Releases: falcosecurity/falco
Releases · falcosecurity/falco
0.30.0
| Packages | Download |
|---|---|
| rpm |  |
| deb | |
| tgz | |
| Images |
|---|
docker pull docker.io/falcosecurity/falco:0.30.0 |
docker pull public.ecr.aws/falcosecurity/falco:0.30.0 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.30.0 |
docker pull docker.io/falcosecurity/falco-no-driver:0.30.0 |
Major Changes
- new: add
--k8s-nodecommand-line options, which allows filtering by a node when requesting metadata of pods to the K8s API server [#1671] - @leogr - new(outputs): expose rule tags and event source in gRPC and json outputs [#1714] - @jasondellaluce
- new(userspace/falco): add customizable metadata fetching params [#1667] - @zuc
Minor Changes
- update: bump driver version to 3aa7a83bf7b9e6229a3824e3fd1f4452d1e95cb4 [#1744] - @zuc
- docs: clarify that previous Falco drivers will remain available at https://download.falco.org and no automated cleanup is run anymore [#1738] - @leodido
- update(outputs): add configuration option for tags in json outputs [#1733] - @jasondellaluce
Bug Fixes
- fix(scripts): correct standard output redirection in systemd config (DEB and RPM packages) [#1697] - @chirabino
- fix(scripts): correct lookup order when trying multiple
gccversions in thefalco-driver-loaderscript [#1716] - @Spartan-65
Rule Changes
- rule(list miner_domains): add new miner domains [#1729] - @AlbertoPellitteri
- rule(list https_miner_domains): add new miner domains [#1729] - @AlbertoPellitteri
Non user-facing changes
- add Qonto as adopter [#1717] - @Issif
- docs(proposals): proposal for a libs plugin system [#1637] - @ldegio
- build: remove unused
ncursesdependency [#1658] - @leogr - build(.circleci): use new Debian 11 package names for python-pip [#1712] - @zuc
- build(docker): adding libssl-dev, upstream image reference pinned to
debian:buster[#1719] - @michalschott - fix(test): avoid output_strictly_contains failures [#1724] - @jasondellaluce
- Remove duplicate allowed ecr registry rule [#1725] - @TomKeyte
- docs(RELEASE.md): switch to 3 releases per year [#1711] - @leogr
Statistics
| Merged PRs | Number |
|---|---|
| Not user-facing | 10 |
| Release note | 9 |
| Total | 19 |
Release Manager @araujof
Contributors
araujof
Assets 2
0.29.1
| Packages | Download |
|---|---|
| rpm |  |
| deb | |
| tgz | |
| Images |
|---|
docker pull docker.io/falcosecurity/falco:0.29.1 |
docker pull public.ecr.aws/falcosecurity/falco:0.29.1 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.29.1 |
docker pull docker.io/falcosecurity/falco-no-driver:0.29.1 |
Minor Changes
Rule Changes
- rule(list user_known_userfaultfd_processes): list to exclude processes known to use userfaultfd syscall [#1675] - @leodido
- rule(macro consider_userfaultfd_activities): macro to gate the "Unprivileged Delegation of Page Faults Handling to a Userspace Process" rule [#1675] - @leodido
- rule(Unprivileged Delegation of Page Faults Handling to a Userspace Process): new rule to detect successful unprivileged userfaultfd syscalls [#1675] - @leodido
- rule(Linux Kernel Module Injection Detected): adding container info to the output of the rule [#1675] - @leodido
Non user-facing changes
Statistics
| Merged PRs | Number |
|---|---|
| Not user-facing | 2 |
| Release note | 1 |
| Total | 3 |
Release Manager @leodido
0.29.0
| Packages | Download |
|---|---|
| rpm |  |
| deb | |
| tgz | |
| Images |
|---|
docker pull docker.io/falcosecurity/falco:0.29.0 |
docker pull public.ecr.aws/falcosecurity/falco:0.29.0 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.29.0 |
docker pull docker.io/falcosecurity/falco-no-driver:0.29.0 |
Minor Changes
Rule Changes
- rule(list miner_domains): add rx.unmineable.com for anti-miner detection [#1676] - @fntlnz
- rule(Change thread namespace and Set Setuid or Setgid bit): disable by default [#1632] - @Kaizhe
