0.37.0

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Images
docker pull docker.io/falcosecurity/falco:0.37.0
docker pull public.ecr.aws/falcosecurity/falco:0.37.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.37.0
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.37.0
docker pull docker.io/falcosecurity/falco-no-driver:0.37.0
docker pull docker.io/falcosecurity/falco-distroless:0.37.0

v0.37.0

Released on 2024-01-30

Breaking Changes ⚠️

• new!: dropped falco-driver-loader script in favor of new falcoctl driver command [#2905] - @FedeDP
• update!: bump libs to latest and deprecation of k8s metadata options and configs [#2914] - @jasondellaluce
• cleanup(falco)!: remove outputs.rate and outputs.max_burst from Falco config [#2841] - @Andreagit97
• cleanup(falco)!: remove --userspace support [#2839] - @Andreagit97

Major Changes

• new(engine): add selective overrides for Falco rules [#2981] - @LucaGuerra
• feat(userspace/falco): falco administrators can now configure the http output to compress the data sent as well as enable keep alive for the connection. Two new fields (compress_uploads and keep_alive) in the http_output block of the falco.yaml file can be used for that purpose. Both are disabled by default. [#2974] - @sgaist
• new(userspace): support env variable expansion in all yaml, even inside strings. [#2918] - @FedeDP
• new(scripts): add a way to enforce driver kind and falcoctl enablement when installing Falco from packages and dialog is not present. [#2773] - @vjjmiras
• new(falco): print system info when Falco starts [#2927] - @Andreagit97
• new: driver selection in falco.yaml [#2413] - @therealbobo
• new(build): enable compilation on win32 and macOS. [#2889] - @therealbobo
• feat(userspace/falco): falco administrators can now configure the address on which the webserver listen using the new listen_address field in the webserver block of the falco.yaml file. [#2890] - @sgaist

Minor Changes

• update(userspace/falco): add engine_version_semver key in /versions endpoint [#2899] - @loresuso
• update: default ruleset upgrade to version 3.0 [#3034] - @leogr
• update!(config): soft deprecation of drop stats counters in syscall_event_drops [#3015] - @incertum
• update(cmake): bumped falcoctl tool to v0.7.1. [#3030] - @FedeDP
• update(rule_loader): deprecate the append flag in Falco rules [#2992] - @Andreagit97
• cleanup!(cmake): drop bundled plugins in Falco [#2997] - @FedeDP
• update(config): clarify deprecation notices + list all env vars [#2988] - @incertum
• update: now the watch_config_files config option monitors file/directory moving and deletion, too [#2965] - @NitroCao
• update(userspace): enhancements in rule description feature [#2934] - @jasondellaluce
• update(userspace/falco): add libsinsp state metrics option [#2883] - @incertum
• update(doc): Add Thought Machine as adopters [#2919] - @RichardoC
• update(docs): add Wireshark/Logray as adopter [#2867] - @geraldcombs
• update: engine_version in semver representation [#2838] - @loresuso
• update(userspace/engine): modularize rule compiler, fix and enrich rule descriptions [#2817] - @jasondellaluce

Bug Fixes

• fix(userspace/metric): minor fixes in new libsinsp state metrics handling [#3033] - @incertum
• fix(userspace/engine): avoid storing escaped strings in engine defs [#3028] - @jasondellaluce
• fix(userspace/engine): cache latest rules compilation output [#2900] - @jasondellaluce
• fix(userspace/engine): solve description of macro-only rules [#2898] - @jasondellaluce
• fix(userspace/engine): fix memory leak [#2877] - @therealbobo

Non user-facing changes

• new(docs): add changelog for 0.37.0 [#3041] - @Andreagit97
• fix: nlohmann_json lib include path [#3032] - @federico-sysdig
• chore: bump falco rules [#3021] - @Andreagit97
• chore: bump Falco to libs 0.14.1 [#3020] - @Andreagit97
• chore(build): remove outdated development libs [#2946] - @federico-sysdig
• chore(falco): bump Falco to 000d576 libs commit [#2944] - @Andreagit97
• fix(gha): update rpmsign [#2856] - @LucaGuerra
• build(deps): Bump submodules/falcosecurity-rules from 424b258 to 1221b9e [#3000] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from 2ac430b to c39d31a [#3019] - @dependabot[bot]
• cleanup(falco.yaml): rename none in nodriver [#3012] - @Andreagit97
• update(config): graduate outputs_queue to stable [#3016] - [@incertum](https://github.com/incer...

