER_VERSION} driver directory [#1111]
• fix: FALCO_VERSION env variable inside Falco containers contains the Falco version now (not the docker image tag) [#1111]

Rule Changes

• rule(macro user_expected_system_procs_network_activity_conditions): allow whitelisting system binaries using the network under specific conditions [#1070]
• rule(Full K8s Administrative Access): detect any k8s operation by an administrator with full access [#1122]
• rule(Ingress Object without TLS Certificate Created): detect any attempt to create an ingress without TLS certification (rule enabled by default) [#1122]
• rule(Untrusted Node Successfully Joined the Cluster): detect a node successfully joined the cluster outside of the list of allowed nodes [#1122]
• rule(Untrusted Node Unsuccessfully Tried to Join the Cluster): detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes [#1122]
• rule(Network Connection outside Local Subnet): detect traffic to image outside local subnet [#1122]
• rule(Outbound or Inbound Traffic not to Authorized Server Process and Port): detect traffic that is not to authorized server process and port [#1122]
• rule(Delete or rename shell history): "mitre_defense_evation" tag corrected to "mitre_defense_evasion" [#1143]
• rule(Delete Bash History): "mitre_defense_evation" tag corrected to "mitre_defense_evasion" [#1143]
• rule(Write below root): use pmatch to check against known root directories [#1137]
• rule(Detect outbound connections to common miner pool ports): whitelist sysdig/agent and falcosecurity/falco for query miner domain dns [#1115]
• rule(Service Account Created in Kube Namespace): only detect sa created in kube namespace with success [#1117]

Statistics

Download

Released on 2020-03-17

Major Changes

• BREAKING CHANGE: the SYSDIG_BPF_PROBE environment variable is now just FALCO_BPF_PROBE (please update your systemd scripts or kubernetes deployments). [#1050]
• new: automatically publish deb packages (from git master branch) to public dev repository [#1059]
• new: automatically publish rpm packages (from git master branch) to public dev repository [#1059]
• new: automatically release deb packages (from git tags) to public repository [#1059]
• new: automatically release rpm packages (from git tags) to public repository [#1059]
• new: automatically publish docker images from master (master, master-slim, master-minimal) [#1059]
• new: automatically publish docker images from git tag (tag, tag-slim, tag-master, latest, latest-slim, latest-minimal) [#1059]
• new: sign packages with falcosecurity gpg key [#1059]

Minor Changes

• new: falco_version_prerelease contains the number of commits since last tag on the master [#1086]
• docs: update branding [#1074]
• new(docker/event-generator): add example k8s resource files that allow running the event generator in a k8s cluster. [#1088]
• update: creating *-dev docker images using build arguments at build time [#1059]
• update: docker images use packages from the new repositories [#1059]
• update: docker image downloads old deb dependencies (gcc-6, gcc-5, binutils-2.30) from a new open repository [#1059]

Bug Fixes

• fix(docker): updating stable and local images to run from debian:stable [#1018]
• fix(event-generator): the image used by the event generator deployment to latest. [#1091]
• fix: -t (to disable rules by certain tag) or -t (to only run rules with a certain tag) work now [#1081]
• fix: the falco driver now compiles on >= 5.4 kernels [#1080]
• fix: download falco packages which url contains character to encode - eg, + [#1059]
• fix(docker): use base name in docker-entrypoint.sh [#981]

Rule Changes

• rule(detect outbound connections to common miner pool ports): disabled by default [#1061]
• rule(macro net_miner_pool): add localhost and rfc1918 addresses as exception in the rule. [#1061]
• rule(change thread namespace): modify condition to detect suspicious container activity [#974]

Statistics

Download

Released on 2020-02-24

Major Changes

• fix: memory leak introduced in 0.18.0 happening while using json events and the kubernetes audit endpoint [#1041]
• new: grpc version api [#872]

Bug Fixes

• fix: the base64 output format (-b) now works with both json and normal output. [#1033]
• fix: version follows semver 2 bnf [#872]

Rule Changes

• rule(write below etc): add "dsc_host" as a ms oms program [#1028]
• rule(write below etc): let mcafee write to /etc/cma.d [#1028]
• rule(write below etc): let avinetworks supervisor write some ssh cfg [#1028]
• rule(write below etc): alow writes to /etc/pki from openshift secrets dir [#1028]
• rule(write below root): let runc write to /exec.fifo [#1028]
• rule(change thread namespace): let cilium-cni change namespaces [#1028]
• rule(run shell untrusted): let puma reactor spawn shells [#1028]