- rule(list known_sa_list): add namespace-controller, statefulset-controller, disruption-controller, job-controller, horizontal-pod-autoscaler and persistent-volume-binder as allowed service accounts in the kube-system namespace [#1659] - @sboschman
- rule(Non sudo setuid): check user id as well in case user name info is not available [#1665] - @Kaizhe
- rule(Debugfs Launched in Privileged Container): fix typo in description [#1657] - @Kaizhe
Non user-facing changes
- Fix link to CONTRIBUTING.md in the Pull Request Template [#1679] - @tspearconquest
- fetch libs and drivers from the new repo [#1552] - @leogr
- build(test): upgrade urllib3 to 1.26.5 [#1666] - @leogr
- revert: add notes for 0.28.2 release [#1663] - @maxgio92
- changelog: add notes for 0.28.2 release [#1661] - @maxgio92
- docs(release.md): add blog announcement to post-release tasks [#1652] - @maxgio92
- add Yahoo!Japan as an adopter [#1651] - @ukitazume
- Add Replicated to adopters [#1649] - @diamonwiggins
- docs(proposals): fix libs contribution name [#1641] - @leodido
Statistics
| Merged PRs | Number |
|---|---|
| Not user-facing | 11 |
| Release note | 7 |
| Total | 18 |
Release Manager @maxgio92
0.28.1
| Packages | Download |
|---|---|
| rpm |  |
| deb | |
| tgz | |
| Images |
|---|
docker pull docker.io/falcosecurity/falco:0.28.1 |
docker pull public.ecr.aws/falcosecurity/falco:0.28.1 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.28.1 |
docker pull docker.io/falcosecurity/falco-no-driver:0.28.1 |
Major Changes
- new:
--supportoutput now includes info about the Falco engine version [#1581] - @mstemm - new: Falco outputs an alert in the unlikely situation it's receiving too many consecutive timeouts without an event [#1622] - @leodido
- new: configuration field
syscall_event_timeouts.max_consecutiveto configure after how many consecutive timeouts without an event Falco must alert [#1622] - @leodido
Minor Changes
Bug Fixes
- fix: do not stop the webserver for k8s audit logs when invalid data is coming in the event to be processed [#1617] - @fntlnz
Rule Changes
- rule(macro: allowed_aws_ecr_registry_root_for_eks): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [#1640] - @ismailyenigul
- rule(macro: aws_eks_core_images): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [#1640] - @ismailyenigul
- rule(macro: aws_eks_image_sensitive_mount): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [#1640] - @ismailyenigul
- rule(list
falco_privileged_images): remove deprecated Falco's OCI image repositories [#1634] - @maxgio92 - rule(list
falco_sensitive_mount_images): remove deprecated Falco's OCI image repositories [#1634] - @maxgio92 - rule(macro
k8s_containers): remove deprecated Falco's OCI image repositories [#1634] - @maxgio92 - rule(macro: python_running_sdchecks): macro removed [#1620] - @leogr
- rule(Change thread namespace): remove python_running_sdchecks exception [#1620] - @leogr
Non user-facing changes
- urelease/docs: fix link and small refactor in the text [#1636] - @cpanato
- Add Secureworks to adopters [#1629] - @dwindsor-scwx
- regression test for malformed k8s audit input (FAL-01-003) [#1624] - @leodido
- Add mathworks to adopterlist [#1621] - @natchaphon-r
- adding known users [#1623] - @danpopSD
- docs: update link for HackMD community call notes [#1614] - @leodido
Statistics
| Merged PRs | Number |
|---|---|
| Not user-facing | 7 |
| Release note | 7 |
| Total | 14 |
Release Manager @cpanato
0.28.0
| Packages | Download |
|---|---|
| rpm |  |
| deb | |
| tgz | |
| Images |
|---|
docker pull docker.io/falcosecurity/falco:0.28.0 |
docker pull public.ecr.aws/falcosecurity/falco:0.28.0 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.28.0 |
docker pull docker.io/falcosecurity/falco-no-driver:0.28.0 |
Major Changes