0.37.0-rc3

What's Changed

• sync: release 0.37.x by @FedeDP in #3035
• update(build): update libs to 0.14.2 by @LucaGuerra in #3036

Full Changelog: 0.37.0-rc2...0.37.0-rc3

0.37.0-rc2

Images
docker pull docker.io/falcosecurity/falco:0.37.0-rc2
docker pull public.ecr.aws/falcosecurity/falco:0.37.0-rc2
docker pull docker.io/falcosecurity/falco-driver-loader:0.37.0-rc2
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.37.0-rc2
docker pull docker.io/falcosecurity/falco-no-driver:0.37.0-rc2
docker pull docker.io/falcosecurity/falco-distroless:0.37.0-rc2

0.37.0-rc1

Images
docker pull docker.io/falcosecurity/falco:0.37.0-rc1
docker pull public.ecr.aws/falcosecurity/falco:0.37.0-rc1
docker pull docker.io/falcosecurity/falco-driver-loader:0.37.0-rc1
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.37.0-rc1
docker pull docker.io/falcosecurity/falco-no-driver:0.37.0-rc1
docker pull docker.io/falcosecurity/falco-distroless:0.37.0-rc1

0.36.2

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Images
docker pull docker.io/falcosecurity/falco:0.36.2
docker pull public.ecr.aws/falcosecurity/falco:0.36.2
docker pull docker.io/falcosecurity/falco-driver-loader:0.36.2
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.36.2
docker pull docker.io/falcosecurity/falco-no-driver:0.36.2
docker pull docker.io/falcosecurity/falco-distroless:0.36.2

v0.36.2

Released on 2023-10-27

Major Changes

Minor Changes

Bug Fixes

• Bumped libs to 0.13.4

Release Manager @FedeDP

0.36.2-rc1

update(cmake): bumped libs to 0.13.3.

Signed-off-by: Federico Di Pierro <[email protected]>

0.36.1

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Images
docker pull docker.io/falcosecurity/falco:0.36.1
docker pull public.ecr.aws/falcosecurity/falco:0.36.1
docker pull docker.io/falcosecurity/falco-driver-loader:0.36.1
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.36.1
docker pull docker.io/falcosecurity/falco-no-driver:0.36.1
docker pull docker.io/falcosecurity/falco-distroless:0.36.1

v0.36.1

Released on 2024-01-30

Major Changes

• feat(userspace): remove experimental outputs queue recovery strategies [#2863] - @incertum

Bug Fixes

• fix(userspace/falco): timer_delete() workaround due to bug in older GLIBC [#2851] - @incertum

Non user-facing changes

• new(docs): add changelog for 0.36.1 [#2872] - @Andreagit97

Statistics

MERGED PRS	NUMBER
Not user-facing	1
Release note	2
Total	3

Release Manager @Andreagit97

0.36.1-rc1

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Images
docker pull docker.io/falcosecurity/falco:0.36.1-rc1
docker pull public.ecr.aws/falcosecurity/falco:0.36.1-rc1
docker pull docker.io/falcosecurity/falco-driver-loader:0.36.1-rc1
docker pull docker.io/falcosecurity/falco-no-driver:0.36.1-rc1
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.36.1-rc1
docker pull docker.io/falcosecurity/falco-distroless:0.36.1-rc1

Release Candidate for Falco 0.36.1.
To see what's included, check the corresponding milestone: https://github.com/falcosecurity/falco/milestone/35

0.36.0

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Images
docker pull docker.io/falcosecurity/falco:0.36.0
docker pull public.ecr.aws/falcosecurity/falco:0.36.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.36.0
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.36.0
docker pull docker.io/falcosecurity/falco-no-driver:0.36.0
docker pull docker.io/falcosecurity/falco-distroless:0.36.0