Statistics

Download

Released on 2020-01-23

Major Changes

• new: security audit [#977]
• instead of crashing, now falco will report the error when an internal error occurs while handling an event to be inspected. the log line will be of type error and will contain the string error handling inspector event [#746]
• build: bump grpc to 1.25.0 [#939]
• build: (most of) dependencies are bundled dynamically (by default) [#968]
• test: integration tests now can run on different distributions via docker containers, for now CentOS 7 and Ubuntu 18.04 with respective rpm and deb packages [#1012]

Minor Changes

• proposal: rules naming convention [#980]
• update: also allow posting json arrays containing k8s audit events to the k8s_audit endpoint. [#967]
• update: add support for k8s audit events to the falco-event-generator container. [#997]
• update: falco-tester base image is fedora:31 now [#968]
• build: switch to circleci [#968]
• build: bundle openssl into falco-builder docker image [#1004]
• build: falco-builder docker image revamp (centos:7 base image) [#1004]
• update: puppet module had been renamed from "sysdig-falco" to "falco" [#922]
• update: adds a hostname field to grpc output [#927]
• build: download grpc from their github repo [#933]
• update: ef_drop_falco is now ef_drop_simple_cons [#922]
• update(docker): use host_root environment variable rather than sysdig_host_root [#922]
• update: ef_drop_falco is now ef_drop_simple_cons [#922]

Bug Fixes

• fix: providing clang into docker-builder [#972]
• fix: prevent throwing json type error c++ exceptions outside of the falco engine when procesing k8s audit events. [#928]
• fix(docker/kernel/linuxkit): correct from for falco minimal image [#913]

Rule Changes

• rules(list network_tool_binaries): add some network tools to detect suspicious network activity. [#973]
• rules(write below etc): allow automount to write to /etc/mtab [#957]
• rules(macro user_known_k8s_client_container): when executing the docker client, exclude fluentd-gcp-scaler container running in the kube-system namespace to avoid false positives [#962]
• rules(the docker client is executed in a container): detect the execution of the docker client in a container and logs it with warning priority. [#915]
• rules(list k8s_client_binaries): create and add docker, kubectl, crictl [#915]
• rules(macro container_entrypoint): add docker-runc-cur [#914]
• rules(list user_known_chmod_applications): add hyperkube [#914]
• rules(list network_tool_binaries): add some network tools to detect suspicious network activity. [#975]
• rules(macro user_known_k8s_client_container): macro to match kube-system namespace [#955]
• rules(contact k8s api server from container): now it can automatically resolve the cluster ip address [#952]
• rules(macro k8s_api_server): new macro to match the default k8s api server [#952]
• rules(macro sensitive_vol_mount): add more sensitive host paths [#929]
• rules(macro sensitive_mount): add more sensitive paths [#929]
• rules(macro consider_metadata_access): macro to decide whether to consider metadata or not (off by default) [#943]
• rules(contact cloud metadata service from container): add rules to detect access to gce instance metadata [#943]
• rules(macro sensitive_vol_mount): align sensitive mounts macro between k8s audit rules and syscall rules [#950]
• rules(macro consider_packet_socket_communication): macro to consider or not packet socket communication (off by default) [#945]
• rules(packet socket created in container): rule to detect raw packets creation [#945]
• rules(macro exe_running_docker_save): fixed false positives in multiple rules that were caused by the use of docker in docker [#951]
• rules(modify shell configuration file): fixed a false positive by excluding "exe_running_docker_save" [#949]
• rules(update package repository): fixed a false positive by excluding "exe_running_docker_save". [#948]
• rules(the docker client is executed in a container): when executing the docker client, exclude containers running in the kube-system namespace to avoid false positives [#955]
• rules(list user_known_chmod_applications): add kubelet [#944]
• rules(set setuid or setgid bit): fixed a false positive by excluding "exe_running_docker_save" [#946]
• rules(macro user_known_package_manager_in_container): allow users to specify conditions that match a legitimate use case for using a package management process in a container. [#941]

Statistics

Download

Released 2019-10-31

Major Changes

• falco grpc api server implementation, contains a subscribe method to subscribe to outputs from any grpc capable language [#822]
• add support for converting k8s pod security policies (psps) into set of falco rules that can be used to evaluate the conditions specified in the psp. [#826]
• initial redesign container images to remove build tools and leverage init containers for kernel module delivery. [#776]
• add flags to disable syscall event source or k8s_audit event source [#779]

Minor Changes

• allow for unique names for psp converted rules/macros/lists/rule names as generated by falcoctl 0.0.3 [#895]
• make it easier to run regression tests without necessarily using the falco-tester docker image. [#808]
• fix falco engine compatibility with older k8s audit rules files. [#893]
• add tests for psp conversions with names containing spaces/dashes. [#899]