- BREAKING CHANGE: Bintray is deprecated, no new packages will be published at https://dl.bintray.com/falcosecurity/ [#1577] - @leogr
- BREAKING CHANGE: SKIP_MODULE_LOAD env variable no more disables the driver loading (use SKIP_DRIVER_LOADER env variable introduced in Falco 0.24) [#1599] - @leodido
- BREAKING CHANGE: the init.d service unit is not shipped anymore in deb/rpm packages in favor of a systemd service file [#1448] - @jenting
- new: add support for exceptions as rule attributes to provide a compact way to add exceptions to Falco rules [#1427] - @mstemm
- new: falco-no-driver container images on AWS ECR gallery (https://gallery.ecr.aws/falcosecurity/falco-no-driver) [#1519] - @jonahjon
- new: falco-driver-loader container images on AWS ECR gallery (https://gallery.ecr.aws/falcosecurity/falco-driver-loader) [#1519] - @jonahjon
- new: add healthz endpoint to the webserver [#1546] - @cpanato
- new: introduce a new configuration field
syscall_event_drops.thresholdto tune the drop noisiness [#1586] - @leodido - new: falco-driver-loader script can get a custom driver name from DRIVER_NAME env variable [#1488] - @leodido
- new: falco-driver-loader know the Falco version [#1488] - @leodido
Minor Changes
- docs(proposals): libraries and drivers donation [#1530] - @leodido
- docs(docker): update links to the new Falco website URLs [#1545] - @cpanato
- docs(test): update links to new Falco website URLs [#1563] - @shane-lawrence
- build: now Falco packages are published at https://download.falco.org [#1577] - @leogr
- update: lower the
syscall_event_drops.max_burstdefault value to 1 [#1586] - @leodido - update: falco-driver-loader tries to download a Falco driver before then compiling it on the fly for the host [#1599] - @leodido
- docs(test): document the prerequisites for running the integration test suite locally [#1609] - @fntlnz
- update: Debian/RPM package migrated from init to systemd [#1448] - @jenting
Bug Fixes
- fix(userspace/engine): properly handle field extraction over lists of containers when not all containers match the specified sub-properties [#1601] - @mstemm
- fix(docker/falco): add flex and bison dependency to container image [#1562] - @schans
- fix: ignore action can not be used with log and alert ones (
syscall_event_dropsconfig) [#1586] - @leodido - fix(userspace/engine): allows fields starting with numbers to be parsed properly [#1598] - @mstemm
Rule Changes
- rule(Write below monitored dir): improve rule description [#1588] - @stevenshuang
- rule(macro allowed_aws_eks_registry_root): macro to match the official eks registry [#1555] - @ismailyenigul
- rule(macro aws_eks_image): match aws image repository for eks [#1555] - @ismailyenigul
- rule(macro aws_eks_image_sensitive_mount): match aws cni images [#1555] - @ismailyenigul
- rule(macro k8s_containers): include fluent/fluentd-kubernetes-daemonset and prom/prometheus [#1555] - @ismailyenigul
- rule(Launch Privileged Container): exclude aws_eks_image [#1555] - @ismailyenigul
- rule(Launch Sensitive Mount Container): exclude aws_eks_image_sensitive_mount [#1555] - @ismailyenigul
- rule(Debugfs Launched in Privileged Container): new rule [#1583] - @Kaizhe
- rule(Mount Launched in Privileged Container): new rule [#1583] - @Kaizhe
- rule(Set Setuid or Setgid bit): add k3s-agent in the whitelist [#1583] - @Kaizhe
- rule(macro user_ssh_directory): using glob operator [#1560] - @shane-lawrence
- rule(list falco_sensitive_mount_containers): added image exceptions for IBM cloud [#1337] - @nibalizer
- rule(list rpm_binaries): add rhsmcertd [#1385] - @epcim
- rule(list deb_binaries): add apt.systemd.daily [#1385] - @epcim
- rule(Sudo Potential Privilege Escalation): new rule created to detect CVE-2021-3156 [#1543] - @darryk10
- rule(list allowed_k8s_users): add