v0.36.0

Released on 2023-09-26

Breaking Changes ⚠️

• The default rules file that is shipped in the Falco image and/or can be downloaded via falcoctl as falco-rules is now a stable rule file. This file contains a much smaller number of rules that are less noisy and have been vetted by the community. This serves as a much requested "starter" Falco rule set that covers many common use case. The rest of that file has been expanded and split into falco-incubating-rules and falco-sandbox-rules. For more information, see the rules repository
• The main falcosecurity/falco container image and its falco-driver-loader counterpart have been upgraded. Now they are able to compile the kernel module or classic eBPF probe for relatively newer version of the kernel (5.x and above) while we no longer ship toolchains to compile the kernel module for older versions in the default images. Downloading of prebuilt drivers and the modern eBPF will work exactly like before. The older image, meant for compatibility with older kernels (4.x and below), is currently retained as falcosecurity/falco-driver-loader-legacy.
• The Falco HTTP output no longer logs to stdout by default for performance reasons. You can set stdout logging preferences and restore the previous behavior with the configuration option http_output.echo in falco.yaml.
• The --list-syscall-events command line option has been replaced by --list-events which prints all supported system events (syscall, tracepoints, metaevents, internal plugin events) in addition to extra information about flags.
• The semantics of proc.exepath have changed. Now that field contains the executable path on disk even if the binary was launched from a symbolic link.
• The -d daemonize option has been removed.
• The stats command line option (-s, --stats-interval) has been removed in favor of metrics configs in falco.yaml
• The -p option is now changed:
  • when only -pc is set Falco will print container_id=%container.id container_image=%container.image.repository container_image_tag=%container.image.tag container_name=%container.name
  • when -pk is set it will print as above, but with k8s_ns=%k8s.ns.name k8s_pod_name=%k8s.pod.name appended

Major Changes

• new(falco-driver-loader): --source-only now prints the values as env vars [#2353] - @steakunderscore
• new(docker): allow passing options to falco-driver-loader from the driver loader cointainer [#2781] - @LucaGuerra
• new(docker): add experimental falco-distroless image based on Wolfi [#2768] - @LucaGuerra
• new: the legacy falco image is available as driver-loader-legacy [#2718] - @LucaGuerra
• new: added option to enable/disable echoing of server answer to stdout (disabled by default) when using HTTP output [#2602] - @FedeDP
• new: support systemctl reload for Falco services [#2588] - @jabdr
• new(falco/config): add new configurations for http_output that allow mTLS [#2633] - @annadorottya
• new: allow falco to match multiple rules on same event [#2705] - @loresuso

Minor Changes

• update(cmake): bumped bundled falcoctl to 0.6.2 [#2829] - @FedeDP
• update(rules)!: major rule update to version 2.0.0 [#2823] - @LucaGuerra
• update(cmake): bumped plugins to latest stable versions [#2820] - @FedeDP
• update(cmake): bumped libs to 0.13.0-rc2 and driver to 6.0.1+driver [#2806] - @FedeDP
• update!: default substitution for %container.info is now equal container_id=%container.id container_name=%container.name [#2793] - @leogr
• update!: the --list-syscall-events flag is now called --list-events and lists all events [#2771] - @LucaGuerra
• update!: the Falco base image is now based on Debian 12 with gcc 11-12 [#2718] - @LucaGuerra
• update(docker): the Falco no-driver image is now based on Debian 12 [#2782] - @LucaGuerra
• feat(userspace)!: remove -d daemonize option [#2677] - @incertum
• build(deps): Bump submodules/falcosecurity-rules from 3f52480 to 0d0e333 [#2693] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from 3f52480 to b42893a [#2756] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from b42893a to 6ed73fe [#2780] - @dependabot[bot]
• update(cmake): bumped libs to 0.13.0-rc1 and driver to 6.0.0+driver. [#2783] - @FedeDP
• feat: support parsing of system environment variables in yaml [#2562] - @therealdwright
• feat(userspace)!: deprecate stats command args option in favor of metrics configs in falco.yaml [#2739] - @incertum
• update: upgrade falcoctl to version 0.6.0 [#2764] - @leogr
• cleanup: deprecate rate limiter mechanism [#2762] - @Andreagit97
• cleanup(config): add more info [#2758] - @incertum
• update(userspace/engine): improve skip-if-unknown-filter YAML field [#2749] - @jasondellaluce
• chore: improved HTTP output performance [#2602] - @FedeDP
• update!: HTTP output will no more echo to stdout by default [#2602] - @FedeDP
• chore: remove b64 from falco dependencies [#2746] - @Andreagit97
• update(cmake): support building libs and driver from forks [#2747] - @jasondellaluce
• update: -p pres...

0.36.0-rc3

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Images
docker pull docker.io/falcosecurity/falco:0.36.0-rc3
docker pull public.ecr.aws/falcosecurity/falco:0.36.0-rc3
docker pull docker.io/falcosecurity/falco-driver-loader:0.36.0-rc3
docker pull docker.io/falcosecurity/falco-no-driver:0.36.0-rc3
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.36.0-rc3
docker pull docker.io/falcosecurity/falco-distroless:0.36.0-rc3

Release Candidate for Falco 0.36.0.
To see what's included, check the corresponding milestone: https://github.com/falcosecurity/falco/milestone/30