Bug Fixes

• handle multi-document yaml files when reading rules files. [#760]
• improvements to how the webserver handles incoming invalid inputs [#759]
• fix: make lua state access thread-safe [#867]
• fix compilation on gcc 5.4 by working around gcc bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=56480 [#873]
• add explicit dependency between tests and catch2 header file. [#879]
• fix: stable dockerfile libgcc-6-dev dependencies [#830]
• fix: build dependencies for the local dockerfile [#782]
• fix: a crash bug that could result from reading more than ~6 rules files [#906] [#907]

Rule Changes

• rules: add calico/node to trusted privileged container list [#902]
• rules: add macro calico_node_write_envvars to exception list of write below etc [#902]
• rules: add exception for rule write below rpm, this is a fp caused by amazon linux 2 yum. [#755]
• rules: ignore sensitive mounts from the ecs-agent [#881]
• rules: add rules to detect crypto mining activities [#763]
• rules: add back rule delete bash history for backport compatibility [#864]
• rule: syscalls are used to detect suid and sgid [#765]
• rules: delete bash history is renamed to delete or rename shell history [#762]
• rules: add image fluent/fluentd-kubernetes-daemonset to clear log trusted images [#852]
• rules: include default users created by kops. [#898]
• rules: delete or rename shell history: when deleting a shell history file now the syscalls are taken into account rather than just the commands deleting the files [#762]
• rules: delete or rename shell history: history deletion now supports fish and zsh in addition to bash [#762]
• rules: "create hidden files or directories" and "update package repository" now trigger also if the files are moved and not just if modified or created. [#766]

Download

Released 2019-09-26

Major Changes

• Same as v0.17.0

Minor Changes

• Same as v0.17.0

Bug Fixes

• All in v0.17.0
• Fix a build problem for pre-built kernel probes. [draios/sysdig#1471]

Rule Changes

• Same as v0.17.0

Download

Released 2019-07-31

Major Changes

• The set of supported platforms has changed. Switch to a reorganized builder image that uses Centos 7 as a base. As a result, falco is no longer supported on Centos 6. The other supported platforms should remain the same [#719]

Minor Changes

• When enabling rules within the falco engine, use rule substrings instead of regexes. [#743]

• Additional improvements to the handling and display of rules validation errors [#744] [#747]

Bug Fixes

• Fix a problem that would cause prevent container metadata lookups when falco was daemonized [#731]

• Allow rule priorites to be expressed as lowercase and a mix of lower/uppercase [#737]

Rule Changes

• Fix a parentheses bug with the shell_procs macro [#728]

• Allow additional containers to mount sensitive host paths [#733] [#736]

• Allow additional containers to truncate log files [#733]

• Fix false positives with the Write below root rule on GKE [#739]

Download

Released 2019-07-16

Major Changes

• Clean up error reporting to provide more meaningful error messages along with context when loading rules files. When run with -V, the results of the validation ("OK" or error message) are sent to standard output. [#708]

• Improve rule loading performance by optimizing lua parsing paths to avoid expensive pattern matches. [#694]

• Bump falco engine version to 4 to reflect new fields ka.useragent, others. [#710] [#681]

• Add Catch2 as a unit testing framework. This will add additional coverage on top of the regression tests using Avocado. [#687]

Minor Changes

• Add SYSDIG_DIR Cmake option to specify location for sysdig source code when building falco. [#677] [#679] [#702]

• New field ka.useragent reports the useragent from k8s audit events. [#709]

• Add clang formatter for C++ syntax formatting. [#701] [#689]

• Partial changes towards lua syntax formatting. No particular formatting enforced yet, though. [#718]

• Partial changes towards yaml syntax formatting. No particular formatting enforced yet, though. [#714]

• Add cmake syntax formatting. [#703]

• Token bucket unit tests and redesign. [#692]

• Update github PR template. [#699]

• Fix PR template for kind/rule-*. [#697]

Bug Fixes

• Remove an unused cmake file. [#700]

• Misc Cmake cleanups. [#673]

• Misc k8s install docs improvements. [#671]

Rule Changes

• Allow k8s.gcr.io/kube-proxy image to run privileged. [#717]

• Add runc to the list of possible container entrypoint parents. [#712]

• Skip Source RFC 1918 addresses when considering outbound connections. [#685]

• Add additional user_XXX placeholder macros to allow for easy customization of rule exceptions. [#685]

• Let weaveworks programs change namespaces. [#685]

• Add additional openshift images. [#685]

• Add openshift as a k8s binary. [#678]

• Add dzdo as a binary that can change users. [#678]

• Allow azure/calico binaries to change namespaces. [#678]

• Add back trusted_containers list for backport compatibility [#675]

• Add mkdirat as a syscall for mkdir operations. [#667]

• Add container id/repository to rules that can work with containers. [#667]

Download

Released 2019-06-12

Major Changes

• None.

Minor Changes

• None.

Bug Fixes

• Fix kernel module compilation for kernels < 3.11 [#sysdig/1436]

Rule Changes

• None.