eks:node-manager[#1536] - @ismailyenigul - rule(list mysql_mgmt_binaries): removed [#1602] - @fntlnz
- rule(list db_mgmt_binaries): removed [#1602] - @fntlnz
- rule(macro parent_ansible_running_python): removed [#1602] - @fntlnz
- rule(macro parent_bro_running_python): removed [#1602] - @fntlnz
- rule(macro parent_python_running_denyhosts): removed [#1602] - @fntlnz
- rule(macro parent_linux_image_upgrade_script): removed [#1602] - @fntlnz
- rule(macro parent_java_running_echo): removed [#1602] - @fntlnz
- rule(macro parent_scripting_running_builds): removed [#1602] - @fntlnz
- rule(macro parent_Xvfb_running_xkbcomp): removed [#1602] - @fntlnz
- rule(macro parent_nginx_running_serf): removed [#1602] - @fntlnz
- rule(macro parent_node_running_npm): removed [[#1602](https:...
0.27.0
Released on 2021-01-18
| Packages | Download |
|---|---|
| rpm |  |
| deb | |
| tgz | |
| Images |
|---|
docker pull docker.io/falcosecurity/falco:0.27.0 |
docker pull public.ecr.aws/falcosecurity/falco:0.27.0 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.27.0 |
docker pull docker.io/falcosecurity/falco-no-driver:0.27.0 |
Major Changes
- new: Added falco engine version to grpc version service [#1507] - @nibalizer
- BREAKING CHANGE: Users who run Falco without a config file will be unable to do that any more, Falco now expects a configuration file to be passed all the times. Developers may need to adjust their processes. [#1494] - @nibalizer
- new: asynchronous outputs implementation, outputs channels will not block event processing anymore [#1451] - @leogr
- new: slow outputs detection [#1451] - @leogr
- new:
output_timeoutconfig option for slow outputs detection [#1451] - @leogr
Minor Changes
- build: bump b64 to v2.0.0.1 [#1441] - @fntlnz
- rules(macro container_started): re-use
spawned_processmacro insidecontainer_startedmacro [#1449] - @leodido - docs: reach out documentation [#1472] - @fntlnz
- docs: Broken outputs.proto link [#1493] - @deepskyblue86
- docs(README.md): correct broken links [#1506] - @leogr
- docs(proposals): Exceptions handling proposal [#1376] - @mstemm
- docs: fix a broken link of README [#1516] - @oke-py
- docs: adding the kubernetes privileged use case to use cases [#1484] - @fntlnz
- rules(Mkdir binary dirs): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [#1386] - @jhwbarlow
- rules(Create Hidden Files): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [#1386] - @jhwbarlow
- docs(.circleci): welcome Jonah (Amazon) as a new Falco CI maintainer [#1518] - @leodido
- build: falcosecurity/falco:master also available on the AWS ECR Public registry [#1512] - @leodido
- build: falcosecurity/falco:latest also available on the AWS ECR Public registry [#1512] - @leodido
- update: gRPC clients can now subscribe to drop alerts via gRCP API [#1451] - @leogr
- macro(allowed_k8s_users): exclude cloud-controller-manage to avoid false positives on k3s [#1444] - @fntlnz
Bug Fixes
- fix(userspace/falco): use given priority in falco_outputs::handle_msg() [#1450] - @leogr
- fix(userspace/engine): free formatters, if any [#1447] - @leogr
- fix(scripts/falco-driver-loader): lsmod usage [#1474] - @dnwe
- fix: a bug that prevents Falco driver to be consumed by many Falco instances in some circumstances [#1485] - @leodido
- fix: set
HOST_ROOT=/hostenvironment variable for thefalcosecurity/falco-no-drivercontainer image by default [#1492] - @leogr
Rule Changes
- rule(list user_known_change_thread_namespace_binaries): add crio and multus to the list [#1501] - @Kaizhe
- rule(Container Run as Root User): new rule created [#1500] - @Kaizhe
- rule(Linux Kernel Module injection detected): adds a new rule that detects when an LKM module is injected using
insmodfrom a container (typically used by rootkits looking to obfuscate their behavior via kernel hooking). [#1478] - @d1vious - rule(macro multipath_writing_conf): create and use the macro [#1475] - @nmarier-coveo
- rule(list falco_privileged_images): add calico/node without registry prefix to prevent false positive alerts [#1457] - @czunker
- rule(Full K8s Administrative Access): use the right list of admin users (fix) [#1454] - @mstemm
Non user-facing changes
- chore(cmake): remove unnecessary whitespace patch [#1522] - @leogr
- remove stale bot in favor of the new lifecycle bot [#1490] - @leodido
- chore(cmake): mark some variables as advanced [#1496] - @deepskyblue86
- chore(cmake/modules): avoid useless rebuild [#1495] - @deepskyblue86
- build: BUILD_BYPRODUCTS for civetweb [#1489] - @fntlnz
- build: remove duplicate item from FALCO_SOURCES [#1480] - @leodido
- build: make our integration tests report clear steps for CircleCI UI [#1473] - @fntlnz
- further improvements outputs impl. [#1443] - @leogr
- fix(test): make integration tests properly fail [#1439] - @leogr
- Falco outputs refactoring [#1412] - @leogr
Statistics
| Merged PRs | Number |
|---|---|
| Not user-facing | 10 |
| Release note | 30 |
| Total | 40 |
0.26.2
Released on 2020-10-01
| Packages | Download |
|---|---|
| rpm |  |
| deb | |
| tgz | |
| Images |
|---|
docker pull docker.io/falcosecurity/falco:0.26.2 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.26.2 |
docker pull docker.io/falcosecurity/falco-no-driver:0.26.2 |
Major Changes
- update: DRIVERS_REPO now defaults to https://download.falco.org/driver [#1460] - @leodido
0.26.1
Released on 2020-10-01
| Packages | Download |
|---|---|
| rpm |  |
| deb | |
| tgz | |
| Images |
|---|
docker pull docker.io/falcosecurity/falco:0.26.1 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.26.1 |
docker pull docker.io/falcosecurity/falco-no-driver:0.26.1 |
Major Changes
Rule Changes
- rule(Delete or rename shell history): fix warnings/FPs + container teardown [#1423] - @mstemm
- rule(Write below root): ensure proc_name_exists too [#1423] - @mstemm
Statistics
| Merged PRs | Number |
|---|---|
| Not user-facing | 4 |
| Release note | 2 |
| Total | 6 |
0.26.0
Released on 2020-24-09
| Official Stable Download 0.26.0 | |
|---|---|
| rpm |  |
| deb |  |
| binary |  |
Major Changes
- new: driver updated to 2aa88dcf6243982697811df4c1b484bcbe9488a2 [#1410]
- new(scripts/falco-driver-loader): detect and try to build the Falco kernel module driver using different GCC versions available in the current environment. [#1408]
- new: tgz (tarball) containing the statically-linked (musl) binary of Falco is now automatically built and published on bintray [#1377]
Minor Changes
- update: bump Falco engine version to 7 [#1381]
- update: the required_engine_version is now on by default [#1381]
- update: falcosecurity/falco-no-driver image now uses the statically-linked Falco [#1377]
- docs(proposals): artifacts storage [#1375]
- docs(proposals): artifacts cleanup [#1375]
Rule Changes
- rule: Address several sources of FPs, primarily from GKE environments. [#1372]
- rule(macro inbound_outbound): add brackets to disambiguate operator precedence [#1373]
- rule(macro redis_writing_conf): add brackets to disambiguate operator precedence [#1373]
- rule(macro run_by_foreman): add brackets to disambiguate operator precedence [#1373]
- rule(macro consider_packet_socket_communication): enable "Packet socket created in container" rule by default. [#1402]
- rule(Delete or rename shell history): skip docker overlay filesystems when considering bash history [#1393]
- rule(Disallowed K8s User): quote colons in user names [#1393]
- rule(macro falco_sensitive_mount_containers): Adds a trailing slash to avoid repo naming issues [#1394]
- rule: adds user.loginuid to the default Falco rules that also contain user.name [#1369]
This file documents all notable changes to Falco. The release numbering uses semantic versioning.
Statistics
| Merged PRs | Number |
|---|---|
| Not user-facing | 5 |
| Release note | 13 |
| Total | 18 |
0.25.0
Released on 2020-08-25
Major Changes
- new(userspace/falco): print the Falco and driver versions at the very beginning of the output. [#1303] - @leogr
- new: libyaml is now bundled in the release process. Users can now avoid installing libyaml directly when getting Falco from the official release. [#1252] - @fntlnz
Minor Changes
- docs(test): step-by-step instructions to run integration tests locally [#1313] - @leodido
- update: renameat2 syscall support [#1355] - @fntlnz
- update: support for 5.8.x kernels [#1355] - @fntlnz
Bug Fixes
- fix(userspace/falco): correct the fallback mechanism for loading the kernel module [#1366] - @leogr
- fix(falco-driver-loader): script crashing when using arguments [#1330] - @antoinedeschenes
Rule Changes
- rule(macro user_trusted_containers): add
sysdig/node-image-analyzerandsysdig/agent-slim[#1321] - @Kaizhe - rule(macro falco_privileged_images): add
docker.io/falcosecurity/falco[#1326] - @nvanheuverzwijn - rule(EphemeralContainers Created): add new rule to detect ephemeral container created [#1339] - @Kaizhe
- rule(macro user_read_sensitive_file_containers): replace endswiths with exact image repo name [#1349] - @Kaizhe
- rule(macro user_trusted_containers): replace endswiths with exact image repo name [#1349] - @Kaizhe
- rule(macro user_privileged_containers): replace endswiths with exact image repo name [#1349] - @Kaizhe
- rule(macro trusted_images_query_miner_domain_dns): replace endswiths with exact image repo name [#1349] - @Kaizhe
- rule(macro falco_privileged_containers): append "/" to quay.io/sysdig [#1349] - @Kaizhe
- rule(list falco_privileged_images): add images docker.io/sysdig/agent-slim and docker.io/sysdig/node-image-analyzer [#1349] - @Kaizhe
- rule(list falco_sensitive_mount_images): add image docker.io/sysdig/agent-slim [#1349] - @Kaizhe
- rule(list k8s_containers): prepend docker.io to images [#1349] - @Kaizhe
- rule(macro exe_running_docker_save): add better support for centos [#1350] - @admiral0
- rule(macro rename): add
renameat2syscall [#1359] - @leogr - rule(Read sensitive file untrusted): add trusted images into whitelist [#1327] - @Kaizhe
- rule(Pod Created in Kube Namespace): add new list k8s_image_list as white list [#1336] - @Kaizhe
- rule(list allowed_k8s_users): add "kubernetes-admin" user [#1323] - @leogr
Statistics
| Merged PRs | Number |
|---|---|
| Not user-facing | 5 |
| Release note | 15 |
| Total | 20 |